From 62db25d6d14b27096fe717308a0aa38f44f52c5d Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 17 Jan 2019 09:05:51 -0800 Subject: [PATCH 001/492] new build 011719 --- windows/privacy/TOC.md | 1 + ...ndows-diagnostic-events-and-fields-19H1.md | 5817 +++++++++++++++++ 2 files changed, 5818 insertions(+) create mode 100644 windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md diff --git a/windows/privacy/TOC.md b/windows/privacy/TOC.md index 35561d07af..e2a139c80d 100644 --- a/windows/privacy/TOC.md +++ b/windows/privacy/TOC.md @@ -7,6 +7,7 @@ ### [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md) ### [Diagnostic Data Viewer for PowerShell Overview](Microsoft-DiagnosticDataViewer.md) ## Basic level Windows diagnostic data events and fields +### [Windows 10, version 19H1 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-19H1.md) ### [Windows 10, version 1809 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) ### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) ### [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md new file mode 100644 index 0000000000..da9e5f277e --- /dev/null +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md @@ -0,0 +1,5817 @@ +--- +description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. +title: Windows 10, version 19H1 basic diagnostic events and fields (Windows 10) +keywords: privacy, telemetry +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +ms.author: brianlic +ms.date: 01/17/2019 +--- + + +# Windows 10, version 19H1 basic level Windows diagnostic events and fields + + +> [!IMPORTANT] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + + **Applies to** + +- Windows 10, version 19H1 + + +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. + +The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. + +Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. + +You can learn more about Windows functional and diagnostic data through these articles: + + +- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) +- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) +- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) +- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) +- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) +- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) + + + + +## AppLocker events + +### Microsoft.Windows.Security.AppLockerCSP.AddParams + +Parameters passed to Add function of the AppLockerCSP Node. + +The following fields are available: + +- **child** The child URI of the node to add. +- **uri** URI of the node relative to %SYSTEM32%/AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.AddStart + +Start of "Add" Operation for the AppLockerCSP Node. + + + +### Microsoft.Windows.Security.AppLockerCSP.AddStop + +End of "Add" Operation for AppLockerCSP Node. + +The following fields are available: + +- **hr** The HRESULT returned by Add function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.CAppLockerCSP::Commit + +No content is currently available. + +The following fields are available: + +- **oldId** No content is currently available. +- **txId** No content is currently available. + + +### Microsoft.Windows.Security.AppLockerCSP.ClearParams + +Parameters passed to the "Clear" operation for AppLockerCSP. + +The following fields are available: + +- **uri** The URI relative to the %SYSTEM32%\AppLocker folder. + + +### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStart + +Start of the "ConfigManagerNotification" operation for AppLockerCSP. + +The following fields are available: + +- **NotifyState** State sent by ConfigManager to AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStop + +End of the "ConfigManagerNotification" operation for AppLockerCSP. + +The following fields are available: + +- **hr** HRESULT returned by the ConfigManagerNotification function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceParams + +Parameters passed to the CreateNodeInstance function of the AppLockerCSP node. + +The following fields are available: + +- **NodeId** NodeId passed to CreateNodeInstance. +- **nodeOps** NodeOperations parameter passed to CreateNodeInstance. +- **uri** URI passed to CreateNodeInstance, relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStart + +Start of the "CreateNodeInstance" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStop + +End of the "CreateNodeInstance" operation for the AppLockerCSP node + +The following fields are available: + +- **hr** HRESULT returned by the CreateNodeInstance function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.DeleteChildParams + +Parameters passed to the DeleteChild function of the AppLockerCSP node. + +The following fields are available: + +- **child** The child URI of the node to delete. +- **uri** URI relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.EnumPolicies + +Logged URI relative to %SYSTEM32%\AppLocker, if the Plugin GUID is null, or the CSP doesn't believe the old policy is present. + +The following fields are available: + +- **uri** URI relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesParams + +Parameters passed to the GetChildNodeNames function of the AppLockerCSP node. + +The following fields are available: + +- **uri** URI relative to %SYSTEM32%/AppLocker for MDM node. + + +### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStart + +Start of the "GetChildNodeNames" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStop + +End of the "GetChildNodeNames" operation for the AppLockerCSP node. + +The following fields are available: + +- **child[0]** If function succeeded, the first child's name, else "NA". +- **count** If function succeeded, the number of child node names returned by the function, else 0. +- **hr** HRESULT returned by the GetChildNodeNames function of AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.GetLatestId + +The result of 'GetLatestId' in AppLockerCSP (the latest time stamped GUID). + +The following fields are available: + +- **dirId** The latest directory identifier found by GetLatestId. +- **id** The id returned by GetLatestId if id > 0 - otherwise the dirId parameter. + + +### Microsoft.Windows.Security.AppLockerCSP.HResultException + +HRESULT thrown by any arbitrary function in AppLockerCSP. + +The following fields are available: + +- **file** File in the OS code base in which the exception occurs. +- **function** Function in the OS code base in which the exception occurs. +- **hr** HRESULT that is reported. +- **line** Line in the file in the OS code base in which the exception occurs. + + +### Microsoft.Windows.Security.AppLockerCSP.SetValueParams + +Parameters passed to the SetValue function of the AppLockerCSP node. + +The following fields are available: + +- **dataLength** Length of the value to set. +- **uri** The node URI to that should contain the value, relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.SetValueStart + +Start of the "SetValue" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.SetValueStop + +End of the "SetValue" operation for the AppLockerCSP node. + +The following fields are available: + +- **hr** HRESULT returned by the SetValue function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.TryRemediateMissingPolicies + +EntryPoint of fix step or policy remediation, includes URI relative to %SYSTEM32%\AppLocker that needs to be fixed. + +The following fields are available: + +- **uri** URI for node relative to %SYSTEM32%/AppLocker. + + +## Appraiser events + +### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount + +This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client. + +The following fields are available: + +- **DatasourceApplicationFile_19A** No content is currently available. +- **DatasourceApplicationFile_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_19H1** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS4** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_TH2** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19A** No content is currently available. +- **DatasourceDevicePnp_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS4** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS5** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_TH2** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19A** No content is currently available. +- **DatasourceDriverPackage_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19H1** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS5** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19A** No content is currently available. +- **DataSourceMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19A** No content is currently available. +- **DataSourceMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19A** No content is currently available. +- **DataSourceMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19A** No content is currently available. +- **DatasourceSystemBios_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19H1** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS4** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS5** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_TH2** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19A** No content is currently available. +- **DecisionApplicationFile_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19H1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_TH2** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19A** No content is currently available. +- **DecisionDevicePnp_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19H1** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS5** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_TH2** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19A** No content is currently available. +- **DecisionDriverPackage_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19H1** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS5** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19A** No content is currently available. +- **DecisionMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19A** No content is currently available. +- **DecisionMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19A** No content is currently available. +- **DecisionMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. +- **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19A** No content is currently available. +- **DecisionMediaCenter_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19H1** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19H1Setup** The total DecisionMediaCenter objects targeting the next release of Windows on this device. +- **DecisionMediaCenter_RS4** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_TH2** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_19A** No content is currently available. +- **DecisionSystemBios_19ASetup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_19H1** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device. +- **DecisionSystemBios_RS5** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS5Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device. +- **InventoryApplicationFile** The count of the number of this particular object type present on this device. +- **InventoryLanguagePack** The count of the number of this particular object type present on this device. +- **InventoryMediaCenter** The count of the number of this particular object type present on this device. +- **InventorySystemBios** The count of the number of this particular object type present on this device. +- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. +- **PCFP** The count of the number of this particular object type present on this device. +- **SystemMemory** The count of the number of this particular object type present on this device. +- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. +- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. +- **SystemProcessorNx** The total number of objects of this type present on this device. +- **SystemProcessorPrefetchW** The total number of objects of this type present on this device. +- **SystemProcessorSse2** The total number of objects of this type present on this device. +- **SystemTouch** The count of the number of this particular object type present on this device. +- **SystemWim** The total number of objects of this type present on this device. +- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. +- **SystemWlan** The total number of objects of this type present on this device. +- **Wmdrm_19A** No content is currently available. +- **Wmdrm_19ASetup** The count of the number of this particular object type present on this device. +- **Wmdrm_19H1** The count of the number of this particular object type present on this device. +- **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. +- **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. +- **Wmdrm_RS5** The count of the number of this particular object type present on this device. +- **Wmdrm_RS5Setup** The count of the number of this particular object type present on this device. +- **Wmdrm_TH2** The count of the number of this particular object type present on this device. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd + +Represents the basic metadata about specific application files installed on the system. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file that is generating the events. +- **AvDisplayName** If the app is an anti-virus app, this is its display name. +- **CompatModelIndex** The compatibility prediction for this file. +- **HasCitData** Indicates whether the file is present in CIT data. +- **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file. +- **IsAv** Is the file an anti-virus reporting EXE? +- **ResolveAttempted** This will always be an empty string when sending telemetry. +- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove + +This event indicates that the DatasourceApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync + +This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd + +This event sends compatibility data for a Plug and Play device, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **ActiveNetworkConnection** Indicates whether the device is an active network device. +- **AppraiserVersion** The version of the appraiser file generating the events. +- **CosDeviceRating** An enumeration that indicates if there is a driver on the target operating system. +- **CosDeviceSolution** An enumeration that indicates how a driver on the target operating system is available. +- **CosDeviceSolutionUrl** Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd . Empty string +- **CosPopulatedFromId** The expected uplevel driver matching ID based on driver coverage data. +- **IsBootCritical** Indicates whether the device boot is critical. +- **UplevelInboxDriver** Indicates whether there is a driver uplevel for this device. +- **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update. +- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver. +- **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove + +This event indicates that the DatasourceDevicePnp object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync + +This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd + +This event sends compatibility database data about driver packages to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove + +This event indicates that the DatasourceDriverPackage object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync + +This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd + +This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync + +This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd + +This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync + +This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd + +This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync + +This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd + +This event sends compatibility database information about the BIOS to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync + +This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd + +This event sends compatibility decision data about a file to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file that is generating the events. +- **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. +- **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question. +- **DisplayGenericMessage** Will be a generic message be shown for this file? +- **DisplayGenericMessageGated** Indicates whether a generic message be shown for this file. +- **HardBlock** This file is blocked in the SDB. +- **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? +- **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode? +- **MigRemoval** Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade? +- **NeedsDismissAction** Will the file cause an action that can be dimissed? +- **NeedsInstallPostUpgradeData** After upgrade, the file will have a post-upgrade notification to install a replacement for the app. +- **NeedsNotifyPostUpgradeData** Does the file have a notification that should be shown after upgrade? +- **NeedsReinstallPostUpgradeData** After upgrade, this file will have a post-upgrade notification to reinstall the app. +- **NeedsUninstallAction** The file must be uninstalled to complete the upgrade. +- **SdbBlockUpgrade** The file is tagged as blocking upgrade in the SDB, +- **SdbBlockUpgradeCanReinstall** The file is tagged as blocking upgrade in the SDB. It can be reinstalled after upgrade. +- **SdbBlockUpgradeUntilUpdate** The file is tagged as blocking upgrade in the SDB. If the app is updated, the upgrade can proceed. +- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not block upgrade. +- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade. +- **SoftBlock** The file is softblocked in the SDB and has a warning. + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync + +This event indicates that a new set of DecisionApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd + +This event sends compatibility decision data about a PNP device to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked? +- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate? +- **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked? +- **BlockingDevice** Is this PNP device blocking upgrade? +- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS? +- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device? +- **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device? +- **DisplayGenericMessageGated** Indicates whether a generic message will be shown during Setup for this PNP device. +- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device? +- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? +- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device? +- **DriverBlockOverridden** Is there is a driver block on the device that has been overridden? +- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device? +- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS? +- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade? +- **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden? +- **TEMP_WuFalseAndCosInbox** No content is currently available. +- **TEMP_WuFalseAndCosOnline** No content is currently available. +- **TEMP_WuFalseAndNoCos** No content is currently available. +- **TEMP_WuTrueAndCosInbox** No content is currently available. +- **TEMP_WuTrueAndCosOnline** No content is currently available. +- **TEMP_WuTrueAndNoCos** No content is currently available. + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove + +This event indicates that the DecisionDevicePnp object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync + +The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd + +This event sends decision data about driver package compatibility to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for this driver package. +- **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? +- **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block? +- **DriverIsDriverBlocked** Is the driver package blocked because of a driver block? +- **DriverShouldNotMigrate** Should the driver package be migrated during upgrade? +- **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove + +This event indicates that the DecisionDriverPackage object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync + +This event indicates that a new set of DecisionDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd + +This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks? +- **DisplayGenericMessage** Will a generic message be shown for this block? +- **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block? +- **SdbBlockUpgrade** Is a matching info block blocking upgrade? +- **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag? +- **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag? + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync + +This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd + +This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks? +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown due to matching info blocks. +- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync + +This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd + +This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app? +- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade? +- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app? +- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade). + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync + +This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd + +This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **BlockingApplication** Is there any application issues that interfere with upgrade due to Windows Media Center? +- **MediaCenterActivelyUsed** If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true? +- **MediaCenterIndicators** Do any indicators imply that Windows Media Center is in active use? +- **MediaCenterInUse** Is Windows Media Center actively being used? +- **MediaCenterPaidOrActivelyUsed** Is Windows Media Center actively being used or is it running on a supported edition? +- **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center? + + +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync + +This event indicates that a new set of DecisionMediaCenterAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd + +This event sends compatibility decision data about the BIOS to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the device blocked from upgrade due to a BIOS block? +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for the bios. +- **HasBiosBlock** Does the device have a BIOS block? +- **HasBiosBlockServicing** No content is currently available. +- **HasBiosBlockSwap** No content is currently available. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync + +This event indicates that a new set of DecisionSystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionTestRemove + +No content is currently available. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** No content is currently available. + + +### Microsoft.Windows.Appraiser.General.DecisionTestStartSync + +No content is currently available. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** No content is currently available. + + +### Microsoft.Windows.Appraiser.General.GatedRegChange + +This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date. + +The following fields are available: + +- **NewData** The data in the registry value after the scan completed. +- **OldData** The previous data in the registry value before the scan ran. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **RegKey** The registry key name for which a result is being sent. +- **RegValue** The registry value for which a result is being sent. +- **Time** The client time of the event. + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd + +This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **AvDisplayName** If the app is an antivirus app, this is its display name. +- **AvProductState** Indicates whether the antivirus program is turned on and the signatures are up to date. +- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64. +- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. +- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. +- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata. +- **CompanyName** The company name of the vendor who developed this file. +- **FileId** A hash that uniquely identifies a file. +- **FileVersion** The File version field from the file metadata under Properties -> Details. +- **HasUpgradeExe** Indicates whether the antivirus app has an upgrade.exe file. +- **IsAv** Indicates whether the file an antivirus reporting EXE. +- **LinkDate** The date and time that this file was linked on. +- **LowerCaseLongPath** The full file path to the file that was inventoried on the device. +- **Name** The name of the file that was inventoried. +- **ProductName** The Product name field from the file metadata under Properties -> Details. +- **ProductVersion** The Product version field from the file metadata under Properties -> Details. +- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it. +- **Size** The size of the file (in hexadecimal bytes). + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove + +This event indicates that the InventoryApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync + +This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd + +This event sends data about the number of language packs installed on the system, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **HasLanguagePack** Indicates whether this device has 2 or more language packs. +- **LanguagePackCount** The number of language packs are installed. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove + +This event indicates that the InventoryLanguagePack object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync + +This event indicates that a new set of InventoryLanguagePackAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd + +This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **EverLaunched** Has Windows Media Center ever been launched? +- **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center? +- **HasExtendedUserAccounts** Are any Windows Media Center Extender user accounts configured? +- **HasWatchedFolders** Are any folders configured for Windows Media Center to watch? +- **IsDefaultLauncher** Is Windows Media Center the default app for opening music or video files? +- **IsPaid** Is the user running a Windows Media Center edition that implies they paid for Windows Media Center? +- **IsSupported** Does the running OS support Windows Media Center? + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove + +This event indicates that the InventoryMediaCenter object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync + +This event indicates that a new set of InventoryMediaCenterAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd + +This event sends basic metadata about the BIOS to determine whether it has a compatibility block. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BiosDate** The release date of the BIOS in UTC format. +- **BiosName** The name field from Win32_BIOS. +- **Manufacturer** The manufacturer field from Win32_ComputerSystem. +- **Model** The model field from Win32_ComputerSystem. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync + +This event indicates that a new set of InventorySystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryTestRemove + +No content is currently available. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** No content is currently available. + + +### Microsoft.Windows.Appraiser.General.InventoryTestStartSync + +No content is currently available. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** No content is currently available. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd + +This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BootCritical** Is the driver package marked as boot critical? +- **Build** The build value from the driver package. +- **CatalogFile** The name of the catalog file within the driver package. +- **Class** The device class from the driver package. +- **ClassGuid** The device class unique ID from the driver package. +- **Date** The date from the driver package. +- **Inbox** Is the driver package of a driver that is included with Windows? +- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU. +- **Provider** The provider of the driver package. +- **PublishedName** The name of the INF file after it was renamed. +- **Revision** The revision of the driver package. +- **SignatureStatus** Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2. +- **VersionMajor** The major version of the driver package. +- **VersionMinor** The minor version of the driver package. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove + +This event indicates that the InventoryUplevelDriverPackage object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync + +This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.RunContext + +This event indicates what should be expected in the data payload. + +The following fields are available: + +- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built. +- **AppraiserProcess** The name of the process that launched Appraiser. +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **CensusId** No content is currently available. +- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **Subcontext** Indicates what categories of incompatibilities appraiser is scanning for. Can be N/A, Resolve, or a semicolon-delimited list that can include App, Dev, Sys, Gat, or Rescan. +- **Time** The client time of the event. + + +### Microsoft.Windows.Appraiser.General.SystemMemoryAdd + +This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the device from upgrade due to memory restrictions? +- **MemoryRequirementViolated** Was a memory requirement violated? +- **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes). +- **ram** The amount of memory on the device. +- **ramKB** The amount of memory (in KB). +- **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes). +- **virtualKB** The amount of virtual memory (in KB). + + +### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync + +This event indicates that a new set of SystemMemoryAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd + +This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **CompareExchange128Support** Does the CPU support CompareExchange128? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync + +This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd + +This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **LahfSahfSupport** Does the CPU support LAHF/SAHF? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync + +This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd + +This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support. +- **NXProcessorSupport** Does the processor support NX? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync + +This event indicates that a new set of SystemProcessorNxAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd + +This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **PrefetchWSupport** Does the processor support PrefetchW? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync + +This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add + +This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **SSE2ProcessorSupport** Does the processor support SSE2? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync + +This event indicates that a new set of SystemProcessorSse2Add events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemTouchAdd + +This event sends data indicating whether the system supports touch, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer? +- **MaximumTouches** The maximum number of touch points supported by the device hardware. + + +### Microsoft.Windows.Appraiser.General.SystemTouchStartSync + +This event indicates that a new set of SystemTouchAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWimAdd + +This event sends data indicating whether the operating system is running from a compressed Windows Imaging Format (WIM) file, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **IsWimBoot** Is the current operating system running from a compressed WIM file? +- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM. + + +### Microsoft.Windows.Appraiser.General.SystemWimStartSync + +This event indicates that a new set of SystemWimAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd + +This event sends data indicating whether the current operating system is activated, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated. +- **WindowsNotActivatedDecision** Is the current operating system activated? + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync + +This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWlanAdd + +This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked because of an emulated WLAN driver? +- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block? +- **WlanEmulatedDriver** Does the device have an emulated WLAN driver? +- **WlanExists** Does the device support WLAN at all? +- **WlanModulePresent** Are any WLAN modules present? +- **WlanNativeDriver** Does the device have a non-emulated WLAN driver? + + +### Microsoft.Windows.Appraiser.General.SystemWlanStartSync + +This event indicates that a new set of SystemWlanAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.TelemetryRunHealth + +This event indicates the parameters and result of a telemetry (diagnostic) run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date. + +The following fields are available: + +- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built. +- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run. +- **AppraiserProcess** The name of the process that launched Appraiser. +- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots. +- **AuxFinal** Obsolete, always set to false. +- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app. +- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan. +- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. +- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent. +- **InboxDataVersion** The original version of the data files before retrieving any newer version. +- **IndicatorsWritten** Indicates if all relevant UEX indicators were successfully written or updated. +- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. +- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. +- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. +- **RunDate** The date that the telemetry run was stated, expressed as a filetime. +- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic. +- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. +- **RunResult** The hresult of the Appraiser telemetry run. +- **ScheduledUploadDay** The day scheduled for the upload. +- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run. +- **StoreHandleIsNotNull** Obsolete, always set to false +- **TelementrySent** Indicates if telemetry was successfully sent. +- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability. +- **Time** The client time of the event. +- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging. +- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated. + + +### Microsoft.Windows.Appraiser.General.WmdrmAdd + +This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BlockingApplication** Same as NeedsDismissAction. +- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation. +- **WmdrmApiResult** Raw value of the API used to gather DRM state. +- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs. +- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased. +- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed. +- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses. +- **WmdrmPurchased** Indicates if the system has any files with permanent licenses. + + +### Microsoft.Windows.Appraiser.General.WmdrmStartSync + +This event indicates that a new set of WmdrmAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +## Census events + +### Census.App + +Provides information on IE and Census versions running on the device + +The following fields are available: + +- **AppraiserEnterpriseErrorCode** The error code of the last Appraiser enterprise run. +- **AppraiserErrorCode** The error code of the last Appraiser run. +- **AppraiserRunEndTimeStamp** The end time of the last Appraiser run. +- **AppraiserRunIsInProgressOrCrashed** Flag that indicates if the Appraiser run is in progress or has crashed. +- **AppraiserRunStartTimeStamp** The start time of the last Appraiser run. +- **AppraiserTaskEnabled** Whether the Appraiser task is enabled. +- **AppraiserTaskExitCode** The Appraiser task exist code. +- **AppraiserTaskLastRun** The last runtime for the Appraiser task. +- **CensusVersion** The version of Census that generated the current data for this device. +- **IEVersion** The version of Internet Explorer that is running on the device. + + +### Census.Battery + +This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date. + +The following fields are available: + +- **InternalBatteryCapablities** Represents information about what the battery is capable of doing. +- **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity  to estimate the battery's wear. +- **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh. +- **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance. +- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value. + + +### Census.Camera + +This event sends data about the resolution of cameras on the device, to help keep Windows up to date. + +The following fields are available: + +- **FrontFacingCameraResolution** Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0. +- **RearFacingCameraResolution** Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0. + + +### Census.Enterprise + +This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment. + +The following fields are available: + +- **AADDeviceId** Azure Active Directory device ID. +- **AzureOSIDPresent** Represents the field used to identify an Azure machine. +- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs. +- **CDJType** Represents the type of cloud domain joined for the machine. +- **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers. +- **ContainerType** The type of container, such as process or virtual machine hosted. +- **EnrollmentType** Defines the type of MDM enrollment on the device. +- **HashedDomain** The hashed representation of the user domain used for login. +- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false +- **IsDERequirementMet** Represents if the device can do device encryption. +- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption +- **IsDomainJoined** Indicates whether a machine is joined to a domain. +- **IsEDPEnabled** Represents if Enterprise data protected on the device. +- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. +- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment. +- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. +- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier + + +### Census.Firmware + +This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date. + +The following fields are available: + +- **FirmwareManufacturer** Represents the manufacturer of the device's firmware (BIOS). +- **FirmwareReleaseDate** Represents the date the current firmware was released. +- **FirmwareType** Represents the firmware type. The various types can be unknown, BIOS, UEFI. +- **FirmwareVersion** Represents the version of the current firmware. + + +### Census.Flighting + +This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up to date. + +The following fields are available: + +- **DeviceSampleRate** The telemetry sample rate assigned to the device. +- **DriverTargetRing** No content is currently available. +- **EnablePreviewBuilds** Used to enable Windows Insider builds on a device. +- **FlightIds** A list of the different Windows Insider builds on this device. +- **FlightingBranchName** The name of the Windows Insider branch currently used by the device. +- **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program. +- **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device. +- **SSRK** Retrieves the mobile targeting settings. + + +### Census.Hardware + +This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up to date. + +The following fields are available: + +- **ActiveMicCount** The number of active microphones attached to the device. +- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36. +- **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields. +- **D3DMaxFeatureLevel** Supported Direct3D version. +- **DeviceForm** Indicates the form as per the device classification. +- **DeviceName** The device name that is set by the user. +- **DigitizerSupport** Is a digitizer supported? +- **DUID** The device unique ID. +- **Gyroscope** Indicates whether the device has a gyroscope (a mechanical component that measures and maintains orientation). +- **InventoryId** The device ID used for compatibility testing. +- **Magnetometer** Indicates whether the device has a magnetometer (a mechanical component that works like a compass). +- **NFCProximity** Indicates whether the device supports NFC (a set of communication protocols that helps establish communication when applicable devices are brought close together.) +- **OEMDigitalMarkerFileName** The name of the file placed in the \Windows\system32\drivers directory that specifies the OEM and model name of the device. +- **OEMManufacturerName** The device manufacturer name. The OEMName for an inactive device is not reprocessed even if the clean OEM name is changed at a later date. +- **OEMModelBaseBoard** The baseboard model used by the OEM. +- **OEMModelBaseBoardVersion** Differentiates between developer and retail devices. +- **OEMModelName** The device model name. +- **OEMModelNumber** The device model number. +- **OEMModelSKU** The device edition that is defined by the manufacturer. +- **OEMModelSystemFamily** The system family set on the device by an OEM. +- **OEMModelSystemVersion** The system model version set on the device by the OEM. +- **OEMOptionalIdentifier** A Microsoft assigned value that represents a specific OEM subsidiary. +- **OEMSerialNumber** The serial number of the device that is set by the manufacturer. +- **PhoneManufacturer** The friendly name of the phone manufacturer. +- **PowerPlatformRole** The OEM preferred power management profile. It's used to help to identify the basic form factor of the device. +- **SoCName** The firmware manufacturer of the device. +- **StudyID** Used to identify retail and non-retail device. +- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced. +- **TelemetryLevelLimitEnhanced** The telemetry level for Windows Analytics-based solutions. +- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user. +- **TPMManufacturerId** The ID of the TPM manufacturer. +- **TPMManufacturerVersion** The version of the TPM manufacturer. +- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0. +- **VoiceSupported** Does the device have a cellular radio capable of making voice calls? + + +### Census.Memory + +This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to date. + +The following fields are available: + +- **TotalPhysicalRAM** Represents the physical memory (in MB). +- **TotalVisibleMemory** Represents the memory that is not reserved by the system. + + +### Census.Network + +This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors), to help keep Windows up to date. + +The following fields are available: + +- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. +- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. +- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MEID** Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. +- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MobileOperatorBilling** Represents the telephone company that provides services for mobile phone users. +- **MobileOperatorCommercialized** Represents which reseller and geography the phone is commercialized for. This is the set of values on the phone for who and where it was intended to be used. For example, the commercialized mobile operator code AT&T in the US would be ATT-US. +- **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. +- **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. +- **NetworkAdapterGUID** The GUID of the primary network adapter. +- **NetworkCost** Represents the network cost associated with a connection. +- **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. +- **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. + + +### Census.OS + +This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date. + +The following fields are available: + +- **ActivationChannel** Retrieves the retail license key or Volume license key for a machine. +- **AssignedAccessStatus** Kiosk configuration mode. +- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled. +- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy. +- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time +- **GenuineState** Retrieves the ID Value specifying the OS Genuine check. +- **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update). +- **InstallLanguage** The first language installed on the user machine. +- **IsDeviceRetailDemo** Retrieves if the device is running in demo mode. +- **IsEduData** Returns Boolean if the education data policy is enabled. +- **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go +- **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI. +- **LanguagePacks** The list of language packages installed on the device. +- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store. +- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. +- **OSEdition** Retrieves the version of the current OS. +- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc +- **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). +- **OSSKU** Retrieves the Friendly Name of OS Edition. +- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. +- **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines. +- **OSTimeZoneBiasInMins** Retrieves the time zone set on machine. +- **OSUILocale** Retrieves the locale of the UI that is currently used by the OS. +- **ProductActivationResult** Returns Boolean if the OS Activation was successful. +- **ProductActivationTime** Returns the OS Activation time for tracking piracy issues. +- **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key. +- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability. +- **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. +- **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. +- **ServiceProductKeyID** Retrieves the License key of the KMS +- **SharedPCMode** Returns Boolean for education devices used as shared cart +- **Signature** Retrieves if it is a signature machine sold by Microsoft store. +- **SLICStatus** Whether a SLIC table exists on the device. +- **SLICVersion** Returns OS type/version from SLIC table. + + +### Census.PrivacySettings + +This event provides information about the device level privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represent the authority that set the value. The effective consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. + +The following fields are available: + +- **Activity** Current state of the activity history setting. +- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. +- **ActivityHistoryCollection** Current state of the activity history collection setting. +- **AdvertisingId** Current state of the advertising ID setting. +- **AppDiagnostics** Current state of the app diagnostics setting. +- **Appointments** Current state of the calendar setting. +- **Bluetooth** Current state of the Bluetooth capability setting. +- **BluetoothSync** Current state of the Bluetooth sync capability setting. +- **BroadFileSystemAccess** Current state of the broad file system access setting. +- **CellularData** Current state of the cellular data capability setting. +- **Chat** Current state of the chat setting. +- **Contacts** Current state of the contacts setting. +- **DocumentsLibrary** Current state of the documents library setting. +- **Email** Current state of the email setting. +- **FindMyDevice** Current state of the "find my device" setting. +- **GazeInput** Current state of the gaze input setting. +- **HumanInterfaceDevice** Current state of the human interface device setting. +- **InkTypeImprovement** Current state of the improve inking and typing setting. +- **Location** Current state of the location setting. +- **LocationHistory** Current state of the location history setting. +- **LocationHistoryCloudSync** No content is currently available. +- **LocationHistoryOnTimeline** No content is currently available. +- **Microphone** Current state of the microphone setting. +- **PhoneCall** Current state of the phone call setting. +- **PhoneCallHistory** Current state of the call history setting. +- **PicturesLibrary** Current state of the pictures library setting. +- **Radios** Current state of the radios setting. +- **SensorsCustom** Current state of the custom sensor setting. +- **SerialCommunication** Current state of the serial communication setting. +- **Sms** Current state of the text messaging setting. +- **SpeechPersonalization** Current state of the speech services setting. +- **USB** Current state of the USB setting. +- **UserAccountInformation** Current state of the account information setting. +- **UserDataTasks** Current state of the tasks setting. +- **UserNotificationListener** Current state of the notifications setting. +- **VideosLibrary** Current state of the videos library setting. +- **Webcam** Current state of the camera setting. +- **WiFiDirect** Current state of the Wi-Fi direct setting. + + +### Census.Processor + +Provides information on several important data points about Processor settings + +The following fields are available: + +- **KvaShadow** This is the micro code information of the processor. +- **MMSettingOverride** Microcode setting of the processor. +- **MMSettingOverrideMask** Microcode setting override of the processor. +- **PreviousUpdateRevision** Previous microcode revision +- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. +- **ProcessorClockSpeed** Clock speed of the processor in MHz. +- **ProcessorCores** Number of logical cores in the processor. +- **ProcessorIdentifier** Processor Identifier of a manufacturer. +- **ProcessorManufacturer** Name of the processor manufacturer. +- **ProcessorModel** Name of the processor model. +- **ProcessorPhysicalCores** Number of physical cores in the processor. +- **ProcessorUpdateRevision** The microcode revision. +- **ProcessorUpdateStatus** Enum value that represents the processor microcode load status +- **SocketCount** Count of CPU sockets. +- **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability. + + +### Census.Security + +This event provides information on about security settings used to help keep Windows up to date and secure. + +The following fields are available: + +- **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard. +- **CGRunning** Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. This field tells if Credential Guard is running. +- **DGState** This field summarizes the Device Guard state. +- **HVCIRunning** Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all software running in kernel mode to safely allocate memory. This field tells if HVCI is running. +- **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest. +- **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host. +- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security. +- **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting. +- **SModeState** The Windows S mode trail state. +- **VBSState** Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled, Enabled, or Running. + + +### Census.Speech + +This event is used to gather basic speech settings on the device. + +The following fields are available: + +- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked. +- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities. +- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user. +- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. +- **KeyVer** Version information for the census speech event. +- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS). +- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. +- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities. +- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice. +- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device. +- **SpeechServicesValueSource** Indicates the deciding factor for the effective online speech recognition privacy policy settings: remote admin, local admin, or user preference. + + +### Census.Storage + +This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date. + +The following fields are available: + +- **PrimaryDiskTotalCapacity** Retrieves the amount of disk space on the primary disk of the device in MB. +- **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any). +- **StorageReservePassedPolicy** No content is currently available. +- **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB. + + +### Census.Userdefault + +This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date. + +The following fields are available: + +- **CalendarType** The calendar identifiers that are used to specify different calendars. +- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. +- **DefaultBrowserProgId** The ProgramId of the current user's default browser. +- **LongDateFormat** The long date format the user has selected. +- **ShortDateFormat** The short date format the user has selected. + + +### Census.UserDisplay + +This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date. + +The following fields are available: + +- **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display. +- **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display. +- **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display. +- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display. +- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display. +- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display. +- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches . +- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches +- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine +- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine. +- **VRAMDedicated** Retrieves the video RAM in MB. +- **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card. +- **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use. + + +### Census.UserNLS + +This event sends data about the default app language, input, and display language preferences set by the user, to help keep Windows up to date. + +The following fields are available: + +- **DefaultAppLanguage** The current user Default App Language. +- **DisplayLanguage** The current user preferred Windows Display Language. +- **HomeLocation** The current user location, which is populated using GetUserGeoId() function. +- **KeyboardInputLanguages** The Keyboard input languages installed on the device. +- **SpeechInputLanguages** The Speech Input languages installed on the device. + + +### Census.UserPrivacySettings + +This event provides information about the current users privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represents the authority that set the value. The effective consent is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = user, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. + +The following fields are available: + +- **Activity** Current state of the activity history setting. +- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. +- **ActivityHistoryCollection** Current state of the activity history collection setting. +- **AdvertisingId** Current state of the advertising ID setting. +- **AppDiagnostics** Current state of the app diagnostics setting. +- **Appointments** Current state of the calendar setting. +- **Bluetooth** Current state of the Bluetooth capability setting. +- **BluetoothSync** Current state of the Bluetooth sync capability setting. +- **BroadFileSystemAccess** Current state of the broad file system access setting. +- **CellularData** Current state of the cellular data capability setting. +- **Chat** Current state of the chat setting. +- **Contacts** Current state of the contacts setting. +- **DocumentsLibrary** Current state of the documents library setting. +- **Email** Current state of the email setting. +- **GazeInput** Current state of the gaze input setting. +- **HumanInterfaceDevice** Current state of the human interface device setting. +- **InkTypeImprovement** Current state of the improve inking and typing setting. +- **InkTypePersonalization** Current state of the inking and typing personalization setting. +- **Location** Current state of the location setting. +- **LocationHistory** Current state of the location history setting. +- **LocationHistoryCloudSync** No content is currently available. +- **LocationHistoryOnTimeline** No content is currently available. +- **Microphone** Current state of the microphone setting. +- **PhoneCall** Current state of the phone call setting. +- **PhoneCallHistory** Current state of the call history setting. +- **PicturesLibrary** Current state of the pictures library setting. +- **Radios** Current state of the radios setting. +- **SensorsCustom** Current state of the custom sensor setting. +- **SerialCommunication** Current state of the serial communication setting. +- **Sms** Current state of the text messaging setting. +- **SpeechPersonalization** Current state of the speech services setting. +- **USB** Current state of the USB setting. +- **UserAccountInformation** Current state of the account information setting. +- **UserDataTasks** Current state of the tasks setting. +- **UserNotificationListener** Current state of the notifications setting. +- **VideosLibrary** Current state of the videos library setting. +- **Webcam** Current state of the camera setting. +- **WiFiDirect** Current state of the Wi-Fi direct setting. + + +### Census.VM + +This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date. + +The following fields are available: + +- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within. +- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor. +- **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present. +- **IsVDI** Is the device using Virtual Desktop Infrastructure? +- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors. +- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware. +- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware. + + +### Census.WU + +This event sends data about the Windows update server and other App store policies, to help keep Windows up to date. + +The following fields are available: + +- **AppraiserGatedStatus** Indicates whether a device has been gated for upgrading. +- **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled). +- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured +- **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting +- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades. +- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it? +- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update? +- **OSAssessmentForQualityUpdate** Is the device on the latest quality update? +- **OSAssessmentForSecurityUpdate** Is the device on the latest security update? +- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it? +- **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment. +- **OSRollbackCount** The number of times feature updates have rolled back on the device. +- **OSRolledBack** A flag that represents when a feature update has rolled back during setup. +- **OSUninstalled** A flag that represents when a feature update is uninstalled on a device . +- **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device. +- **OSWUAutoUpdateOptionsSource** The source of auto update setting that appears in the OSWUAutoUpdateOptions field. For example: Group Policy (GP), Mobile Device Management (MDM), and Default. +- **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently. +- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). +- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. +- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. +- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. +- **WUPauseState** Retrieves WU setting to determine if updates are paused. +- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). + + +## Common data extensions + +### Common Data Extensions.app + +Describes the properties of the running application. This extension could be populated by a client app or a web app. + +The following fields are available: + +- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session. +- **env** The environment from which the event was logged. +- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event. +- **id** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application. +- **locale** The locale of the app. +- **name** The name of the app. +- **userId** The userID as known by the application. +- **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app. + + +### Common Data Extensions.container + +Describes the properties of the container for events logged within a container. + +The following fields are available: + +- **epoch** An ID that's incremented for each SDK initialization. +- **localId** The device ID as known by the client. +- **osVer** The operating system version. +- **seq** An ID that's incremented for each event. +- **type** The container type. Examples: Process or VMHost + + +### Common Data Extensions.cs + +Describes properties related to the schema of the event. + +The following fields are available: + +- **sig** A common schema signature that identifies new and modified event schemas. + + +### Common Data Extensions.device + +Describes the device-related fields. + +The following fields are available: + +- **deviceClass** The device classification. For example, Desktop, Server, or Mobile. +- **localId** A locally-defined unique ID for the device. This is not the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId +- **make** Device manufacturer. +- **model** Device model. + + +### Common Data Extensions.Envelope + +Represents an envelope that contains all of the common data extensions. + +The following fields are available: + +- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries. +- **data** Represents the optional unique diagnostic data for a particular event schema. +- **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp). +- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer). +- **ext_cs** Describes properties related to the schema of the event. See [Common Data Extensions.cs](#common-data-extensionscs). +- **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice). +- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos). +- **ext_receipts** Describes the fields related to time as provided by the client for debugging purposes. See [Common Data Extensions.receipts](#common-data-extensionsreceipts). +- **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk). +- **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser). +- **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc). +- **ext_xbl** Describes the fields related to XBOX Live. See [Common Data Extensions.xbl](#common-data-extensionsxbl). +- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency. +- **iKey** Represents an ID for applications or other logical groupings of events. +- **name** Represents the uniquely qualified name for the event. +- **popSample** Represents the effective sample rate for this event at the time it was generated by a client. +- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format. +- **ver** Represents the major and minor version of the extension. + + +### Common Data Extensions.os + +Describes some properties of the operating system. + +The following fields are available: + +- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot. +- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema. +- **locale** Represents the locale of the operating system. +- **name** Represents the operating system name. +- **ver** Represents the major and minor version of the extension. + + +### Common Data Extensions.receipts + +Represents various time information as provided by the client and helps for debugging purposes. + +The following fields are available: + +- **originalTime** The original event time. +- **uploadTime** The time the event was uploaded. + + +### Common Data Extensions.sdk + +Used by platform specific libraries to record fields that are required for a specific SDK. + +The following fields are available: + +- **epoch** An ID that is incremented for each SDK initialization. +- **installId** An ID that's created during the initialization of the SDK for the first time. +- **libVer** The SDK version. +- **seq** An ID that is incremented for each event. + + +### Common Data Extensions.user + +Describes the fields related to a user. + +The following fields are available: + +- **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token. +- **locale** The language and region. +- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID. + + +### Common Data Extensions.utc + +Describes the properties that could be populated by a logging library on Windows. + +The following fields are available: + +- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW. +- **bSeq** Upload buffer sequence number in the format: buffer identifier:sequence number +- **cat** Represents a bitmask of the ETW Keywords associated with the event. +- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer. +- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server. +- **flags** Represents the bitmap that captures various Windows specific flags. +- **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence +- **op** Represents the ETW Op Code. +- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. +- **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server. +- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. + + +### Common Data Extensions.xbl + +Describes the fields that are related to XBOX Live. + +The following fields are available: + +- **claims** Any additional claims whose short claim name hasn't been added to this structure. +- **did** XBOX device ID +- **dty** XBOX device type +- **dvr** The version of the operating system on the device. +- **eid** A unique ID that represents the developer entity. +- **exp** Expiration time +- **ip** The IP address of the client device. +- **nbf** Not before time +- **pid** A comma separated list of PUIDs listed as base10 numbers. +- **sbx** XBOX sandbox identifier +- **sid** The service instance ID. +- **sty** The service type. +- **tid** The XBOX Live title ID. +- **tvr** The XBOX Live title version. +- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. +- **xid** A list of base10-encoded XBOX User IDs. + + +## Common data fields + +### Ms.Device.DeviceInventoryChange + +Describes the installation state for all hardware and software components available on a particular device. + +The following fields are available: + +- **action** The change that was invoked on a device inventory object. +- **inventoryId** Device ID used for Compatibility testing +- **objectInstanceId** Object identity which is unique within the device scope. +- **objectType** Indicates the object type that the event applies to. +- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. + + +## Component-based servicing events + +### CbsServicingProvider.CbsCapabilityEnumeration + +This event reports on the results of scanning for optional Windows content on Windows Update. + +The following fields are available: + +- **architecture** Indicates the scan was limited to the specified architecture. +- **capabilityCount** The number of optional content packages found during the scan. +- **clientId** The name of the application requesting the optional content. +- **duration** The amount of time it took to complete the scan. +- **hrStatus** The HReturn code of the scan. +- **language** Indicates the scan was limited to the specified language. +- **majorVersion** Indicates the scan was limited to the specified major version. +- **minorVersion** Indicates the scan was limited to the specified minor version. +- **namespace** Indicates the scan was limited to packages in the specified namespace. +- **sourceFilter** A bitmask indicating the scan checked for locally available optional content. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionFinalize + +This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. + +The following fields are available: + +- **capabilities** The names of the optional content packages that were installed. +- **clientId** The name of the application requesting the optional content. +- **currentID** The ID of the current install session. +- **downloadSource** The source of the download. +- **highestState** The highest final install state of the optional content. +- **hrLCUReservicingStatus** Indicates whether the optional content was updated to the latest available version. +- **hrStatus** The HReturn code of the install operation. +- **rebootCount** The number of reboots required to complete the install. +- **retryID** The session ID that will be used to retry a failed operation. +- **retryStatus** Indicates whether the install will be retried in the event of failure. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionPended + +This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date. + +The following fields are available: + +- **clientId** The name of the application requesting the optional content. +- **pendingDecision** Indicates the cause of reboot, if applicable. + + +### CbsServicingProvider.CbsSelectableUpdateChangeV2 + +No content is currently available. + +The following fields are available: + +- **applicableUpdateState** No content is currently available. +- **buildVersion** No content is currently available. +- **clientId** No content is currently available. +- **downloadSource** No content is currently available. +- **downloadtimeInSeconds** No content is currently available. +- **executionID** No content is currently available. +- **executionSequence** No content is currently available. +- **firstMergedExecutionSequence** No content is currently available. +- **firstMergedID** No content is currently available. +- **hrDownloadResult** No content is currently available. +- **hrStatusUpdate** No content is currently available. +- **identityHash** No content is currently available. +- **initiatedOffline** No content is currently available. +- **majorVersion** No content is currently available. +- **minorVersion** No content is currently available. +- **packageArchitecture** No content is currently available. +- **packageLanguage** No content is currently available. +- **packageName** No content is currently available. +- **rebootRequired** No content is currently available. +- **revisionVersion** No content is currently available. +- **stackBuild** No content is currently available. +- **stackMajorVersion** No content is currently available. +- **stackMinorVersion** No content is currently available. +- **stackRevision** No content is currently available. +- **updateName** No content is currently available. +- **updateStartState** No content is currently available. +- **updateTargetState** No content is currently available. + + +## Diagnostic data events + +### TelClientSynthetic.ConnectivityHeartBeat_0 + +This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. + +The following fields are available: + +- **CensusExitCode** Returns last execution codes from census client run. +- **CensusStartTime** Returns timestamp corresponding to last successful census run. +- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. +- **LastConnectivityLossTime** Retrieves the last time the device lost free network. +- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. +- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. +- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds. + + +### TelClientSynthetic.HeartBeat_5 + +This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. + +The following fields are available: + +- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel. +- **CensusExitCode** The last exit code of the Census task. +- **CensusStartTime** Time of last Census run. +- **CensusTaskEnabled** True if Census is enabled, false otherwise. +- **CompressedBytesUploaded** Number of compressed bytes uploaded. +- **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. +- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. +- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling. +- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB. +- **DbCriticalDroppedCount** Total number of dropped critical events in event DB. +- **DbDroppedCount** Number of events dropped due to DB fullness. +- **DbDroppedFailureCount** Number of events dropped due to DB failures. +- **DbDroppedFullCount** Number of events dropped due to DB fullness. +- **DecodingDroppedCount** Number of events dropped due to decoding failures. +- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. +- **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. +- **EventsPersistedCount** Number of events that reached the PersistEvent stage. +- **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC. +- **EventStoreResetCounter** Number of times event DB was reset. +- **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance. +- **EventsUploaded** Number of events uploaded. +- **Flags** Flags indicating device state such as network state, battery state, and opt-in state. +- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. +- **HeartBeatSequenceNumber** The sequence number of this heartbeat. +- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. +- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. +- **LastEventSizeOffender** Event name of last event which exceeded max event size. +- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. +- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. +- **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. +- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). +- **PrivacyBlockedCount** No content is currently available. +- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. +- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. +- **SettingsHttpFailures** The number of failures from contacting the OneSettings service. +- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. +- **TopUploaderErrors** List of top errors received from the upload endpoint. +- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. +- **UploaderErrorCount** Number of errors received from the upload endpoint. +- **VortexFailuresTimeout** The number of timeout failures received from Vortex. +- **VortexHttpAttempts** Number of attempts to contact Vortex. +- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. +- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. +- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. +- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. + + +## DxgKernelTelemetry events + +### DxgKrnlTelemetry.GPUAdapterInventoryV2 + +This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date. + +The following fields are available: + +- **AdapterTypeValue** The numeric value indicating the type of Graphics adapter. +- **aiSeqId** The event sequence ID. +- **bootId** The system boot ID. +- **BrightnessVersionViaDDI** The version of the Display Brightness Interface. +- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. +- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). +- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). +- **DisplayAdapterLuid** The display adapter LUID. +- **DriverDate** The date of the display driver. +- **DriverRank** The rank of the display driver. +- **DriverVersion** The display driver version. +- **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store. +- **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store. +- **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store. +- **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store. +- **GPUDeviceID** The GPU device ID. +- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. +- **GPURevisionID** The GPU revision ID. +- **GPUVendorID** The GPU vendor ID. +- **InterfaceId** The GPU interface ID. +- **IsDisplayDevice** Does the GPU have displaying capabilities? +- **IsHwSchSupported** No content is currently available. +- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? +- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? +- **IsLDA** Is the GPU comprised of Linked Display Adapters? +- **IsMiracastSupported** Does the GPU support Miracast? +- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor? +- **IsMPOSupported** Does the GPU support Multi-Plane Overlays? +- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution? +- **IsPostAdapter** Is this GPU the POST GPU in the device? +- **IsRemovable** TRUE if the adapter supports being disabled or removed. +- **IsRenderDevice** Does the GPU have rendering capabilities? +- **IsSoftwareDevice** Is this a software implementation of the GPU? +- **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store. +- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? +- **NumVidPnSources** The number of supported display output sources. +- **NumVidPnTargets** The number of supported display output targets. +- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes). +- **SubSystemID** The subsystem ID. +- **SubVendorID** The GPU sub vendor ID. +- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? +- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) +- **version** The event version. +- **WDDMVersion** The Windows Display Driver Model version. + + +## Fault Reporting events + +### Microsoft.Windows.FaultReporting.AppCrashEvent + +This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event. + +The following fields are available: + +- **AppName** The name of the app that has crashed. +- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. +- **AppTimeStamp** The date/time stamp of the app. +- **AppVersion** The version of the app that has crashed. +- **ExceptionCode** The exception code returned by the process that has crashed. +- **ExceptionOffset** The address where the exception had occurred. +- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. +- **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. +- **IsFatal** True/False to indicate whether the crash resulted in process termination. +- **ModName** Exception module name (e.g. bar.dll). +- **ModTimeStamp** The date/time stamp of the module. +- **ModVersion** The version of the module that has crashed. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has crashed. +- **ProcessId** The ID of the process that has crashed. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported +- **TargetAsId** The sequence number for the hanging process. + + +## Hang Reporting events + +### Microsoft.Windows.HangReporting.AppHangEvent + +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. + +The following fields are available: + +- **AppName** The name of the app that has hung. +- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend. +- **AppVersion** The version of the app that has hung. +- **IsFatal** True/False based on whether the hung application caused the creation of a Fatal Hang Report. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has hung. +- **ProcessId** The ID of the process that has hung. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported. +- **TargetAsId** The sequence number for the hanging process. +- **TypeCode** Bitmap describing the hang type. +- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application. +- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting. +- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting. +- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package. + + +## Inventory events + +### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum + +This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. + +The following fields are available: + +- **Device** A count of device objects in cache. +- **DeviceCensus** A count of device census objects in cache. +- **DriverPackageExtended** A count of driverpackageextended objects in cache. +- **File** A count of file objects in cache. +- **FileSigningInfo** A count of file signing objects in cache. +- **Generic** A count of generic objects in cache. +- **HwItem** A count of hwitem objects in cache. +- **InventoryApplication** A count of application objects in cache. +- **InventoryApplicationAppV** A count of application AppV objects in cache. +- **InventoryApplicationDriver** A count of application driver objects in cache +- **InventoryApplicationFile** A count of application file objects in cache. +- **InventoryApplicationFramework** A count of application framework objects in cache +- **InventoryApplicationShortcut** A count of application shortcut objects in cache +- **InventoryDeviceContainer** A count of device container objects in cache. +- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache. +- **InventoryDeviceMediaClass** A count of device media objects in cache. +- **InventoryDevicePnp** A count of device Plug and Play objects in cache. +- **InventoryDeviceUsbHubClass** A count of device usb objects in cache +- **InventoryDriverBinary** A count of driver binary objects in cache. +- **InventoryDriverPackage** A count of device objects in cache. +- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache +- **InventoryMiscellaneousOfficeAddInUsage** A count of office add-in usage objects in cache. +- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache +- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache +- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache +- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache +- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache +- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache +- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache +- **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache +- **Metadata** A count of metadata objects in cache. +- **Orphan** A count of orphan file objects in cache. +- **Programs** A count of program objects in cache. + + +### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions + +This event sends inventory component versions for the Device Inventory data. + +The following fields are available: + +- **aeinv** The version of the App inventory component. +- **devinv** The file version of the Device inventory component. + + +### Microsoft.Windows.Inventory.Core.FileSigningInfoAdd + +This event enumerates the signatures of files, either driver packages or application executables. For driver packages, this data is collected on demand via Telecommand to limit it only to unrecognized driver packages, saving time for the client and space on the server. For applications, this data is collected for up to 10 random executables on a system. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **CatalogSigners** Signers from catalog. Each signer starts with Chain. +- **DigestAlgorithm** No content is currently available. +- **DriverPackageStrongName** Optional. Available only if FileSigningInfo is collected on a driver package. +- **EmbeddedSigners** Embedded signers. Each signer starts with Chain. +- **FileName** The file name of the file whose signatures are listed. +- **FileType** Either exe or sys, depending on if a driver package or application executable. +- **InventoryVersion** The version of the inventory file generating the events. +- **Thumbprint** Comma separated hash of the leaf node of each signer. Semicolon is used to separate CatalogSigners from EmbeddedSigners. There will always be a trailing comma. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd + +This event sends basic metadata about an application on the system to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **HiddenArp** Indicates whether a program hides itself from showing up in ARP. +- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). +- **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 +- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. +- **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array. +- **InventoryVersion** The version of the inventory file generating the events. +- **Language** The language code of the program. +- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. +- **MsiProductCode** A GUID that describe the MSI Product. +- **Name** The name of the application. +- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. +- **PackageFullName** The package full name for a Store application. +- **ProgramInstanceId** A hash of the file IDs in an app. +- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field. +- **RootDirPath** The path to the root directory where the program was installed. +- **Source** How the program was installed (for example, ARP, MSI, Appx). +- **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp. +- **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen. +- **Version** The version number of the program. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd + +This event represents what drivers an application installs. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory component +- **ProgramIds** The unique program identifier the driver is associated with + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync + +The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory component. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationFileAdd + +No content is currently available. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **BinaryType** No content is currently available. +- **BinFileVersion** No content is currently available. +- **BinProductVersion** No content is currently available. +- **BoeProgramId** No content is currently available. +- **CompanyName** No content is currently available. +- **FileId** No content is currently available. +- **FileVersion** No content is currently available. +- **InventoryVersion** No content is currently available. +- **Language** No content is currently available. +- **LinkDate** No content is currently available. +- **LowerCaseLongPath** No content is currently available. +- **Name** No content is currently available. +- **ProductName** No content is currently available. +- **ProductVersion** No content is currently available. +- **ProgramId** No content is currently available. +- **Size** No content is currently available. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd + +This event provides the basic metadata about the frameworks an application may depend on. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **FileId** A hash that uniquely identifies a file. +- **Frameworks** The list of frameworks this file depends on. +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync + +This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove + +This event indicates that a new set of InventoryDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync + +This event indicates that a new set of InventoryApplicationAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd + +This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device) to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Categories** A comma separated list of functional categories in which the container belongs. +- **DiscoveryMethod** The discovery method for the device container. +- **FriendlyName** The name of the device container. +- **Icon** No content is currently available. +- **InventoryVersion** The version of the inventory file generating the events. +- **IsActive** Is the device connected, or has it been seen in the last 14 days? +- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link. +- **IsMachineContainer** Is the container the root device itself? +- **IsNetworked** Is this a networked device? +- **IsPaired** Does the device container require pairing? +- **Manufacturer** The manufacturer name for the device container. +- **ModelId** A unique model ID. +- **ModelName** The model name. +- **ModelNumber** The model number for the device container. +- **PrimaryCategory** The primary category for the device container. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove + +This event indicates that the InventoryDeviceContainer object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync + +This event indicates that a new set of InventoryDeviceContainerAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd + +This event retrieves information about what sensor interfaces are available on the device. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Accelerometer3D** Indicates if an Accelerator3D sensor is found. +- **ActivityDetection** Indicates if an Activity Detection sensor is found. +- **AmbientLight** Indicates if an Ambient Light sensor is found. +- **Barometer** Indicates if a Barometer sensor is found. +- **Custom** Indicates if a Custom sensor is found. +- **EnergyMeter** Indicates if an Energy sensor is found. +- **FloorElevation** Indicates if a Floor Elevation sensor is found. +- **GeomagneticOrientation** Indicates if a Geo Magnetic Orientation sensor is found. +- **GravityVector** Indicates if a Gravity Detector sensor is found. +- **Gyrometer3D** Indicates if a Gyrometer3D sensor is found. +- **Humidity** Indicates if a Humidity sensor is found. +- **InventoryVersion** The version of the inventory file generating the events. +- **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found. +- **Magnetometer3D** Indicates if a Magnetometer3D sensor is found. +- **Orientation** Indicates if an Orientation sensor is found. +- **Pedometer** Indicates if a Pedometer sensor is found. +- **Proximity** Indicates if a Proximity sensor is found. +- **RelativeOrientation** Indicates if a Relative Orientation sensor is found. +- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found. +- **Temperature** Indicates if a Temperature sensor is found. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync + +This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd + +This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Audio_CaptureDriver** The Audio device capture driver endpoint. +- **Audio_RenderDriver** The Audio device render driver endpoint. +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove + +This event indicates that the InventoryDeviceMediaClassRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync + +This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd + +This event represents the basic metadata about a plug and play (PNP) device and its associated driver. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **BusReportedDescription** The description of the device reported by the bux. +- **Class** The device setup class of the driver loaded for the device. +- **ClassGuid** The device class GUID from the driver package +- **COMPID** The device setup class guid of the driver loaded for the device. +- **ContainerId** The list of compat ids for the device. +- **Description** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer. +- **DeviceInterfaceClasses** No content is currently available. +- **DeviceState** The device description. +- **DriverId** DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 288 (0x120)= device is a wireless device that is present +- **DriverName** A unique identifier for the driver installed. +- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage +- **DriverVerDate** Name of the .sys image file (or wudfrd.sys if using user mode driver framework). +- **DriverVerVersion** The immediate parent directory name in the Directory field of InventoryDriverPackage. +- **Enumerator** The date of the driver loaded for the device. +- **ExtendedInfs** The extended INF file names. +- **HWID** The version of the driver loaded for the device. +- **Inf** The bus that enumerated the device. +- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx +- **InventoryVersion** List of hardware ids for the device. +- **LowerClassFilters** Lower filter class drivers IDs installed for the device +- **LowerFilters** Lower filter drivers IDs installed for the device +- **Manufacturer** INF file name (the name could be renamed by OS, such as oemXX.inf) +- **MatchingID** Device installation state. +- **Model** The version of the inventory binary generating the events. +- **ParentId** Lower filter class drivers IDs installed for the device. +- **ProblemCode** Lower filter drivers IDs installed for the device. +- **Provider** The device manufacturer. +- **Service** The device service name +- **STACKID** Represents the hardware ID or compatible ID that Windows uses to install a device instance. +- **UpperClassFilters** Upper filter drivers IDs installed for the device +- **UpperFilters** The device model. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove + +This event indicates that the InventoryDevicePnpRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync + +This event indicates that a new set of InventoryDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd + +This event sends basic metadata about the USB hubs on the device. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. +- **TotalUserConnectablePorts** Total number of connectable USB ports. +- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync + +This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd + +This event provides the basic metadata about driver binaries running on the system. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **DriverCheckSum** The checksum of the driver file. +- **DriverCompany** The company name that developed the driver. +- **DriverInBox** Is the driver included with the operating system? +- **DriverIsKernelMode** Is it a kernel mode driver? +- **DriverName** The file name of the driver. +- **DriverPackageStrongName** The strong name of the driver package +- **DriverSigned** The strong name of the driver package +- **DriverTimeStamp** The low 32 bits of the time stamp of the driver file. +- **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. +- **DriverVersion** The version of the driver file. +- **ImageSize** The size of the driver file. +- **Inf** The name of the INF file. +- **InventoryVersion** The version of the inventory file generating the events. +- **Product** The product name that is included in the driver file. +- **ProductVersion** The product version that is included in the driver file. +- **Service** The name of the service that is installed for the device. +- **WdfVersion** The Windows Driver Framework version. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove + +This event indicates that the InventoryDriverBinary object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync + +This event indicates that a new set of InventoryDriverBinaryAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd + +This event sends basic metadata about drive packages installed on the system to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Class** The class name for the device driver. +- **ClassGuid** The class GUID for the device driver. +- **Date** The driver package date. +- **Directory** The path to the driver package. +- **DriverInBox** Is the driver included with the operating system? +- **Inf** The INF name of the driver package. +- **InventoryVersion** The version of the inventory file generating the events. +- **Provider** The provider for the driver package. +- **SubmissionId** The HLK submission ID for the driver package. +- **Version** The version of the driver package. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove + +This event indicates that the InventoryDriverPackageRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync + +This event indicates that a new set of InventoryDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.StartUtcJsonTrace + +This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the beginning of the event download, and that tracing should begin. + + + +### Microsoft.Windows.Inventory.Core.StopUtcJsonTrace + +This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the end of the event download, and that tracing should end. + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd + +Provides data on the installed Office Add-ins. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AddinCLSID** The class identifier key for the Microsoft Office add-in. +- **AddInId** The identifier for the Microsoft Office add-in. +- **AddinType** The type of the Microsoft Office add-in. +- **BinFileTimestamp** The timestamp of the Office add-in. +- **BinFileVersion** The version of the Microsoft Office add-in. +- **Description** Description of the Microsoft Office add-in. +- **FileId** The file identifier of the Microsoft Office add-in. +- **FileSize** The file size of the Microsoft Office add-in. +- **FriendlyName** The friendly name for the Microsoft Office add-in. +- **FullPath** The full path to the Microsoft Office add-in. +- **InventoryVersion** The version of the inventory binary generating the events. +- **LoadBehavior** Integer that describes the load behavior. +- **OfficeApplication** The Microsoft Office application associated with the add-in. +- **OfficeArchitecture** The architecture of the add-in. +- **OfficeVersion** The Microsoft Office version for this add-in. +- **OutlookCrashingAddin** Indicates whether crashes have been found for this add-in. +- **ProductCompany** The name of the company associated with the Office add-in. +- **ProductName** The product name associated with the Microsoft Office add-in. +- **ProductVersion** The version associated with the Office add-in. +- **ProgramId** The unique program identifier of the Microsoft Office add-in. +- **Provider** Name of the provider for this add-in. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync + +This event indicates that a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd + +Provides data on the Office identifiers. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OAudienceData** Sub-identifier for Microsoft Office release management, identifying the pilot group for a device +- **OAudienceId** Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device +- **OMID** Identifier for the Office SQM Machine +- **OPlatform** Whether the installed Microsoft Office product is 32-bit or 64-bit +- **OTenantId** Unique GUID representing the Microsoft O365 Tenant +- **OVersion** Installed version of Microsoft Office. For example, 16.0.8602.1000 +- **OWowMID** Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft Office on 64-bit Windows) + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd + +Provides data on Office-related Internet Explorer features. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OIeFeatureAddon** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the user or by administrative group policy will also be disabled in applications that enable this feature. +- **OIeMachineLockdown** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on content loaded from the user's local machine, which helps prevent malicious behavior involving local files. +- **OIeMimeHandling** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely. Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) +- **OIeMimeSniffing** Flag indicating which Microsoft Office products have this setting enabled. Determines a file's type by examining its bit signature. Windows Internet Explorer uses this information to determine how to render the file. The FEATURE_MIME_SNIFFING feature, when enabled, allows to be set differently for each security zone by using the URLACTION_FEATURE_MIME_SNIFFING URL action flag +- **OIeNoAxInstall** Flag indicating which Microsoft Office products have this setting enabled. When a webpage attempts to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request. When a webpage tries to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request +- **OIeNoDownload** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_RESTRICT_FILEDOWNLOAD feature blocks file download requests that navigate to a resource, that display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click or key press). Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) +- **OIeObjectCaching** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_OBJECT_CACHING feature prevents webpages from accessing or instantiating ActiveX controls cached from different domains or security contexts +- **OIePasswordDisable** Flag indicating which Microsoft Office products have this setting enabled. After Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2), Internet Explorer no longer allows usernames and passwords to be specified in URLs that use the HTTP or HTTPS protocols. URLs using other protocols, such as FTP, still allow usernames and passwords +- **OIeSafeBind** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SAFE_BINDTOOBJECT feature performs additional safety checks when calling MonikerBindToObject to create and initialize Microsoft ActiveX controls. Specifically, prevent the control from being created if COMPAT_EVIL_DONT_LOAD is in the registry for the control +- **OIeSecurityBand** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled, the Information bar appears when file download or code installation is restricted +- **OIeUncSaveCheck** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_UNC_SAVEDFILECHECK feature enables the Mark of the Web (MOTW) for local files loaded from network locations that have been shared by using the Universal Naming Convention (UNC) +- **OIeValidateUrl** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_VALIDATE_NAVIGATE_URL feature control prevents Windows Internet Explorer from navigating to a badly formed URL +- **OIeWebOcPopup** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_WEBOC_POPUPMANAGEMENT feature allows applications hosting the WebBrowser Control to receive the default Internet Explorer pop-up window management behavior +- **OIeWinRestrict** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_WINDOW_RESTRICTIONS feature adds several restrictions to the size and behavior of popup windows +- **OIeZoneElevate** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_ZONE_ELEVATION feature prevents pages in one zone from navigating to pages in a higher security zone unless the navigation is generated by the user + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd + +This event provides insight data on the installed Office products + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OfficeApplication** The name of the Office application. +- **OfficeArchitecture** The bitness of the Office application. +- **OfficeVersion** The version of the Office application. +- **Value** The insights collected about this entity. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync + +This diagnostic event indicates that a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd + +Describes Office Products installed. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OC2rApps** A GUID the describes the Office Click-To-Run apps +- **OC2rSkus** Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example, Office 2016 ProPlus +- **OMsiApps** Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word +- **OProductCodes** A GUID that describes the Office MSI products + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd + +This event describes various Office settings + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **BrowserFlags** Browser flags for Office-related products +- **ExchangeProviderFlags** Provider policies for Office Exchange +- **InventoryVersion** The version of the inventory binary generating the events. +- **SharedComputerLicensing** Office shared computer licensing policies + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync + +Indicates a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd + +This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Design** Count of files with design issues found. +- **Design_x64** Count of files with 64 bit design issues found. +- **DuplicateVBA** Count of files with duplicate VBA code. +- **HasVBA** Count of files with VBA code. +- **Inaccessible** Count of files that were inaccessible for scanning. +- **InventoryVersion** The version of the inventory binary generating the events. +- **Issues** Count of files with issues detected. +- **Issues_x64** Count of files with 64-bit issues detected. +- **IssuesNone** Count of files with no issues detected. +- **IssuesNone_x64** Count of files with no 64-bit issues detected. +- **Locked** Count of files that were locked, preventing scanning. +- **NoVBA** Count of files with no VBA inside. +- **Protected** Count of files that were password protected, preventing scanning. +- **RemLimited** Count of files that require limited remediation changes. +- **RemLimited_x64** Count of files that require limited remediation changes for 64-bit issues. +- **RemSignificant** Count of files that require significant remediation changes. +- **RemSignificant_x64** Count of files that require significant remediation changes for 64-bit issues. +- **Score** Overall compatibility score calculated for scanned content. +- **Score_x64** Overall 64-bit compatibility score calculated for scanned content. +- **Total** Total number of files scanned. +- **Validation** Count of files that require additional manual validation. +- **Validation_x64** Count of files that require additional manual validation for 64-bit issues. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd + +This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Count** Count of total Microsoft Office VBA rule violations +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync + +This event indicates that a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd + +Provides data on Unified Update Platform (UUP) products and what version they are at. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Identifier** UUP identifier +- **LastActivatedVersion** Last activated version +- **PreviousVersion** Previous version +- **Source** UUP source +- **Version** UUP version + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.Indicators.Checksum + +This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events. + +The following fields are available: + +- **CensusId** A unique hardware identifier. +- **ChecksumDictionary** A count of each operating system indicator. +- **PCFP** Equivalent to the InventoryId field that is found in other core events. + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd + +These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **IndicatorValue** The indicator value. + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorEndSync + +No content is currently available. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove + +This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync + +This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +## Kernel events + +### IO + +This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon system startup. + +The following fields are available: + +- **BytesRead** The total number of bytes read from or read by the OS upon system startup. +- **BytesWritten** The total number of bytes written to or written by the OS upon system startup. + + +### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch + +OS information collected during Boot, used to evaluate the success of the upgrade process. + +The following fields are available: + +- **BootApplicationId** This field tells us what the OS Loader Application Identifier is. +- **BootAttemptCount** The number of consecutive times the boot manager has attempted to boot into this operating system. +- **BootSequence** The current Boot ID, used to correlate events related to a particular boot session. +- **BootStatusPolicy** Identifies the applicable Boot Status Policy. +- **BootType** Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume"). +- **EventTimestamp** Seconds elapsed since an arbitrary time point. This can be used to identify the time difference in successive boot attempts being made. +- **FirmwareResetReasonEmbeddedController** Reason for system reset provided by firmware. +- **FirmwareResetReasonEmbeddedControllerAdditional** Additional information on system reset reason provided by firmware if needed. +- **FirmwareResetReasonPch** Reason for system reset provided by firmware. +- **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed. +- **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware. +- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See [IO](#io). +- **LastBootSucceeded** Flag indicating whether the last boot was successful. +- **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful. +- **MaxAbove4GbFreeRange** This field describes the largest memory range available above 4Gb. +- **MaxBelow4GbFreeRange** This field describes the largest memory range available below 4Gb. +- **MeasuredLaunchPrepared** This field tells us if the OS launch was initiated using Measured/Secure Boot over DRTM (Dynamic Root of Trust for Measurement). +- **MeasuredLaunchResume** This field tells us if Dynamic Root of Trust for Measurement (DRTM) was used when resuming from hibernation. +- **MenuPolicy** Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.). +- **RecoveryEnabled** Indicates whether recovery is enabled. +- **TcbLaunch** Indicates whether the Trusted Computing Base was used during the boot flow. +- **UserInputTime** The amount of time the loader application spent waiting for user input. + + +## Other events + +### Microsoft.Windows.Cast.Miracast.MiracastSessionEnd + +No content is currently available. + +The following fields are available: + +- **AudioChannelCount** No content is currently available. +- **AudioSampleRate** No content is currently available. +- **AudioSubtype** No content is currently available. +- **AverageBitrate** No content is currently available. +- **AverageDataRate** No content is currently available. +- **AveragePacketSendTimeInMs** No content is currently available. +- **ConnectorType** No content is currently available. +- **EncodeAverageTimeMS** No content is currently available. +- **EncodeCount** No content is currently available. +- **EncodeMaxTimeMS** No content is currently available. +- **EncodeMinTimeMS** No content is currently available. +- **EncoderCreationTimeInMs** No content is currently available. +- **ErrorSource** No content is currently available. +- **FirstFrameTime** No content is currently available. +- **FirstLatencyMode** No content is currently available. +- **FrameAverageTimeMS** No content is currently available. +- **FrameCount** No content is currently available. +- **FrameMaxTimeMS** No content is currently available. +- **FrameMinTimeMS** No content is currently available. +- **Glitches** No content is currently available. +- **HardwareCursorEnabled** No content is currently available. +- **HDCPState** No content is currently available. +- **HighestBitrate** No content is currently available. +- **HighestDataRate** No content is currently available. +- **LastLatencyMode** No content is currently available. +- **LogTimeReference** No content is currently available. +- **LowestBitrate** No content is currently available. +- **LowestDataRate** No content is currently available. +- **MediaErrorCode** No content is currently available. +- **MiracastEntry** No content is currently available. +- **MiracastM1** No content is currently available. +- **MiracastM2** No content is currently available. +- **MiracastM3** No content is currently available. +- **MiracastM4** No content is currently available. +- **MiracastM5** No content is currently available. +- **MiracastM6** No content is currently available. +- **MiracastM7** No content is currently available. +- **MiracastSessionState** No content is currently available. +- **MiracastStreaming** No content is currently available. +- **ProfileCount** No content is currently available. +- **ProfileCountAfterFiltering** No content is currently available. +- **RefreshRate** No content is currently available. +- **RotationSupported** No content is currently available. +- **RTSPSessionId** No content is currently available. +- **SessionGuid** No content is currently available. +- **SinkHadEdid** No content is currently available. +- **SupportMicrosoftColorSpaceConversion** No content is currently available. +- **SupportsMicrosoftDiagnostics** No content is currently available. +- **SupportsMicrosoftFormatChange** No content is currently available. +- **SupportsMicrosoftLatencyManagement** No content is currently available. +- **SupportsMicrosoftRTCP** No content is currently available. +- **SupportsMicrosoftVideoFormats** No content is currently available. +- **SupportsWiDi** No content is currently available. +- **TeardownErrorCode** No content is currently available. +- **TeardownErrorReason** No content is currently available. +- **UIBCEndState** No content is currently available. +- **UIBCEverEnabled** No content is currently available. +- **UIBCStatus** No content is currently available. +- **VideoBitrate** No content is currently available. +- **VideoCodecLevel** No content is currently available. +- **VideoHeight** No content is currently available. +- **VideoSubtype** No content is currently available. +- **VideoWidth** No content is currently available. +- **WFD2Supported** No content is currently available. + + +### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.General + +This event provides information about application properties to indicate the successful execution. + +The following fields are available: + +- **AppMode** Indicates the mode the app is being currently run around privileges. +- **ExitCode** Indicates the exit code of the app. +- **Help** Indicates if the app needs to be launched in the help mode. +- **ParseError** Indicates if there was a parse error during the execution. +- **RightsAcquired** Indicates if the right privileges were acquired for successful execution. +- **RightsWereEnabled** Indicates if the right privileges were enabled for successful execution. +- **TestMode** Indicates whether the app is being run in test mode. + + +### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.GetCount + +This event provides information about the properties of user accounts in the Administrator group. + +The following fields are available: + +- **Internal** Indicates the internal property associated with the count group. +- **LastError** The error code (if applicable) for the cause of the failure to get the count of the user account. +- **Result** The HResult error. + + +### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager + +No content is currently available. + +The following fields are available: + +- **ClientId** No content is currently available. +- **Flags** No content is currently available. +- **FlightId** No content is currently available. +- **Offline** No content is currently available. +- **PolicyPassed** No content is currently available. +- **ReturnCode** No content is currently available. +- **Version** No content is currently available. + + +### Value + +This event returns data about Mean Time to Failure (MTTF) for Windows devices. It is the primary means of estimating reliability problems in Basic Diagnostic reporting with very strong privacy guarantees. Since Basic Diagnostic reporting does not include system up-time, and since that information is important to ensuring the safe and stable operation of Windows, the data provided by this event provides that data in a manner which does not threaten a user’s privacy. + +The following fields are available: + +- **Algorithm** The algorithm used to preserve privacy. +- **DPRange** The upper bound of the range being measured. +- **DPValue** The randomized response returned by the client. +- **Epsilon** The level of privacy to be applied. +- **HistType** The histogram type if the algorithm is a histogram algorithm. +- **PertProb** The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”. + + +## Privacy consent logging events + +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted + +This event is used to determine whether the user successfully completed the privacy consent experience. + +The following fields are available: + +- **presentationVersion** Which display version of the privacy consent experience the user completed +- **privacyConsentState** The current state of the privacy consent experience +- **settingsVersion** Which setting version of the privacy consent experience the user completed +- **userOobeExitReason** The exit reason of the privacy consent experience + + +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus + +Event tells us effectiveness of new privacy experience. + +The following fields are available: + +- **isAdmin** whether the person who is logging in is an admin +- **isExistingUser** whether the account existed in a downlevel OS +- **isLaunching** Whether or not the privacy consent experience will be launched +- **isSilentElevation** whether the user has most restrictive UAC controls +- **privacyConsentState** whether the user has completed privacy experience +- **userRegionCode** The current user's region setting + + +## Sediment events + +### Microsoft.Windows.Sediment.Info.DetailedState + +This event is sent when detailed state information is needed from an update trial run. + +The following fields are available: + +- **Data** Data relevant to the state, such as what percent of disk space the directory takes up. +- **Id** Identifies the trial being run, such as a disk related trial. +- **ReleaseVer** The version of the component. +- **State** The state of the reporting data from the trial, such as the top-level directory analysis. +- **Time** The time the event was fired. + + +## Setup events + +### SetupPlatformTel.SetupPlatformTelActivityEvent + +This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date. + +The following fields are available: + +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **Value** Value associated with the corresponding event name. For example, time-related events will include the system time + + +### SetupPlatformTel.SetupPlatformTelActivityStarted + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + +The following fields are available: + +- **Name** The name of the dynamic update type. Example: GDR driver + + +### SetupPlatformTel.SetupPlatformTelActivityStopped + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + + + +### SetupPlatformTel.SetupPlatformTelEvent + +This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios. + +The following fields are available: + +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. + + +## Software update events + +### SoftwareUpdateClientTelemetry.CheckForUpdates + +Scan process event on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). + +The following fields are available: + +- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. +- **AllowCachedResults** Indicates if the scan allowed using cached results. +- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. +- **BranchReadinessLevel** The servicing branch configured on the device. +- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated. +- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. +- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0. +- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown +- **CurrentMobileOperator** The mobile operator the device is currently connected to. +- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). +- **DeferredUpdates** Update IDs which are currently being deferred until a later time +- **DeviceModel** What is the device model. +- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. +- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. +- **DriverSyncPassPerformed** Were drivers scanned this time? +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **ExtendedMetadataCabUrl** Hostname that is used to download an update. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. +- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. +- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. +- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days). +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days). +- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). +- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IPVersion** Indicates whether the download took place over IPv4 or IPv6 +- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. +- **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. +- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce +- **MSIError** The last error that was encountered during a scan for updates. +- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 +- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete +- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked +- **NumberOfLoop** The number of round trips the scan required +- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan +- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan +- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. +- **Online** Indicates if this was an online scan. +- **PausedUpdates** A list of UpdateIds which that currently being paused. +- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window. +- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window. +- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window. +- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window. +- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced. +- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. +- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days). +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days). +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **ScanDurationInSeconds** The number of seconds a scan took +- **ScanEnqueueTime** The number of seconds it took to initialize a scan +- **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). +- **ServiceUrl** The environment URL a device is configured to scan with +- **ShippingMobileOperator** The mobile operator that a device shipped on. +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). +- **SyncType** Describes the type of scan the event was +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. +- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. +- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### SoftwareUpdateClientTelemetry.Commit + +This event tracks the commit process post the update installation when software update client is trying to update the device. + +The following fields are available: + +- **BiosFamily** Device family as defined in the system BIOS +- **BiosName** Name of the system BIOS +- **BiosReleaseDate** Release date of the system BIOS +- **BiosSKUNumber** Device SKU as defined in the system BIOS +- **BIOSVendor** Vendor of the system BIOS +- **BiosVersion** Version of the system BIOS +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRevisionNumber** Identifies the revision number of the content bundle +- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** Version number of the software distribution client +- **DeploymentProviderMode** No content is currently available. +- **DeviceModel** Device model as defined in the system bios +- **EventInstanceID** A globally unique identifier for event instance +- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver". +- **FlightId** The specific id of the flight the device is getting +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) +- **RevisionNumber** Identifies the revision number of this specific piece of content +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) +- **SystemBIOSMajorRelease** Major release version of the system bios +- **SystemBIOSMinorRelease** Minor release version of the system bios +- **UpdateId** Identifier associated with the specific piece of content +- **WUDeviceID** Unique device id controlled by the software distribution client + + +### SoftwareUpdateClientTelemetry.Download + +Download process event for target update on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). + +The following fields are available: + +- **ActiveDownloadTime** Number of seconds the update was actively being downloaded. +- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload. +- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. +- **AppXDownloadScope** Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client. +- **AppXScope** Indicates the scope of the app download. +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. +- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download. +- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. +- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. +- **CDNId** ID which defines which CDN the software distribution client downloaded the content from. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. +- **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. +- **CurrentMobileOperator** The mobile operator the device is currently connected to. +- **DeviceModel** What is the device model. +- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. +- **DownloadProps** Information about the download operation. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed. +- **EventType** Possible values are Child, Bundle, or Driver. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). +- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. +- **FlightId** The specific ID of the flight (pre-release build) the device is getting. +- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). +- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. +- **HostName** The hostname URL the content is downloading from. +- **IPVersion** Indicates whether the download took place over IPv4 or IPv6. +- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update +- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. +- **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. +- **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) +- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." +- **PackageFullName** The package name of the content. +- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. +- **PostDnldTime** Time taken (in seconds) to signal download completion after the last job has completed downloading payload. +- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background. +- **RegulationReason** The reason that the update is regulated +- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific content has previously failed. +- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. +- **RevisionNumber** The revision number of the specified piece of content. +- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway. +- **ShippingMobileOperator** The mobile operator that a device shipped on. +- **SizeCalcTime** Time taken (in seconds) to calculate the total download size of the payload. +- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet. +- **TimeToEstablishConnection** Time (in ms) it took to establish the connection prior to beginning downloaded. +- **TotalExpectedBytes** The total count of bytes that the download is expected to be. +- **UpdateId** An identifier associated with the specific piece of content. +- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. +- **UsedDO** Whether the download used the delivery optimization service. +- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### SoftwareUpdateClientTelemetry.DownloadCheckpoint + +This event provides a checkpoint between each of the Windows Update download phases for UUP content + +The following fields are available: + +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** The version number of the software distribution client +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver" +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough +- **FileId** A hash that uniquely identifies a file +- **FileName** Name of the downloaded file +- **FlightId** The unique identifier for each flight +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RevisionNumber** Unique revision number of Update +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.) +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult) +- **UpdateId** Unique Update ID +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue + + +### SoftwareUpdateClientTelemetry.DownloadHeartbeat + +This event allows tracking of ongoing downloads and contains data to explain the current state of the download + +The following fields are available: + +- **BytesTotal** Total bytes to transfer for this content +- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat +- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** The version number of the software distribution client +- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat +- **CurrentError** Last (transient) error encountered by the active download +- **DownloadFlags** Flags indicating if power state is ignored +- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing) +- **EventType** Possible values are "Child", "Bundle", or "Driver" +- **FlightId** The unique identifier for each flight +- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered" +- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any +- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any +- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one +- **ResumeCount** Number of times this active download has resumed from a suspended state +- **RevisionNumber** Identifies the revision number of this specific piece of content +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) +- **SuspendCount** Number of times this active download has entered a suspended state +- **SuspendReason** Last reason for why this active download entered a suspended state +- **UpdateId** Identifier associated with the specific piece of content +- **WUDeviceID** Unique device id controlled by the software distribution client + + +### SoftwareUpdateClientTelemetry.Install + +This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date. + +The following fields are available: + +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to install. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0. +- **CSIErrorType** The stage of CBS installation where it failed. +- **CurrentMobileOperator** The mobile operator to which the device is currently connected. +- **DeploymentProviderMode** No content is currently available. +- **DeviceModel** The device model. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. +- **EventType** Possible values are Child, Bundle, or Driver. +- **ExtendedErrorCode** The extended error code. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBranch** The branch that a device is on if participating in the Windows Insider Program. +- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **FlightRing** The ring that a device is on if participating in the Windows Insider Program. +- **HandlerType** Indicates what kind of content is being installed (for example, app, driver, Windows update). +- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. +- **InstallProps** A bitmask for future flags associated with the install operation. No value is currently reported in this field. Expected value for this field is 0. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IsDependentSet** Indicates whether the driver is part of a larger System Hardware/Firmware update. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether this update is a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. +- **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. +- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. +- **MsiAction** The stage of MSI installation where it failed. +- **MsiProductCode** The unique identifier of the MSI installer. +- **PackageFullName** The package name of the content being installed. +- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced. +- **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. +- **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. +- **RevisionNumber** The revision number of this specific piece of content. +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). +- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. +- **ShippingMobileOperator** The mobile operator that a device shipped on. +- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **TransactionCode** The ID that represents a given MSI installation. +- **UpdateId** Unique update ID. +- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. +- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### SoftwareUpdateClientTelemetry.Revert + +Revert event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). + +The following fields are available: + +- **BundleId** Identifier associated with the specific content bundle. Should not be all zeros if the BundleId was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **CSIErrorType** Stage of CBS installation that failed. +- **DeploymentProviderMode** No content is currently available. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **EventType** Event type (Child, Bundle, Release, or Driver). +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of the flight. +- **FlightId** The specific ID of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **UpdateId** The identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device's main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.TaskRun + +Start event for Server Initiated Healing client. See EventScenario field for specifics (for example, started/completed). + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CmdLineArgs** Command line arguments passed in by the caller. +- **EventInstanceID** A globally unique identifier for the event instance. +- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **Mode** No content is currently available. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.Uninstall + +Uninstall event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). + +The following fields are available: + +- **BundleId** The identifier associated with the specific content bundle. This should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of the application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **DeploymentProviderMode** No content is currently available. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers when a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of the event (a scan started, succeded, failed, etc.). +- **EventType** Indicates the event type. Possible values are "Child", "Bundle", "Release" or "Driver". +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of the flight. +- **FlightId** The specific ID of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If the download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **UpdateId** Identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.UpdateDetected + +This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates. + +The following fields are available: + +- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). +- **WUDeviceID** The unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity + +Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments. +- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed. +- **ExtendedStatusCode** The secondary status code of the event. +- **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed. +- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. +- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce +- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID). +- **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable. +- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. +- **RevisionId** The revision ID for a specific piece of content. +- **RevisionNumber** The revision number for a specific piece of content. +- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store +- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. +- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. +- **SHA256OfTimestampToken** An encoded string of the timestamp token. +- **SignatureAlgorithm** The hash algorithm for the metadata signature. +- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast +- **StatusCode** The status code of the event. +- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token. +- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed. +- **UpdateId** The update ID for a specific piece of content. +- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. + + +## Update events + +### Update360Telemetry.Revert + +This event sends data relating to the Revert phase of updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the Revert phase. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **RebootRequired** Indicates reboot is required. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **RevertResult** The result code returned for the Revert operation. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. + + +### Update360Telemetry.UpdateAgentCommit + +This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the install phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentDownloadRequest + +This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. + +The following fields are available: + +- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted. +- **DownloadRequests** Number of times a download was retried. +- **ErrorCode** The error code returned for the current download request phase. +- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. +- **FlightId** Unique ID for each flight. +- **InternalFailureResult** Indicates a non-fatal error from a plugin. +- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable. +- **PackageCountOptional** Number of optional packages requested. +- **PackageCountRequired** Number of required packages requested. +- **PackageCountTotal** Total number of packages needed. +- **PackageCountTotalCanonical** Total number of canonical packages. +- **PackageCountTotalDiff** Total number of diff packages. +- **PackageCountTotalExpress** Total number of express packages. +- **PackageExpressType** Type of express package. +- **PackageSizeCanonical** Size of canonical packages in bytes. +- **PackageSizeDiff** Size of diff packages in bytes. +- **PackageSizeExpress** Size of express packages in bytes. +- **RangeRequestState** Indicates the range request type used. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the download request phase of update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases). +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentExpand + +This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **ElapsedTickCount** Time taken for expand phase. +- **EndFreeSpace** Free space after expand phase. +- **EndSandboxSize** Sandbox size after expand phase. +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **StartFreeSpace** Free space before expand phase. +- **StartSandboxSize** Sandbox size after expand phase. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentFellBackToCanonical + +This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **PackageCount** Number of packages that feel back to canonical. +- **PackageList** PackageIds which fell back to canonical. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentInitialize + +This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **FlightMetadata** Contains the FlightId and the build being flighted. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the install phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios). +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentInstall + +This event sends data for the install phase of updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. +- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **InternalFailureResult** Indicates a non-fatal error from a plugin. +- **ObjectId** Correlation vector value generated from the latest USO scan. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** The result for the current install phase. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentMerge + +The UpdateAgentMerge event sends data on the merge phase when updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the current merge phase. +- **FlightId** Unique ID for each flight. +- **MergeId** The unique ID to join two update sessions being merged. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Related correlation vector value. +- **Result** Outcome of the merge phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentMitigationResult + +This event sends data indicating the result of each update agent mitigation. + +The following fields are available: + +- **Applicable** Indicates whether the mitigation is applicable for the current update. +- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightId** Unique identifier for each flight. +- **Index** The mitigation index of this particular mitigation. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **Name** The friendly name of the mitigation. +- **ObjectId** Unique value for each Update Agent mode. +- **OperationIndex** The mitigation operation index (in the event of a failure). +- **OperationName** The friendly name of the mitigation operation (in the event of failure). +- **RegistryCount** The number of registry operations in the mitigation entry. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). +- **UpdateId** Unique ID for each Update. + + +### Update360Telemetry.UpdateAgentMitigationSummary + +This event sends a summary of all the update agent mitigations available for an this update. + +The following fields are available: + +- **Applicable** The count of mitigations that were applicable to the system and scenario. +- **Failed** The count of mitigations that failed. +- **FlightId** Unique identifier for each flight. +- **MitigationScenario** The update scenario in which the mitigations were attempted. +- **ObjectId** The unique value for each Update Agent mode. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. +- **TimeDiff** The amount of time spent performing all mitigations (in 100-nanosecond increments). +- **Total** Total number of mitigations that were available. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentModeStart + +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. + +The following fields are available: + +- **FlightId** Unique ID for each flight. +- **Mode** Indicates the mode that has started. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. +- **Version** Version of update + + +### Update360Telemetry.UpdateAgentOneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **Count** The count of applicable OneSettings for the device. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. +- **Values** The values sent back to the device, if applicable. + + +### Update360Telemetry.UpdateAgentPostRebootResult + +This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. + +The following fields are available: + +- **ErrorCode** The error code returned for the current post reboot phase. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **ObjectId** Unique value for each Update Agent mode. +- **PostRebootResult** Indicates the Hresult. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentReboot + +This event sends information indicating that a request has been sent to suspend an update. + +The following fields are available: + +- **ErrorCode** The error code returned for the current reboot. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. + + +### Update360Telemetry.UpdateAgentSetupBoxLaunch + +The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. + +The following fields are available: + +- **ContainsExpressPackage** Indicates whether the download package is express. +- **FlightId** Unique ID for each flight. +- **FreeSpace** Free space on OS partition. +- **InstallCount** Number of install attempts using the same sandbox. +- **ObjectId** Unique value for each Update Agent mode. +- **Quiet** Indicates whether setup is running in quiet mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **SandboxSize** Size of the sandbox. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **SetupMode** Mode of setup to be launched. +- **UpdateId** Unique ID for each Update. +- **UserSession** Indicates whether install was invoked by user actions. + + +## Upgrade events + +### FacilitatorTelemetry.DCATDownload + +This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **DownloadSize** Download size of payload. +- **ElapsedTime** Time taken to download payload. +- **MediaFallbackUsed** Used to determine if we used Media CompDBs to figure out package requirements for the upgrade. +- **ResultCode** Result returned by the Facilitator DCAT call. +- **Scenario** Dynamic update scenario (Image DU, or Setup DU). +- **Type** Type of package that was downloaded. +- **UpdateId** No content is currently available. + + +### FacilitatorTelemetry.InitializeDU + +This event determines whether devices received additional or critical supplemental content during an OS upgrade. + +The following fields are available: + +- **DownloadRequestAttributes** The attributes we send to DCAT. +- **ResultCode** The result returned from the initiation of Facilitator with the URL/attributes. +- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **Url** The Delivery Catalog (DCAT) URL we send the request to. +- **Version** Version of Facilitator. + + +### Setup360Telemetry.Downlevel + +This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the downlevel OS. +- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** More detailed information about phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback). +- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors). +- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT). +- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). +- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** An ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId. + + +### Setup360Telemetry.Finalize + +This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** More detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.OsUninstall + +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.PostRebootInstall + +This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback +- **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId. + + +### Setup360Telemetry.PreDownloadQuiet + +This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help keep Windows up to date. + +The following fields are available: + +- **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.PreDownloadUX + +This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS, to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion of the update process. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **HostOSBuildNumber** The build number of the previous operating system. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). +- **InstanceId** Unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). +- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.PreInstallQuiet + +This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT). +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.PreInstallUX + +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.Setup360 + +This event sends data about OS deployment scenarios, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FieldName** Retrieves the data point. +- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. +- **InstanceId** Retrieves a unique identifier for each instance of a setup session. +- **ReportId** Retrieves the report ID. +- **ScenarioId** Retrieves the deployment scenario. +- **Value** Retrieves the value associated with the corresponding FieldName. + + +### Setup360Telemetry.Setup360DynamicUpdate + +This event helps determine whether the device received supplemental content during an operating system upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. +- **InstanceId** Retrieves a unique identifier for each instance of a setup session. +- **Operation** Facilitator's last known operation (scan, download, etc.). +- **ReportId** ID for tying together events stream side. +- **ResultCode** Result returned for the entire setup operation. +- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **ScenarioId** Identifies the update scenario. +- **TargetBranch** Branch of the target OS. +- **TargetBuild** Build of the target OS. + + +### Setup360Telemetry.Setup360MitigationResult + +This event sends data indicating the result of each setup mitigation. + +The following fields are available: + +- **Applicable** TRUE if the mitigation is applicable for the current update. +- **ClientId** In the Windows Update scenario, this is the client ID passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightData** The unique identifier for each flight (test release). +- **Index** The mitigation index of this particular mitigation. +- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **Name** The friendly (descriptive) name of the mitigation. +- **OperationIndex** The mitigation operation index (in the event of a failure). +- **OperationName** The friendly (descriptive) name of the mitigation operation (in the event of failure). +- **RegistryCount** The number of registry operations in the mitigation entry. +- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. +- **Result** HResult of this operation. +- **ScenarioId** Setup360 flow type. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). + + +### Setup360Telemetry.Setup360MitigationSummary + +This event sends a summary of all the setup mitigations available for this update. + +The following fields are available: + +- **Applicable** The count of mitigations that were applicable to the system and scenario. +- **ClientId** The Windows Update client ID passed to Setup. +- **Failed** The count of mitigations that failed. +- **FlightData** The unique identifier for each flight (test release). +- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. +- **MitigationScenario** The update scenario in which the mitigations were attempted. +- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. +- **Result** HResult of this operation. +- **ScenarioId** Setup360 flow type. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). +- **Total** The total number of mitigations that were available. + + +### Setup360Telemetry.Setup360OneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **ClientId** The Windows Update client ID passed to Setup. +- **Count** The count of applicable OneSettings for the device. +- **FlightData** The ID for the flight (test instance version). +- **InstanceId** The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe. +- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. +- **ReportId** The Update ID passed to Setup. +- **Result** The HResult of the event error. +- **ScenarioId** The update scenario ID. +- **Values** Values sent back to the device, if applicable. + + +### Setup360Telemetry.UnexpectedEvent + +This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +## Windows as a Service diagnostic events + +### Microsoft.Windows.WaaSMedic.SummaryEvent + +Result of the WaaSMedic operation. + +The following fields are available: + +- **callerApplication** The name of the calling application. +- **capsuleCount** No content is currently available. +- **capsuleFailureCount** No content is currently available. +- **detectionSummary** Result of each applicable detection that was run. +- **featureAssessmentImpact** WaaS Assessment impact for feature updates. +- **hrEngineResult** Error code from the engine operation. +- **hrLastSandboxError** No content is currently available. +- **initSummary** No content is currently available. +- **isInteractiveMode** The user started a run of WaaSMedic. +- **isManaged** Device is managed for updates. +- **isWUConnected** Device is connected to Windows Update. +- **noMoreActions** No more applicable diagnostics. +- **pluginFailureCount** No content is currently available. +- **pluginsCount** No content is currently available. +- **qualityAssessmentImpact** WaaS Assessment impact for quality updates. +- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on. +- **usingBackupFeatureAssessment** Relying on backup feature assessment. +- **usingBackupQualityAssessment** Relying on backup quality assessment. +- **usingCachedFeatureAssessment** WaaS Medic run did not get OS build age from the network on the previous run. +- **usingCachedQualityAssessment** WaaS Medic run did not get OS revision age from the network on the previous run. +- **versionString** Version of the WaaSMedic engine. +- **waasMedicRunMode** Indicates whether this was a background regular run of the medic or whether it was triggered by a user launching Windows Update Troubleshooter. + + +## Windows Error Reporting events + +### Microsoft.Windows.WERVertical.OSCrash + +This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. + +The following fields are available: + +- **BootId** Uint32 identifying the boot number for this device. +- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check. +- **BugCheckParameter1** Uint64 parameter providing additional information. +- **BugCheckParameter2** Uint64 parameter providing additional information. +- **BugCheckParameter3** Uint64 parameter providing additional information. +- **BugCheckParameter4** Uint64 parameter providing additional information. +- **DumpFileAttributes** Codes that identify the type of data contained in the dump file +- **DumpFileSize** Size of the dump file +- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise +- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). + + +## Windows Error Reporting MTT events + +### Microsoft.Windows.WER.MTT.Denominator + +This event provides a denominator to calculate MTTF (mean-time-to-failure) for crashes and other errors, to help keep Windows up to date. + +The following fields are available: + +- **Value** Standard UTC emitted DP value structure See [Value](#value). + + +## Windows Store events + +### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation + +This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** Number of retry attempts before it was canceled. +- **BundleId** The Item Bundle ID. +- **CategoryId** The Item Category ID. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed before this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Was this requested by a user? +- **IsMandatory** Was this a mandatory update? +- **IsRemediation** Was this a remediation install? +- **IsRestore** Is this automatically restoring a previously acquired product? +- **IsUpdate** Flag indicating if this is an update. +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The product family name of the product being installed. +- **ProductId** The identity of the package or packages being installed. +- **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled. +- **UserAttemptNumber** The total number of user attempts at installation before it was canceled. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds + +This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure. + + + +### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare + +This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure. + + + +### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation + +This event is sent when an app update or installation is canceled while in interactive mode. This can be canceled by the user or the system. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed. +- **AttemptNumber** Total number of installation attempts. +- **BundleId** The identity of the Windows Insider build that is associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Was this requested by a user? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this an automatic restore of a previously acquired product? +- **IsUpdate** Is this a product update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of all packages to be downloaded and installed. +- **PreviousHResult** The previous HResult code. +- **PreviousInstallState** Previous installation state before it was canceled. +- **ProductId** The name of the package or packages requested for installation. +- **RelatedCV** Correlation Vector of a previous performed action on this product. +- **SystemAttemptNumber** Total number of automatic attempts to install before it was canceled. +- **UserAttemptNumber** Total number of user attempts to install before it was canceled. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest + +This event is sent at the end of app installations or updates to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The Store Product ID of the app being installed. +- **HResult** HResult code of the action being performed. +- **IsBundle** Is this a bundle? +- **PackageFamilyName** The name of the package being installed. +- **ProductId** The Store Product ID of the product being installed. +- **SkuId** Specific edition of the item being installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense + +This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set. +- **AttemptNumber** The total number of attempts to acquire this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** HResult code to show the result of the operation (success/failure). +- **IsBundle** Is this a bundle? +- **IsInteractive** Did the user initiate the installation? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this happening after a device restore? +- **IsUpdate** Is this an update? +- **PFN** Product Family Name of the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The number of attempts by the system to acquire this product. +- **UserAttemptNumber** The number of attempts by the user to acquire this product +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndDownload + +This event is sent after an app is downloaded to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. +- **AttemptNumber** Number of retry attempts before it was canceled. +- **BundleId** The identity of the Windows Insider build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **DownloadSize** The total size of the download. +- **ExtendedHResult** Any extended HResult error codes. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this initiated by the user? +- **IsMandatory** Is this a mandatory installation? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this a restore of a previously acquired product? +- **IsUpdate** Is this an update? +- **ParentBundleId** The parent bundle ID (if it's part of a bundle). +- **PFN** The Product Family Name of the app being download. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The number of attempts by the system to download. +- **UserAttemptNumber** The number of attempts by the user to download. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate + +This event is sent when an app update requires an updated Framework package and the process starts to download it. It is used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed before this operation. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds + +This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed before this operation. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndInstall + +This event is sent after a product has been installed to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **ExtendedHResult** The extended HResult error code. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this an interactive installation? +- **IsMandatory** Is this a mandatory installation? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this automatically restoring a previously acquired product? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** Product Family Name of the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates + +This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsApplicability** Is this request to only check if there are any applicable packages to install? +- **IsInteractive** Is this user requested? +- **IsOnline** Is the request doing an online check? + + +### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages + +This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData + +This event is sent after restoring user data (if any) that needs to be restored following a product install. It is used to keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of system attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare + +This event is sent after a scan for available app updates to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed. + + +### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete + +This event is sent at the end of an app install or update to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The name of the product catalog from which this app was chosen. +- **FailedRetry** Indicates whether the installation or update retry was successful. +- **HResult** The HResult code of the operation. +- **PFN** The Package Family Name of the app that is being installed or updated. +- **ProductId** The product ID of the app that is being updated or installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate + +This event is sent at the beginning of an app install or update to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The name of the product catalog from which this app was chosen. +- **fulfillmentPluginId** No content is currently available. +- **FulfillmentPluginId** No content is currently available. +- **PFN** The Package Family Name of the app that is being installed or updated. +- **pluginTelemetryData** No content is currently available. +- **PluginTelemetryData** No content is currently available. +- **ProductId** The product ID of the app that is being updated or installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest + +This event is sent when a product install or update is initiated, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **BundleId** The identity of the build associated with this product. +- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SkuId** Specific edition ID being installed. +- **VolumePath** The disk path of the installation. + + +### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation + +This event is sent when a product install or update is paused (either by a user or the system), to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The Product Full Name. +- **PreviousHResult** The result code of the last action performed before this operation. +- **PreviousInstallState** Previous state before the installation or update was paused. +- **ProductId** The Store Product ID for the product being installed. +- **RelatedCV** Correlation Vector of a previous performed action on this product. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation + +This event is sent when a product install or update is resumed (either by a user or the system), to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed before this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **IsUserRetry** Did the user initiate the retry? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **PreviousHResult** The previous HResult error code. +- **PreviousInstallState** Previous state before the installation was paused. +- **ProductId** The Store Product ID for the product being installed. +- **RelatedCV** Correlation Vector for the original install before it was resumed. +- **ResumeClientId** The ID of the app that initiated the resume operation. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest + +This event is sent when a product install or update is resumed by a user or on installation retries, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ProductId** The Store Product ID for the product being installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest + +This event is sent when searching for update packages to install, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The Store Catalog ID for the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SkuId** Specfic edition of the app being updated. + + +### Microsoft.Windows.StoreAgent.Telemetry.StateTransition + +No content is currently available. + +The following fields are available: + +- **CatalogId** No content is currently available. +- **FulfillmentPluginId** No content is currently available. +- **HResult** No content is currently available. +- **NewState** No content is currently available. +- **PFN** No content is currently available. +- **PluginLastStage** No content is currently available. +- **PluginTelemetryData** No content is currently available. +- **Prevstate** No content is currently available. +- **ProductId** No content is currently available. + + +### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest + +This event occurs when an update is requested for an app, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **PFamN** The name of the app that is requested for update. + + +## Windows Update Delivery Optimization events + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled + +This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download being done in the background? +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same group. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group. +- **bytesFromLinkLocalPeers** No content is currently available. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **cdnIp** The IP Address of the source CDN (Content Delivery Network). +- **cdnUrl** The URL of the source CDN (Content Delivery Network). +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **errorCode** The error code that was returned. +- **experimentId** When running a test, this is used to correlate events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **predefinedCallerName** The name of the API Caller. +- **reasonCode** Reason the action or event occurred. +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the file download session. +- **updateID** The ID of the update being downloaded. +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted + +This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download a background download? +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. +- **bytesFromLinkLocalPeers** No content is currently available. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **bytesRequested** The total number of bytes requested for download. +- **cacheServerConnectionCount** Number of connections made to cache hosts. +- **cdnConnectionCount** The total number of connections made to the CDN. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **cdnIp** The IP address of the source CDN. +- **cdnUrl** Url of the source Content Distribution Network (CDN). +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **downlinkBps** The maximum measured available download bandwidth (in bytes per second). +- **downlinkUsageBps** The download speed (in bytes per second). +- **downloadMode** The download mode used for this file download session. +- **downloadModeReason** Reason for the download. +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **fileSize** The size of the file being downloaded. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. +- **groupConnectionCount** The total number of connections made to peers in the same group. +- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group. +- **isEncrypted** TRUE if the file is encrypted and will be decrypted after download. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **lanConnectionCount** The total number of connections made to peers in the same LAN. +- **linkLocalConnectionCount** No content is currently available. +- **numPeers** The total number of peers used for this download. +- **numPeersLocal** No content is currently available. +- **predefinedCallerName** The name of the API Caller. +- **restrictedUpload** Is the upload restricted? +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the download session. +- **totalTimeMs** Duration of the download (in seconds). +- **updateID** The ID of the update being downloaded. +- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). +- **uplinkUsageBps** The upload speed (in bytes per second). +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused + +This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download a background download? +- **cdnUrl** The URL of the source CDN (Content Delivery Network). +- **errorCode** The error code that was returned. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being paused. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **predefinedCallerName** The name of the API Caller object. +- **reasonCode** The reason for pausing the download. +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the download session. +- **updateID** The ID of the update being paused. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted + +This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Indicates whether the download is happening in the background. +- **bytesRequested** Number of bytes requested for the download. +- **cdnUrl** The URL of the source Content Distribution Network (CDN). +- **costFlags** A set of flags representing network cost. +- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). +- **diceRoll** Random number used for determining if a client will use peering. +- **doClientVersion** The version of the Delivery Optimization client. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). +- **downloadModeReason** No content is currently available. +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **errorCode** The error code that was returned. +- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing. +- **fileID** The ID of the file being downloaded. +- **filePath** The path to where the downloaded file will be written. +- **fileSize** Total file size of the file that was downloaded. +- **fileSizeCaller** Value for total file size provided by our caller. +- **groupID** ID for the group. +- **isEncrypted** Indicates whether the download is encrypted. +- **isVpn** Indicates whether the device is connected to a Virtual Private Network. +- **jobID** The ID of the Windows Update job. +- **peerID** The ID for this delivery optimization client. +- **predefinedCallerName** Name of the API caller. +- **routeToCacheServer** Cache server setting, source, and value. +- **sessionID** The ID for the file download session. +- **setConfigs** A JSON representation of the configurations that have been set, and their sources. +- **updateID** The ID of the update being downloaded. +- **usedMemoryStream** Indicates whether the download used memory streaming. + + +### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication + +This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **cdnHeaders** The HTTP headers returned by the CDN. +- **cdnIp** The IP address of the CDN. +- **cdnUrl** The URL of the CDN. +- **errorCode** The error code that was returned. +- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **httpStatusCode** The HTTP status code returned by the CDN. +- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET +- **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.). +- **requestOffset** The byte offset within the file in the sent request. +- **requestSize** The size of the range requested from the CDN. +- **responseSize** The size of the range response received from the CDN. +- **sessionID** The ID of the download session. + + +### Microsoft.OSG.DU.DeliveryOptClient.JobError + +This event represents a Windows Update job error. It allows for investigation of top errors. + +The following fields are available: + +- **cdnIp** The IP Address of the source CDN (Content Delivery Network). +- **doErrorCode** Error code returned for delivery optimization. +- **errorCode** The error code returned. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **jobID** The Windows Update job ID. + + +## Windows Update events + +### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed + +This event indicates that a notification dialog box is about to be displayed to user. + +The following fields are available: + +- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. +- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before the RebootFailed dialog box is shown. +- **DaysSinceRebootRequired** Number of days since restart was required. +- **DeviceLocalTime** The local time on the device sending the event. +- **EngagedModeLimit** The number of days to switch between DTE dialog boxes. +- **EnterAutoModeLimit** The maximum number of days for a device to enter Auto Reboot mode. +- **ETag** OneSettings versioning value. +- **IsForcedEnabled** Indicates whether Forced Reboot mode is enabled for this device. +- **IsUltimateForcedEnabled** Indicates whether Ultimate Forced Reboot mode is enabled for this device. +- **NotificationUxState** Indicates which dialog box is shown. +- **NotificationUxStateString** Indicates which dialog box is shown. +- **RebootUxState** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). +- **RebootUxStateString** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). +- **RebootVersion** Version of DTE. +- **SkipToAutoModeLimit** The minimum length of time to pass in restart pending before a device can be put into auto mode. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UtcTime** The time the dialog box notification will be displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog + +This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** The local time of the device sending the event. +- **EnterpriseAttributionValue** No content is currently available. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog + +This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** Time the dialog box was shown on the local device. +- **EnterpriseAttributionValue** No content is currently available. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose in this dialog box. +- **UtcTime** The time that dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderDialog + +This event returns information relating to the Enhanced Engaged reboot reminder dialog that was displayed. + +The following fields are available: + +- **DeviceLocalTime** The time at which the reboot reminder dialog was shown (based on the local device time settings). +- **EnterpriseAttributionValue** No content is currently available. +- **ETag** The OneSettings versioning value. +- **ExitCode** Indicates how users exited the reboot reminder dialog box. +- **RebootVersion** The version of the DTE (Direct-to-Engaged). +- **UpdateId** The ID of the update that is waiting for reboot to finish installation. +- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. +- **UserResponseString** The option chosen by the user on the reboot dialog box. +- **UtcTime** The time at which the reboot reminder dialog was shown (in UTC). + + +### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy + +This event indicates a policy is present that may restrict update activity to outside of active hours. + +The following fields are available: + +- **activeHoursEnd** The end of the active hours window. +- **activeHoursStart** The start of the active hours window. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.DeferRestart + +This event indicates that a restart required for installing updates was postponed. + +The following fields are available: + +- **displayNeededReason** List of reasons for needing display. +- **eventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery). +- **gameModeReason** Name of the executable that caused the game mode state check to start. +- **ignoredReason** List of reasons that were intentionally ignored. +- **IgnoreReasonsForRestart** List of reasons why restart was deferred. +- **revisionNumber** Update ID revision number. +- **systemNeededReason** List of reasons why system is needed. +- **updateId** Update ID. +- **updateScenarioType** Update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.Detection + +This event indicates that a scan for a Windows Update occurred. + +The following fields are available: + +- **deferReason** Reason why the device could not check for updates. +- **detectionBlockingPolicy** State of update action. +- **detectionBlockreason** The reason detection did not complete. +- **detectionRetryMode** Indicates whether we will try to scan again. +- **errorCode** The error code returned for the current process. +- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the session was user initiated. +- **networkStatus** Error info +- **revisionNumber** Update revision number. +- **scanTriggerSource** Source of the triggered scan. +- **updateId** Update ID. +- **updateScenarioType** Identifies the type of update session being performed. +- **wuDeviceid** The unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.DisplayNeeded + +This event indicates the reboot was postponed due to needing a display. + +The following fields are available: + +- **displayNeededReason** Reason the display is needed. +- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. +- **revisionNumber** Revision number of the update. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. +- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue + + +### Microsoft.Windows.Update.Orchestrator.Download + +This event sends launch data for a Windows Update download to help keep Windows up to date. + +The following fields are available: + +- **deferReason** Reason for download not completing. +- **errorCode** An error code represented as a hexadecimal value. +- **eventScenario** End-to-end update session ID. +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the session is user initiated. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.EscalationRiskLevels + +This event is sent during update scan, download, or install, and indicates that the device is at risk of being out-of-date. + +The following fields are available: + +- **configVersion** The escalation configuration version on the device. +- **downloadElapsedTime** Indicates how long since the download is required on device. +- **downloadRiskLevel** At-risk level of download phase. +- **installElapsedTime** Indicates how long since the install is required on device. +- **installRiskLevel** The at-risk level of install phase. +- **isSediment** Assessment of whether is device is at risk. +- **scanElapsedTime** Indicates how long since the scan is required on device. +- **scanRiskLevel** At-risk level of the scan phase. +- **wuDeviceid** Device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.FailedToAddTimeTriggerToScanTask + +This event indicated that USO failed to add a trigger time to a task. + +The following fields are available: + +- **errorCode** The Windows Update error code. +- **wuDeviceid** The Windows Update device ID. + + +### Microsoft.Windows.Update.Orchestrator.FlightInapplicable + +This event indicates that the update is no longer applicable to this device. + +The following fields are available: + +- **EventPublishedTime** Time when this event was generated. +- **flightID** The specific ID of the Windows Insider build. +- **inapplicableReason** No content is currently available. +- **revisionNumber** Update revision number. +- **updateId** Unique Windows Update ID. +- **updateScenarioType** Update session type. +- **UpdateStatus** Last status of update. +- **UUPFallBackConfigured** Indicates whether UUP fallback is configured. +- **wuDeviceid** Unique Device ID. + + +### Microsoft.Windows.Update.Orchestrator.InitiatingReboot + +This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date. + +The following fields are available: + +- **EventPublishedTime** Time of the event. +- **flightID** Unique update ID +- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. +- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. +- **revisionNumber** Revision number of the update. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.Install + +This event sends launch data for a Windows Update install to help keep Windows up to date. + +The following fields are available: + +- **batteryLevel** Current battery capacity in mWh or percentage left. +- **deferReason** Reason for install not completing. +- **errorCode** The error code reppresented by a hexadecimal value. +- **eventScenario** End-to-end update session ID. +- **flightID** The ID of the Windows Insider build the device is getting. +- **flightUpdate** Indicates whether the update is a Windows Insider build. +- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates. +- **IgnoreReasonsForRestart** The reason(s) a Postpone Restart command was ignored. +- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress. +- **installRebootinitiatetime** The time it took for a reboot to be attempted. +- **interactive** Identifies if session is user initiated. +- **minutesToCommit** The time it took to install updates. +- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.LowUptimes + +This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure. + +The following fields are available: + +- **availableHistoryMinutes** The number of minutes available from the local machine activity history. +- **isLowUptimeMachine** Is the machine considered low uptime or not. +- **lowUptimeMinHours** Current setting for the minimum number of hours needed to not be considered low uptime. +- **lowUptimeQueryDays** Current setting for the number of recent days to check for uptime. +- **uptimeMinutes** Number of minutes of uptime measured. +- **wuDeviceid** Unique device ID for Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection + +This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date. + +The following fields are available: + +- **externalOneshotupdate** The last time a task-triggered scan was completed. +- **interactiveOneshotupdate** The last time an interactive scan was completed. +- **oldlastscanOneshotupdate** The last time a scan completed successfully. +- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID). + + +### Microsoft.Windows.Update.Orchestrator.PreShutdownStart + +This event is generated before the shutdown and commit operations. + +The following fields are available: + +- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### Microsoft.Windows.Update.Orchestrator.RebootFailed + +This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date. + +The following fields are available: + +- **batteryLevel** Current battery capacity in mWh or percentage left. +- **deferReason** Reason for install not completing. +- **EventPublishedTime** The time that the reboot failure occurred. +- **flightID** Unique update ID. +- **rebootOutsideOfActiveHours** Indicates whether a reboot was scheduled outside of active hours. +- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.RefreshSettings + +This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date. + +The following fields are available: + +- **errorCode** Hex code for the error message, to allow lookup of the specific error. +- **settingsDownloadTime** Timestamp of the last attempt to acquire settings. +- **settingsETag** Version identifier for the settings. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask + +This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date. + +The following fields are available: + +- **RebootTaskMissedTimeUTC** The time when the reboot task was scheduled to run, but did not. +- **RebootTaskNextTimeUTC** The time when the reboot task was rescheduled for. +- **RebootTaskRestoredTime** Time at which this reboot task was restored. +- **wuDeviceid** Device ID for the device on which the reboot is restored. + + +### Microsoft.Windows.Update.Orchestrator.ScanTriggered + +This event indicates that Update Orchestrator has started a scan operation. + +The following fields are available: + +- **interactive** Indicates whether the scan is interactive. +- **isDTUEnabled** Indicates whether DTU (internal abbreviation for Direct Feature Update) channel is enabled on the client system. +- **isScanPastSla** Indicates whether the SLA has elapsed for scanning. +- **isScanPastTriggerSla** Indicates whether the SLA has elapsed for triggering a scan. +- **minutesOverScanSla** Indicates how many minutes the scan exceeded the scan SLA. +- **minutesOverScanTriggerSla** Indicates how many minutes the scan exceeded the scan trigger SLA. +- **scanTriggerSource** Indicates what caused the scan. +- **updateScenarioType** The update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.StickUpdate + +This event is sent when the update service orchestrator (USO) indicates the update cannot be superseded by a newer update. + +The following fields are available: + +- **updateId** Identifier associated with the specific piece of content. +- **wuDeviceid** Unique device ID controlled by the software distribution client. + + +### Microsoft.Windows.Update.Orchestrator.SystemNeeded + +This event sends data about why a device is unable to reboot, to help keep Windows up to date. + +The following fields are available: + +- **eventScenario** End-to-end update session ID. +- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. +- **revisionNumber** Update revision number. +- **systemNeededReason** List of apps or tasks that are preventing the system from restarting. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.UnstickUpdate + +This event is sent when the update service orchestrator (USO) indicates that the update can be superseded by a newer update. + +The following fields are available: + +- **updateId** Identifier associated with the specific piece of content. +- **wuDeviceid** Unique device ID controlled by the software distribution client. + + +### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh + +This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date. + +The following fields are available: + +- **configuredPoliciescount** Number of policies on the device. +- **policiesNamevaluesource** Policy name and source of policy (group policy, MDM or flight). +- **policyCacherefreshtime** Time when policy cache was refreshed. +- **updateInstalluxsetting** Indicates whether a user has set policies via a user experience option. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired + +This event sends data about whether an update required a reboot to help keep Windows up to date. + +The following fields are available: + +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed + +This event sends information about an update that encountered problems and was not able to complete. + +The following fields are available: + +- **errorCode** The error code encountered. +- **wuDeviceid** The ID of the device in which the error occurred. + + +### Microsoft.Windows.Update.Orchestrator.UsoSession + +This event represents the state of the USO service at start and completion. + +The following fields are available: + +- **activeSessionid** A unique session GUID. +- **eventScenario** The state of the update action. +- **interactive** Is the USO session interactive? +- **lastErrorcode** The last error that was encountered. +- **lastErrorstate** The state of the update when the last error was encountered. +- **sessionType** A GUID that refers to the update session type. +- **updateScenarioType** A descriptive update session type. +- **wuDeviceid** The Windows Update device GUID. + + +### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState + +This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. + +The following fields are available: + +- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. +- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown. +- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed. +- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs. +- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode. +- **ETag** The Entity Tag that represents the OneSettings version. +- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device. +- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device. +- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending. +- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced. +- **RebootVersion** The version of the DTE (Direct-to-Engaged). +- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode. +- **UpdateId** The ID of the update that is waiting for reboot to finish installation. +- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. + + +### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded + +This event is sent when a security update has successfully completed. + +The following fields are available: + +- **UtcTime** The Coordinated Universal Time that the restart was no longer needed. + + +### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled + +This event sends basic information about scheduling an update-related reboot, to get security updates and to help keep Windows up-to-date. + +The following fields are available: + +- **activeHoursApplicable** Indicates whether Active Hours applies on this device. +- **IsEnhancedEngagedReboot** Indicates whether Enhanced reboot was enabled. +- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. +- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise. +- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically. +- **rebootState** Current state of the reboot. +- **rebootUsingSmartScheduler** Indicates that the reboot is scheduled by SmartScheduler. +- **revisionNumber** Revision number of the OS. +- **scheduledRebootTime** Time scheduled for the reboot. +- **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC. +- **updateId** Identifies which update is being scheduled. +- **wuDeviceid** The unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled + +This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up-to-date + +The following fields are available: + +- **activeHoursApplicable** Is the restart respecting Active Hours? +- **IsEnhancedEngagedReboot** TRUE if the reboot path is Enhanced Engaged. Otherwise, FALSE. +- **rebootArgument** The arguments that are passed to the OS for the restarted. +- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours? +- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device. +- **rebootState** The state of the restart. +- **rebootUsingSmartScheduler** TRUE if the reboot should be performed by the Smart Scheduler. Otherwise, FALSE. +- **revisionNumber** The revision number of the OS being updated. +- **scheduledRebootTime** Time of the scheduled reboot +- **scheduledRebootTimeInUTC** Time of the scheduled restart, in Coordinated Universal Time. +- **updateId** The Windows Update device GUID. +- **wuDeviceid** The Windows Update device GUID. + + +## Windows Update mitigation events + +### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages + +This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates. + +The following fields are available: + +- **ClientId** The client ID used by Windows Update. +- **FlightId** The ID of each Windows Insider build the device received. +- **InstanceId** A unique device ID that identifies each update instance. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **MountedImageCount** The number of mounted images. +- **MountedImageMatches** The number of mounted image matches. +- **MountedImagesFailed** The number of mounted images that could not be removed. +- **MountedImagesRemoved** The number of mounted images that were successfully removed. +- **MountedImagesSkipped** The number of mounted images that were not found. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each Windows Update. +- **WuId** Unique ID for the Windows Update client. + + +### Mitigation360Telemetry.MitigationCustom.FixupEditionId + +This event sends data specific to the FixupEditionId mitigation used for OS updates. + +The following fields are available: + +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **EditionIdUpdated** Determine whether EditionId was changed. +- **FlightId** Unique identifier for each flight. +- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **ProductEditionId** Expected EditionId value based on GetProductInfo. +- **ProductType** Value returned by GetProductInfo. +- **RegistryEditionId** EditionId value in the registry. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. +- **WuId** Unique ID for the Windows Update client. + + +## Winlogon events + +### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon + +This event signals the completion of the setup process. It happens only once during the first logon. + + + + From 17a6787e0ddf7d7b0b3bf20990137909e0262471 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 18 Jan 2019 08:50:56 -0800 Subject: [PATCH 002/492] new build 011819 --- .../basic-level-windows-diagnostic-events-and-fields-19H1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md index da9e5f277e..2fd9b3a25f 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 01/17/2019 +ms.date: 01/18/2019 --- From 10f85d71532329e2429d2585793ca844f988c4d3 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 22 Jan 2019 09:08:29 -0800 Subject: [PATCH 003/492] new build 012219 --- ...windows-diagnostic-events-and-fields-19H1.md | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md index 2fd9b3a25f..d91af574a8 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 01/18/2019 +ms.date: 01/22/2019 --- @@ -706,6 +706,8 @@ The following fields are available: - **DriverIsDriverBlocked** Is the driver package blocked because of a driver block? - **DriverShouldNotMigrate** Should the driver package be migrated during upgrade? - **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? +- **SdbDriverBlockServicing** No content is currently available. +- **SdbDriverBlockSwap** No content is currently available. ### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove @@ -3973,12 +3975,12 @@ Ensures Windows Updates are secure and complete. Event helps to identify whether The following fields are available: - **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments. -- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed. -- **ExtendedStatusCode** The secondary status code of the event. +- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments. +- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. - **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed. - **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. -- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce +- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce - **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID). - **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable. - **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. @@ -3989,8 +3991,8 @@ The following fields are available: - **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. - **SHA256OfTimestampToken** An encoded string of the timestamp token. - **SignatureAlgorithm** The hash algorithm for the metadata signature. -- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast -- **StatusCode** The status code of the event. +- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast". +- **StatusCode** Result code of the event (success, cancellation, failure code HResult) - **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token. - **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed. - **UpdateId** The update ID for a specific piece of content. @@ -4620,6 +4622,7 @@ The following fields are available: - **capsuleFailureCount** No content is currently available. - **detectionSummary** Result of each applicable detection that was run. - **featureAssessmentImpact** WaaS Assessment impact for feature updates. +- **hrEngineBlockReason** No content is currently available. - **hrEngineResult** Error code from the engine operation. - **hrLastSandboxError** No content is currently available. - **initSummary** No content is currently available. From 1ba775d8adb99076810cff923e4afac479822f88 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 23 Jan 2019 08:32:26 -0800 Subject: [PATCH 004/492] new build --- ...ndows-diagnostic-events-and-fields-19H1.md | 56 ++++++++----------- 1 file changed, 24 insertions(+), 32 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md index d91af574a8..8af3ec5e62 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 01/22/2019 +ms.date: 01/23/2019 --- @@ -73,12 +73,12 @@ The following fields are available: ### Microsoft.Windows.Security.AppLockerCSP.CAppLockerCSP::Commit -No content is currently available. +This event returns information about the “Commit” operation in AppLockerCSP. The following fields are available: -- **oldId** No content is currently available. -- **txId** No content is currently available. +- **oldId** The unique identifier for the most recent previous CSP transaction. +- **txId** The unique identifier for the current CSP transaction. ### Microsoft.Windows.Security.AppLockerCSP.ClearParams @@ -243,7 +243,7 @@ This event lists the types of objects and how many of each exist on the client d The following fields are available: -- **DatasourceApplicationFile_19A** No content is currently available. +- **DatasourceApplicationFile_19A** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_19ASetup** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_19H1** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. @@ -251,7 +251,7 @@ The following fields are available: - **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_TH2** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_19A** No content is currently available. +- **DatasourceDevicePnp_19A** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_19ASetup** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. @@ -259,7 +259,7 @@ The following fields are available: - **DatasourceDevicePnp_RS5** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_TH2** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_19A** No content is currently available. +- **DatasourceDriverPackage_19A** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_19ASetup** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_19H1** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. @@ -267,7 +267,7 @@ The following fields are available: - **DatasourceDriverPackage_RS5** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_19A** No content is currently available. +- **DataSourceMatchingInfoBlock_19A** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. @@ -275,7 +275,7 @@ The following fields are available: - **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_19A** No content is currently available. +- **DataSourceMatchingInfoPassive_19A** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. @@ -283,7 +283,7 @@ The following fields are available: - **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_19A** No content is currently available. +- **DataSourceMatchingInfoPostUpgrade_19A** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. @@ -292,7 +292,7 @@ The following fields are available: - **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_19A** No content is currently available. +- **DatasourceSystemBios_19A** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_19ASetup** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_19H1** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device. @@ -300,7 +300,7 @@ The following fields are available: - **DatasourceSystemBios_RS5** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_RS5Setup** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_TH2** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_19A** No content is currently available. +- **DecisionApplicationFile_19A** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_19ASetup** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_19H1** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. @@ -308,7 +308,7 @@ The following fields are available: - **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_TH2** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_19A** No content is currently available. +- **DecisionDevicePnp_19A** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_19ASetup** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_19H1** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. @@ -316,7 +316,7 @@ The following fields are available: - **DecisionDevicePnp_RS5** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_TH2** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_19A** No content is currently available. +- **DecisionDriverPackage_19A** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_19ASetup** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_19H1** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. @@ -324,7 +324,7 @@ The following fields are available: - **DecisionDriverPackage_RS5** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_19A** No content is currently available. +- **DecisionMatchingInfoBlock_19A** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. @@ -332,7 +332,7 @@ The following fields are available: - **DecisionMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_19A** No content is currently available. +- **DecisionMatchingInfoPassive_19A** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. @@ -340,7 +340,7 @@ The following fields are available: - **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_19A** No content is currently available. +- **DecisionMatchingInfoPostUpgrade_19A** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. @@ -349,7 +349,7 @@ The following fields are available: - **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_19A** No content is currently available. +- **DecisionMediaCenter_19A** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_19ASetup** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_19H1** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_19H1Setup** The total DecisionMediaCenter objects targeting the next release of Windows on this device. @@ -357,13 +357,13 @@ The following fields are available: - **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_RS5Setup** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_TH2** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_19A** No content is currently available. -- **DecisionSystemBios_19ASetup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_19A** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_19ASetup** The count of the number of this particular object type present on this device. - **DecisionSystemBios_19H1** The count of the number of this particular object type present on this device. - **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. - **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device. - **DecisionSystemBios_RS5** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS5Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS5Setup** The count of the number of this particular object type present on this device. - **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device. - **InventoryApplicationFile** The count of the number of this particular object type present on this device. - **InventoryLanguagePack** The count of the number of this particular object type present on this device. @@ -381,7 +381,7 @@ The following fields are available: - **SystemWim** The total number of objects of this type present on this device. - **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. - **SystemWlan** The total number of objects of this type present on this device. -- **Wmdrm_19A** No content is currently available. +- **Wmdrm_19A** The count of the number of this particular object type present on this device. - **Wmdrm_19ASetup** The count of the number of this particular object type present on this device. - **Wmdrm_19H1** The count of the number of this particular object type present on this device. - **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. @@ -661,12 +661,6 @@ The following fields are available: - **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS? - **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade? - **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden? -- **TEMP_WuFalseAndCosInbox** No content is currently available. -- **TEMP_WuFalseAndCosOnline** No content is currently available. -- **TEMP_WuFalseAndNoCos** No content is currently available. -- **TEMP_WuTrueAndCosInbox** No content is currently available. -- **TEMP_WuTrueAndCosOnline** No content is currently available. -- **TEMP_WuTrueAndNoCos** No content is currently available. ### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove @@ -2300,7 +2294,7 @@ The following fields are available: - **GPUVendorID** The GPU vendor ID. - **InterfaceId** The GPU interface ID. - **IsDisplayDevice** Does the GPU have displaying capabilities? -- **IsHwSchSupported** No content is currently available. +- **IsHwSchSupported** Indicates whether the adapter supports hardware scheduling. - **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? - **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? - **IsLDA** Is the GPU comprised of Linked Display Adapters? @@ -3408,7 +3402,7 @@ The following fields are available: ### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager -No content is currently available. +This event returns data about the Update Reserve Manager, including whether it’s been initialized. The following fields are available: @@ -4946,10 +4940,8 @@ This event is sent at the beginning of an app install or update to help keep Win The following fields are available: - **CatalogId** The name of the product catalog from which this app was chosen. -- **fulfillmentPluginId** No content is currently available. - **FulfillmentPluginId** No content is currently available. - **PFN** The Package Family Name of the app that is being installed or updated. -- **pluginTelemetryData** No content is currently available. - **PluginTelemetryData** No content is currently available. - **ProductId** The product ID of the app that is being updated or installed. From c19b9d50fcc815ccaaff9aa5c940f2f37fc23303 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 23 Jan 2019 13:16:16 -0800 Subject: [PATCH 005/492] new build --- ...ndows-diagnostic-events-and-fields-19H1.md | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md index 8af3ec5e62..569959e879 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md @@ -3400,6 +3400,16 @@ The following fields are available: - **Result** The HResult error. +### Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment + +No content is currently available. + +The following fields are available: + +- **FinalAdjustment** No content is currently available. +- **InitialAdjustment** No content is currently available. + + ### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager This event returns data about the Update Reserve Manager, including whether it’s been initialized. @@ -3415,6 +3425,23 @@ The following fields are available: - **Version** No content is currently available. +### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment + +No content is currently available. + + + +### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment + +No content is currently available. + +The following fields are available: + +- **ChangeSize** No content is currently available. +- **PendingHardReserveAdjustment** No content is currently available. +- **UpdateType** No content is currently available. + + ### Value This event returns data about Mean Time to Failure (MTTF) for Windows devices. It is the primary means of estimating reliability problems in Basic Diagnostic reporting with very strong privacy guarantees. Since Basic Diagnostic reporting does not include system up-time, and since that information is important to ensuring the safe and stable operation of Windows, the data provided by this event provides that data in a manner which does not threaten a user’s privacy. @@ -5273,6 +5300,23 @@ The following fields are available: - **UtcTime** The time the dialog box notification will be displayed, in Coordinated Universal Time. +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootAcceptAutoDialog + +This event indicates that the Enhanced Engaged restart "accept automatically" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** The local time on the device sending the event. +- **EnterpriseAttributionValue** No content is currently available. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose on this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. + + ### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed. From 2c981087b5dde7b2480acb1a5e2944687858a59a Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 24 Jan 2019 08:20:29 -0800 Subject: [PATCH 006/492] new build --- ...ndows-diagnostic-events-and-fields-19H1.md | 376 ++++++++++++++---- 1 file changed, 289 insertions(+), 87 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md index 569959e879..c7d639913e 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 01/23/2019 +ms.date: 01/24/2019 --- @@ -756,7 +756,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd -This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. +This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -2161,37 +2161,37 @@ The following fields are available: ### CbsServicingProvider.CbsSelectableUpdateChangeV2 -No content is currently available. +This event reports the results of enabling or disabling optional Windows Content to keep Windows up to date. The following fields are available: -- **applicableUpdateState** No content is currently available. -- **buildVersion** No content is currently available. -- **clientId** No content is currently available. -- **downloadSource** No content is currently available. -- **downloadtimeInSeconds** No content is currently available. -- **executionID** No content is currently available. -- **executionSequence** No content is currently available. -- **firstMergedExecutionSequence** No content is currently available. -- **firstMergedID** No content is currently available. -- **hrDownloadResult** No content is currently available. -- **hrStatusUpdate** No content is currently available. -- **identityHash** No content is currently available. -- **initiatedOffline** No content is currently available. -- **majorVersion** No content is currently available. -- **minorVersion** No content is currently available. -- **packageArchitecture** No content is currently available. -- **packageLanguage** No content is currently available. -- **packageName** No content is currently available. -- **rebootRequired** No content is currently available. -- **revisionVersion** No content is currently available. -- **stackBuild** No content is currently available. -- **stackMajorVersion** No content is currently available. -- **stackMinorVersion** No content is currently available. -- **stackRevision** No content is currently available. -- **updateName** No content is currently available. -- **updateStartState** No content is currently available. -- **updateTargetState** No content is currently available. +- **applicableUpdateState** Indicates the highest applicable state of the optional content. +- **buildVersion** The build version of the package being installed. +- **clientId** The name of the application requesting the optional content change. +- **downloadSource** Indicates if optional content was obtained from Windows Update or a locally accessible file. +- **downloadtimeInSeconds** Indicates if optional content was obtained from Windows Update or a locally accessible file. +- **executionID** A unique ID used to identify events associated with a single servicing operation and not reused for future operations. +- **executionSequence** A counter that tracks the number of servicing operations attempted on the device. +- **firstMergedExecutionSequence** The value of a pervious executionSequence counter that is being merged with the current operation, if applicable. +- **firstMergedID** A unique ID of a pervious servicing operation that is being merged with this operation, if applicable. +- **hrDownloadResult** The return code of the download operation. +- **hrStatusUpdate** The return code of the servicing operation. +- **identityHash** A pseudonymized (hashed) identifier for the Windows Package that is being installed or uninstalled. +- **initiatedOffline** Indicates whether the operation was performed against an offline Windows image file or a running instance of Windows. +- **majorVersion** The major version of the package being installed. +- **minorVersion** The minor version of the package being installed. +- **packageArchitecture** The architecture of the package being installed. +- **packageLanguage** The language of the package being installed. +- **packageName** The name of the package being installed. +- **rebootRequired** Indicates whether a reboot is required to complete the operation. +- **revisionVersion** The revision number of the package being installed. +- **stackBuild** The build number of the servicing stack binary performing the installation. +- **stackMajorVersion** The major version number of the servicing stack binary performing the installation. +- **stackMinorVersion** The minor version number of the servicing stack binary performing the installation. +- **stackRevision** The revision number of the servicing stack binary performing the installation. +- **updateName** The name of the optional Windows Operation System feature being enabled or disabled. +- **updateStartState** A value indicating the state of the optional content before the operation started. +- **updateTargetState** A value indicating the desired state of the optional content. ## Diagnostic data events @@ -2249,7 +2249,7 @@ The following fields are available: - **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. - **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. - **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). -- **PrivacyBlockedCount** No content is currently available. +- **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. - **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. - **SettingsHttpAttempts** Number of attempts to contact OneSettings service. - **SettingsHttpFailures** The number of failures from contacting the OneSettings service. @@ -3300,7 +3300,7 @@ The following fields are available: - **UserInputTime** The amount of time the loader application spent waiting for user input. -## Other events +## Miracast events ### Microsoft.Windows.Cast.Miracast.MiracastSessionEnd @@ -3374,72 +3374,85 @@ The following fields are available: - **WFD2Supported** No content is currently available. -### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.General +## Other events -This event provides information about application properties to indicate the successful execution. - -The following fields are available: - -- **AppMode** Indicates the mode the app is being currently run around privileges. -- **ExitCode** Indicates the exit code of the app. -- **Help** Indicates if the app needs to be launched in the help mode. -- **ParseError** Indicates if there was a parse error during the execution. -- **RightsAcquired** Indicates if the right privileges were acquired for successful execution. -- **RightsWereEnabled** Indicates if the right privileges were enabled for successful execution. -- **TestMode** Indicates whether the app is being run in test mode. - - -### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.GetCount - -This event provides information about the properties of user accounts in the Administrator group. - -The following fields are available: - -- **Internal** Indicates the internal property associated with the count group. -- **LastError** The error code (if applicable) for the cause of the failure to get the count of the user account. -- **Result** The HResult error. - - -### Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment - -No content is currently available. - -The following fields are available: - -- **FinalAdjustment** No content is currently available. -- **InitialAdjustment** No content is currently available. - - -### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager - -This event returns data about the Update Reserve Manager, including whether it’s been initialized. - -The following fields are available: - -- **ClientId** No content is currently available. -- **Flags** No content is currently available. -- **FlightId** No content is currently available. -- **Offline** No content is currently available. -- **PolicyPassed** No content is currently available. -- **ReturnCode** No content is currently available. -- **Version** No content is currently available. - - -### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment +### Microsoft.Windows.IoT.Client.CEPAL.MonitorStarted No content is currently available. -### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment +### Microsoft.Windows.Server.FailoverClusteringCritical.ClusterSummary2 No content is currently available. The following fields are available: -- **ChangeSize** No content is currently available. -- **PendingHardReserveAdjustment** No content is currently available. -- **UpdateType** No content is currently available. +- **autoAssignSite** No content is currently available. +- **autoBalancerLevel** No content is currently available. +- **autoBalancerMode** No content is currently available. +- **blockCacheSize** No content is currently available. +- **ClusterAdConfiguration** No content is currently available. +- **clusterAdType** No content is currently available. +- **clusterDumpPolicy** No content is currently available. +- **clusterFunctionalLevel** No content is currently available. +- **clusterGuid** No content is currently available. +- **clusterWitnessType** No content is currently available. +- **countNodesInSite** No content is currently available. +- **crossSiteDelay** No content is currently available. +- **crossSiteThreshold** No content is currently available. +- **crossSubnetDelay** No content is currently available. +- **crossSubnetThreshold** No content is currently available. +- **csvCompatibleFilters** No content is currently available. +- **csvIncompatibleFilters** No content is currently available. +- **csvResourceCount** No content is currently available. +- **currentNodeSite** No content is currently available. +- **dasModeBusType** No content is currently available. +- **downLevelNodeCount** No content is currently available. +- **drainOnShutdown** No content is currently available. +- **dynamicQuorumEnabled** No content is currently available. +- **enforcedAntiAffinity** No content is currently available. +- **genAppNames** No content is currently available. +- **genSvcNames** No content is currently available. +- **hangRecoveryAction** No content is currently available. +- **hangTimeOut** No content is currently available. +- **isCalabria** No content is currently available. +- **isMixedMode** No content is currently available. +- **isRunningDownLevel** No content is currently available. +- **logLevel** No content is currently available. +- **logSize** No content is currently available. +- **lowerQuorumPriorityNodeId** No content is currently available. +- **minNeverPreempt** No content is currently available. +- **minPreemptor** No content is currently available. +- **netftIpsecEnabled** No content is currently available. +- **NodeCount** No content is currently available. +- **nodeId** No content is currently available. +- **nodeResourceCounts** No content is currently available. +- **nodeResourceOnlineCounts** No content is currently available. +- **numberOfSites** No content is currently available. +- **numNodesInNoSite** No content is currently available. +- **plumbAllCrossSubnetRoutes** No content is currently available. +- **preferredSite** No content is currently available. +- **privateCloudWitness** No content is currently available. +- **quarantineDuration** No content is currently available. +- **quarantineThreshold** No content is currently available. +- **quorumArbitrationTimeout** No content is currently available. +- **resiliencyLevel** No content is currently available. +- **resourceCounts** No content is currently available. +- **resourceTypeCounts** No content is currently available. +- **resourceTypes** No content is currently available. +- **resourceTypesPath** No content is currently available. +- **sameSubnetDelay** No content is currently available. +- **sameSubnetThreshold** No content is currently available. +- **secondsInMixedMode** No content is currently available. +- **securityLevel** No content is currently available. +- **securityLevelForStorage** No content is currently available. +- **sharedVolumeBlockCacheSize** No content is currently available. +- **shutdownTimeoutMinutes** No content is currently available. +- **upNodeCount** No content is currently available. +- **useClientAccessNetworksForCsv** No content is currently available. +- **vmIsolationTime** No content is currently available. +- **witnessDatabaseWriteTimeout** No content is currently available. ### Value @@ -5368,6 +5381,22 @@ The following fields are available: - **UtcTime** The time at which the reboot reminder dialog was shown (in UTC). +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderToast + +No content is currently available. + +The following fields are available: + +- **DeviceLocalTime** No content is currently available. +- **ETag** No content is currently available. +- **ExitCode** No content is currently available. +- **RebootVersion** No content is currently available. +- **UpdateId** No content is currently available. +- **UpdateRevision** No content is currently available. +- **UserResponseString** No content is currently available. +- **UtcTime** No content is currently available. + + ### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy This event indicates a policy is present that may restrict update activity to outside of active hours. @@ -5798,6 +5827,32 @@ The following fields are available: ## Windows Update mitigation events +### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.General + +This event provides information about application properties to indicate the successful execution. + +The following fields are available: + +- **AppMode** Indicates the mode the app is being currently run around privileges. +- **ExitCode** Indicates the exit code of the app. +- **Help** Indicates if the app needs to be launched in the help mode. +- **ParseError** Indicates if there was a parse error during the execution. +- **RightsAcquired** Indicates if the right privileges were acquired for successful execution. +- **RightsWereEnabled** Indicates if the right privileges were enabled for successful execution. +- **TestMode** Indicates whether the app is being run in test mode. + + +### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.GetCount + +This event provides information about the properties of user accounts in the Administrator group. + +The following fields are available: + +- **Internal** Indicates the internal property associated with the count group. +- **LastError** The error code (if applicable) for the cause of the failure to get the count of the user account. +- **Result** The HResult error. + + ### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates. @@ -5845,6 +5900,153 @@ The following fields are available: - **WuId** Unique ID for the Windows Update client. +## Windows Update Reserve Manager events + +### Microsoft.Windows.UpdateReserveManager.BeginScenario + +No content is currently available. + +The following fields are available: + +- **Flags** No content is currently available. +- **HardReserveSize** No content is currently available. +- **HardReserveUsedSpace** No content is currently available. +- **OwningScenarioId** No content is currently available. +- **ReturnCode** No content is currently available. +- **ScenarioId** No content is currently available. + + +### Microsoft.Windows.UpdateReserveManager.ClearSoftReserve + +No content is currently available. + + + +### Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment + +No content is currently available. + +The following fields are available: + +- **FinalAdjustment** No content is currently available. +- **InitialAdjustment** No content is currently available. + + +### Microsoft.Windows.UpdateReserveManager.EndScenario + +No content is currently available. + +The following fields are available: + +- **ActiveScenario** No content is currently available. +- **Flags** No content is currently available. +- **HardReserveSize** No content is currently available. +- **HardReserveUsedSpace** No content is currently available. +- **ReturnCode** No content is currently available. +- **ScenarioId** No content is currently available. + + +### Microsoft.Windows.UpdateReserveManager.FunctionReturnedError + +No content is currently available. + +The following fields are available: + +- **FailedExpression** No content is currently available. +- **FailedFile** No content is currently available. +- **FailedFunction** No content is currently available. +- **FailedLine** No content is currently available. +- **ReturnCode** No content is currently available. + + +### Microsoft.Windows.UpdateReserveManager.InitializeReserves + +No content is currently available. + +The following fields are available: + +- **FallbackInitUsed** No content is currently available. +- **Flags** No content is currently available. +- **HardReserveFinalSize** No content is currently available. +- **HardReserveFinalUsedSpace** No content is currently available. +- **HardReserveInitialSize** No content is currently available. +- **HardReserveInitialUsedSpace** No content is currently available. +- **HardReserveTargetSize** No content is currently available. +- **InitialUserFreeSpace** No content is currently available. +- **PostUpgradeFreeSpace** No content is currently available. +- **SoftReserveFinalSize** No content is currently available. +- **SoftReserveFinalUsedSpace** No content is currently available. +- **SoftReserveInitialSize** No content is currently available. +- **SoftReserveInitialUsedSpace** No content is currently available. +- **SoftReserveTargetSize** No content is currently available. +- **TargetUserFreeSpace** No content is currently available. +- **UpdateScratchFinalUsedSpace** No content is currently available. +- **UpdateScratchInitialUsedSpace** No content is currently available. +- **UpdateScratchReserveFinalSize** No content is currently available. +- **UpdateScratchReserveInitialSize** No content is currently available. + + +### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager + +This event returns data about the Update Reserve Manager, including whether it’s been initialized. + +The following fields are available: + +- **ClientId** No content is currently available. +- **Flags** No content is currently available. +- **FlightId** No content is currently available. +- **Offline** No content is currently available. +- **PolicyPassed** No content is currently available. +- **ReturnCode** No content is currently available. +- **Version** No content is currently available. + + +### Microsoft.Windows.UpdateReserveManager.PrepareTIForReserveInitialization + +No content is currently available. + +The following fields are available: + +- **Flags** No content is currently available. + + +### Microsoft.Windows.UpdateReserveManager.ReevaluatePolicy + +No content is currently available. + +The following fields are available: + +- **PolicyChanged** No content is currently available. +- **PolicyFailedEnum** No content is currently available. +- **PolicyPassed** No content is currently available. + + +### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment + +No content is currently available. + + + +### Microsoft.Windows.UpdateReserveManager.TurnOffReserves + +No content is currently available. + +The following fields are available: + +- **Flags** No content is currently available. + + +### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment + +No content is currently available. + +The following fields are available: + +- **ChangeSize** No content is currently available. +- **PendingHardReserveAdjustment** No content is currently available. +- **UpdateType** No content is currently available. + + ## Winlogon events ### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon From c89d3c9b014105290f2d1732522eaebb88d80c4a Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 24 Jan 2019 12:20:18 -0800 Subject: [PATCH 007/492] new build --- ...ndows-diagnostic-events-and-fields-19H1.md | 170 +++++++++--------- 1 file changed, 85 insertions(+), 85 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md index c7d639913e..4f2cd83eb0 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md @@ -700,8 +700,6 @@ The following fields are available: - **DriverIsDriverBlocked** Is the driver package blocked because of a driver block? - **DriverShouldNotMigrate** Should the driver package be migrated during upgrade? - **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? -- **SdbDriverBlockServicing** No content is currently available. -- **SdbDriverBlockSwap** No content is currently available. ### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove @@ -845,8 +843,6 @@ The following fields are available: - **Blocking** Is the device blocked from upgrade due to a BIOS block? - **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for the bios. - **HasBiosBlock** Does the device have a BIOS block? -- **HasBiosBlockServicing** No content is currently available. -- **HasBiosBlockSwap** No content is currently available. ### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync @@ -1689,8 +1685,8 @@ The following fields are available: - **InkTypeImprovement** Current state of the improve inking and typing setting. - **Location** Current state of the location setting. - **LocationHistory** Current state of the location history setting. -- **LocationHistoryCloudSync** No content is currently available. -- **LocationHistoryOnTimeline** No content is currently available. +- **LocationHistoryCloudSync** Current state of the location history cloud sync setting. +- **LocationHistoryOnTimeline** Current state of the location history on timeline setting. - **Microphone** Current state of the microphone setting. - **PhoneCall** Current state of the phone call setting. - **PhoneCallHistory** Current state of the call history setting. @@ -2319,6 +2315,81 @@ The following fields are available: - **WDDMVersion** The Windows Display Driver Model version. +## Failover Clustering events + +### Microsoft.Windows.Server.FailoverClusteringCritical.ClusterSummary2 + +No content is currently available. + +The following fields are available: + +- **autoAssignSite** No content is currently available. +- **autoBalancerLevel** No content is currently available. +- **autoBalancerMode** No content is currently available. +- **blockCacheSize** No content is currently available. +- **ClusterAdConfiguration** No content is currently available. +- **clusterAdType** No content is currently available. +- **clusterDumpPolicy** No content is currently available. +- **clusterFunctionalLevel** No content is currently available. +- **clusterGuid** No content is currently available. +- **clusterWitnessType** No content is currently available. +- **countNodesInSite** No content is currently available. +- **crossSiteDelay** No content is currently available. +- **crossSiteThreshold** No content is currently available. +- **crossSubnetDelay** No content is currently available. +- **crossSubnetThreshold** No content is currently available. +- **csvCompatibleFilters** No content is currently available. +- **csvIncompatibleFilters** No content is currently available. +- **csvResourceCount** No content is currently available. +- **currentNodeSite** No content is currently available. +- **dasModeBusType** No content is currently available. +- **downLevelNodeCount** No content is currently available. +- **drainOnShutdown** No content is currently available. +- **dynamicQuorumEnabled** No content is currently available. +- **enforcedAntiAffinity** No content is currently available. +- **genAppNames** No content is currently available. +- **genSvcNames** No content is currently available. +- **hangRecoveryAction** No content is currently available. +- **hangTimeOut** No content is currently available. +- **isCalabria** No content is currently available. +- **isMixedMode** No content is currently available. +- **isRunningDownLevel** No content is currently available. +- **logLevel** No content is currently available. +- **logSize** No content is currently available. +- **lowerQuorumPriorityNodeId** No content is currently available. +- **minNeverPreempt** No content is currently available. +- **minPreemptor** No content is currently available. +- **netftIpsecEnabled** No content is currently available. +- **NodeCount** No content is currently available. +- **nodeId** No content is currently available. +- **nodeResourceCounts** No content is currently available. +- **nodeResourceOnlineCounts** No content is currently available. +- **numberOfSites** No content is currently available. +- **numNodesInNoSite** No content is currently available. +- **plumbAllCrossSubnetRoutes** No content is currently available. +- **preferredSite** No content is currently available. +- **privateCloudWitness** No content is currently available. +- **quarantineDuration** No content is currently available. +- **quarantineThreshold** No content is currently available. +- **quorumArbitrationTimeout** No content is currently available. +- **resiliencyLevel** No content is currently available. +- **resourceCounts** No content is currently available. +- **resourceTypeCounts** No content is currently available. +- **resourceTypes** No content is currently available. +- **resourceTypesPath** No content is currently available. +- **sameSubnetDelay** No content is currently available. +- **sameSubnetThreshold** No content is currently available. +- **secondsInMixedMode** No content is currently available. +- **securityLevel** No content is currently available. +- **securityLevelForStorage** No content is currently available. +- **sharedVolumeBlockCacheSize** No content is currently available. +- **shutdownTimeoutMinutes** No content is currently available. +- **upNodeCount** No content is currently available. +- **useClientAccessNetworksForCsv** No content is currently available. +- **vmIsolationTime** No content is currently available. +- **witnessDatabaseWriteTimeout** No content is currently available. + + ## Fault Reporting events ### Microsoft.Windows.FaultReporting.AppCrashEvent @@ -3258,6 +3329,14 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic +## IoT events + +### Microsoft.Windows.IoT.Client.CEPAL.MonitorStarted + +No content is currently available. + + + ## Kernel events ### IO @@ -3376,85 +3455,6 @@ The following fields are available: ## Other events -### Microsoft.Windows.IoT.Client.CEPAL.MonitorStarted - -No content is currently available. - - - -### Microsoft.Windows.Server.FailoverClusteringCritical.ClusterSummary2 - -No content is currently available. - -The following fields are available: - -- **autoAssignSite** No content is currently available. -- **autoBalancerLevel** No content is currently available. -- **autoBalancerMode** No content is currently available. -- **blockCacheSize** No content is currently available. -- **ClusterAdConfiguration** No content is currently available. -- **clusterAdType** No content is currently available. -- **clusterDumpPolicy** No content is currently available. -- **clusterFunctionalLevel** No content is currently available. -- **clusterGuid** No content is currently available. -- **clusterWitnessType** No content is currently available. -- **countNodesInSite** No content is currently available. -- **crossSiteDelay** No content is currently available. -- **crossSiteThreshold** No content is currently available. -- **crossSubnetDelay** No content is currently available. -- **crossSubnetThreshold** No content is currently available. -- **csvCompatibleFilters** No content is currently available. -- **csvIncompatibleFilters** No content is currently available. -- **csvResourceCount** No content is currently available. -- **currentNodeSite** No content is currently available. -- **dasModeBusType** No content is currently available. -- **downLevelNodeCount** No content is currently available. -- **drainOnShutdown** No content is currently available. -- **dynamicQuorumEnabled** No content is currently available. -- **enforcedAntiAffinity** No content is currently available. -- **genAppNames** No content is currently available. -- **genSvcNames** No content is currently available. -- **hangRecoveryAction** No content is currently available. -- **hangTimeOut** No content is currently available. -- **isCalabria** No content is currently available. -- **isMixedMode** No content is currently available. -- **isRunningDownLevel** No content is currently available. -- **logLevel** No content is currently available. -- **logSize** No content is currently available. -- **lowerQuorumPriorityNodeId** No content is currently available. -- **minNeverPreempt** No content is currently available. -- **minPreemptor** No content is currently available. -- **netftIpsecEnabled** No content is currently available. -- **NodeCount** No content is currently available. -- **nodeId** No content is currently available. -- **nodeResourceCounts** No content is currently available. -- **nodeResourceOnlineCounts** No content is currently available. -- **numberOfSites** No content is currently available. -- **numNodesInNoSite** No content is currently available. -- **plumbAllCrossSubnetRoutes** No content is currently available. -- **preferredSite** No content is currently available. -- **privateCloudWitness** No content is currently available. -- **quarantineDuration** No content is currently available. -- **quarantineThreshold** No content is currently available. -- **quorumArbitrationTimeout** No content is currently available. -- **resiliencyLevel** No content is currently available. -- **resourceCounts** No content is currently available. -- **resourceTypeCounts** No content is currently available. -- **resourceTypes** No content is currently available. -- **resourceTypesPath** No content is currently available. -- **sameSubnetDelay** No content is currently available. -- **sameSubnetThreshold** No content is currently available. -- **secondsInMixedMode** No content is currently available. -- **securityLevel** No content is currently available. -- **securityLevelForStorage** No content is currently available. -- **sharedVolumeBlockCacheSize** No content is currently available. -- **shutdownTimeoutMinutes** No content is currently available. -- **upNodeCount** No content is currently available. -- **useClientAccessNetworksForCsv** No content is currently available. -- **vmIsolationTime** No content is currently available. -- **witnessDatabaseWriteTimeout** No content is currently available. - - ### Value This event returns data about Mean Time to Failure (MTTF) for Windows devices. It is the primary means of estimating reliability problems in Basic Diagnostic reporting with very strong privacy guarantees. Since Basic Diagnostic reporting does not include system up-time, and since that information is important to ensuring the safe and stable operation of Windows, the data provided by this event provides that data in a manner which does not threaten a user’s privacy. From 69a68a7a7efe6fe5bec75034cec1800f72b2cd64 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 25 Jan 2019 09:07:55 -0800 Subject: [PATCH 008/492] new build --- ...ndows-diagnostic-events-and-fields-19H1.md | 58 +++++++++---------- 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md index 4f2cd83eb0..5675334faa 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 01/24/2019 +ms.date: 01/25/2019 --- @@ -858,24 +858,24 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionTestRemove -No content is currently available. +This event provides data that allows testing of “Remove” decisions to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **AppraiserVersion** No content is currently available. +- **AppraiserVersion** The version of the appraiser binary (executable) generating the events. ### Microsoft.Windows.Appraiser.General.DecisionTestStartSync -No content is currently available. +This event provides data that allows testing of “Start Sync” decisions to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **AppraiserVersion** No content is currently available. +- **AppraiserVersion** The version of the appraiser binary (executable) generating the events. ### Microsoft.Windows.Appraiser.General.GatedRegChange @@ -1046,24 +1046,24 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryTestRemove -No content is currently available. +This event provides data that allows testing of “Remove” decisions to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **AppraiserVersion** No content is currently available. +- **AppraiserVersion** The version of the appraiser binary (executable) generating the events. ### Microsoft.Windows.Appraiser.General.InventoryTestStartSync -No content is currently available. +This event provides data that allows testing of “Start Sync” decisions to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **AppraiserVersion** No content is currently available. +- **AppraiserVersion** The version of the appraiser binary (executable) generating the events. ### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd @@ -1533,7 +1533,7 @@ This event sends Windows Insider data from customers participating in improvemen The following fields are available: - **DeviceSampleRate** The telemetry sample rate assigned to the device. -- **DriverTargetRing** No content is currently available. +- **DriverTargetRing** Indicates if the device is participating in receiving pre-release drivers and firmware contrent. - **EnablePreviewBuilds** Used to enable Windows Insider builds on a device. - **FlightIds** A list of the different Windows Insider builds on this device. - **FlightingBranchName** The name of the Windows Insider branch currently used by the device. @@ -1850,8 +1850,8 @@ The following fields are available: - **InkTypePersonalization** Current state of the inking and typing personalization setting. - **Location** Current state of the location setting. - **LocationHistory** Current state of the location history setting. -- **LocationHistoryCloudSync** No content is currently available. -- **LocationHistoryOnTimeline** No content is currently available. +- **LocationHistoryCloudSync** Current state of the location history cloud sync setting. +- **LocationHistoryOnTimeline** Current state of the location history on timeline setting. - **Microphone** Current state of the microphone setting. - **PhoneCall** Current state of the phone call setting. - **PhoneCallHistory** Current state of the call history setting. @@ -2574,28 +2574,28 @@ The following fields are available: ### Microsoft.Windows.Inventory.Core.InventoryApplicationFileAdd -No content is currently available. +This event provides file-level information about the applications that exist on the system. This event is used to understand the applications on a device to determine if those applications will experience compatibility issues when upgrading Windows. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **BinaryType** No content is currently available. -- **BinFileVersion** No content is currently available. -- **BinProductVersion** No content is currently available. -- **BoeProgramId** No content is currently available. -- **CompanyName** No content is currently available. -- **FileId** No content is currently available. -- **FileVersion** No content is currently available. -- **InventoryVersion** No content is currently available. -- **Language** No content is currently available. -- **LinkDate** No content is currently available. -- **LowerCaseLongPath** No content is currently available. -- **Name** No content is currently available. -- **ProductName** No content is currently available. -- **ProductVersion** No content is currently available. -- **ProgramId** No content is currently available. -- **Size** No content is currently available. +- **BinaryType** The architecture of the binary (executable) file. +- **BinFileVersion** Version information for the binary (executable) file. +- **BinProductVersion** The product version provided by the binary (executable) file. +- **BoeProgramId** The “bag of evidence” program identifier. +- **CompanyName** The company name included in the binary (executable) file. +- **FileId** A pseudonymized (hashed) unique identifier derived from the file itself. +- **FileVersion** The version of the file. +- **InventoryVersion** The version of the inventory component. +- **Language** The language declared in the binary (executable) file. +- **LinkDate** The compiler link date. +- **LowerCaseLongPath** The file path in “long” format. +- **Name** The file name. +- **ProductName** The product name declared in the binary (executable) file. +- **ProductVersion** The product version declared in the binary (executable) file. +- **ProgramId** The program identifier associated with the binary (executable) file. +- **Size** The size of the binary (executable) file. ### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd From d7a06c7cf6a56ebcbc7f249e82b65b597bc6c649 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 28 Jan 2019 11:36:37 -0800 Subject: [PATCH 009/492] new build --- .../basic-level-windows-diagnostic-events-and-fields-19H1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md index 5675334faa..e54b7bbbad 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 01/25/2019 +ms.date: 01/28/2019 --- From 96ab744003029a05fb2d0ea59e3f34af1d22d620 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 1 Feb 2019 09:05:09 -0800 Subject: [PATCH 010/492] new build --- ...ndows-diagnostic-events-and-fields-19H1.md | 153 +++++++++++++++--- 1 file changed, 133 insertions(+), 20 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md index e54b7bbbad..feff722d43 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 01/28/2019 +ms.date: 02/01/2019 --- @@ -625,6 +625,17 @@ The following fields are available: - **SoftBlock** The file is softblocked in the SDB and has a warning. +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove + +This event indicates Indicates that the DecisionApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync This event indicates that a new set of DecisionApplicationFileAdd events will be sent. @@ -1122,7 +1133,7 @@ The following fields are available: - **AppraiserBranch** The source branch in which the currently running version of Appraiser was built. - **AppraiserProcess** The name of the process that launched Appraiser. - **AppraiserVersion** The version of the Appraiser file generating the events. -- **CensusId** No content is currently available. +- **CensusId** A unique hardware identifier. - **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry. - **PCFP** An ID for the system calculated by hashing hardware identifiers. - **Subcontext** Indicates what categories of incompatibilities appraiser is scanning for. Can be N/A, Resolve, or a semicolon-delimited list that can include App, Dev, Sys, Gat, or Rescan. @@ -1773,7 +1784,7 @@ The following fields are available: - **PrimaryDiskTotalCapacity** Retrieves the amount of disk space on the primary disk of the device in MB. - **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any). -- **StorageReservePassedPolicy** No content is currently available. +- **StorageReservePassedPolicy** Indicates whether the Storage Reserve policy, which ensures that updates have enough disk space and customers are on the latest OS, is enabled on this device. - **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB. @@ -2155,6 +2166,42 @@ The following fields are available: - **pendingDecision** Indicates the cause of reboot, if applicable. +### CbsServicingProvider.CbsQualityUpdateInstall + +No content is currently available. + +The following fields are available: + +- **buildVersion** No content is currently available. +- **clientId** No content is currently available. +- **corruptionHistoryFlags** No content is currently available. +- **corruptionType** No content is currently available. +- **currentStateEnd** No content is currently available. +- **doqTimeSeconds** No content is currently available. +- **executeTimeSeconds** No content is currently available. +- **failureDetails** No content is currently available. +- **failureSourceEnd** No content is currently available. +- **hrStatusEnd** No content is currently available. +- **initiatedOffline** No content is currently available. +- **majorVersion** No content is currently available. +- **minorVersion** No content is currently available. +- **originalState** No content is currently available. +- **overallTimeSeconds** No content is currently available. +- **planTimeSeconds** No content is currently available. +- **poqTimeSeconds** No content is currently available. +- **postRebootTimeSeconds** No content is currently available. +- **preRebootTimeSeconds** No content is currently available. +- **primitiveExecutionContext** No content is currently available. +- **rebootCount** No content is currently available. +- **rebootTimeSeconds** No content is currently available. +- **resolveTimeSeconds** No content is currently available. +- **revisionVersion** No content is currently available. +- **rptTimeSeconds** No content is currently available. +- **shutdownTimeSeconds** No content is currently available. +- **stackRevision** No content is currently available. +- **stageTimeSeconds** No content is currently available. + + ### CbsServicingProvider.CbsSelectableUpdateChangeV2 This event reports the results of enabling or disabling optional Windows Content to keep Windows up to date. @@ -2781,7 +2828,7 @@ The following fields are available: - **COMPID** The device setup class guid of the driver loaded for the device. - **ContainerId** The list of compat ids for the device. - **Description** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer. -- **DeviceInterfaceClasses** No content is currently available. +- **DeviceInterfaceClasses** The device interfaces that this device implements. - **DeviceState** The device description. - **DriverId** DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 288 (0x120)= device is a wireless device that is present - **DriverName** A unique identifier for the driver installed. @@ -3455,6 +3502,28 @@ The following fields are available: ## Other events +### Microsoft.Xbox.XamTelemetry.AppActivity + +This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. + +The following fields are available: + +- **AppActionId** The ID of the application action. +- **AppCurrentVisibilityState** The ID of the current application visibility state. +- **AppId** The Xbox LIVE Title ID of the app. +- **AppPackageFullName** The full name of the application package. +- **AppPreviousVisibilityState** The ID of the previous application visibility state. +- **AppSessionId** The application session ID. +- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). +- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. +- **DurationMs** The amount of time (in milliseconds) since the last application state transition. +- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. +- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). +- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. +- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. +- **UserId** The XUID (Xbox User ID) of the current user. + + ### Value This event returns data about Mean Time to Failure (MTTF) for Windows devices. It is the primary means of estimating reliability problems in Basic Diagnostic reporting with very strong privacy guarantees. Since Basic Diagnostic reporting does not include system up-time, and since that information is important to ensuring the safe and stable operation of Windows, the data provided by this event provides that data in a manner which does not threaten a user’s privacy. @@ -3469,6 +3538,36 @@ The following fields are available: - **PertProb** The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”. +### WheaProvider.WheaErrorRecord + +No content is currently available. + +The following fields are available: + +- **creatorId** No content is currently available. +- **CreatorId** No content is currently available. +- **errorFlags** No content is currently available. +- **ErrorFlags** No content is currently available. +- **notifyType** No content is currently available. +- **NotifyType** No content is currently available. +- **partitionId** No content is currently available. +- **PartitionId** No content is currently available. +- **platformId** No content is currently available. +- **PlatformId** No content is currently available. +- **record** No content is currently available. +- **Record** No content is currently available. +- **recordId** No content is currently available. +- **RecordId** No content is currently available. +- **sectionFlags** No content is currently available. +- **SectionFlags** No content is currently available. +- **SectionSeverity** No content is currently available. +- **sectionTypes** No content is currently available. +- **SectionTypes** No content is currently available. +- **severityCount** No content is currently available. +- **timeStamp** No content is currently available. +- **TimeStamp** No content is currently available. + + ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted @@ -3512,6 +3611,17 @@ The following fields are available: - **Time** The time the event was fired. +### Microsoft.Windows.Sediment.Info.PhaseChange + +The event indicates progress made by the updater. This information assists in keeping Windows up to date. + +The following fields are available: + +- **NewPhase** The phase of progress made. +- **ReleaseVer** The version information for the component in which the change occurred. +- **Time** The system time at which the phase chance occurred. + + ## Setup events ### SetupPlatformTel.SetupPlatformTelActivityEvent @@ -3828,7 +3938,7 @@ The following fields are available: - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0. - **CSIErrorType** The stage of CBS installation where it failed. - **CurrentMobileOperator** The mobile operator to which the device is currently connected. -- **DeploymentProviderMode** No content is currently available. +- **DeploymentProviderMode** The mode of operation of the update deployment provider. - **DeviceModel** The device model. - **DriverPingBack** Contains information about the previous driver and system state. - **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. @@ -4088,10 +4198,12 @@ The following fields are available: - **PackageCountTotalCanonical** Total number of canonical packages. - **PackageCountTotalDiff** Total number of diff packages. - **PackageCountTotalExpress** Total number of express packages. +- **PackageCountTotalPSFX** No content is currently available. - **PackageExpressType** Type of express package. - **PackageSizeCanonical** Size of canonical packages in bytes. - **PackageSizeDiff** Size of diff packages in bytes. - **PackageSizeExpress** Size of express packages in bytes. +- **PackageSizePSFX** No content is currently available. - **RangeRequestState** Indicates the range request type used. - **RelatedCV** Correlation vector value generated from the latest USO scan. - **Result** Outcome of the download request phase of update. @@ -4106,6 +4218,7 @@ This event collects information regarding the expansion phase of the new Unified The following fields are available: +- **CanonicalRequestedOnError** No content is currently available. - **ElapsedTickCount** Time taken for expand phase. - **EndFreeSpace** Free space after expand phase. - **EndSandboxSize** Sandbox size after expand phase. @@ -4336,7 +4449,7 @@ The following fields are available: - **ResultCode** Result returned by the Facilitator DCAT call. - **Scenario** Dynamic update scenario (Image DU, or Setup DU). - **Type** Type of package that was downloaded. -- **UpdateId** No content is currently available. +- **UpdateId** The ID of the update that was downloaded. ### FacilitatorTelemetry.InitializeDU @@ -4980,9 +5093,9 @@ This event is sent at the beginning of an app install or update to help keep Win The following fields are available: - **CatalogId** The name of the product catalog from which this app was chosen. -- **FulfillmentPluginId** No content is currently available. +- **FulfillmentPluginId** The ID of the plugin needed to install the package type of the product. - **PFN** The Package Family Name of the app that is being installed or updated. -- **PluginTelemetryData** No content is currently available. +- **PluginTelemetryData** Diagnostic information specific to the package-type plug-in. - **ProductId** The product ID of the app that is being updated or installed. @@ -5151,7 +5264,7 @@ The following fields are available: - **bytesFromCDN** The number of bytes received from a CDN source. - **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. - **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. -- **bytesFromLinkLocalPeers** No content is currently available. +- **bytesFromLinkLocalPeers** The number of bytes received from local peers. - **bytesFromLocalCache** Bytes copied over from local (on disk) cache. - **bytesFromPeers** The number of bytes received from a peer in the same LAN. - **bytesRequested** The total number of bytes requested for download. @@ -5181,7 +5294,7 @@ The following fields are available: - **lanConnectionCount** The total number of connections made to peers in the same LAN. - **linkLocalConnectionCount** No content is currently available. - **numPeers** The total number of peers used for this download. -- **numPeersLocal** No content is currently available. +- **numPeersLocal** The total number of local peers used for this download. - **predefinedCallerName** The name of the API Caller. - **restrictedUpload** Is the upload restricted? - **routeToCacheServer** The cache server setting, source, and value. @@ -5228,7 +5341,7 @@ The following fields are available: - **doClientVersion** The version of the Delivery Optimization client. - **doErrorCode** The Delivery Optimization error code that was returned. - **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). -- **downloadModeReason** No content is currently available. +- **downloadModeReason** Reason for the download. - **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). - **errorCode** The error code that was returned. - **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing. @@ -5383,18 +5496,18 @@ The following fields are available: ### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderToast -No content is currently available. +This event indicates that the Enhanced Engaged restart reminder pop-up banner was displayed. The following fields are available: -- **DeviceLocalTime** No content is currently available. -- **ETag** No content is currently available. -- **ExitCode** No content is currently available. -- **RebootVersion** No content is currently available. -- **UpdateId** No content is currently available. -- **UpdateRevision** No content is currently available. -- **UserResponseString** No content is currently available. -- **UtcTime** No content is currently available. +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the pop-up banner. +- **RebootVersion** The version of the reboot logic. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in pop-up banner. +- **UtcTime** The time that the pop-up banner was displayed, in Coordinated Universal Time. ### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy From 52d04855120793db0365d00d11cee4e7f6b9ecd6 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 4 Feb 2019 10:30:35 -0800 Subject: [PATCH 011/492] new build --- ...ndows-diagnostic-events-and-fields-19H1.md | 278 ++++++++++-------- 1 file changed, 153 insertions(+), 125 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md index feff722d43..3c14a15736 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 02/01/2019 +ms.date: 02/04/2019 --- @@ -2168,38 +2168,38 @@ The following fields are available: ### CbsServicingProvider.CbsQualityUpdateInstall -No content is currently available. +This event reports on the performance and reliability results of installing Servicing content from Windows Update to keep Windows up to date. The following fields are available: -- **buildVersion** No content is currently available. -- **clientId** No content is currently available. -- **corruptionHistoryFlags** No content is currently available. -- **corruptionType** No content is currently available. -- **currentStateEnd** No content is currently available. -- **doqTimeSeconds** No content is currently available. -- **executeTimeSeconds** No content is currently available. -- **failureDetails** No content is currently available. -- **failureSourceEnd** No content is currently available. -- **hrStatusEnd** No content is currently available. -- **initiatedOffline** No content is currently available. -- **majorVersion** No content is currently available. -- **minorVersion** No content is currently available. -- **originalState** No content is currently available. -- **overallTimeSeconds** No content is currently available. -- **planTimeSeconds** No content is currently available. -- **poqTimeSeconds** No content is currently available. -- **postRebootTimeSeconds** No content is currently available. -- **preRebootTimeSeconds** No content is currently available. -- **primitiveExecutionContext** No content is currently available. -- **rebootCount** No content is currently available. -- **rebootTimeSeconds** No content is currently available. -- **resolveTimeSeconds** No content is currently available. -- **revisionVersion** No content is currently available. -- **rptTimeSeconds** No content is currently available. -- **shutdownTimeSeconds** No content is currently available. -- **stackRevision** No content is currently available. -- **stageTimeSeconds** No content is currently available. +- **buildVersion** The build version number of the update package. +- **clientId** The name of the application requesting the optional content. +- **corruptionHistoryFlags** A bitmask of the types of component store corruption that have caused update failures on the device. +- **corruptionType** An enumeration listing the type of data corruption responsible for the current update failure. +- **currentStateEnd** The final state of the package after the operation has completed. +- **doqTimeSeconds** The time in seconds spent updating drivers. +- **executeTimeSeconds** The number of seconds required to execute the install. +- **failureDetails** The driver or installer that caused the update to fail. +- **failureSourceEnd** An enumeration indicating at what phase of the update a failure occurred. +- **hrStatusEnd** The return code of the install operation. +- **initiatedOffline** A true or false value indicating whether the package was installed into an offline Windows Imaging Format (WIM) file. +- **majorVersion** The major version number of the update package. +- **minorVersion** The minor version number of the update package. +- **originalState** The starting state of the package. +- **overallTimeSeconds** The time (in seconds) to perform the overall servicing operation. +- **planTimeSeconds** The time in seconds required to plan the update operations. +- **poqTimeSeconds** The time in seconds processing file and registry operations. +- **postRebootTimeSeconds** The time (in seconds) to do startup processing for the update. +- **preRebootTimeSeconds** The time (in seconds) between execution of the installation and the reboot. +- **primitiveExecutionContext** An enumeration indicating at what phase of shutdown or startup the update was installed. +- **rebootCount** The number of reboots required to install the update. +- **rebootTimeSeconds** The time (in seconds) before startup processing begins for the update. +- **resolveTimeSeconds** The time in seconds required to resolve the packages that are part of the update. +- **revisionVersion** The revision version number of the update package. +- **rptTimeSeconds** The time in seconds spent executing installer plugins. +- **shutdownTimeSeconds** The time (in seconds) required to do shutdown processing for the update. +- **stackRevision** The revision number of the servicing stack. +- **stageTimeSeconds** The time (in seconds) required to stage all files that are part of the update. ### CbsServicingProvider.CbsSelectableUpdateChangeV2 @@ -2366,75 +2366,75 @@ The following fields are available: ### Microsoft.Windows.Server.FailoverClusteringCritical.ClusterSummary2 -No content is currently available. +This event returns information about how many resources and of what type are in the server cluster. This data is collected to keep Windows Server safe, secure, and up to date. The data includes information about whether hardware is configured correctly, if the software is patched correctly, and assists in preventing crashes by attributing issues (like fatal errors) to workloads and system configurations. The following fields are available: -- **autoAssignSite** No content is currently available. -- **autoBalancerLevel** No content is currently available. -- **autoBalancerMode** No content is currently available. -- **blockCacheSize** No content is currently available. -- **ClusterAdConfiguration** No content is currently available. -- **clusterAdType** No content is currently available. -- **clusterDumpPolicy** No content is currently available. -- **clusterFunctionalLevel** No content is currently available. -- **clusterGuid** No content is currently available. -- **clusterWitnessType** No content is currently available. -- **countNodesInSite** No content is currently available. -- **crossSiteDelay** No content is currently available. -- **crossSiteThreshold** No content is currently available. -- **crossSubnetDelay** No content is currently available. -- **crossSubnetThreshold** No content is currently available. -- **csvCompatibleFilters** No content is currently available. -- **csvIncompatibleFilters** No content is currently available. -- **csvResourceCount** No content is currently available. -- **currentNodeSite** No content is currently available. -- **dasModeBusType** No content is currently available. -- **downLevelNodeCount** No content is currently available. -- **drainOnShutdown** No content is currently available. -- **dynamicQuorumEnabled** No content is currently available. -- **enforcedAntiAffinity** No content is currently available. -- **genAppNames** No content is currently available. -- **genSvcNames** No content is currently available. -- **hangRecoveryAction** No content is currently available. -- **hangTimeOut** No content is currently available. -- **isCalabria** No content is currently available. -- **isMixedMode** No content is currently available. -- **isRunningDownLevel** No content is currently available. -- **logLevel** No content is currently available. -- **logSize** No content is currently available. -- **lowerQuorumPriorityNodeId** No content is currently available. -- **minNeverPreempt** No content is currently available. -- **minPreemptor** No content is currently available. -- **netftIpsecEnabled** No content is currently available. -- **NodeCount** No content is currently available. -- **nodeId** No content is currently available. -- **nodeResourceCounts** No content is currently available. -- **nodeResourceOnlineCounts** No content is currently available. -- **numberOfSites** No content is currently available. -- **numNodesInNoSite** No content is currently available. -- **plumbAllCrossSubnetRoutes** No content is currently available. -- **preferredSite** No content is currently available. -- **privateCloudWitness** No content is currently available. -- **quarantineDuration** No content is currently available. -- **quarantineThreshold** No content is currently available. -- **quorumArbitrationTimeout** No content is currently available. -- **resiliencyLevel** No content is currently available. -- **resourceCounts** No content is currently available. -- **resourceTypeCounts** No content is currently available. -- **resourceTypes** No content is currently available. -- **resourceTypesPath** No content is currently available. -- **sameSubnetDelay** No content is currently available. -- **sameSubnetThreshold** No content is currently available. -- **secondsInMixedMode** No content is currently available. -- **securityLevel** No content is currently available. -- **securityLevelForStorage** No content is currently available. -- **sharedVolumeBlockCacheSize** No content is currently available. -- **shutdownTimeoutMinutes** No content is currently available. -- **upNodeCount** No content is currently available. -- **useClientAccessNetworksForCsv** No content is currently available. -- **vmIsolationTime** No content is currently available. -- **witnessDatabaseWriteTimeout** No content is currently available. +- **autoAssignSite** The cluster parameter: auto site. +- **autoBalancerLevel** The cluster parameter: auto balancer level. +- **autoBalancerMode** The cluster parameter: auto balancer mode. +- **blockCacheSize** The configured size of the block cache. +- **ClusterAdConfiguration** The ad configuration of the cluster. +- **clusterAdType** The cluster parameter: mgmt_point_type. +- **clusterDumpPolicy** The cluster configured dump policy. +- **clusterFunctionalLevel** The current cluster functional level. +- **clusterGuid** The unique identifier for the cluster. +- **clusterWitnessType** The witness type the cluster is configured for. +- **countNodesInSite** The number of nodes in the cluster. +- **crossSiteDelay** The cluster parameter: CrossSiteDelay. +- **crossSiteThreshold** The cluster parameter: CrossSiteThreshold. +- **crossSubnetDelay** The cluster parameter: CrossSubnetDelay. +- **crossSubnetThreshold** The cluster parameter: CrossSubnetThreshold. +- **csvCompatibleFilters** The cluster parameter: ClusterCsvCompatibleFilters. +- **csvIncompatibleFilters** The cluster parameter: ClusterCsvIncompatibleFilters. +- **csvResourceCount** The number of resources in the cluster. +- **currentNodeSite** The name configured for the current site for the cluster. +- **dasModeBusType** The direct storage bus type of the storage spaces. +- **downLevelNodeCount** The number of nodes in the cluster that are running down-level. +- **drainOnShutdown** Specifies whether a node should be drained when it is shut down. +- **dynamicQuorumEnabled** Specifies whether dynamic Quorum has been enabled. +- **enforcedAntiAffinity** The cluster parameter: enforced anti affinity. +- **genAppNames** The win32 service name of a clustered service. +- **genSvcNames** The command line of a clustered genapp. +- **hangRecoveryAction** The cluster parameter: hang recovery action. +- **hangTimeOut** Specifies the “hang time out” parameter for the cluster. +- **isCalabria** Specifies whether storage spaces direct is enabled. +- **isMixedMode** Identifies if the cluster is running with different version of OS for nodes. +- **isRunningDownLevel** Identifies if the current node is running down-level. +- **logLevel** Specifies the granularity that is logged in the cluster log. +- **logSize** Specifies the size of the cluster log. +- **lowerQuorumPriorityNodeId** The cluster parameter: lower quorum priority node ID. +- **minNeverPreempt** The cluster parameter: minimum never preempt. +- **minPreemptor** The cluster parameter: minimum preemptor priority. +- **netftIpsecEnabled** The parameter: netftIpsecEnabled. +- **NodeCount** The number of nodes in the cluster. +- **nodeId** The current node number in the cluster. +- **nodeResourceCounts** Specifies the number of node resources. +- **nodeResourceOnlineCounts** Specifies the number of node resources that are online. +- **numberOfSites** The number of different sites. +- **numNodesInNoSite** The number of nodes not belonging to a site. +- **plumbAllCrossSubnetRoutes** The cluster parameter: plumb all cross subnet routes. +- **preferredSite** The preferred site location. +- **privateCloudWitness** Specifies whether a private cloud witness exists for this cluster. +- **quarantineDuration** The quarantine duration. +- **quarantineThreshold** The quarantine threshold. +- **quorumArbitrationTimeout** In the event of an arbitration event, this specifies the quorum timeout period. +- **resiliencyLevel** Specifies the level of resiliency. +- **resourceCounts** Specifies the number of resources. +- **resourceTypeCounts** Specifies the number of resource types in the cluster. +- **resourceTypes** Data representative of each resource type. +- **resourceTypesPath** Data representative of the DLL path for each resource type. +- **sameSubnetDelay** The cluster parameter: same subnet delay. +- **sameSubnetThreshold** The cluster parameter: same subnet threshold. +- **secondsInMixedMode** The amount of time (in seconds) that the cluster has been in mixed mode (nodes with different operating system versions in the same cluster). +- **securityLevel** The cluster parameter: security level. +- **securityLevelForStorage** The cluster parameter: security level for storage. +- **sharedVolumeBlockCacheSize** Specifies the block cache size for shared for shared volumes. +- **shutdownTimeoutMinutes** Specifies the amount of time it takes to time out when shutting down. +- **upNodeCount** Specifies the number of nodes that are up (online). +- **useClientAccessNetworksForCsv** The cluster parameter: use client access networks for CSV. +- **vmIsolationTime** The cluster parameter: VM isolation time. +- **witnessDatabaseWriteTimeout** Specifies the timeout period for writing to the quorum witness database. ## Fault Reporting events @@ -3568,6 +3568,32 @@ The following fields are available: - **TimeStamp** No content is currently available. +### wilActivity + +This event provides a Windows Internal Library context used for Product and Service diagnostics. + +The following fields are available: + +- **callContext** The function where the failure occurred. +- **currentContextId** The ID of the current call context where the failure occurred. +- **currentContextMessage** The message of the current call context where the failure occurred. +- **currentContextName** The name of the current call context where the failure occurred. +- **failureCount** The number of failures for this failure ID. +- **failureId** The ID of the failure that occurred. +- **failureType** The type of the failure that occurred. +- **fileName** The file name where the failure occurred. +- **function** The function where the failure occurred. +- **hresult** The HResult of the overall activity. +- **hrspult** No content is currently available. +- **lineNumber** The line number where the failure occurred. +- **message** The message of the failure that occurred. +- **module** The module where the failure occurred. +- **originatingContextId** The ID of the originating call context that resulted in the failure. +- **originatingContextMessage** The message of the originating call context that resulted in the failure. +- **originatingContextName** The name of the originating call context that resulted in the failure. +- **threadId** The ID of the thread on which the activity is executing. + + ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted @@ -3764,7 +3790,7 @@ The following fields are available: - **BundleRevisionNumber** Identifies the revision number of the content bundle - **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client - **ClientVersion** Version number of the software distribution client -- **DeploymentProviderMode** No content is currently available. +- **DeploymentProviderMode** The mode of operation of the update deployment provider. - **DeviceModel** Device model as defined in the system bios - **EventInstanceID** A globally unique identifier for event instance - **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. @@ -3786,10 +3812,10 @@ Download process event for target update on Windows Update client. See the Event The following fields are available: - **ActiveDownloadTime** Number of seconds the update was actively being downloaded. -- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload. +- **AppXBlockHashFailures** No content is currently available. - **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. - **AppXDownloadScope** Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client. -- **AppXScope** Indicates the scope of the app download. +- **AppXScope** No content is currently available. - **BiosFamily** The family of the BIOS (Basic Input Output System). - **BiosName** The name of the device BIOS. - **BiosReleaseDate** The release date of the device BIOS. @@ -3798,18 +3824,18 @@ The following fields are available: - **BiosVersion** The version of the BIOS. - **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. - **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRepeatFailCount** No content is currently available. - **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download. - **BundleRevisionNumber** Identifies the revision number of the content bundle. - **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. - **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download. -- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. +- **CbsMethod** No content is currently available. - **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. - **CDNId** ID which defines which CDN the software distribution client downloaded the content from. - **ClientVersion** The version number of the software distribution client. - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. -- **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. +- **ConnectTime** No content is currently available. - **CurrentMobileOperator** The mobile operator the device is currently connected to. - **DeviceModel** What is the device model. - **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. @@ -3843,7 +3869,7 @@ The following fields are available: - **RegulationReason** The reason that the update is regulated - **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific content has previously failed. +- **RepeatFailCount** No content is currently available. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** The revision number of the specified piece of content. - **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). @@ -4207,6 +4233,7 @@ The following fields are available: - **RangeRequestState** Indicates the range request type used. - **RelatedCV** Correlation vector value generated from the latest USO scan. - **Result** Outcome of the download request phase of update. +- **SandboxTaggedForReserves** No content is currently available. - **ScenarioId** Indicates the update scenario. - **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases). - **UpdateId** Unique ID for each update. @@ -5282,6 +5309,7 @@ The following fields are available: - **downloadModeReason** Reason for the download. - **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). - **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **expiresAt** No content is currently available. - **fileID** The ID of the file being downloaded. - **fileSize** The size of the file being downloaded. - **gCurMemoryStreamBytes** Current usage for memory streaming. @@ -5630,7 +5658,7 @@ The following fields are available: - **EventPublishedTime** Time when this event was generated. - **flightID** The specific ID of the Windows Insider build. -- **inapplicableReason** No content is currently available. +- **inapplicableReason** The reason why the update is inapplicable. - **revisionNumber** Update revision number. - **updateId** Unique Windows Update ID. - **updateScenarioType** Update session type. @@ -6037,12 +6065,12 @@ No content is currently available. ### Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment -No content is currently available. +This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending. The following fields are available: -- **FinalAdjustment** No content is currently available. -- **InitialAdjustment** No content is currently available. +- **FinalAdjustment** Final adjustment for the hard reserve following the addition or removal of optional content. +- **InitialAdjustment** Initial intended adjustment for the hard reserve following the addition or removal of optional content. ### Microsoft.Windows.UpdateReserveManager.EndScenario @@ -6061,15 +6089,15 @@ The following fields are available: ### Microsoft.Windows.UpdateReserveManager.FunctionReturnedError -No content is currently available. +This event is sent when the Update Reserve Manager returns an error from one of its internal functions. The following fields are available: -- **FailedExpression** No content is currently available. -- **FailedFile** No content is currently available. -- **FailedFunction** No content is currently available. -- **FailedLine** No content is currently available. -- **ReturnCode** No content is currently available. +- **FailedExpression** The failed expression that was returned. +- **FailedFile** The binary file that contained the failed function. +- **FailedFunction** The name of the function that originated the failure. +- **FailedLine** The line number of the failure. +- **ReturnCode** The return code of the function. ### Microsoft.Windows.UpdateReserveManager.InitializeReserves @@ -6105,22 +6133,22 @@ This event returns data about the Update Reserve Manager, including whether it The following fields are available: -- **ClientId** No content is currently available. -- **Flags** No content is currently available. -- **FlightId** No content is currently available. -- **Offline** No content is currently available. -- **PolicyPassed** No content is currently available. -- **ReturnCode** No content is currently available. +- **ClientId** The ID of the caller application. +- **Flags** The enumerated flags used to initialize the manager. +- **FlightId** The flight ID of the content the calling client is currently operating with. +- **Offline** Indicates whether or the reserve manager is called during offline operations. +- **PolicyPassed** Indicates whether the machine is able to use reserves. +- **ReturnCode** Return code of the operation. - **Version** No content is currently available. ### Microsoft.Windows.UpdateReserveManager.PrepareTIForReserveInitialization -No content is currently available. +This event is sent when the Update Reserve Manager prepares the Trusted Installer to initialize reserves on the next boot. The following fields are available: -- **Flags** No content is currently available. +- **Flags** The flags that are passed to the function to prepare the Trusted Installer for reserve initialization. ### Microsoft.Windows.UpdateReserveManager.ReevaluatePolicy @@ -6136,7 +6164,7 @@ The following fields are available: ### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment -No content is currently available. +This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment. @@ -6155,9 +6183,9 @@ No content is currently available. The following fields are available: -- **ChangeSize** No content is currently available. -- **PendingHardReserveAdjustment** No content is currently available. -- **UpdateType** No content is currently available. +- **ChangeSize** The change in the hard reserve size based on the addition or removal of optional content. +- **PendingHardReserveAdjustment** The final change to the hard reserve size. +- **UpdateType** Indicates whether the change is an increase or decrease in the size of the hard reserve. ## Winlogon events From 7fba077da2a1231a84cd1f7df3eb213dafe58a1c Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 5 Feb 2019 08:44:22 -0800 Subject: [PATCH 012/492] new build --- ...ndows-diagnostic-events-and-fields-19H1.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md index 3c14a15736..84c660017a 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 02/04/2019 +ms.date: 02/05/2019 --- @@ -3812,10 +3812,10 @@ Download process event for target update on Windows Update client. See the Event The following fields are available: - **ActiveDownloadTime** Number of seconds the update was actively being downloaded. -- **AppXBlockHashFailures** No content is currently available. +- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload. - **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. - **AppXDownloadScope** Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client. -- **AppXScope** No content is currently available. +- **AppXScope** Indicates the scope of the app download. - **BiosFamily** The family of the BIOS (Basic Input Output System). - **BiosName** The name of the device BIOS. - **BiosReleaseDate** The release date of the device BIOS. @@ -3824,18 +3824,18 @@ The following fields are available: - **BiosVersion** The version of the BIOS. - **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. - **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** No content is currently available. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. - **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download. - **BundleRevisionNumber** Identifies the revision number of the content bundle. - **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. - **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download. -- **CbsMethod** No content is currently available. +- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. - **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. - **CDNId** ID which defines which CDN the software distribution client downloaded the content from. - **ClientVersion** The version number of the software distribution client. - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. -- **ConnectTime** No content is currently available. +- **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. - **CurrentMobileOperator** The mobile operator the device is currently connected to. - **DeviceModel** What is the device model. - **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. @@ -3869,7 +3869,7 @@ The following fields are available: - **RegulationReason** The reason that the update is regulated - **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **RepeatFailCount** No content is currently available. +- **RepeatFailCount** Indicates whether this specific content has previously failed. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** The revision number of the specified piece of content. - **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). @@ -4233,7 +4233,7 @@ The following fields are available: - **RangeRequestState** Indicates the range request type used. - **RelatedCV** Correlation vector value generated from the latest USO scan. - **Result** Outcome of the download request phase of update. -- **SandboxTaggedForReserves** No content is currently available. +- **SandboxTaggedForReserves** The sandbox for reserves. - **ScenarioId** Indicates the update scenario. - **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases). - **UpdateId** Unique ID for each update. @@ -6139,7 +6139,7 @@ The following fields are available: - **Offline** Indicates whether or the reserve manager is called during offline operations. - **PolicyPassed** Indicates whether the machine is able to use reserves. - **ReturnCode** Return code of the operation. -- **Version** No content is currently available. +- **Version** The version of the Update Reserve Manager. ### Microsoft.Windows.UpdateReserveManager.PrepareTIForReserveInitialization @@ -6179,7 +6179,7 @@ The following fields are available: ### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment -No content is currently available. +This event is sent when the Update Reserve Manager needs to adjust the size of the hard reserve after the option content is installed. The following fields are available: From 42fc5689fb6b83944eb5facbe9717f16e6bde48e Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 6 Feb 2019 08:39:31 -0800 Subject: [PATCH 013/492] new build --- ...ndows-diagnostic-events-and-fields-19H1.md | 496 ++++++++++++------ 1 file changed, 337 insertions(+), 159 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md index 84c660017a..77792963db 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 02/05/2019 +ms.date: 02/06/2019 --- @@ -81,6 +81,16 @@ The following fields are available: - **txId** The unique identifier for the current CSP transaction. +### Microsoft.Windows.Security.AppLockerCSP.CAppLockerCSP::Rollback + +Result of the 'Rollback' operation in AppLockerCSP. + +The following fields are available: + +- **oldId** Previous id for the CSP transaction. +- **txId** Current id for the CSP transaction. + + ### Microsoft.Windows.Security.AppLockerCSP.ClearParams Parameters passed to the "Clear" operation for AppLockerCSP. @@ -90,6 +100,21 @@ The following fields are available: - **uri** The URI relative to the %SYSTEM32%\AppLocker folder. +### Microsoft.Windows.Security.AppLockerCSP.ClearStart + +Start of the "Clear" operation for the AppLockerCSP Node. + + + +### Microsoft.Windows.Security.AppLockerCSP.ClearStop + +End of the "Clear" operation for the AppLockerCSP node. + +The following fields are available: + +- **hr** HRESULT reported at the end of the 'Clear' function. + + ### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStart Start of the "ConfigManagerNotification" operation for AppLockerCSP. @@ -144,6 +169,21 @@ The following fields are available: - **uri** URI relative to %SYSTEM32%\AppLocker. +### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStart + +Start of the "DeleteChild" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStop + +End of the "DeleteChild" operation for the AppLockerCSP node. + +The following fields are available: + +- **hr** HRESULT returned by the DeleteChild function in AppLockerCSP. + + ### Microsoft.Windows.Security.AppLockerCSP.EnumPolicies Logged URI relative to %SYSTEM32%\AppLocker, if the Plugin GUID is null, or the CSP doesn't believe the old policy is present. @@ -2239,6 +2279,43 @@ The following fields are available: ## Diagnostic data events +### TelClientSynthetic.AuthorizationInfo_RuntimeTransition + +This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. + +The following fields are available: + +- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. +- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. +- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. +- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. +- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. +- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **PreviousPermissions** Bitmask of previous telemetry state. +- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. + + +### TelClientSynthetic.AuthorizationInfo_Startup + +Fired by UTC at startup to signal what data we are allowed to collect. + +The following fields are available: + +- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. +- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. +- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. +- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. +- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. +- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. +- **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **PreviousPermissions** Bitmask of previous telemetry state. +- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. + + ### TelClientSynthetic.ConnectivityHeartBeat_0 This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. @@ -2254,6 +2331,22 @@ The following fields are available: - **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds. +### TelClientSynthetic.EventMonitor_0 + +No content is currently available. + +The following fields are available: + +- **ConsumerCount** No content is currently available. +- **EventName** No content is currently available. +- **EventSnFirst** No content is currently available. +- **EventSnLast** No content is currently available. +- **EventStoreCount** No content is currently available. +- **MonitorSn** No content is currently available. +- **TriggerCount** No content is currently available. +- **UploadedCount** No content is currently available. + + ### TelClientSynthetic.HeartBeat_5 This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. @@ -2558,7 +2651,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: - **CatalogSigners** Signers from catalog. Each signer starts with Chain. -- **DigestAlgorithm** No content is currently available. +- **DigestAlgorithm** The pseudonymizing (hashing) algorithm used when the file or package was signed. - **DriverPackageStrongName** Optional. Available only if FileSigningInfo is collected on a driver package. - **EmbeddedSigners** Embedded signers. Each signer starts with Chain. - **FileName** The file name of the file whose signatures are listed. @@ -2702,7 +2795,6 @@ The following fields are available: - **Categories** A comma separated list of functional categories in which the container belongs. - **DiscoveryMethod** The discovery method for the device container. - **FriendlyName** The name of the device container. -- **Icon** No content is currently available. - **InventoryVersion** The version of the inventory file generating the events. - **IsActive** Is the device connected, or has it been seen in the last 14 days? - **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link. @@ -3354,7 +3446,7 @@ The following fields are available: ### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorEndSync -No content is currently available. +This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events has been sent. This data helps ensure the device is up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -3380,7 +3472,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic ### Microsoft.Windows.IoT.Client.CEPAL.MonitorStarted -No content is currently available. +This event identifies Windows Internet of Things (IoT) devices which are running the CE PAL subsystem by sending data during CE PAL startup. @@ -3430,77 +3522,164 @@ The following fields are available: ### Microsoft.Windows.Cast.Miracast.MiracastSessionEnd +This event sends data at the end of a Miracast session that helps determine RTSP related Miracast failures along with some statistics about the session + +The following fields are available: + +- **AudioChannelCount** The number of audio channels. +- **AudioSampleRate** The sample rate of audio in terms of samples per second. +- **AudioSubtype** The unique subtype identifier of the audio codec (encoding method) used for audio encoding. +- **AverageBitrate** The average video bitrate used during the Miracast session, in bits per second. +- **AverageDataRate** The average available bandwidth reported by the WiFi driver during the Miracast session, in bits per second. +- **AveragePacketSendTimeInMs** The average time required for the network to send a sample, in milliseconds. +- **ConnectorType** The type of connector used during the Miracast session. +- **EncodeAverageTimeMS** The average time to encode a frame of video, in milliseconds. +- **EncodeCount** The count of total frames encoded in the session. +- **EncodeMaxTimeMS** The maximum time to encode a frame, in milliseconds. +- **EncodeMinTimeMS** The minimum time to encode a frame, in milliseconds. +- **EncoderCreationTimeInMs** The time required to create the video encoder, in milliseconds. +- **ErrorSource** Identifies the component that encountered an error that caused a disconnect, if applicable. +- **FirstFrameTime** The time (tick count) when the first frame is sent. +- **FirstLatencyMode** The first latency mode. +- **FrameAverageTimeMS** Average time to process an entire frame, in milliseconds. +- **FrameCount** The total number of frames processed. +- **FrameMaxTimeMS** The maximum time required to process an entire frame, in milliseconds. +- **FrameMinTimeMS** The minimum time required to process an entire frame, in milliseconds. +- **Glitches** The number of frames that failed to be delivered on time. +- **HardwareCursorEnabled** Indicates if hardware cursor was enabled when the connection ended. +- **HDCPState** The state of HDCP (High-bandwidth Digital Content Protection) when the connection ended. +- **HighestBitrate** The highest video bitrate used during the Miracast session, in bits per second. +- **HighestDataRate** The highest available bandwidth reported by the WiFi driver, in bits per second. +- **LastLatencyMode** The last reported latency mode. +- **LogTimeReference** The reference time, in tick counts. +- **LowestBitrate** The lowest video bitrate used during the Miracast session, in bits per second. +- **LowestDataRate** The lowest video bitrate used during the Miracast session, in bits per second. +- **MediaErrorCode** The error code reported by the media session, if applicable. +- **MiracastEntry** The time (tick count) when the Miracast driver was first loaded. +- **MiracastM1** The time (tick count) when the M1 request was sent. +- **MiracastM2** The time (tick count) when the M2 request was sent. +- **MiracastM3** The time (tick count) when the M3 request was sent. +- **MiracastM4** The time (tick count) when the M4 request was sent. +- **MiracastM5** The time (tick count) when the M5 request was sent. +- **MiracastM6** The time (tick count) when the M6 request was sent. +- **MiracastM7** The time (tick count) when the M7 request was sent. +- **MiracastSessionState** The state of the Miracast session when the connection ended. +- **MiracastStreaming** The time (tick count) when the Miracast session first started processing frames. +- **ProfileCount** The count of profiles generated from the receiver M4 response. +- **ProfileCountAfterFiltering** The count of profiles after filtering based on available bandwidth and encoder capabilities. +- **RefreshRate** The refresh rate set on the remote display. +- **RotationSupported** Indicates if the Miracast receiver supports display rotation. +- **RTSPSessionId** The unique identifier of the RTSP session. This matches the RTSP session ID for the receiver for the same session. +- **SessionGuid** The unique identifier of to correlate various Miracast events from a session. +- **SinkHadEdid** Indicates if the Miracast receiver reported an EDID. +- **SupportMicrosoftColorSpaceConversion** Indicates whether the Microsoft color space conversion for extra color fidelity is supported by the receiver. +- **SupportsMicrosoftDiagnostics** Indicates whether the Miracast receiver supports the Microsoft Diagnostics Miracast extension. +- **SupportsMicrosoftFormatChange** Indicates whether the Miracast receiver supports the Microsoft Format Change Miracast extension. +- **SupportsMicrosoftLatencyManagement** Indicates whether the Miracast receiver supports the Microsoft Latency Management Miracast extension. +- **SupportsMicrosoftRTCP** Indicates whether the Miracast receiver supports the Microsoft RTCP Miracast extension. +- **SupportsMicrosoftVideoFormats** Indicates whether the Miracast receiver supports Microsoft video format for 3:2 resolution. +- **SupportsWiDi** Indicates whether Miracast receiver supports Intel WiDi extensions. +- **TeardownErrorCode** The error code reason for teardown provided by the receiver, if applicable. +- **TeardownErrorReason** The text string reason for teardown provided by the receiver, if applicable. +- **UIBCEndState** Indicates whether UIBC was enabled when the connection ended. +- **UIBCEverEnabled** Indicates whether UIBC was ever enabled. +- **UIBCStatus** The result code reported by the UIBC setup process. +- **VideoBitrate** The starting bitrate for the video encoder. +- **VideoCodecLevel** The encoding level used for encoding, specific to the video subtype. +- **VideoHeight** The height of encoded video frames. +- **VideoSubtype** The unique subtype identifier of the video codec (encoding method) used for video encoding. +- **VideoWidth** The width of encoded video frames. +- **WFD2Supported** Indicates if the Miracast receiver supports WFD2 protocol. + + +## Other events + +### Microsoft.Windows.SysReset.FlightUninstallCancel + +No content is currently available. + + + +### Microsoft.Windows.SysReset.FlightUninstallError + No content is currently available. The following fields are available: -- **AudioChannelCount** No content is currently available. -- **AudioSampleRate** No content is currently available. -- **AudioSubtype** No content is currently available. -- **AverageBitrate** No content is currently available. -- **AverageDataRate** No content is currently available. -- **AveragePacketSendTimeInMs** No content is currently available. -- **ConnectorType** No content is currently available. -- **EncodeAverageTimeMS** No content is currently available. -- **EncodeCount** No content is currently available. -- **EncodeMaxTimeMS** No content is currently available. -- **EncodeMinTimeMS** No content is currently available. -- **EncoderCreationTimeInMs** No content is currently available. -- **ErrorSource** No content is currently available. -- **FirstFrameTime** No content is currently available. -- **FirstLatencyMode** No content is currently available. -- **FrameAverageTimeMS** No content is currently available. -- **FrameCount** No content is currently available. -- **FrameMaxTimeMS** No content is currently available. -- **FrameMinTimeMS** No content is currently available. -- **Glitches** No content is currently available. -- **HardwareCursorEnabled** No content is currently available. -- **HDCPState** No content is currently available. -- **HighestBitrate** No content is currently available. -- **HighestDataRate** No content is currently available. -- **LastLatencyMode** No content is currently available. -- **LogTimeReference** No content is currently available. -- **LowestBitrate** No content is currently available. -- **LowestDataRate** No content is currently available. -- **MediaErrorCode** No content is currently available. -- **MiracastEntry** No content is currently available. -- **MiracastM1** No content is currently available. -- **MiracastM2** No content is currently available. -- **MiracastM3** No content is currently available. -- **MiracastM4** No content is currently available. -- **MiracastM5** No content is currently available. -- **MiracastM6** No content is currently available. -- **MiracastM7** No content is currently available. -- **MiracastSessionState** No content is currently available. -- **MiracastStreaming** No content is currently available. -- **ProfileCount** No content is currently available. -- **ProfileCountAfterFiltering** No content is currently available. -- **RefreshRate** No content is currently available. -- **RotationSupported** No content is currently available. -- **RTSPSessionId** No content is currently available. -- **SessionGuid** No content is currently available. -- **SinkHadEdid** No content is currently available. -- **SupportMicrosoftColorSpaceConversion** No content is currently available. -- **SupportsMicrosoftDiagnostics** No content is currently available. -- **SupportsMicrosoftFormatChange** No content is currently available. -- **SupportsMicrosoftLatencyManagement** No content is currently available. -- **SupportsMicrosoftRTCP** No content is currently available. -- **SupportsMicrosoftVideoFormats** No content is currently available. -- **SupportsWiDi** No content is currently available. -- **TeardownErrorCode** No content is currently available. -- **TeardownErrorReason** No content is currently available. -- **UIBCEndState** No content is currently available. -- **UIBCEverEnabled** No content is currently available. -- **UIBCStatus** No content is currently available. -- **VideoBitrate** No content is currently available. -- **VideoCodecLevel** No content is currently available. -- **VideoHeight** No content is currently available. -- **VideoSubtype** No content is currently available. -- **VideoWidth** No content is currently available. -- **WFD2Supported** No content is currently available. +- **ErrorCode** No content is currently available. -## Other events +### Microsoft.Windows.SysReset.FlightUninstallReboot + +No content is currently available. + + + +### Microsoft.Windows.SysReset.FlightUninstallStart + +No content is currently available. + + + +### Microsoft.Windows.SysReset.FlightUninstallUnavailable + +No content is currently available. + +The following fields are available: + +- **AddedProfiles** No content is currently available. +- **MissingExternalStorage** No content is currently available. +- **MissingInfra** No content is currently available. +- **MovedProfiles** No content is currently available. + + +### Microsoft.Windows.SysReset.HasPendingActions + +No content is currently available. + + + +### Microsoft.Windows.SysReset.PBREngineInitFailed + +No content is currently available. + +The following fields are available: + +- **Operation** No content is currently available. + + +### Microsoft.Windows.SysReset.PBREngineInitSucceed + +No content is currently available. + +The following fields are available: + +- **Operation** No content is currently available. + + +### Microsoft.Windows.SysReset.PBRFailedOffline + +No content is currently available. + +The following fields are available: + +- **HRESULT** No content is currently available. +- **PBRType** No content is currently available. +- **SessionID** No content is currently available. + + +### Microsoft.Xbox.XamTelemetry.AppActivationError + +This event indicates whether the system detected an activation error in the app. + +The following fields are available: + +- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app. +- **AppId** The Xbox LIVE Title ID. +- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate. +- **Result** The HResult error. +- **UserId** The Xbox LIVE User ID (XUID). + ### Microsoft.Xbox.XamTelemetry.AppActivity @@ -3540,32 +3719,32 @@ The following fields are available: ### WheaProvider.WheaErrorRecord -No content is currently available. +This event collects data about common platform hardware error recorded by the Windows Hardware Error Architecture (WHEA) mechanism. The following fields are available: -- **creatorId** No content is currently available. -- **CreatorId** No content is currently available. -- **errorFlags** No content is currently available. -- **ErrorFlags** No content is currently available. -- **notifyType** No content is currently available. -- **NotifyType** No content is currently available. -- **partitionId** No content is currently available. -- **PartitionId** No content is currently available. -- **platformId** No content is currently available. -- **PlatformId** No content is currently available. -- **record** No content is currently available. -- **Record** No content is currently available. -- **recordId** No content is currently available. -- **RecordId** No content is currently available. -- **sectionFlags** No content is currently available. -- **SectionFlags** No content is currently available. -- **SectionSeverity** No content is currently available. -- **sectionTypes** No content is currently available. -- **SectionTypes** No content is currently available. -- **severityCount** No content is currently available. -- **timeStamp** No content is currently available. -- **TimeStamp** No content is currently available. +- **creatorId** The unique identifier for the entity that created the error record. +- **CreatorId** The unique identifier for the entity that created the error record. +- **errorFlags** Any flags set on the error record. +- **ErrorFlags** Any flags set on the error record. +- **notifyType** The unique identifier for the notification mechanism which reported the error to the operating system. +- **NotifyType** The unique identifier for the notification mechanism which reported the error to the operating system. +- **partitionId** The unique identifier for the partition on which the hardware error occurred. +- **PartitionId** The unique identifier for the partition on which the hardware error occurred. +- **platformId** The unique identifier for the platform on which the hardware error occurred. +- **PlatformId** The unique identifier for the platform on which the hardware error occurred. +- **record** A collection of binary data containing the full error record. +- **Record** A collection of binary data containing the full error record. +- **recordId** The identifier of the error record. +- **RecordId** The identifier of the error record. +- **sectionFlags** The flags for each section recorded in the error record. +- **SectionFlags** The flags for each section recorded in the error record. +- **SectionSeverity** The severity of each individual section. +- **sectionTypes** The unique identifier that represents the type of sections contained in the error record. +- **SectionTypes** The unique identifier that represents the type of sections contained in the error record. +- **severityCount** The severity of each individual section. +- **timeStamp** The error time stamp as recorded in the error record. +- **TimeStamp** The error time stamp as recorded in the error record. ### wilActivity @@ -3584,7 +3763,6 @@ The following fields are available: - **fileName** The file name where the failure occurred. - **function** The function where the failure occurred. - **hresult** The HResult of the overall activity. -- **hrspult** No content is currently available. - **lineNumber** The line number where the failure occurred. - **message** The message of the failure that occurred. - **module** The module where the failure occurred. @@ -4028,7 +4206,7 @@ The following fields are available: - **ClientVersion** Version number of the software distribution client. - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. - **CSIErrorType** Stage of CBS installation that failed. -- **DeploymentProviderMode** No content is currently available. +- **DeploymentProviderMode** The mode of operation of the update deployment provider. - **DriverPingBack** Contains information about the previous driver and system state. - **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. - **EventInstanceID** A globally unique identifier for event instance. @@ -4072,7 +4250,7 @@ The following fields are available: - **CmdLineArgs** Command line arguments passed in by the caller. - **EventInstanceID** A globally unique identifier for the event instance. - **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). -- **Mode** No content is currently available. +- **Mode** Indicates the mode that has started. - **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **WUDeviceID** Unique device ID controlled by the software distribution client. @@ -4090,7 +4268,7 @@ The following fields are available: - **CallerApplicationName** Name of the application making the Windows Update request. Used to identify context of request. - **ClientVersion** Version number of the software distribution client. - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **DeploymentProviderMode** No content is currently available. +- **DeploymentProviderMode** The mode of operation of the Update Deployment Provider. - **DriverPingBack** Contains information about the previous driver and system state. - **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers when a recovery is required. - **EventInstanceID** A globally unique identifier for event instance. @@ -4792,20 +4970,20 @@ Result of the WaaSMedic operation. The following fields are available: - **callerApplication** The name of the calling application. -- **capsuleCount** No content is currently available. -- **capsuleFailureCount** No content is currently available. +- **capsuleCount** The number of Sediment Pack capsules. +- **capsuleFailureCount** The number of capsule failures. - **detectionSummary** Result of each applicable detection that was run. - **featureAssessmentImpact** WaaS Assessment impact for feature updates. -- **hrEngineBlockReason** No content is currently available. +- **hrEngineBlockReason** Indicates the reason for stopping WaaSMedic. - **hrEngineResult** Error code from the engine operation. -- **hrLastSandboxError** No content is currently available. -- **initSummary** No content is currently available. +- **hrLastSandboxError** The last error sent by the WaaSMedic sandbox. +- **initSummary** Summary data of the initialization method. - **isInteractiveMode** The user started a run of WaaSMedic. - **isManaged** Device is managed for updates. - **isWUConnected** Device is connected to Windows Update. - **noMoreActions** No more applicable diagnostics. -- **pluginFailureCount** No content is currently available. -- **pluginsCount** No content is currently available. +- **pluginFailureCount** The number of plugins that have failed. +- **pluginsCount** The number of plugins. - **qualityAssessmentImpact** WaaS Assessment impact for quality updates. - **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on. - **usingBackupFeatureAssessment** Relying on backup feature assessment. @@ -5220,19 +5398,19 @@ The following fields are available: ### Microsoft.Windows.StoreAgent.Telemetry.StateTransition -No content is currently available. +Products in the process of being fulfilled (installed or updated) are maintained in a list. This event is sent any time there is a change in a product's fulfillment status (pending, working, paused, cancelled, or complete), to help keep Windows up to date and secure. The following fields are available: -- **CatalogId** No content is currently available. -- **FulfillmentPluginId** No content is currently available. -- **HResult** No content is currently available. -- **NewState** No content is currently available. -- **PFN** No content is currently available. -- **PluginLastStage** No content is currently available. -- **PluginTelemetryData** No content is currently available. -- **Prevstate** No content is currently available. -- **ProductId** No content is currently available. +- **CatalogId** The ID for the product being installed if the product is from a private catalog, such as the Enterprise catalog. +- **FulfillmentPluginId** The ID of the plugin needed to install the package type of the product. +- **HResult** The resulting HResult error/success code of this operation. +- **NewState** The current fulfillment state of this product. +- **PFN** The Package Family Name of the app that is being installed or updated. +- **PluginLastStage** The most recent product fulfillment step that the plug-in has reported (different than its state). +- **PluginTelemetryData** Diagnostic information specific to the package-type plug-in. +- **Prevstate** The previous fulfillment state of this product. +- **ProductId** Product ID of the app that is being updated or installed. ### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest @@ -5257,7 +5435,7 @@ The following fields are available: - **bytesFromCDN** The number of bytes received from a CDN source. - **bytesFromGroupPeers** The number of bytes received from a peer in the same group. - **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group. -- **bytesFromLinkLocalPeers** No content is currently available. +- **bytesFromLinkLocalPeers** The number of bytes received from local peers. - **bytesFromLocalCache** Bytes copied over from local (on disk) cache. - **bytesFromPeers** The number of bytes received from a peer in the same LAN. - **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. @@ -5461,7 +5639,7 @@ This event indicates that the Enhanced Engaged restart "accept automatically" di The following fields are available: - **DeviceLocalTime** The local time on the device sending the event. -- **EnterpriseAttributionValue** No content is currently available. +- **EnterpriseAttributionValue** Indicates whether the Enterprise attribution is on in this dialog box. - **ETag** OneSettings versioning value. - **ExitCode** Indicates how users exited the dialog box. - **RebootVersion** Version of DTE. @@ -5478,7 +5656,7 @@ This event indicates that the Enhanced Engaged restart "restart failed" dialog b The following fields are available: - **DeviceLocalTime** The local time of the device sending the event. -- **EnterpriseAttributionValue** No content is currently available. +- **EnterpriseAttributionValue** Indicates whether the Enterprise attribution is on in this dialog box. - **ETag** OneSettings versioning value. - **ExitCode** Indicates how users exited the dialog box. - **RebootVersion** Version of DTE. @@ -5495,7 +5673,7 @@ This event indicates that the Enhanced Engaged restart "restart imminent" dialog The following fields are available: - **DeviceLocalTime** Time the dialog box was shown on the local device. -- **EnterpriseAttributionValue** No content is currently available. +- **EnterpriseAttributionValue** Indicates whether the Enterprise attribution is on in this dialog box. - **ETag** OneSettings versioning value. - **ExitCode** Indicates how users exited the dialog box. - **RebootVersion** Version of DTE. @@ -6045,21 +6223,21 @@ The following fields are available: ### Microsoft.Windows.UpdateReserveManager.BeginScenario -No content is currently available. +This event is sent when the Update Reserve Manager is called to begin a scenario. The following fields are available: -- **Flags** No content is currently available. -- **HardReserveSize** No content is currently available. -- **HardReserveUsedSpace** No content is currently available. -- **OwningScenarioId** No content is currently available. -- **ReturnCode** No content is currently available. -- **ScenarioId** No content is currently available. +- **Flags** The flags that are passed to the begin scenario function. +- **HardReserveSize** The size of the hard reserve. +- **HardReserveUsedSpace** The used space in the hard reserve. +- **OwningScenarioId** The scenario ID the client that called the begin scenario function. +- **ReturnCode** The return code for the begin scenario operation. +- **ScenarioId** The scenario ID that is internal to the reserve manager. ### Microsoft.Windows.UpdateReserveManager.ClearSoftReserve -No content is currently available. +This event is sent when the Update Reserve Manager clears the contents of the soft reserve. @@ -6075,16 +6253,16 @@ The following fields are available: ### Microsoft.Windows.UpdateReserveManager.EndScenario -No content is currently available. +This event is sent when the Update Reserve Manager ends an active scenario. The following fields are available: -- **ActiveScenario** No content is currently available. -- **Flags** No content is currently available. -- **HardReserveSize** No content is currently available. -- **HardReserveUsedSpace** No content is currently available. -- **ReturnCode** No content is currently available. -- **ScenarioId** No content is currently available. +- **ActiveScenario** The current active scenario. +- **Flags** The flags passed to the end scenario call. +- **HardReserveSize** The size of the hard reserve when the end scenario is called. +- **HardReserveUsedSpace** The used space in the hard reserve when the end scenario is called. +- **ReturnCode** The return code of this operation. +- **ScenarioId** The ID of the internal reserve manager scenario. ### Microsoft.Windows.UpdateReserveManager.FunctionReturnedError @@ -6102,29 +6280,29 @@ The following fields are available: ### Microsoft.Windows.UpdateReserveManager.InitializeReserves -No content is currently available. +This event is sent when reserves are initialized on the device. The following fields are available: -- **FallbackInitUsed** No content is currently available. -- **Flags** No content is currently available. -- **HardReserveFinalSize** No content is currently available. -- **HardReserveFinalUsedSpace** No content is currently available. -- **HardReserveInitialSize** No content is currently available. -- **HardReserveInitialUsedSpace** No content is currently available. -- **HardReserveTargetSize** No content is currently available. -- **InitialUserFreeSpace** No content is currently available. -- **PostUpgradeFreeSpace** No content is currently available. -- **SoftReserveFinalSize** No content is currently available. -- **SoftReserveFinalUsedSpace** No content is currently available. -- **SoftReserveInitialSize** No content is currently available. -- **SoftReserveInitialUsedSpace** No content is currently available. -- **SoftReserveTargetSize** No content is currently available. -- **TargetUserFreeSpace** No content is currently available. -- **UpdateScratchFinalUsedSpace** No content is currently available. -- **UpdateScratchInitialUsedSpace** No content is currently available. -- **UpdateScratchReserveFinalSize** No content is currently available. -- **UpdateScratchReserveInitialSize** No content is currently available. +- **FallbackInitUsed** Indicates whether fallback initialization is used. +- **Flags** The flags used in the initialization of Update Reserve Manager. +- **HardReserveFinalSize** The final size of the hard reserve. +- **HardReserveFinalUsedSpace** The used space in the hard reserve. +- **HardReserveInitialSize** The size of the hard reserve after initialization. +- **HardReserveInitialUsedSpace** The utilization of the hard reserve after initialization. +- **HardReserveTargetSize** The target size that was set for the hard reserve. +- **InitialUserFreeSpace** The user free space during initialization. +- **PostUpgradeFreeSpace** The free space value passed into the Update Reserve Manager to determine reserve sizing post upgrade. +- **SoftReserveFinalSize** The final size of the soft reserve. +- **SoftReserveFinalUsedSpace** The used space in the soft reserve. +- **SoftReserveInitialSize** The soft reserve size after initialization. +- **SoftReserveInitialUsedSpace** The utilization of the soft reserve after initialization. +- **SoftReserveTargetSize** The target size that was set for the soft reserve. +- **TargetUserFreeSpace** The target user free space that was passed into the reserve manager to determine reserve sizing post upgrade. +- **UpdateScratchFinalUsedSpace** The used space in the scratch reserve. +- **UpdateScratchInitialUsedSpace** The utilization of the scratch reserve after initialization. +- **UpdateScratchReserveFinalSize** The utilization of the scratch reserve after initialization. +- **UpdateScratchReserveInitialSize** The size of the scratch reserve after initialization. ### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager @@ -6153,13 +6331,13 @@ The following fields are available: ### Microsoft.Windows.UpdateReserveManager.ReevaluatePolicy -No content is currently available. +This event is sent when the Update Reserve Manager reevaluates policy to determine reserve usage. The following fields are available: -- **PolicyChanged** No content is currently available. -- **PolicyFailedEnum** No content is currently available. -- **PolicyPassed** No content is currently available. +- **PolicyChanged** Indicates whether the policy has changed. +- **PolicyFailedEnum** The reason why the policy failed. +- **PolicyPassed** Indicates whether the policy passed. ### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment @@ -6170,11 +6348,11 @@ This event is sent when the Update Reserve Manager removes a pending hard reserv ### Microsoft.Windows.UpdateReserveManager.TurnOffReserves -No content is currently available. +This event is sent when the Update Reserve Manager turns off reserve functionality for certain operations. The following fields are available: -- **Flags** No content is currently available. +- **Flags** Flags used in the turn off reserves function. ### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment From 20958845fe3656864c6472fd8c9f7838b9a8d7b9 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 7 Feb 2019 08:37:17 -0800 Subject: [PATCH 014/492] new build --- ...ndows-diagnostic-events-and-fields-19H1.md | 68 +++++++++---------- 1 file changed, 34 insertions(+), 34 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md index 77792963db..6dc649099d 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 02/06/2019 +ms.date: 02/07/2019 --- @@ -2333,18 +2333,18 @@ The following fields are available: ### TelClientSynthetic.EventMonitor_0 -No content is currently available. +This event provides statistics for specific diagnostic events. The following fields are available: -- **ConsumerCount** No content is currently available. -- **EventName** No content is currently available. -- **EventSnFirst** No content is currently available. -- **EventSnLast** No content is currently available. -- **EventStoreCount** No content is currently available. -- **MonitorSn** No content is currently available. -- **TriggerCount** No content is currently available. -- **UploadedCount** No content is currently available. +- **ConsumerCount** The number of instances seen in the Event Tracing for Windows consumer. +- **EventName** The name of the event being monitored. +- **EventSnFirst** The expected first event serial number. +- **EventSnLast** The expected last event serial number. +- **EventStoreCount** The number of events reaching the event store. +- **MonitorSn** The serial number of the monitor. +- **TriggerCount** The number of events reaching the trigger buffer. +- **UploadedCount** The number of events uploaded. ### TelClientSynthetic.HeartBeat_5 @@ -3596,76 +3596,76 @@ The following fields are available: ### Microsoft.Windows.SysReset.FlightUninstallCancel -No content is currently available. +This event indicates the customer has cancelled uninstallation of Windows. ### Microsoft.Windows.SysReset.FlightUninstallError -No content is currently available. +This event sends an error code when the Windows uninstallation fails. The following fields are available: -- **ErrorCode** No content is currently available. +- **ErrorCode** Error code for uninstallation failure. ### Microsoft.Windows.SysReset.FlightUninstallReboot -No content is currently available. +This event is sent to signal an upcoming reboot during uninstallation of Windows. ### Microsoft.Windows.SysReset.FlightUninstallStart -No content is currently available. +This event indicates that the Windows uninstallation has started. ### Microsoft.Windows.SysReset.FlightUninstallUnavailable -No content is currently available. +This event sends diagnostic data when the Windows uninstallation is not available. The following fields are available: -- **AddedProfiles** No content is currently available. -- **MissingExternalStorage** No content is currently available. -- **MissingInfra** No content is currently available. -- **MovedProfiles** No content is currently available. +- **AddedProfiles** Indicates that new user profiles have been created since the flight was installed. +- **MissingExternalStorage** Indicates that the external storage used to install the flight is not available. +- **MissingInfra** Indicates that uninstall resources are missing. +- **MovedProfiles** Indicates that the user profile has been moved since the flight was installed. ### Microsoft.Windows.SysReset.HasPendingActions -No content is currently available. +This event is sent when users have actions that will block the uninstall of the latest quality update. ### Microsoft.Windows.SysReset.PBREngineInitFailed -No content is currently available. +This event signals a failed handoff between two recovery binaries. The following fields are available: -- **Operation** No content is currently available. +- **Operation** Legacy customer scenario. ### Microsoft.Windows.SysReset.PBREngineInitSucceed -No content is currently available. +This event signals successful handoff between two recovery binaries. The following fields are available: -- **Operation** No content is currently available. +- **Operation** Legacy customer scenario. ### Microsoft.Windows.SysReset.PBRFailedOffline -No content is currently available. +This event reports the error code when recovery fails. The following fields are available: -- **HRESULT** No content is currently available. -- **PBRType** No content is currently available. -- **SessionID** No content is currently available. +- **HRESULT** Error code for the failure. +- **PBRType** The recovery scenario. +- **SessionID** The unique ID for the recovery session. ### Microsoft.Xbox.XamTelemetry.AppActivationError @@ -4402,12 +4402,12 @@ The following fields are available: - **PackageCountTotalCanonical** Total number of canonical packages. - **PackageCountTotalDiff** Total number of diff packages. - **PackageCountTotalExpress** Total number of express packages. -- **PackageCountTotalPSFX** No content is currently available. +- **PackageCountTotalPSFX** The total number of PSFX packages. - **PackageExpressType** Type of express package. - **PackageSizeCanonical** Size of canonical packages in bytes. - **PackageSizeDiff** Size of diff packages in bytes. - **PackageSizeExpress** Size of express packages in bytes. -- **PackageSizePSFX** No content is currently available. +- **PackageSizePSFX** The size of PSFX packages, in bytes. - **RangeRequestState** Indicates the range request type used. - **RelatedCV** Correlation vector value generated from the latest USO scan. - **Result** Outcome of the download request phase of update. @@ -5487,7 +5487,7 @@ The following fields are available: - **downloadModeReason** Reason for the download. - **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). - **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **expiresAt** No content is currently available. +- **expiresAt** Time when the content will expire from the Delivery Optimization Cache. - **fileID** The ID of the file being downloaded. - **fileSize** The size of the file being downloaded. - **gCurMemoryStreamBytes** Current usage for memory streaming. @@ -5498,7 +5498,7 @@ The following fields are available: - **isVpn** Is the device connected to a Virtual Private Network? - **jobID** Identifier for the Windows Update job. - **lanConnectionCount** The total number of connections made to peers in the same LAN. -- **linkLocalConnectionCount** No content is currently available. +- **linkLocalConnectionCount** The number of connections made to peers in the same Link-local network. - **numPeers** The total number of peers used for this download. - **numPeersLocal** The total number of local peers used for this download. - **predefinedCallerName** The name of the API Caller. @@ -5690,7 +5690,7 @@ This event returns information relating to the Enhanced Engaged reboot reminder The following fields are available: - **DeviceLocalTime** The time at which the reboot reminder dialog was shown (based on the local device time settings). -- **EnterpriseAttributionValue** No content is currently available. +- **EnterpriseAttributionValue** Indicates whether Enterprise attribution is on for this dialog. - **ETag** The OneSettings versioning value. - **ExitCode** Indicates how users exited the reboot reminder dialog box. - **RebootVersion** The version of the DTE (Direct-to-Engaged). From b4323b9fe1355df994b76ef7cb4598d280d48795 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 8 Feb 2019 08:20:41 -0800 Subject: [PATCH 015/492] new build --- ...ndows-diagnostic-events-and-fields-19H1.md | 198 ++++++++++++++++-- 1 file changed, 186 insertions(+), 12 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md index 6dc649099d..5e8f28e0bf 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 02/07/2019 +ms.date: 02/08/2019 --- @@ -2347,6 +2347,19 @@ The following fields are available: - **UploadedCount** The number of events uploaded. +### TelClientSynthetic.GetFileInfoAction_FilePathNotApproved_0 + +No content is currently available. + +The following fields are available: + +- **FilePath** No content is currently available. +- **FilePathExpanded** No content is currently available. +- **FilePathExpandedScenario** No content is currently available. +- **ScenarioId** No content is currently available. +- **ScenarioInstanceId** No content is currently available. + + ### TelClientSynthetic.HeartBeat_5 This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. @@ -2401,6 +2414,134 @@ The following fields are available: - **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. +### TelClientSynthetic.HeartBeat_Agent_5 + +No content is currently available. + +The following fields are available: + +- **ConsumerDroppedCount** No content is currently available. +- **ContainerBufferFullDropCount** No content is currently available. +- **ContainerBufferFullSevilleDropCount** No content is currently available. +- **CriticalDataThrottleDroppedCount** No content is currently available. +- **DecodingDroppedCount** No content is currently available. +- **EtwDroppedBufferCount** No content is currently available. +- **EtwDroppedCount** No content is currently available. +- **EventsForwardedToHost** No content is currently available. +- **FullTriggerBufferDroppedCount** No content is currently available. +- **HeartBeatSequenceNumber** No content is currently available. +- **HostConnectionErrorsCount** No content is currently available. +- **HostConnectionTimeoutsCount** No content is currently available. +- **LastHostConnectionError** No content is currently available. +- **PreviousHeartBeatTime** No content is currently available. +- **ThrottledDroppedCount** No content is currently available. + + +### TelClientSynthetic.HeartBeat_DevHealthMon_5 + +No content is currently available. + +The following fields are available: + +- **HeartBeatSequenceNumber** No content is currently available. +- **PreviousHeartBeatTime** No content is currently available. + + +### TelClientSynthetic.LifetimeManager_ConsumerBaseTimestampChange_0 + +No content is currently available. + +The following fields are available: + +- **NewBaseTime** No content is currently available. +- **NewSystemTime** No content is currently available. +- **OldSystemTime** No content is currently available. + + +### TelClientSynthetic.MatchEngine_ScenarioCompletionThrottled_0 + +No content is currently available. + +The following fields are available: + +- **MaxHourlyCompletionsSetting** No content is currently available. +- **ScenarioId** No content is currently available. +- **ScenarioName** No content is currently available. + + +### TelClientSynthetic.OsEvents_BootStatReset_0 + +No content is currently available. + +The following fields are available: + +- **BootId** No content is currently available. +- **ResetReason** No content is currently available. + + +### TelClientSynthetic.ProducerThrottled_At_TriggerBuffer_0 + +No content is currently available. + +The following fields are available: + +- **BufferSize** No content is currently available. +- **DataType** No content is currently available. +- **EstSeenCount** No content is currently available. +- **EstTopEvent1Count** No content is currently available. +- **EstTopEvent1Name** No content is currently available. +- **EstTopEvent2Count** No content is currently available. +- **EstTopEvent2Name** No content is currently available. +- **Hit** No content is currently available. +- **IKey** No content is currently available. +- **ProviderId** No content is currently available. +- **ProviderName** No content is currently available. +- **Threshold** No content is currently available. + + +### TelClientSynthetic.ProducerThrottled_Event_Rate_0 + +No content is currently available. + +The following fields are available: + +- **EstSeenCount** No content is currently available. +- **EstTopEvent1Count** No content is currently available. +- **EstTopEvent1Name** No content is currently available. +- **EstTopEvent2Count** No content is currently available. +- **EstTopEvent2Name** No content is currently available. +- **EventPerProviderThreshold** No content is currently available. +- **EventRateThreshold** No content is currently available. +- **Hit** No content is currently available. +- **IKey** No content is currently available. +- **ProviderId** No content is currently available. +- **ProviderName** No content is currently available. + + +### TelClientSynthetic.RunExeWithArgsAction_ExeTerminated_0 + +No content is currently available. + +The following fields are available: + +- **ExpandedExeName** No content is currently available. +- **MaximumRuntimeMs** No content is currently available. +- **ScenarioId** No content is currently available. +- **ScenarioInstanceId** No content is currently available. + + +### TelClientSynthetic.RunExeWithArgsAction_ProcessReturnedNonZeroExitCode + +No content is currently available. + +The following fields are available: + +- **ExitCode** No content is currently available. +- **ExpandedExeName** No content is currently available. +- **ScenarioId** No content is currently available. +- **ScenarioInstanceId** No content is currently available. + + ## DxgKernelTelemetry events ### DxgKrnlTelemetry.GPUAdapterInventoryV2 @@ -3668,6 +3809,18 @@ The following fields are available: - **SessionID** The unique ID for the recovery session. +### Microsoft.Windows.SystemReset.PBRCorruptionRepairOption + +No content is currently available. + +The following fields are available: + +- **cbsSessionOption** No content is currently available. +- **errorCode** No content is currently available. +- **meteredConnection** No content is currently available. +- **sessionID** No content is currently available. + + ### Microsoft.Xbox.XamTelemetry.AppActivationError This event indicates whether the system detected an activation error in the app. @@ -3990,10 +4143,10 @@ Download process event for target update on Windows Update client. See the Event The following fields are available: - **ActiveDownloadTime** Number of seconds the update was actively being downloaded. -- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload. +- **AppXBlockHashFailures** No content is currently available. - **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. - **AppXDownloadScope** Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client. -- **AppXScope** Indicates the scope of the app download. +- **AppXScope** No content is currently available. - **BiosFamily** The family of the BIOS (Basic Input Output System). - **BiosName** The name of the device BIOS. - **BiosReleaseDate** The release date of the device BIOS. @@ -4002,22 +4155,22 @@ The following fields are available: - **BiosVersion** The version of the BIOS. - **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. - **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRepeatFailCount** No content is currently available. - **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download. - **BundleRevisionNumber** Identifies the revision number of the content bundle. - **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. - **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download. -- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. +- **CbsMethod** No content is currently available. - **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. - **CDNId** ID which defines which CDN the software distribution client downloaded the content from. - **ClientVersion** The version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. -- **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. +- **CommonProps** No content is currently available. +- **ConnectTime** No content is currently available. - **CurrentMobileOperator** The mobile operator the device is currently connected to. - **DeviceModel** What is the device model. - **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. -- **DownloadProps** Information about the download operation. +- **DownloadProps** No content is currently available. - **EventInstanceID** A globally unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed. - **EventType** Possible values are Child, Bundle, or Driver. @@ -4045,9 +4198,9 @@ The following fields are available: - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. - **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background. - **RegulationReason** The reason that the update is regulated -- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. +- **RegulationResult** No content is currently available. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific content has previously failed. +- **RepeatFailCount** No content is currently available. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** The revision number of the specified piece of content. - **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). @@ -5485,9 +5638,9 @@ The following fields are available: - **downlinkUsageBps** The download speed (in bytes per second). - **downloadMode** The download mode used for this file download session. - **downloadModeReason** Reason for the download. -- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **downloadModeSrc** Source of the DownloadMode setting. - **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **expiresAt** Time when the content will expire from the Delivery Optimization Cache. +- **expiresAt** The time when the content will expire from the Delivery Optimization Cache. - **fileID** The ID of the file being downloaded. - **fileSize** The size of the file being downloaded. - **gCurMemoryStreamBytes** Current usage for memory streaming. @@ -5716,6 +5869,26 @@ The following fields are available: - **UtcTime** The time that the pop-up banner was displayed, in Coordinated Universal Time. +### Microsoft.Windows.Update.NotificationUx.RebootScheduled + +Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update. + +The following fields are available: + +- **activeHoursApplicable** Indicates whether an Active Hours policy is present on the device. +- **IsEnhancedEngagedReboot** Indicates whether this is an Enhanced Engaged reboot. +- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. +- **rebootOutsideOfActiveHours** Indicates whether a restart is scheduled outside of active hours. +- **rebootScheduledByUser** Indicates whether the restart was scheduled by user (if not, it was scheduled automatically). +- **rebootState** The current state of the restart. +- **rebootUsingSmartScheduler** Indicates whether the reboot is scheduled by smart scheduler. +- **revisionNumber** Revision number of the update that is getting installed with this restart. +- **scheduledRebootTime** Time of the scheduled restart. +- **scheduledRebootTimeInUTC** Time of the scheduled restart in Coordinated Universal Time. +- **updateId** ID of the update that is getting installed with this restart. +- **wuDeviceid** Unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy This event indicates a policy is present that may restrict update activity to outside of active hours. @@ -6285,6 +6458,7 @@ This event is sent when reserves are initialized on the device. The following fields are available: - **FallbackInitUsed** Indicates whether fallback initialization is used. +- **FinalUserFreeSpace** No content is currently available. - **Flags** The flags used in the initialization of Update Reserve Manager. - **HardReserveFinalSize** The final size of the hard reserve. - **HardReserveFinalUsedSpace** The used space in the hard reserve. From e0db6ec4424acaafc6a6de23fe0f4c7a4cfbfa9f Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 11 Feb 2019 08:49:04 -0800 Subject: [PATCH 016/492] new build --- ...ndows-diagnostic-events-and-fields-19H1.md | 23 +++++++++++-------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md index 5e8f28e0bf..47fa6009f5 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 02/08/2019 +ms.date: 02/11/2019 --- @@ -749,6 +749,7 @@ The following fields are available: - **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? - **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block? - **DriverIsDriverBlocked** Is the driver package blocked because of a driver block? +- **DriverIsTroubleshooterBlocked** Indicates whether the driver package is blocked because of a troubleshooter block. - **DriverShouldNotMigrate** Should the driver package be migrated during upgrade? - **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? @@ -4143,10 +4144,10 @@ Download process event for target update on Windows Update client. See the Event The following fields are available: - **ActiveDownloadTime** Number of seconds the update was actively being downloaded. -- **AppXBlockHashFailures** No content is currently available. +- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload. - **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. - **AppXDownloadScope** Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client. -- **AppXScope** No content is currently available. +- **AppXScope** Indicates the scope of the app download. - **BiosFamily** The family of the BIOS (Basic Input Output System). - **BiosName** The name of the device BIOS. - **BiosReleaseDate** The release date of the device BIOS. @@ -4155,22 +4156,22 @@ The following fields are available: - **BiosVersion** The version of the BIOS. - **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. - **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** No content is currently available. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. - **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download. - **BundleRevisionNumber** Identifies the revision number of the content bundle. - **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. - **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download. -- **CbsMethod** No content is currently available. +- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. - **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. - **CDNId** ID which defines which CDN the software distribution client downloaded the content from. - **ClientVersion** The version number of the software distribution client. -- **CommonProps** No content is currently available. -- **ConnectTime** No content is currently available. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. +- **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. - **CurrentMobileOperator** The mobile operator the device is currently connected to. - **DeviceModel** What is the device model. - **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. -- **DownloadProps** No content is currently available. +- **DownloadProps** Information about the download operation. - **EventInstanceID** A globally unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed. - **EventType** Possible values are Child, Bundle, or Driver. @@ -4198,9 +4199,9 @@ The following fields are available: - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. - **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background. - **RegulationReason** The reason that the update is regulated -- **RegulationResult** No content is currently available. +- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **RepeatFailCount** No content is currently available. +- **RepeatFailCount** Indicates whether this specific content has previously failed. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** The revision number of the specified piece of content. - **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). @@ -6436,6 +6437,8 @@ The following fields are available: - **HardReserveUsedSpace** The used space in the hard reserve when the end scenario is called. - **ReturnCode** The return code of this operation. - **ScenarioId** The ID of the internal reserve manager scenario. +- **SoftReserveSize** No content is currently available. +- **SoftReserveUsedSpace** No content is currently available. ### Microsoft.Windows.UpdateReserveManager.FunctionReturnedError From 9e6edd0c766f22e95c49f51fbbbeb6cb139f40b1 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 12 Feb 2019 09:03:32 -0800 Subject: [PATCH 017/492] new build --- ...ndows-diagnostic-events-and-fields-19H1.md | 189 +++++++++--------- 1 file changed, 90 insertions(+), 99 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md index 47fa6009f5..064e2af5d3 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 02/11/2019 +ms.date: 02/12/2019 --- @@ -2350,15 +2350,15 @@ The following fields are available: ### TelClientSynthetic.GetFileInfoAction_FilePathNotApproved_0 -No content is currently available. +This event occurs when the DiagTrack escalation fails due to the scenario requesting a path that is not approved for GetFileInfo actions. The following fields are available: -- **FilePath** No content is currently available. -- **FilePathExpanded** No content is currently available. -- **FilePathExpandedScenario** No content is currently available. -- **ScenarioId** No content is currently available. -- **ScenarioInstanceId** No content is currently available. +- **FilePath** The unexpanded path in the scenario XML. +- **FilePathExpanded** The file path, with environment variables expanded. +- **FilePathExpandedScenario** The file path, with property identifiers and environment variables expanded. +- **ScenarioId** The globally unique identifier (GUID) of the scenario. +- **ScenarioInstanceId** The error code denoting which path failed (internal or external). ### TelClientSynthetic.HeartBeat_5 @@ -2417,130 +2417,130 @@ The following fields are available: ### TelClientSynthetic.HeartBeat_Agent_5 -No content is currently available. +This event sends data about the health and quality of the diagnostic data from the specified device (agent), to help keep Windows up to date. The following fields are available: -- **ConsumerDroppedCount** No content is currently available. -- **ContainerBufferFullDropCount** No content is currently available. -- **ContainerBufferFullSevilleDropCount** No content is currently available. -- **CriticalDataThrottleDroppedCount** No content is currently available. -- **DecodingDroppedCount** No content is currently available. -- **EtwDroppedBufferCount** No content is currently available. -- **EtwDroppedCount** No content is currently available. -- **EventsForwardedToHost** No content is currently available. -- **FullTriggerBufferDroppedCount** No content is currently available. -- **HeartBeatSequenceNumber** No content is currently available. -- **HostConnectionErrorsCount** No content is currently available. -- **HostConnectionTimeoutsCount** No content is currently available. -- **LastHostConnectionError** No content is currently available. -- **PreviousHeartBeatTime** No content is currently available. -- **ThrottledDroppedCount** No content is currently available. +- **ConsumerDroppedCount** The number of events dropped at the consumer layer of the diagnostic data collection client. +- **ContainerBufferFullDropCount** The number of events dropped due to the container buffer being full. +- **ContainerBufferFullSevilleDropCount** The number of “Seville” events dropped due to the container buffer being full. +- **CriticalDataThrottleDroppedCount** The number of critical data sampled events dropped due to data throttling. +- **DecodingDroppedCount** The number of events dropped due to decoding failures. +- **EtwDroppedBufferCount** The number of buffers dropped in the ETW (Event Tracing for Windows) session. +- **EtwDroppedCount** The number of events dropped at the ETW (Event Tracing for Windows) layer of the diagnostic data collection client on the user’s device. +- **EventsForwardedToHost** The number of events forwarded from agent (device) to host (server). +- **FullTriggerBufferDroppedCount** The number of events dropped due to the trigger buffer being full. +- **HeartBeatSequenceNumber** The heartbeat sequence number associated with this event. +- **HostConnectionErrorsCount** The number of non-timeout errors encountered in the host (server)/agent (device) socket transport channel. +- **HostConnectionTimeoutsCount** The number of connection timeouts between the host (server) and agent (device). +- **LastHostConnectionError** The last error from a connection between host (server) and agent (device). +- **PreviousHeartBeatTime** The timestamp of the last heartbeat event. +- **ThrottledDroppedCount** The number of events dropped due to throttling of “noisy” providers. ### TelClientSynthetic.HeartBeat_DevHealthMon_5 -No content is currently available. +This event sends data (for Surface Hub devices) to monitor and ensure the correct functioning of those Surface Hub devices. This data helps ensure the device is up-to-date with the latest security and safety features. The following fields are available: -- **HeartBeatSequenceNumber** No content is currently available. -- **PreviousHeartBeatTime** No content is currently available. +- **HeartBeatSequenceNumber** The heartbeat sequence number associated with this event. +- **PreviousHeartBeatTime** The timestamp of the last heartbeat event. ### TelClientSynthetic.LifetimeManager_ConsumerBaseTimestampChange_0 -No content is currently available. +This event sends data when the Windows Diagnostic data collection mechanism detects a timestamp adjustment for incoming diagnostic events. This data is critical for dealing with time changes during diagnostic data analysis, to help keep the device up to date. The following fields are available: -- **NewBaseTime** No content is currently available. -- **NewSystemTime** No content is currently available. -- **OldSystemTime** No content is currently available. +- **NewBaseTime** The new QPC (Query Performance Counter) base time from ETW (Event Tracing for Windows). +- **NewSystemTime** The new system time of the device. +- **OldSystemTime** The previous system time of the device. ### TelClientSynthetic.MatchEngine_ScenarioCompletionThrottled_0 -No content is currently available. +This event sends data when scenario completion is throttled (truncated or otherwise restricted) because the scenario is excessively large. The following fields are available: -- **MaxHourlyCompletionsSetting** No content is currently available. -- **ScenarioId** No content is currently available. -- **ScenarioName** No content is currently available. +- **MaxHourlyCompletionsSetting** The maximum number of scenario completions per hour until throttling kicks in. +- **ScenarioId** The globally unique identifier (GUID) of the scenario being throttled. +- **ScenarioName** The name of the scenario being throttled. ### TelClientSynthetic.OsEvents_BootStatReset_0 -No content is currently available. +This event sends data when the Windows diagnostic data collection mechanism resets the Boot ID. This data helps ensure Windows is up to date. The following fields are available: -- **BootId** No content is currently available. -- **ResetReason** No content is currently available. +- **BootId** The current Boot ID. +- **ResetReason** The reason code for resetting the Boot ID. ### TelClientSynthetic.ProducerThrottled_At_TriggerBuffer_0 -No content is currently available. +This event sends data when a producer is throttled due to the trigger buffer exceeding defined thresholds. The following fields are available: -- **BufferSize** No content is currently available. -- **DataType** No content is currently available. -- **EstSeenCount** No content is currently available. -- **EstTopEvent1Count** No content is currently available. -- **EstTopEvent1Name** No content is currently available. -- **EstTopEvent2Count** No content is currently available. -- **EstTopEvent2Name** No content is currently available. -- **Hit** No content is currently available. -- **IKey** No content is currently available. -- **ProviderId** No content is currently available. -- **ProviderName** No content is currently available. -- **Threshold** No content is currently available. +- **BufferSize** The size of the trigger buffer. +- **DataType** The type of event that this producer generates (Event Tracing for Windows, Time, Synthetic). +- **EstSeenCount** Estimated total number of inputs determining other “Est…” values. +- **EstTopEvent1Count** The count for estimated “noisiest” event from this producer. +- **EstTopEvent1Name** The name for estimated “noisiest” event from this producer. +- **EstTopEvent2Count** The count for estimated second “noisiest” event from this producer. +- **EstTopEvent2Name** The name for estimated second “noisiest” event from this producer. +- **Hit** The number of events seen from this producer. +- **IKey** The IKey identifier of the producer, if available. +- **ProviderId** The provider ID of the producer being throttled. +- **ProviderName** The provider name of the producer being throttled. +- **Threshold** The threshold crossed, which caused the throttling. ### TelClientSynthetic.ProducerThrottled_Event_Rate_0 -No content is currently available. +This event sends data when an event producer is throttled by the Windows Diagnostic data collection mechanism. This data helps ensure Windows is up to date. The following fields are available: -- **EstSeenCount** No content is currently available. -- **EstTopEvent1Count** No content is currently available. -- **EstTopEvent1Name** No content is currently available. -- **EstTopEvent2Count** No content is currently available. -- **EstTopEvent2Name** No content is currently available. -- **EventPerProviderThreshold** No content is currently available. -- **EventRateThreshold** No content is currently available. -- **Hit** No content is currently available. -- **IKey** No content is currently available. -- **ProviderId** No content is currently available. -- **ProviderName** No content is currently available. +- **EstSeenCount** Estimated total number of inputs determining other “Est…” values. +- **EstTopEvent1Count** The count for estimated “noisiest” event from this producer. +- **EstTopEvent1Name** The name for estimated “noisiest” event from this producer. +- **EstTopEvent2Count** The count for estimated second “noisiest” event from this producer. +- **EstTopEvent2Name** The name for estimated second “noisiest” event from this producer. +- **EventPerProviderThreshold** The trigger point for throttling (value for each provider). This value is only applied once EventRateThreshold has been met. +- **EventRateThreshold** The total event rate trigger point for throttling. +- **Hit** The number of events seen from this producer. +- **IKey** The IKey identifier of the producer, if available. +- **ProviderId** The provider ID of the producer being throttled. +- **ProviderName** The provider name of the producer being throttled. ### TelClientSynthetic.RunExeWithArgsAction_ExeTerminated_0 -No content is currently available. +This event sends data when an executable (EXE) file is terminated during escalation because it exceeded its maximum runtime (the maximum amount of time it was expected to run). This data helps ensure Windows is up to date. The following fields are available: -- **ExpandedExeName** No content is currently available. -- **MaximumRuntimeMs** No content is currently available. -- **ScenarioId** No content is currently available. -- **ScenarioInstanceId** No content is currently available. +- **ExpandedExeName** The expanded name of the executable (EXE) file. +- **MaximumRuntimeMs** The maximum runtime (in milliseconds) for this action. +- **ScenarioId** The globally unique identifier (GUID) of the scenario that was terminated. +- **ScenarioInstanceId** The globally unique identifier (GUID) of the scenario instance that was terminated. ### TelClientSynthetic.RunExeWithArgsAction_ProcessReturnedNonZeroExitCode -No content is currently available. +This event sends data when the RunExe process finishes during escalation, but returns a non-zero exit code. This data helps ensure Windows is up to date. The following fields are available: -- **ExitCode** No content is currently available. -- **ExpandedExeName** No content is currently available. -- **ScenarioId** No content is currently available. -- **ScenarioInstanceId** No content is currently available. +- **ExitCode** The exit code of the process +- **ExpandedExeName** The expanded name of the executable (EXE) file. +- **ScenarioId** The globally unique identifier (GUID) of the escalating scenario. +- **ScenarioInstanceId** The globally unique identifier (GUID) of the scenario instance. ## DxgKernelTelemetry events @@ -3812,14 +3812,14 @@ The following fields are available: ### Microsoft.Windows.SystemReset.PBRCorruptionRepairOption -No content is currently available. +This event sends corruption repair diagnostic data when the PBRCorruptionRepairOption encounters a corruption error. The following fields are available: -- **cbsSessionOption** No content is currently available. -- **errorCode** No content is currently available. -- **meteredConnection** No content is currently available. -- **sessionID** No content is currently available. +- **cbsSessionOption** The corruption repair configuration. +- **errorCode** The error code encountered. +- **meteredConnection** Indicates whether the device is connected to a metered network (wired or WiFi). +- **sessionID** The globally unique identifier (GUID) for the session. ### Microsoft.Xbox.XamTelemetry.AppActivationError @@ -4144,10 +4144,10 @@ Download process event for target update on Windows Update client. See the Event The following fields are available: - **ActiveDownloadTime** Number of seconds the update was actively being downloaded. -- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload. +- **AppXBlockHashFailures** No content is currently available. - **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. - **AppXDownloadScope** Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client. -- **AppXScope** Indicates the scope of the app download. +- **AppXScope** No content is currently available. - **BiosFamily** The family of the BIOS (Basic Input Output System). - **BiosName** The name of the device BIOS. - **BiosReleaseDate** The release date of the device BIOS. @@ -4156,18 +4156,18 @@ The following fields are available: - **BiosVersion** The version of the BIOS. - **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. - **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRepeatFailCount** No content is currently available. - **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download. - **BundleRevisionNumber** Identifies the revision number of the content bundle. - **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. - **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download. -- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. +- **CbsMethod** No content is currently available. - **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. - **CDNId** ID which defines which CDN the software distribution client downloaded the content from. - **ClientVersion** The version number of the software distribution client. - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. -- **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. +- **ConnectTime** No content is currently available. - **CurrentMobileOperator** The mobile operator the device is currently connected to. - **DeviceModel** What is the device model. - **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. @@ -4201,7 +4201,7 @@ The following fields are available: - **RegulationReason** The reason that the update is regulated - **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific content has previously failed. +- **RepeatFailCount** No content is currently available. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** The revision number of the specified piece of content. - **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). @@ -4577,7 +4577,7 @@ This event collects information regarding the expansion phase of the new Unified The following fields are available: -- **CanonicalRequestedOnError** No content is currently available. +- **CanonicalRequestedOnError** Indicates if an error caused a reversion to a different type of compressed update (TRUE or FALSE). - **ElapsedTickCount** Time taken for expand phase. - **EndFreeSpace** Free space after expand phase. - **EndSandboxSize** Sandbox size after expand phase. @@ -6482,21 +6482,6 @@ The following fields are available: - **UpdateScratchReserveInitialSize** The size of the scratch reserve after initialization. -### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager - -This event returns data about the Update Reserve Manager, including whether it’s been initialized. - -The following fields are available: - -- **ClientId** The ID of the caller application. -- **Flags** The enumerated flags used to initialize the manager. -- **FlightId** The flight ID of the content the calling client is currently operating with. -- **Offline** Indicates whether or the reserve manager is called during offline operations. -- **PolicyPassed** Indicates whether the machine is able to use reserves. -- **ReturnCode** Return code of the operation. -- **Version** The version of the Update Reserve Manager. - - ### Microsoft.Windows.UpdateReserveManager.PrepareTIForReserveInitialization This event is sent when the Update Reserve Manager prepares the Trusted Installer to initialize reserves on the next boot. @@ -6530,6 +6515,12 @@ This event is sent when the Update Reserve Manager turns off reserve functionali The following fields are available: - **Flags** Flags used in the turn off reserves function. +- **HardReserveSize** No content is currently available. +- **HardReserveUsedSpace** No content is currently available. +- **ScratchReserveSize** No content is currently available. +- **ScratchReserveUsedSpace** No content is currently available. +- **SoftReserveSize** No content is currently available. +- **SoftReserveUsedSpace** No content is currently available. ### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment From b5d294eeddb0e393e0e9562d1200eb622bd1a4ab Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 12 Feb 2019 16:47:39 -0800 Subject: [PATCH 018/492] new build --- ...basic-level-windows-diagnostic-events-and-fields-19H1.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md index 064e2af5d3..0fa6cf4c9a 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md @@ -6437,8 +6437,8 @@ The following fields are available: - **HardReserveUsedSpace** The used space in the hard reserve when the end scenario is called. - **ReturnCode** The return code of this operation. - **ScenarioId** The ID of the internal reserve manager scenario. -- **SoftReserveSize** No content is currently available. -- **SoftReserveUsedSpace** No content is currently available. +- **SoftReserveSize** The size of the soft reserve when end scenario is called. +- **SoftReserveUsedSpace** The amount of the soft reserve used when end scenario is called. ### Microsoft.Windows.UpdateReserveManager.FunctionReturnedError @@ -6461,7 +6461,7 @@ This event is sent when reserves are initialized on the device. The following fields are available: - **FallbackInitUsed** Indicates whether fallback initialization is used. -- **FinalUserFreeSpace** No content is currently available. +- **FinalUserFreeSpace** The amount of user free space after initialization. - **Flags** The flags used in the initialization of Update Reserve Manager. - **HardReserveFinalSize** The final size of the hard reserve. - **HardReserveFinalUsedSpace** The used space in the hard reserve. From c0ff6390e9ee613d77ca1caa66d676ab553aba79 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 13 Feb 2019 08:30:52 -0800 Subject: [PATCH 019/492] new build --- ...ndows-diagnostic-events-and-fields-19H1.md | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md index 0fa6cf4c9a..dbaadb2de5 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 02/12/2019 +ms.date: 02/13/2019 --- @@ -4144,10 +4144,10 @@ Download process event for target update on Windows Update client. See the Event The following fields are available: - **ActiveDownloadTime** Number of seconds the update was actively being downloaded. -- **AppXBlockHashFailures** No content is currently available. +- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download. - **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. - **AppXDownloadScope** Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client. -- **AppXScope** No content is currently available. +- **AppXScope** Indicates the scope of the app download. - **BiosFamily** The family of the BIOS (Basic Input Output System). - **BiosName** The name of the device BIOS. - **BiosReleaseDate** The release date of the device BIOS. @@ -4156,22 +4156,22 @@ The following fields are available: - **BiosVersion** The version of the BIOS. - **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. - **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** No content is currently available. +- **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed. - **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download. - **BundleRevisionNumber** Identifies the revision number of the content bundle. - **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. - **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download. -- **CbsMethod** No content is currently available. +- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. - **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. - **CDNId** ID which defines which CDN the software distribution client downloaded the content from. - **ClientVersion** The version number of the software distribution client. - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. -- **ConnectTime** No content is currently available. +- **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. - **CurrentMobileOperator** The mobile operator the device is currently connected to. - **DeviceModel** What is the device model. - **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. -- **DownloadProps** Information about the download operation. +- **DownloadProps** No content is currently available. - **EventInstanceID** A globally unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed. - **EventType** Possible values are Child, Bundle, or Driver. @@ -4201,7 +4201,7 @@ The following fields are available: - **RegulationReason** The reason that the update is regulated - **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **RepeatFailCount** No content is currently available. +- **RepeatFailCount** Indicates whether this specific content has previously failed. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** The revision number of the specified piece of content. - **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). @@ -6515,12 +6515,12 @@ This event is sent when the Update Reserve Manager turns off reserve functionali The following fields are available: - **Flags** Flags used in the turn off reserves function. -- **HardReserveSize** No content is currently available. -- **HardReserveUsedSpace** No content is currently available. -- **ScratchReserveSize** No content is currently available. -- **ScratchReserveUsedSpace** No content is currently available. -- **SoftReserveSize** No content is currently available. -- **SoftReserveUsedSpace** No content is currently available. +- **HardReserveSize** The size of the hard reserve when Turn Off is called. +- **HardReserveUsedSpace** The amount of space used by the hard reserve when Turn Off is called +- **ScratchReserveSize** The size of the scratch reserve when Turn Off is called. +- **ScratchReserveUsedSpace** The amount of space used by the scratch reserve when Turn Off is called. +- **SoftReserveSize** The size of the soft reserve when Turn Off is called. +- **SoftReserveUsedSpace** The amount of the soft reserve used when Turn Off is called. ### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment From 4adeb8d342d599d3e2844144dab99820ee0f6819 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 13 Feb 2019 14:03:24 -0800 Subject: [PATCH 020/492] new build --- .../basic-level-windows-diagnostic-events-and-fields-19H1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md index dbaadb2de5..ad1566b7b2 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md @@ -4171,7 +4171,7 @@ The following fields are available: - **CurrentMobileOperator** The mobile operator the device is currently connected to. - **DeviceModel** What is the device model. - **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. -- **DownloadProps** No content is currently available. +- **DownloadProps** Information about the download operation properties in the form of a bitmask. - **EventInstanceID** A globally unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed. - **EventType** Possible values are Child, Bundle, or Driver. From b3537b04295e09eadf44cd9b7dcc6eeef5ba2a97 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 15 Feb 2019 09:11:01 -0800 Subject: [PATCH 021/492] new build --- .../basic-level-windows-diagnostic-events-and-fields-19H1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md index ad1566b7b2..0e7eebb254 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 02/13/2019 +ms.date: 02/15/2019 --- From 6e0a0fca1b293dc2072fe464355c712c42444f47 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 4 Mar 2019 14:28:11 -0800 Subject: [PATCH 022/492] new build --- ...ndows-diagnostic-events-and-fields-1703.md | 65 +- ...ndows-diagnostic-events-and-fields-1709.md | 10 +- ...ndows-diagnostic-events-and-fields-1803.md | 10 +- ...ndows-diagnostic-events-and-fields-1809.md | 15765 ++++++++-------- 4 files changed, 8183 insertions(+), 7667 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index eaf8f033d0..5dfc2fcfac 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -7,13 +7,13 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localizationpriority: high -audience: ITPro author: brianlic-msft ms.author: brianlic manager: dansimp ms.collection: M365-security-compliance ms.topic: article -ms.date: 02/15/2019 +audience: ITPro +ms.date: 03/04/2019 --- @@ -1822,61 +1822,6 @@ The following fields are available: ## Diagnostic data events -### TelClientSynthetic.AbnormalShutdown_0 - -This event sends data about boot IDs for which a normal clean shutdown was not observed, to help keep Windows up to date. - -The following fields are available: - -- **AbnormalShutdownBootId** Retrieves the Boot ID for which the abnormal shutdown was observed. -- **CrashDumpEnabled** Indicates whether crash dumps are enabled. -- **CumulativeCrashCount** Cumulative count of operating system crashes since the BootId reset. -- **CurrentBootId** BootId at the time the abnormal shutdown event was being reported. -- **FirmwareResetReasonEmbeddedController** Firmware-supplied reason for the reset. -- **FirmwareResetReasonEmbeddedControllerAdditional** Additional data related to the reset reason provided by the firmware. -- **FirmwareResetReasonPch** Hardware-supplied reason for the reset. -- **FirmwareResetReasonPchAdditional** Additional data related to the reset reason provided by the hardware. -- **FirmwareResetReasonSupplied** Indicates whether the firmware supplied any reset reason. -- **FirmwareType** ID of the FirmwareType as enumerated in DimFirmwareType. -- **HardwareWatchdogTimerGeneratedLastReset** Indicates whether the hardware watchdog timer caused the last reset. -- **HardwareWatchdogTimerPresent** Indicates whether hardware watchdog timer was present or not. -- **LastBugCheckBootId** The Boot ID of the last captured crash. -- **LastBugCheckCode** Code that indicates the type of error. -- **LastBugCheckContextFlags** Additional crash dump settings. -- **LastBugCheckOriginalDumpType** The type of crash dump the system intended to save. -- **LastBugCheckOtherSettings** Other crash dump settings. -- **LastBugCheckParameter1** The first parameter with additional info on the type of the error. -- **LastBugCheckProgress** Progress towards writing out the last crash dump. -- **LastSuccessfullyShutdownBootId** The Boot ID of the last fully successful shutdown. -- **PowerButtonCumulativePressCount** Indicates the number of times the power button has been pressed ("pressed" not to be confused with "released"). -- **PowerButtonCumulativeReleaseCount** Indicates the number of times the power button has been released ("released" not to be confused with "pressed"). -- **PowerButtonErrorCount** Indicates the number of times there was an error attempting to record Power Button metrics (e.g.: due to a failure to lock/update the bootstat file). -- **PowerButtonLastPressBootId** The Boot ID of the last time the Power Button was detected to have been pressed ("pressed" not to be confused with "released"). -- **PowerButtonLastPressTime** The date and time the Power Button was most recently pressed ("pressed" not to be confused with "released"). -- **PowerButtonLastReleaseBootId** The Boot ID of the last time the Power Button was released ("released" not to be confused with "pressed"). -- **PowerButtonLastReleaseTime** The date and time the Power Button was most recently released ("released" not to be confused with "pressed"). -- **PowerButtonPressCurrentCsPhase** Represents the phase of Connected Standby exit when the power button was pressed. -- **PowerButtonPressIsShutdownInProgress** Indicates whether a system shutdown was in progress at the last time the Power Button was pressed. -- **PowerButtonPressLastPowerWatchdogStage** The last stage completed when the Power Button was most recently pressed. -- **PowerButtonPressPowerWatchdogArmed** Indicates whether or not the watchdog for the monitor was active at the time of the last power button press. -- **TransitionInfoBootId** The Boot ID of the captured transition information. -- **TransitionInfoCSCount** The total number of times the system transitioned from "Connected Standby" mode to "On" when the last marker was saved. -- **TransitionInfoCSEntryReason** Indicates the reason the device last entered "Connected Standby" mode ("entered" not to be confused with "exited"). -- **TransitionInfoCSExitReason** Indicates the reason the device last exited "Connected Standby" mode ("exited" not to be confused with "entered"). -- **TransitionInfoCSInProgress** Indicates whether the system was in or entering Connected Standby mode when the last marker was saved. -- **TransitionInfoLastReferenceTimeChecksum** The checksum of TransitionInfoLastReferenceTimestamp. -- **TransitionInfoLastReferenceTimestamp** The date and time that the marker was last saved. -- **TransitionInfoPowerButtonTimestamp** The most recent date and time when the Power Button was pressed (collected via a different mechanism than PowerButtonLastPressTime). -- **TransitionInfoSleepInProgress** Indicates whether the system was in or entering Sleep mode when the last marker was saved. -- **TransitionInfoSleepTranstionsToOn** The total number of times the system transitioned from Sleep mode to on, when the last marker was saved. -- **TransitionInfoSystemRunning** Indicates whether the system was running when the last marker was saved. -- **TransitionInfoSystemShutdownInProgress** Indicates whether a device shutdown was in progress when the power button was pressed. -- **TransitionInfoUserShutdownInProgress** Indicates whether a user shutdown was in progress when the power button was pressed. -- **TransitionLatestCheckpointId** Represents a unique identifier for a checkpoint during the device state transition. -- **TransitionLatestCheckpointSeqNumber** Represents the chronological sequence number of the checkpoint. -- **TransitionLatestCheckpointType** Represents the type of the checkpoint, which can be the start of a phase, end of a phase, or just informational. - - ### TelClientSynthetic.AuthorizationInfo_RuntimeTransition This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. @@ -6296,6 +6241,12 @@ This event sends data specific to the FixupEditionId mitigation used for OS Upda ## Windows Update Reserve Manager events +### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager + +This event returns data about the Update Reserve Manager, including whether it’s been initialized. + + + ### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 27fcd87f88..d516d29754 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -7,13 +7,13 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localizationpriority: high -audience: ITPro author: brianlic-msft ms.author: brianlic manager: dansimp ms.collection: M365-security-compliance ms.topic: article -ms.date: 02/15/2019 +audience: ITPro +ms.date: 03/04/2019 --- @@ -6514,6 +6514,12 @@ The following fields are available: ## Windows Update Reserve Manager events +### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager + +This event returns data about the Update Reserve Manager, including whether it’s been initialized. + + + ### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index e3c6418b17..6c84d0381d 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -7,13 +7,13 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localizationpriority: high -audience: ITPro author: brianlic-msft ms.author: brianlic manager: dansimp ms.collection: M365-security-compliance ms.topic: article -ms.date: 02/15/2019 +audience: ITPro +ms.date: 03/04/2019 --- @@ -7646,6 +7646,12 @@ This event is sent when the Update Reserve Manager returns an error from one of +### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager + +This event returns data about the Update Reserve Manager, including whether it’s been initialized. + + + ### Microsoft.Windows.UpdateReserveManager.PrepareTIForReserveInitialization This event is sent when the Update Reserve Manager prepares the Trusted Installer to initialize reserves on the next boot. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 8916790a12..0ed80bd117 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -1,7606 +1,8159 @@ ---- -description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. -title: Windows 10, version 1809 basic diagnostic events and fields (Windows 10) -keywords: privacy, telemetry -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -localizationpriority: high -audience: ITPro -author: brianlic-msft -ms.author: brianlic -manager: dansimp -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 02/15/2019 ---- - - -# Windows 10, version 1809 basic level Windows diagnostic events and fields - - **Applies to** - -- Windows 10, version 1809 - - -The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. - -The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. - -Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. - -You can learn more about Windows functional and diagnostic data through these articles: - - -- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) -- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) -- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) -- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) -- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) - - - - -## Account trace logging provider events - -### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.General - -This event provides information about application properties to indicate the successful execution. - -The following fields are available: - -- **AppMode** Indicates the mode the app is being currently run around privileges. -- **ExitCode** Indicates the exit code of the app. -- **Help** Indicates if the app needs to be launched in the help mode. -- **ParseError** Indicates if there was a parse error during the execution. -- **RightsAcquired** Indicates if the right privileges were acquired for successful execution. -- **RightsWereEnabled** Indicates if the right privileges were enabled for successful execution. -- **TestMode** Indicates whether the app is being run in test mode. - - -### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.GetCount - -This event provides information about the properties of user accounts in the Administrator group. - -The following fields are available: - -- **Internal** Indicates the internal property associated with the count group. -- **LastError** The error code (if applicable) for the cause of the failure to get the count of the user account. -- **Result** The HResult error. - - -## AppLocker events - -### Microsoft.Windows.Security.AppLockerCSP.ActivityStoppedAutomatically - -Automatically closed activity for start/stop operations that aren't explicitly closed. - - - -### Microsoft.Windows.Security.AppLockerCSP.AddParams - -Parameters passed to Add function of the AppLockerCSP Node. - -The following fields are available: - -- **child** The child URI of the node to add. -- **uri** URI of the node relative to %SYSTEM32%/AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.AddStart - -Start of "Add" Operation for the AppLockerCSP Node. - - - -### Microsoft.Windows.Security.AppLockerCSP.AddStop - -End of "Add" Operation for AppLockerCSP Node. - -The following fields are available: - -- **hr** The HRESULT returned by Add function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.CAppLockerCSP::Rollback - -Result of the 'Rollback' operation in AppLockerCSP. - -The following fields are available: - -- **oldId** Previous id for the CSP transaction. -- **txId** Current id for the CSP transaction. - - -### Microsoft.Windows.Security.AppLockerCSP.ClearParams - -Parameters passed to the "Clear" operation for AppLockerCSP. - -The following fields are available: - -- **uri** The URI relative to the %SYSTEM32%\AppLocker folder. - - -### Microsoft.Windows.Security.AppLockerCSP.ClearStart - -Start of the "Clear" operation for the AppLockerCSP Node. - - - -### Microsoft.Windows.Security.AppLockerCSP.ClearStop - -End of the "Clear" operation for the AppLockerCSP node. - -The following fields are available: - -- **hr** HRESULT reported at the end of the 'Clear' function. - - -### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStart - -Start of the "ConfigManagerNotification" operation for AppLockerCSP. - -The following fields are available: - -- **NotifyState** State sent by ConfigManager to AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStop - -End of the "ConfigManagerNotification" operation for AppLockerCSP. - -The following fields are available: - -- **hr** HRESULT returned by the ConfigManagerNotification function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceParams - -Parameters passed to the CreateNodeInstance function of the AppLockerCSP node. - -The following fields are available: - -- **NodeId** NodeId passed to CreateNodeInstance. -- **nodeOps** NodeOperations parameter passed to CreateNodeInstance. -- **uri** URI passed to CreateNodeInstance, relative to %SYSTEM32%\AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStart - -Start of the "CreateNodeInstance" operation for the AppLockerCSP node. - - - -### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStop - -End of the "CreateNodeInstance" operation for the AppLockerCSP node - -The following fields are available: - -- **hr** HRESULT returned by the CreateNodeInstance function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.DeleteChildParams - -Parameters passed to the DeleteChild function of the AppLockerCSP node. - -The following fields are available: - -- **child** The child URI of the node to delete. -- **uri** URI relative to %SYSTEM32%\AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStart - -Start of the "DeleteChild" operation for the AppLockerCSP node. - - - -### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStop - -End of the "DeleteChild" operation for the AppLockerCSP node. - -The following fields are available: - -- **hr** HRESULT returned by the DeleteChild function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.EnumPolicies - -Logged URI relative to %SYSTEM32%\AppLocker, if the Plugin GUID is null, or the CSP doesn't believe the old policy is present. - -The following fields are available: - -- **uri** URI relative to %SYSTEM32%\AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesParams - -Parameters passed to the GetChildNodeNames function of the AppLockerCSP node. - -The following fields are available: - -- **uri** URI relative to %SYSTEM32%/AppLocker for MDM node. - - -### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStart - -Start of the "GetChildNodeNames" operation for the AppLockerCSP node. - - - -### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStop - -End of the "GetChildNodeNames" operation for the AppLockerCSP node. - -The following fields are available: - -- **child[0]** If function succeeded, the first child's name, else "NA". -- **count** If function succeeded, the number of child node names returned by the function, else 0. -- **hr** HRESULT returned by the GetChildNodeNames function of AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.GetLatestId - -The result of 'GetLatestId' in AppLockerCSP (the latest time stamped GUID). - -The following fields are available: - -- **dirId** The latest directory identifier found by GetLatestId. -- **id** The id returned by GetLatestId if id > 0 - otherwise the dirId parameter. - - -### Microsoft.Windows.Security.AppLockerCSP.HResultException - -HRESULT thrown by any arbitrary function in AppLockerCSP. - -The following fields are available: - -- **file** File in the OS code base in which the exception occurs. -- **function** Function in the OS code base in which the exception occurs. -- **hr** HRESULT that is reported. -- **line** Line in the file in the OS code base in which the exception occurs. - - -### Microsoft.Windows.Security.AppLockerCSP.SetValueParams - -Parameters passed to the SetValue function of the AppLockerCSP node. - -The following fields are available: - -- **dataLength** Length of the value to set. -- **uri** The node URI to that should contain the value, relative to %SYSTEM32%\AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.SetValueStart - -Start of the "SetValue" operation for the AppLockerCSP node. - - - -### Microsoft.Windows.Security.AppLockerCSP.SetValueStop - -End of the "SetValue" operation for the AppLockerCSP node. - -The following fields are available: - -- **hr** HRESULT returned by the SetValue function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.TryRemediateMissingPolicies - -EntryPoint of fix step or policy remediation, includes URI relative to %SYSTEM32%\AppLocker that needs to be fixed. - -The following fields are available: - -- **uri** URI for node relative to %SYSTEM32%/AppLocker. - - -## Appraiser events - -### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount - -This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client. - -The following fields are available: - -- **DatasourceApplicationFile_19ASetup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_19H1** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **DatasourceApplicationFile_RS2** An ID for the system, calculated by hashing hardware identifiers. -- **DatasourceApplicationFile_RS3** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS4** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_TH1** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_TH2** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_19ASetup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. -- **DatasourceDevicePnp_RS2** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS3** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS4** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS5** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_TH1** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_TH2** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_19ASetup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_19H1** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device. -- **DatasourceDriverPackage_RS2** The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device. -- **DatasourceDriverPackage_RS3** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS5** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_TH1** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoBlock_RS2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS3** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS3** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_19ASetup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_19H1** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device. -- **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device. -- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting Windows 10 version 1709 present on this device. -- **DatasourceSystemBios_RS3Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS4** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS5** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_TH1** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_TH2** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_19H1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS3** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_TH1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_TH2** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_19H1** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. -- **DecisionDevicePnp_RS2** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS3** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS5** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_TH1** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_TH2** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_19H1** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device. -- **DecisionDriverPackage_RS2** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS3** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS5** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_TH1** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. -- **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. -- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1709 present on this device. -- **DecisionMatchingInfoBlock_RS4** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1803 present on this device. -- **DecisionMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. -- **DecisionMatchingInfoPassive_RS2** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 on this device. -- **DecisionMatchingInfoPassive_RS3** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1803 on this device. -- **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. -- **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. -- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. -- **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_19H1** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_19H1Setup** The total DecisionMediaCenter objects targeting the next release of Windows on this device. -- **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. -- **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device. -- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting Windows 10 version 1709 present on this device. -- **DecisionMediaCenter_RS4** The total DecisionMediaCenter objects targeting Windows 10 version 1803 present on this device. -- **DecisionMediaCenter_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_TH1** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_TH2** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_19ASetup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_19H1** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device. -- **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 on this device. -- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting Windows 10 version 1709 on this device. -- **DecisionSystemBios_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device. -- **DecisionSystemBios_RS4Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS5** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS5Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_TH1** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device. -- **DecisionSystemProcessor_RS2** The count of the number of this particular object type present on this device. -- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **InventoryApplicationFile** The count of the number of this particular object type present on this device. -- **InventoryDeviceContainer** A count of device container objects in cache. -- **InventoryDevicePnp** A count of device Plug and Play objects in cache. -- **InventoryDriverBinary** A count of driver binary objects in cache. -- **InventoryDriverPackage** A count of device objects in cache. -- **InventoryLanguagePack** The count of the number of this particular object type present on this device. -- **InventoryMediaCenter** The count of the number of this particular object type present on this device. -- **InventorySystemBios** The count of the number of this particular object type present on this device. -- **InventorySystemMachine** The count of the number of this particular object type present on this device. -- **InventorySystemProcessor** The count of the number of this particular object type present on this device. -- **InventoryTest** The count of the number of this particular object type present on this device. -- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. -- **PCFP** The count of the number of this particular object type present on this device. -- **SystemMemory** The count of the number of this particular object type present on this device. -- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. -- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. -- **SystemProcessorNx** The total number of objects of this type present on this device. -- **SystemProcessorPrefetchW** The total number of objects of this type present on this device. -- **SystemProcessorSse2** The total number of objects of this type present on this device. -- **SystemTouch** The count of the number of this particular object type present on this device. -- **SystemWim** The total number of objects of this type present on this device. -- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. -- **SystemWlan** The total number of objects of this type present on this device. -- **Wmdrm_19ASetup** The count of the number of this particular object type present on this device. -- **Wmdrm_19H1** The count of the number of this particular object type present on this device. -- **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. -- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS2** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS3** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. -- **Wmdrm_RS4Setup** The count of the number of this particular object type present on this device. -- **Wmdrm_RS5** The count of the number of this particular object type present on this device. -- **Wmdrm_RS5Setup** The count of the number of this particular object type present on this device. -- **Wmdrm_TH1** The count of the number of this particular object type present on this device. -- **Wmdrm_TH2** The count of the number of this particular object type present on this device. - - -### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd - -Represents the basic metadata about specific application files installed on the system. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file that is generating the events. -- **AvDisplayName** If the app is an anti-virus app, this is its display name. -- **CompatModelIndex** The compatibility prediction for this file. -- **HasCitData** Indicates whether the file is present in CIT data. -- **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file. -- **IsAv** Is the file an anti-virus reporting EXE? -- **ResolveAttempted** This will always be an empty string when sending telemetry. -- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. - - -### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove - -This event indicates that the DatasourceApplicationFile object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync - -This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd - -This event sends compatibility data for a Plug and Play device, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **ActiveNetworkConnection** Indicates whether the device is an active network device. -- **AppraiserVersion** The version of the appraiser file generating the events. -- **CosDeviceRating** An enumeration that indicates if there is a driver on the target operating system. -- **CosDeviceSolution** An enumeration that indicates how a driver on the target operating system is available. -- **CosDeviceSolutionUrl** Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd . Empty string -- **CosPopulatedFromId** The expected uplevel driver matching ID based on driver coverage data. -- **IsBootCritical** Indicates whether the device boot is critical. -- **UplevelInboxDriver** Indicates whether there is a driver uplevel for this device. -- **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update. -- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver. -- **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update. - - -### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove - -This event indicates that the DatasourceDevicePnp object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync - -This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd - -This event sends compatibility database data about driver packages to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync - -This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd - -This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove - -This event indicates that the DataSourceMatchingInfoBlock object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync - -This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd - -This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove - -This event indicates that the DataSourceMatchingInfoPassive object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync - -This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd - -This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove - -This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync - -This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd - -This event sends compatibility database information about the BIOS to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove - -This event indicates that the DatasourceSystemBios object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync - -This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd - -This event sends compatibility decision data about a file to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file that is generating the events. -- **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. -- **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question. -- **DisplayGenericMessage** Will be a generic message be shown for this file? -- **DisplayGenericMessageGated** Indicates whether a generic message be shown for this file. -- **HardBlock** This file is blocked in the SDB. -- **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? -- **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode? -- **MigRemoval** Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade? -- **NeedsDismissAction** Will the file cause an action that can be dimissed? -- **NeedsInstallPostUpgradeData** After upgrade, the file will have a post-upgrade notification to install a replacement for the app. -- **NeedsNotifyPostUpgradeData** Does the file have a notification that should be shown after upgrade? -- **NeedsReinstallPostUpgradeData** After upgrade, this file will have a post-upgrade notification to reinstall the app. -- **NeedsUninstallAction** The file must be uninstalled to complete the upgrade. -- **SdbBlockUpgrade** The file is tagged as blocking upgrade in the SDB, -- **SdbBlockUpgradeCanReinstall** The file is tagged as blocking upgrade in the SDB. It can be reinstalled after upgrade. -- **SdbBlockUpgradeUntilUpdate** The file is tagged as blocking upgrade in the SDB. If the app is updated, the upgrade can proceed. -- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not block upgrade. -- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade. -- **SoftBlock** The file is softblocked in the SDB and has a warning. - - -### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove - -This event indicates Indicates that the DecisionApplicationFile object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync - -This event indicates that a new set of DecisionApplicationFileAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd - -This event sends compatibility decision data about a PNP device to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. -- **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked? -- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate? -- **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked? -- **BlockingDevice** Is this PNP device blocking upgrade? -- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS? -- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device? -- **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device? -- **DisplayGenericMessageGated** Indicates whether a generic message will be shown during Setup for this PNP device. -- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device? -- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? -- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device? -- **DriverBlockOverridden** Is there is a driver block on the device that has been overridden? -- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device? -- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS? -- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade? -- **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden? - - -### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove - -This event indicates that the DecisionDevicePnp object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync - -The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd - -This event sends decision data about driver package compatibility to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. -- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for this driver package. -- **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? -- **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block? -- **DriverIsDriverBlocked** Is the driver package blocked because of a driver block? -- **DriverIsTroubleshooterBlocked** Indicates whether the driver package is blocked because of a troubleshooter block. -- **DriverShouldNotMigrate** Should the driver package be migrated during upgrade? -- **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? - - -### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove - -This event indicates that the DecisionDriverPackage object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync - -This event indicates that a new set of DecisionDriverPackageAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd - -This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. -- **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks? -- **DisplayGenericMessage** Will a generic message be shown for this block? -- **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block? -- **SdbBlockUpgrade** Is a matching info block blocking upgrade? -- **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag? -- **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag? - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove - -This event indicates that the DecisionMatchingInfoBlock object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync - -This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd - -This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks? -- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown due to matching info blocks. -- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove - -This event Indicates that the DecisionMatchingInfoPassive object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync - -This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd - -This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app? -- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade? -- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app? -- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade). - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove - -This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync - -This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd - -This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **BlockingApplication** Is there any application issues that interfere with upgrade due to Windows Media Center? -- **MediaCenterActivelyUsed** If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true? -- **MediaCenterIndicators** Do any indicators imply that Windows Media Center is in active use? -- **MediaCenterInUse** Is Windows Media Center actively being used? -- **MediaCenterPaidOrActivelyUsed** Is Windows Media Center actively being used or is it running on a supported edition? -- **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center? - - -### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove - -This event indicates that the DecisionMediaCenter object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync - -This event indicates that a new set of DecisionMediaCenterAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd - -This event sends compatibility decision data about the BIOS to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the device blocked from upgrade due to a BIOS block? -- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for the bios. -- **HasBiosBlock** Does the device have a BIOS block? - - -### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove - -This event indicates that the DecisionSystemBios object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync - -This event indicates that a new set of DecisionSystemBiosAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.GatedRegChange - -This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date. - -The following fields are available: - -- **NewData** The data in the registry value after the scan completed. -- **OldData** The previous data in the registry value before the scan ran. -- **PCFP** An ID for the system calculated by hashing hardware identifiers. -- **RegKey** The registry key name for which a result is being sent. -- **RegValue** The registry value for which a result is being sent. -- **Time** The client time of the event. - - -### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd - -This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **AvDisplayName** If the app is an antivirus app, this is its display name. -- **AvProductState** Indicates whether the antivirus program is turned on and the signatures are up to date. -- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64. -- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. -- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. -- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata. -- **CompanyName** The company name of the vendor who developed this file. -- **FileId** A hash that uniquely identifies a file. -- **FileVersion** The File version field from the file metadata under Properties -> Details. -- **HasUpgradeExe** Indicates whether the antivirus app has an upgrade.exe file. -- **IsAv** Indicates whether the file an antivirus reporting EXE. -- **LinkDate** The date and time that this file was linked on. -- **LowerCaseLongPath** The full file path to the file that was inventoried on the device. -- **Name** The name of the file that was inventoried. -- **ProductName** The Product name field from the file metadata under Properties -> Details. -- **ProductVersion** The Product version field from the file metadata under Properties -> Details. -- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it. -- **Size** The size of the file (in hexadecimal bytes). - - -### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove - -This event indicates that the InventoryApplicationFile object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync - -This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd - -This event sends data about the number of language packs installed on the system, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **HasLanguagePack** Indicates whether this device has 2 or more language packs. -- **LanguagePackCount** The number of language packs are installed. - - -### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove - -This event indicates that the InventoryLanguagePack object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync - -This event indicates that a new set of InventoryLanguagePackAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd - -This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **EverLaunched** Has Windows Media Center ever been launched? -- **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center? -- **HasExtendedUserAccounts** Are any Windows Media Center Extender user accounts configured? -- **HasWatchedFolders** Are any folders configured for Windows Media Center to watch? -- **IsDefaultLauncher** Is Windows Media Center the default app for opening music or video files? -- **IsPaid** Is the user running a Windows Media Center edition that implies they paid for Windows Media Center? -- **IsSupported** Does the running OS support Windows Media Center? - - -### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove - -This event indicates that the InventoryMediaCenter object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync - -This event indicates that a new set of InventoryMediaCenterAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd - -This event sends basic metadata about the BIOS to determine whether it has a compatibility block. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **biosDate** The release date of the BIOS in UTC format. -- **BiosDate** The release date of the BIOS in UTC format. -- **biosName** The name field from Win32_BIOS. -- **BiosName** The name field from Win32_BIOS. -- **manufacturer** The manufacturer field from Win32_ComputerSystem. -- **Manufacturer** The manufacturer field from Win32_ComputerSystem. -- **model** The model field from Win32_ComputerSystem. -- **Model** The model field from Win32_ComputerSystem. - - -### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove - -This event indicates that the InventorySystemBios object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync - -This event indicates that a new set of InventorySystemBiosAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd - -This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **BootCritical** Is the driver package marked as boot critical? -- **Build** The build value from the driver package. -- **CatalogFile** The name of the catalog file within the driver package. -- **Class** The device class from the driver package. -- **ClassGuid** The device class unique ID from the driver package. -- **Date** The date from the driver package. -- **Inbox** Is the driver package of a driver that is included with Windows? -- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU. -- **Provider** The provider of the driver package. -- **PublishedName** The name of the INF file after it was renamed. -- **Revision** The revision of the driver package. -- **SignatureStatus** Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2. -- **VersionMajor** The major version of the driver package. -- **VersionMinor** The minor version of the driver package. - - -### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove - -This event indicates that the InventoryUplevelDriverPackage object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync - -This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.RunContext - -This event indicates what should be expected in the data payload. - -The following fields are available: - -- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built. -- **AppraiserProcess** The name of the process that launched Appraiser. -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **CensusId** A unique hardware identifier. -- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry. -- **PCFP** An ID for the system calculated by hashing hardware identifiers. -- **Subcontext** Indicates what categories of incompatibilities appraiser is scanning for. Can be N/A, Resolve, or a semicolon-delimited list that can include App, Dev, Sys, Gat, or Rescan. -- **Time** The client time of the event. - - -### Microsoft.Windows.Appraiser.General.SystemMemoryAdd - -This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the device from upgrade due to memory restrictions? -- **MemoryRequirementViolated** Was a memory requirement violated? -- **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes). -- **ram** The amount of memory on the device. -- **ramKB** The amount of memory (in KB). -- **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes). -- **virtualKB** The amount of virtual memory (in KB). - - -### Microsoft.Windows.Appraiser.General.SystemMemoryRemove - -This event that the SystemMemory object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync - -This event indicates that a new set of SystemMemoryAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd - -This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **CompareExchange128Support** Does the CPU support CompareExchange128? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove - -This event indicates that the SystemProcessorCompareExchange object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync - -This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd - -This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **LahfSahfSupport** Does the CPU support LAHF/SAHF? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove - -This event indicates that the SystemProcessorLahfSahf object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync - -This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd - -This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support. -- **NXProcessorSupport** Does the processor support NX? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove - -This event indicates that the SystemProcessorNx object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync - -This event indicates that a new set of SystemProcessorNxAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd - -This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **PrefetchWSupport** Does the processor support PrefetchW? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove - -This event indicates that the SystemProcessorPrefetchW object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync - -This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add - -This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **SSE2ProcessorSupport** Does the processor support SSE2? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove - -This event indicates that the SystemProcessorSse2 object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync - -This event indicates that a new set of SystemProcessorSse2Add events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemTouchAdd - -This event sends data indicating whether the system supports touch, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer? -- **MaximumTouches** The maximum number of touch points supported by the device hardware. - - -### Microsoft.Windows.Appraiser.General.SystemTouchRemove - -This event indicates that the SystemTouch object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemTouchStartSync - -This event indicates that a new set of SystemTouchAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWimAdd - -This event sends data indicating whether the operating system is running from a compressed Windows Imaging Format (WIM) file, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **IsWimBoot** Is the current operating system running from a compressed WIM file? -- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM. - - -### Microsoft.Windows.Appraiser.General.SystemWimRemove - -This event indicates that the SystemWim object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWimStartSync - -This event indicates that a new set of SystemWimAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd - -This event sends data indicating whether the current operating system is activated, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated. -- **WindowsNotActivatedDecision** Is the current operating system activated? - - -### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove - -This event indicates that the SystemWindowsActivationStatus object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync - -This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWlanAdd - -This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked because of an emulated WLAN driver? -- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block? -- **WlanEmulatedDriver** Does the device have an emulated WLAN driver? -- **WlanExists** Does the device support WLAN at all? -- **WlanModulePresent** Are any WLAN modules present? -- **WlanNativeDriver** Does the device have a non-emulated WLAN driver? - - -### Microsoft.Windows.Appraiser.General.SystemWlanRemove - -This event indicates that the SystemWlan object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWlanStartSync - -This event indicates that a new set of SystemWlanAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.TelemetryRunHealth - -This event indicates the parameters and result of a telemetry (diagnostic) run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date. - -The following fields are available: - -- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built. -- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run. -- **AppraiserProcess** The name of the process that launched Appraiser. -- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots. -- **AuxFinal** Obsolete, always set to false. -- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app. -- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan. -- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. -- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent. -- **InboxDataVersion** The original version of the data files before retrieving any newer version. -- **IndicatorsWritten** Indicates if all relevant UEX indicators were successfully written or updated. -- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent. -- **PCFP** An ID for the system calculated by hashing hardware identifiers. -- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. -- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. -- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. -- **RunDate** The date that the telemetry run was stated, expressed as a filetime. -- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic. -- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. -- **RunResult** The hresult of the Appraiser telemetry run. -- **ScheduledUploadDay** The day scheduled for the upload. -- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run. -- **StoreHandleIsNotNull** Obsolete, always set to false -- **TelementrySent** Indicates if telemetry was successfully sent. -- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability. -- **Time** The client time of the event. -- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging. -- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated. - - -### Microsoft.Windows.Appraiser.General.WmdrmAdd - -This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **BlockingApplication** Same as NeedsDismissAction. -- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation. -- **WmdrmApiResult** Raw value of the API used to gather DRM state. -- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs. -- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased. -- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed. -- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses. -- **WmdrmPurchased** Indicates if the system has any files with permanent licenses. - - -### Microsoft.Windows.Appraiser.General.WmdrmRemove - -This event indicates that the Wmdrm object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.WmdrmStartSync - -This event indicates that a new set of WmdrmAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -## Census events - -### Census.App - -Provides information on IE and Census versions running on the device - -The following fields are available: - -- **AppraiserEnterpriseErrorCode** The error code of the last Appraiser enterprise run. -- **AppraiserErrorCode** The error code of the last Appraiser run. -- **AppraiserRunEndTimeStamp** The end time of the last Appraiser run. -- **AppraiserRunIsInProgressOrCrashed** Flag that indicates if the Appraiser run is in progress or has crashed. -- **AppraiserRunStartTimeStamp** The start time of the last Appraiser run. -- **AppraiserTaskEnabled** Whether the Appraiser task is enabled. -- **AppraiserTaskExitCode** The Appraiser task exist code. -- **AppraiserTaskLastRun** The last runtime for the Appraiser task. -- **CensusVersion** The version of Census that generated the current data for this device. -- **IEVersion** The version of Internet Explorer that is running on the device. - - -### Census.Battery - -This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date. - -The following fields are available: - -- **InternalBatteryCapablities** Represents information about what the battery is capable of doing. -- **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity  to estimate the battery's wear. -- **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh. -- **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance. -- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value. - - -### Census.Camera - -This event sends data about the resolution of cameras on the device, to help keep Windows up to date. - -The following fields are available: - -- **FrontFacingCameraResolution** Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0. -- **RearFacingCameraResolution** Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0. - - -### Census.Enterprise - -This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment. - -The following fields are available: - -- **AADDeviceId** Azure Active Directory device ID. -- **AzureOSIDPresent** Represents the field used to identify an Azure machine. -- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs. -- **CDJType** Represents the type of cloud domain joined for the machine. -- **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers. -- **ContainerType** The type of container, such as process or virtual machine hosted. -- **EnrollmentType** Defines the type of MDM enrollment on the device. -- **HashedDomain** The hashed representation of the user domain used for login. -- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false -- **IsDERequirementMet** Represents if the device can do device encryption. -- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption -- **IsDomainJoined** Indicates whether a machine is joined to a domain. -- **IsEDPEnabled** Represents if Enterprise data protected on the device. -- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. -- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID -- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment. -- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. -- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier - - -### Census.Firmware - -This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date. - -The following fields are available: - -- **FirmwareManufacturer** Represents the manufacturer of the device's firmware (BIOS). -- **FirmwareReleaseDate** Represents the date the current firmware was released. -- **FirmwareType** Represents the firmware type. The various types can be unknown, BIOS, UEFI. -- **FirmwareVersion** Represents the version of the current firmware. - - -### Census.Flighting - -This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up to date. - -The following fields are available: - -- **DeviceSampleRate** The telemetry sample rate assigned to the device. -- **EnablePreviewBuilds** Used to enable Windows Insider builds on a device. -- **FlightIds** A list of the different Windows Insider builds on this device. -- **FlightingBranchName** The name of the Windows Insider branch currently used by the device. -- **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program. -- **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device. -- **SSRK** Retrieves the mobile targeting settings. - - -### Census.Hardware - -This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up to date. - -The following fields are available: - -- **ActiveMicCount** The number of active microphones attached to the device. -- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36. -- **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields. -- **D3DMaxFeatureLevel** Supported Direct3D version. -- **DeviceColor** Indicates a color of the device. -- **DeviceForm** Indicates the form as per the device classification. -- **DeviceName** The device name that is set by the user. -- **DigitizerSupport** Is a digitizer supported? -- **DUID** The device unique ID. -- **Gyroscope** Indicates whether the device has a gyroscope (a mechanical component that measures and maintains orientation). -- **InventoryId** The device ID used for compatibility testing. -- **Magnetometer** Indicates whether the device has a magnetometer (a mechanical component that works like a compass). -- **NFCProximity** Indicates whether the device supports NFC (a set of communication protocols that helps establish communication when applicable devices are brought close together.) -- **OEMDigitalMarkerFileName** The name of the file placed in the \Windows\system32\drivers directory that specifies the OEM and model name of the device. -- **OEMManufacturerName** The device manufacturer name. The OEMName for an inactive device is not reprocessed even if the clean OEM name is changed at a later date. -- **OEMModelBaseBoard** The baseboard model used by the OEM. -- **OEMModelBaseBoardVersion** Differentiates between developer and retail devices. -- **OEMModelName** The device model name. -- **OEMModelNumber** The device model number. -- **OEMModelSKU** The device edition that is defined by the manufacturer. -- **OEMModelSystemFamily** The system family set on the device by an OEM. -- **OEMModelSystemVersion** The system model version set on the device by the OEM. -- **OEMOptionalIdentifier** A Microsoft assigned value that represents a specific OEM subsidiary. -- **OEMSerialNumber** The serial number of the device that is set by the manufacturer. -- **PhoneManufacturer** The friendly name of the phone manufacturer. -- **PowerPlatformRole** The OEM preferred power management profile. It's used to help to identify the basic form factor of the device. -- **SoCName** The firmware manufacturer of the device. -- **StudyID** Used to identify retail and non-retail device. -- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced. -- **TelemetryLevelLimitEnhanced** The telemetry level for Windows Analytics-based solutions. -- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user. -- **TPMManufacturerId** The ID of the TPM manufacturer. -- **TPMManufacturerVersion** The version of the TPM manufacturer. -- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0. -- **VoiceSupported** Does the device have a cellular radio capable of making voice calls? - - -### Census.Memory - -This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to date. - -The following fields are available: - -- **TotalPhysicalRAM** Represents the physical memory (in MB). -- **TotalVisibleMemory** Represents the memory that is not reserved by the system. - - -### Census.Network - -This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors), to help keep Windows up to date. - -The following fields are available: - -- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. -- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. -- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MEID** Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. -- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MobileOperatorBilling** Represents the telephone company that provides services for mobile phone users. -- **MobileOperatorCommercialized** Represents which reseller and geography the phone is commercialized for. This is the set of values on the phone for who and where it was intended to be used. For example, the commercialized mobile operator code AT&T in the US would be ATT-US. -- **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. -- **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. -- **NetworkAdapterGUID** The GUID of the primary network adapter. -- **NetworkCost** Represents the network cost associated with a connection. -- **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. -- **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. - - -### Census.OS - -This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date. - -The following fields are available: - -- **ActivationChannel** Retrieves the retail license key or Volume license key for a machine. -- **AssignedAccessStatus** Kiosk configuration mode. -- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled. -- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy. -- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time -- **GenuineState** Retrieves the ID Value specifying the OS Genuine check. -- **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update). -- **InstallLanguage** The first language installed on the user machine. -- **IsDeviceRetailDemo** Retrieves if the device is running in demo mode. -- **IsEduData** Returns Boolean if the education data policy is enabled. -- **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go -- **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI. -- **LanguagePacks** The list of language packages installed on the device. -- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store. -- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. -- **OSEdition** Retrieves the version of the current OS. -- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc -- **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). -- **OSSKU** Retrieves the Friendly Name of OS Edition. -- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. -- **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines. -- **OSTimeZoneBiasInMins** Retrieves the time zone set on machine. -- **OSUILocale** Retrieves the locale of the UI that is currently used by the OS. -- **ProductActivationResult** Returns Boolean if the OS Activation was successful. -- **ProductActivationTime** Returns the OS Activation time for tracking piracy issues. -- **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key. -- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability. -- **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. -- **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. -- **ServiceProductKeyID** Retrieves the License key of the KMS -- **SharedPCMode** Returns Boolean for education devices used as shared cart -- **Signature** Retrieves if it is a signature machine sold by Microsoft store. -- **SLICStatus** Whether a SLIC table exists on the device. -- **SLICVersion** Returns OS type/version from SLIC table. - - -### Census.PrivacySettings - -This event provides information about the device level privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represent the authority that set the value. The effective consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. - -The following fields are available: - -- **Activity** Current state of the activity history setting. -- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. -- **ActivityHistoryCollection** Current state of the activity history collection setting. -- **AdvertisingId** Current state of the advertising ID setting. -- **AppDiagnostics** Current state of the app diagnostics setting. -- **Appointments** Current state of the calendar setting. -- **Bluetooth** Current state of the Bluetooth capability setting. -- **BluetoothSync** Current state of the Bluetooth sync capability setting. -- **BroadFileSystemAccess** Current state of the broad file system access setting. -- **CellularData** Current state of the cellular data capability setting. -- **Chat** Current state of the chat setting. -- **Contacts** Current state of the contacts setting. -- **DocumentsLibrary** Current state of the documents library setting. -- **Email** Current state of the email setting. -- **FindMyDevice** Current state of the "find my device" setting. -- **GazeInput** Current state of the gaze input setting. -- **HumanInterfaceDevice** Current state of the human interface device setting. -- **InkTypeImprovement** Current state of the improve inking and typing setting. -- **Location** Current state of the location setting. -- **LocationHistory** Current state of the location history setting. -- **LocationHistoryCloudSync** Current state of the location history cloud sync setting. -- **LocationHistoryOnTimeline** Current state of the location history on timeline setting. -- **Microphone** Current state of the microphone setting. -- **PhoneCall** Current state of the phone call setting. -- **PhoneCallHistory** Current state of the call history setting. -- **PicturesLibrary** Current state of the pictures library setting. -- **Radios** Current state of the radios setting. -- **SensorsCustom** Current state of the custom sensor setting. -- **SerialCommunication** Current state of the serial communication setting. -- **Sms** Current state of the text messaging setting. -- **SpeechPersonalization** Current state of the speech services setting. -- **USB** Current state of the USB setting. -- **UserAccountInformation** Current state of the account information setting. -- **UserDataTasks** Current state of the tasks setting. -- **UserNotificationListener** Current state of the notifications setting. -- **VideosLibrary** Current state of the videos library setting. -- **Webcam** Current state of the camera setting. -- **WiFiDirect** Current state of the Wi-Fi direct setting. - - -### Census.Processor - -Provides information on several important data points about Processor settings - -The following fields are available: - -- **KvaShadow** This is the micro code information of the processor. -- **MMSettingOverride** Microcode setting of the processor. -- **MMSettingOverrideMask** Microcode setting override of the processor. -- **PreviousUpdateRevision** Previous microcode revision -- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. -- **ProcessorClockSpeed** Clock speed of the processor in MHz. -- **ProcessorCores** Number of logical cores in the processor. -- **ProcessorIdentifier** Processor Identifier of a manufacturer. -- **ProcessorManufacturer** Name of the processor manufacturer. -- **ProcessorModel** Name of the processor model. -- **ProcessorPhysicalCores** Number of physical cores in the processor. -- **ProcessorUpdateRevision** The microcode revision. -- **ProcessorUpdateStatus** Enum value that represents the processor microcode load status -- **SocketCount** Count of CPU sockets. -- **SpeculationControl** Indicates whether the system has enabled protections needed to validate the speculation control vulnerability. - - -### Census.Security - -This event provides information on about security settings used to help keep Windows up to date and secure. - -The following fields are available: - -- **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard. -- **CGRunning** Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. This field tells if Credential Guard is running. -- **DGState** This field summarizes the Device Guard state. -- **HVCIRunning** Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all software running in kernel mode to safely allocate memory. This field tells if HVCI is running. -- **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest. -- **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host. -- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security. -- **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting. -- **SModeState** The Windows S mode trail state. -- **VBSState** Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled, Enabled, or Running. - - -### Census.Speech - -This event is used to gather basic speech settings on the device. - -The following fields are available: - -- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked. -- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities. -- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user. -- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. -- **KeyVer** Version information for the census speech event. -- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS). -- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. -- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities. -- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice. -- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device. -- **SpeechServicesValueSource** Indicates the deciding factor for the effective online speech recognition privacy policy settings: remote admin, local admin, or user preference. - - -### Census.Storage - -This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date. - -The following fields are available: - -- **PrimaryDiskTotalCapacity** Retrieves the amount of disk space on the primary disk of the device in MB. -- **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any). -- **StorageReservePassedPolicy** Indicates whether the Storage Reserve policy, which ensures that updates have enough disk space and customers are on the latest OS, is enabled on this device. -- **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB. - - -### Census.Userdefault - -This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date. - -The following fields are available: - -- **CalendarType** The calendar identifiers that are used to specify different calendars. -- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. -- **DefaultBrowserProgId** The ProgramId of the current user's default browser. -- **LongDateFormat** The long date format the user has selected. -- **ShortDateFormat** The short date format the user has selected. - - -### Census.UserDisplay - -This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date. - -The following fields are available: - -- **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display. -- **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display. -- **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display. -- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display. -- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display. -- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display. -- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches . -- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches -- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine -- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine. -- **VRAMDedicated** Retrieves the video RAM in MB. -- **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card. -- **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use. - - -### Census.UserNLS - -This event sends data about the default app language, input, and display language preferences set by the user, to help keep Windows up to date. - -The following fields are available: - -- **DefaultAppLanguage** The current user Default App Language. -- **DisplayLanguage** The current user preferred Windows Display Language. -- **HomeLocation** The current user location, which is populated using GetUserGeoId() function. -- **KeyboardInputLanguages** The Keyboard input languages installed on the device. -- **SpeechInputLanguages** The Speech Input languages installed on the device. - - -### Census.UserPrivacySettings - -This event provides information about the current users privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represents the authority that set the value. The effective consent is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = user, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. - -The following fields are available: - -- **Activity** Current state of the activity history setting. -- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. -- **ActivityHistoryCollection** Current state of the activity history collection setting. -- **AdvertisingId** Current state of the advertising ID setting. -- **AppDiagnostics** Current state of the app diagnostics setting. -- **Appointments** Current state of the calendar setting. -- **Bluetooth** Current state of the Bluetooth capability setting. -- **BluetoothSync** Current state of the Bluetooth sync capability setting. -- **BroadFileSystemAccess** Current state of the broad file system access setting. -- **CellularData** Current state of the cellular data capability setting. -- **Chat** Current state of the chat setting. -- **Contacts** Current state of the contacts setting. -- **DocumentsLibrary** Current state of the documents library setting. -- **Email** Current state of the email setting. -- **GazeInput** Current state of the gaze input setting. -- **HumanInterfaceDevice** Current state of the human interface device setting. -- **InkTypeImprovement** Current state of the improve inking and typing setting. -- **InkTypePersonalization** Current state of the inking and typing personalization setting. -- **Location** Current state of the location setting. -- **LocationHistory** Current state of the location history setting. -- **LocationHistoryCloudSync** Current state of the location history cloud synchronization setting. -- **LocationHistoryOnTimeline** Current state of the location history on timeline setting. -- **Microphone** Current state of the microphone setting. -- **PhoneCall** Current state of the phone call setting. -- **PhoneCallHistory** Current state of the call history setting. -- **PicturesLibrary** Current state of the pictures library setting. -- **Radios** Current state of the radios setting. -- **SensorsCustom** Current state of the custom sensor setting. -- **SerialCommunication** Current state of the serial communication setting. -- **Sms** Current state of the text messaging setting. -- **SpeechPersonalization** Current state of the speech services setting. -- **USB** Current state of the USB setting. -- **UserAccountInformation** Current state of the account information setting. -- **UserDataTasks** Current state of the tasks setting. -- **UserNotificationListener** Current state of the notifications setting. -- **VideosLibrary** Current state of the videos library setting. -- **Webcam** Current state of the camera setting. -- **WiFiDirect** Current state of the Wi-Fi direct setting. - - -### Census.VM - -This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date. - -The following fields are available: - -- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within. -- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor. -- **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present. -- **IsVDI** Is the device using Virtual Desktop Infrastructure? -- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors. -- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware. -- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware. - - -### Census.WU - -This event sends data about the Windows update server and other App store policies, to help keep Windows up to date. - -The following fields are available: - -- **AppraiserGatedStatus** Indicates whether a device has been gated for upgrading. -- **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled). -- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured -- **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting -- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades. -- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it? -- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update? -- **OSAssessmentForQualityUpdate** Is the device on the latest quality update? -- **OSAssessmentForSecurityUpdate** Is the device on the latest security update? -- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it? -- **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment. -- **OSRollbackCount** The number of times feature updates have rolled back on the device. -- **OSRolledBack** A flag that represents when a feature update has rolled back during setup. -- **OSUninstalled** A flag that represents when a feature update is uninstalled on a device . -- **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device. -- **OSWUAutoUpdateOptionsSource** The source of auto update setting that appears in the OSWUAutoUpdateOptions field. For example: Group Policy (GP), Mobile Device Management (MDM), and Default. -- **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently. -- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). -- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. -- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. -- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. -- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. -- **WUPauseState** Retrieves WU setting to determine if updates are paused. -- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). - - -### Census.Xbox - -This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date. - -The following fields are available: - -- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console. -- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console. -- **XboxLiveDeviceId** Retrieves the unique device ID of the console. -- **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft. - - -## Common data extensions - -### Common Data Extensions.app - -Describes the properties of the running application. This extension could be populated by a client app or a web app. - -The following fields are available: - -- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session. -- **env** The environment from which the event was logged. -- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event. -- **id** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application. -- **locale** The locale of the app. -- **name** The name of the app. -- **userId** The userID as known by the application. -- **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app. - - -### Common Data Extensions.container - -Describes the properties of the container for events logged within a container. - -The following fields are available: - -- **epoch** An ID that's incremented for each SDK initialization. -- **localId** The device ID as known by the client. -- **osVer** The operating system version. -- **seq** An ID that's incremented for each event. -- **type** The container type. Examples: Process or VMHost - - -### Common Data Extensions.cs - -Describes properties related to the schema of the event. - -The following fields are available: - -- **sig** A common schema signature that identifies new and modified event schemas. - - -### Common Data Extensions.device - -Describes the device-related fields. - -The following fields are available: - -- **deviceClass** The device classification. For example, Desktop, Server, or Mobile. -- **localId** A locally-defined unique ID for the device. This is not the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId -- **make** Device manufacturer. -- **model** Device model. - - -### Common Data Extensions.Envelope - -Represents an envelope that contains all of the common data extensions. - -The following fields are available: - -- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries. -- **data** Represents the optional unique diagnostic data for a particular event schema. -- **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp). -- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer). -- **ext_cs** Describes properties related to the schema of the event. See [Common Data Extensions.cs](#common-data-extensionscs). -- **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice). -- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos). -- **ext_receipts** Describes the fields related to time as provided by the client for debugging purposes. See [Common Data Extensions.receipts](#common-data-extensionsreceipts). -- **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk). -- **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser). -- **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc). -- **ext_xbl** Describes the fields related to XBOX Live. See [Common Data Extensions.xbl](#common-data-extensionsxbl). -- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency. -- **iKey** Represents an ID for applications or other logical groupings of events. -- **name** Represents the uniquely qualified name for the event. -- **popSample** Represents the effective sample rate for this event at the time it was generated by a client. -- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format. -- **ver** Represents the major and minor version of the extension. - - -### Common Data Extensions.os - -Describes some properties of the operating system. - -The following fields are available: - -- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot. -- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema. -- **locale** Represents the locale of the operating system. -- **name** Represents the operating system name. -- **ver** Represents the major and minor version of the extension. - - -### Common Data Extensions.receipts - -Represents various time information as provided by the client and helps for debugging purposes. - -The following fields are available: - -- **originalTime** The original event time. -- **uploadTime** The time the event was uploaded. - - -### Common Data Extensions.sdk - -Used by platform specific libraries to record fields that are required for a specific SDK. - -The following fields are available: - -- **epoch** An ID that is incremented for each SDK initialization. -- **installId** An ID that's created during the initialization of the SDK for the first time. -- **libVer** The SDK version. -- **seq** An ID that is incremented for each event. - - -### Common Data Extensions.user - -Describes the fields related to a user. - -The following fields are available: - -- **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token. -- **locale** The language and region. -- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID. - - -### Common Data Extensions.utc - -Describes the properties that could be populated by a logging library on Windows. - -The following fields are available: - -- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW. -- **bSeq** Upload buffer sequence number in the format: buffer identifier:sequence number -- **cat** Represents a bitmask of the ETW Keywords associated with the event. -- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer. -- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server. -- **flags** Represents the bitmap that captures various Windows specific flags. -- **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence -- **op** Represents the ETW Op Code. -- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. -- **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server. -- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. - - -### Common Data Extensions.xbl - -Describes the fields that are related to XBOX Live. - -The following fields are available: - -- **claims** Any additional claims whose short claim name hasn't been added to this structure. -- **did** XBOX device ID -- **dty** XBOX device type -- **dvr** The version of the operating system on the device. -- **eid** A unique ID that represents the developer entity. -- **exp** Expiration time -- **ip** The IP address of the client device. -- **nbf** Not before time -- **pid** A comma separated list of PUIDs listed as base10 numbers. -- **sbx** XBOX sandbox identifier -- **sid** The service instance ID. -- **sty** The service type. -- **tid** The XBOX Live title ID. -- **tvr** The XBOX Live title version. -- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. -- **xid** A list of base10-encoded XBOX User IDs. - - -## Common data fields - -### Ms.Device.DeviceInventoryChange - -Describes the installation state for all hardware and software components available on a particular device. - -The following fields are available: - -- **action** The change that was invoked on a device inventory object. -- **inventoryId** Device ID used for Compatibility testing -- **objectInstanceId** Object identity which is unique within the device scope. -- **objectType** Indicates the object type that the event applies to. -- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. - - -## Compatibility events - -### Microsoft.Windows.Compatibility.Apphelp.SdbFix - -Product instrumentation for helping debug/troubleshoot issues with inbox compatibility components. - -The following fields are available: - -- **AppName** Name of the application impacted by SDB. -- **FixID** SDB GUID. -- **Flags** List of flags applied. -- **ImageName** Name of file. - - -## Component-based servicing events - -### CbsServicingProvider.CbsCapabilityEnumeration - -This event reports on the results of scanning for optional Windows content on Windows Update. - -The following fields are available: - -- **architecture** Indicates the scan was limited to the specified architecture. -- **capabilityCount** The number of optional content packages found during the scan. -- **clientId** The name of the application requesting the optional content. -- **duration** The amount of time it took to complete the scan. -- **hrStatus** The HReturn code of the scan. -- **language** Indicates the scan was limited to the specified language. -- **majorVersion** Indicates the scan was limited to the specified major version. -- **minorVersion** Indicates the scan was limited to the specified minor version. -- **namespace** Indicates the scan was limited to packages in the specified namespace. -- **sourceFilter** A bitmask indicating the scan checked for locally available optional content. -- **stackBuild** The build number of the servicing stack. -- **stackMajorVersion** The major version number of the servicing stack. -- **stackMinorVersion** The minor version number of the servicing stack. -- **stackRevision** The revision number of the servicing stack. - - -### CbsServicingProvider.CbsCapabilitySessionFinalize - -This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. - -The following fields are available: - -- **capabilities** The names of the optional content packages that were installed. -- **clientId** The name of the application requesting the optional content. -- **currentID** The ID of the current install session. -- **downloadSource** The source of the download. -- **highestState** The highest final install state of the optional content. -- **hrLCUReservicingStatus** Indicates whether the optional content was updated to the latest available version. -- **hrStatus** The HReturn code of the install operation. -- **rebootCount** The number of reboots required to complete the install. -- **retryID** The session ID that will be used to retry a failed operation. -- **retryStatus** Indicates whether the install will be retried in the event of failure. -- **stackBuild** The build number of the servicing stack. -- **stackMajorVersion** The major version number of the servicing stack. -- **stackMinorVersion** The minor version number of the servicing stack. -- **stackRevision** The revision number of the servicing stack. - - -### CbsServicingProvider.CbsCapabilitySessionPended - -This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date. - -The following fields are available: - -- **clientId** The name of the application requesting the optional content. -- **pendingDecision** Indicates the cause of reboot, if applicable. - - -### CbsServicingProvider.CbsLateAcquisition - -This event sends data to indicate if some Operating System packages could not be updated as part of an upgrade, to help keep Windows up to date. - -The following fields are available: - -- **Features** The list of feature packages that could not be updated. -- **RetryID** The ID identifying the retry attempt to update the listed packages. - - -### CbsServicingProvider.CbsPackageRemoval - -This event provides information about the results of uninstalling a Windows Cumulative Security Update to help keep Windows up to date. - -The following fields are available: - -- **buildVersion** The build number of the security update being uninstalled. -- **clientId** The name of the application requesting the uninstall. -- **currentStateEnd** The final state of the update after the operation. -- **failureDetails** Information about the cause of a failure, if applicable. -- **failureSourceEnd** The stage during the uninstall where the failure occurred. -- **hrStatusEnd** The overall exit code of the operation. -- **initiatedOffline** Indicates if the uninstall was initiated for a mounted Windows image. -- **majorVersion** The major version number of the security update being uninstalled. -- **minorVersion** The minor version number of the security update being uninstalled. -- **originalState** The starting state of the update before the operation. -- **pendingDecision** Indicates the cause of reboot, if applicable. -- **primitiveExecutionContext** The state during system startup when the uninstall was completed. -- **revisionVersion** The revision number of the security update being uninstalled. -- **transactionCanceled** Indicates whether the uninstall was cancelled. - - -### CbsServicingProvider.CbsQualityUpdateInstall - -This event reports on the performance and reliability results of installing Servicing content from Windows Update to keep Windows up to date. - -The following fields are available: - -- **buildVersion** The build version number of the update package. -- **clientId** The name of the application requesting the optional content. -- **corruptionHistoryFlags** A bitmask of the types of component store corruption that have caused update failures on the device. -- **corruptionType** An enumeration listing the type of data corruption responsible for the current update failure. -- **currentStateEnd** The final state of the package after the operation has completed. -- **doqTimeSeconds** The time in seconds spent updating drivers. -- **executeTimeSeconds** The number of seconds required to execute the install. -- **failureDetails** The driver or installer that caused the update to fail. -- **failureSourceEnd** An enumeration indicating at what phase of the update a failure occurred. -- **hrStatusEnd** The return code of the install operation. -- **initiatedOffline** A true or false value indicating whether the package was installed into an offline Windows Imaging Format (WIM) file. -- **majorVersion** The major version number of the update package. -- **minorVersion** The minor version number of the update package. -- **originalState** The starting state of the package. -- **overallTimeSeconds** The time (in seconds) to perform the overall servicing operation. -- **planTimeSeconds** The time in seconds required to plan the update operations. -- **poqTimeSeconds** The time in seconds processing file and registry operations. -- **postRebootTimeSeconds** The time (in seconds) to do startup processing for the update. -- **preRebootTimeSeconds** The time (in seconds) between execution of the installation and the reboot. -- **primitiveExecutionContext** An enumeration indicating at what phase of shutdown or startup the update was installed. -- **rebootCount** The number of reboots required to install the update. -- **rebootTimeSeconds** The time (in seconds) before startup processing begins for the update. -- **resolveTimeSeconds** The time in seconds required to resolve the packages that are part of the update. -- **revisionVersion** The revision version number of the update package. -- **rptTimeSeconds** The time in seconds spent executing installer plugins. -- **shutdownTimeSeconds** The time (in seconds) required to do shutdown processing for the update. -- **stackRevision** The revision number of the servicing stack. -- **stageTimeSeconds** The time (in seconds) required to stage all files that are part of the update. - - -## Deployment extensions - -### DeploymentTelemetry.Deployment_End - -This event indicates that a Deployment 360 API has completed. - -The following fields are available: - -- **ClientId** Client ID of the user utilizing the D360 API. -- **ErrorCode** Error code of action. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **Mode** Phase in upgrade. -- **RelatedCV** The correction vector (CV) of any other related events -- **Result** End result of the action. - - -### DeploymentTelemetry.Deployment_SetupBoxLaunch - -This event indicates that the Deployment 360 APIs have launched Setup Box. - -The following fields are available: - -- **ClientId** The client ID of the user utilizing the D360 API. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **Quiet** Whether Setup will run in quiet mode or full mode. -- **RelatedCV** The correlation vector (CV) of any other related events. -- **SetupMode** The current setup phase. - - -### DeploymentTelemetry.Deployment_SetupBoxResult - -This event indicates that the Deployment 360 APIs have received a return from Setup Box. - -The following fields are available: - -- **ClientId** Client ID of the user utilizing the D360 API. -- **ErrorCode** Error code of the action. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **Quiet** Indicates whether Setup will run in quiet mode or full mode. -- **RelatedCV** The correlation vector (CV) of any other related events. -- **SetupMode** The current Setup phase. - - -### DeploymentTelemetry.Deployment_Start - -This event indicates that a Deployment 360 API has been called. - -The following fields are available: - -- **ClientId** Client ID of the user utilizing the D360 API. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **Mode** The current phase of the upgrade. -- **RelatedCV** The correlation vector (CV) of any other related events. - - -## Diagnostic data events - -### TelClientSynthetic.AbnormalShutdown_0 - -This event sends data about boot IDs for which a normal clean shutdown was not observed, to help keep Windows up to date. - -The following fields are available: - -- **AbnormalShutdownBootId** BootId of the abnormal shutdown being reported by this event. -- **AcDcStateAtLastShutdown** Identifies if the device was on battery or plugged in. -- **BatteryLevelAtLastShutdown** The last recorded battery level. -- **BatteryPercentageAtLastShutdown** The battery percentage at the last shutdown. -- **CrashDumpEnabled** Indicates whether crash dumps are enabled. -- **CumulativeCrashCount** Cumulative count of operating system crashes since the BootId reset. -- **CurrentBootId** BootId at the time the abnormal shutdown event was being reported. -- **Firmwaredata->ResetReasonEmbeddedController** The reset reason that was supplied by the firmware. -- **Firmwaredata->ResetReasonEmbeddedControllerAdditional** Additional data related to reset reason provided by the firmware. -- **Firmwaredata->ResetReasonPch** The reset reason that was supplied by the hardware. -- **Firmwaredata->ResetReasonPchAdditional** Additional data related to the reset reason supplied by the hardware. -- **Firmwaredata->ResetReasonSupplied** Indicates whether the firmware supplied any reset reason or not. -- **FirmwareType** ID of the FirmwareType as enumerated in DimFirmwareType. -- **HardwareWatchdogTimerGeneratedLastReset** Indicates whether the hardware watchdog timer caused the last reset. -- **HardwareWatchdogTimerPresent** Indicates whether hardware watchdog timer was present or not. -- **LastBugCheckBootId** bootId of the last captured crash. -- **LastBugCheckCode** Code that indicates the type of error. -- **LastBugCheckContextFlags** Additional crash dump settings. -- **LastBugCheckOriginalDumpType** The type of crash dump the system intended to save. -- **LastBugCheckOtherSettings** Other crash dump settings. -- **LastBugCheckParameter1** The first parameter with additional info on the type of the error. -- **LastBugCheckProgress** Progress towards writing out the last crash dump. -- **LastBugCheckVersion** The version of the information struct written during the crash. -- **LastSuccessfullyShutdownBootId** BootId of the last fully successful shutdown. -- **LongPowerButtonPressDetected** Identifies if the user was pressing and holding power button. -- **OOBEInProgress** Identifies if the Out-Of-Box-Experience is running. -- **OSSetupInProgress** Identifies if the operating system setup is running. -- **PowerButtonCumulativePressCount** Indicates the number of times the power button has been pressed ("pressed" not to be confused with "released"). -- **PowerButtonCumulativeReleaseCount** Indicates the number of times the power button has been released ("released" not to be confused with "pressed"). -- **PowerButtonErrorCount** Indicates the number of times there was an error attempting to record Power Button metrics (e.g.: due to a failure to lock/update the bootstat file). -- **PowerButtonLastPressBootId** BootId of the last time the Power Button was detected to have been pressed ("pressed" not to be confused with "released"). -- **PowerButtonLastPressTime** Date/time of the last time the Power Button was pressed ("pressed" not to be confused with "released"). -- **PowerButtonLastReleaseBootId** The Boot ID of the last time the Power Button was released ("released" not to be confused with "pressed"). -- **PowerButtonLastReleaseTime** The date and time the Power Button was most recently released ("released" not to be confused with "pressed"). -- **PowerButtonPressCurrentCsPhase** Represents the phase of Connected Standby exit when the power button was pressed. -- **PowerButtonPressIsShutdownInProgress** Indicates whether a system shutdown was in progress at the last time the power button was pressed. -- **PowerButtonPressLastPowerWatchdogStage** The last stage completed when the Power Button was most recently pressed. -- **PowerButtonPressPowerWatchdogArmed** Indicates whether or not the watchdog for the monitor was active at the time of the last power button press. -- **ShutdownDeviceType** Identifies who triggered a shutdown. Is it because of battery, thermal zones, or through a Kernel API. -- **SleepCheckpoint** Provides the last checkpoint when there is a failure during a sleep transition. -- **SleepCheckpointSource** Indicates whether the source is the EFI variable or bootstat file. -- **SleepCheckpointStatus** Indicates whether the checkpoint information is valid. -- **StaleBootStatData** Identifies if the data from bootstat is stale. -- **TransitionInfoBootId** The Boot ID of the captured transition information. -- **TransitionInfoCSCount** The total number of times the system transitioned from "Connected Standby" mode to "On" when the last marker was saved. -- **TransitionInfoCSEntryReason** Indicates the reason the device last entered "Connected Standby" mode ("entered" not to be confused with "exited"). -- **TransitionInfoCSExitReason** Indicates the reason the device last exited "Connected Standby" mode ("exited" not to be confused with "entered"). -- **TransitionInfoCSInProgress** Indicates whether the system was in or entering Connected Standby mode when the last marker was saved. -- **TransitionInfoLastReferenceTimeChecksum** The checksum of TransitionInfoLastReferenceTimestamp. -- **TransitionInfoLastReferenceTimestamp** The date and time that the marker was last saved. -- **TransitionInfoLidState** Describes the state of the laptop lid. -- **TransitionInfoPowerButtonTimestamp** The most recent date and time when the Power Button was pressed (collected via a different mechanism than PowerButtonLastPressTime). -- **TransitionInfoSleepInProgress** Indicates whether the system was in or entering Sleep mode when the last marker was saved. -- **TransitionInfoSleepTranstionsToOn** The total number of times the system transitioned from Sleep mode to on, when the last marker was saved. -- **TransitionInfoSystemRunning** Indicates whether the system was running when the last marker was saved. -- **TransitionInfoSystemShutdownInProgress** Indicates whether a device shutdown was in progress when the power button was pressed. -- **TransitionInfoUserShutdownInProgress** Indicates whether a user shutdown was in progress when the power button was pressed. -- **TransitionLatestCheckpointId** Represents a unique identifier for a checkpoint during the device state transition. -- **TransitionLatestCheckpointSeqNumber** Represents the chronological sequence number of the checkpoint. -- **TransitionLatestCheckpointType** Represents the type of the checkpoint, which can be the start of a phase, end of a phase, or just informational. -- **VirtualMachineId** If the operating system is on a virtual Machine, it gives the virtual Machine ID (GUID) that can be used to correlate events on the host. - - -### TelClientSynthetic.AuthorizationInfo_RuntimeTransition - -This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. - -The following fields are available: - -- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. -- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. -- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. -- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. -- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. -- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. -- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. -- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. -- **CanReportScenarios** True if we can report scenario completions, false otherwise. -- **PreviousPermissions** Bitmask of previous telemetry state. -- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. - - -### TelClientSynthetic.AuthorizationInfo_Startup - -Fired by UTC at startup to signal what data we are allowed to collect. - -The following fields are available: - -- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. -- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. -- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. -- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. -- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. -- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. -- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. -- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. -- **CanReportScenarios** True if we can report scenario completions, false otherwise. -- **PreviousPermissions** Bitmask of previous telemetry state. -- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. - - -### TelClientSynthetic.ConnectivityHeartBeat_0 - -This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. - -The following fields are available: - -- **CensusExitCode** Returns last execution codes from census client run. -- **CensusStartTime** Returns timestamp corresponding to last successful census run. -- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. -- **LastConnectivityLossTime** Retrieves the last time the device lost free network. -- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. -- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. -- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds. - - -### TelClientSynthetic.HeartBeat_5 - -This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. - -The following fields are available: - -- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel. -- **CensusExitCode** The last exit code of the Census task. -- **CensusStartTime** Time of last Census run. -- **CensusTaskEnabled** True if Census is enabled, false otherwise. -- **CompressedBytesUploaded** Number of compressed bytes uploaded. -- **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. -- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. -- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling. -- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB. -- **DbCriticalDroppedCount** Total number of dropped critical events in event DB. -- **DbDroppedCount** Number of events dropped due to DB fullness. -- **DbDroppedFailureCount** Number of events dropped due to DB failures. -- **DbDroppedFullCount** Number of events dropped due to DB fullness. -- **DecodingDroppedCount** Number of events dropped due to decoding failures. -- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. -- **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. -- **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. -- **EventsPersistedCount** Number of events that reached the PersistEvent stage. -- **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC. -- **EventStoreResetCounter** Number of times event DB was reset. -- **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance. -- **EventSubStoreResetCounter** Number of times event DB was reset. -- **EventSubStoreResetSizeSum** Total size of event DB across all resets reports in this instance. -- **EventsUploaded** Number of events uploaded. -- **Flags** Flags indicating device state such as network state, battery state, and opt-in state. -- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. -- **HeartBeatSequenceNumber** The sequence number of this heartbeat. -- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. -- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. -- **LastEventSizeOffender** Event name of last event which exceeded max event size. -- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. -- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. -- **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. -- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). -- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. -- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. -- **SettingsHttpFailures** The number of failures from contacting the OneSettings service. -- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. -- **TopUploaderErrors** List of top errors received from the upload endpoint. -- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. -- **UploaderErrorCount** Number of errors received from the upload endpoint. -- **VortexFailuresTimeout** The number of timeout failures received from Vortex. -- **VortexHttpAttempts** Number of attempts to contact Vortex. -- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. -- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. -- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. -- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. - - -### TelClientSynthetic.HeartBeat_Aria_5 - -This event is the telemetry client ARIA heartbeat. - -The following fields are available: - -- **CompressedBytesUploaded** Number of compressed bytes uploaded. -- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. -- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. -- **DbCriticalDroppedCount** Total number of dropped critical events in event database. -- **DbDroppedCount** Number of events dropped at the database layer. -- **DbDroppedFailureCount** Number of events dropped due to database failures. -- **DbDroppedFullCount** Number of events dropped due to database being full. -- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. -- **EventsPersistedCount** Number of events that reached the PersistEvent stage. -- **EventStoreLifetimeResetCounter** Number of times the event store has been reset. -- **EventStoreResetCounter** Number of times the event store has been reset during this heartbeat. -- **EventStoreResetSizeSum** Size of event store reset in bytes. -- **EventsUploaded** Number of events uploaded. -- **HeartBeatSequenceNumber** The sequence number of this heartbeat. -- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. -- **LastEventSizeOffender** Event name of last event which exceeded max event size. -- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. -- **PreviousHeartBeatTime** The FILETIME of the previous heartbeat fire. -- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. -- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. -- **SettingsHttpFailures** Number of failures from contacting OneSettings service. -- **TopUploaderErrors** List of top errors received from the upload endpoint. -- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. -- **UploaderErrorCount** Number of errors received from the upload endpoint. -- **VortexFailuresTimeout** Number of time out failures received from Vortex. -- **VortexHttpAttempts** Number of attempts to contact Vortex. -- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. -- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. -- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. -- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. - - -### TelClientSynthetic.HeartBeat_Seville_5 - -This event is sent by the universal telemetry client (UTC) as a heartbeat signal for Sense. - -The following fields are available: - -- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host or agent channel. -- **CompressedBytesUploaded** Number of compressed bytes uploaded. -- **ConsumerDroppedCount** Number of events dropped at consumer layer of the telemetry client. -- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. -- **CriticalDataThrottleDroppedCount** Number of critical data sampled events dropped due to throttling. -- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. -- **DailyUploadQuotaInBytes** Daily upload quota for Sense in bytes (only in in-proc mode). -- **DbCriticalDroppedCount** Total number of dropped critical events in event database. -- **DbDroppedCount** Number of events dropped due to database being full. -- **DbDroppedFailureCount** Number of events dropped due to database failures. -- **DbDroppedFullCount** Number of events dropped due to database being full. -- **DecodingDroppedCount** Number of events dropped due to decoding failures. -- **DiskSizeInBytes** Size of event store for Sense in bytes (only in in-proc mode). -- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. -- **EtwDroppedBufferCount** Number of buffers dropped in the universal telemetry client (UTC) event tracing for Windows (ETW) session. -- **EtwDroppedCount** Number of events dropped at the event tracing for Windows (ETW) layer of telemetry client. -- **EventsPersistedCount** Number of events that reached the PersistEvent stage. -- **EventStoreLifetimeResetCounter** Number of times event the database was reset for the lifetime of the universal telemetry client (UTC). -- **EventStoreResetCounter** Number of times the event database was reset. -- **EventStoreResetSizeSum** Total size of the event database across all resets reports in this instance. -- **EventsUploaded** Number of events uploaded. -- **Flags** Flags indicating device state, such as network state, battery state, and opt-in state. -- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. -- **HeartBeatSequenceNumber** The sequence number of this heartbeat. -- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. -- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. -- **LastEventSizeOffender** Event name of last event which exceeded the maximum event size. -- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. -- **MaxActiveAgentConnectionCount** Maximum number of active agents during this heartbeat timeframe. -- **NormalUploadTimerMillis** Number of milliseconds between each upload of normal events for SENSE (only in in-proc mode). -- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). -- **RepeatedUploadFailureDropped** Number of events lost due to repeated failed uploaded attempts. -- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. -- **SettingsHttpFailures** Number of failures from contacting the OneSettings service. -- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. -- **TopUploaderErrors** Top uploader errors, grouped by endpoint and error type. -- **UploaderDroppedCount** Number of events dropped at the uploader layer of the telemetry client. -- **UploaderErrorCount** Number of input for the TopUploaderErrors mode estimation. -- **VortexFailuresTimeout** Number of time out failures received from Vortex. -- **VortexHttpAttempts** Number of attempts to contact Vortex. -- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. -- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. -- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. -- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. - - -## Direct to update events - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicabilityGenericFailure - -This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call. - -The following fields are available: - -- **CampaignID** ID of the campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Cleanup call. - -The following fields are available: - -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector -- **hResult** HRESULT of the failure - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupSuccess - -This event indicates that the Coordinator Cleanup call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Commit call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitSuccess - -This event indicates that the Coordinator Commit call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Download call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadIgnoredFailure - -This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Download call that will be ignored. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadSuccess - -This event indicates that the Coordinator Download call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator HandleShutdown call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinate version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownSuccess - -This event indicates that the Coordinator HandleShutdown call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Initialize call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeSuccess - -This event indicates that the Coordinator Initialize call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Install call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallIgnoredFailure - -This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Install call that will be ignored. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallSuccess - -This event indicates that the Coordinator Install call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorProgressCallBack - -This event indicates that the Coordinator's progress callback has been called. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **DeployPhase** Current Deploy Phase. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorSetCommitReadySuccess - -This event indicates that the Coordinator SetCommitReady call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiNotShown - -This event indicates that the Coordinator WaitForRebootUi call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSelection - -This event indicates that the user selected an option on the Reboot UI. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **rebootUiSelection** Selection on the Reboot UI. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSuccess - -This event indicates that the Coordinator WaitForRebootUi call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicabilityInternal call. - -The following fields are available: - -- **CampaignID** ID of the campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalSuccess - -This event indicates that the Handler CheckApplicabilityInternal call succeeded. - -The following fields are available: - -- **ApplicabilityResult** The result of the applicability check. -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilitySuccess - -This event indicates that the Handler CheckApplicability call succeeded. - -The following fields are available: - -- **ApplicabilityResult** The result code indicating whether the update is applicable. -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **CV_new** New correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionSuccess - -This event indicates that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **CheckIfCoordinatorMinApplicableVersionResult** Result of CheckIfCoordinatorMinApplicableVersion function. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Commit call. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **CV_new** New correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitSuccess - -This event indicates that the Handler Commit call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run.run -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **CV_new** New correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabFailure - -This event indicates that the Handler Download and Extract cab call failed. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **DownloadAndExtractCabFunction_failureReason** Reason why the update download and extract process failed. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabSuccess - -This event indicates that the Handler Download and Extract cab call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Download call. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadSuccess - -This event indicates that the Handler Download call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Initialize call. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extract. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeSuccess - -This event indicates that the Handler Initialize call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extraction. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Install call. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallSuccess - -This event indicates that the Coordinator Install call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadySuccess - -This event indicates that the Handler SetCommitReady call succeeded. - -The following fields are available: - -- **CampaignID** ID of the campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler WaitForRebootUi call. - -The following fields are available: - -- **CampaignID** The ID of the campaigning being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** The HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiSuccess - -This event indicates that the Handler WaitForRebootUi call succeeded. - -The following fields are available: - -- **CampaignID** ID of the campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -## DxgKernelTelemetry events - -### DxgKrnlTelemetry.GPUAdapterInventoryV2 - -This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date. - -The following fields are available: - -- **AdapterTypeValue** The numeric value indicating the type of Graphics adapter. -- **aiSeqId** The event sequence ID. -- **bootId** The system boot ID. -- **BrightnessVersionViaDDI** The version of the Display Brightness Interface. -- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. -- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). -- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). -- **DisplayAdapterLuid** The display adapter LUID. -- **DriverDate** The date of the display driver. -- **DriverRank** The rank of the display driver. -- **DriverVersion** The display driver version. -- **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store. -- **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store. -- **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store. -- **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store. -- **GPUDeviceID** The GPU device ID. -- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. -- **GPURevisionID** The GPU revision ID. -- **GPUVendorID** The GPU vendor ID. -- **InterfaceId** The GPU interface ID. -- **IsDisplayDevice** Does the GPU have displaying capabilities? -- **IsHwSchSupported** Indicates whether the adapter supports hardware scheduling. -- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? -- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? -- **IsLDA** Is the GPU comprised of Linked Display Adapters? -- **IsMiracastSupported** Does the GPU support Miracast? -- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor? -- **IsMPOSupported** Does the GPU support Multi-Plane Overlays? -- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution? -- **IsPostAdapter** Is this GPU the POST GPU in the device? -- **IsRemovable** TRUE if the adapter supports being disabled or removed. -- **IsRenderDevice** Does the GPU have rendering capabilities? -- **IsSoftwareDevice** Is this a software implementation of the GPU? -- **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store. -- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? -- **MsHybridDiscrete** Indicates whether the adapter is a discrete adapter in a hybrid configuration. -- **NumVidPnSources** The number of supported display output sources. -- **NumVidPnTargets** The number of supported display output targets. -- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes). -- **SubSystemID** The subsystem ID. -- **SubVendorID** The GPU sub vendor ID. -- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? -- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) -- **version** The event version. -- **WDDMVersion** The Windows Display Driver Model version. - - -## Failover Clustering events - -### Microsoft.Windows.Server.FailoverClusteringCritical.ClusterSummary2 - -This event returns information about how many resources and of what type are in the server cluster. This data is collected to keep Windows Server safe, secure, and up to date. The data includes information about whether hardware is configured correctly, if the software is patched correctly, and assists in preventing crashes by attributing issues (like fatal errors) to workloads and system configurations. - -The following fields are available: - -- **autoAssignSite** The cluster parameter: auto site. -- **autoBalancerLevel** The cluster parameter: auto balancer level. -- **autoBalancerMode** The cluster parameter: auto balancer mode. -- **blockCacheSize** The configured size of the block cache. -- **ClusterAdConfiguration** The ad configuration of the cluster. -- **clusterAdType** The cluster parameter: mgmt_point_type. -- **clusterDumpPolicy** The cluster configured dump policy. -- **clusterFunctionalLevel** The current cluster functional level. -- **clusterGuid** The unique identifier for the cluster. -- **clusterWitnessType** The witness type the cluster is configured for. -- **countNodesInSite** The number of nodes in the cluster. -- **crossSiteDelay** The cluster parameter: CrossSiteDelay. -- **crossSiteThreshold** The cluster parameter: CrossSiteThreshold. -- **crossSubnetDelay** The cluster parameter: CrossSubnetDelay. -- **crossSubnetThreshold** The cluster parameter: CrossSubnetThreshold. -- **csvCompatibleFilters** The cluster parameter: ClusterCsvCompatibleFilters. -- **csvIncompatibleFilters** The cluster parameter: ClusterCsvIncompatibleFilters. -- **csvResourceCount** The number of resources in the cluster. -- **currentNodeSite** The name configured for the current site for the cluster. -- **dasModeBusType** The direct storage bus type of the storage spaces. -- **downLevelNodeCount** The number of nodes in the cluster that are running down-level. -- **drainOnShutdown** Specifies whether a node should be drained when it is shut down. -- **dynamicQuorumEnabled** Specifies whether dynamic Quorum has been enabled. -- **enforcedAntiAffinity** The cluster parameter: enforced anti affinity. -- **genAppNames** The win32 service name of a clustered service. -- **genSvcNames** The command line of a clustered genapp. -- **hangRecoveryAction** The cluster parameter: hang recovery action. -- **hangTimeOut** Specifies the “hang time out” parameter for the cluster. -- **isCalabria** Specifies whether storage spaces direct is enabled. -- **isMixedMode** Identifies if the cluster is running with different version of OS for nodes. -- **isRunningDownLevel** Identifies if the current node is running down-level. -- **logLevel** Specifies the granularity that is logged in the cluster log. -- **logSize** Specifies the size of the cluster log. -- **lowerQuorumPriorityNodeId** The cluster parameter: lower quorum priority node ID. -- **minNeverPreempt** The cluster parameter: minimum never preempt. -- **minPreemptor** The cluster parameter: minimum preemptor priority. -- **netftIpsecEnabled** The parameter: netftIpsecEnabled. -- **NodeCount** The number of nodes in the cluster. -- **nodeId** The current node number in the cluster. -- **nodeResourceCounts** Specifies the number of node resources. -- **nodeResourceOnlineCounts** Specifies the number of node resources that are online. -- **numberOfSites** The number of different sites. -- **numNodesInNoSite** The number of nodes not belonging to a site. -- **plumbAllCrossSubnetRoutes** The cluster parameter: plumb all cross subnet routes. -- **preferredSite** The preferred site location. -- **privateCloudWitness** Specifies whether a private cloud witness exists for this cluster. -- **quarantineDuration** The quarantine duration. -- **quarantineThreshold** The quarantine threshold. -- **quorumArbitrationTimeout** In the event of an arbitration event, this specifies the quorum timeout period. -- **resiliencyLevel** Specifies the level of resiliency. -- **resourceCounts** Specifies the number of resources. -- **resourceTypeCounts** Specifies the number of resource types in the cluster. -- **resourceTypes** Data representative of each resource type. -- **resourceTypesPath** Data representative of the DLL path for each resource type. -- **sameSubnetDelay** The cluster parameter: same subnet delay. -- **sameSubnetThreshold** The cluster parameter: same subnet threshold. -- **secondsInMixedMode** The amount of time (in seconds) that the cluster has been in mixed mode (nodes with different operating system versions in the same cluster). -- **securityLevel** The cluster parameter: security level. -- **securityLevelForStorage** The cluster parameter: security level for storage. -- **sharedVolumeBlockCacheSize** Specifies the block cache size for shared for shared volumes. -- **shutdownTimeoutMinutes** Specifies the amount of time it takes to time out when shutting down. -- **upNodeCount** Specifies the number of nodes that are up (online). -- **useClientAccessNetworksForCsv** The cluster parameter: use client access networks for CSV. -- **vmIsolationTime** The cluster parameter: VM isolation time. -- **witnessDatabaseWriteTimeout** Specifies the timeout period for writing to the quorum witness database. - - -## Fault Reporting events - -### Microsoft.Windows.FaultReporting.AppCrashEvent - -This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event. - -The following fields are available: - -- **AppName** The name of the app that has crashed. -- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. -- **AppTimeStamp** The date/time stamp of the app. -- **AppVersion** The version of the app that has crashed. -- **ExceptionCode** The exception code returned by the process that has crashed. -- **ExceptionOffset** The address where the exception had occurred. -- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. -- **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. -- **IsFatal** True/False to indicate whether the crash resulted in process termination. -- **ModName** Exception module name (e.g. bar.dll). -- **ModTimeStamp** The date/time stamp of the module. -- **ModVersion** The version of the module that has crashed. -- **PackageFullName** Store application identity. -- **PackageRelativeAppId** Store application identity. -- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. -- **ProcessCreateTime** The time of creation of the process that has crashed. -- **ProcessId** The ID of the process that has crashed. -- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. -- **TargetAppId** The kernel reported AppId of the application being reported. -- **TargetAppVer** The specific version of the application being reported -- **TargetAsId** The sequence number for the hanging process. - - -## Feature update events - -### Microsoft.Windows.Upgrade.Uninstall.UninstallFinalizedAndRebootTriggered - -This event indicates that the uninstall was properly configured and that a system reboot was initiated. - - - -### Microsoft.Windows.Upgrade.Uninstall.UninstallGoBackButtonClicked - -This event sends basic metadata about the starting point of uninstalling a feature update, which helps ensure customers can safely revert to a well-known state if the update caused any problems. - - - -## Hang Reporting events - -### Microsoft.Windows.HangReporting.AppHangEvent - -This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. - -The following fields are available: - -- **AppName** The name of the app that has hung. -- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend. -- **AppVersion** The version of the app that has hung. -- **IsFatal** True/False based on whether the hung application caused the creation of a Fatal Hang Report. -- **PackageFullName** Store application identity. -- **PackageRelativeAppId** Store application identity. -- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. -- **ProcessCreateTime** The time of creation of the process that has hung. -- **ProcessId** The ID of the process that has hung. -- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. -- **TargetAppId** The kernel reported AppId of the application being reported. -- **TargetAppVer** The specific version of the application being reported. -- **TargetAsId** The sequence number for the hanging process. -- **TypeCode** Bitmap describing the hang type. -- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application. -- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting. -- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting. -- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package. - - -## Inventory events - -### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum - -This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. - -The following fields are available: - -- **Device** A count of device objects in cache. -- **DeviceCensus** A count of device census objects in cache. -- **DriverPackageExtended** A count of driverpackageextended objects in cache. -- **File** A count of file objects in cache. -- **FileSigningInfo** A count of file signing objects in cache. -- **Generic** A count of generic objects in cache. -- **HwItem** A count of hwitem objects in cache. -- **InventoryApplication** A count of application objects in cache. -- **InventoryApplicationAppV** A count of application AppV objects in cache. -- **InventoryApplicationDriver** A count of application driver objects in cache -- **InventoryApplicationFile** A count of application file objects in cache. -- **InventoryApplicationFramework** A count of application framework objects in cache -- **InventoryApplicationShortcut** A count of application shortcut objects in cache -- **InventoryDeviceContainer** A count of device container objects in cache. -- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache. -- **InventoryDeviceMediaClass** A count of device media objects in cache. -- **InventoryDevicePnp** A count of device Plug and Play objects in cache. -- **InventoryDeviceUsbHubClass** A count of device usb objects in cache -- **InventoryDriverBinary** A count of driver binary objects in cache. -- **InventoryDriverPackage** A count of device objects in cache. -- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache -- **InventoryMiscellaneousOfficeAddInUsage** A count of office add-in usage objects in cache. -- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache -- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache -- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache -- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache -- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache -- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache -- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache -- **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache -- **Metadata** A count of metadata objects in cache. -- **Orphan** A count of orphan file objects in cache. -- **Programs** A count of program objects in cache. - - -### Microsoft.Windows.Inventory.Core.AmiTelCacheFileInfo - -Diagnostic data about the inventory cache. - -The following fields are available: - -- **CacheFileSize** Size of the cache. -- **InventoryVersion** Inventory version of the cache. -- **TempCacheCount** Number of temp caches created. -- **TempCacheDeletedCount** Number of temp caches deleted. - - -### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions - -This event sends inventory component versions for the Device Inventory data. - -The following fields are available: - -- **aeinv** The version of the App inventory component. -- **devinv** The file version of the Device inventory component. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd - -This event sends basic metadata about an application on the system to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **HiddenArp** Indicates whether a program hides itself from showing up in ARP. -- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). -- **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 -- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. -- **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array. -- **InventoryVersion** The version of the inventory file generating the events. -- **Language** The language code of the program. -- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. -- **MsiProductCode** A GUID that describe the MSI Product. -- **Name** The name of the application. -- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. -- **PackageFullName** The package full name for a Store application. -- **ProgramInstanceId** A hash of the file IDs in an app. -- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field. -- **RootDirPath** The path to the root directory where the program was installed. -- **Source** How the program was installed (for example, ARP, MSI, Appx). -- **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp. -- **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen. -- **Version** The version number of the program. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd - -This event represents what drivers an application installs. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory component. -- **ProgramIds** The unique program identifier the driver is associated with. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync - -The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory component. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd - -This event provides the basic metadata about the frameworks an application may depend on. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **FileId** A hash that uniquely identifies a file. -- **Frameworks** The list of frameworks this file depends on. -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync - -This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove - -This event indicates that a new set of InventoryDevicePnpAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync - -This event indicates that a new set of InventoryApplicationAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd - -This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device) to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Categories** A comma separated list of functional categories in which the container belongs. -- **DiscoveryMethod** The discovery method for the device container. -- **FriendlyName** The name of the device container. -- **InventoryVersion** The version of the inventory file generating the events. -- **IsActive** Is the device connected, or has it been seen in the last 14 days? -- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link. -- **IsMachineContainer** Is the container the root device itself? -- **IsNetworked** Is this a networked device? -- **IsPaired** Does the device container require pairing? -- **Manufacturer** The manufacturer name for the device container. -- **ModelId** A unique model ID. -- **ModelName** The model name. -- **ModelNumber** The model number for the device container. -- **PrimaryCategory** The primary category for the device container. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove - -This event indicates that the InventoryDeviceContainer object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync - -This event indicates that a new set of InventoryDeviceContainerAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd - -This event retrieves information about what sensor interfaces are available on the device. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Accelerometer3D** Indicates if an Accelerator3D sensor is found. -- **ActivityDetection** Indicates if an Activity Detection sensor is found. -- **AmbientLight** Indicates if an Ambient Light sensor is found. -- **Barometer** Indicates if a Barometer sensor is found. -- **Custom** Indicates if a Custom sensor is found. -- **EnergyMeter** Indicates if an Energy sensor is found. -- **FloorElevation** Indicates if a Floor Elevation sensor is found. -- **GeomagneticOrientation** Indicates if a Geo Magnetic Orientation sensor is found. -- **GravityVector** Indicates if a Gravity Detector sensor is found. -- **Gyrometer3D** Indicates if a Gyrometer3D sensor is found. -- **Humidity** Indicates if a Humidity sensor is found. -- **InventoryVersion** The version of the inventory file generating the events. -- **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found. -- **Magnetometer3D** Indicates if a Magnetometer3D sensor is found. -- **Orientation** Indicates if an Orientation sensor is found. -- **Pedometer** Indicates if a Pedometer sensor is found. -- **Proximity** Indicates if a Proximity sensor is found. -- **RelativeOrientation** Indicates if a Relative Orientation sensor is found. -- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found. -- **Temperature** Indicates if a Temperature sensor is found. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync - -This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd - -This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **audio.captureDriver** Audio device capture driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14887.1000:hdaudio\func_01 -- **audio.renderDriver** Audio device render driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14889.1001:hdaudio\func_01 -- **Audio_CaptureDriver** The Audio device capture driver endpoint. -- **Audio_RenderDriver** The Audio device render driver endpoint. -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove - -This event indicates that the InventoryDeviceMediaClassRemove object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync - -This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd - -This event represents the basic metadata about a plug and play (PNP) device and its associated driver. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **BusReportedDescription** The description of the device reported by the bux. -- **Class** The device setup class of the driver loaded for the device. -- **ClassGuid** The device class unique identifier of the driver package loaded on the device. -- **COMPID** The list of “Compatible IDs” for this device. -- **ContainerId** The system-supplied unique identifier that specifies which group(s) the device(s) installed on the parent (main) device belong to. -- **Description** The description of the device. -- **DeviceInterfaceClasses** The device interfaces that this device implements. -- **DeviceState** Identifies the current state of the parent (main) device. -- **DriverId** The unique identifier for the installed driver. -- **DriverName** The name of the driver image file. -- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage. -- **DriverVerDate** The date associated with the driver installed on the device. -- **DriverVerVersion** The version number of the driver installed on the device. -- **Enumerator** Identifies the bus that enumerated the device. -- **ExtendedInfs** The extended INF file names. -- **HWID** A list of hardware IDs for the device. -- **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). -- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx -- **InventoryVersion** The version number of the inventory process generating the events. -- **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. -- **LowerFilters** The identifiers of the Lower filters installed for the device. -- **Manufacturer** The manufacturer of the device. -- **MatchingID** The Hardware ID or Compatible ID that Windows uses to install a device instance. -- **Model** Identifies the model of the device. -- **ParentId** The Device Instance ID of the parent of the device. -- **ProblemCode** The error code currently returned by the device, if applicable. -- **Provider** Identifies the device provider. -- **Service** The name of the device service. -- **STACKID** The list of hardware IDs for the stack. -- **UpperClassFilters** The identifiers of the Upper Class filters installed for the device. -- **UpperFilters** The identifiers of the Upper filters installed for the device. - - -### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove - -This event indicates that the InventoryDevicePnpRemove object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync - -This event indicates that a new set of InventoryDevicePnpAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd - -This event sends basic metadata about the USB hubs on the device. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. -- **TotalUserConnectablePorts** Total number of connectable USB ports. -- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync - -This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent. - - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd - -This event provides the basic metadata about driver binaries running on the system. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **DriverCheckSum** The checksum of the driver file. -- **DriverCompany** The company name that developed the driver. -- **DriverInBox** Is the driver included with the operating system? -- **DriverIsKernelMode** Is it a kernel mode driver? -- **DriverName** The file name of the driver. -- **DriverPackageStrongName** The strong name of the driver package -- **DriverSigned** The strong name of the driver package -- **DriverTimeStamp** The low 32 bits of the time stamp of the driver file. -- **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. -- **DriverVersion** The version of the driver file. -- **ImageSize** The size of the driver file. -- **Inf** The name of the INF file. -- **InventoryVersion** The version of the inventory file generating the events. -- **Product** The product name that is included in the driver file. -- **ProductVersion** The product version that is included in the driver file. -- **Service** The name of the service that is installed for the device. -- **WdfVersion** The Windows Driver Framework version. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove - -This event indicates that the InventoryDriverBinary object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync - -This event indicates that a new set of InventoryDriverBinaryAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd - -This event sends basic metadata about drive packages installed on the system to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Class** The class name for the device driver. -- **ClassGuid** The class GUID for the device driver. -- **Date** The driver package date. -- **Directory** The path to the driver package. -- **DriverInBox** Is the driver included with the operating system? -- **Inf** The INF name of the driver package. -- **InventoryVersion** The version of the inventory file generating the events. -- **Provider** The provider for the driver package. -- **SubmissionId** The HLK submission ID for the driver package. -- **Version** The version of the driver package. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove - -This event indicates that the InventoryDriverPackageRemove object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync - -This event indicates that a new set of InventoryDriverPackageAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.StartUtcJsonTrace - -This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the beginning of the event download, and that tracing should begin. - - - -### Microsoft.Windows.Inventory.Core.StopUtcJsonTrace - -This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the end of the event download, and that tracing should end. - - - -### Microsoft.Windows.Inventory.General.AppHealthStaticAdd - -This event sends details collected for a specific application on the source device. - -The following fields are available: - -- **AhaVersion** The binary version of the App Health Analyzer tool. -- **ApplicationErrors** The count of application errors from the event log. -- **Bitness** The architecture type of the application (16 Bit or 32 bit or 64 bit). -- **device_level** Various JRE/JAVA versions installed on a particular device. -- **ExtendedProperties** Attribute used for aggregating all other attributes under this event type. -- **Jar** Flag to determine if an app has a Java JAR file dependency. -- **Jre** Flag to determine if an app has JRE framework dependency. -- **Jre_version** JRE versions an app has declared framework dependency for. -- **Name** Name of the application. -- **NonDPIAware** Flag to determine if an app is non-DPI aware. -- **NumBinaries** Count of all binaries (.sys,.dll,.ini) from application install location. -- **RequiresAdmin** Flag to determine if an app requests admin privileges for execution. -- **RequiresAdminv2** Additional flag to determine if an app requests admin privileges for execution. -- **RequiresUIAccess** Flag to determine if an app is based on UI features for accessibility. -- **VB6** Flag to determine if an app is based on VB6 framework. -- **VB6v2** Additional flag to determine if an app is based on VB6 framework. -- **Version** Version of the application. -- **VersionCheck** Flag to determine if an app has a static dependency on OS version. -- **VersionCheckv2** Additional flag to determine if an app has a static dependency on OS version. - - -### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync - -This event indicates the beginning of a series of AppHealthStaticAdd events. - -The following fields are available: - -- **AllowTelemetry** Indicates the presence of the 'allowtelemetry' command line argument. -- **CommandLineArgs** Command line arguments passed when launching the App Health Analyzer executable. -- **Enhanced** Indicates the presence of the 'enhanced' command line argument. -- **StartTime** UTC date and time at which this event was sent. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd - -Provides data on the installed Office Add-ins. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AddinCLSID** The class identifier key for the Microsoft Office add-in. -- **AddInCLSID** The class identifier key for the Microsoft Office add-in. -- **AddInId** The identifier for the Microsoft Office add-in. -- **AddinType** The type of the Microsoft Office add-in. -- **BinFileTimestamp** The timestamp of the Office add-in. -- **BinFileVersion** The version of the Microsoft Office add-in. -- **Description** Description of the Microsoft Office add-in. -- **FileId** The file identifier of the Microsoft Office add-in. -- **FileSize** The file size of the Microsoft Office add-in. -- **FriendlyName** The friendly name for the Microsoft Office add-in. -- **FullPath** The full path to the Microsoft Office add-in. -- **InventoryVersion** The version of the inventory binary generating the events. -- **LoadBehavior** Integer that describes the load behavior. -- **LoadTime** Load time for the Office add-in. -- **OfficeApplication** The Microsoft Office application associated with the add-in. -- **OfficeArchitecture** The architecture of the add-in. -- **OfficeVersion** The Microsoft Office version for this add-in. -- **OutlookCrashingAddin** Indicates whether crashes have been found for this add-in. -- **ProductCompany** The name of the company associated with the Office add-in. -- **ProductName** The product name associated with the Microsoft Office add-in. -- **ProductVersion** The version associated with the Office add-in. -- **ProgramId** The unique program identifier of the Microsoft Office add-in. -- **Provider** Name of the provider for this add-in. -- **Usage** Data about usage for the add-in. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync - -This event indicates that a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd - -Provides data on the Office identifiers. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OAudienceData** Sub-identifier for Microsoft Office release management, identifying the pilot group for a device -- **OAudienceId** Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device -- **OMID** Identifier for the Office SQM Machine -- **OPlatform** Whether the installed Microsoft Office product is 32-bit or 64-bit -- **OTenantId** Unique GUID representing the Microsoft O365 Tenant -- **OVersion** Installed version of Microsoft Office. For example, 16.0.8602.1000 -- **OWowMID** Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft Office on 64-bit Windows) - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd - -Provides data on Office-related Internet Explorer features. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OIeFeatureAddon** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the user or by administrative group policy will also be disabled in applications that enable this feature. -- **OIeMachineLockdown** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on content loaded from the user's local machine, which helps prevent malicious behavior involving local files. -- **OIeMimeHandling** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely. Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) -- **OIeMimeSniffing** Flag indicating which Microsoft Office products have this setting enabled. Determines a file's type by examining its bit signature. Windows Internet Explorer uses this information to determine how to render the file. The FEATURE_MIME_SNIFFING feature, when enabled, allows to be set differently for each security zone by using the URLACTION_FEATURE_MIME_SNIFFING URL action flag -- **OIeNoAxInstall** Flag indicating which Microsoft Office products have this setting enabled. When a webpage attempts to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request. When a webpage tries to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request -- **OIeNoDownload** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_RESTRICT_FILEDOWNLOAD feature blocks file download requests that navigate to a resource, that display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click or key press). Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) -- **OIeObjectCaching** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_OBJECT_CACHING feature prevents webpages from accessing or instantiating ActiveX controls cached from different domains or security contexts -- **OIePasswordDisable** Flag indicating which Microsoft Office products have this setting enabled. After Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2), Internet Explorer no longer allows usernames and passwords to be specified in URLs that use the HTTP or HTTPS protocols. URLs using other protocols, such as FTP, still allow usernames and passwords -- **OIeSafeBind** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SAFE_BINDTOOBJECT feature performs additional safety checks when calling MonikerBindToObject to create and initialize Microsoft ActiveX controls. Specifically, prevent the control from being created if COMPAT_EVIL_DONT_LOAD is in the registry for the control -- **OIeSecurityBand** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled, the Information bar appears when file download or code installation is restricted -- **OIeUncSaveCheck** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_UNC_SAVEDFILECHECK feature enables the Mark of the Web (MOTW) for local files loaded from network locations that have been shared by using the Universal Naming Convention (UNC) -- **OIeValidateUrl** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_VALIDATE_NAVIGATE_URL feature control prevents Windows Internet Explorer from navigating to a badly formed URL -- **OIeWebOcPopup** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_WEBOC_POPUPMANAGEMENT feature allows applications hosting the WebBrowser Control to receive the default Internet Explorer pop-up window management behavior -- **OIeWinRestrict** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_WINDOW_RESTRICTIONS feature adds several restrictions to the size and behavior of popup windows -- **OIeZoneElevate** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_ZONE_ELEVATION feature prevents pages in one zone from navigating to pages in a higher security zone unless the navigation is generated by the user - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd - -This event provides insight data on the installed Office products - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OfficeApplication** The name of the Office application. -- **OfficeArchitecture** The bitness of the Office application. -- **OfficeVersion** The version of the Office application. -- **Value** The insights collected about this entity. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync - -This diagnostic event indicates that a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd - -Describes Office Products installed. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OC2rApps** A GUID the describes the Office Click-To-Run apps -- **OC2rSkus** Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example, Office 2016 ProPlus -- **OMsiApps** Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word -- **OProductCodes** A GUID that describes the Office MSI products - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd - -This event describes various Office settings - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **BrowserFlags** Browser flags for Office-related products -- **ExchangeProviderFlags** Provider policies for Office Exchange -- **InventoryVersion** The version of the inventory binary generating the events. -- **SharedComputerLicensing** Office shared computer licensing policies - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync - -Indicates a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd - -This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Design** Count of files with design issues found. -- **Design_x64** Count of files with 64 bit design issues found. -- **DuplicateVBA** Count of files with duplicate VBA code. -- **HasVBA** Count of files with VBA code. -- **Inaccessible** Count of files that were inaccessible for scanning. -- **InventoryVersion** The version of the inventory binary generating the events. -- **Issues** Count of files with issues detected. -- **Issues_x64** Count of files with 64-bit issues detected. -- **IssuesNone** Count of files with no issues detected. -- **IssuesNone_x64** Count of files with no 64-bit issues detected. -- **Locked** Count of files that were locked, preventing scanning. -- **NoVBA** Count of files with no VBA inside. -- **Protected** Count of files that were password protected, preventing scanning. -- **RemLimited** Count of files that require limited remediation changes. -- **RemLimited_x64** Count of files that require limited remediation changes for 64-bit issues. -- **RemSignificant** Count of files that require significant remediation changes. -- **RemSignificant_x64** Count of files that require significant remediation changes for 64-bit issues. -- **Score** Overall compatibility score calculated for scanned content. -- **Score_x64** Overall 64-bit compatibility score calculated for scanned content. -- **Total** Total number of files scanned. -- **Validation** Count of files that require additional manual validation. -- **Validation_x64** Count of files that require additional manual validation for 64-bit issues. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd - -This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Count** Count of total Microsoft Office VBA rule violations -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync - -This event indicates that a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd - -Provides data on Unified Update Platform (UUP) products and what version they are at. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Identifier** UUP identifier -- **LastActivatedVersion** Last activated version -- **PreviousVersion** Previous version -- **Source** UUP source -- **Version** UUP version - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -### Microsoft.Windows.Inventory.Indicators.Checksum - -This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events. - -The following fields are available: - -- **CensusId** A unique hardware identifier. -- **ChecksumDictionary** A count of each operating system indicator. -- **PCFP** Equivalent to the InventoryId field that is found in other core events. - - -### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd - -These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **IndicatorValue** The indicator value. -- **Value** Describes an operating system indicator that may be relevant for the device upgrade. - - -### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove - -This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync - -This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -## Kernel events - -### IO - -This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon system startup. - -The following fields are available: - -- **BytesRead** The total number of bytes read from or read by the OS upon system startup. -- **BytesWritten** The total number of bytes written to or written by the OS upon system startup. - - -### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch - -OS information collected during Boot, used to evaluate the success of the upgrade process. - -The following fields are available: - -- **BootApplicationId** This field tells us what the OS Loader Application Identifier is. -- **BootAttemptCount** The number of consecutive times the boot manager has attempted to boot into this operating system. -- **BootSequence** The current Boot ID, used to correlate events related to a particular boot session. -- **BootStatusPolicy** Identifies the applicable Boot Status Policy. -- **BootType** Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume"). -- **EventTimestamp** Seconds elapsed since an arbitrary time point. This can be used to identify the time difference in successive boot attempts being made. -- **FirmwareResetReasonEmbeddedController** Reason for system reset provided by firmware. -- **FirmwareResetReasonEmbeddedControllerAdditional** Additional information on system reset reason provided by firmware if needed. -- **FirmwareResetReasonPch** Reason for system reset provided by firmware. -- **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed. -- **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware. -- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See [IO](#io). -- **LastBootSucceeded** Flag indicating whether the last boot was successful. -- **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful. -- **MaxAbove4GbFreeRange** This field describes the largest memory range available above 4Gb. -- **MaxBelow4GbFreeRange** This field describes the largest memory range available below 4Gb. -- **MeasuredLaunchPrepared** This field tells us if the OS launch was initiated using Measured/Secure Boot over DRTM (Dynamic Root of Trust for Measurement). -- **MeasuredLaunchResume** This field tells us if Dynamic Root of Trust for Measurement (DRTM) was used when resuming from hibernation. -- **MenuPolicy** Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.). -- **RecoveryEnabled** Indicates whether recovery is enabled. -- **SecureLaunchPrepared** This field indicates if DRTM was prepared during boot. -- **TcbLaunch** Indicates whether the Trusted Computing Base was used during the boot flow. -- **UserInputTime** The amount of time the loader application spent waiting for user input. - - -## Miracast events - -### Microsoft.Windows.Cast.Miracast.MiracastSessionEnd - -This event sends data at the end of a Miracast session that helps determine RTSP related Miracast failures along with some statistics about the session - -The following fields are available: - -- **AudioChannelCount** The number of audio channels. -- **AudioSampleRate** The sample rate of audio in terms of samples per second. -- **AudioSubtype** The unique subtype identifier of the audio codec (encoding method) used for audio encoding. -- **AverageBitrate** The average video bitrate used during the Miracast session, in bits per second. -- **AverageDataRate** The average available bandwidth reported by the WiFi driver during the Miracast session, in bits per second. -- **AveragePacketSendTimeInMs** The average time required for the network to send a sample, in milliseconds. -- **ConnectorType** The type of connector used during the Miracast session. -- **EncodeAverageTimeMS** The average time to encode a frame of video, in milliseconds. -- **EncodeCount** The count of total frames encoded in the session. -- **EncodeMaxTimeMS** The maximum time to encode a frame, in milliseconds. -- **EncodeMinTimeMS** The minimum time to encode a frame, in milliseconds. -- **EncoderCreationTimeInMs** The time required to create the video encoder, in milliseconds. -- **ErrorSource** Identifies the component that encountered an error that caused a disconnect, if applicable. -- **FirstFrameTime** The time (tick count) when the first frame is sent. -- **FirstLatencyMode** The first latency mode. -- **FrameAverageTimeMS** Average time to process an entire frame, in milliseconds. -- **FrameCount** The total number of frames processed. -- **FrameMaxTimeMS** The maximum time required to process an entire frame, in milliseconds. -- **FrameMinTimeMS** The minimum time required to process an entire frame, in milliseconds. -- **Glitches** The number of frames that failed to be delivered on time. -- **HardwareCursorEnabled** Indicates if hardware cursor was enabled when the connection ended. -- **HDCPState** The state of HDCP (High-bandwidth Digital Content Protection) when the connection ended. -- **HighestBitrate** The highest video bitrate used during the Miracast session, in bits per second. -- **HighestDataRate** The highest available bandwidth reported by the WiFi driver, in bits per second. -- **LastLatencyMode** The last reported latency mode. -- **LogTimeReference** The reference time, in tick counts. -- **LowestBitrate** The lowest video bitrate used during the Miracast session, in bits per second. -- **LowestDataRate** The lowest video bitrate used during the Miracast session, in bits per second. -- **MediaErrorCode** The error code reported by the media session, if applicable. -- **MiracastEntry** The time (tick count) when the Miracast driver was first loaded. -- **MiracastM1** The time (tick count) when the M1 request was sent. -- **MiracastM2** The time (tick count) when the M2 request was sent. -- **MiracastM3** The time (tick count) when the M3 request was sent. -- **MiracastM4** The time (tick count) when the M4 request was sent. -- **MiracastM5** The time (tick count) when the M5 request was sent. -- **MiracastM6** The time (tick count) when the M6 request was sent. -- **MiracastM7** The time (tick count) when the M7 request was sent. -- **MiracastSessionState** The state of the Miracast session when the connection ended. -- **MiracastStreaming** The time (tick count) when the Miracast session first started processing frames. -- **ProfileCount** The count of profiles generated from the receiver M4 response. -- **ProfileCountAfterFiltering** The count of profiles after filtering based on available bandwidth and encoder capabilities. -- **RefreshRate** The refresh rate set on the remote display. -- **RotationSupported** Indicates if the Miracast receiver supports display rotation. -- **RTSPSessionId** The unique identifier of the RTSP session. This matches the RTSP session ID for the receiver for the same session. -- **SessionGuid** The unique identifier of to correlate various Miracast events from a session. -- **SinkHadEdid** Indicates if the Miracast receiver reported an EDID. -- **SupportMicrosoftColorSpaceConversion** Indicates whether the Microsoft color space conversion for extra color fidelity is supported by the receiver. -- **SupportsMicrosoftDiagnostics** Indicates whether the Miracast receiver supports the Microsoft Diagnostics Miracast extension. -- **SupportsMicrosoftFormatChange** Indicates whether the Miracast receiver supports the Microsoft Format Change Miracast extension. -- **SupportsMicrosoftLatencyManagement** Indicates whether the Miracast receiver supports the Microsoft Latency Management Miracast extension. -- **SupportsMicrosoftRTCP** Indicates whether the Miracast receiver supports the Microsoft RTCP Miracast extension. -- **SupportsMicrosoftVideoFormats** Indicates whether the Miracast receiver supports Microsoft video format for 3:2 resolution. -- **SupportsWiDi** Indicates whether Miracast receiver supports Intel WiDi extensions. -- **TeardownErrorCode** The error code reason for teardown provided by the receiver, if applicable. -- **TeardownErrorReason** The text string reason for teardown provided by the receiver, if applicable. -- **UIBCEndState** Indicates whether UIBC was enabled when the connection ended. -- **UIBCEverEnabled** Indicates whether UIBC was ever enabled. -- **UIBCStatus** The result code reported by the UIBC setup process. -- **VideoBitrate** The starting bitrate for the video encoder. -- **VideoCodecLevel** The encoding level used for encoding, specific to the video subtype. -- **VideoHeight** The height of encoded video frames. -- **VideoSubtype** The unique subtype identifier of the video codec (encoding method) used for video encoding. -- **VideoWidth** The width of encoded video frames. -- **WFD2Supported** Indicates if the Miracast receiver supports WFD2 protocol. - - -## OneDrive events - -### Microsoft.OneDrive.Sync.Setup.APIOperation - -This event includes basic data about install and uninstall OneDrive API operations. - -The following fields are available: - -- **APIName** The name of the API. -- **Duration** How long the operation took. -- **IsSuccess** Was the operation successful? -- **ResultCode** The result code. -- **ScenarioName** The name of the scenario. - - -### Microsoft.OneDrive.Sync.Setup.EndExperience - -This event includes a success or failure summary of the installation. - -The following fields are available: - -- **APIName** The name of the API. -- **HResult** HResult of the operation -- **IsSuccess** Whether the operation is successful or not -- **ScenarioName** The name of the scenario. - - -### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation - -This event is related to the OS version when the OS is upgraded with OneDrive installed. - -The following fields are available: - -- **CurrentOneDriveVersion** The current version of OneDrive. -- **CurrentOSBuildBranch** The current branch of the operating system. -- **CurrentOSBuildNumber** The current build number of the operating system. -- **CurrentOSVersion** The current version of the operating system. -- **HResult** The HResult of the operation. -- **SourceOSBuildBranch** The source branch of the operating system. -- **SourceOSBuildNumber** The source build number of the operating system. -- **SourceOSVersion** The source version of the operating system. - - -### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation - -This event is related to registering or unregistering the OneDrive update task. - -The following fields are available: - -- **APIName** The name of the API. -- **IsSuccess** Was the operation successful? -- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation. -- **ScenarioName** The name of the scenario. -- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation. - - -### Microsoft.OneDrive.Sync.Updater.ComponentInstallState - -This event includes basic data about the installation state of dependent OneDrive components. - -The following fields are available: - -- **ComponentName** The name of the dependent component. -- **isInstalled** Is the dependent component installed? - - -### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus - -This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken - -The following fields are available: - -- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system. -- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system. - - -### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult - -This event sends information describing the result of the update. - -The following fields are available: - -- **hr** The HResult of the operation. -- **IsLoggingEnabled** Indicates whether logging is enabled for the updater. -- **UpdaterVersion** The version of the updater. - - -### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult - -This event determines the status when downloading the OneDrive update configuration file. - -The following fields are available: - -- **hr** The HResult of the operation. - - -### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus - -This event determines the error code that was returned when verifying Internet connectivity. - -The following fields are available: - -- **winInetError** The HResult of the operation. - - -## Privacy consent logging events - -### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted - -This event is used to determine whether the user successfully completed the privacy consent experience. - -The following fields are available: - -- **presentationVersion** Which display version of the privacy consent experience the user completed -- **privacyConsentState** The current state of the privacy consent experience -- **settingsVersion** Which setting version of the privacy consent experience the user completed -- **userOobeExitReason** The exit reason of the privacy consent experience - - -### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus - -Event tells us effectiveness of new privacy experience. - -The following fields are available: - -- **isAdmin** whether the person who is logging in is an admin -- **isExistingUser** whether the account existed in a downlevel OS -- **isLaunching** Whether or not the privacy consent experience will be launched -- **isSilentElevation** whether the user has most restrictive UAC controls -- **privacyConsentState** whether the user has completed privacy experience -- **userRegionCode** The current user's region setting - - -### wilActivity - -This event provides a Windows Internal Library context used for Product and Service diagnostics. - -The following fields are available: - -- **callContext** The function where the failure occurred. -- **currentContextId** The ID of the current call context where the failure occurred. -- **currentContextMessage** The message of the current call context where the failure occurred. -- **currentContextName** The name of the current call context where the failure occurred. -- **failureCount** The number of failures for this failure ID. -- **failureId** The ID of the failure that occurred. -- **failureType** The type of the failure that occurred. -- **fileName** The file name where the failure occurred. -- **function** The function where the failure occurred. -- **hresult** The HResult of the overall activity. -- **lineNumber** The line number where the failure occurred. -- **message** The message of the failure that occurred. -- **module** The module where the failure occurred. -- **originatingContextId** The ID of the originating call context that resulted in the failure. -- **originatingContextMessage** The message of the originating call context that resulted in the failure. -- **originatingContextName** The name of the originating call context that resulted in the failure. -- **threadId** The ID of the thread on which the activity is executing. - - -## Sediment events - -### Microsoft.Windows.Sediment.Info.DetailedState - -This event is sent when detailed state information is needed from an update trial run. - -The following fields are available: - -- **Data** Data relevant to the state, such as what percent of disk space the directory takes up. -- **Id** Identifies the trial being run, such as a disk related trial. -- **ReleaseVer** The version of the component. -- **State** The state of the reporting data from the trial, such as the top-level directory analysis. -- **Time** The time the event was fired. - - -### Microsoft.Windows.Sediment.Info.Error - -This event indicates an error in the updater payload. This information assists in keeping Windows up to date. - -The following fields are available: - -- **FailureType** The type of error encountered. -- **FileName** The code file in which the error occurred. -- **HResult** The failure error code. -- **LineNumber** The line number in the code file at which the error occurred. -- **ReleaseVer** The version information for the component in which the error occurred. -- **Time** The system time at which the error occurred. - - -### Microsoft.Windows.Sediment.Info.PhaseChange - -The event indicates progress made by the updater. This information assists in keeping Windows up to date. - -The following fields are available: - -- **NewPhase** The phase of progress made. -- **ReleaseVer** The version information for the component in which the change occurred. -- **Time** The system time at which the phase chance occurred. - - -## Setup events - -### SetupPlatformTel.SetupPlatformTelActivityEvent - -This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date. - -The following fields are available: - -- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. -- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. -- **Value** Value associated with the corresponding event name. For example, time-related events will include the system time - - -### SetupPlatformTel.SetupPlatformTelActivityStarted - -This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. - -The following fields are available: - -- **Name** The name of the dynamic update type. Example: GDR driver - - -### SetupPlatformTel.SetupPlatformTelActivityStopped - -This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. - - - -### SetupPlatformTel.SetupPlatformTelEvent - -This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios. - -The following fields are available: - -- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. -- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. -- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. - - -## Software update events - -### SoftwareUpdateClientTelemetry.CheckForUpdates - -Scan process event on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). - -The following fields are available: - -- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. -- **AllowCachedResults** Indicates if the scan allowed using cached results. -- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable -- **BiosFamily** The family of the BIOS (Basic Input Output System). -- **BiosName** The name of the device BIOS. -- **BiosReleaseDate** The release date of the device BIOS. -- **BiosSKUNumber** The sku number of the device BIOS. -- **BIOSVendor** The vendor of the BIOS. -- **BiosVersion** The version of the BIOS. -- **BranchReadinessLevel** The servicing branch configured on the device. -- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated. -- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. -- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. -- **ClientVersion** The version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0. -- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown -- **CurrentMobileOperator** The mobile operator the device is currently connected to. -- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). -- **DeferredUpdates** Update IDs which are currently being deferred until a later time -- **DeviceModel** What is the device model. -- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. -- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. -- **DriverSyncPassPerformed** Were drivers scanned this time? -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. -- **ExtendedMetadataCabUrl** Hostname that is used to download an update. -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. -- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. -- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. -- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days). -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days). -- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). -- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). -- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **IPVersion** Indicates whether the download took place over IPv4 or IPv6 -- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. -- **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. -- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce -- **MSIError** The last error that was encountered during a scan for updates. -- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 -- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete -- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked -- **NumberOfLoop** The number of round trips the scan required -- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan -- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan -- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. -- **Online** Indicates if this was an online scan. -- **PausedUpdates** A list of UpdateIds which that currently being paused. -- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window. -- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window. -- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window. -- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window. -- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced. -- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. -- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days). -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days). -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **ScanDurationInSeconds** The number of seconds a scan took -- **ScanEnqueueTime** The number of seconds it took to initialize a scan -- **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). -- **ServiceUrl** The environment URL a device is configured to scan with -- **ShippingMobileOperator** The mobile operator that a device shipped on. -- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). -- **SyncType** Describes the type of scan the event was -- **SystemBIOSMajorRelease** Major version of the BIOS. -- **SystemBIOSMinorRelease** Minor version of the BIOS. -- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. -- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. -- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - - -### SoftwareUpdateClientTelemetry.Commit - -This event tracks the commit process post the update installation when software update client is trying to update the device. - -The following fields are available: - -- **BiosFamily** Device family as defined in the system BIOS -- **BiosName** Name of the system BIOS -- **BiosReleaseDate** Release date of the system BIOS -- **BiosSKUNumber** Device SKU as defined in the system BIOS -- **BIOSVendor** Vendor of the system BIOS -- **BiosVersion** Version of the system BIOS -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRevisionNumber** Identifies the revision number of the content bundle -- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client -- **ClientVersion** Version number of the software distribution client -- **DeploymentProviderMode** The mode of operation of the update deployment provider. -- **DeviceModel** Device model as defined in the system bios -- **EventInstanceID** A globally unique identifier for event instance -- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. -- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver". -- **FlightId** The specific id of the flight the device is getting -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) -- **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) -- **SystemBIOSMajorRelease** Major release version of the system bios -- **SystemBIOSMinorRelease** Minor release version of the system bios -- **UpdateId** Identifier associated with the specific piece of content -- **WUDeviceID** Unique device id controlled by the software distribution client - - -### SoftwareUpdateClientTelemetry.Download - -Download process event for target update on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). - -The following fields are available: - -- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded. -- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload. -- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. -- **AppXDownloadScope** Indicates the scope of the download for application content. -- **AppXScope** Indicates the scope of the app download. -- **BiosFamily** The family of the BIOS (Basic Input Output System). -- **BiosName** The name of the device BIOS. -- **BiosReleaseDate** The release date of the device BIOS. -- **BiosSKUNumber** The sku number of the device BIOS. -- **BIOSVendor** The vendor of the BIOS. -- **BiosVersion** The version of the BIOS. -- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. -- **BundleId** Identifier associated with the specific content bundle. -- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. -- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). -- **CachedEngineVersion** The version of the “Self-Initiated Healing” (SIH) engine that is cached on the device, if applicable. -- **CallerApplicationName** The name provided by the application that initiated API calls into the software distribution client. -- **CbsDownloadMethod** Indicates whether the download was a full- or a partial-file download. -- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. -- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. -- **CDNId** ID which defines which CDN the software distribution client downloaded the content from. -- **ClientVersion** The version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. -- **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. -- **CurrentMobileOperator** The mobile operator the device is currently connected to. -- **DeviceModel** The model of the device. -- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. -- **DownloadProps** Information about the download operation. -- **DownloadType** Differentiates the download type of “Self-Initiated Healing” (SIH) downloads between Metadata and Payload downloads. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed. -- **EventType** Identifies the type of the event (Child, Bundle, or Driver). -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). -- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. -- **FlightId** The specific ID of the flight (pre-release build) the device is getting. -- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). -- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). -- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. -- **HostName** The hostname URL the content is downloading from. -- **IPVersion** Indicates whether the download took place over IPv4 or IPv6. -- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update -- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. -- **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. -- **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) -- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." -- **PackageFullName** The package name of the content. -- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. -- **PostDnldTime** Time (in seconds) taken to signal download completion after the last job completed downloading the payload. -- **ProcessName** The process name of the application that initiated API calls, in the event where CallerApplicationName was not provided. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background. -- **RegulationReason** The reason that the update is regulated -- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. -- **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. -- **RepeatFailCount** Indicates whether this specific content has previously failed. -- **RepeatFailFlag** Indicates whether this specific content previously failed to download. -- **RevisionNumber** The revision number of the specified piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Windows Store, etc.). -- **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. -- **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. -- **SizeCalcTime** Time (in seconds) taken to calculate the total download size of the payload. -- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). -- **SystemBIOSMajorRelease** Major version of the BIOS. -- **SystemBIOSMinorRelease** Minor version of the BIOS. -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **TargetMetadataVersion** The version of the currently downloading (or most recently downloaded) package. -- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet. -- **TimeToEstablishConnection** Time (in milliseconds) it took to establish the connection prior to beginning downloaded. -- **TotalExpectedBytes** The total size (in Bytes) expected to be downloaded. -- **UpdateId** An identifier associated with the specific piece of content. -- **UpdateID** An identifier associated with the specific piece of content. -- **UpdateImportance** Indicates whether the content was marked as Important, Recommended, or Optional. -- **UsedDO** Indicates whether the download used the Delivery Optimization (DO) service. -- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive. -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - - -### SoftwareUpdateClientTelemetry.DownloadCheckpoint - -This event provides a checkpoint between each of the Windows Update download phases for UUP content - -The following fields are available: - -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client -- **ClientVersion** The version number of the software distribution client -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed -- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver" -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough -- **FileId** A hash that uniquely identifies a file -- **FileName** Name of the downloaded file -- **FlightId** The unique identifier for each flight -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **RevisionNumber** Unique revision number of Update -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.) -- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult) -- **UpdateId** Unique Update ID -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue - - -### SoftwareUpdateClientTelemetry.DownloadHeartbeat - -This event allows tracking of ongoing downloads and contains data to explain the current state of the download - -The following fields are available: - -- **BytesTotal** Total bytes to transfer for this content -- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat -- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client -- **ClientVersion** The version number of the software distribution client -- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat -- **CurrentError** Last (transient) error encountered by the active download -- **DownloadFlags** Flags indicating if power state is ignored -- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing) -- **EventType** Possible values are "Child", "Bundle", or "Driver" -- **FlightId** The unique identifier for each flight -- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered" -- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any -- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any -- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) -- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one -- **ResumeCount** Number of times this active download has resumed from a suspended state -- **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) -- **SuspendCount** Number of times this active download has entered a suspended state -- **SuspendReason** Last reason for why this active download entered a suspended state -- **UpdateId** Identifier associated with the specific piece of content -- **WUDeviceID** Unique device id controlled by the software distribution client - - -### SoftwareUpdateClientTelemetry.Install - -This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date. - -The following fields are available: - -- **BiosFamily** The family of the BIOS (Basic Input Output System). -- **BiosName** The name of the device BIOS. -- **BiosReleaseDate** The release date of the device BIOS. -- **BiosSKUNumber** The sku number of the device BIOS. -- **BIOSVendor** The vendor of the BIOS. -- **BiosVersion** The version of the BIOS. -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. -- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to install. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **ClientVersion** The version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0. -- **CSIErrorType** The stage of CBS installation where it failed. -- **CurrentMobileOperator** The mobile operator to which the device is currently connected. -- **DeploymentProviderMode** The mode of operation of the update deployment provider. -- **DeviceModel** The device model. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. -- **EventType** Possible values are Child, Bundle, or Driver. -- **ExtendedErrorCode** The extended error code. -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBranch** The branch that a device is on if participating in the Windows Insider Program. -- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **FlightRing** The ring that a device is on if participating in the Windows Insider Program. -- **HandlerType** Indicates what kind of content is being installed (for example, app, driver, Windows update). -- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. -- **InstallProps** A bitmask for future flags associated with the install operation. No value is currently reported in this field. Expected value for this field is 0. -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **IsDependentSet** Indicates whether the driver is part of a larger System Hardware/Firmware update. -- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. -- **IsFirmware** Indicates whether this update is a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. -- **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. -- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. -- **MsiAction** The stage of MSI installation where it failed. -- **MsiProductCode** The unique identifier of the MSI installer. -- **PackageFullName** The package name of the content being installed. -- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced. -- **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. -- **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. -- **RevisionNumber** The revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). -- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. -- **ShippingMobileOperator** The mobile operator that a device shipped on. -- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). -- **SystemBIOSMajorRelease** Major version of the BIOS. -- **SystemBIOSMinorRelease** Minor version of the BIOS. -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **TransactionCode** The ID that represents a given MSI installation. -- **UpdateId** Unique update ID. -- **UpdateID** An identifier associated with the specific piece of content. -- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. -- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive. -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - - -### SoftwareUpdateClientTelemetry.Revert - -Revert event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). - -The following fields are available: - -- **BundleId** Identifier associated with the specific content bundle. Should not be all zeros if the BundleId was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **CSIErrorType** Stage of CBS installation that failed. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). -- **EventType** Event type (Child, Bundle, Release, or Driver). -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of the flight. -- **FlightId** The specific ID of the flight the device is getting. -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). -- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. -- **IsFirmware** Indicates whether an update was a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. -- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **UpdateId** The identifier associated with the specific piece of content. -- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). -- **UsedSystemVolume** Indicates whether the device's main system storage drive or an alternate storage drive was used. -- **WUDeviceID** Unique device ID controlled by the software distribution client. - - -### SoftwareUpdateClientTelemetry.TaskRun - -Start event for Server Initiated Healing client. See EventScenario field for specifics (for example, started/completed). - -The following fields are available: - -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClientVersion** Version number of the software distribution client. -- **CmdLineArgs** Command line arguments passed in by the caller. -- **EventInstanceID** A globally unique identifier for the event instance. -- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **WUDeviceID** Unique device ID controlled by the software distribution client. - - -### SoftwareUpdateClientTelemetry.Uninstall - -Uninstall event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). - -The following fields are available: - -- **BundleId** The identifier associated with the specific content bundle. This should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** Name of the application making the Windows Update request. Used to identify context of request. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers when a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of the event (a scan started, succeded, failed, etc.). -- **EventType** Indicates the event type. Possible values are "Child", "Bundle", "Release" or "Driver". -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of the flight. -- **FlightId** The specific ID of the flight the device is getting. -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). -- **HardwareId** If the download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. -- **IsFirmware** Indicates whether an update was a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. -- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific piece of content previously failed. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **UpdateId** Identifier associated with the specific piece of content. -- **UpdateImportance** Indicates the importance of a driver and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). -- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. -- **WUDeviceID** Unique device ID controlled by the software distribution client. - - -### SoftwareUpdateClientTelemetry.UpdateDetected - -This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates. - -The following fields are available: - -- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable. -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). -- **WUDeviceID** The unique device ID controlled by the software distribution client. - - -### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity - -Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. - -The following fields are available: - -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments. -- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed. -- **ExtendedStatusCode** The secondary status code of the event. -- **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed. -- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. -- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce -- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID). -- **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable. -- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. -- **RevisionId** The revision ID for a specific piece of content. -- **RevisionNumber** The revision number for a specific piece of content. -- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store -- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. -- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. -- **SHA256OfTimestampToken** An encoded string of the timestamp token. -- **SignatureAlgorithm** The hash algorithm for the metadata signature. -- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast -- **StatusCode** The status code of the event. -- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token. -- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed. -- **UpdateId** The update ID for a specific piece of content. -- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. - - -## System Resource Usage Monitor events - -### Microsoft.Windows.Srum.Sdp.CpuUsage - -This event provides information on CPU usage. - -The following fields are available: - -- **UsageMax** The maximum of hourly average CPU usage. -- **UsageMean** The mean of hourly average CPU usage. -- **UsageMedian** The median of hourly average CPU usage. -- **UsageTwoHourMaxMean** The mean of the maximum of every two hour of hourly average CPU usage. -- **UsageTwoHourMedianMean** The mean of the median of every two hour of hourly average CPU usage. - - -### Microsoft.Windows.Srum.Sdp.NetworkUsage - -This event provides information on network usage. - -The following fields are available: - -- **AdapterGuid** The unique ID of the adapter. -- **BytesTotalMax** The maximum of the hourly average bytes total. -- **BytesTotalMean** The mean of the hourly average bytes total. -- **BytesTotalMedian** The median of the hourly average bytes total. -- **BytesTotalTwoHourMaxMean** The mean of the maximum of every two hours of hourly average bytes total. -- **BytesTotalTwoHourMedianMean** The mean of the median of every two hour of hourly average bytes total. -- **LinkSpeed** The adapter link speed. - - -## Update events - -### Update360Telemetry.Revert - -This event sends data relating to the Revert phase of updating Windows. - -The following fields are available: - -- **ErrorCode** The error code returned for the Revert phase. -- **FlightId** Unique ID for the flight (test instance version). -- **ObjectId** The unique value for each Update Agent mode. -- **RebootRequired** Indicates reboot is required. -- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. -- **Result** The HResult of the event. -- **RevertResult** The result code returned for the Revert operation. -- **ScenarioId** The ID of the update scenario. -- **SessionId** The ID of the update attempt. -- **UpdateId** The ID of the update. - - -### Update360Telemetry.UpdateAgentCommit - -This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **ErrorCode** The error code returned for the current install phase. -- **FlightId** Unique ID for each flight. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** Outcome of the install phase of the update. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentDownloadRequest - -This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. - -The following fields are available: - -- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted. -- **DownloadRequests** Number of times a download was retried. -- **ErrorCode** The error code returned for the current download request phase. -- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. -- **FlightId** Unique ID for each flight. -- **InternalFailureResult** Indicates a non-fatal error from a plugin. -- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). -- **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable. -- **PackageCountOptional** Number of optional packages requested. -- **PackageCountRequired** Number of required packages requested. -- **PackageCountTotal** Total number of packages needed. -- **PackageCountTotalCanonical** Total number of canonical packages. -- **PackageCountTotalDiff** Total number of diff packages. -- **PackageCountTotalExpress** Total number of express packages. -- **PackageExpressType** Type of express package. -- **PackageSizeCanonical** Size of canonical packages in bytes. -- **PackageSizeDiff** Size of diff packages in bytes. -- **PackageSizeExpress** Size of express packages in bytes. -- **RangeRequestState** Indicates the range request type used. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** Outcome of the download request phase of update. -- **SandboxTaggedForReserves** The sandbox for reserves. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases). -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentExpand - -This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **ElapsedTickCount** Time taken for expand phase. -- **EndFreeSpace** Free space after expand phase. -- **EndSandboxSize** Sandbox size after expand phase. -- **ErrorCode** The error code returned for the current install phase. -- **FlightId** Unique ID for each flight. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **StartFreeSpace** Free space before expand phase. -- **StartSandboxSize** Sandbox size after expand phase. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentFellBackToCanonical - -This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **FlightId** Unique ID for each flight. -- **ObjectId** Unique value for each Update Agent mode. -- **PackageCount** Number of packages that feel back to canonical. -- **PackageList** PackageIds which fell back to canonical. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentInitialize - -This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. - -The following fields are available: - -- **ErrorCode** The error code returned for the current install phase. -- **FlightId** Unique ID for each flight. -- **FlightMetadata** Contains the FlightId and the build being flighted. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** Outcome of the install phase of the update. -- **ScenarioId** Indicates the update scenario. -- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios). -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentInstall - -This event sends data for the install phase of updating Windows. - -The following fields are available: - -- **ErrorCode** The error code returned for the current install phase. -- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. -- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). -- **InternalFailureResult** Indicates a non-fatal error from a plugin. -- **ObjectId** Correlation vector value generated from the latest USO scan. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** The result for the current install phase. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentMerge - -The UpdateAgentMerge event sends data on the merge phase when updating Windows. - -The following fields are available: - -- **ErrorCode** The error code returned for the current merge phase. -- **FlightId** Unique ID for each flight. -- **MergeId** The unique ID to join two update sessions being merged. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Related correlation vector value. -- **Result** Outcome of the merge phase of the update. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentMitigationResult - -This event sends data indicating the result of each update agent mitigation. - -The following fields are available: - -- **Applicable** Indicates whether the mitigation is applicable for the current update. -- **CommandCount** The number of command operations in the mitigation entry. -- **CustomCount** The number of custom operations in the mitigation entry. -- **FileCount** The number of file operations in the mitigation entry. -- **FlightId** Unique identifier for each flight. -- **Index** The mitigation index of this particular mitigation. -- **MitigationScenario** The update scenario in which the mitigation was executed. -- **Name** The friendly name of the mitigation. -- **ObjectId** Unique value for each Update Agent mode. -- **OperationIndex** The mitigation operation index (in the event of a failure). -- **OperationName** The friendly name of the mitigation operation (in the event of failure). -- **RegistryCount** The number of registry operations in the mitigation entry. -- **RelatedCV** The correlation vector value generated from the latest USO scan. -- **Result** The HResult of this operation. -- **ScenarioId** The update agent scenario ID. -- **SessionId** Unique value for each update attempt. -- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). -- **UpdateId** Unique ID for each Update. - - -### Update360Telemetry.UpdateAgentMitigationSummary - -This event sends a summary of all the update agent mitigations available for an this update. - -The following fields are available: - -- **Applicable** The count of mitigations that were applicable to the system and scenario. -- **Failed** The count of mitigations that failed. -- **FlightId** Unique identifier for each flight. -- **MitigationScenario** The update scenario in which the mitigations were attempted. -- **ObjectId** The unique value for each Update Agent mode. -- **RelatedCV** The correlation vector value generated from the latest USO scan. -- **Result** The HResult of this operation. -- **ScenarioId** The update agent scenario ID. -- **SessionId** Unique value for each update attempt. -- **TimeDiff** The amount of time spent performing all mitigations (in 100-nanosecond increments). -- **Total** Total number of mitigations that were available. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentModeStart - -This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. - -The following fields are available: - -- **FlightId** Unique ID for each flight. -- **Mode** Indicates the mode that has started. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. -- **Version** Version of update - - -### Update360Telemetry.UpdateAgentOneSettings - -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **Count** The count of applicable OneSettings for the device. -- **FlightId** Unique ID for the flight (test instance version). -- **ObjectId** The unique value for each Update Agent mode. -- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. -- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. -- **Result** The HResult of the event. -- **ScenarioId** The ID of the update scenario. -- **SessionId** The ID of the update attempt. -- **UpdateId** The ID of the update. -- **Values** The values sent back to the device, if applicable. - - -### Update360Telemetry.UpdateAgentPostRebootResult - -This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. - -The following fields are available: - -- **ErrorCode** The error code returned for the current post reboot phase. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **ObjectId** Unique value for each Update Agent mode. -- **PostRebootResult** Indicates the Hresult. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentReboot - -This event sends information indicating that a request has been sent to suspend an update. - -The following fields are available: - -- **ErrorCode** The error code returned for the current reboot. -- **FlightId** Unique ID for the flight (test instance version). -- **ObjectId** The unique value for each Update Agent mode. -- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. -- **Result** The HResult of the event. -- **ScenarioId** The ID of the update scenario. -- **SessionId** The ID of the update attempt. -- **UpdateId** The ID of the update. - - -### Update360Telemetry.UpdateAgentSetupBoxLaunch - -The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. - -The following fields are available: - -- **ContainsExpressPackage** Indicates whether the download package is express. -- **FlightId** Unique ID for each flight. -- **FreeSpace** Free space on OS partition. -- **InstallCount** Number of install attempts using the same sandbox. -- **ObjectId** Unique value for each Update Agent mode. -- **Quiet** Indicates whether setup is running in quiet mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **SandboxSize** Size of the sandbox. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **SetupMode** Mode of setup to be launched. -- **UpdateId** Unique ID for each Update. -- **UserSession** Indicates whether install was invoked by user actions. - - -## Update notification events - -### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat - -This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat. - -The following fields are available: - -- **CampaignConfigVersion** Configuration version for the current campaign. -- **CampaignID** Currently campaign that is running on Update Notification Pipeline (UNP). -- **ConfigCatalogVersion** Current catalog version of UNP. -- **ContentVersion** Content version for the current campaign on UNP. -- **CV** Correlation vector. -- **DetectorVersion** Most recently run detector version for the current campaign on UNP. -- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user. -- **PackageVersion** Current UNP package version. - - -## Upgrade events - -### FacilitatorTelemetry.DCATDownload - -This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **DownloadSize** Download size of payload. -- **ElapsedTime** Time taken to download payload. -- **MediaFallbackUsed** Used to determine if we used Media CompDBs to figure out package requirements for the upgrade. -- **ResultCode** Result returned by the Facilitator DCAT call. -- **Scenario** Dynamic update scenario (Image DU, or Setup DU). -- **Type** Type of package that was downloaded. -- **UpdateId** The ID of the update that was downloaded. - - -### FacilitatorTelemetry.DUDownload - -This event returns data about the download of supplemental packages critical to upgrading a device to the next version of Windows. - -The following fields are available: - -- **DownloadRequestAttributes** The attributes sent for download. -- **PackageCategoriesFailed** Lists the categories of packages that failed to download. -- **PackageCategoriesSkipped** Lists the categories of package downloads that were skipped. -- **ResultCode** The result of the event execution. -- **Scenario** Identifies the active Download scenario. -- **Url** The URL the download request was sent to. -- **Version** Identifies the version of Facilitator used. - - -### FacilitatorTelemetry.InitializeDU - -This event determines whether devices received additional or critical supplemental content during an OS upgrade. - -The following fields are available: - -- **DCATUrl** The Delivery Catalog (DCAT) URL we send the request to. -- **DownloadRequestAttributes** The attributes we send to DCAT. -- **ResultCode** The result returned from the initiation of Facilitator with the URL/attributes. -- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). -- **Url** The Delivery Catalog (DCAT) URL we send the request to. -- **Version** Version of Facilitator. - - -### Setup360Telemetry.Downlevel - -This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the downlevel OS. -- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** More detailed information about phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback). -- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors). -- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT). -- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). -- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** An ID that uniquely identifies a group of events. -- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId. - - -### Setup360Telemetry.Finalize - -This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe -- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** More detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** ID that uniquely identifies a group of events. -- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. - - -### Setup360Telemetry.OsUninstall - -This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall. - -The following fields are available: - -- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** ID that uniquely identifies a group of events. -- **WuId** Windows Update client ID. - - -### Setup360Telemetry.PostRebootInstall - -This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help keep Windows up-to-date. - -The following fields are available: - -- **ClientId** With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback -- **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled -- **TestId** A string to uniquely identify a group of events. -- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId. - - -### Setup360Telemetry.PreDownloadQuiet - -This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help keep Windows up to date. - -The following fields are available: - -- **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. -- **TestId** ID that uniquely identifies a group of events. -- **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId. - - -### Setup360Telemetry.PreDownloadUX - -This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS, to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion of the update process. - -The following fields are available: - -- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **HostOSBuildNumber** The build number of the previous operating system. -- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). -- **InstanceId** Unique GUID that identifies each instance of setuphost.exe. -- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). -- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** ID that uniquely identifies a group of events. -- **WuId** Windows Update client ID. - - -### Setup360Telemetry.PreInstallQuiet - -This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up-to-date. - -The following fields are available: - -- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe -- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. -- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT). -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** A string to uniquely identify a group of events. -- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. - - -### Setup360Telemetry.PreInstallUX - -This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process. - -The following fields are available: - -- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** A string to uniquely identify a group of events. -- **WuId** Windows Update client ID. - - -### Setup360Telemetry.Setup360 - -This event sends data about OS deployment scenarios, to help keep Windows up-to-date. - -The following fields are available: - -- **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FieldName** Retrieves the data point. -- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. -- **InstanceId** Retrieves a unique identifier for each instance of a setup session. -- **ReportId** Retrieves the report ID. -- **ScenarioId** Retrieves the deployment scenario. -- **Value** Retrieves the value associated with the corresponding FieldName. - - -### Setup360Telemetry.Setup360DynamicUpdate - -This event helps determine whether the device received supplemental content during an operating system upgrade, to help keep Windows up-to-date. - -The following fields are available: - -- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. -- **InstanceId** Retrieves a unique identifier for each instance of a setup session. -- **Operation** Facilitator’s last known operation (scan, download, etc.). -- **ReportId** ID for tying together events stream side. -- **ResultCode** Result returned for the entire setup operation. -- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). -- **ScenarioId** Identifies the update scenario. -- **TargetBranch** Branch of the target OS. -- **TargetBuild** Build of the target OS. - - -### Setup360Telemetry.Setup360MitigationResult - -This event sends data indicating the result of each setup mitigation. - -The following fields are available: - -- **Applicable** TRUE if the mitigation is applicable for the current update. -- **ClientId** In the Windows Update scenario, this is the client ID passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **CommandCount** The number of command operations in the mitigation entry. -- **CustomCount** The number of custom operations in the mitigation entry. -- **FileCount** The number of file operations in the mitigation entry. -- **FlightData** The unique identifier for each flight (test release). -- **Index** The mitigation index of this particular mitigation. -- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. -- **MitigationScenario** The update scenario in which the mitigation was executed. -- **Name** The friendly (descriptive) name of the mitigation. -- **OperationIndex** The mitigation operation index (in the event of a failure). -- **OperationName** The friendly (descriptive) name of the mitigation operation (in the event of failure). -- **RegistryCount** The number of registry operations in the mitigation entry. -- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. -- **Result** HResult of this operation. -- **ScenarioId** Setup360 flow type. -- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). - - -### Setup360Telemetry.Setup360MitigationSummary - -This event sends a summary of all the setup mitigations available for this update. - -The following fields are available: - -- **Applicable** The count of mitigations that were applicable to the system and scenario. -- **ClientId** The Windows Update client ID passed to Setup. -- **Failed** The count of mitigations that failed. -- **FlightData** The unique identifier for each flight (test release). -- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. -- **MitigationScenario** The update scenario in which the mitigations were attempted. -- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. -- **Result** HResult of this operation. -- **ScenarioId** Setup360 flow type. -- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). -- **Total** The total number of mitigations that were available. - - -### Setup360Telemetry.Setup360OneSettings - -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **ClientId** The Windows Update client ID passed to Setup. -- **Count** The count of applicable OneSettings for the device. -- **FlightData** The ID for the flight (test instance version). -- **InstanceId** The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe. -- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. -- **ReportId** The Update ID passed to Setup. -- **Result** The HResult of the event error. -- **ScenarioId** The update scenario ID. -- **Values** Values sent back to the device, if applicable. - - -### Setup360Telemetry.UnexpectedEvent - -This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date. - -The following fields are available: - -- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe -- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** A string to uniquely identify a group of events. -- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. - - -## Windows as a Service diagnostic events - -### Microsoft.Windows.WaaSMedic.SummaryEvent - -Result of the WaaSMedic operation. - -The following fields are available: - -- **callerApplication** The name of the calling application. -- **detectionSummary** Result of each applicable detection that was run. -- **featureAssessmentImpact** WaaS Assessment impact for feature updates. -- **hrEngineResult** Error code from the engine operation. -- **insufficientSessions** Device not eligible for diagnostics. -- **isInteractiveMode** The user started a run of WaaSMedic. -- **isManaged** Device is managed for updates. -- **isWUConnected** Device is connected to Windows Update. -- **noMoreActions** No more applicable diagnostics. -- **qualityAssessmentImpact** WaaS Assessment impact for quality updates. -- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on. -- **usingBackupFeatureAssessment** Relying on backup feature assessment. -- **usingBackupQualityAssessment** Relying on backup quality assessment. -- **usingCachedFeatureAssessment** WaaS Medic run did not get OS build age from the network on the previous run. -- **usingCachedQualityAssessment** WaaS Medic run did not get OS revision age from the network on the previous run. -- **versionString** Version of the WaaSMedic engine. -- **waasMedicRunMode** Indicates whether this was a background regular run of the medic or whether it was triggered by a user launching Windows Update Troubleshooter. - - -## Windows Error Reporting events - -### Microsoft.Windows.WERVertical.OSCrash - -This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. - -The following fields are available: - -- **BootId** Uint32 identifying the boot number for this device. -- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check. -- **BugCheckParameter1** Uint64 parameter providing additional information. -- **BugCheckParameter2** Uint64 parameter providing additional information. -- **BugCheckParameter3** Uint64 parameter providing additional information. -- **BugCheckParameter4** Uint64 parameter providing additional information. -- **DumpFileAttributes** Codes that identify the type of data contained in the dump file -- **DumpFileSize** Size of the dump file -- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise -- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). - - -## Windows Error Reporting MTT events - -### Microsoft.Windows.WER.MTT.Denominator - -This event provides a denominator to calculate MTTF (mean-time-to-failure) for crashes and other errors, to help keep Windows up to date. - -The following fields are available: - -- **DPRange** Maximum mean value range. -- **DPValue** Randomized bit value (0 or 1) that can be reconstituted over a large population to estimate the mean. -- **Value** Standard UTC emitted DP value structure See [Value](#value). - - -### Value - -This event returns data about Mean Time to Failure (MTTF) for Windows devices. It is the primary means of estimating reliability problems in Basic Diagnostic reporting with very strong privacy guarantees. Since Basic Diagnostic reporting does not include system up-time, and since that information is important to ensuring the safe and stable operation of Windows, the data provided by this event provides that data in a manner which does not threaten a user’s privacy. - -The following fields are available: - -- **Algorithm** The algorithm used to preserve privacy. -- **DPRange** The upper bound of the range being measured. -- **DPValue** The randomized response returned by the client. -- **Epsilon** The level of privacy to be applied. -- **HistType** The histogram type if the algorithm is a histogram algorithm. -- **PertProb** The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”. - - -## Windows Store events - -### Microsoft.Windows.Store.StoreActivating - -This event sends tracking data about when the Store app activation via protocol URI is in progress, to help keep Windows up to date. - - - -### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation - -This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** Number of retry attempts before it was canceled. -- **BundleId** The Item Bundle ID. -- **CategoryId** The Item Category ID. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed before this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Was this requested by a user? -- **IsMandatory** Was this a mandatory update? -- **IsRemediation** Was this a remediation install? -- **IsRestore** Is this automatically restoring a previously acquired product? -- **IsUpdate** Flag indicating if this is an update. -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The product family name of the product being installed. -- **ProductId** The identity of the package or packages being installed. -- **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled. -- **UserAttemptNumber** The total number of user attempts at installation before it was canceled. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds - -This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure. - - - -### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare - -This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure. - - - -### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation - -This event is sent when an app update or installation is canceled while in interactive mode. This can be canceled by the user or the system. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed. -- **AttemptNumber** Total number of installation attempts. -- **BundleId** The identity of the Windows Insider build that is associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Was this requested by a user? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this an automatic restore of a previously acquired product? -- **IsUpdate** Is this a product update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of all packages to be downloaded and installed. -- **PreviousHResult** The previous HResult code. -- **PreviousInstallState** Previous installation state before it was canceled. -- **ProductId** The name of the package or packages requested for installation. -- **RelatedCV** Correlation Vector of a previous performed action on this product. -- **SystemAttemptNumber** Total number of automatic attempts to install before it was canceled. -- **UserAttemptNumber** Total number of user attempts to install before it was canceled. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest - -This event is sent at the end of app installations or updates to help keep Windows up-to-date and secure. - -The following fields are available: - -- **CatalogId** The Store Product ID of the app being installed. -- **HResult** HResult code of the action being performed. -- **IsBundle** Is this a bundle? -- **PackageFamilyName** The name of the package being installed. -- **ProductId** The Store Product ID of the product being installed. -- **SkuId** Specific edition of the item being installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense - -This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set. -- **AttemptNumber** The total number of attempts to acquire this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** HResult code to show the result of the operation (success/failure). -- **IsBundle** Is this a bundle? -- **IsInteractive** Did the user initiate the installation? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this happening after a device restore? -- **IsUpdate** Is this an update? -- **PFN** Product Family Name of the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The number of attempts by the system to acquire this product. -- **UserAttemptNumber** The number of attempts by the user to acquire this product -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndDownload - -This event is sent after an app is downloaded to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. -- **AttemptNumber** Number of retry attempts before it was canceled. -- **BundleId** The identity of the Windows Insider build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **DownloadSize** The total size of the download. -- **ExtendedHResult** Any extended HResult error codes. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this initiated by the user? -- **IsMandatory** Is this a mandatory installation? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this a restore of a previously acquired product? -- **IsUpdate** Is this an update? -- **ParentBundleId** The parent bundle ID (if it's part of a bundle). -- **PFN** The Product Family Name of the app being download. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The number of attempts by the system to download. -- **UserAttemptNumber** The number of attempts by the user to download. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate - -This event is sent when an app update requires an updated Framework package and the process starts to download it. It is used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **HResult** The result code of the last action performed before this operation. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds - -This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **HResult** The result code of the last action performed before this operation. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndInstall - -This event is sent after a product has been installed to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **ExtendedHResult** The extended HResult error code. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this an interactive installation? -- **IsMandatory** Is this a mandatory installation? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this automatically restoring a previously acquired product? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** Product Family Name of the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates - -This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed. -- **IsApplicability** Is this request to only check if there are any applicable packages to install? -- **IsInteractive** Is this user requested? -- **IsOnline** Is the request doing an online check? - - -### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages - -This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The total number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of the package or packages requested for install. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData - -This event is sent after restoring user data (if any) that needs to be restored following a product install. It is used to keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. -- **AttemptNumber** The total number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of the package or packages requested for install. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of system attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare - -This event is sent after a scan for available app updates to help keep Windows up-to-date and secure. - -The following fields are available: - -- **HResult** The result code of the last action performed. - - -### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete - -This event is sent at the end of an app install or update to help keep Windows up-to-date and secure. - -The following fields are available: - -- **CatalogId** The name of the product catalog from which this app was chosen. -- **FailedRetry** Indicates whether the installation or update retry was successful. -- **HResult** The HResult code of the operation. -- **PFN** The Package Family Name of the app that is being installed or updated. -- **ProductId** The product ID of the app that is being updated or installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate - -This event is sent at the beginning of an app install or update to help keep Windows up-to-date and secure. - -The following fields are available: - -- **CatalogId** The name of the product catalog from which this app was chosen. -- **FulfillmentPluginId** The ID of the plugin needed to install the package type of the product. -- **PFN** The Package Family Name of the app that is being installed or updated. -- **PluginTelemetryData** Diagnostic information specific to the package-type plug-in. -- **ProductId** The product ID of the app that is being updated or installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest - -This event is sent when a product install or update is initiated, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **BundleId** The identity of the build associated with this product. -- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SkuId** Specific edition ID being installed. -- **VolumePath** The disk path of the installation. - - -### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation - -This event is sent when a product install or update is paused (either by a user or the system), to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The total number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The Product Full Name. -- **PreviousHResult** The result code of the last action performed before this operation. -- **PreviousInstallState** Previous state before the installation or update was paused. -- **ProductId** The Store Product ID for the product being installed. -- **RelatedCV** Correlation Vector of a previous performed action on this product. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation - -This event is sent when a product install or update is resumed (either by a user or the system), to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed before this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **IsUserRetry** Did the user initiate the retry? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of the package or packages requested for install. -- **PreviousHResult** The previous HResult error code. -- **PreviousInstallState** Previous state before the installation was paused. -- **ProductId** The Store Product ID for the product being installed. -- **RelatedCV** Correlation Vector for the original install before it was resumed. -- **ResumeClientId** The ID of the app that initiated the resume operation. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest - -This event is sent when a product install or update is resumed by a user or on installation retries, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **ProductId** The Store Product ID for the product being installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest - -This event is sent when searching for update packages to install, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **CatalogId** The Store Catalog ID for the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SkuId** Specfic edition of the app being updated. - - -### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest - -This event occurs when an update is requested for an app, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **PFamN** The name of the app that is requested for update. - - -## Windows System Kit events - -### Microsoft.Windows.Kits.WSK.WskImageCreate - -This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures. - -The following fields are available: - -- **Phase** The image creation phase. Values are “Start” or “End”. -- **WskVersion** The version of the Windows System Kit being used. - - -### Microsoft.Windows.Kits.WSK.WskImageCustomization - -This event sends simple Product and Service usage data when a user is using the Windows System Kit to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures. - -The following fields are available: - -- **CustomizationMode** Indicates the mode of the customization (new or updating). -- **CustomizationType** Indicates the type of customization (drivers or apps). -- **Mode** The mode of update to image configuration files. Values are “New” or “Update”. -- **Phase** The image creation phase. Values are “Start” or “End”. -- **Type** The type of update to image configuration files. Values are “Apps” or “Drivers”. -- **WskVersion** The version of the Windows System Kit being used. - - -### Microsoft.Windows.Kits.WSK.WskWorkspaceCreate - -This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new workspace for generating OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate workspace creation failures. - -The following fields are available: - -- **Architecture** The OS architecture that the workspace will target. Values are one of: “AMD64”, “ARM64”, “x86”, or “ARM”. -- **OsEdition** The Operating System Edition that the workspace will target. -- **Phase** The image creation phase. Values are “Start” or “End”. -- **WorkspaceArchitecture** The operating system architecture that the workspace will target. -- **WorkspaceOsEdition** The operating system edition that the workspace will target. -- **WskVersion** The version of the Windows System Kit being used. - - -## Windows Update Delivery Optimization events - -### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled - -This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **background** Is the download being done in the background? -- **bytesFromCacheServer** Bytes received from a cache host. -- **bytesFromCDN** The number of bytes received from a CDN source. -- **bytesFromGroupPeers** The number of bytes received from a peer in the same group. -- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group. -- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. -- **bytesFromPeers** The number of bytes received from a peer in the same LAN. -- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. -- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. -- **cdnIp** The IP Address of the source CDN (Content Delivery Network). -- **cdnUrl** The URL of the source CDN (Content Delivery Network). -- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. -- **errorCode** The error code that was returned. -- **experimentId** When running a test, this is used to correlate events that are part of the same test. -- **fileID** The ID of the file being downloaded. -- **gCurMemoryStreamBytes** Current usage for memory streaming. -- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. -- **isVpn** Indicates whether the device is connected to a VPN (Virtual Private Network). -- **jobID** Identifier for the Windows Update job. -- **predefinedCallerName** The name of the API Caller. -- **reasonCode** Reason the action or event occurred. -- **routeToCacheServer** The cache server setting, source, and value. -- **sessionID** The ID of the file download session. -- **updateID** The ID of the update being downloaded. -- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. - - -### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted - -This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **background** Is the download a background download? -- **bytesFromCacheServer** Bytes received from a cache host. -- **bytesFromCDN** The number of bytes received from a CDN source. -- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. -- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. -- **bytesFromLinkLocalPeers** The number of bytes received from local peers. -- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. -- **bytesFromPeers** The number of bytes received from a peer in the same LAN. -- **bytesRequested** The total number of bytes requested for download. -- **cacheServerConnectionCount** Number of connections made to cache hosts. -- **cdnConnectionCount** The total number of connections made to the CDN. -- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. -- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. -- **cdnIp** The IP address of the source CDN. -- **cdnUrl** Url of the source Content Distribution Network (CDN). -- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. -- **doErrorCode** The Delivery Optimization error code that was returned. -- **downlinkBps** The maximum measured available download bandwidth (in bytes per second). -- **downlinkUsageBps** The download speed (in bytes per second). -- **downloadMode** The download mode used for this file download session. -- **downloadModeReason** Reason for the download. -- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). -- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **fileID** The ID of the file being downloaded. -- **fileSize** The size of the file being downloaded. -- **gCurMemoryStreamBytes** Current usage for memory streaming. -- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. -- **groupConnectionCount** The total number of connections made to peers in the same group. -- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group. -- **isEncrypted** TRUE if the file is encrypted and will be decrypted after download. -- **isVpn** Is the device connected to a Virtual Private Network? -- **jobID** Identifier for the Windows Update job. -- **lanConnectionCount** The total number of connections made to peers in the same LAN. -- **linkLocalConnectionCount** The number of connections made to peers in the same Link-local network. -- **numPeers** The total number of peers used for this download. -- **numPeersLocal** The total number of local peers used for this download. -- **predefinedCallerName** The name of the API Caller. -- **restrictedUpload** Is the upload restricted? -- **routeToCacheServer** The cache server setting, source, and value. -- **sessionID** The ID of the download session. -- **totalTimeMs** Duration of the download (in seconds). -- **updateID** The ID of the update being downloaded. -- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). -- **uplinkUsageBps** The upload speed (in bytes per second). -- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. - - -### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused - -This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **background** Is the download a background download? -- **cdnUrl** The URL of the source CDN (Content Delivery Network). -- **errorCode** The error code that was returned. -- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **fileID** The ID of the file being paused. -- **isVpn** Is the device connected to a Virtual Private Network? -- **jobID** Identifier for the Windows Update job. -- **predefinedCallerName** The name of the API Caller object. -- **reasonCode** The reason for pausing the download. -- **routeToCacheServer** The cache server setting, source, and value. -- **sessionID** The ID of the download session. -- **updateID** The ID of the update being paused. - - -### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted - -This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **background** Indicates whether the download is happening in the background. -- **bytesRequested** Number of bytes requested for the download. -- **cdnUrl** The URL of the source Content Distribution Network (CDN). -- **costFlags** A set of flags representing network cost. -- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). -- **diceRoll** Random number used for determining if a client will use peering. -- **doClientVersion** The version of the Delivery Optimization client. -- **doErrorCode** The Delivery Optimization error code that was returned. -- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). -- **downloadModeReason** Reason for the download. -- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). -- **errorCode** The error code that was returned. -- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing. -- **fileID** The ID of the file being downloaded. -- **filePath** The path to where the downloaded file will be written. -- **fileSize** Total file size of the file that was downloaded. -- **fileSizeCaller** Value for total file size provided by our caller. -- **groupID** ID for the group. -- **isEncrypted** Indicates whether the download is encrypted. -- **isVpn** Indicates whether the device is connected to a Virtual Private Network. -- **jobID** The ID of the Windows Update job. -- **peerID** The ID for this delivery optimization client. -- **predefinedCallerName** Name of the API caller. -- **routeToCacheServer** Cache server setting, source, and value. -- **sessionID** The ID for the file download session. -- **setConfigs** A JSON representation of the configurations that have been set, and their sources. -- **updateID** The ID of the update being downloaded. -- **usedMemoryStream** Indicates whether the download used memory streaming. - - -### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication - -This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **cdnHeaders** The HTTP headers returned by the CDN. -- **cdnIp** The IP address of the CDN. -- **cdnUrl** The URL of the CDN. -- **errorCode** The error code that was returned. -- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered. -- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **fileID** The ID of the file being downloaded. -- **httpStatusCode** The HTTP status code returned by the CDN. -- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET -- **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.). -- **requestOffset** The byte offset within the file in the sent request. -- **requestSize** The size of the range requested from the CDN. -- **responseSize** The size of the range response received from the CDN. -- **sessionID** The ID of the download session. - - -### Microsoft.OSG.DU.DeliveryOptClient.JobError - -This event represents a Windows Update job error. It allows for investigation of top errors. - -The following fields are available: - -- **cdnIp** The IP Address of the source CDN (Content Delivery Network). -- **doErrorCode** Error code returned for delivery optimization. -- **errorCode** The error code returned. -- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **fileID** The ID of the file being downloaded. -- **jobID** The Windows Update job ID. - - -## Windows Update events - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary - -This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **activated** Whether the entire device manifest update is considered activated and in use. -- **analysisErrorCount** The number of driver packages that could not be analyzed because errors occurred during analysis. -- **flightId** Unique ID for each flight. -- **missingDriverCount** The number of driver packages delivered by the device manifest that are missing from the system. -- **missingUpdateCount** The number of updates in the device manifest that are missing from the system. -- **objectId** Unique value for each diagnostics session. -- **publishedCount** The number of drivers packages delivered by the device manifest that are published and available to be used on devices. -- **relatedCV** Correlation vector value generated from the latest USO scan. -- **scenarioId** Indicates the update scenario. -- **sessionId** Unique value for each update session. -- **summary** A summary string that contains basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match. -- **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string. -- **truncatedDeviceCount** The number of devices missing from the summary string because there is not enough room in the string. -- **truncatedDriverCount** The number of driver packages missing from the summary string because there is not enough room in the string. -- **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices. -- **updateId** The unique ID for each update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit - -This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **errorCode** The error code returned for the current session initialization. -- **flightId** The unique identifier for each flight. -- **objectId** The unique GUID for each diagnostics session. -- **relatedCV** A correlation vector value generated from the latest USO scan. -- **result** Outcome of the initialization of the session. -- **scenarioId** Identifies the Update scenario. -- **sessionId** The unique value for each update session. -- **updateId** The unique identifier for each Update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest - -This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted. -- **errorCode** The error code returned for the current session initialization. -- **flightId** The unique identifier for each flight. -- **objectId** Unique value for each Update Agent mode. -- **packageCountOptional** Number of optional packages requested. -- **packageCountRequired** Number of required packages requested. -- **packageCountTotal** Total number of packages needed. -- **packageCountTotalCanonical** Total number of canonical packages. -- **packageCountTotalDiff** Total number of diff packages. -- **packageCountTotalExpress** Total number of express packages. -- **packageSizeCanonical** Size of canonical packages in bytes. -- **packageSizeDiff** Size of diff packages in bytes. -- **packageSizeExpress** Size of express packages in bytes. -- **rangeRequestState** Represents the state of the download range request. -- **relatedCV** Correlation vector value generated from the latest USO scan. -- **result** Result of the download request phase of update. -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. -- **sessionId** Unique value for each Update Agent mode attempt. -- **updateId** Unique ID for each update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize - -This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **errorCode** The error code returned for the current session initialization. -- **flightId** The unique identifier for each flight. -- **flightMetadata** Contains the FlightId and the build being flighted. -- **objectId** Unique value for each Update Agent mode. -- **relatedCV** Correlation vector value generated from the latest USO scan. -- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled. -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. -- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios). -- **sessionId** Unique value for each Update Agent mode attempt. -- **updateId** Unique ID for each update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall - -This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **errorCode** The error code returned for the current install phase. -- **flightId** The unique identifier for each flight (pre-release builds). -- **objectId** The unique identifier for each diagnostics session. -- **relatedCV** Correlation vector value generated from the latest scan. -- **result** Outcome of the install phase of the update. -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate -- **sessionId** The unique identifier for each update session. -- **updateId** The unique identifier for each Update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart - -This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **flightId** The unique identifier for each flight (pre-release builds). -- **mode** Indicates the active Update Agent mode. -- **objectId** Unique value for each diagnostics session. -- **relatedCV** Correlation vector value generated from the latest scan. -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. -- **sessionId** The unique identifier for each update session. -- **updateId** The unique identifier for each Update. - - -### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed - -This event indicates that a notification dialog box is about to be displayed to user. - -The following fields are available: - -- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. -- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before the RebootFailed dialog box is shown. -- **DaysSinceRebootRequired** Number of days since restart was required. -- **DeviceLocalTime** The local time on the device sending the event. -- **EngagedModeLimit** The number of days to switch between DTE dialog boxes. -- **EnterAutoModeLimit** The maximum number of days for a device to enter Auto Reboot mode. -- **ETag** OneSettings versioning value. -- **IsForcedEnabled** Indicates whether Forced Reboot mode is enabled for this device. -- **IsUltimateForcedEnabled** Indicates whether Ultimate Forced Reboot mode is enabled for this device. -- **NotificationUxState** Indicates which dialog box is shown. -- **NotificationUxStateString** Indicates which dialog box is shown. -- **RebootUxState** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). -- **RebootUxStateString** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). -- **RebootVersion** Version of DTE. -- **SkipToAutoModeLimit** The minimum length of time to pass in restart pending before a device can be put into auto mode. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UtcTime** The time the dialog box notification will be displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootAcceptAutoDialog - -This event indicates that the Enhanced Engaged restart "accept automatically" dialog box was displayed. - -The following fields are available: - -- **DeviceLocalTime** The local time on the device sending the event. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the dialog box. -- **RebootVersion** Version of DTE. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that user chose on this dialog box. -- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootFirstReminderDialog - -This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed.. - -The following fields are available: - -- **DeviceLocalTime** The local time on the device sending the event. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the dialog box. -- **RebootVersion** Version of DTE. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that user chose in this dialog box. -- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog - -This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed. - -The following fields are available: - -- **DeviceLocalTime** The local time of the device sending the event. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the dialog box. -- **RebootVersion** Version of DTE. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that the user chose in this dialog box. -- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog - -This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed. - -The following fields are available: - -- **DeviceLocalTime** Time the dialog box was shown on the local device. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the dialog box. -- **RebootVersion** Version of DTE. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that user chose in this dialog box. -- **UtcTime** The time that dialog box was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderDialog - -This event returns information relating to the Enhanced Engaged reboot reminder dialog that was displayed. - -The following fields are available: - -- **DeviceLocalTime** The time at which the reboot reminder dialog was shown (based on the local device time settings). -- **ETag** The OneSettings versioning value. -- **ExitCode** Indicates how users exited the reboot reminder dialog box. -- **RebootVersion** The version of the DTE (Direct-to-Engaged). -- **UpdateId** The ID of the update that is waiting for reboot to finish installation. -- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. -- **UserResponseString** The option chosen by the user on the reboot dialog box. -- **UtcTime** The time at which the reboot reminder dialog was shown (in UTC). - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderToast - -This event indicates that the Enhanced Engaged restart reminder pop-up banner was displayed. - -The following fields are available: - -- **DeviceLocalTime** The local time on the device sending the event. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the pop-up banner. -- **RebootVersion** The version of the reboot logic. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that the user chose in the pop-up banner. -- **UtcTime** The time that the pop-up banner was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.RebootScheduled - -Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update. - -The following fields are available: - -- **activeHoursApplicable** Indicates whether an Active Hours policy is present on the device. -- **IsEnhancedEngagedReboot** Indicates whether this is an Enhanced Engaged reboot. -- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. -- **rebootOutsideOfActiveHours** Indicates whether a restart is scheduled outside of active hours. -- **rebootScheduledByUser** Indicates whether the restart was scheduled by user (if not, it was scheduled automatically). -- **rebootState** The current state of the restart. -- **rebootUsingSmartScheduler** Indicates whether the reboot is scheduled by smart scheduler. -- **revisionNumber** Revision number of the update that is getting installed with this restart. -- **scheduledRebootTime** Time of the scheduled restart. -- **scheduledRebootTimeInUTC** Time of the scheduled restart in Coordinated Universal Time. -- **updateId** ID of the update that is getting installed with this restart. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy - -This event indicates a policy is present that may restrict update activity to outside of active hours. - -The following fields are available: - -- **activeHoursEnd** The end of the active hours window. -- **activeHoursStart** The start of the active hours window. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours - -This event indicates that update activity was blocked because it is within the active hours window. - -The following fields are available: - -- **activeHoursEnd** The end of the active hours window. -- **activeHoursStart** The start of the active hours window. -- **updatePhase** The current state of the update process. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.BlockedByBatteryLevel - -This event indicates that Windows Update activity was blocked due to low battery level. - -The following fields are available: - -- **batteryLevel** The current battery charge capacity. -- **batteryLevelThreshold** The battery capacity threshold to stop update activity. -- **updatePhase** The current state of the update process. -- **wuDeviceid** Device ID. - - -### Microsoft.Windows.Update.Orchestrator.DeferRestart - -This event indicates that a restart required for installing updates was postponed. - -The following fields are available: - -- **displayNeededReason** List of reasons for needing display. -- **eventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). -- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery). -- **gameModeReason** Name of the executable that caused the game mode state check to start. -- **ignoredReason** List of reasons that were intentionally ignored. -- **IgnoreReasonsForRestart** List of reasons why restart was deferred. -- **revisionNumber** Update ID revision number. -- **systemNeededReason** List of reasons why system is needed. -- **updateId** Update ID. -- **updateScenarioType** Update session type. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.Detection - -This event indicates that a scan for a Windows Update occurred. - -The following fields are available: - -- **deferReason** The reason why the device could not check for updates. -- **detectionBlockingPolicy** The Policy that blocked detection. -- **detectionBlockreason** The reason detection did not complete. -- **detectionRetryMode** Indicates whether we will try to scan again. -- **errorCode** The error code returned for the current process. -- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. -- **flightID** The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable. -- **interactive** Indicates whether the user initiated the session. -- **networkStatus** Indicates if the device is connected to the internet. -- **revisionNumber** The Update revision number. -- **scanTriggerSource** The source of the triggered scan. -- **updateId** The unique identifier of the Update. -- **updateScenarioType** Identifies the type of update session being performed. -- **wuDeviceid** The unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.DisplayNeeded - -This event indicates the reboot was postponed due to needing a display. - -The following fields are available: - -- **displayNeededReason** Reason the display is needed. -- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. -- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. -- **revisionNumber** Revision number of the update. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. -- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue - - -### Microsoft.Windows.Update.Orchestrator.Download - -This event sends launch data for a Windows Update download to help keep Windows up to date. - -The following fields are available: - -- **deferReason** Reason for download not completing. -- **errorCode** An error code represented as a hexadecimal value. -- **eventScenario** End-to-end update session ID. -- **flightID** The specific ID of the Windows Insider build the device is getting. -- **interactive** Indicates whether the session is user initiated. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.DTUCompletedWhenWuFlightPendingCommit - -This event indicates that DTU completed installation of the electronic software delivery (ESD), when Windows Update was already in Pending Commit phase of the feature update. - -The following fields are available: - -- **wuDeviceid** Device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.DTUEnabled - -This event indicates that Inbox DTU functionality was enabled. - -The following fields are available: - -- **wuDeviceid** Device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.DTUInitiated - -This event indicates that Inbox DTU functionality was intiated. - -The following fields are available: - -- **dtuErrorCode** Return code from creating the DTU Com Server. -- **isDtuApplicable** Determination of whether DTU is applicable to the machine it is running on. -- **wuDeviceid** Device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.EscalationRiskLevels - -This event is sent during update scan, download, or install, and indicates that the device is at risk of being out-of-date. - -The following fields are available: - -- **configVersion** The escalation configuration version on the device. -- **downloadElapsedTime** Indicates how long since the download is required on device. -- **downloadRiskLevel** At-risk level of download phase. -- **installElapsedTime** Indicates how long since the install is required on device. -- **installRiskLevel** The at-risk level of install phase. -- **isSediment** Assessment of whether is device is at risk. -- **scanElapsedTime** Indicates how long since the scan is required on device. -- **scanRiskLevel** At-risk level of the scan phase. -- **wuDeviceid** Device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.FailedToAddTimeTriggerToScanTask - -This event indicated that USO failed to add a trigger time to a task. - -The following fields are available: - -- **errorCode** The Windows Update error code. -- **wuDeviceid** The Windows Update device ID. - - -### Microsoft.Windows.Update.Orchestrator.FlightInapplicable - -This event indicates that the update is no longer applicable to this device. - -The following fields are available: - -- **EventPublishedTime** Time when this event was generated. -- **flightID** The specific ID of the Windows Insider build. -- **inapplicableReason** The reason why the update is inapplicable. -- **revisionNumber** Update revision number. -- **updateId** Unique Windows Update ID. -- **updateScenarioType** Update session type. -- **UpdateStatus** Last status of update. -- **UUPFallBackConfigured** Indicates whether UUP fallback is configured. -- **wuDeviceid** Unique Device ID. - - -### Microsoft.Windows.Update.Orchestrator.InitiatingReboot - -This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date. - -The following fields are available: - -- **EventPublishedTime** Time of the event. -- **flightID** Unique update ID -- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. -- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. -- **revisionNumber** Revision number of the update. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.Install - -This event sends launch data for a Windows Update install to help keep Windows up to date. - -The following fields are available: - -- **batteryLevel** Current battery capacity in mWh or percentage left. -- **deferReason** Reason for install not completing. -- **errorCode** The error code reppresented by a hexadecimal value. -- **eventScenario** End-to-end update session ID. -- **flightID** The ID of the Windows Insider build the device is getting. -- **flightUpdate** Indicates whether the update is a Windows Insider build. -- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates. -- **IgnoreReasonsForRestart** The reason(s) a Postpone Restart command was ignored. -- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress. -- **installRebootinitiatetime** The time it took for a reboot to be attempted. -- **interactive** Identifies if session is user initiated. -- **minutesToCommit** The time it took to install updates. -- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.LowUptimes - -This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure. - -The following fields are available: - -- **availableHistoryMinutes** The number of minutes available from the local machine activity history. -- **isLowUptimeMachine** Is the machine considered low uptime or not. -- **lowUptimeMinHours** Current setting for the minimum number of hours needed to not be considered low uptime. -- **lowUptimeQueryDays** Current setting for the number of recent days to check for uptime. -- **uptimeMinutes** Number of minutes of uptime measured. -- **wuDeviceid** Unique device ID for Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection - -This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date. - -The following fields are available: - -- **externalOneshotupdate** The last time a task-triggered scan was completed. -- **interactiveOneshotupdate** The last time an interactive scan was completed. -- **oldlastscanOneshotupdate** The last time a scan completed successfully. -- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID). - - -### Microsoft.Windows.Update.Orchestrator.PreShutdownStart - -This event is generated before the shutdown and commit operations. - -The following fields are available: - -- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - - -### Microsoft.Windows.Update.Orchestrator.RebootFailed - -This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date. - -The following fields are available: - -- **batteryLevel** Current battery capacity in mWh or percentage left. -- **deferReason** Reason for install not completing. -- **EventPublishedTime** The time that the reboot failure occurred. -- **flightID** Unique update ID. -- **rebootOutsideOfActiveHours** Indicates whether a reboot was scheduled outside of active hours. -- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.RefreshSettings - -This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date. - -The following fields are available: - -- **errorCode** Hex code for the error message, to allow lookup of the specific error. -- **settingsDownloadTime** Timestamp of the last attempt to acquire settings. -- **settingsETag** Version identifier for the settings. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask - -This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date. - -The following fields are available: - -- **RebootTaskMissedTimeUTC** The time when the reboot task was scheduled to run, but did not. -- **RebootTaskNextTimeUTC** The time when the reboot task was rescheduled for. -- **RebootTaskRestoredTime** Time at which this reboot task was restored. -- **wuDeviceid** Device ID for the device on which the reboot is restored. - - -### Microsoft.Windows.Update.Orchestrator.ScanTriggered - -This event indicates that Update Orchestrator has started a scan operation. - -The following fields are available: - -- **errorCode** The error code returned for the current scan operation. -- **eventScenario** Indicates the purpose of sending this event. -- **interactive** Indicates whether the scan is interactive. -- **isDTUEnabled** Indicates whether DTU (internal abbreviation for Direct Feature Update) channel is enabled on the client system. -- **isScanPastSla** Indicates whether the SLA has elapsed for scanning. -- **isScanPastTriggerSla** Indicates whether the SLA has elapsed for triggering a scan. -- **minutesOverScanSla** Indicates how many minutes the scan exceeded the scan SLA. -- **minutesOverScanTriggerSla** Indicates how many minutes the scan exceeded the scan trigger SLA. -- **scanTriggerSource** Indicates what caused the scan. -- **updateScenarioType** The update session type. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.StickUpdate - -This event is sent when the update service orchestrator (USO) indicates the update cannot be superseded by a newer update. - -The following fields are available: - -- **updateId** Identifier associated with the specific piece of content. -- **wuDeviceid** Unique device ID controlled by the software distribution client. - - -### Microsoft.Windows.Update.Orchestrator.SystemNeeded - -This event sends data about why a device is unable to reboot, to help keep Windows up to date. - -The following fields are available: - -- **eventScenario** End-to-end update session ID. -- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. -- **revisionNumber** Update revision number. -- **systemNeededReason** List of apps or tasks that are preventing the system from restarting. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.TerminatedByActiveHours - -This event indicates that update activity was stopped due to active hours starting. - -The following fields are available: - -- **activeHoursEnd** The end of the active hours window. -- **activeHoursStart** The start of the active hours window. -- **updatePhase** The current state of the update process. -- **wuDeviceid** The device identifier. - - -### Microsoft.Windows.Update.Orchestrator.TerminatedByBatteryLevel - -This event is sent when update activity was stopped due to a low battery level. - -The following fields are available: - -- **batteryLevel** The current battery charge capacity. -- **batteryLevelThreshold** The battery capacity threshold to stop update activity. -- **updatePhase** The current state of the update process. -- **wuDeviceid** The device identifier. - - -### Microsoft.Windows.Update.Orchestrator.UnstickUpdate - -This event is sent when the update service orchestrator (USO) indicates that the update can be superseded by a newer update. - -The following fields are available: - -- **updateId** Identifier associated with the specific piece of content. -- **wuDeviceid** Unique device ID controlled by the software distribution client. - - -### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh - -This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date. - -The following fields are available: - -- **configuredPoliciescount** Number of policies on the device. -- **policiesNamevaluesource** Policy name and source of policy (group policy, MDM or flight). -- **policyCacherefreshtime** Time when policy cache was refreshed. -- **updateInstalluxsetting** Indicates whether a user has set policies via a user experience option. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired - -This event sends data about whether an update required a reboot to help keep Windows up to date. - -The following fields are available: - -- **flightID** The specific ID of the Windows Insider build the device is getting. -- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed - -This event sends information about an update that encountered problems and was not able to complete. - -The following fields are available: - -- **errorCode** The error code encountered. -- **wuDeviceid** The ID of the device in which the error occurred. - - -### Microsoft.Windows.Update.Orchestrator.UsoSession - -This event represents the state of the USO service at start and completion. - -The following fields are available: - -- **activeSessionid** A unique session GUID. -- **eventScenario** The state of the update action. -- **interactive** Is the USO session interactive? -- **lastErrorcode** The last error that was encountered. -- **lastErrorstate** The state of the update when the last error was encountered. -- **sessionType** A GUID that refers to the update session type. -- **updateScenarioType** A descriptive update session type. -- **wuDeviceid** The Windows Update device GUID. - - -### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState - -This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. - -The following fields are available: - -- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. -- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown. -- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed. -- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs. -- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode. -- **ETag** The Entity Tag that represents the OneSettings version. -- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device. -- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device. -- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending. -- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced. -- **RebootVersion** The version of the DTE (Direct-to-Engaged). -- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode. -- **UpdateId** The ID of the update that is waiting for reboot to finish installation. -- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. - - -### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded - -This event is sent when a security update has successfully completed. - -The following fields are available: - -- **UtcTime** The Coordinated Universal Time that the restart was no longer needed. - - -### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled - -This event sends basic information about scheduling an update-related reboot, to get security updates and to help keep Windows up-to-date. - -The following fields are available: - -- **activeHoursApplicable** Indicates whether Active Hours applies on this device. -- **IsEnhancedEngagedReboot** Indicates whether Enhanced reboot was enabled. -- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. -- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise. -- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically. -- **rebootState** Current state of the reboot. -- **rebootUsingSmartScheduler** Indicates that the reboot is scheduled by SmartScheduler. -- **revisionNumber** Revision number of the OS. -- **scheduledRebootTime** Time scheduled for the reboot. -- **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC. -- **updateId** Identifies which update is being scheduled. -- **wuDeviceid** The unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerScheduledTask - -This event is sent when MUSE broker schedules a task. - -The following fields are available: - -- **TaskArgument** The arguments with which the task is scheduled. -- **TaskName** Name of the task. - - -### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled - -This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date. - -The following fields are available: - -- **activeHoursApplicable** Is the restart respecting Active Hours? -- **IsEnhancedEngagedReboot** TRUE if the reboot path is Enhanced Engaged. Otherwise, FALSE. -- **rebootArgument** The arguments that are passed to the OS for the restarted. -- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours? -- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device. -- **rebootState** The state of the restart. -- **rebootUsingSmartScheduler** TRUE if the reboot should be performed by the Smart Scheduler. Otherwise, FALSE. -- **revisionNumber** The revision number of the OS being updated. -- **scheduledRebootTime** Time of the scheduled reboot -- **scheduledRebootTimeInUTC** Time of the scheduled restart, in Coordinated Universal Time. -- **updateId** The Windows Update device GUID. -- **wuDeviceid** The Windows Update device GUID. - - -## Windows Update mitigation events - -### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages - -This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates. - -The following fields are available: - -- **ClientId** The client ID used by Windows Update. -- **FlightId** The ID of each Windows Insider build the device received. -- **InstanceId** A unique device ID that identifies each update instance. -- **MitigationScenario** The update scenario in which the mitigation was executed. -- **MountedImageCount** The number of mounted images. -- **MountedImageMatches** The number of mounted image matches. -- **MountedImagesFailed** The number of mounted images that could not be removed. -- **MountedImagesRemoved** The number of mounted images that were successfully removed. -- **MountedImagesSkipped** The number of mounted images that were not found. -- **RelatedCV** The correlation vector value generated from the latest USO scan. -- **Result** HResult of this operation. -- **ScenarioId** ID indicating the mitigation scenario. -- **ScenarioSupported** Indicates whether the scenario was supported. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each Windows Update. -- **WuId** Unique ID for the Windows Update client. - - -### Mitigation360Telemetry.MitigationCustom.FixAppXReparsePoints - -This event sends data specific to the FixAppXReparsePoints mitigation used for OS updates. - -The following fields are available: - -- **ClientId** Unique identifier for each flight. -- **FlightId** Unique GUID that identifies each instances of setuphost.exe. -- **InstanceId** The update scenario in which the mitigation was executed. -- **MitigationScenario** Correlation vector value generated from the latest USO scan. -- **RelatedCV** Number of reparse points that are corrupted but we failed to fix them. -- **ReparsePointsFailed** Number of reparse points that were corrupted and were fixed by this mitigation. -- **ReparsePointsFixed** Number of reparse points that are not corrupted and no action is required. -- **ReparsePointsSkipped** HResult of this operation. -- **Result** ID indicating the mitigation scenario. -- **ScenarioId** Indicates whether the scenario was supported. -- **ScenarioSupported** Unique value for each update attempt. -- **SessionId** Unique ID for each Update. -- **UpdateId** Unique ID for the Windows Update client. -- **WuId** Unique ID for the Windows Update client. - - -### Mitigation360Telemetry.MitigationCustom.FixupEditionId - -This event sends data specific to the FixupEditionId mitigation used for OS updates. - -The following fields are available: - -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **EditionIdUpdated** Determine whether EditionId was changed. -- **FlightId** Unique identifier for each flight. -- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. -- **MitigationScenario** The update scenario in which the mitigation was executed. -- **ProductEditionId** Expected EditionId value based on GetProductInfo. -- **ProductType** Value returned by GetProductInfo. -- **RegistryEditionId** EditionId value in the registry. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** HResult of this operation. -- **ScenarioId** ID indicating the mitigation scenario. -- **ScenarioSupported** Indicates whether the scenario was supported. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. -- **WuId** Unique ID for the Windows Update client. - - -## Windows Update Reserve Manager events - -### Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment - -This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending. - -The following fields are available: - -- **FinalAdjustment** Final adjustment for the hard reserve following the addition or removal of optional content. -- **InitialAdjustment** Initial intended adjustment for the hard reserve following the addition/removal of optional content. - - -### Microsoft.Windows.UpdateReserveManager.FunctionReturnedError - -This event is sent when the Update Reserve Manager returns an error from one of its internal functions. - -The following fields are available: - -- **FailedExpression** The failed expression that was returned. -- **FailedFile** The binary file that contained the failed function. -- **FailedFunction** The name of the function that originated the failure. -- **FailedLine** The line number of the failure. -- **ReturnCode** The return code of the function. - - -### Microsoft.Windows.UpdateReserveManager.PrepareTIForReserveInitialization - -This event is sent when the Update Reserve Manager prepares the Trusted Installer to initialize reserves on the next boot. - -The following fields are available: - -- **Flags** The flags that are passed to the function to prepare the Trusted Installer for reserve initialization. - - -### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment - -This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment. - - - -### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment - -This event is sent when the Update Reserve Manager needs to adjust the size of the hard reserve after the option content is installed. - -The following fields are available: - -- **ChangeSize** The change in the hard reserve size based on the addition or removal of optional content. -- **PendingHardReserveAdjustment** The final change to the hard reserve size. -- **UpdateType** Indicates whether the change is an increase or decrease in the size of the hard reserve. - - -## Winlogon events - -### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon - -This event signals the completion of the setup process. It happens only once during the first logon. - - - -## XBOX events - -### Microsoft.Xbox.XamTelemetry.AppActivationError - -This event indicates whether the system detected an activation error in the app. - -The following fields are available: - -- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app. -- **AppId** The Xbox LIVE Title ID. -- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate. -- **Result** The HResult error. -- **UserId** The Xbox LIVE User ID (XUID). - - -### Microsoft.Xbox.XamTelemetry.AppActivity - -This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. - -The following fields are available: - -- **AppActionId** The ID of the application action. -- **AppCurrentVisibilityState** The ID of the current application visibility state. -- **AppId** The Xbox LIVE Title ID of the app. -- **AppPackageFullName** The full name of the application package. -- **AppPreviousVisibilityState** The ID of the previous application visibility state. -- **AppSessionId** The application session ID. -- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). -- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. -- **DurationMs** The amount of time (in milliseconds) since the last application state transition. -- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. -- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). -- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. -- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. -- **UserId** The XUID (Xbox User ID) of the current user. - - - +--- +description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. +title: Windows 10, version 1809 basic diagnostic events and fields (Windows 10) +keywords: privacy, telemetry +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +ms.author: brianlic +manager: dansimp +ms.collection: M365-security-compliance +ms.topic: article +audience: ITPro +ms.date: 03/04/2019 +--- + + +# Windows 10, version 1809 basic level Windows diagnostic events and fields + + **Applies to** + +- Windows 10, version 1809 + + +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. + +The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. + +Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. + +You can learn more about Windows functional and diagnostic data through these articles: + + +- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) +- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) +- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) +- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) +- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) + + + + +## Account trace logging provider events + +### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.General + +This event provides information about application properties to indicate the successful execution. + +The following fields are available: + +- **AppMode** Indicates the mode the app is being currently run around privileges. +- **ExitCode** Indicates the exit code of the app. +- **Help** Indicates if the app needs to be launched in the help mode. +- **ParseError** Indicates if there was a parse error during the execution. +- **RightsAcquired** Indicates if the right privileges were acquired for successful execution. +- **RightsWereEnabled** Indicates if the right privileges were enabled for successful execution. +- **TestMode** Indicates whether the app is being run in test mode. + + +### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.GetCount + +This event provides information about the properties of user accounts in the Administrator group. + +The following fields are available: + +- **Internal** Indicates the internal property associated with the count group. +- **LastError** The error code (if applicable) for the cause of the failure to get the count of the user account. +- **Result** The HResult error. + + +## AppLocker events + +### Microsoft.Windows.Security.AppLockerCSP.ActivityStoppedAutomatically + +Automatically closed activity for start/stop operations that aren't explicitly closed. + + + +### Microsoft.Windows.Security.AppLockerCSP.AddParams + +Parameters passed to Add function of the AppLockerCSP Node. + +The following fields are available: + +- **child** The child URI of the node to add. +- **uri** URI of the node relative to %SYSTEM32%/AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.AddStart + +Start of "Add" Operation for the AppLockerCSP Node. + + + +### Microsoft.Windows.Security.AppLockerCSP.AddStop + +End of "Add" Operation for AppLockerCSP Node. + +The following fields are available: + +- **hr** The HRESULT returned by Add function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.CAppLockerCSP::Rollback + +Result of the 'Rollback' operation in AppLockerCSP. + +The following fields are available: + +- **oldId** Previous id for the CSP transaction. +- **txId** Current id for the CSP transaction. + + +### Microsoft.Windows.Security.AppLockerCSP.ClearParams + +Parameters passed to the "Clear" operation for AppLockerCSP. + +The following fields are available: + +- **uri** The URI relative to the %SYSTEM32%\AppLocker folder. + + +### Microsoft.Windows.Security.AppLockerCSP.ClearStart + +Start of the "Clear" operation for the AppLockerCSP Node. + + + +### Microsoft.Windows.Security.AppLockerCSP.ClearStop + +End of the "Clear" operation for the AppLockerCSP node. + +The following fields are available: + +- **hr** HRESULT reported at the end of the 'Clear' function. + + +### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStart + +Start of the "ConfigManagerNotification" operation for AppLockerCSP. + +The following fields are available: + +- **NotifyState** State sent by ConfigManager to AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStop + +End of the "ConfigManagerNotification" operation for AppLockerCSP. + +The following fields are available: + +- **hr** HRESULT returned by the ConfigManagerNotification function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceParams + +Parameters passed to the CreateNodeInstance function of the AppLockerCSP node. + +The following fields are available: + +- **NodeId** NodeId passed to CreateNodeInstance. +- **nodeOps** NodeOperations parameter passed to CreateNodeInstance. +- **uri** URI passed to CreateNodeInstance, relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStart + +Start of the "CreateNodeInstance" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStop + +End of the "CreateNodeInstance" operation for the AppLockerCSP node + +The following fields are available: + +- **hr** HRESULT returned by the CreateNodeInstance function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.DeleteChildParams + +Parameters passed to the DeleteChild function of the AppLockerCSP node. + +The following fields are available: + +- **child** The child URI of the node to delete. +- **uri** URI relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStart + +Start of the "DeleteChild" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStop + +End of the "DeleteChild" operation for the AppLockerCSP node. + +The following fields are available: + +- **hr** HRESULT returned by the DeleteChild function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.EnumPolicies + +Logged URI relative to %SYSTEM32%\AppLocker, if the Plugin GUID is null, or the CSP doesn't believe the old policy is present. + +The following fields are available: + +- **uri** URI relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesParams + +Parameters passed to the GetChildNodeNames function of the AppLockerCSP node. + +The following fields are available: + +- **uri** URI relative to %SYSTEM32%/AppLocker for MDM node. + + +### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStart + +Start of the "GetChildNodeNames" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStop + +End of the "GetChildNodeNames" operation for the AppLockerCSP node. + +The following fields are available: + +- **child[0]** If function succeeded, the first child's name, else "NA". +- **count** If function succeeded, the number of child node names returned by the function, else 0. +- **hr** HRESULT returned by the GetChildNodeNames function of AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.GetLatestId + +The result of 'GetLatestId' in AppLockerCSP (the latest time stamped GUID). + +The following fields are available: + +- **dirId** The latest directory identifier found by GetLatestId. +- **id** The id returned by GetLatestId if id > 0 - otherwise the dirId parameter. + + +### Microsoft.Windows.Security.AppLockerCSP.HResultException + +HRESULT thrown by any arbitrary function in AppLockerCSP. + +The following fields are available: + +- **file** File in the OS code base in which the exception occurs. +- **function** Function in the OS code base in which the exception occurs. +- **hr** HRESULT that is reported. +- **line** Line in the file in the OS code base in which the exception occurs. + + +### Microsoft.Windows.Security.AppLockerCSP.SetValueParams + +Parameters passed to the SetValue function of the AppLockerCSP node. + +The following fields are available: + +- **dataLength** Length of the value to set. +- **uri** The node URI to that should contain the value, relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.SetValueStart + +Start of the "SetValue" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.SetValueStop + +End of the "SetValue" operation for the AppLockerCSP node. + +The following fields are available: + +- **hr** HRESULT returned by the SetValue function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.TryRemediateMissingPolicies + +EntryPoint of fix step or policy remediation, includes URI relative to %SYSTEM32%\AppLocker that needs to be fixed. + +The following fields are available: + +- **uri** URI for node relative to %SYSTEM32%/AppLocker. + + +## Appraiser events + +### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount + +This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client. + +The following fields are available: + +- **DatasourceApplicationFile_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_19H1** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **DatasourceApplicationFile_RS2** An ID for the system, calculated by hashing hardware identifiers. +- **DatasourceApplicationFile_RS3** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS3Setup** No content is currently available. +- **DatasourceApplicationFile_RS4** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_TH1** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_TH2** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. +- **DatasourceDevicePnp_RS2** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS3** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS4** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS5** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_TH1** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_TH2** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19H1** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device. +- **DatasourceDriverPackage_RS2** The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device. +- **DatasourceDriverPackage_RS3** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS5** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_TH1** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoBlock_RS2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS3** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS3Setup** No content is currently available. +- **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS3** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS3Setup** No content is currently available. +- **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. +- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. +- **DataSourceMatchingInfoPostUpgrade_RS3Setup** No content is currently available. +- **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19H1** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device. +- **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device. +- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting Windows 10 version 1709 present on this device. +- **DatasourceSystemBios_RS3Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS4** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS5** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_TH1** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_TH2** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19H1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS3** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS3Setup** No content is currently available. +- **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_TH1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_TH2** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19H1** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. +- **DecisionDevicePnp_RS2** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS3** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS5** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_TH1** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_TH2** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19H1** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device. +- **DecisionDriverPackage_RS2** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS3** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS5** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_TH1** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. +- **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. +- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1709 present on this device. +- **DecisionMatchingInfoBlock_RS3Setup** No content is currently available. +- **DecisionMatchingInfoBlock_RS4** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1803 present on this device. +- **DecisionMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. +- **DecisionMatchingInfoPassive_RS2** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 on this device. +- **DecisionMatchingInfoPassive_RS3** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1803 on this device. +- **DecisionMatchingInfoPassive_RS3Setup** No content is currently available. +- **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. +- **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. +- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. +- **DecisionMatchingInfoPostUpgrade_RS3Setup** No content is currently available. +- **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19H1** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19H1Setup** The total DecisionMediaCenter objects targeting the next release of Windows on this device. +- **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. +- **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device. +- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting Windows 10 version 1709 present on this device. +- **DecisionMediaCenter_RS3Setup** No content is currently available. +- **DecisionMediaCenter_RS4** The total DecisionMediaCenter objects targeting Windows 10 version 1803 present on this device. +- **DecisionMediaCenter_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_TH1** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_TH2** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_19ASetup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_19H1** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device. +- **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 on this device. +- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting Windows 10 version 1709 on this device. +- **DecisionSystemBios_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device. +- **DecisionSystemBios_RS4Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS5** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS5Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_TH1** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device. +- **DecisionSystemProcessor_RS2** The count of the number of this particular object type present on this device. +- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **InventoryApplicationFile** The count of the number of this particular object type present on this device. +- **InventoryDeviceContainer** A count of device container objects in cache. +- **InventoryDevicePnp** A count of device Plug and Play objects in cache. +- **InventoryDriverBinary** A count of driver binary objects in cache. +- **InventoryDriverPackage** A count of device objects in cache. +- **InventoryLanguagePack** The count of the number of this particular object type present on this device. +- **InventoryMediaCenter** The count of the number of this particular object type present on this device. +- **InventorySystemBios** The count of the number of this particular object type present on this device. +- **InventorySystemMachine** The count of the number of this particular object type present on this device. +- **InventorySystemProcessor** The count of the number of this particular object type present on this device. +- **InventoryTest** The count of the number of this particular object type present on this device. +- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. +- **PCFP** The count of the number of this particular object type present on this device. +- **SystemMemory** The count of the number of this particular object type present on this device. +- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. +- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. +- **SystemProcessorNx** The total number of objects of this type present on this device. +- **SystemProcessorPrefetchW** The total number of objects of this type present on this device. +- **SystemProcessorSse2** The total number of objects of this type present on this device. +- **SystemTouch** The count of the number of this particular object type present on this device. +- **SystemWim** The total number of objects of this type present on this device. +- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. +- **SystemWlan** The total number of objects of this type present on this device. +- **Wmdrm_19ASetup** The count of the number of this particular object type present on this device. +- **Wmdrm_19H1** The count of the number of this particular object type present on this device. +- **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. +- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **Wmdrm_RS2** An ID for the system, calculated by hashing hardware identifiers. +- **Wmdrm_RS3** An ID for the system, calculated by hashing hardware identifiers. +- **Wmdrm_RS3Setup** No content is currently available. +- **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. +- **Wmdrm_RS4Setup** The count of the number of this particular object type present on this device. +- **Wmdrm_RS5** The count of the number of this particular object type present on this device. +- **Wmdrm_RS5Setup** The count of the number of this particular object type present on this device. +- **Wmdrm_TH1** The count of the number of this particular object type present on this device. +- **Wmdrm_TH2** The count of the number of this particular object type present on this device. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd + +Represents the basic metadata about specific application files installed on the system. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file that is generating the events. +- **AvDisplayName** If the app is an anti-virus app, this is its display name. +- **CompatModelIndex** The compatibility prediction for this file. +- **HasCitData** Indicates whether the file is present in CIT data. +- **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file. +- **IsAv** Is the file an anti-virus reporting EXE? +- **ResolveAttempted** This will always be an empty string when sending telemetry. +- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove + +This event indicates that the DatasourceApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync + +This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd + +This event sends compatibility data for a Plug and Play device, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **ActiveNetworkConnection** Indicates whether the device is an active network device. +- **AppraiserVersion** The version of the appraiser file generating the events. +- **CosDeviceRating** An enumeration that indicates if there is a driver on the target operating system. +- **CosDeviceSolution** An enumeration that indicates how a driver on the target operating system is available. +- **CosDeviceSolutionUrl** Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd . Empty string +- **CosPopulatedFromId** The expected uplevel driver matching ID based on driver coverage data. +- **IsBootCritical** Indicates whether the device boot is critical. +- **UplevelInboxDriver** Indicates whether there is a driver uplevel for this device. +- **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update. +- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver. +- **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove + +This event indicates that the DatasourceDevicePnp object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync + +This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd + +This event sends compatibility database data about driver packages to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync + +This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd + +This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove + +This event indicates that the DataSourceMatchingInfoBlock object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync + +This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd + +This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove + +This event indicates that the DataSourceMatchingInfoPassive object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync + +This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd + +This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove + +This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync + +This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd + +This event sends compatibility database information about the BIOS to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove + +This event indicates that the DatasourceSystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync + +This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd + +This event sends compatibility decision data about a file to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file that is generating the events. +- **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. +- **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question. +- **DisplayGenericMessage** Will be a generic message be shown for this file? +- **DisplayGenericMessageGated** Indicates whether a generic message be shown for this file. +- **HardBlock** This file is blocked in the SDB. +- **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? +- **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode? +- **MigRemoval** Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade? +- **NeedsDismissAction** Will the file cause an action that can be dimissed? +- **NeedsInstallPostUpgradeData** After upgrade, the file will have a post-upgrade notification to install a replacement for the app. +- **NeedsNotifyPostUpgradeData** Does the file have a notification that should be shown after upgrade? +- **NeedsReinstallPostUpgradeData** After upgrade, this file will have a post-upgrade notification to reinstall the app. +- **NeedsUninstallAction** The file must be uninstalled to complete the upgrade. +- **SdbBlockUpgrade** The file is tagged as blocking upgrade in the SDB, +- **SdbBlockUpgradeCanReinstall** The file is tagged as blocking upgrade in the SDB. It can be reinstalled after upgrade. +- **SdbBlockUpgradeUntilUpdate** The file is tagged as blocking upgrade in the SDB. If the app is updated, the upgrade can proceed. +- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not block upgrade. +- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade. +- **SoftBlock** The file is softblocked in the SDB and has a warning. + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove + +This event indicates Indicates that the DecisionApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync + +This event indicates that a new set of DecisionApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd + +This event sends compatibility decision data about a PNP device to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked? +- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate? +- **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked? +- **BlockingDevice** Is this PNP device blocking upgrade? +- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS? +- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device? +- **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device? +- **DisplayGenericMessageGated** Indicates whether a generic message will be shown during Setup for this PNP device. +- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device? +- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? +- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device? +- **DriverBlockOverridden** Is there is a driver block on the device that has been overridden? +- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device? +- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS? +- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade? +- **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden? + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove + +This event indicates that the DecisionDevicePnp object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync + +The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd + +This event sends decision data about driver package compatibility to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for this driver package. +- **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? +- **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block? +- **DriverIsDriverBlocked** Is the driver package blocked because of a driver block? +- **DriverIsTroubleshooterBlocked** Indicates whether the driver package is blocked because of a troubleshooter block. +- **DriverShouldNotMigrate** Should the driver package be migrated during upgrade? +- **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove + +This event indicates that the DecisionDriverPackage object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync + +This event indicates that a new set of DecisionDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd + +This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks? +- **DisplayGenericMessage** Will a generic message be shown for this block? +- **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block? +- **SdbBlockUpgrade** Is a matching info block blocking upgrade? +- **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag? +- **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag? + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove + +This event indicates that the DecisionMatchingInfoBlock object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync + +This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd + +This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks? +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown due to matching info blocks. +- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove + +This event Indicates that the DecisionMatchingInfoPassive object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync + +This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd + +This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app? +- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade? +- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app? +- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade). + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove + +This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync + +This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd + +This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **BlockingApplication** Is there any application issues that interfere with upgrade due to Windows Media Center? +- **MediaCenterActivelyUsed** If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true? +- **MediaCenterIndicators** Do any indicators imply that Windows Media Center is in active use? +- **MediaCenterInUse** Is Windows Media Center actively being used? +- **MediaCenterPaidOrActivelyUsed** Is Windows Media Center actively being used or is it running on a supported edition? +- **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center? + + +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove + +This event indicates that the DecisionMediaCenter object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync + +This event indicates that a new set of DecisionMediaCenterAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd + +This event sends compatibility decision data about the BIOS to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the device blocked from upgrade due to a BIOS block? +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for the bios. +- **HasBiosBlock** Does the device have a BIOS block? + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove + +This event indicates that the DecisionSystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync + +This event indicates that a new set of DecisionSystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.GatedRegChange + +This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date. + +The following fields are available: + +- **NewData** The data in the registry value after the scan completed. +- **OldData** The previous data in the registry value before the scan ran. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **RegKey** The registry key name for which a result is being sent. +- **RegValue** The registry value for which a result is being sent. +- **Time** The client time of the event. + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd + +This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **AvDisplayName** If the app is an antivirus app, this is its display name. +- **AvProductState** Indicates whether the antivirus program is turned on and the signatures are up to date. +- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64. +- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. +- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. +- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata. +- **CompanyName** The company name of the vendor who developed this file. +- **FileId** A hash that uniquely identifies a file. +- **FileVersion** The File version field from the file metadata under Properties -> Details. +- **HasUpgradeExe** Indicates whether the antivirus app has an upgrade.exe file. +- **IsAv** Indicates whether the file an antivirus reporting EXE. +- **LinkDate** The date and time that this file was linked on. +- **LowerCaseLongPath** The full file path to the file that was inventoried on the device. +- **Name** The name of the file that was inventoried. +- **ProductName** The Product name field from the file metadata under Properties -> Details. +- **ProductVersion** The Product version field from the file metadata under Properties -> Details. +- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it. +- **Size** The size of the file (in hexadecimal bytes). + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove + +This event indicates that the InventoryApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync + +This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd + +This event sends data about the number of language packs installed on the system, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **HasLanguagePack** Indicates whether this device has 2 or more language packs. +- **LanguagePackCount** The number of language packs are installed. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove + +This event indicates that the InventoryLanguagePack object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync + +This event indicates that a new set of InventoryLanguagePackAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd + +This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **EverLaunched** Has Windows Media Center ever been launched? +- **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center? +- **HasExtendedUserAccounts** Are any Windows Media Center Extender user accounts configured? +- **HasWatchedFolders** Are any folders configured for Windows Media Center to watch? +- **IsDefaultLauncher** Is Windows Media Center the default app for opening music or video files? +- **IsPaid** Is the user running a Windows Media Center edition that implies they paid for Windows Media Center? +- **IsSupported** Does the running OS support Windows Media Center? + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove + +This event indicates that the InventoryMediaCenter object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync + +This event indicates that a new set of InventoryMediaCenterAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd + +This event sends basic metadata about the BIOS to determine whether it has a compatibility block. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **biosDate** The release date of the BIOS in UTC format. +- **BiosDate** The release date of the BIOS in UTC format. +- **biosName** The name field from Win32_BIOS. +- **BiosName** The name field from Win32_BIOS. +- **manufacturer** The manufacturer field from Win32_ComputerSystem. +- **Manufacturer** The manufacturer field from Win32_ComputerSystem. +- **model** The model field from Win32_ComputerSystem. +- **Model** The model field from Win32_ComputerSystem. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove + +This event indicates that the InventorySystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync + +This event indicates that a new set of InventorySystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd + +This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BootCritical** Is the driver package marked as boot critical? +- **Build** The build value from the driver package. +- **CatalogFile** The name of the catalog file within the driver package. +- **Class** The device class from the driver package. +- **ClassGuid** The device class unique ID from the driver package. +- **Date** The date from the driver package. +- **Inbox** Is the driver package of a driver that is included with Windows? +- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU. +- **Provider** The provider of the driver package. +- **PublishedName** The name of the INF file after it was renamed. +- **Revision** The revision of the driver package. +- **SignatureStatus** Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2. +- **VersionMajor** The major version of the driver package. +- **VersionMinor** The minor version of the driver package. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove + +This event indicates that the InventoryUplevelDriverPackage object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync + +This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.RunContext + +This event indicates what should be expected in the data payload. + +The following fields are available: + +- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built. +- **AppraiserProcess** The name of the process that launched Appraiser. +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **CensusId** A unique hardware identifier. +- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **Subcontext** Indicates what categories of incompatibilities appraiser is scanning for. Can be N/A, Resolve, or a semicolon-delimited list that can include App, Dev, Sys, Gat, or Rescan. +- **Time** The client time of the event. + + +### Microsoft.Windows.Appraiser.General.SystemMemoryAdd + +This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the device from upgrade due to memory restrictions? +- **MemoryRequirementViolated** Was a memory requirement violated? +- **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes). +- **ram** The amount of memory on the device. +- **ramKB** The amount of memory (in KB). +- **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes). +- **virtualKB** The amount of virtual memory (in KB). + + +### Microsoft.Windows.Appraiser.General.SystemMemoryRemove + +This event that the SystemMemory object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync + +This event indicates that a new set of SystemMemoryAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd + +This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **CompareExchange128Support** Does the CPU support CompareExchange128? +- **CompareExchange128Swpport** No content is currently available. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove + +This event indicates that the SystemProcessorCompareExchange object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync + +This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd + +This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **LahfSahfSupport** Does the CPU support LAHF/SAHF? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove + +This event indicates that the SystemProcessorLahfSahf object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync + +This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd + +This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support. +- **NXProcessorSupport** Does the processor support NX? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove + +This event indicates that the SystemProcessorNx object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync + +This event indicates that a new set of SystemProcessorNxAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd + +This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **PrefetchWSupport** Does the processor support PrefetchW? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove + +This event indicates that the SystemProcessorPrefetchW object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync + +This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add + +This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **SSE2ProcessorSupport** Does the processor support SSE2? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove + +This event indicates that the SystemProcessorSse2 object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync + +This event indicates that a new set of SystemProcessorSse2Add events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemTouchAdd + +This event sends data indicating whether the system supports touch, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer? +- **MaximumTouches** The maximum number of touch points supported by the device hardware. + + +### Microsoft.Windows.Appraiser.General.SystemTouchRemove + +This event indicates that the SystemTouch object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemTouchStartSync + +This event indicates that a new set of SystemTouchAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWimAdd + +This event sends data indicating whether the operating system is running from a compressed Windows Imaging Format (WIM) file, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **IsWimBoot** Is the current operating system running from a compressed WIM file? +- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM. + + +### Microsoft.Windows.Appraiser.General.SystemWimRemove + +This event indicates that the SystemWim object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWimStartSync + +This event indicates that a new set of SystemWimAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd + +This event sends data indicating whether the current operating system is activated, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated. +- **WindowsNotActivatedDecision** Is the current operating system activated? + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove + +This event indicates that the SystemWindowsActivationStatus object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync + +This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWlanAdd + +This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked because of an emulated WLAN driver? +- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block? +- **WlanEmulatedDriver** Does the device have an emulated WLAN driver? +- **WlanExists** Does the device support WLAN at all? +- **WlanModulePresent** Are any WLAN modules present? +- **WlanNativeDriver** Does the device have a non-emulated WLAN driver? + + +### Microsoft.Windows.Appraiser.General.SystemWlanRemove + +This event indicates that the SystemWlan object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWlanStartSync + +This event indicates that a new set of SystemWlanAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.TelemetryRunHealth + +This event indicates the parameters and result of a telemetry (diagnostic) run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date. + +The following fields are available: + +- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built. +- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run. +- **AppraiserProcess** The name of the process that launched Appraiser. +- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots. +- **AuxFinal** Obsolete, always set to false. +- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app. +- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan. +- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. +- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent. +- **InboxDataVersion** The original version of the data files before retrieving any newer version. +- **IndicatorsWritten** Indicates if all relevant UEX indicators were successfully written or updated. +- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. +- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. +- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. +- **RunDate** The date that the telemetry run was stated, expressed as a filetime. +- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic. +- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. +- **RunResult** The hresult of the Appraiser telemetry run. +- **ScheduledUploadDay** The day scheduled for the upload. +- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run. +- **StoreHandleIsNotNull** Obsolete, always set to false +- **TelementrySent** Indicates if telemetry was successfully sent. +- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability. +- **Time** The client time of the event. +- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging. +- **VicboseMode** No content is currently available. +- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated. + + +### Microsoft.Windows.Appraiser.General.WmdrmAdd + +This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BlockingApplication** Same as NeedsDismissAction. +- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation. +- **WmdrmApiResult** Raw value of the API used to gather DRM state. +- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs. +- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased. +- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed. +- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses. +- **WmdrmPurchased** Indicates if the system has any files with permanent licenses. + + +### Microsoft.Windows.Appraiser.General.WmdrmRemove + +This event indicates that the Wmdrm object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.WmdrmStartSync + +This event indicates that a new set of WmdrmAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +## Census events + +### Census.App + +Provides information on IE and Census versions running on the device + +The following fields are available: + +- **AppraiserEnterpriseErrorCode** The error code of the last Appraiser enterprise run. +- **AppraiserErrorCode** The error code of the last Appraiser run. +- **AppraiserRunEndT.ApStamp** No content is currently available. +- **AppraiserRunEndTimeStamp** The end time of the last Appraiser run. +- **AppraiserRunIsInProgressOrCrashed** Flag that indicates if the Appraiser run is in progress or has crashed. +- **AppraiserRunStartT.ApStamp** No content is currently available. +- **AppraiserRunStartTimeStamp** The start time of the last Appraiser run. +- **AppraiserTaskEnabled** Whether the Appraiser task is enabled. +- **AppraiserTaskExitCode** The Appraiser task exist code. +- **AppraiserTaskLastRun** The last runtime for the Appraiser task. +- **CensusVersion** The version of Census that generated the current data for this device. +- **IEVersion** The version of Internet Explorer that is running on the device. + + +### Census.Battery + +This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date. + +The following fields are available: + +- **InternalBatteryCapablities** Represents information about what the battery is capable of doing. +- **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity  to estimate the battery's wear. +- **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh. +- **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance. +- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value. + + +### Census.Camera + +This event sends data about the resolution of cameras on the device, to help keep Windows up to date. + +The following fields are available: + +- **FrontFacingCameraResolution** Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0. +- **RearFacingCameraResolution** Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0. + + +### Census.Enterprise + +This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment. + +The following fields are available: + +- **AADDeviceId** Azure Active Directory device ID. +- **AzureOSIDPresent** Represents the field used to identify an Azure machine. +- **AZureOSIDPresent** No content is currently available. +- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs. +- **AZureVMType** No content is currently available. +- **CDJType** Represents the type of cloud domain joined for the machine. +- **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers. +- **ContainerType** The type of container, such as process or virtual machine hosted. +- **EnrollmentType** Defines the type of MDM enrollment on the device. +- **HashedDomain** The hashed representation of the user domain used for login. +- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false +- **IsDERequirementMet** Represents if the device can do device encryption. +- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption +- **IsDeviceRrotected** No content is currently available. +- **IsDomainJoined** Indicates whether a machine is joined to a domain. +- **IsEDPEnabled** Represents if Enterprise data protected on the device. +- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. +- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment. +- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. +- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier + + +### Census.Firmware + +This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date. + +The following fields are available: + +- **FirmwareManufacturer** Represents the manufacturer of the device's firmware (BIOS). +- **FirmwareReleaseDate** Represents the date the current firmware was released. +- **FirmwareType** Represents the firmware type. The various types can be unknown, BIOS, UEFI. +- **FirmwareVersion** Represents the version of the current firmware. + + +### Census.Flighting + +This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up to date. + +The following fields are available: + +- **DeviceSampleRate** The telemetry sample rate assigned to the device. +- **EnablePreviewBuilds** Used to enable Windows Insider builds on a device. +- **FlightIds** A list of the different Windows Insider builds on this device. +- **FlightingBranchName** The name of the Windows Insider branch currently used by the device. +- **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program. +- **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device. +- **SSRK** Retrieves the mobile targeting settings. + + +### Census.Hardware + +This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up to date. + +The following fields are available: + +- **ActiveMicCount** The number of active microphones attached to the device. +- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36. +- **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields. +- **D3DMaxFeatureLevel** Supported Direct3D version. +- **DeviceColor** Indicates a color of the device. +- **DeviceForm** Indicates the form as per the device classification. +- **DeviceName** The device name that is set by the user. +- **DigitizerSupport** Is a digitizer supported? +- **DUID** The device unique ID. +- **Gyroscope** Indicates whether the device has a gyroscope (a mechanical component that measures and maintains orientation). +- **InventoryId** The device ID used for compatibility testing. +- **Magnetometer** Indicates whether the device has a magnetometer (a mechanical component that works like a compass). +- **NFCProximity** Indicates whether the device supports NFC (a set of communication protocols that helps establish communication when applicable devices are brought close together.) +- **OEMDigitalMarkerFileName** The name of the file placed in the \Windows\system32\drivers directory that specifies the OEM and model name of the device. +- **OEMManufacturerName** The device manufacturer name. The OEMName for an inactive device is not reprocessed even if the clean OEM name is changed at a later date. +- **OEMModelBaseBoard** The baseboard model used by the OEM. +- **OEMModelBaseBoardVersion** Differentiates between developer and retail devices. +- **OEMModelName** The device model name. +- **OEMModelNumber** The device model number. +- **OEMModelSKU** The device edition that is defined by the manufacturer. +- **OEMModelSystemFamily** The system family set on the device by an OEM. +- **OEMModelSystemVersion** The system model version set on the device by the OEM. +- **OEMOptionalIdentifier** A Microsoft assigned value that represents a specific OEM subsidiary. +- **OEMSerialNumber** The serial number of the device that is set by the manufacturer. +- **PhoneManufacturer** The friendly name of the phone manufacturer. +- **PowerPlatformRole** The OEM preferred power management profile. It's used to help to identify the basic form factor of the device. +- **SoCName** The firmware manufacturer of the device. +- **StudyID** Used to identify retail and non-retail device. +- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced. +- **TelemetryLevelLimitEnha5Sed** No content is currently available. +- **TelemetryLevelLimitEnhanced** The telemetry level for Windows Analytics-based solutions. +- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user. +- **TPMManufacturerId** The ID of the TPM manufacturer. +- **TPMManufacturerVersion** The version of the TPM manufacturer. +- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0. +- **VoiceSupported** Does the device have a cellular radio capable of making voice calls? + + +### Census.Memory + +This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to date. + +The following fields are available: + +- **TotalPhysicalRAM** Represents the physical memory (in MB). +- **TotalVisibleMemory** Represents the memory that is not reserved by the system. + + +### Census.Network + +This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors), to help keep Windows up to date. + +The following fields are available: + +- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. +- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. +- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MEID** Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. +- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MobileOperatorBilling** Represents the telephone company that provides services for mobile phone users. +- **MobileOperatorCommercialized** Represents which reseller and geography the phone is commercialized for. This is the set of values on the phone for who and where it was intended to be used. For example, the commercialized mobile operator code AT&T in the US would be ATT-US. +- **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. +- **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. +- **NetworkAdapterGUID** The GUID of the primary network adapter. +- **NetworkCost** Represents the network cost associated with a connection. +- **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. +- **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. + + +### Census.OS + +This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date. + +The following fields are available: + +- **ActivationChannel** Retrieves the retail license key or Volume license key for a machine. +- **AssignedAccessStatus** Kiosk configuration mode. +- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled. +- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy. +- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time +- **GenuineState** Retrieves the ID Value specifying the OS Genuine check. +- **GenuineStateanchNIsPortableOperatingSystem** No content is currently available. +- **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update). +- **InstallLanguage** The first language installed on the user machine. +- **IsDeviceRetailDemo** Retrieves if the device is running in demo mode. +- **IsEduData** Returns Boolean if the education data policy is enabled. +- **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go +- **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI. +- **LanguagePacks** The list of language packages installed on the device. +- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store. +- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. +- **OSEdition** Retrieves the version of the current OS. +- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc +- **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). +- **OSSKU** Retrieves the Friendly Name of OS Edition. +- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. +- **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines. +- **OSTimeZoneBiasInMins** Retrieves the time zone set on machine. +- **OSUILocale** Retrieves the locale of the UI that is currently used by the OS. +- **ProductActivationResult** Returns Boolean if the OS Activation was successful. +- **ProductActivationTime** Returns the OS Activation time for tracking piracy issues. +- **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key. +- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability. +- **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. +- **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. +- **ServiceProductKeyID** Retrieves the License key of the KMS +- **SharedPCMode** Returns Boolean for education devices used as shared cart +- **Signalure** No content is currently available. +- **Signature** Retrieves if it is a signature machine sold by Microsoft store. +- **SLICStatus** Whether a SLIC table exists on the device. +- **SLICVersion** Returns OS type/version from SLIC table. + + +### Census.PrivacySettings + +This event provides information about the device level privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represent the authority that set the value. The effective consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. + +The following fields are available: + +- **Activity** Current state of the activity history setting. +- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. +- **ActivityHistoryCollection** Current state of the activity history collection setting. +- **AdvertisingId** Current state of the advertising ID setting. +- **AdvertisiNgId** No content is currently available. +- **AppDiagnostics** Current state of the app diagnostics setting. +- **Appointments** Current state of the calendar setting. +- **Bluetooth** Current state of the Bluetooth capability setting. +- **BluetoothSync** Current state of the Bluetooth sync capability setting. +- **BroadFileSystemAccess** Current state of the broad file system access setting. +- **CellularData** Current state of the cellular data capability setting. +- **Chat** Current state of the chat setting. +- **Contacts** Current state of the contacts setting. +- **DocumentsLibrary** Current state of the documents library setting. +- **Email** Current state of the email setting. +- **FindMyDevice** Current state of the "find my device" setting. +- **GazeInput** Current state of the gaze input setting. +- **HumanInterfaceDevice** Current state of the human interface device setting. +- **InkTypeImpro_ement** No content is currently available. +- **InkTypeImprovement** Current state of the improve inking and typing setting. +- **Location** Current state of the location setting. +- **LocationHistory** Current state of the location history setting. +- **LocationHistoryCloudSync** Current state of the location history cloud sync setting. +- **LocationHistoryOnTimeline** Current state of the location history on timeline setting. +- **Microphone** Current state of the microphone setting. +- **PhoneCall** Current state of the phone call setting. +- **PhoneCallHistory** Current state of the call history setting. +- **PicturesLibrary** Current state of the pictures library setting. +- **Radios** Current state of the radios setting. +- **SensorsCustom** Current state of the custom sensor setting. +- **SerialCommunication** Current state of the serial communication setting. +- **Sms** Current state of the text messaging setting. +- **SpeechPersonalization** Current state of the speech services setting. +- **USB** Current state of the USB setting. +- **UserAccountInformation** Current state of the account information setting. +- **UserDataTasks** Current state of the tasks setting. +- **UserNotificationListener** Current state of the notifications setting. +- **VideosLibrary** Current state of the videos library setting. +- **Webcam** Current state of the camera setting. +- **WiFiDirect** Current state of the Wi-Fi direct setting. + + +### Census.Processor + +Provides information on several important data points about Processor settings + +The following fields are available: + +- **KvaShadow** This is the micro code information of the processor. +- **MMSettingOverride** Microcode setting of the processor. +- **MMSettingOverrideMask** Microcode setting override of the processor. +- **PreviousUpdateRevision** Previous microcode revision +- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. +- **ProcessorClockSpeed** Clock speed of the processor in MHz. +- **ProcessorCores** Number of logical cores in the processor. +- **ProcessorIdentifier** Processor Identifier of a manufacturer. +- **ProcessorManufacturer** Name of the processor manufacturer. +- **ProcessorModel** Name of the processor model. +- **ProcessorPhysicalCores** Number of physical cores in the processor. +- **ProcessorUpdateRevision** The microcode revision. +- **ProcessorUpdateStatus** Enum value that represents the processor microcode load status +- **SocketCount** Count of CPU sockets. +- **SpeculationControl** Indicates whether the system has enabled protections needed to validate the speculation control vulnerability. + + +### Census.Security + +This event provides information on about security settings used to help keep Windows up to date and secure. + +The following fields are available: + +- **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard. +- **CGRunning** Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. This field tells if Credential Guard is running. +- **DGState** This field summarizes the Device Guard state. +- **HVCIRunning** Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all software running in kernel mode to safely allocate memory. This field tells if HVCI is running. +- **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest. +- **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host. +- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security. +- **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting. +- **SModeState** The Windows S mode trail state. +- **VBSState** Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled, Enabled, or Running. + + +### Census.Speech + +This event is used to gather basic speech settings on the device. + +The following fields are available: + +- **Abo_eLockEnabled** No content is currently available. +- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked. +- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities. +- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user. +- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. +- **KeyVer** Version information for the census speech event. +- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS). +- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. +- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities. +- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice. +- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device. +- **SpeechServicesValueSource** Indicates the deciding factor for the effective online speech recognition privacy policy settings: remote admin, local admin, or user preference. + + +### Census.Storage + +This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date. + +The following fields are available: + +- **PrimaryDiskTotalCapacity** Retrieves the amount of disk space on the primary disk of the device in MB. +- **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any). +- **StorageReservePassedPolicy** Indicates whether the Storage Reserve policy, which ensures that updates have enough disk space and customers are on the latest OS, is enabled on this device. +- **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB. + + +### Census.Userdefault + +This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date. + +The following fields are available: + +- **CalendarType** The calendar identifiers that are used to specify different calendars. +- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. +- **DefaultBrowserProgId** The ProgramId of the current user's default browser. +- **LongDateFormat** The long date format the user has selected. +- **ShortDateFormat** The short date format the user has selected. + + +### Census.UserDisplay + +This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date. + +The following fields are available: + +- **InternalPrimaryDis0layResolutionHorizontal** No content is currently available. +- **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display. +- **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display. +- **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display. +- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display. +- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display. +- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display. +- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches . +- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches +- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine +- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine. +- **VRAMDedicated** Retrieves the video RAM in MB. +- **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card. +- **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use. + + +### Census.UserNLS + +This event sends data about the default app language, input, and display language preferences set by the user, to help keep Windows up to date. + +The following fields are available: + +- **DefaultAppLanguage** The current user Default App Language. +- **DisplayLanguage** The current user preferred Windows Display Language. +- **HomeLocation** The current user location, which is populated using GetUserGeoId() function. +- **KeyboardInputLanguages** The Keyboard input languages installed on the device. +- **SpeechInputLanguages** The Speech Input languages installed on the device. + + +### Census.UserPrivacySettings + +This event provides information about the current users privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represents the authority that set the value. The effective consent is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = user, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. + +The following fields are available: + +- **ActitityHistoryCollection** No content is currently available. +- **Activity** Current state of the activity history setting. +- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. +- **ActivityHistoryCollection** Current state of the activity history collection setting. +- **AdvertisingId** Current state of the advertising ID setting. +- **AppDiagnostics** Current state of the app diagnostics setting. +- **Appointments** Current state of the calendar setting. +- **Bluatooth** No content is currently available. +- **Bluetooth** Current state of the Bluetooth capability setting. +- **BluetoothSync** Current state of the Bluetooth sync capability setting. +- **BroadFileSystemAccess** Current state of the broad file system access setting. +- **CellularData** Current state of the cellular data capability setting. +- **Chat** Current state of the chat setting. +- **Contacts** Current state of the contacts setting. +- **DocumentsLibrary** Current state of the documents library setting. +- **Email** Current state of the email setting. +- **GazeInput** Current state of the gaze input setting. +- **HumanInterfaceDevice** Current state of the human interface device setting. +- **InkTypeImprovement** Current state of the improve inking and typing setting. +- **InkTypePersonalization** Current state of the inking and typing personalization setting. +- **Location** Current state of the location setting. +- **LocationHistory** Current state of the location history setting. +- **LocationHistoryCloudSync** Current state of the location history cloud synchronization setting. +- **LocationHistoryOnTimeline** Current state of the location history on timeline setting. +- **Microphone** Current state of the microphone setting. +- **PhoneCall** Current state of the phone call setting. +- **PhoneCallHistory** Current state of the call history setting. +- **PicturesLibrary** Current state of the pictures library setting. +- **Radios** Current state of the radios setting. +- **SensorsCustom** Current state of the custom sensor setting. +- **SerialCommunication** Current state of the serial communication setting. +- **Sms** Current state of the text messaging setting. +- **SpeechPersonaliza|ion** No content is currently available. +- **SpeechPersonalization** Current state of the speech services setting. +- **USB** Current state of the USB setting. +- **UserAccountInformation** Current state of the account information setting. +- **UserDataTasks** Current state of the tasks setting. +- **UserNotificationListener** Current state of the notifications setting. +- **VideosLibrary** Current state of the videos library setting. +- **Webcam** Current state of the camera setting. +- **WiFiDirect** Current state of the Wi-Fi direct setting. + + +### Census.VM + +This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date. + +The following fields are available: + +- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within. +- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor. +- **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present. +- **IsVDI** Is the device using Virtual Desktop Infrastructure? +- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors. +- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware. +- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware. + + +### Census.WU + +This event sends data about the Windows update server and other App store policies, to help keep Windows up to date. + +The following fields are available: + +- **AppraiserGatedStatus** Indicates whether a device has been gated for upgrading. +- **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled). +- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured +- **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting +- **DelayeferUpg** No content is currently available. +- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades. +- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it? +- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update? +- **OSAssessmentForQualityUpdate** Is the device on the latest quality update? +- **OSAssessmentForSecurityUpdate** Is the device on the latest security update? +- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it? +- **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment. +- **OSRollbackCount** The number of times feature updates have rolled back on the device. +- **OSRolledBack** A flag that represents when a feature update has rolled back during setup. +- **OSUninstalled** A flag that represents when a feature update is uninstalled on a device . +- **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device. +- **OSWUAutoUpdateOptionsSource** The source of auto update setting that appears in the OSWUAutoUpdateOptions field. For example: Group Policy (GP), Mobile Device Management (MDM), and Default. +- **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently. +- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). +- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. +- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. +- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. +- **WUPauseState** Retrieves WU setting to determine if updates are paused. +- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). +- **WWPauseState** No content is currently available. + + +### Census.Xbox + +This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date. + +The following fields are available: + +- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console. +- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console. +- **XboxLiveDeviceId** Retrieves the unique device ID of the console. +- **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft. + + +## Common data extensions + +### Common Data Extensions.app + +Describes the properties of the running application. This extension could be populated by a client app or a web app. + +The following fields are available: + +- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session. +- **env** The environment from which the event was logged. +- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event. +- **id** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application. +- **locale** The locale of the app. +- **name** The name of the app. +- **userId** The userID as known by the application. +- **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app. + + +### Common Data Extensions.container + +Describes the properties of the container for events logged within a container. + +The following fields are available: + +- **epoch** An ID that's incremented for each SDK initialization. +- **localId** The device ID as known by the client. +- **osVer** The operating system version. +- **seq** An ID that's incremented for each event. +- **type** The container type. Examples: Process or VMHost + + +### Common Data Extensions.cs + +Describes properties related to the schema of the event. + +The following fields are available: + +- **sig** A common schema signature that identifies new and modified event schemas. + + +### Common Data Extensions.device + +Describes the device-related fields. + +The following fields are available: + +- **deviceClass** The device classification. For example, Desktop, Server, or Mobile. +- **localId** A locally-defined unique ID for the device. This is not the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId +- **make** Device manufacturer. +- **model** Device model. + + +### Common Data Extensions.Envelope + +Represents an envelope that contains all of the common data extensions. + +The following fields are available: + +- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries. +- **data** Represents the optional unique diagnostic data for a particular event schema. +- **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp). +- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer). +- **ext_cs** Describes properties related to the schema of the event. See [Common Data Extensions.cs](#common-data-extensionscs). +- **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice). +- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos). +- **ext_receipts** Describes the fields related to time as provided by the client for debugging purposes. See [Common Data Extensions.receipts](#common-data-extensionsreceipts). +- **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk). +- **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser). +- **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc). +- **ext_xbl** Describes the fields related to XBOX Live. See [Common Data Extensions.xbl](#common-data-extensionsxbl). +- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency. +- **iKey** Represents an ID for applications or other logical groupings of events. +- **name** Represents the uniquely qualified name for the event. +- **popSample** Represents the effective sample rate for this event at the time it was generated by a client. +- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format. +- **ver** Represents the major and minor version of the extension. + + +### Common Data Extensions.os + +Describes some properties of the operating system. + +The following fields are available: + +- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot. +- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema. +- **locale** Represents the locale of the operating system. +- **name** Represents the operating system name. +- **ver** Represents the major and minor version of the extension. + + +### Common Data Extensions.receipts + +Represents various time information as provided by the client and helps for debugging purposes. + +The following fields are available: + +- **originalTime** The original event time. +- **uploadTime** The time the event was uploaded. + + +### Common Data Extensions.sdk + +Used by platform specific libraries to record fields that are required for a specific SDK. + +The following fields are available: + +- **epoch** An ID that is incremented for each SDK initialization. +- **installId** An ID that's created during the initialization of the SDK for the first time. +- **libVer** The SDK version. +- **seq** An ID that is incremented for each event. + + +### Common Data Extensions.user + +Describes the fields related to a user. + +The following fields are available: + +- **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token. +- **locale** The language and region. +- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID. + + +### Common Data Extensions.utc + +Describes the properties that could be populated by a logging library on Windows. + +The following fields are available: + +- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW. +- **bSeq** Upload buffer sequence number in the format: buffer identifier:sequence number +- **cat** Represents a bitmask of the ETW Keywords associated with the event. +- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer. +- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server. +- **flags** Represents the bitmap that captures various Windows specific flags. +- **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence +- **op** Represents the ETW Op Code. +- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. +- **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server. +- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. + + +### Common Data Extensions.xbl + +Describes the fields that are related to XBOX Live. + +The following fields are available: + +- **claims** Any additional claims whose short claim name hasn't been added to this structure. +- **did** XBOX device ID +- **dty** XBOX device type +- **dvr** The version of the operating system on the device. +- **eid** A unique ID that represents the developer entity. +- **exp** Expiration time +- **ip** The IP address of the client device. +- **nbf** Not before time +- **pid** A comma separated list of PUIDs listed as base10 numbers. +- **sbx** XBOX sandbox identifier +- **sid** The service instance ID. +- **sty** The service type. +- **tid** The XBOX Live title ID. +- **tvr** The XBOX Live title version. +- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. +- **xid** A list of base10-encoded XBOX User IDs. + + +## Common data fields + +### Ms.Device.DeviceInventoryChange + +Describes the installation state for all hardware and software components available on a particular device. + +The following fields are available: + +- **action** The change that was invoked on a device inventory object. +- **invent** No content is currently available. +- **inventoryId** Device ID used for Compatibility testing +- **objectInstanceId** Object identity which is unique within the device scope. +- **objectInstanceId** No content is currently available. +- **objectType** Indicates the object type that the event applies to. +- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. + + +## Compatibility events + +### Microsoft.Windows.Compatibility.Apphelp.SdbFix + +Product instrumentation for helping debug/troubleshoot issues with inbox compatibility components. + +The following fields are available: + +- **AppName** Name of the application impacted by SDB. +- **FixID** SDB GUID. +- **Flags** List of flags applied. +- **ImageName** Name of file. + + +## Component-based servicing events + +### CbsServicingProvider.CbsCapabilityEnumeration + +This event reports on the results of scanning for optional Windows content on Windows Update. + +The following fields are available: + +- **architecture** Indicates the scan was limited to the specified architecture. +- **capabilityCount** The number of optional content packages found during the scan. +- **clientId** The name of the application requesting the optional content. +- **duration** The amount of time it took to complete the scan. +- **hrStatus** The HReturn code of the scan. +- **language** Indicates the scan was limited to the specified language. +- **majorVersion** Indicates the scan was limited to the specified major version. +- **minorVersion** Indicates the scan was limited to the specified minor version. +- **namespace** Indicates the scan was limited to packages in the specified namespace. +- **sourceFilter** A bitmask indicating the scan checked for locally available optional content. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionFinalize + +This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. + +The following fields are available: + +- **capabilities** The names of the optional content packages that were installed. +- **clientId** The name of the application requesting the optional content. +- **currentID** The ID of the current install session. +- **downloadSource** The source of the download. +- **highestState** The highest final install state of the optional content. +- **hrLCUReservicingStatus** Indicates whether the optional content was updated to the latest available version. +- **hrStatus** The HReturn code of the install operation. +- **rebootCount** The number of reboots required to complete the install. +- **retryID** The session ID that will be used to retry a failed operation. +- **retryStatus** Indicates whether the install will be retried in the event of failure. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionPended + +This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date. + +The following fields are available: + +- **clientId** The name of the application requesting the optional content. +- **pendingDecision** Indicates the cause of reboot, if applicable. + + +### CbsServicingProvider.CbsLateAcquisition + +This event sends data to indicate if some Operating System packages could not be updated as part of an upgrade, to help keep Windows up to date. + +The following fields are available: + +- **Features** The list of feature packages that could not be updated. +- **RetryID** The ID identifying the retry attempt to update the listed packages. + + +### CbsServicingProvider.CbsPackageRemoval + +This event provides information about the results of uninstalling a Windows Cumulative Security Update to help keep Windows up to date. + +The following fields are available: + +- **buildVersion** The build number of the security update being uninstalled. +- **clientId** The name of the application requesting the uninstall. +- **currentStateEnd** The final state of the update after the operation. +- **failureDetails** Information about the cause of a failure, if applicable. +- **failureSourceEnd** The stage during the uninstall where the failure occurred. +- **hrStatusEnd** The overall exit code of the operation. +- **initiatedOffline** Indicates if the uninstall was initiated for a mounted Windows image. +- **majorVersion** The major version number of the security update being uninstalled. +- **minorVersion** The minor version number of the security update being uninstalled. +- **originalState** The starting state of the update before the operation. +- **pendingDecision** Indicates the cause of reboot, if applicable. +- **primitiveExecutionContext** The state during system startup when the uninstall was completed. +- **revisionVersion** The revision number of the security update being uninstalled. +- **transactionCanceled** Indicates whether the uninstall was cancelled. + + +### CbsServicingProvider.CbsQualityUpdateInstall + +This event reports on the performance and reliability results of installing Servicing content from Windows Update to keep Windows up to date. + +The following fields are available: + +- **buildVersion** The build version number of the update package. +- **clientId** The name of the application requesting the optional content. +- **corruptionHistoryFlags** A bitmask of the types of component store corruption that have caused update failures on the device. +- **corruptionType** An enumeration listing the type of data corruption responsible for the current update failure. +- **currentStateEnd** The final state of the package after the operation has completed. +- **doqTimeSeconds** The time in seconds spent updating drivers. +- **executeTimeSeconds** The number of seconds required to execute the install. +- **failureDetails** The driver or installer that caused the update to fail. +- **failureSourceEnd** An enumeration indicating at what phase of the update a failure occurred. +- **hrStatusEnd** The return code of the install operation. +- **initiatedOffline** A true or false value indicating whether the package was installed into an offline Windows Imaging Format (WIM) file. +- **majorVersion** The major version number of the update package. +- **minorVersion** The minor version number of the update package. +- **originalState** The starting state of the package. +- **overallTimeSeconds** The time (in seconds) to perform the overall servicing operation. +- **planTimeSeconds** The time in seconds required to plan the update operations. +- **poqTimeSeconds** The time in seconds processing file and registry operations. +- **postRebootTimeSeconds** The time (in seconds) to do startup processing for the update. +- **preRebootTimeSeconds** The time (in seconds) between execution of the installation and the reboot. +- **primitiveExecutionContext** An enumeration indicating at what phase of shutdown or startup the update was installed. +- **rebootCount** The number of reboots required to install the update. +- **rebootTimeSeconds** The time (in seconds) before startup processing begins for the update. +- **resolveTimeSeconds** The time in seconds required to resolve the packages that are part of the update. +- **revisionVersion** The revision version number of the update package. +- **rptTimeSeconds** The time in seconds spent executing installer plugins. +- **shutdownTimeSeconds** The time (in seconds) required to do shutdown processing for the update. +- **stackRevision** The revision number of the servicing stack. +- **stageTimeSeconds** The time (in seconds) required to stage all files that are part of the update. + + +## Deployment extensions + +### DeploymentTelemetry.Deployment_End + +This event indicates that a Deployment 360 API has completed. + +The following fields are available: + +- **ClientId** Client ID of the user utilizing the D360 API. +- **ErrorCode** Error code of action. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Mode** Phase in upgrade. +- **RelatedCV** The correction vector (CV) of any other related events +- **Result** End result of the action. + + +### DeploymentTelemetry.Deployment_SetupBoxLaunch + +This event indicates that the Deployment 360 APIs have launched Setup Box. + +The following fields are available: + +- **ClientId** The client ID of the user utilizing the D360 API. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Quiet** Whether Setup will run in quiet mode or full mode. +- **RelatedCV** The correlation vector (CV) of any other related events. +- **SetupMode** The current setup phase. + + +### DeploymentTelemetry.Deployment_SetupBoxResult + +This event indicates that the Deployment 360 APIs have received a return from Setup Box. + +The following fields are available: + +- **ClientId** Client ID of the user utilizing the D360 API. +- **ErrorCode** Error code of the action. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Quiet** Indicates whether Setup will run in quiet mode or full mode. +- **RelatedCV** The correlation vector (CV) of any other related events. +- **SetupMode** The current Setup phase. + + +### DeploymentTelemetry.Deployment_Start + +This event indicates that a Deployment 360 API has been called. + +The following fields are available: + +- **ClientId** Client ID of the user utilizing the D360 API. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Mode** The current phase of the upgrade. +- **RelatedCV** The correlation vector (CV) of any other related events. + + +## Diagnostic data events + +### TelClientSynthetic.AuthorizationInfo_RuntimeTransition + +This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. + +The following fields are available: + +- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. +- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. +- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. +- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. +- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. +- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. +- **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **PreviousPermissions** Bitmask of previous telemetry state. +- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. + + +### TelClientSynthetic.AuthorizationInfo_Startup + +Fired by UTC at startup to signal what data we are allowed to collect. + +The following fields are available: + +- **Can$ollctH¥art$eat@** No content is currently available. +- **Can&erformDiagnosticEscalations** No content is currently available. +- **Can@erformDiagnosticEscalations** No content is currently available. +- **CanollDctWndo‰sAnDlytHcsE‰entL** No content is currently available. +- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. +- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. +- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. +- **CanCollectCoreTelemetzy** No content is currently available. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. +- **CanColleCtHeartbeats** No content is currently available. +- **CanCollectNsTelemetry** No content is currently available. +- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. +- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. +- **CanMepoHtSc$narDos** No content is currently available. +- **CanollÿctAAyTe[emeƒry** No content is currently available. +- **CanPerformDiagngsticEscalations** No content is currently available. +- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. +- **CanPerforoDiagnosticEscalations** No content is currently available. +- **CanRepor5Acenarios** No content is currently available. +- **CanReportscenarios** No content is currently available. +- **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **CanþollectOsTelemetry** No content is currently available. +- **Previous&ermissions** No content is currently available. +- **PreviousPermissaons** No content is currently available. +- **PreviousPermissions** Bitmask of previous telemetry state. +- **TransitionfromEverythingOff** No content is currently available. +- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. + + +### TelClientSynthetic.ConnectivityHeartBeat_0 + +This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. + +The following fields are available: + +- **CensusExitCode** Returns last execution codes from census client run. +- **CensusStartTime** Returns timestamp corresponding to last successful census run. +- **CensusTas{Enasled** No content is currently available. +- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. +- **CwnsusStartTime** No content is currently available. +- **LastConnectivityLossTime** Retrieves the last time the device lost free network. +- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. +- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. +- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds. +- **낎茨��彿孔ゟꪜㄒ謡폲��춗** No content is currently available. +- **셨恮띚㓃瘙칌델࠮鎫ꖋ͇��솗π㹆** No content is currently available. +- **㨲⣦豑棽沵湤ས萾盗椺魹㙞** No content is currently available. + + +### TelClientSynthetic.HeartBeat_5 + +This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. + +The following fields are available: + +- **@venStomeRe­etSizeSum** No content is currently available. +- **ࠣ⥶墊뗞ᚄ棛묚ﺪ穢꾜浝返枽탙** No content is currently available. +- **597pressedBytesUploaded** No content is currently available. +- **5ensusExitCode** No content is currently available. +- **5ensusStartTime** No content is currently available. +- **5ensusTaskEnabled** No content is currently available. +- **㉊��ꐔᦵﲉộ恓拥镳ŏ⺃턺맿삷࣫৘彣䞉䮄** No content is currently available. +- **AgentConnectaonErrorsCount** No content is currently available. +- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel. +- **AgentConnect⁩onErrorsCount** No content is currently available. +- **AudioInMS** No content is currently available. +- **AudioOutMS** No content is currently available. +- **BackgroundMouseSec** No content is currently available. +- **CensdsExitCode** No content is currently available. +- **CensdsStartTime** No content is currently available. +- **CensdsTaskEnabled** No content is currently available. +- **CensusExitCode** The last exit code of the Census task. +- **CensusStartTime** Time of last Census run. +- **CensusTaskEnabled** True if Census is enabled, false otherwise. +- **Com`ressedBytesUploaded** No content is currently available. +- **CompressedBytesUploaded** Number of compressed bytes uploaded. +- **CompressedBytesUtyPropagatedSec** No content is currently available. +- **ConsdmerDroppedCount** No content is currently available. +- **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. +- **Critical�ataThrottleDroppedCount** No content is currently available. +- **CriticalDataDbDro`pedCount** No content is currently available. +- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. +- **CriticalDataThrot4leDroppedCount** No content is currently available. +- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling. +- **CriticalOverflowAntersCounter** No content is currently available. +- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB. +- **CriticalOverflowEuntestCounter** No content is currently available. +- **CriticalOverflowIntersCounter** No content is currently available. +- **CrivicalOverflowEntersCounter** No content is currently available. +- **DbCriticalDroppedCount** Total number of dropped critical events in event DB. +- **DbDboppedFullCount** No content is currently available. +- **DbDroppedCount** Number of events dropped due to DB fullness. +- **DbDroppedFailureCount** Number of events dropped due to DB failures. +- **DbDroppeDFailureCount** No content is currently available. +- **DbDroppedFailureCountAgentC** No content is currently available. +- **DbDroppedFullCoun�** No content is currently available. +- **DbDroppedFullCount** Number of events dropped due to DB fullness. +- **DbD偲oppedCount** No content is currently available. +- **DecodingDroppedCount** Number of events dropped due to decoding failures. +- **EnteringCriticalOverfl** No content is currently available. +- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. +- **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. +- **EventSequence** No content is currently available. +- **EventsPersistedCount** Number of events that reached the PersistEvent stage. +- **EventsPtesistedCount** No content is currently available. +- **EventStoreLifetimeResetCo}nter** No content is currently available. +- **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC. +- **EventStoReLifetimeResetCounter** No content is currently available. +- **EventStoreRese|Counter** No content is currently available. +- **EventStoreReseSizeSum** No content is currently available. +- **EventStoreResetCounter** Number of times event DB was reset. +- **EventStoreResetdingSum** No content is currently available. +- **EventStoreResetSizesum** No content is currently available. +- **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance. +- **EventStoreResettCounter** No content is currently available. +- **EventSubStoreResetCounter** Number of times event DB was reset. +- **EventSubStoreResetSizeSum** Total size of event DB across all resets reports in this instance. +- **EventsUploaded** Number of events uploaded. +- **FellTriggerBufferDroppedCount** No content is currently available. +- **Flags** Flags indicating device state such as network state, battery state, and opt-in state. +- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. +- **FullTrihgerBufferDroppedCount** No content is currently available. +- **HeartBeatSequenceNumber** The sequence number of this heartbeat. +- **Inv,:3tyttpCodeCount** No content is currently available. +- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. +- **isDefault** No content is currently available. +- **isSuccessful** No content is currently available. +- **Las4Inv(lidttpode** No content is currently available. +- **LastAgentConnectionErroeType** No content is currently available. +- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. +- **LastEventSingOffender** No content is currently available. +- **LastEventsizeOffender** No content is currently available. +- **LastEventSizeOffender** Event name of last event which exceeded max event size. +- **LastEventSizeOffѥnder** No content is currently available. +- **LastInv,:3tyttpCode** No content is currently available. +- **LastInvali$HttpCode** No content is currently available. +- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. +- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. +- **MaxInUseAcenarioCounter** No content is currently available. +- **MaxInUseS75}arioCounter** No content is currently available. +- **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. +- **MaxxrseSum** No content is currently available. +- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). +- **renderTrigger** No content is currently available. +- **repeatedUploadFailureDropped** No content is currently available. +- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. +- **RepeatedUploadFailureerDropp** No content is currently available. +- **result** No content is currently available. +- **SettingsHtt0Att%mpt2** No content is currently available. +- **SettingsHttpAtMempts** No content is currently available. +- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. +- **SettingsHttpFailures** The number of failures from contacting the OneSettings service. +- **SettingsyttpAttempts** No content is currently available. +- **SettingsyttpFailures** No content is currently available. +- **SinceFirstInteractivityMS** No content is currently available. +- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. +- **TopUploaderErrors** List of top errors received from the upload endpoint. +- **U0loaderErrorCount** No content is currently available. +- **unteingCriticalOverflowDroppedCounter** No content is currently available. +- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. +- **UploaderErrorCount** Number of errors received from the upload endpoint. +- **ViewFlags** No content is currently available. +- **VobtexHttpResponseFailures** No content is currently available. +- **Vor5exFailuresTimeout** No content is currently available. +- **Vor5exHttpAttempts** No content is currently available. +- **Vor5exHttpFailures4xx** No content is currently available. +- **Vor5exHttpFailures5xx** No content is currently available. +- **Vor5exHttpResponseFailures** No content is currently available. +- **Vor5exHttpResponsesWithDroppedEvents** No content is currently available. +- **VordexHttpAttempts** No content is currently available. +- **VortehFailuresTimeout** No content is currently available. +- **VortexFailuresTimeout** The number of timeout failures received from Vortex. +- **VortexHttpAtMempts** No content is currently available. +- **VortexHttpAttempts** Number of attempts to contact Vortex. +- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. +- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. +- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. +- **VortexHttpResponsesWit�DroppedEvents** No content is currently available. +- **VortexHttpResponsesWitfDroppedEvents** No content is currently available. +- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. +- **VortexHttpResponsesWitherDroppEvents** No content is currently available. +- **VortexHvtpAttempts** No content is currently available. +- **VortexyttpAttempts** No content is currently available. +- **VortexyttpFailures4xx** No content is currently available. +- **VortexyttpFailures5xx** No content is currently available. +- **VortexyttpResponseFailures** No content is currently available. +- **VortexyttpResponsesWithDroppedEvents** No content is currently available. +- **Ω霗⺴䷞釬膏੶ˀ䊋䏾៬㝟쀩ﻊႌ᪘绮開웷** No content is currently available. +- **ⴧꈌ噱罼[ᱪ頱찲刕떈ϩꗊ꒶兛槞捖䏛늊邋瑟⌴슰ݎ뜼뱥윞ᶃ** No content is currently available. +- **ꋦɓ☴槼ꏍ䔕趸邽뽎㞖륮獵衻㚔ʅⰤ脝ꁗ㻨剧敳犿矘葹꾇䬝⨘⏇뷮쨢ʜ꟩** No content is currently available. +- **ᤴ䖋叴햢Ѵ갰㹕壑彔蕢㑟䌛݁ꕿ඼丹䆑鱡** No content is currently available. +- **낎茨��彿孔ゟꪜㄒ謡폲��춗** No content is currently available. +- **덀ၫ랫Ƙퟚ᧔퐼㵜킶䆹荸활謁焄㓵犛Ɤ澴㹭ཧ** No content is currently available. +- **롰用᜜™業䬒㥆ἑ��寞⨱ᾝ䞆쨁悺릾䗳** No content is currently available. +- **뤠蔋弌놅똋궑텪邽櫰৳␮媩䉍��녑䍎񳸑** No content is currently available. +- **셨恮띚㓃瘙칌델࠮鎫ꖋ͇��솗π㹆** No content is currently available. +- **즬铗쐌ﰺ읟좌鄀妏 蹤㻇椤㜊䁔鿺䍇趺懤譀뫺◦ɍ煎㟹** No content is currently available. +- **첎艅ꃣ殠ổ⍦ꫭ簆㈺䥲풾Ϊ攝棥��紽鰫꜌ઁ㌲诡ಆᇆ** No content is currently available. +- **斜⤏ܔ馼쯌ℬ壯ꈹ楖뢨┺挖东ⵕ疐﷤㝊䅁荹隼��䎕㹢��⭶ꮬ瀯** No content is currently available. +- **曺跬蝲㥅䬿應鄶뇵鯔㮡侪ч즗퀾祃迼猀亰햗₊珱姰㜔Ⓤ∔痨쌈ꘄ擑蜉滂** No content is currently available. +- **㚡⁓��漭䖾愶툰ꯛ慤־䨃枛䡹ꋷన件Ⴄ棅譟** No content is currently available. +- **㨲⣦豑棽沵湤ས萾盗椺魹㙞** No content is currently available. +- **㰚姗硴龖㾙** No content is currently available. +- **䱉虙璫ຖꍶ搎⪴偩HttpAttempts** No content is currently available. + + +### TelClientSynthetic.HeartBeat_Aria_5 + +This event is the telemetry client ARIA heartbeat. + +The following fields are available: + +- **ࠣ⥶墊뗞ᚄ棛묚ﺪ穢꾜浝返枽탙** No content is currently available. +- **㉊��ꐔᦵﲉộ恓拥镳ŏ⺃턺맿삷࣫৘彣䞉䮄** No content is currently available. +- **CompressedBytesUploaded** Number of compressed bytes uploaded. +- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. +- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. +- **DbCriticalDroppedCount** Total number of dropped critical events in event database. +- **DbDroppedCount** Number of events dropped at the database layer. +- **DbDroppedFailureCount** Number of events dropped due to database failures. +- **DbDroppedFullCount** Number of events dropped due to database being full. +- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **EventsPersistedCount** Number of events that reached the PersistEvent stage. +- **EventStoreLifetimeResetCounter** Number of times the event store has been reset. +- **EventStoreResetCounter** Number of times the event store has been reset during this heartbeat. +- **EventStoreResetSizeSum** Size of event store reset in bytes. +- **EventsUploaded** Number of events uploaded. +- **HeartBeatSequenceNumber** The sequence number of this heartbeat. +- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. +- **LastEventSizeOffender** Event name of last event which exceeded max event size. +- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. +- **PreviousHeartBeatTime** The FILETIME of the previous heartbeat fire. +- **repeatedUploadFailureDropped** No content is currently available. +- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. +- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. +- **SettingsHttpFailures** Number of failures from contacting OneSettings service. +- **TopUploaderErrors** List of top errors received from the upload endpoint. +- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. +- **UploaderErrorCount** Number of errors received from the upload endpoint. +- **VortexFailuresTimeout** Number of time out failures received from Vortex. +- **VortexHttpAttempts** Number of attempts to contact Vortex. +- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. +- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. +- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. +- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. +- **Ω霗⺴䷞釬膏੶ˀ䊋䏾៬㝟쀩ﻊႌ᪘绮開웷** No content is currently available. +- **ⴧꈌ噱罼[ᱪ頱찲刕떈ϩꗊ꒶兛槞捖䏛늊邋瑟⌴슰ݎ뜼뱥윞ᶃ** No content is currently available. +- **ꋦɓ☴槼ꏍ䔕趸邽뽎㞖륮獵衻㚔ʅⰤ脝ꁗ㻨剧敳犿矘葹꾇䬝⨘⏇뷮쨢ʜ꟩** No content is currently available. +- **ᤴ䖋叴햢Ѵ갰㹕壑彔蕢㑟䌛݁ꕿ඼丹䆑鱡** No content is currently available. +- **덀ၫ랫Ƙퟚ᧔퐼㵜킶䆹荸활謁焄㓵犛Ɤ澴㹭ཧ** No content is currently available. +- **롰用᜜™業䬒㥆ἑ��寞⨱ᾝ䞆쨁悺릾䗳** No content is currently available. +- **뤠蔋弌놅똋궑텪邽櫰৳␮媩䉍��녑䍎񳸑** No content is currently available. +- **즬铗쐌ﰺ읟좌鄀妏 蹤㻇椤㜊䁔鿺䍇趺懤譀뫺◦ɍ煎㟹** No content is currently available. +- **斜⤏ܔ馼쯌ℬ壯ꈹ楖뢨┺挖东ⵕ疐﷤㝊䅁荹隼��䎕㹢��⭶ꮬ瀯** No content is currently available. +- **曺跬蝲㥅䬿應鄶뇵鯔㮡侪ч즗퀾祃迼猀亰햗₊珱姰㜔Ⓤ∔痨쌈ꘄ擑蜉滂** No content is currently available. +- **㚡⁓��漭䖾愶툰ꯛ慤־䨃枛䡹ꋷన件Ⴄ棅譟** No content is currently available. +- **䱉虙璫ຖꍶ搎⪴偩HttpAttempts** No content is currently available. + + +### TelClientSynthetic.HeartBeat_Seville_5 + +This event is sent by the universal telemetry client (UTC) as a heartbeat signal for Sense. + +The following fields are available: + +- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host or agent channel. +- **CompressedBytesUploaded** Number of compressed bytes uploaded. +- **ConsumerDroppedCount** Number of events dropped at consumer layer of the telemetry client. +- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. +- **CriticalDataThrottleDroppedCount** Number of critical data sampled events dropped due to throttling. +- **CriticalDroppedCount** No content is currently available. +- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. +- **DailyUploadQuotaInBytes** Daily upload quota for Sense in bytes (only in in-proc mode). +- **DbCriticalDroppedCount** Total number of dropped critical events in event database. +- **DbDroppedCount** Number of events dropped due to database being full. +- **DbDroppedFailureCount** Number of events dropped due to database failures. +- **DbDroppedFullCount** Number of events dropped due to database being full. +- **DecodingDroppedCount** Number of events dropped due to decoding failures. +- **DiskSizeInBytes** Size of event store for Sense in bytes (only in in-proc mode). +- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **EtwDroppedBufferCount** Number of buffers dropped in the universal telemetry client (UTC) event tracing for Windows (ETW) session. +- **EtwDroppedCount** Number of events dropped at the event tracing for Windows (ETW) layer of telemetry client. +- **EventsPersistedCount** Number of events that reached the PersistEvent stage. +- **EventStoreLifetimeResetCounter** Number of times event the database was reset for the lifetime of the universal telemetry client (UTC). +- **EventStoreResetCounter** Number of times the event database was reset. +- **EventStoreResetSizeSum** Total size of the event database across all resets reports in this instance. +- **EventsUploaded** Number of events uploaded. +- **Flags** Flags indicating device state, such as network state, battery state, and opt-in state. +- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. +- **HeartBeatSequenceNumber** The sequence number of this heartbeat. +- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. +- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. +- **LastEventSizeOffender** Event name of last event which exceeded the maximum event size. +- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. +- **MaxActiveAgentConnectionCount** Maximum number of active agents during this heartbeat timeframe. +- **NormalUploadTimerMillis** Number of milliseconds between each upload of normal events for SENSE (only in in-proc mode). +- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). +- **RepeatedUploadFailureDropped** Number of events lost due to repeated failed uploaded attempts. +- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. +- **SettingsHttpFailures** Number of failures from contacting the OneSettings service. +- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. +- **TopUploaderErrors** Top uploader errors, grouped by endpoint and error type. +- **UploaderDroppedCount** Number of events dropped at the uploader layer of the telemetry client. +- **UploaderErrorCount** Number of input for the TopUploaderErrors mode estimation. +- **VortexFailuresTimeout** Number of time out failures received from Vortex. +- **VortexHttpAttempts** Number of attempts to contact Vortex. +- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. +- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. +- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. +- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. + + +## Direct to update events + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicability + +Event to indicate that the Coordinator CheckApplicability call succeeded. + +The following fields are available: + +- **ApplicabilityResult** Result of CheckApplicability function. +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **IsDeviceAADDomainJoined** No content is currently available. +- **IsDeviceADDomainJoined** No content is currently available. +- **IsDeviceCloverTrail** No content is currently available. +- **IsDeviceFeatureUpdatingPaused** No content is currently available. +- **IsDeviceNetworkMetered** No content is currently available. +- **IsDeviceOobeBlocked** No content is currently available. +- **IsDeviceRequireUpdateApproval** No content is currently available. +- **IsDeviceSccmManaged** No content is currently available. +- **IsDeviceUninstallActive** No content is currently available. +- **IsDeviceUpdateNotificationLevel** No content is currently available. +- **IsDeviceUpdateServiceManaged** No content is currently available. +- **IsDeviceZeroExhaust** No content is currently available. +- **IsGreaterThanMaxRetry** No content is currently available. +- **IsVolumeLicensed** No content is currently available. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicabilityGenericFailure + +This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Cleanup call. + +The following fields are available: + +- **CampaignID** Campaign ID being run +- **ClientID** Client ID being run +- **CoordinatorVersion** Coordinator version of DTU +- **CV** Correlation vector +- **hResult** HRESULT of the failure + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupSuccess + +This event indicates that the Coordinator Cleanup call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run +- **ClientID** Client ID being run +- **CoordinatorVersion** Coordinator version of DTU +- **CV** Correlation vector + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Commit call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitSuccess + +This event indicates that the Coordinator Commit call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Download call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadIgnoredFailure + +This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Download call that will be ignored. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadSuccess + +This event indicates that the Coordinator Download call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator HandleShutdown call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinate version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownSuccess + +This event indicates that the Coordinator HandleShutdown call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Initialize call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeSuccess + +This event indicates that the Coordinator Initialize call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Install call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallIgnoredFailure + +This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Install call that will be ignored. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallSuccess + +This event indicates that the Coordinator Install call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorProgressCallBack + +This event indicates that the Coordinator's progress callback has been called. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **DeployPhase** Current Deploy Phase. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorSetCommitReadySuccess + +This event indicates that the Coordinator SetCommitReady call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiNotShown + +This event indicates that the Coordinator WaitForRebootUi call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSelection + +This event indicates that the user selected an option on the Reboot UI. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **rebootUiSelection** Selection on the Reboot UI. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSuccess + +This event indicates that the Coordinator WaitForRebootUi call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicabilityInternal call. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalSuccess + +This event indicates that the Handler CheckApplicabilityInternal call succeeded. + +The following fields are available: + +- **ApplicabilityResult** The result of the applicability check. +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilitySuccess + +This event indicates that the Handler CheckApplicability call succeeded. + +The following fields are available: + +- **ApplicabilityResult** The result code indicating whether the update is applicable. +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionSuccess + +This event indicates that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **CheckIfCoordinatorMinApplicableVersionResult** Result of CheckIfCoordinatorMinApplicableVersion function. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Commit call. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitSuccess + +This event indicates that the Handler Commit call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run.run +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabFailure + +This event indicates that the Handler Download and Extract cab call failed. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_failureReason** Reason why the update download and extract process failed. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabSuccess + +This event indicates that the Handler Download and Extract cab call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Download call. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadSuccess + +This event indicates that the Handler Download call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Initialize call. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extract. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeSuccess + +This event indicates that the Handler Initialize call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extraction. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Install call. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallSuccess + +This event indicates that the Coordinator Install call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadySuccess + +This event indicates that the Handler SetCommitReady call succeeded. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler WaitForRebootUi call. + +The following fields are available: + +- **CampaignID** The ID of the campaigning being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** The HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiSuccess + +This event indicates that the Handler WaitForRebootUi call succeeded. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +## DxgKernelTelemetry events + +### DxgKrnlTelemetry.GPUAdapterInventoryV2 + +This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date. + +The following fields are available: + +- **~ersion** No content is currently available. +- **AdapterTypeValue** The numeric value indicating the type of Graphics adapter. +- **aiCeqId** No content is currently available. +- **aiSeqI�** No content is currently available. +- **aiseqId** No content is currently available. +- **aiSeqId** The event sequence ID. +- **bo** No content is currently available. +- **bootId** The system boot ID. +- **BrigesMessVersionViaDDI** No content is currently available. +- **BrightnessversionViaDDI** No content is currently available. +- **BrightnessVersionViaDDI** The version of the Display Brightness Interface. +- **BrightnessVersionViaDtI** No content is currently available. +- **BrightnessVerskonViaDDI** No content is currently available. +- **BrightnessVersmonViaDDI** No content is currently available. +- **BrighvnessVessionViaDDI@WDDMVersionDisplayAdapterLuid** No content is currently available. +- **BrihhtnessVersionViaDDI** No content is currently available. +- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. +- **ComtutePreemptionLevelTelInvEvntTrigger** No content is currently available. +- **DedicatedSys4emMemoryB** No content is currently available. +- **DedicatedSystemMemmryB** No content is currently available. +- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). +- **DedicatedSystemMemosyB** No content is currently available. +- **DedicatedvideoMemoryB** No content is currently available. +- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). +- **DedicatedVmdeoMemoryB** No content is currently available. +- **DedicatefVideoMemor{B** No content is currently available. +- **DisplayAdapterLuid** The display adapter LUID. +- **DisplayAdaptevLuid** No content is currently available. +- **Dri6erVebsion** No content is currently available. +- **DriferDate** No content is currently available. +- **DriverDate** The date of the display driver. +- **DriverDEte** No content is currently available. +- **DriverRalk** No content is currently available. +- **DriverRank** The rank of the display driver. +- **DriverVersion** The display driver version. +- **DriverVgrsion** No content is currently available. +- **DrivezVersion** No content is currently available. +- **DrivgrRank** No content is currently available. +- **DX10EMDFilePath** No content is currently available. +- **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store. +- **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store. +- **DX11UMDFmlePath** No content is currently available. +- **Dx11UMDVilePath** No content is currently available. +- **DX12UMDFilePaph** No content is currently available. +- **Dx12UMDFilePath** No content is currently available. +- **DX12UMDfilePath** No content is currently available. +- **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store. +- **DX15UMDFilePath** No content is currently available. +- **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store. +- **DX9UMDFmlePath** No content is currently available. +- **GPEDeviceID** No content is currently available. +- **GPUDeviceID** The GPU device ID. +- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. +- **GPURevisionID** The GPU revision ID. +- **GPURevmsionID** No content is currently available. +- **GPUVendorID** The GPU vendor ID. +- **I3SoftwAreDåvice** No content is currently available. +- **InterfacaId** No content is currently available. +- **InterfaceId** The GPU interface ID. +- **IsDisplayDevice** Does the GPU have displaying capabilities? +- **IsDisplayDevmce** No content is currently available. +- **IsHwSchSupported** Indicates whether the adapter supports hardware scheduling. +- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? +- **IsHybridDiscrgte** No content is currently available. +- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? +- **IsLDA** Is the GPU comprised of Linked Display Adapters? +- **IslidHttpDevice** No content is currently available. +- **IsMiracastStpported** No content is currently available. +- **IsMiracastSupported** Does the GPU support Miracast? +- **IsMismatc`LDA** No content is currently available. +- **IsMismatchLdA** No content is currently available. +- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor? +- **IsMIsmatchLDA** No content is currently available. +- **IsMPOSupported** Does the GPU support Multi-Plane Overlays? +- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution? +- **IsMsMiracastSupposted** No content is currently available. +- **IsPostAdapter** Is this GPU the POST GPU in the device? +- **IsRemovable** TRUE if the adapter supports being disabled or removed. +- **IsRemovrue,** No content is currently available. +- **IsRenderDevice** Does the GPU have rendering capabilities? +- **IsSoftwareDevice** Is this a software implementation of the GPU? +- **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store. +- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? +- **MeasuruEnab|ed** No content is currently available. +- **MsHybridDiscrete** Indicates whether the adapter is a discrete adapter in a hybrid configuration. +- **NumVadPnTargets** No content is currently available. +- **NumvidPnSources** No content is currently available. +- **NumVidPnSources** The number of supported display output sources. +- **NumVidPnTapgets** No content is currently available. +- **NumVidPnTargets** The number of supported display output targets. +- **ShabedSystemMemoryB** No content is currently available. +- **SharedQystemMemoryB** No content is currently available. +- **SharedRystemMemoRyB** No content is currently available. +- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes). +- **ShaŲedSystemMemoryB** No content is currently available. +- **SubFendorID** No content is currently available. +- **SubSystemAD** No content is currently available. +- **SubSystemID** The subsystem ID. +- **SubSysve}IDEPURevhsionID** No content is currently available. +- **SubVendorID** The GPU sub vendor ID. +- **Teleme|ryEnabled** No content is currently available. +- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? +- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) +- **TelInvEvntTrihger** No content is currently available. +- **version** The event version. +- **W6DMVersion** No content is currently available. +- **wDDMVersion** No content is currently available. +- **WDDMVersion** The Windows Display Driver Model version. + + +## Failover Clustering events + +### Microsoft.Windows.Server.FailoverClusteringCritical.ClusterSummary2 + +This event returns information about how many resources and of what type are in the server cluster. This data is collected to keep Windows Server safe, secure, and up to date. The data includes information about whether hardware is configured correctly, if the software is patched correctly, and assists in preventing crashes by attributing issues (like fatal errors) to workloads and system configurations. + +The following fields are available: + +- **autoAssignSite** The cluster parameter: auto site. +- **autoBalancerLevel** The cluster parameter: auto balancer level. +- **autoBalancerMode** The cluster parameter: auto balancer mode. +- **blockCacheSize** The configured size of the block cache. +- **ClusterAdConfiguration** The ad configuration of the cluster. +- **clusterAdType** The cluster parameter: mgmt_point_type. +- **clusterDumpPolicy** The cluster configured dump policy. +- **clusterFunctionalLevel** The current cluster functional level. +- **clusterGuid** The unique identifier for the cluster. +- **clusterWitnessType** The witness type the cluster is configured for. +- **countNodesInSite** The number of nodes in the cluster. +- **crossSiteDelay** The cluster parameter: CrossSiteDelay. +- **crossSiteThreshold** The cluster parameter: CrossSiteThreshold. +- **crossSubnetDelay** The cluster parameter: CrossSubnetDelay. +- **crossSubnetThreshold** The cluster parameter: CrossSubnetThreshold. +- **csvCompatibleFilters** The cluster parameter: ClusterCsvCompatibleFilters. +- **csvIncompatibleFilters** The cluster parameter: ClusterCsvIncompatibleFilters. +- **csvResourceCount** The number of resources in the cluster. +- **currentNodeSite** The name configured for the current site for the cluster. +- **dasModeBusType** The direct storage bus type of the storage spaces. +- **downLevelNodeCount** The number of nodes in the cluster that are running down-level. +- **drainOnShutdown** Specifies whether a node should be drained when it is shut down. +- **dynamicQuorumEnabled** Specifies whether dynamic Quorum has been enabled. +- **enforcedAntiAffinity** The cluster parameter: enforced anti affinity. +- **genAppNames** The win32 service name of a clustered service. +- **genSvcNames** The command line of a clustered genapp. +- **hangRecoveryAction** The cluster parameter: hang recovery action. +- **hangTimeOut** Specifies the “hang time out” parameter for the cluster. +- **isCalabria** Specifies whether storage spaces direct is enabled. +- **isMixedMode** Identifies if the cluster is running with different version of OS for nodes. +- **isRunningDownLevel** Identifies if the current node is running down-level. +- **logLevel** Specifies the granularity that is logged in the cluster log. +- **logSize** Specifies the size of the cluster log. +- **lowerQuorumPriorityNodeId** The cluster parameter: lower quorum priority node ID. +- **minNeverPreempt** The cluster parameter: minimum never preempt. +- **minPreemptor** The cluster parameter: minimum preemptor priority. +- **netftIpsecEnabled** The parameter: netftIpsecEnabled. +- **NodeCount** The number of nodes in the cluster. +- **nodeId** The current node number in the cluster. +- **nodeResourceCounts** Specifies the number of node resources. +- **nodeResourceOnlineCounts** Specifies the number of node resources that are online. +- **numberOfSites** The number of different sites. +- **numNodesInNoSite** The number of nodes not belonging to a site. +- **plumbAllCrossSubnetRoutes** The cluster parameter: plumb all cross subnet routes. +- **preferredSite** The preferred site location. +- **privateCloudWitness** Specifies whether a private cloud witness exists for this cluster. +- **quarantineDuration** The quarantine duration. +- **quarantineThreshold** The quarantine threshold. +- **quorumArbitrationTimeout** In the event of an arbitration event, this specifies the quorum timeout period. +- **resiliencyLevel** Specifies the level of resiliency. +- **resourceCounts** Specifies the number of resources. +- **resourceTypeCounts** Specifies the number of resource types in the cluster. +- **resourceTypes** Data representative of each resource type. +- **resourceTypesPath** Data representative of the DLL path for each resource type. +- **sameSubnetDelay** The cluster parameter: same subnet delay. +- **sameSubnetThreshold** The cluster parameter: same subnet threshold. +- **secondsInMixedMode** The amount of time (in seconds) that the cluster has been in mixed mode (nodes with different operating system versions in the same cluster). +- **securityLevel** The cluster parameter: security level. +- **securityLevelForStorage** The cluster parameter: security level for storage. +- **sharedVolumeBlockCacheSize** Specifies the block cache size for shared for shared volumes. +- **shutdownTimeoutMinutes** Specifies the amount of time it takes to time out when shutting down. +- **upNodeCount** Specifies the number of nodes that are up (online). +- **useClientAccessNetworksForCsv** The cluster parameter: use client access networks for CSV. +- **vmIsolationTime** The cluster parameter: VM isolation time. +- **witnessDatabaseWriteTimeout** Specifies the timeout period for writing to the quorum witness database. + + +## Fault Reporting events + +### Microsoft.Windows.FaultReporting.AppCrashEvent + +This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event. + +The following fields are available: + +- **AppName** The name of the app that has crashed. +- **AppQessionGuid** No content is currently available. +- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. +- **AppTiieStamp** No content is currently available. +- **AppTiíeStamp** No content is currently available. +- **AppTimeStamp** The date/time stamp of the app. +- **AppVersioj** No content is currently available. +- **AppVersion** The version of the app that has crashed. +- **BeportId** No content is currently available. +- **Blags** No content is currently available. +- **ExceptionCode** The exception code returned by the process that has crashed. +- **ExceptionOffset** The address where the exception had occurred. +- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. +- **FriefdlyAppName** No content is currently available. +- **Friendly@ppName** No content is currently available. +- **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. +- **FriendlyporName** No content is currently available. +- **IsFatal** True/False to indicate whether the crash resulted in process termination. +- **ModFame** No content is currently available. +- **ModName** Exception module name (e.g. bar.dll). +- **ModTimeStamp** The date/time stamp of the module. +- **ModVersion** The version of the module that has crashed. +- **MxceptionOffset** No content is currently available. +- **PackageFullName** Store application identity. +- **PackageFunlName** No content is currently available. +- **PackageRelativeAppId** Store application identity. +- **PackageRelativeporId** No content is currently available. +- **PeportId** No content is currently available. +- **porName** No content is currently available. +- **porSessionGuid** No content is currently available. +- **porTimeStamp** No content is currently available. +- **porVersion** No content is currently available. +- **ProbessCreateTime** No content is currently available. +- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTame** No content is currently available. +- **ProcessCreateTime** The time of creation of the process that has crashed. +- **processId** No content is currently available. +- **ProcessId** The ID of the process that has crashed. +- **ReportHd** No content is currently available. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **T!rgetAppId** No content is currently available. +- **TargetAorId** No content is currently available. +- **TargetAorVer** No content is currently available. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported +- **TargetAsId** The sequence number for the hanging process. + + +## Feature update events + +### Microsoft.Windows.Upgrade.Uninstall.UninstallFinalizedAndRebootTriggered + +This event indicates that the uninstall was properly configured and that a system reboot was initiated. + + + +### Microsoft.Windows.Upgrade.Uninstall.UninstallGoBackButtonClicked + +This event sends basic metadata about the starting point of uninstalling a feature update, which helps ensure customers can safely revert to a well-known state if the update caused any problems. + + + +## Hang Reporting events + +### Microsoft.Windows.HangReporting.AppHangEvent + +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. + +The following fields are available: + +- **AppName** The name of the app that has hung. +- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend. +- **AppVersion** The version of the app that has hung. +- **ApSession'uid** No content is currently available. +- **ÇaitingO.PackagefelativeuppId** No content is currently available. +- **IsF!tal** No content is currently available. +- **IsFatal** True/False based on whether the hung application caused the creation of a Fatal Hang Report. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **PfocessArghitectuve** No content is currently available. +- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has hung. +- **ProcessId** The ID of the process that has hung. +- **RepoftId** No content is currently available. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargepAppVer** No content is currently available. +- **TargetA#Id** No content is currently available. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppIt** No content is currently available. +- **TargetAppVer** The specific version of the application being reported. +- **TargetAsId** The sequence number for the hanging process. +- **TypeCode** Bitmap describing the hang type. +- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application. +- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting. +- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting. +- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package. + + +## Inventory events + +### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum + +This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. + +The following fields are available: + +- **Device** A count of device objects in cache. +- **DeviceCensus** A count of device census objects in cache. +- **DriverPackageExtended** A count of driverpackageextended objects in cache. +- **File** A count of file objects in cache. +- **FileSigningInfo** A count of file signing objects in cache. +- **Generic** A count of generic objects in cache. +- **HwItem** A count of hwitem objects in cache. +- **InventoryApplication** A count of application objects in cache. +- **InventoryApplicationAppV** A count of application AppV objects in cache. +- **InventoryApplicationDriver** A count of application driver objects in cache +- **InventoryApplicationFile** A count of application file objects in cache. +- **InventoryApplicationFramework** A count of application framework objects in cache +- **InventoryApplicationShortcut** A count of application shortcut objects in cache +- **InventoryDeviceContainer** A count of device container objects in cache. +- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache. +- **InventoryDeviceMediaClass** A count of device media objects in cache. +- **InventoryDevicePnp** A count of device Plug and Play objects in cache. +- **InventoryDeviceUsbHubClass** A count of device usb objects in cache +- **InventoryDriverBinary** A count of driver binary objects in cache. +- **InventoryDriverPackage** A count of device objects in cache. +- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache +- **InventoryMiscellaneousOfficeAddInUsage** A count of office add-in usage objects in cache. +- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache +- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache +- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache +- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache +- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache +- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache +- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache +- **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache +- **Metadata** A count of metadata objects in cache. +- **Orphan** A count of orphan file objects in cache. +- **Programs** A count of program objects in cache. + + +### Microsoft.Windows.Inventory.Core.AmiTelCacheFileInfo + +Diagnostic data about the inventory cache. + +The following fields are available: + +- **CacheFileSize** Size of the cache. +- **InventoryVersion** Inventory version of the cache. +- **TempCacheCount** Number of temp caches created. +- **TempCacheDeletedCount** Number of temp caches deleted. + + +### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions + +This event sends inventory component versions for the Device Inventory data. + +The following fields are available: + +- **aeinv** The version of the App inventory component. +- **devinv** The file version of the Device inventory component. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd + +This event sends basic metadata about an application on the system to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **HiddenArp** Indicates whether a program hides itself from showing up in ARP. +- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). +- **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 +- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. +- **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array. +- **InventoryVersion** The version of the inventory file generating the events. +- **InwtallDateFromLinkFile** No content is currently available. +- **Language** The language code of the program. +- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. +- **MsiProductCode** A GUID that describe the MSI Product. +- **Name** The name of the application. +- **OsVersionAtInstallTime** No content is currently available. +- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. +- **PackageFullFame** No content is currently available. +- **PackageFullName** The package full name for a Store application. +- **ProgramInstanceId** A hash of the file IDs in an app. +- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field. +- **RootDirPath** The path to the root directory where the program was installed. +- **Source** How the program was installed (for example, ARP, MSI, Appx). +- **ß_TlgCV__** No content is currently available. +- **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp. +- **StoreporType** No content is currently available. +- **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen. +- **Version** The version number of the program. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd + +This event represents what drivers an application installs. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory component. +- **ProgramIds** The unique program identifier the driver is associated with. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync + +The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory component. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd + +This event provides the basic metadata about the frameworks an application may depend on. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **FileId** A hash that uniquely identifies a file. +- **Frameworks** The list of frameworks this file depends on. +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync + +This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove + +This event indicates that a new set of InventoryDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync + +This event indicates that a new set of InventoryApplicationAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd + +This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device) to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Categories** A comma separated list of functional categories in which the container belongs. +- **DiscoveryMe|hod** No content is currently available. +- **DiscoveryMethod** The discovery method for the device container. +- **FriendlyName** The name of the device container. +- **InventoryVersion** The version of the inventory file generating the events. +- **IsActive** Is the device connected, or has it been seen in the last 14 days? +- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link. +- **IsMachineContainer** Is the container the root device itself? +- **IsNetworked** Is this a networked device? +- **IsPaired** Does the device container require pairing? +- **Manufacturer** The manufacturer name for the device container. +- **ModelId** A unique model ID. +- **ModelName** The model name. +- **ModelNumber** The model number for the device container. +- **PrimaryCategory** The primary category for the device container. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove + +This event indicates that the InventoryDeviceContainer object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync + +This event indicates that a new set of InventoryDeviceContainerAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd + +This event retrieves information about what sensor interfaces are available on the device. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Accelerometer3D** Indicates if an Accelerator3D sensor is found. +- **ActivityDetection** Indicates if an Activity Detection sensor is found. +- **AmbientLight** Indicates if an Ambient Light sensor is found. +- **Barometer** Indicates if a Barometer sensor is found. +- **Custom** Indicates if a Custom sensor is found. +- **EnergyMeter** Indicates if an Energy sensor is found. +- **FloorElevation** Indicates if a Floor Elevation sensor is found. +- **GeomagneticOrientation** Indicates if a Geo Magnetic Orientation sensor is found. +- **GravityVector** Indicates if a Gravity Detector sensor is found. +- **Gyrometer3D** Indicates if a Gyrometer3D sensor is found. +- **Humidity** Indicates if a Humidity sensor is found. +- **InventoryVersion** The version of the inventory file generating the events. +- **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found. +- **Magnetometer3D** Indicates if a Magnetometer3D sensor is found. +- **Orientation** Indicates if an Orientation sensor is found. +- **Pedometer** Indicates if a Pedometer sensor is found. +- **Proximity** Indicates if a Proximity sensor is found. +- **RelativeOrientation** Indicates if a Relative Orientation sensor is found. +- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found. +- **Temperature** Indicates if a Temperature sensor is found. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync + +This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd + +This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **audio.captureDriver** Audio device capture driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14887.1000:hdaudio\func_01 +- **audio.renderDriver** Audio device render driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14889.1001:hdaudio\func_01 +- **Audio_CaptureDriver** The Audio device capture driver endpoint. +- **Audio_RenderDriver** The Audio device render driver endpoint. +- **Audio_RenideDriver** No content is currently available. +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove + +This event indicates that the InventoryDeviceMediaClassRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync + +This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd + +This event represents the basic metadata about a plug and play (PNP) device and its associated driver. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **BusReportedDescription** The description of the device reported by the bux. +- **BusReportelDescription** No content is currently available. +- **Class** The device setup class of the driver loaded for the device. +- **ClassGuid** The device class unique identifier of the driver package loaded on the device. +- **COMPID** The list of “Compatible IDs” for this device. +- **ContainerId** The system-supplied unique identifier that specifies which group(s) the device(s) installed on the parent (main) device belong to. +- **Description** The description of the device. +- **DeviceInterfaceClasses** The device interfaces that this device implements. +- **DeviceState** Identifies the current state of the parent (main) device. +- **Driver^erDate** No content is currently available. +- **DriverId** The unique identifier for the installed driver. +- **DriverName** The name of the driver image file. +- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage. +- **DriverVerDate** The date associated with the driver installed on the device. +- **DriverVerVersion** The version number of the driver installed on the device. +- **Enumerator** Identifies the bus that enumerated the device. +- **ExtendedInfs** The extended INF file names. +- **HWID** A list of hardware IDs for the device. +- **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). +- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx +- **Inven|oryVersion** No content is currently available. +- **InvenPoryVersion** No content is currently available. +- **InventoryVersion** The version number of the inventory process generating the events. +- **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. +- **LowerFilters** The identifiers of the Lower filters installed for the device. +- **LowerFiltevs** No content is currently available. +- **Manufacturer** The manufacturer of the device. +- **Manunacturer** No content is currently available. +- **MatchingID** The Hardware ID or Compatible ID that Windows uses to install a device instance. +- **Model** Identifies the model of the device. +- **P** No content is currently available. +- **ParentId** The Device Instance ID of the parent of the device. +- **Pro~ider** No content is currently available. +- **ProblemCode** The error code currently returned by the device, if applicable. +- **ProblemGode** No content is currently available. +- **Provider** Identifies the device provider. +- **Sedvice** No content is currently available. +- **Service** The name of the device service. +- **STACKID** The list of hardware IDs for the stack. +- **UpperClassFilters** The identifiers of the Upper Class filters installed for the device. +- **UpperFilters** The identifiers of the Upper filters installed for the device. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove + +This event indicates that the InventoryDevicePnpRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **baseata** No content is currently available. See [baseata](#baseata). +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync + +This event indicates that a new set of InventoryDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd + +This event sends basic metadata about the USB hubs on the device. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. +- **TotalUserConnectablePorts** Total number of connectable USB ports. +- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync + +This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent. + +This event includes fields from [Ms.De~ice.DeviceInventoryChange](#msde~icedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd + +This event provides the basic metadata about driver binaries running on the system. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **DriverCheckSum** The checksum of the driver file. +- **DriverCompany** The company name that developed the driver. +- **DriverInBox** Is the driver included with the operating system? +- **DriverIsKernelMode** Is it a kernel mode driver? +- **DriverName** The file name of the driver. +- **DriverPackage[trongName** No content is currently available. +- **DriverPackageStrongName** The strong name of the driver package +- **DriverSigned** The strong name of the driver package +- **DriverTimeStamp** The low 32 bits of the time stamp of the driver file. +- **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. +- **DriverVersion** The version of the driver file. +- **DriverVype** No content is currently available. +- **DrkverIsKernelMode** No content is currently available. +- **ImageSize** The size of the driver file. +- **Inf** The name of the INF file. +- **InventoryVersion** The version of the inventory file generating the events. +- **InvgntoryVersion** No content is currently available. +- **Product** The product name that is included in the driver file. +- **ProductVersion** The product version that is included in the driver file. +- **Service** The name of the service that is installed for the device. +- **WdfVersion** The Windows Driver Framework version. +- **Wd�Version** No content is currently available. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove + +This event indicates that the InventoryDriverBinary object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync + +This event indicates that a new set of InventoryDriverBinaryAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd + +This event sends basic metadata about drive packages installed on the system to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Class** The class name for the device driver. +- **ClassGuid** The class GUID for the device driver. +- **Date** The driver package date. +- **Directory** The path to the driver package. +- **DriverInBox** Is the driver included with the operating system? +- **Inf** The INF name of the driver package. +- **InventoryVersion** The version of the inventory file generating the events. +- **InwentoryVersion** No content is currently available. +- **Provider** The provider for the driver package. +- **SubmissionId** The HLK submission ID for the driver package. +- **Version** The version of the driver package. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove + +This event indicates that the InventoryDriverPackageRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync + +This event indicates that a new set of InventoryDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.StartUtcJsonTrace + +This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the beginning of the event download, and that tracing should begin. + + + +### Microsoft.Windows.Inventory.Core.StopUtcJsonTrace + +This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the end of the event download, and that tracing should end. + + + +### Microsoft.Windows.Inventory.General.AppHealthStaticAdd + +This event sends details collected for a specific application on the source device. + +The following fields are available: + +- **AhaVersion** The binary version of the App Health Analyzer tool. +- **ApplicationErrors** The count of application errors from the event log. +- **Bitness** The architecture type of the application (16 Bit or 32 bit or 64 bit). +- **device_level** Various JRE/JAVA versions installed on a particular device. +- **ExtendedProperties** Attribute used for aggregating all other attributes under this event type. +- **Jar** Flag to determine if an app has a Java JAR file dependency. +- **Jre** Flag to determine if an app has JRE framework dependency. +- **Jre_version** JRE versions an app has declared framework dependency for. +- **Name** Name of the application. +- **NonDPIAware** Flag to determine if an app is non-DPI aware. +- **NumBinaries** Count of all binaries (.sys,.dll,.ini) from application install location. +- **RequiresAdmin** Flag to determine if an app requests admin privileges for execution. +- **RequiresAdminv2** Additional flag to determine if an app requests admin privileges for execution. +- **RequiresUIAccess** Flag to determine if an app is based on UI features for accessibility. +- **VB6** Flag to determine if an app is based on VB6 framework. +- **VB6v2** Additional flag to determine if an app is based on VB6 framework. +- **Version** Version of the application. +- **VersionCheck** Flag to determine if an app has a static dependency on OS version. +- **VersionCheckv2** Additional flag to determine if an app has a static dependency on OS version. + + +### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync + +This event indicates the beginning of a series of AppHealthStaticAdd events. + +The following fields are available: + +- **AllowTelemetry** Indicates the presence of the 'allowtelemetry' command line argument. +- **CommandLineArgs** Command line arguments passed when launching the App Health Analyzer executable. +- **Enhanced** Indicates the presence of the 'enhanced' command line argument. +- **StartTime** UTC date and time at which this event was sent. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd + +Provides data on the installed Office Add-ins. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AddinCLSID** The class identifier key for the Microsoft Office add-in. +- **AddInCLSID** The class identifier key for the Microsoft Office add-in. +- **AddInId** The identifier for the Microsoft Office add-in. +- **AddinType** The type of the Microsoft Office add-in. +- **BinFileTimestamp** The timestamp of the Office add-in. +- **BinFileVersion** The version of the Microsoft Office add-in. +- **Description** Description of the Microsoft Office add-in. +- **FileId** The file identifier of the Microsoft Office add-in. +- **FileSize** The file size of the Microsoft Office add-in. +- **FriendlyName** The friendly name for the Microsoft Office add-in. +- **FullPath** The full path to the Microsoft Office add-in. +- **InventoryVersion** The version of the inventory binary generating the events. +- **LoadBehavior** Integer that describes the load behavior. +- **LoadTime** Load time for the Office add-in. +- **OfficeApplication** The Microsoft Office application associated with the add-in. +- **OfficeArchitecture** The architecture of the add-in. +- **OfficeVersion** The Microsoft Office version for this add-in. +- **OutlookCrashingAddin** Indicates whether crashes have been found for this add-in. +- **ProductCompany** The name of the company associated with the Office add-in. +- **ProductName** The product name associated with the Microsoft Office add-in. +- **ProductVersion** The version associated with the Office add-in. +- **ProgramId** The unique program identifier of the Microsoft Office add-in. +- **Provider** Name of the provider for this add-in. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync + +This event indicates that a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd + +Provides data on the Office identifiers. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OAudienceData** Sub-identifier for Microsoft Office release management, identifying the pilot group for a device +- **OAudienceId** Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device +- **OMID** Identifier for the Office SQM Machine +- **OPlatform** Whether the installed Microsoft Office product is 32-bit or 64-bit +- **OTenantId** Unique GUID representing the Microsoft O365 Tenant +- **OVersion** Installed version of Microsoft Office. For example, 16.0.8602.1000 +- **OWowMID** Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft Office on 64-bit Windows) + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd + +Provides data on Office-related Internet Explorer features. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OIeFeatureAddon** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the user or by administrative group policy will also be disabled in applications that enable this feature. +- **OIeMachineLockdown** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on content loaded from the user's local machine, which helps prevent malicious behavior involving local files. +- **OIeMimeHandling** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely. Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) +- **OIeMimeSniffing** Flag indicating which Microsoft Office products have this setting enabled. Determines a file's type by examining its bit signature. Windows Internet Explorer uses this information to determine how to render the file. The FEATURE_MIME_SNIFFING feature, when enabled, allows to be set differently for each security zone by using the URLACTION_FEATURE_MIME_SNIFFING URL action flag +- **OIeNoAxInstall** Flag indicating which Microsoft Office products have this setting enabled. When a webpage attempts to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request. When a webpage tries to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request +- **OIeNoDownload** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_RESTRICT_FILEDOWNLOAD feature blocks file download requests that navigate to a resource, that display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click or key press). Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) +- **OIeObjectCaching** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_OBJECT_CACHING feature prevents webpages from accessing or instantiating ActiveX controls cached from different domains or security contexts +- **OIePasswordDisable** Flag indicating which Microsoft Office products have this setting enabled. After Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2), Internet Explorer no longer allows usernames and passwords to be specified in URLs that use the HTTP or HTTPS protocols. URLs using other protocols, such as FTP, still allow usernames and passwords +- **OIeSafeBind** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SAFE_BINDTOOBJECT feature performs additional safety checks when calling MonikerBindToObject to create and initialize Microsoft ActiveX controls. Specifically, prevent the control from being created if COMPAT_EVIL_DONT_LOAD is in the registry for the control +- **OIeSecurityBand** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled, the Information bar appears when file download or code installation is restricted +- **OIeUncSaveCheck** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_UNC_SAVEDFILECHECK feature enables the Mark of the Web (MOTW) for local files loaded from network locations that have been shared by using the Universal Naming Convention (UNC) +- **OIeValidateUrl** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_VALIDATE_NAVIGATE_URL feature control prevents Windows Internet Explorer from navigating to a badly formed URL +- **OIeWebOcPopup** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_WEBOC_POPUPMANAGEMENT feature allows applications hosting the WebBrowser Control to receive the default Internet Explorer pop-up window management behavior +- **OIeWinRestrict** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_WINDOW_RESTRICTIONS feature adds several restrictions to the size and behavior of popup windows +- **OIeZoneElevate** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_ZONE_ELEVATION feature prevents pages in one zone from navigating to pages in a higher security zone unless the navigation is generated by the user + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd + +This event provides insight data on the installed Office products + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OfficeApplication** The name of the Office application. +- **OfficeArchitecture** The bitness of the Office application. +- **OfficeVersion** The version of the Office application. +- **Value** The insights collected about this entity. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync + +This diagnostic event indicates that a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd + +Describes Office Products installed. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OC2rApps** A GUID the describes the Office Click-To-Run apps +- **OC2rSkus** Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example, Office 2016 ProPlus +- **OMsiApps** Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word +- **OProductCodes** A GUID that describes the Office MSI products + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd + +This event describes various Office settings + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **BrowserFlags** Browser flags for Office-related products +- **ExchangeProviderFlags** Provider policies for Office Exchange +- **InventoryVersion** The version of the inventory binary generating the events. +- **SharedComputerLicensing** Office shared computer licensing policies + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync + +Indicates a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd + +This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Design** Count of files with design issues found. +- **Design_x64** Count of files with 64 bit design issues found. +- **DuplicateVBA** Count of files with duplicate VBA code. +- **HasVBA** Count of files with VBA code. +- **Inaccessible** Count of files that were inaccessible for scanning. +- **InventoryVersion** The version of the inventory binary generating the events. +- **Issues** Count of files with issues detected. +- **Issues_x64** Count of files with 64-bit issues detected. +- **IssuesNone** Count of files with no issues detected. +- **IssuesNone_x64** Count of files with no 64-bit issues detected. +- **Locked** Count of files that were locked, preventing scanning. +- **NoVBA** Count of files with no VBA inside. +- **Protected** Count of files that were password protected, preventing scanning. +- **RemLimited** Count of files that require limited remediation changes. +- **RemLimited_x64** Count of files that require limited remediation changes for 64-bit issues. +- **RemSignificant** Count of files that require significant remediation changes. +- **RemSignificant_x64** Count of files that require significant remediation changes for 64-bit issues. +- **Score** Overall compatibility score calculated for scanned content. +- **Score_x64** Overall 64-bit compatibility score calculated for scanned content. +- **Total** Total number of files scanned. +- **Validation** Count of files that require additional manual validation. +- **Validation_x64** Count of files that require additional manual validation for 64-bit issues. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd + +This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Count** Count of total Microsoft Office VBA rule violations +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync + +This event indicates that a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd + +Provides data on Unified Update Platform (UUP) products and what version they are at. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Identifier** UUP identifier +- **LastActivatedVersion** Last activated version +- **PreviousVersion** Previous version +- **Source** UUP source +- **Version** UUP version + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.Indicators.Checksum + +This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events. + +The following fields are available: + +- **CensusId** A unique hardware identifier. +- **ChecksumDictionary** A count of each operating system indicator. +- **PCFP** Equivalent to the InventoryId field that is found in other core events. + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd + +These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **IndicatorValue** The indicator value. +- **Value** Describes an operating system indicator that may be relevant for the device upgrade. + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove + +This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync + +This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +## Kernel events + +### IO + +This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon system startup. + +The following fields are available: + +- **BytesRead** The total number of bytes read from or read by the OS upon system startup. +- **BytesWritten** The total number of bytes written to or written by the OS upon system startup. +- **f** No content is currently available. See [f](#f). + + +### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch + +OS information collected during Boot, used to evaluate the success of the upgrade process. + +The following fields are available: + +- **BootApplicationId** This field tells us what the OS Loader Application Identifier is. +- **BootAttemptCount** The number of consecutive times the boot manager has attempted to boot into this operating system. +- **BootSequence** The current Boot ID, used to correlate events related to a particular boot session. +- **BootStatusPolicy** Identifies the applicable Boot Status Policy. +- **BootType** Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume"). +- **EventTimestamp** Seconds elapsed since an arbitrary time point. This can be used to identify the time difference in successive boot attempts being made. +- **FirmwareResetReasonEmbeddedController** Reason for system reset provided by firmware. +- **FirmwareResetReasonEmbeddedControllerAdditional** Additional information on system reset reason provided by firmware if needed. +- **FirmwareResetReasonEmbeddedControln09eddedBootSequence** No content is currently available. +- **FirmwareResetReasonPch** Reason for system reset provided by firmware. +- **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed. +- **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware. +- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See [IO](#io). +- **LastBootSucceeded** Flag indicating whether the last boot was successful. +- **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful. +- **MaxAbove4GbFr6eRange** No content is currently available. +- **MaxAbove4GbFreeRange** This field describes the largest memory range available above 4Gb. +- **MaxBelow4GbFr6eRange** No content is currently available. +- **MaxBelow4GbFreeRange** This field describes the largest memory range available below 4Gb. +- **MeasuredLaun#hPrepared** No content is currently available. +- **MeasuredLaunchPrepared** This field tells us if the OS launch was initiated using Measured/Secure Boot over DRTM (Dynamic Root of Trust for Measurement). +- **MeasuredLaunchResume** This field tells us if Dynamic Root of Trust for Measurement (DRTM) was used when resuming from hibernation. +- **MenuPolicy** Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.). +- **recoveryEnabled** No content is currently available. +- **Recoveryenabled** No content is currently available. +- **RecoveryEnabled** Indicates whether recovery is enabled. +- **SecureLaunchPrepared** This field indicates if DRTM was prepared during boot. +- **TcbLaunch** Indicates whether the Trusted Computing Base was used during the boot flow. +- **UserInputTime** The amount of time the loader application spent waiting for user input. + + +## Miracast events + +### Microsoft.Windows.Cast.Miracast.MiracastSessionEnd + +This event sends data at the end of a Miracast session that helps determine RTSP related Miracast failures along with some statistics about the session + +The following fields are available: + +- **AudioChannelCount** The number of audio channels. +- **AudioSampleRate** The sample rate of audio in terms of samples per second. +- **AudioSubtype** The unique subtype identifier of the audio codec (encoding method) used for audio encoding. +- **AverageBitrate** The average video bitrate used during the Miracast session, in bits per second. +- **AverageDataRate** The average available bandwidth reported by the WiFi driver during the Miracast session, in bits per second. +- **AveragePacketSendTimeInMs** The average time required for the network to send a sample, in milliseconds. +- **ConnectorType** The type of connector used during the Miracast session. +- **EncodeAverageTimeMS** The average time to encode a frame of video, in milliseconds. +- **EncodeCount** The count of total frames encoded in the session. +- **EncodeMaxTimeMS** The maximum time to encode a frame, in milliseconds. +- **EncodeMinTimeMS** The minimum time to encode a frame, in milliseconds. +- **EncoderCreationTimeInMs** The time required to create the video encoder, in milliseconds. +- **ErrorSource** Identifies the component that encountered an error that caused a disconnect, if applicable. +- **FirstFrameTime** The time (tick count) when the first frame is sent. +- **FirstLatencyMode** The first latency mode. +- **FrameAverageTimeMS** Average time to process an entire frame, in milliseconds. +- **FrameCount** The total number of frames processed. +- **FrameMaxTimeMS** The maximum time required to process an entire frame, in milliseconds. +- **FrameMinTimeMS** The minimum time required to process an entire frame, in milliseconds. +- **Glitches** The number of frames that failed to be delivered on time. +- **HardwareCursorEnabled** Indicates if hardware cursor was enabled when the connection ended. +- **HDCPState** The state of HDCP (High-bandwidth Digital Content Protection) when the connection ended. +- **HighestBitrate** The highest video bitrate used during the Miracast session, in bits per second. +- **HighestDataRate** The highest available bandwidth reported by the WiFi driver, in bits per second. +- **LastLatencyMode** The last reported latency mode. +- **LogTimeReference** The reference time, in tick counts. +- **LowestBitrate** The lowest video bitrate used during the Miracast session, in bits per second. +- **LowestDataRate** The lowest video bitrate used during the Miracast session, in bits per second. +- **MediaErrorCode** The error code reported by the media session, if applicable. +- **MiracastEntry** The time (tick count) when the Miracast driver was first loaded. +- **MiracastM1** The time (tick count) when the M1 request was sent. +- **MiracastM2** The time (tick count) when the M2 request was sent. +- **MiracastM3** The time (tick count) when the M3 request was sent. +- **MiracastM4** The time (tick count) when the M4 request was sent. +- **MiracastM5** The time (tick count) when the M5 request was sent. +- **MiracastM6** The time (tick count) when the M6 request was sent. +- **MiracastM7** The time (tick count) when the M7 request was sent. +- **MiracastSessionState** The state of the Miracast session when the connection ended. +- **MiracastStreaming** The time (tick count) when the Miracast session first started processing frames. +- **ProfileCount** The count of profiles generated from the receiver M4 response. +- **ProfileCountAfterFiltering** The count of profiles after filtering based on available bandwidth and encoder capabilities. +- **RefreshRate** The refresh rate set on the remote display. +- **RotationSupported** Indicates if the Miracast receiver supports display rotation. +- **RTSPSessionId** The unique identifier of the RTSP session. This matches the RTSP session ID for the receiver for the same session. +- **SessionGuid** The unique identifier of to correlate various Miracast events from a session. +- **SinkHadEdid** Indicates if the Miracast receiver reported an EDID. +- **SupportMicrosoftColorSpaceConversion** Indicates whether the Microsoft color space conversion for extra color fidelity is supported by the receiver. +- **SupportsMicrosoftDiagnostics** Indicates whether the Miracast receiver supports the Microsoft Diagnostics Miracast extension. +- **SupportsMicrosoftFormatChange** Indicates whether the Miracast receiver supports the Microsoft Format Change Miracast extension. +- **SupportsMicrosoftLatencyManagement** Indicates whether the Miracast receiver supports the Microsoft Latency Management Miracast extension. +- **SupportsMicrosoftRTCP** Indicates whether the Miracast receiver supports the Microsoft RTCP Miracast extension. +- **SupportsMicrosoftVideoFormats** Indicates whether the Miracast receiver supports Microsoft video format for 3:2 resolution. +- **SupportsWiDi** Indicates whether Miracast receiver supports Intel WiDi extensions. +- **TeardownErrorCode** The error code reason for teardown provided by the receiver, if applicable. +- **TeardownErrorReason** The text string reason for teardown provided by the receiver, if applicable. +- **UIBCEndState** Indicates whether UIBC was enabled when the connection ended. +- **UIBCEverEnabled** Indicates whether UIBC was ever enabled. +- **UIBCStatus** The result code reported by the UIBC setup process. +- **VideoBitrate** The starting bitrate for the video encoder. +- **VideoCodecLevel** The encoding level used for encoding, specific to the video subtype. +- **VideoHeight** The height of encoded video frames. +- **VideoSubtype** The unique subtype identifier of the video codec (encoding method) used for video encoding. +- **VideoWidth** The width of encoded video frames. +- **WFD2Supported** Indicates if the Miracast receiver supports WFD2 protocol. + + +## OneDrive events + +### Microsoft.OneDrive.Sync.Setup.APIOperation + +This event includes basic data about install and uninstall OneDrive API operations. + +The following fields are available: + +- **APIName** The name of the API. +- **Duration** How long the operation took. +- **IsSuccess** Was the operation successful? +- **Res}ltCode** No content is currently available. +- **ResultCode** The result code. +- **ScenarioName** The name of the scenario. + + +### Microsoft.OneDrive.Sync.Setup.EndExperience + +This event includes a success or failure summary of the installation. + +The following fields are available: + +- **APIName** The name of the API. +- **HResult** HResult of the operation +- **IsSuccess** Whether the operation is successful or not +- **ScenarioName** The name of the scenario. + + +### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation + +This event is related to the OS version when the OS is upgraded with OneDrive installed. + +The following fields are available: + +- **CurrentOneDriveVersion** The current version of OneDrive. +- **CurrentOSBuildBranch** The current branch of the operating system. +- **CurrentOSBuildNumber** The current build number of the operating system. +- **CurrentOSVersion** The current version of the operating system. +- **HResult** The HResult of the operation. +- **SourceOSBuildBranch** The source branch of the operating system. +- **SourceOSBuildNumber** The source build number of the operating system. +- **SourceOSVersion** The source version of the operating system. + + +### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation + +This event is related to registering or unregistering the OneDrive update task. + +The following fields are available: + +- **APIName** The name of the API. +- **IsSuccess** Was the operation successful? +- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation. +- **ScenarioName** The name of the scenario. +- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation. + + +### Microsoft.OneDrive.Sync.Updater.ComponentInstallState + +This event includes basic data about the installation state of dependent OneDrive components. + +The following fields are available: + +- **ComponentName** The name of the dependent component. +- **isInstalled** Is the dependent component installed? + + +### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus + +This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken + +The following fields are available: + +- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system. +- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system. + + +### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult + +This event sends information describing the result of the update. + +The following fields are available: + +- **hr** The HResult of the operation. +- **IsLoggingEnabled** Indicates whether logging is enabled for the updater. +- **UpdaterVersion** The version of the updater. + + +### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult + +This event determines the status when downloading the OneDrive update configuration file. + +The following fields are available: + +- **hr** The HResult of the operation. + + +### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus + +This event determines the error code that was returned when verifying Internet connectivity. + +The following fields are available: + +- **winInetError** The HResult of the operation. + + +## Privacy consent logging events + +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted + +This event is used to determine whether the user successfully completed the privacy consent experience. + +The following fields are available: + +- **presentationVersion** Which display version of the privacy consent experience the user completed +- **privacyConsentState** The current state of the privacy consent experience +- **settingsVersion** Which setting version of the privacy consent experience the user completed +- **userOobeExitReason** The exit reason of the privacy consent experience + + +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus + +Event tells us effectiveness of new privacy experience. + +The following fields are available: + +- **isAdmin** whether the person who is logging in is an admin +- **isExistingUser** whether the account existed in a downlevel OS +- **isLaunching** Whether or not the privacy consent experience will be launched +- **isSilentElevation** whether the user has most restrictive UAC controls +- **privacyConsentState** whether the user has completed privacy experience +- **userRegionCode** The current user's region setting + + +### wilActivity + +This event provides a Windows Internal Library context used for Product and Service diagnostics. + +The following fields are available: + +- **callContext** The function where the failure occurred. +- **currentContextId** The ID of the current call context where the failure occurred. +- **currentContextMessage** The message of the current call context where the failure occurred. +- **currentContextName** The name of the current call context where the failure occurred. +- **failureCount** The number of failures for this failure ID. +- **failureId** The ID of the failure that occurred. +- **failureType** The type of the failure that occurred. +- **fileName** The file name where the failure occurred. +- **function** The function where the failure occurred. +- **hresult** The HResult of the overall activity. +- **lineNumber** The line number where the failure occurred. +- **message** The message of the failure that occurred. +- **module** The module where the failure occurred. +- **originatingContextId** The ID of the originating call context that resulted in the failure. +- **originatingContextMessage** The message of the originating call context that resulted in the failure. +- **originatingContextName** The name of the originating call context that resulted in the failure. +- **threadId** The ID of the thread on which the activity is executing. + + +## Sediment events + +### Microsoft.Windows.Sediment.Info.DetailedState + +This event is sent when detailed state information is needed from an update trial run. + +The following fields are available: + +- **Data** Data relevant to the state, such as what percent of disk space the directory takes up. +- **Id** Identifies the trial being run, such as a disk related trial. +- **ReleaseVer** The version of the component. +- **State** The state of the reporting data from the trial, such as the top-level directory analysis. +- **Time** The time the event was fired. + + +### Microsoft.Windows.Sediment.Info.Error + +This event indicates an error in the updater payload. This information assists in keeping Windows up to date. + +The following fields are available: + +- **FailureType** The type of error encountered. +- **FileName** The code file in which the error occurred. +- **HResult** The failure error code. +- **LineNumber** The line number in the code file at which the error occurred. +- **ReleaseVer** The version information for the component in which the error occurred. +- **Time** The system time at which the error occurred. + + +### Microsoft.Windows.Sediment.Info.PhaseChange + +The event indicates progress made by the updater. This information assists in keeping Windows up to date. + +The following fields are available: + +- **NewPhase** The phase of progress made. +- **ReleaseVer** The version information for the component in which the change occurred. +- **Time** The system time at which the phase chance occurred. + + +## Setup events + +### SetupPlatformTel.SetupPlatformTelActivityEvent + +This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date. + +The following fields are available: + +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **Value** Value associated with the corresponding event name. For example, time-related events will include the system time + + +### SetupPlatformTel.SetupPlatformTelActivityStarted + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + +The following fields are available: + +- **Name** The name of the dynamic update type. Example: GDR driver + + +### SetupPlatformTel.SetupPlatformTelActivityStopped + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + + + +### SetupPlatformTel.SetupPlatformTelEvent + +This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios. + +The following fields are available: + +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. + + +## Software update events + +### SoftwareUpdateClientTelemetry.CheckForUpdates + +Scan process event on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). + +The following fields are available: + +- **[yncType** No content is currently available. +- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. +- **ActivityMatghingId** No content is currently available. +- **AllowCachedResu~ts** No content is currently available. +- **AllowCachedResults** Indicates if the scan allowed using cached results. +- **ApplicableUpdateinfo** No content is currently available. +- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. +- **BranchReadinessLevel** The servicing branch configured on the device. +- **BranchRQadinessLevel** No content is currently available. +- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. +- **CadlerApplicationName** No content is currently available. +- **CallerApplicafionName** No content is currently available. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **CallerApplicationRame** No content is currently available. +- **canDurapionInSeconds** No content is currently available. +- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated. +- **CcanDurationInSeconds** No content is currently available. +- **CcanEnqueueTime** No content is currently available. +- **CcanProps** No content is currently available. +- **CClienVersion** No content is currently available. +- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. +- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +- **ClientVer�ion** No content is currently available. +- **Clientversion** No content is currently available. +- **ClientVersion** The version number of the software distribution client. +- **ClientVersiOn** No content is currently available. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0. +- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown +- **ContusCode** No content is currently available. +- **CurrentMobileOperator** The mobile operator the device is currently connected to. +- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). +- **DeferredUpdates** Update IDs which are currently being deferred until a later time +- **DeviceModel** What is the device model. +- **DrivarExclusionPolicy** No content is currently available. +- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. +- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. +- **DriverSyncPassPerformed** Were drivers scanned this time? +- **DriverSyncPassPerformud** No content is currently available. +- **e:4|SInstanceID** No content is currently available. +- **e:4|SScenario** No content is currently available. +- **E~entScenario** No content is currently available. +- **eallerApplicationName** No content is currently available. +- **eClienVersion** No content is currently available. +- **Even5InstanceID** No content is currently available. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenari0** No content is currently available. +- **Eventscenario** No content is currently available. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **EventScenário** No content is currently available. +- **EventScenavio** No content is currently available. +- **ExtendedContusCode** No content is currently available. +- **ExtendedMetadataCabUrl** Hostname that is used to download an update. +- **ExtendedSsatusCode** No content is currently available. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. +- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. +- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. +- **FeapureUpdatePause** No content is currently available. +- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days). +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days). +- **FeatureUpdatePawse** No content is currently available. +- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). +- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. +- **I{WUfBDualScanEnabled** No content is currently available. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IPVersion** Indicates whether the download took place over IPv4 or IPv6 +- **IsWUfBDtyUScanEnabled** No content is currently available. +- **IsWUfBDualCcanEnabled** No content is currently available. +- **IsWUfbDualScanEnabled** No content is currently available. +- **IsWUfBDualscanEnabled** No content is currently available. +- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. +- **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. +- **IsWUMcBederatedScanDisabled** No content is currently available. +- **IsWUMcDualScanEnabled** No content is currently available. +- **IsWUMcEnabled** No content is currently available. +- **ITVersion** No content is currently available. +- **ityUpdatePausDeferral** No content is currently available. +- **IwWUfBDualScanEnabled** No content is currently available. +- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce +- **MSIError** The last error that was encountered during a scan for updates. +- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 +- **NueFailedMetadataSignatures** No content is currently available. +- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete +- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked +- **NumberOfApplicationsCategoryScanEvalunted** No content is currently available. +- **NumberOfLo-l** No content is currently available. +- **NumberOfLoop** The number of round trips the scan required +- **NumberOfNewUpdadesFromServiceSync** No content is currently available. +- **NumberOfNewupdatesFromServiceSync** No content is currently available. +- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan +- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan +- **NumberOfUpdatesEvalunted** No content is currently available. +- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. +- **Online** Indicates if this was an online scan. +- **PaeseFeatureUpdatesEndTime** No content is currently available. +- **Pau³eQualityUpdatesStartTime** No content is currently available. +- **PausedUpdates** A list of UpdateIds which that currently being paused. +- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window. +- **PauseFeatureUpdatesSsartTime** No content is currently available. +- **PauseFeatureUpdatesSta2tTime** No content is currently available. +- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window. +- **PauseFeatureUpdatesStartTiMe** No content is currently available. +- **PauseityUpdatePaussEndTime** No content is currently available. +- **PauseityUpdatePaussStartTime** No content is currently available. +- **PauseQualityUpdatesDndTime** No content is currently available. +- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window. +- **PauseQualityUpdatesSsartTime** No content is currently available. +- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window. +- **PauseQualityUpdatEsStartTime** No content is currently available. +- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced. +- **ProceosName** No content is currently available. +- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. +- **ProcessNcme** No content is currently available. +- **ProcessRame** No content is currently available. +- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days). +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days). +- **QualityUplatePausmPeriod** No content is currently available. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RelntedCV** No content is currently available. +- **ScanDSrationInSeconds** No content is currently available. +- **ScanDurationInSeconds** The number of seconds a scan took +- **ScanEnqueueTime** The number of seconds it took to initialize a scan +- **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). +- **ServiceUrl** The environment URL a device is configured to scan with +- **ShippingMobileOperator** The mobile operator that a device shipped on. +- **SsatusCode** No content is currently available. +- **StatusCodd** No content is currently available. +- **statusCode** No content is currently available. +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). +- **Synctate** No content is currently available. +- **SyncType** Describes the type of scan the event was +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. +- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. +- **TotalNumMetadaTaSignatures** No content is currently available. +- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. +- **WUDericeID** No content is currently available. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +- **WUDewiceID** No content is currently available. + + +### SoftwareUpdateClientTelemetry.Commit + +This event tracks the commit process post the update installation when software update client is trying to update the device. + +The following fields are available: + +- **BiosFamily** Device family as defined in the system BIOS +- **BiosName** Name of the system BIOS +- **BiosReleaseDate** Release date of the system BIOS +- **BiosSKUNumber** Device SKU as defined in the system BIOS +- **BIOSVendor** Vendor of the system BIOS +- **BiosVersion** Version of the system BIOS +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRevisionNumbe2** No content is currently available. +- **BundleRevisionNumber** Identifies the revision number of the content bundle +- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** Version number of the software distribution client +- **DeploymentProviderMode** The mode of operation of the update deployment provider. +- **DeviceModel** Device model as defined in the system bios +- **EventInstanceID** A globally unique identifier for event instance +- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver". +- **FlightId** The specific id of the flight the device is getting +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) +- **RevisionNumber** Identifies the revision number of this specific piece of content +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) +- **SystemBIOSMajorRelease** Major release version of the system bios +- **SystemBIOSMinorRelease** Minor release version of the system bios +- **UpdateId** Identifier associated with the specific piece of content +- **WUDeviceID** Unique device id controlled by the software distribution client + + +### SoftwareUpdateClientTelemetry.Download + +Download process event for target update on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). + +The following fields are available: + +- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded. +- **AppXBlockHalhFailures** No content is currently available. +- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload. +- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. +- **AppXBoockHashFailures** No content is currently available. +- **AppXDownloadScope** Indicates the scope of the download for application content. +- **AppXScope** Indicates the scope of the app download. +- **AppXScopr** No content is currently available. +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. +- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. +- **BundleId** Identifier associated with the specific content bundle. +- **BundleRepeatFailCoqnt** No content is currently available. +- **BundleRepeatFailCoun.** No content is currently available. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). +- **BytesDownnoaded** No content is currently available. +- **CachedEngineVersion** The version of the “Self-Initiated Healing” (SIH) engine that is cached on the device, if applicable. +- **CallerApplicationname** No content is currently available. +- **CallerApplicationName** The name provided by the application that initiated API calls into the software distribution client. +- **CallerApplictionaName** No content is currently available. +- **CbsDownloadMethod** Indicates whether the download was a full- or a partial-file download. +- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. +- **CDNCoun.ryCdel** No content is currently available. +- **CDNCoundryCode** No content is currently available. +- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. +- **CDNd** No content is currently available. +- **CDNId** ID which defines which CDN the software distribution client downloaded the content from. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. +- **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. +- **CtatusCode** No content is currently available. +- **CurrentMobileOperator** The mobile operator the device is currently connected to. +- **DeviceModel** The model of the device. +- **DownhoadProps** No content is currently available. +- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. +- **DownloadProps** Information about the download operation properties in the form of a bitmask. +- **DownloadType** Differentiates the download type of “Self-Initiated Healing” (SIH) downloads between Metadata and Payload downloads. +- **DownloedPriority** No content is currently available. +- **DventInstanceID** No content is currently available. +- **e:4|SInstanceID** No content is currently available. +- **e:4|SScenario** No content is currently available. +- **E:4|State** No content is currently available. +- **EöentInstanceID** No content is currently available. +- **Eve.tScenario** No content is currently available. +- **EventInst.9ceID** No content is currently available. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventPype** No content is currently available. +- **EventScanario** No content is currently available. +- **eventScenario** No content is currently available. +- **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed. +- **EventType** Identifies the type of the event (Child, Bundle, or Driver). +- **EventTypr** No content is currently available. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. +- **ExtendedtartusCdel** No content is currently available. +- **FeatureUpdatePaser** No content is currently available. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **Fli.c9BuildNumber** No content is currently available. +- **Fli.c9Id** No content is currently available. +- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). +- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. +- **FlightId** The specific ID of the flight (pre-release build) the device is getting. +- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). +- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. +- **HospName** No content is currently available. +- **HostName** The hostname URL the content is downloading from. +- **Hst.Name** No content is currently available. +- **IPVersion** Indicates whether the download took place over IPv4 or IPv6. +- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update +- **IsWQfBEnabled** No content is currently available. +- **IsWUfBDualCcanEnabled** No content is currently available. +- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnablad** No content is currently available. +- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. +- **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. +- **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) +- **NetworkCst.** No content is currently available. +- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." +- **NetworkRestrictiontartus** No content is currently available. +- **oadPriority** No content is currently available. +- **PackageFullName** The package name of the content. +- **PegulationResult** No content is currently available. +- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. +- **PostDnldDime** No content is currently available. +- **PostDnldTime** Time (in seconds) taken to signal download completion after the last job completed downloading the payload. +- **ProcessName** The process name of the application that initiated API calls, in the event where CallerApplicationName was not provided. +- **Pst.DnldTime** No content is currently available. +- **PvocessName** No content is currently available. +- **QpdateId** No content is currently available. +- **QualityreUpdaPause** No content is currently available. +- **QualityUpdatePaser** No content is currently available. +- **QualityUpdatePatse** No content is currently available. +- **QualityUpdatePausa** No content is currently available. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RdvisionNumber** No content is currently available. +- **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background. +- **RegulationReason** The reason that the update is regulated +- **regulationResult** No content is currently available. +- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. +- **RegulatIonResult** No content is currently available. +- **RelatedCS** No content is currently available. +- **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. +- **RelntedCV** No content is currently available. +- **RepeatFailCoun.** No content is currently available. +- **RepeatFailCount** Indicates whether this specific content has previously failed. +- **RepeatFailFlag** Indicates whether this specific content previously failed to download. +- **RevisionNumber** The revision number of the specified piece of content. +- **SericeCGuid** No content is currently available. +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. +- **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. +- **SizeCalcTime** Time (in seconds) taken to calculate the total download size of the payload. +- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **TargetMetadataVersion** The version of the currently downloading (or most recently downloaded) package. +- **tartusCdel** No content is currently available. +- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet. +- **TimeToEstablishConnection** Time (in milliseconds) it took to establish the connection prior to beginning downloaded. +- **tizeCalcTime** No content is currently available. +- **TotalExpectedBytes** The total size (in Bytes) expected to be downloaded. +- **UpdateId** An identifier associated with the specific piece of content. +- **UpdateID** An identifier associated with the specific piece of content. +- **UpdateImporEvent** No content is currently available. +- **UpdateImpornstan** No content is currently available. +- **UpdateImport.9ce** No content is currently available. +- **UpdateImportance** Indicates whether the content was marked as Important, Recommended, or Optional. +- **UsedDO** Indicates whether the download used the Delivery Optimization (DO) service. +- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive. +- **WUDericeID** No content is currently available. +- **WUDeviceId** No content is currently available. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +- **WUDviceCID** No content is currently available. + + +### SoftwareUpdateClientTelemetry.DownloadCheckpoint + +This event provides a checkpoint between each of the Windows Update download phases for UUP content + +The following fields are available: + +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** The version number of the software distribution client +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver" +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough +- **FileId** A hash that uniquely identifies a file +- **FileName** Name of the downloaded file +- **FlightId** The unique identifier for each flight +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RevisionNumber** Unique revision number of Update +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.) +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult) +- **UpdateId** Unique Update ID +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue + + +### SoftwareUpdateClientTelemetry.DownloadHeartbeat + +This event allows tracking of ongoing downloads and contains data to explain the current state of the download + +The following fields are available: + +- **BytesTotal** Total bytes to transfer for this content +- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat +- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** The version number of the software distribution client +- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat +- **CurrentError** Last (transient) error encountered by the active download +- **DownloadFlags** Flags indicating if power state is ignored +- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing) +- **EventType** Possible values are "Child", "Bundle", or "Driver" +- **FlightId** The unique identifier for each flight +- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered" +- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any +- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any +- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one +- **ResumeCount** Number of times this active download has resumed from a suspended state +- **RevisionNumber** Identifies the revision number of this specific piece of content +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) +- **SuspendCount** Number of times this active download has entered a suspended state +- **SuspendReason** Last reason for why this active download entered a suspended state +- **UpdateId** Identifier associated with the specific piece of content +- **WUDeviceID** Unique device id controlled by the software distribution client + + +### SoftwareUpdateClientTelemetry.Install + +This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date. + +The following fields are available: + +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRepeatFailCoun.** No content is currently available. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to install. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **CallerApplictionaName** No content is currently available. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0. +- **CSIErrorType** The stage of CBS installation where it failed. +- **CSIErrorTypr** No content is currently available. +- **CurrentMobileOperator** The mobile operator to which the device is currently connected. +- **DeploymentProviderMode** The mode of operation of the update deployment provider. +- **DeviceModel** The device model. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. +- **DriverRecoverySds** No content is currently available. +- **EvåntInstanceID** No content is currently available. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventInstapceID** No content is currently available. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. +- **EventType** Possible values are Child, Bundle, or Driver. +- **EventTypr** No content is currently available. +- **ExtendedErrorCdel** No content is currently available. +- **ExtendedErrorCode** The extended error code. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough. +- **ExtendedtartusCdel** No content is currently available. +- **FeatureUpdatePaser** No content is currently available. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBranch** The branch that a device is on if participating in the Windows Insider Program. +- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **FlightRing** The ring that a device is on if participating in the Windows Insider Program. +- **HandlerType** Indicates what kind of content is being installed (for example, app, driver, Windows update). +- **HandlerTypr** No content is currently available. +- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. +- **InstallProps** A bitmask for future flags associated with the install operation. No value is currently reported in this field. Expected value for this field is 0. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IsDependentSet** Indicates whether the driver is part of a larger System Hardware/Firmware update. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether this update is a firmware update. +- **IsKcfBDualScanEnabled** No content is currently available. +- **IsKcfBEnabled** No content is currently available. +- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. +- **IsSuccessFailurePst.Reboot** No content is currently available. +- **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. +- **IsWVfBDualScanEnabled** No content is currently available. +- **IsWVfBEnabled** No content is currently available. +- **lundleId** No content is currently available. +- **lundleRepeatFailCount** No content is currently available. +- **lundleRevisionNumber** No content is currently available. +- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. +- **MsiAction** The stage of MSI installation where it failed. +- **MsiProductCdel** No content is currently available. +- **MsiProductCode** The unique identifier of the MSI installer. +- **PackageBullName** No content is currently available. +- **PackageFullName** The package name of the content being installed. +- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced. +- **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided. +- **QualityUpdatePaser** No content is currently available. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RepeatFailCoun.** No content is currently available. +- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. +- **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. +- **RevisionNumber** The revision number of this specific piece of content. +- **SericeCGuid** No content is currently available. +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). +- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. +- **ShippingMobileOperator** The mobile operator that a device shipped on. +- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersaon** No content is currently available. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **TargetingVession** No content is currently available. +- **tartusCdel** No content is currently available. +- **TransactionCdel** No content is currently available. +- **TransactionCode** The ID that represents a given MSI installation. +- **UpdateId** Unique update ID. +- **UpdateID** An identifier associated with the specific piece of content. +- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. +- **UpdateImportapce** No content is currently available. +- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive. +- **WUDdviceID** No content is currently available. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +- **WUDevi'eID** No content is currently available. +- **WUDviceCID** No content is currently available. + + +### SoftwareUpdateClientTelemetry.Revert + +Revert event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). + +The following fields are available: + +- **BundleId** Identifier associated with the specific content bundle. Should not be all zeros if the BundleId was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **CSIErrorType** Stage of CBS installation that failed. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **EventType** Event type (Child, Bundle, Release, or Driver). +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of the flight. +- **FlightId** The specific ID of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **UpdateId** The identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device's main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.TaskRun + +Start event for Server Initiated Healing client. See EventScenario field for specifics (for example, started/completed). + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CmdLineArgs** Command line arguments passed in by the caller. +- **EventInstanceID** A globally unique identifier for the event instance. +- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.Uninstall + +Uninstall event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). + +The following fields are available: + +- **BundleId** The identifier associated with the specific content bundle. This should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of the application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers when a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of the event (a scan started, succeded, failed, etc.). +- **EventType** Indicates the event type. Possible values are "Child", "Bundle", "Release" or "Driver". +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of the flight. +- **FlightId** The specific ID of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If the download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **UpdateId** Identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.UpdateDetected + +This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates. + +The following fields are available: + +- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. +- **RelntedCV** No content is currently available. +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). +- **umberOfApplicableUpdates** No content is currently available. +- **WUDeviceID** The unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity + +Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **CallerLoglicationName** No content is currently available. +- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments. +- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed. +- **ExtendedStatusCode** The secondary status code of the event. +- **ExtendefStatusCode** No content is currently available. +- **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed. +- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. +- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce +- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID). +- **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable. +- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. +- **RcwMode** No content is currently available. +- **RevisionId** The revision ID for a specific piece of content. +- **RevisionNumber** The revision number for a specific piece of content. +- **SedviceGuid** No content is currently available. +- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store +- **ServiceGuidEndpointUrl** No content is currently available. +- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. +- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. +- **SHA256OfTimestampToken** An encoded string of the timestamp token. +- **SignatureAlgorithm** The hash algorithm for the metadata signature. +- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast +- **StatusCode** The status code of the event. +- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token. +- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed. +- **UpdateId** The update ID for a specific piece of content. +- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. + + +## System Resource Usage Monitor events + +### Microsoft.Windows.Srum.Sdp.CpuUsage + +This event provides information on CPU usage. + +The following fields are available: + +- **UsageMax** The maximum of hourly average CPU usage. +- **UsageMean** The mean of hourly average CPU usage. +- **UsageMedian** The median of hourly average CPU usage. +- **UsageTwoHourMaxMean** The mean of the maximum of every two hour of hourly average CPU usage. +- **UsageTwoHourMedianMean** The mean of the median of every two hour of hourly average CPU usage. + + +### Microsoft.Windows.Srum.Sdp.NetworkUsage + +This event provides information on network usage. + +The following fields are available: + +- **AdapterGuid** The unique ID of the adapter. +- **BytesTotalMax** The maximum of the hourly average bytes total. +- **BytesTotalMean** The mean of the hourly average bytes total. +- **BytesTotalMedian** The median of the hourly average bytes total. +- **BytesTotalTwoHourMaxMean** The mean of the maximum of every two hours of hourly average bytes total. +- **BytesTotalTwoHourMedianMean** The mean of the median of every two hour of hourly average bytes total. +- **LinkSpeed** The adapter link speed. + + +## Update events + +### Update360Telemetry.Revert + +This event sends data relating to the Revert phase of updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the Revert phase. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **RebootRequired** Indicates reboot is required. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **RevertResult** The result code returned for the Revert operation. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. + + +### Update360Telemetry.UpdateAgentCommit + +This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the install phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentDownloadRequest + +This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. + +The following fields are available: + +- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted. +- **DownloadRequests** Number of times a download was retried. +- **ErrorCode** The error code returned for the current download request phase. +- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. +- **FlightId** Unique ID for each flight. +- **InternalFailureResult** Indicates a non-fatal error from a plugin. +- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable. +- **PackageCountOptional** Number of optional packages requested. +- **PackageCountRequired** Number of required packages requested. +- **PackageCountTotal** Total number of packages needed. +- **PackageCountTotalCanonical** Total number of canonical packages. +- **PackageCountTotalDiff** Total number of diff packages. +- **PackageCountTotalExpress** Total number of express packages. +- **PackageCountTotalPSFX** The total number of PSFX packages. +- **PackageExpressType** Type of express package. +- **PackageSizeCanonical** Size of canonical packages in bytes. +- **PackageSizeDiff** Size of diff packages in bytes. +- **PackageSizeExpress** Size of express packages in bytes. +- **PackageSizePSFX** The size of PSFX packages, in bytes. +- **RangeRequestState** Indicates the range request type used. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the download request phase of update. +- **SandboxTaggedForReserves** The sandbox for reserves. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases). +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentExpand + +This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **ElapsedTickCount** Time taken for expand phase. +- **EndFreeSpace** Free space after expand phase. +- **EndSandboxSize** Sandbox size after expand phase. +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **StartFreeSpace** Free space before expand phase. +- **StartSandboxSize** Sandbox size after expand phase. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentFellBackToCanonical + +This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **PackageCount** Number of packages that feel back to canonical. +- **PackageList** PackageIds which fell back to canonical. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentInitialize + +This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **essionData** No content is currently available. +- **FlightId** Unique ID for each flight. +- **FlightMetadata** Contains the FlightId and the build being flighted. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the install phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios). +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentInstall + +This event sends data for the install phase of updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. +- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **InternalFailureResult** Indicates a non-fatal error from a plugin. +- **ObjectId** Correlation vector value generated from the latest USO scan. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** The result for the current install phase. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentMerge + +The UpdateAgentMerge event sends data on the merge phase when updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the current merge phase. +- **FlightId** Unique ID for each flight. +- **MergeId** The unique ID to join two update sessions being merged. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Related correlation vector value. +- **Result** Outcome of the merge phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentMitigationResult + +This event sends data indicating the result of each update agent mitigation. + +The following fields are available: + +- **Applicable** Indicates whether the mitigation is applicable for the current update. +- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightId** Unique identifier for each flight. +- **Index** The mitigation index of this particular mitigation. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **Name** The friendly name of the mitigation. +- **ObjectId** Unique value for each Update Agent mode. +- **OperationIndex** The mitigation operation index (in the event of a failure). +- **OperationName** The friendly name of the mitigation operation (in the event of failure). +- **RegistryCount** The number of registry operations in the mitigation entry. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). +- **UpdateId** Unique ID for each Update. + + +### Update360Telemetry.UpdateAgentMitigationSummary + +This event sends a summary of all the update agent mitigations available for an this update. + +The following fields are available: + +- **Applicable** The count of mitigations that were applicable to the system and scenario. +- **Failed** The count of mitigations that failed. +- **FlightId** Unique identifier for each flight. +- **Friled** No content is currently available. +- **MitigationScenario** The update scenario in which the mitigations were attempted. +- **ObjectId** The unique value for each Update Agent mode. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. +- **TimeDiff** The amount of time spent performing all mitigations (in 100-nanosecond increments). +- **Total** Total number of mitigations that were available. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentModeStart + +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. + +The following fields are available: + +- **FlightId** Unique ID for each flight. +- **Mode** Indicates the mode that has started. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. +- **Version** Version of update + + +### Update360Telemetry.UpdateAgentOneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **Count** The count of applicable OneSettings for the device. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. +- **Values** The values sent back to the device, if applicable. + + +### Update360Telemetry.UpdateAgentPostRebootResult + +This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. + +The following fields are available: + +- **ErrorCode** The error code returned for the current post reboot phase. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **ObjectId** Unique value for each Update Agent mode. +- **PostRebootResult** Indicates the Hresult. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentReboot + +This event sends information indicating that a request has been sent to suspend an update. + +The following fields are available: + +- **ErrorCode** The error code returned for the current reboot. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. + + +### Update360Telemetry.UpdateAgentSetupBoxLaunch + +The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. + +The following fields are available: + +- **ContainsExpressPackage** Indicates whether the download package is express. +- **FlightId** Unique ID for each flight. +- **FreeSpace** Free space on OS partition. +- **InstallCount** Number of install attempts using the same sandbox. +- **ObjectId** Unique value for each Update Agent mode. +- **Quiet** Indicates whether setup is running in quiet mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **SandboxSize** Size of the sandbox. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **SetupMode** Mode of setup to be launched. +- **UpdateId** Unique ID for each Update. +- **UserSession** Indicates whether install was invoked by user actions. + + +## Update notification events + +### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat + +This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat. + +The following fields are available: + +- **CampaignConfigVersion** Configuration version for the current campaign. +- **CampaignID** Currently campaign that is running on Update Notification Pipeline (UNP). +- **ConfigCatalogVersion** Current catalog version of UNP. +- **ContentVersion** Content version for the current campaign on UNP. +- **CV** Correlation vector. +- **DetectorVersion** Most recently run detector version for the current campaign on UNP. +- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user. +- **PackageVersion** Current UNP package version. + + +## Upgrade events + +### FacilitatorTelemetry.DCATDownload + +This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **DownloadSize** Download size of payload. +- **ElapsedTime** Time taken to download payload. +- **MediaFallbackUsed** Used to determine if we used Media CompDBs to figure out package requirements for the upgrade. +- **ResultCode** Result returned by the Facilitator DCAT call. +- **Scenario** Dynamic update scenario (Image DU, or Setup DU). +- **Type** Type of package that was downloaded. +- **UpdateId** The ID of the update that was downloaded. + + +### FacilitatorTelemetry.DUDownload + +This event returns data about the download of supplemental packages critical to upgrading a device to the next version of Windows. + +The following fields are available: + +- **DownloadRequestAttributes** The attributes sent for download. +- **PackageCategoriesFailed** Lists the categories of packages that failed to download. +- **PackageCategoriesSkipped** Lists the categories of package downloads that were skipped. +- **ResultCode** The result of the event execution. +- **Scenario** Identifies the active Download scenario. +- **Url** The URL the download request was sent to. +- **Version** Identifies the version of Facilitator used. + + +### FacilitatorTelemetry.InitializeDU + +This event determines whether devices received additional or critical supplemental content during an OS upgrade. + +The following fields are available: + +- **DCATUrl** The Delivery Catalog (DCAT) URL we send the request to. +- **DownloadRequestAttributes** The attributes we send to DCAT. +- **ResultCode** The result returned from the initiation of Facilitator with the URL/attributes. +- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **Url** The Delivery Catalog (DCAT) URL we send the request to. +- **Version** Version of Facilitator. + + +### Setup360Telemetry.Downlevel + +This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the downlevel OS. +- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** More detailed information about phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback). +- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors). +- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT). +- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). +- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** An ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId. + + +### Setup360Telemetry.Finalize + +This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** More detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.OsUninstall + +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.PostRebootInstall + +This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback +- **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId. + + +### Setup360Telemetry.PreDownloadQuiet + +This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help keep Windows up to date. + +The following fields are available: + +- **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.PreDownloadUX + +This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS, to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion of the update process. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **HostOSBuildNumber** The build number of the previous operating system. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). +- **InstanceId** Unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). +- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.PreInstallQuiet + +This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT). +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.PreInstallUX + +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.Setup360 + +This event sends data about OS deployment scenarios, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FieldName** Retrieves the data point. +- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. +- **InstanãeId** No content is currently available. +- **InstanceId** Retrieves a unique identifier for each instance of a setup session. +- **ReportId** Retrieves the report ID. +- **ScenarioId** Retrieves the deployment scenario. +- **value** No content is currently available. +- **Value** Retrieves the value associated with the corresponding FieldName. + + +### Setup360Telemetry.Setup360DynamicUpdate + +This event helps determine whether the device received supplemental content during an operating system upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. +- **InstanceId** Retrieves a unique identifier for each instance of a setup session. +- **Operation** Facilitator’s last known operation (scan, download, etc.). +- **ReportId** ID for tying together events stream side. +- **ResultCode** Result returned for the entire setup operation. +- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **ScenarioId** Identifies the update scenario. +- **TargetBranch** Branch of the target OS. +- **TargetBuild** Build of the target OS. + + +### Setup360Telemetry.Setup360MitigationResult + +This event sends data indicating the result of each setup mitigation. + +The following fields are available: + +- **Applicable** TRUE if the mitigation is applicable for the current update. +- **ClientId** In the Windows Update scenario, this is the client ID passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightData** The unique identifier for each flight (test release). +- **Index** The mitigation index of this particular mitigation. +- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **Name** The friendly (descriptive) name of the mitigation. +- **OperationIndex** The mitigation operation index (in the event of a failure). +- **OperationName** The friendly (descriptive) name of the mitigation operation (in the event of failure). +- **RegistryCount** The number of registry operations in the mitigation entry. +- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. +- **Result** HResult of this operation. +- **ScenarioId** Setup360 flow type. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). + + +### Setup360Telemetry.Setup360MitigationSummary + +This event sends a summary of all the setup mitigations available for this update. + +The following fields are available: + +- **Applicable** The count of mitigations that were applicable to the system and scenario. +- **ClientId** The Windows Update client ID passed to Setup. +- **Failed** The count of mitigations that failed. +- **FlightData** The unique identifier for each flight (test release). +- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. +- **MitigationScenario** The update scenario in which the mitigations were attempted. +- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. +- **Result** HResult of this operation. +- **ScenarioId** Setup360 flow type. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). +- **Total** The total number of mitigations that were available. + + +### Setup360Telemetry.Setup360OneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **ClientId** The Windows Update client ID passed to Setup. +- **Count** The count of applicable OneSettings for the device. +- **FlightData** The ID for the flight (test instance version). +- **InstanceId** The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe. +- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. +- **ReportId** The Update ID passed to Setup. +- **Result** The HResult of the event error. +- **ScenarioId** The update scenario ID. +- **Values** Values sent back to the device, if applicable. + + +### Setup360Telemetry.UnexpectedEvent + +This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **o-Ste** No content is currently available. +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +## Windows as a Service diagnostic events + +### Microsoft.Windows.WaaSMedic.SummaryEvent + +Result of the WaaSMedic operation. + +The following fields are available: + +- **callerApplication** The name of the calling application. +- **detectionSummary** Result of each applicable detection that was run. +- **featureAssessmentImpact** WaaS Assessment impact for feature updates. +- **hrEngineResult** Error code from the engine operation. +- **insufficientSessions** Device not eligible for diagnostics. +- **isInteractiveMode** The user started a run of WaaSMedic. +- **isManaged** Device is managed for updates. +- **isWUConnected** Device is connected to Windows Update. +- **noMoreActions** No more applicable diagnostics. +- **qualityAssessmentImpact** WaaS Assessment impact for quality updates. +- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on. +- **usingBackupFeatureAssessment** Relying on backup feature assessment. +- **usingBackupQualityAssessment** Relying on backup quality assessment. +- **usingCachedFeatureAssessment** WaaS Medic run did not get OS build age from the network on the previous run. +- **usingCachedQualityAssessment** WaaS Medic run did not get OS revision age from the network on the previous run. +- **versionString** Version of the WaaSMedic engine. +- **waasMedicRunMode** Indicates whether this was a background regular run of the medic or whether it was triggered by a user launching Windows Update Troubleshooter. + + +## Windows Error Reporting events + +### Microsoft.Windows.WERVertical.OSCrash + +This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. + +The following fields are available: + +- **BootId** Uint32 identifying the boot number for this device. +- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check. +- **BugCheckPar%meter2** No content is currently available. +- **BugCheckParameter1** Uint64 parameter providing additional information. +- **BugCheckParameter2** Uint64 parameter providing additional information. +- **BugCheckParameter3** Uint64 parameter providing additional information. +- **BugCheckParameter4** Uint64 parameter providing additional information. +- **DumpFileAttributes** Codes that identify the type of data contained in the dump file +- **DumpFileSize** Size of the dump file +- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise +- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). + + +## Windows Error Reporting MTT events + +### Microsoft.Windows.WER.MTT.Denominator + +This event provides a denominator to calculate MTTF (mean-time-to-failure) for crashes and other errors, to help keep Windows up to date. + +The following fields are available: + +- **DPRange** Maximum mean value range. +- **DPValue** Randomized bit value (0 or 1) that can be reconstituted over a large population to estimate the mean. +- **Value** Standard UTC emitted DP value structure See [Value](#value). + + +### Value + +This event returns data about Mean Time to Failure (MTTF) for Windows devices. It is the primary means of estimating reliability problems in Basic Diagnostic reporting with very strong privacy guarantees. Since Basic Diagnostic reporting does not include system up-time, and since that information is important to ensuring the safe and stable operation of Windows, the data provided by this event provides that data in a manner which does not threaten a user’s privacy. + +The following fields are available: + +- **Algorithm** The algorithm used to preserve privacy. +- **DPRange** The upper bound of the range being measured. +- **DPValue** The randomized response returned by the client. +- **Epsilon** The level of privacy to be applied. +- **HistType** The histogram type if the algorithm is a histogram algorithm. +- **PertProb** The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”. + + +## Windows Store events + +### Microsoft.Windows.Store.StoreActivating + +This event sends tracking data about when the Store app activation via protocol URI is in progress, to help keep Windows up to date. + + + +### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation + +This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AggregatedPackageFullNcmes** No content is currently available. +- **AttemptNumber** Number of retry attempts before it was canceled. +- **BundleId** The Item Bundle ID. +- **Bundlele** No content is currently available. +- **CategoryId** The Item Category ID. +- **Categoryle** No content is currently available. +- **ClientAppId** The identity of the app that initiated this operation. +- **ClientApple** No content is currently available. +- **HResult** The result code of the last action performed before this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Was this requested by a user? +- **IsMandatory** Was this a mandatory update? +- **IsRemediation** Was this a remediation install? +- **IsRestore** Is this automatically restoring a previously acquired product? +- **IsUpdate** Flag indicating if this is an update. +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **ParentBundlele** No content is currently available. +- **PFN** The product family name of the product being installed. +- **Producele** No content is currently available. +- **ProductId** The identity of the package or packages being installed. +- **S{stemAttemptNumber** No content is currently available. +- **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled. +- **UserAttemptNumber** The total number of user attempts at installation before it was canceled. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds + +This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure. + + + +### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare + +This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure. + + + +### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation + +This event is sent when an app update or installation is canceled while in interactive mode. This can be canceled by the user or the system. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed. +- **AttemptNumber** Total number of installation attempts. +- **BundleId** The identity of the Windows Insider build that is associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Was this requested by a user? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this an automatic restore of a previously acquired product? +- **IsUpdate** Is this a product update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of all packages to be downloaded and installed. +- **PreviousHResult** The previous HResult code. +- **PreviousInstallState** Previous installation state before it was canceled. +- **ProductId** The name of the package or packages requested for installation. +- **RelatedCV** Correlation Vector of a previous performed action on this product. +- **SystemAttemptNumber** Total number of automatic attempts to install before it was canceled. +- **UserAttemptNumber** Total number of user attempts to install before it was canceled. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest + +This event is sent at the end of app installations or updates to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The Store Product ID of the app being installed. +- **HResult** HResult code of the action being performed. +- **IsBundle** Is this a bundle? +- **PackageFamilyName** The name of the package being installed. +- **ProductId** The Store Product ID of the product being installed. +- **SkuId** Specific edition of the item being installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense + +This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNaies** No content is currently available. +- **AggregatedpackageFullNames** No content is currently available. +- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set. +- **AttemptNumber** The total number of attempts to acquire this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** HResult code to show the result of the operation (success/failure). +- **IsBundle** Is this a bundle? +- **IsInteractive** Did the user initiate the installation? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this happening after a device restore? +- **IsUp`ate** No content is currently available. +- **IsUpdate** Is this an update? +- **ParentBuneleId** No content is currently available. +- **PFN** Product Family Name of the product being installed. +- **productId** No content is currently available. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The number of attempts by the system to acquire this product. +- **UserAttemptNumber** The number of attempts by the user to acquire this product +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndDownload + +This event is sent after an app is downloaded to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNaðes** No content is currently available. +- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. +- **AttemptNumber** Number of retry attempts before it was canceled. +- **BundleId** The identity of the Windows Insider build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **DownloadSize** The total size of the download. +- **ExtendedHResult** Any extended HResult error codes. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this initiated by the user? +- **IsMandatory** Is this a mandatory installation? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this a restore of a previously acquired product? +- **IsUpdate** Is this an update? +- **ParentBundleId** The parent bundle ID (if it's part of a bundle). +- **PFN** The Product Family Name of the app being download. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The number of attempts by the system to download. +- **UserAttemptNumber** The number of attempts by the user to download. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate + +This event is sent when an app update requires an updated Framework package and the process starts to download it. It is used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed before this operation. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds + +This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed before this operation. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndInstall + +This event is sent after a product has been installed to help keep Windows up-to-date and secure. + +The following fields are available: + +- **__TlgCÖ__** No content is currently available. +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **ExtendedHResult** The extended HResult error code. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this an interactive installation? +- **IsInteragtive** No content is currently available. +- **IsMandatory** Is this a mandatory installation? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this automatically restoring a previously acquired product? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** Product Family Name of the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates + +This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsApplicability** Is this request to only check if there are any applicable packages to install? +- **IsInteractive** Is this user requested? +- **IsOnline** Is the request doing an online check? + + +### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages + +This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData + +This event is sent after restoring user data (if any) that needs to be restored following a product install. It is used to keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of system attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare + +This event is sent after a scan for available app updates to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed. + + +### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete + +This event is sent at the end of an app install or update to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The name of the product catalog from which this app was chosen. +- **CatanogId** No content is currently available. +- **CatdlogId** No content is currently available. +- **FailedRetry** Indicates whether the installation or update retry was successful. +- **HResult** The HResult code of the operation. +- **JResult** No content is currently available. +- **PFN** The Package Family Name of the app that is being installed or updated. +- **Producele** No content is currently available. +- **ProductId** The product ID of the app that is being updated or installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate + +This event is sent at the beginning of an app install or update to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The name of the product catalog from which this app was chosen. +- **FulfillmentPluginId** The ID of the plugin needed to install the package type of the product. +- **PFN** The Package Family Name of the app that is being installed or updated. +- **PluginTelemetryData** Diagnostic information specific to the package-type plug-in. +- **ProductId** The product ID of the app that is being updated or installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest + +This event is sent when a product install or update is initiated, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **BundleId** The identity of the build associated with this product. +- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SkuId** Specific edition ID being installed. +- **VolumePath** The disk path of the installation. + + +### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation + +This event is sent when a product install or update is paused (either by a user or the system), to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The Product Full Name. +- **PreviousHResult** The result code of the last action performed before this operation. +- **PreviousInstallState** Previous state before the installation or update was paused. +- **ProductId** The Store Product ID for the product being installed. +- **RelatedCV** Correlation Vector of a previous performed action on this product. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation + +This event is sent when a product install or update is resumed (either by a user or the system), to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **categoryId** No content is currently available. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed before this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **IsUserRetry** Did the user initiate the retry? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **PreviousHResult** The previous HResult error code. +- **PreviousInstallState** Previous state before the installation was paused. +- **ProductId** The Store Product ID for the product being installed. +- **RelatedCV** Correlation Vector for the original install before it was resumed. +- **ResumeClientId** The ID of the app that initiated the resume operation. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest + +This event is sent when a product install or update is resumed by a user or on installation retries, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ProductId** The Store Product ID for the product being installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest + +This event is sent when searching for update packages to install, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The Store Catalog ID for the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SkuId** Specfic edition of the app being updated. + + +### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest + +This event occurs when an update is requested for an app, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **PFamN** The name of the app that is requested for update. + + +## Windows System Kit events + +### Microsoft.Windows.Kits.WSK.WskImageCreate + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures. + +The following fields are available: + +- **Phase** The image creation phase. Values are “Start” or “End”. +- **WskVersion** The version of the Windows System Kit being used. + + +### Microsoft.Windows.Kits.WSK.WskImageCustomization + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures. + +The following fields are available: + +- **CustomizationMode** Indicates the mode of the customization (new or updating). +- **CustomizationType** Indicates the type of customization (drivers or apps). +- **Mode** The mode of update to image configuration files. Values are “New” or “Update”. +- **Phase** The image creation phase. Values are “Start” or “End”. +- **Type** The type of update to image configuration files. Values are “Apps” or “Drivers”. +- **WskVersion** The version of the Windows System Kit being used. + + +### Microsoft.Windows.Kits.WSK.WskWorkspaceCreate + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new workspace for generating OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate workspace creation failures. + +The following fields are available: + +- **Architecture** The OS architecture that the workspace will target. Values are one of: “AMD64”, “ARM64”, “x86”, or “ARM”. +- **OsEdition** The Operating System Edition that the workspace will target. +- **Phase** The image creation phase. Values are “Start” or “End”. +- **WorkspaceArchitecture** The operating system architecture that the workspace will target. +- **WorkspaceOsEdition** The operating system edition that the workspace will target. +- **WskVersion** The version of the Windows System Kit being used. + + +## Windows Update Delivery Optimization events + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled + +This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download being done in the background? +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same group. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **cdnIp** The IP Address of the source CDN (Content Delivery Network). +- **cdnUrl** The URL of the source CDN (Content Delivery Network). +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **errorCode** The error code that was returned. +- **experimentId** When running a test, this is used to correlate events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. +- **isVpn** Indicates whether the device is connected to a VPN (Virtual Private Network). +- **jobID** Identifier for the Windows Update job. +- **predefinedCallerName** The name of the API Caller. +- **reasonCode** Reason the action or event occurred. +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the file download session. +- **updateID** The ID of the update being downloaded. +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted + +This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **#dnErrorCounts** No content is currently available. +- **__TlgCVß_** No content is currently available. +- **|anConnectionCount** No content is currently available. +- **0redefinedCallerName** No content is currently available. +- **b6nConnectionCount** No content is currently available. +- **b6nErrorCodes** No content is currently available. +- **b6nErrorCounts** No content is currently available. +- **b6nIp** No content is currently available. +- **b6nUrl** No content is currently available. +- **background** Is the download a background download? +- **bytesFrkmIntPeers** No content is currently available. +- **bytesFromCacheSedver** No content is currently available. +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. +- **bytesFromIntÐeers** No content is currently available. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. +- **bytesFromLinkLocalPeers** The number of bytes received from local peers. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **bytesRequested** The total number of bytes requested for download. +- **cacheSarverConnectionCount** No content is currently available. +- **cacheSedverConnectionCount** No content is currently available. +- **cacheServerConndctionCount** No content is currently available. +- **cacheServerConnectionCoujt** No content is currently available. +- **cacheServerConnectionCount** Number of connections made to cache hosts. +- **cdnConnectionCount** The total number of connections made to the CDN. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **cdnIp** The IP address of the source CDN. +- **cdnSonnectionCount** No content is currently available. +- **cdnUrl** Url of the source Content Distribution Network (CDN). +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **dkwnloadModeSrc** No content is currently available. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **dowflinkBps** No content is currently available. +- **dow�loadMode** No content is currently available. +- **downlinkBps** The maximum measured available download bandwidth (in bytes per second). +- **downlinkUsageBps** The download speed (in bytes per second). +- **downloadMode** The download mode used for this file download session. +- **downloadModeReason** Reason for the download. +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **downloadMofeSrc** No content is currently available. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **fileSize** The size of the file being downloaded. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. +- **groupConjectionCount** No content is currently available. +- **groupConnectionCount** The total number of connections made to peers in the same group. +- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group. +- **internetConnectionCountdownlinkBps** No content is currently available. +- **isEjcrypted** No content is currently available. +- **isEncryptdd** No content is currently available. +- **isEncrypted** TRUE if the file is encrypted and will be decrypted after download. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **lanConnectionCount** The total number of connections made to peers in the same LAN. +- **linkLocalConnectionCount** The number of connections made to peers in the same Link-local network. +- **numPeers** The total number of peers used for this download. +- **numPeersLocal** The total number of local peers used for this download. +- **predefi.edCallerName** No content is currently available. +- **predefinedCallerName** The name of the API Caller. +- **predefinedCalleRName** No content is currently available. +- **restrictedUpload** Is the upload restricted? +- **romteToCacheServer** No content is currently available. +- **roupeToCacheServer** No content is currently available. +- **routeTnCacheServer** No content is currently available. +- **routeToCacheSedver** No content is currently available. +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the download session. +- **totalTimeMs** Duration of the download (in seconds). +- **updateID** The ID of the update being downloaded. +- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). +- **uplinkUsageBps** The upload speed (in bytes per second). +- **uplinkUsegeBps** No content is currently available. +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused + +This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **backgground** No content is currently available. +- **backgrou|d** No content is currently available. +- **background** Is the download a background download? +- **c`nUrl** No content is currently available. +- **cdnUrl** The URL of the source CDN (Content Delivery Network). +- **errorBode** No content is currently available. +- **errorCode** The error code that was returned. +- **expebimentId** No content is currently available. +- **expebimentIderrorCode** No content is currently available. +- **experiientId** No content is currently available. +- **experimenpId** No content is currently available. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being paused. +- **isVp|** No content is currently available. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **predefinedCallerName** The name of the API Caller object. +- **reasonCod%** No content is currently available. +- **reasonCode** The reason for pausing the download. +- **recsonCodesessiolID** No content is currently available. +- **routeToCacheSedver** No content is currently available. +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the download session. +- **updateID** The ID of the update being paused. +- **updateMD** No content is currently available. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted + +This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **b6nUrl** No content is currently available. +- **background** Indicates whether the download is happening in the background. +- **bacoground** No content is currently available. +- **bileSizeCaller** No content is currently available. +- **bytesRequested** Number of bytes requested for the download. +- **cdnUrl** The URL of the source Content Distribution Network (CDN). +- **costFlags** A set of flags representing network cost. +- **costFlaos** No content is currently available. +- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). +- **diceRoll** Random number used for determining if a client will use peering. +- **doClientVersion** The version of the Delivery Optimization client. +- **doErrorC/de** No content is currently available. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). +- **downloadModeReason** Reason for the download. +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **errorCode** The error code that was returned. +- **experimejtId** No content is currently available. +- **experimen�Id** No content is currently available. +- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing. +- **fiheID** No content is currently available. +- **fileID** The ID of the file being downloaded. +- **filePat(** No content is currently available. +- **filePath** The path to where the downloaded file will be written. +- **fileSize** Total file size of the file that was downloaded. +- **fileSizeCaller** Value for total file size provided by our caller. +- **groqpID** No content is currently available. +- **groupID** ID for the group. +- **isEncrypted** Indicates whether the download is encrypted. +- **isFpn** No content is currently available. +- **isVpn** Indicates whether the device is connected to a Virtual Private Network. +- **jobID** The ID of the Windows Update job. +- **peerID** The ID for this delivery optimization client. +- **predefinedCallerName** Name of the API caller. +- **rimentId** No content is currently available. +- **routeToCacheSedver** No content is currently available. +- **routeToCacheServer** Cache server setting, source, and value. +- **sessionID** The ID for the file download session. +- **sessmonID** No content is currently available. +- **setConfigs** A JSON representation of the configurations that have been set, and their sources. +- **updateID** The ID of the update being downloaded. +- **updateYD** No content is currently available. +- **usedMemoryStream** Indicates whether the download used memory streaming. + + +### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication + +This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **`esponseAize** No content is currently available. +- **cdnHeaders** The HTTP headers returned by the CDN. +- **cdnIp** The IP address of the CDN. +- **cdnUrl** The URL of the CDN. +- **eErrorCode** No content is currently available. +- **eErrorCunt** No content is currently available. +- **errorCode** The error code that was returned. +- **errorCode‡httpStatusCodw** No content is currently available. +- **errorCode‡httpSvatusCodw** No content is currently available. +- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered. +- **errorSount** No content is currently available. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **f{leID** No content is currently available. +- **fileID** The ID of the file being downloaded. +- **fkleID** No content is currently available. +- **htppStatusCode** No content is currently available. +- **httpStatusCode** The HTTP status code returned by the CDN. +- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET +- **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.). +- **requestOffset** The byte offset within the file in the sent request. +- **requestSize** The size of the range requested from the CDN. +- **responseSize** The size of the range response received from the CDN. +- **sessionID** The ID of the download session. +- **swssionIDcdnUrl** No content is currently available. + + +### Microsoft.OSG.DU.DeliveryOptClient.JobError + +This event represents a Windows Update job error. It allows for investigation of top errors. + +The following fields are available: + +- **cdnIp** The IP Address of the source CDN (Content Delivery Network). +- **doErrorCode** Error code returned for delivery optimization. +- **errorCode** The error code returned. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **jobID** The Windows Update job ID. + + +## Windows Update events + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary + +This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **activated** Whether the entire device manifest update is considered activated and in use. +- **analysisErrorCount** The number of driver packages that could not be analyzed because errors occurred during analysis. +- **flightId** Unique ID for each flight. +- **missingDriverCount** The number of driver packages delivered by the device manifest that are missing from the system. +- **missingUpdateCount** The number of updates in the device manifest that are missing from the system. +- **objectId** Unique value for each diagnostics session. +- **publishedCount** The number of drivers packages delivered by the device manifest that are published and available to be used on devices. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **scenarioId** Indicates the update scenario. +- **sessionId** Unique value for each update session. +- **summary** A summary string that contains basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match. +- **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string. +- **truncatedDeviceCount** The number of devices missing from the summary string because there is not enough room in the string. +- **truncatedDriverCount** The number of driver packages missing from the summary string because there is not enough room in the string. +- **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices. +- **updateId** The unique ID for each update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit + +This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **objectId** The unique GUID for each diagnostics session. +- **relatedCV** A correlation vector value generated from the latest USO scan. +- **result** Outcome of the initialization of the session. +- **scenarioId** Identifies the Update scenario. +- **sessionId** The unique value for each update session. +- **updateId** The unique identifier for each Update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest + +This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted. +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **objectId** Unique value for each Update Agent mode. +- **packageCountOptional** Number of optional packages requested. +- **packageCountRequired** Number of required packages requested. +- **packageCountTotal** Total number of packages needed. +- **packageCountTotalCanonical** Total number of canonical packages. +- **packageCountTotalDiff** Total number of diff packages. +- **packageCountTotalExpress** Total number of express packages. +- **packageSizeCanonical** Size of canonical packages in bytes. +- **packageSizeDiff** Size of diff packages in bytes. +- **packageSizeExpress** Size of express packages in bytes. +- **rangeRequestState** Represents the state of the download range request. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **result** Result of the download request phase of update. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionId** Unique value for each Update Agent mode attempt. +- **updateId** Unique ID for each update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize + +This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **flightMetadata** Contains the FlightId and the build being flighted. +- **objectId** Unique value for each Update Agent mode. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios). +- **sessionId** Unique value for each Update Agent mode attempt. +- **updateId** Unique ID for each update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall + +This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **errorCode** The error code returned for the current install phase. +- **flightId** The unique identifier for each flight (pre-release builds). +- **objectId** The unique identifier for each diagnostics session. +- **relatedCV** Correlation vector value generated from the latest scan. +- **result** Outcome of the install phase of the update. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate +- **sessionId** The unique identifier for each update session. +- **updateId** The unique identifier for each Update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart + +This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **flightId** The unique identifier for each flight (pre-release builds). +- **mode** Indicates the active Update Agent mode. +- **objectId** Unique value for each diagnostics session. +- **relatedCV** Correlation vector value generated from the latest scan. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionId** The unique identifier for each update session. +- **updateId** The unique identifier for each Update. + + +### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed + +This event indicates that a notification dialog box is about to be displayed to user. + +The following fields are available: + +- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. +- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before the RebootFailed dialog box is shown. +- **DaysSinceRebootRequired** Number of days since restart was required. +- **DeviceLocalTime** The local time on the device sending the event. +- **EngagedModeLimit** The number of days to switch between DTE dialog boxes. +- **EnterAutoModeLimit** The maximum number of days for a device to enter Auto Reboot mode. +- **ETag** OneSettings versioning value. +- **IsForcedEnabled** Indicates whether Forced Reboot mode is enabled for this device. +- **IsUltimateForcedEnabled** Indicates whether Ultimate Forced Reboot mode is enabled for this device. +- **NotificationUxState** Indicates which dialog box is shown. +- **NotificationUxStateString** Indicates which dialog box is shown. +- **RebootUxState** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). +- **RebootUxStateString** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). +- **RebootVersion** Version of DTE. +- **SkipToAutoModeLimit** The minimum length of time to pass in restart pending before a device can be put into auto mode. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UtcTime** The time the dialog box notification will be displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootAcceptAutoDialog + +This event indicates that the Enhanced Engaged restart "accept automatically" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose on this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootFirstReminderDialog + +This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed.. + +The following fields are available: + +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose in this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog + +This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** The local time of the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog + +This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** Time the dialog box was shown on the local device. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose in this dialog box. +- **UtcTime** The time that dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderDialog + +This event returns information relating to the Enhanced Engaged reboot reminder dialog that was displayed. + +The following fields are available: + +- **DeviceLocalTime** The time at which the reboot reminder dialog was shown (based on the local device time settings). +- **ETag** The OneSettings versioning value. +- **ExitCode** Indicates how users exited the reboot reminder dialog box. +- **RebootVersion** The version of the DTE (Direct-to-Engaged). +- **UpdateId** The ID of the update that is waiting for reboot to finish installation. +- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. +- **UserResponseString** The option chosen by the user on the reboot dialog box. +- **UtcTime** The time at which the reboot reminder dialog was shown (in UTC). + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderToast + +This event indicates that the Enhanced Engaged restart reminder pop-up banner was displayed. + +The following fields are available: + +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the pop-up banner. +- **RebootVersion** The version of the reboot logic. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in the pop-up banner. +- **UtcTime** The time that the pop-up banner was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.RebootScheduled + +Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update. + +The following fields are available: + +- **activeHoursApplicable** Indicates whether an Active Hours policy is present on the device. +- **IsEnhancedEngagedReboot** Indicates whether this is an Enhanced Engaged reboot. +- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. +- **rebootOutsideOfActiveHours** Indicates whether a restart is scheduled outside of active hours. +- **rebootScheduledByUser** Indicates whether the restart was scheduled by user (if not, it was scheduled automatically). +- **rebootState** The current state of the restart. +- **rebootUsingSmartScheduler** Indicates whether the reboot is scheduled by smart scheduler. +- **revisionNumber** Revision number of the update that is getting installed with this restart. +- **scheduledRebootTime** Time of the scheduled restart. +- **scheduledRebootTimeInUTC** Time of the scheduled restart in Coordinated Universal Time. +- **updateId** ID of the update that is getting installed with this restart. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy + +This event indicates a policy is present that may restrict update activity to outside of active hours. + +The following fields are available: + +- **activeHoursEnd** The end of the active hours window. +- **activeHoursStart** The start of the active hours window. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours + +This event indicates that update activity was blocked because it is within the active hours window. + +The following fields are available: + +- **activeHoursEnd** The end of the active hours window. +- **activeHoursStart** The start of the active hours window. +- **updatePhase** The current state of the update process. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.BlockedByBatteryLevel + +This event indicates that Windows Update activity was blocked due to low battery level. + +The following fields are available: + +- **batteryLevel** The current battery charge capacity. +- **batteryLevelThreshold** The battery capacity threshold to stop update activity. +- **updatePhase** The current state of the update process. +- **wuDeviceid** Device ID. + + +### Microsoft.Windows.Update.Orchestrator.DeferRestart + +This event indicates that a restart required for installing updates was postponed. + +The following fields are available: + +- **displayNeededReason** List of reasons for needing display. +- **eventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery). +- **gameModeReason** Name of the executable that caused the game mode state check to start. +- **ignoredReason** List of reasons that were intentionally ignored. +- **IgnoreReasonsForRestart** List of reasons why restart was deferred. +- **revisionNumber** Update ID revision number. +- **systemNeededReason** List of reasons why system is needed. +- **updateId** Update ID. +- **updateScenarioType** Update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.Detection + +This event indicates that a scan for a Windows Update occurred. + +The following fields are available: + +- **deferReason** The reason why the device could not check for updates. +- **detectionBlockingPolicy** The Policy that blocked detection. +- **detectionBlockreason** The reason detection did not complete. +- **detectionRetryMode** Indicates whether we will try to scan again. +- **errorCode** The error code returned for the current process. +- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. +- **flightID** The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable. +- **interactive** Indicates whether the user initiated the session. +- **networkStatus** Indicates if the device is connected to the internet. +- **revisionNumber** The Update revision number. +- **scanTriggerSource** The source of the triggered scan. +- **updateId** The unique identifier of the Update. +- **updateScenarioType** Identifies the type of update session being performed. +- **wuDeviceid** The unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.DisplayNeeded + +This event indicates the reboot was postponed due to needing a display. + +The following fields are available: + +- **displayNeededReason** Reason the display is needed. +- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. +- **revisionNumber** Revision number of the update. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. +- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue + + +### Microsoft.Windows.Update.Orchestrator.Download + +This event sends launch data for a Windows Update download to help keep Windows up to date. + +The following fields are available: + +- **deferReason** Reason for download not completing. +- **e:4|SScenario** No content is currently available. +- **errorCode** An error code represented as a hexadecimal value. +- **eventScenario** End-to-end update session ID. +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the session is user initiated. +- **interactiveelatedCVerrorCode** No content is currently available. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenariotate** No content is currently available. +- **updateScenarioType** The update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.DTUCompletedWhenWuFlightPendingCommit + +This event indicates that DTU completed installation of the electronic software delivery (ESD), when Windows Update was already in Pending Commit phase of the feature update. + +The following fields are available: + +- **wuDeviceid** Device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.DTUEnabled + +This event indicates that Inbox DTU functionality was enabled. + +The following fields are available: + +- **wuDeviceid** Device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.DTUInitiated + +This event indicates that Inbox DTU functionality was intiated. + +The following fields are available: + +- **dtuErrorCode** Return code from creating the DTU Com Server. +- **isDtuApplicable** Determination of whether DTU is applicable to the machine it is running on. +- **wuDeviceid** Device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.EscalationRiskLevels + +This event is sent during update scan, download, or install, and indicates that the device is at risk of being out-of-date. + +The following fields are available: + +- **configVersion** The escalation configuration version on the device. +- **downloadElapsedTime** Indicates how long since the download is required on device. +- **downloadRiskLevel** At-risk level of download phase. +- **installElapsedTime** Indicates how long since the install is required on device. +- **installRiskLevel** The at-risk level of install phase. +- **isSediment** Assessment of whether is device is at risk. +- **scanElapsedTime** Indicates how long since the scan is required on device. +- **scanRiskLevel** At-risk level of the scan phase. +- **wuDeviceid** Device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.FailedToAddTimeTriggerToScanTask + +This event indicated that USO failed to add a trigger time to a task. + +The following fields are available: + +- **errorCode** The Windows Update error code. +- **wuDeviceid** The Windows Update device ID. + + +### Microsoft.Windows.Update.Orchestrator.FlightInapplicable + +This event indicates that the update is no longer applicable to this device. + +The following fields are available: + +- **EventPublishedTime** Time when this event was generated. +- **flightID** The specific ID of the Windows Insider build. +- **inapplicableReason** The reason why the update is inapplicable. +- **revisionNumber** Update revision number. +- **updateId** Unique Windows Update ID. +- **updateScenarioType** Update session type. +- **UpdateStatus** Last status of update. +- **UUPFallBackConfigured** Indicates whether UUP fallback is configured. +- **wuDeviceid** Unique Device ID. + + +### Microsoft.Windows.Update.Orchestrator.InitiatingReboot + +This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date. + +The following fields are available: + +- **EventPublishedTime** Time of the event. +- **flightID** Unique update ID +- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. +- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. +- **revisionNumber** Revision number of the update. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.Install + +This event sends launch data for a Windows Update install to help keep Windows up to date. + +The following fields are available: + +- **batteryLevel** Current battery capacity in mWh or percentage left. +- **defeec-9-0S** No content is currently available. +- **deferReason** Reason for install not completing. +- **errorCode** The error code reppresented by a hexadecimal value. +- **eventScenario** End-to-end update session ID. +- **flightID** The ID of the Windows Insider build the device is getting. +- **flightUpdate** Indicates whether the update is a Windows Insider build. +- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates. +- **Ignorec-9-0SsFoec-start** No content is currently available. +- **IgnoreReasonsForRestart** The reason(s) a Postpone Restart command was ignored. +- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress. +- **installRebootinitiatetime** The time it took for a reboot to be attempted. +- **interactive** Identifies if session is user initiated. +- **minutesToCommit** The time it took to install updates. +- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateMd** No content is currently available. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.LowUptimes + +This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure. + +The following fields are available: + +- **availableHistoryMinutes** The number of minutes available from the local machine activity history. +- **isLowUptimeMachine** Is the machine considered low uptime or not. +- **lowUptimeMinHours** Current setting for the minimum number of hours needed to not be considered low uptime. +- **lowUptimeQueryDays** Current setting for the number of recent days to check for uptime. +- **uptimeMinutes** Number of minutes of uptime measured. +- **wuDeviceid** Unique device ID for Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection + +This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date. + +The following fields are available: + +- **externalOneshotupdate** The last time a task-triggered scan was completed. +- **interactiveOneshotupdate** The last time an interactive scan was completed. +- **oldlastscanOneshotupdate** The last time a scan completed successfully. +- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID). + + +### Microsoft.Windows.Update.Orchestrator.PreShutdownStart + +This event is generated before the shutdown and commit operations. + +The following fields are available: + +- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### Microsoft.Windows.Update.Orchestrator.RebootFailed + +This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date. + +The following fields are available: + +- **batteryLevel** Current battery capacity in mWh or percentage left. +- **deferReason** Reason for install not completing. +- **EventPublishedTime** The time that the reboot failure occurred. +- **flightID** Unique update ID. +- **rebootOutsideOfActiveHours** Indicates whether a reboot was scheduled outside of active hours. +- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.RefreshSettings + +This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date. + +The following fields are available: + +- **errorCode** Hex code for the error message, to allow lookup of the specific error. +- **settingsDownloadTime** Timestamp of the last attempt to acquire settings. +- **settingsETag** Version identifier for the settings. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask + +This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date. + +The following fields are available: + +- **RebootTaskMissedTimeUTC** The time when the reboot task was scheduled to run, but did not. +- **RebootTaskNextTimeUTC** The time when the reboot task was rescheduled for. +- **RebootTaskRestoredTime** Time at which this reboot task was restored. +- **wuDeviceid** Device ID for the device on which the reboot is restored. + + +### Microsoft.Windows.Update.Orchestrator.ScanTriggered + +This event indicates that Update Orchestrator has started a scan operation. + +The following fields are available: + +- **errorCode** The error code returned for the current scan operation. +- **eventScenario** Indicates the purpose of sending this event. +- **interactive** Indicates whether the scan is interactive. +- **isDTUEnabled** Indicates whether DTU (internal abbreviation for Direct Feature Update) channel is enabled on the client system. +- **isScanPastSla** Indicates whether the SLA has elapsed for scanning. +- **isScanPastTriggerSla** Indicates whether the SLA has elapsed for triggering a scan. +- **minutesOverScanSla** Indicates how many minutes the scan exceeded the scan SLA. +- **minutesOverScanTriggerSla** Indicates how many minutes the scan exceeded the scan trigger SLA. +- **scanTriggerSource** Indicates what caused the scan. +- **updateScenarioType** The update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.StickUpdate + +This event is sent when the update service orchestrator (USO) indicates the update cannot be superseded by a newer update. + +The following fields are available: + +- **updateId** Identifier associated with the specific piece of content. +- **wuDeviceid** Unique device ID controlled by the software distribution client. + + +### Microsoft.Windows.Update.Orchestrator.SystemNeeded + +This event sends data about why a device is unable to reboot, to help keep Windows up to date. + +The following fields are available: + +- **eventScenario** End-to-end update session ID. +- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. +- **revisionNumber** Update revision number. +- **systemNeededReason** List of apps or tasks that are preventing the system from restarting. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.TerminatedByActiveHours + +This event indicates that update activity was stopped due to active hours starting. + +The following fields are available: + +- **activeHoursEnd** The end of the active hours window. +- **activeHoursStart** The start of the active hours window. +- **updatePhase** The current state of the update process. +- **wuDeviceid** The device identifier. + + +### Microsoft.Windows.Update.Orchestrator.TerminatedByBatteryLevel + +This event is sent when update activity was stopped due to a low battery level. + +The following fields are available: + +- **batteryLevel** The current battery charge capacity. +- **batteryLevelThreshold** The battery capacity threshold to stop update activity. +- **updatePhase** The current state of the update process. +- **wuDeviceid** The device identifier. + + +### Microsoft.Windows.Update.Orchestrator.UnstickUpdate + +This event is sent when the update service orchestrator (USO) indicates that the update can be superseded by a newer update. + +The following fields are available: + +- **updateId** Identifier associated with the specific piece of content. +- **wuDeviceid** Unique device ID controlled by the software distribution client. + + +### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh + +This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date. + +The following fields are available: + +- **configuredPoliciescount** Number of policies on the device. +- **policiesNamevaluesource** Policy name and source of policy (group policy, MDM or flight). +- **policyCacherefreshtime** Time when policy cache was refreshed. +- **updateInstalluxsetting** Indicates whether a user has set policies via a user experience option. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired + +This event sends data about whether an update required a reboot to help keep Windows up to date. + +The following fields are available: + +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed + +This event sends information about an update that encountered problems and was not able to complete. + +The following fields are available: + +- **errorCode** The error code encountered. +- **wuDeviceid** The ID of the device in which the error occurred. + + +### Microsoft.Windows.Update.Orchestrator.UsoSession + +This event represents the state of the USO service at start and completion. + +The following fields are available: + +- **activeSessionid** A unique session GUID. +- **eventScenario** The state of the update action. +- **interactive** Is the USO session interactive? +- **lastErrorcode** The last error that was encountered. +- **lastErrorstate** The state of the update when the last error was encountered. +- **sessionType** A GUID that refers to the update session type. +- **updateScenarioType** A descriptive update session type. +- **wuDeviceid** The Windows Update device GUID. + + +### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState + +This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. + +The following fields are available: + +- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. +- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown. +- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed. +- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs. +- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode. +- **ETag** The Entity Tag that represents the OneSettings version. +- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device. +- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device. +- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending. +- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced. +- **RebootVersion** The version of the DTE (Direct-to-Engaged). +- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode. +- **UpdateId** The ID of the update that is waiting for reboot to finish installation. +- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. + + +### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded + +This event is sent when a security update has successfully completed. + +The following fields are available: + +- **UtcTime** The Coordinated Universal Time that the restart was no longer needed. + + +### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled + +This event sends basic information about scheduling an update-related reboot, to get security updates and to help keep Windows up-to-date. + +The following fields are available: + +- **activeHoursApplicable** Indicates whether Active Hours applies on this device. +- **IsEnhancedEngagedReboot** Indicates whether Enhanced reboot was enabled. +- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. +- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise. +- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically. +- **rebootState** Current state of the reboot. +- **rebootUsingSmartScheduler** Indicates that the reboot is scheduled by SmartScheduler. +- **revisionNumber** Revision number of the OS. +- **scheduledRebootTime** Time scheduled for the reboot. +- **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC. +- **updateId** Identifies which update is being scheduled. +- **wuDeviceid** The unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerScheduledTask + +This event is sent when MUSE broker schedules a task. + +The following fields are available: + +- **TaskArgument** The arguments with which the task is scheduled. +- **TaskName** Name of the task. + + +### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled + +This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date. + +The following fields are available: + +- **activeHoursApplicable** Is the restart respecting Active Hours? +- **IsEnhancedEngagedReboot** TRUE if the reboot path is Enhanced Engaged. Otherwise, FALSE. +- **rebootArgument** The arguments that are passed to the OS for the restarted. +- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours? +- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device. +- **rebootState** The state of the restart. +- **rebootUsingSmartScheduler** TRUE if the reboot should be performed by the Smart Scheduler. Otherwise, FALSE. +- **revisionNumber** The revision number of the OS being updated. +- **scheduledRebootTime** Time of the scheduled reboot +- **scheduledRebootTimeInUTC** Time of the scheduled restart, in Coordinated Universal Time. +- **updateId** The Windows Update device GUID. +- **wuDeviceid** The Windows Update device GUID. + + +## Windows Update mitigation events + +### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages + +This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates. + +The following fields are available: + +- **ClientId** The client ID used by Windows Update. +- **FlightId** The ID of each Windows Insider build the device received. +- **InstanceId** A unique device ID that identifies each update instance. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **MountedImageCount** The number of mounted images. +- **MountedImageMatches** The number of mounted image matches. +- **MountedImagesFailed** The number of mounted images that could not be removed. +- **MountedImagesRemoved** The number of mounted images that were successfully removed. +- **MountedImagesSkipped** The number of mounted images that were not found. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each Windows Update. +- **WuId** Unique ID for the Windows Update client. + + +### Mitigation360Telemetry.MitigationCustom.FixAppXReparsePoints + +This event sends data specific to the FixAppXReparsePoints mitigation used for OS updates. + +The following fields are available: + +- **ClientId** Unique identifier for each flight. +- **FlightId** Unique GUID that identifies each instances of setuphost.exe. +- **InstanceId** The update scenario in which the mitigation was executed. +- **MitigationScenario** Correlation vector value generated from the latest USO scan. +- **RelatedCV** Number of reparse points that are corrupted but we failed to fix them. +- **ReparsePointsFailed** Number of reparse points that were corrupted and were fixed by this mitigation. +- **ReparsePointsFixed** Number of reparse points that are not corrupted and no action is required. +- **ReparsePointsSkipped** HResult of this operation. +- **Result** ID indicating the mitigation scenario. +- **ScenarioId** Indicates whether the scenario was supported. +- **ScenarioSupported** Unique value for each update attempt. +- **SessionId** Unique ID for each Update. +- **UpdateId** Unique ID for the Windows Update client. +- **WuId** Unique ID for the Windows Update client. + + +### Mitigation360Telemetry.MitigationCustom.FixupEditionId + +This event sends data specific to the FixupEditionId mitigation used for OS updates. + +The following fields are available: + +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **EditionIdUpdated** Determine whether EditionId was changed. +- **FlightId** Unique identifier for each flight. +- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **ProductEditionId** Expected EditionId value based on GetProductInfo. +- **ProductType** Value returned by GetProductInfo. +- **RegistryEditionId** EditionId value in the registry. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. +- **WuId** Unique ID for the Windows Update client. + + +## Windows Update Reserve Manager events + +### Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment + +This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending. + +The following fields are available: + +- **FinalAdjustment** Final adjustment for the hard reserve following the addition or removal of optional content. +- **InitialAdjustment** Initial intended adjustment for the hard reserve following the addition/removal of optional content. + + +### Microsoft.Windows.UpdateReserveManager.FunctionReturnedError + +This event is sent when the Update Reserve Manager returns an error from one of its internal functions. + +The following fields are available: + +- **FailedExpression** The failed expression that was returned. +- **FailedFile** The binary file that contained the failed function. +- **FailedFunction** The name of the function that originated the failure. +- **FailedLine** The line number of the failure. +- **ReturnCode** The return code of the function. + + +### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager + +This event returns data about the Update Reserve Manager, including whether it’s been initialized. + +The following fields are available: + +- **ClientId** The ID of the caller application. +- **Flags** The enumerated flags used to initialize the manager. +- **FlightId** The flight ID of the content the calling client is currently operating with. +- **Offline** Indicates whether or the reserve manager is called during offline operations. +- **PolicyPassed** Indicates whether the machine is able to use reserves. +- **ReturnCode** Return code of the operation. +- **Version** The version of the Update Reserve Manager. + + +### Microsoft.Windows.UpdateReserveManager.PrepareTIForReserveInitialization + +This event is sent when the Update Reserve Manager prepares the Trusted Installer to initialize reserves on the next boot. + +The following fields are available: + +- **Flags** The flags that are passed to the function to prepare the Trusted Installer for reserve initialization. + + +### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment + +This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment. + + + +### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment + +This event is sent when the Update Reserve Manager needs to adjust the size of the hard reserve after the option content is installed. + +The following fields are available: + +- **ChangeSize** The change in the hard reserve size based on the addition or removal of optional content. +- **Disposition** No content is currently available. +- **Flags** No content is currently available. +- **PendingHardReserveAdjustment** The final change to the hard reserve size. +- **UpdateType** Indicates whether the change is an increase or decrease in the size of the hard reserve. + + +## Winlogon events + +### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon + +This event signals the completion of the setup process. It happens only once during the first logon. + + + +## XBOX events + +### Microsoft.Xbox.XamTelemetry.AppActivationError + +This event indicates whether the system detected an activation error in the app. + +The following fields are available: + +- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app. +- **AppId** The Xbox LIVE Title ID. +- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate. +- **Result** The HResult error. +- **UserId** The Xbox LIVE User ID (XUID). + + +### Microsoft.Xbox.XamTelemetry.AppActivity + +This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. + +The following fields are available: + +- **AppActionId** The ID of the application action. +- **AppCurrentVisibilityState** The ID of the current application visibility state. +- **AppId** The Xbox LIVE Title ID of the app. +- **AppPackageFullName** The full name of the application package. +- **AppPreviousVisibilityState** The ID of the previous application visibility state. +- **AppSessionId** The application session ID. +- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). +- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. +- **DurationMs** The amount of time (in milliseconds) since the last application state transition. +- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. +- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). +- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. +- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. +- **UserId** The XUID (Xbox User ID) of the current user. + + + From 864408989b0807329b339c128d66e342a0535347 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 4 Mar 2019 14:30:46 -0800 Subject: [PATCH 023/492] new build --- windows/privacy/TOC.md | 2 +- ...dows-diagnostic-events-and-fields-1903.md} | 951 +++++++++++++++++- 2 files changed, 951 insertions(+), 2 deletions(-) rename windows/privacy/{basic-level-windows-diagnostic-events-and-fields-19H1.md => basic-level-windows-diagnostic-events-and-fields-1903.md} (93%) diff --git a/windows/privacy/TOC.md b/windows/privacy/TOC.md index e2a139c80d..cd6466b6eb 100644 --- a/windows/privacy/TOC.md +++ b/windows/privacy/TOC.md @@ -7,7 +7,7 @@ ### [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md) ### [Diagnostic Data Viewer for PowerShell Overview](Microsoft-DiagnosticDataViewer.md) ## Basic level Windows diagnostic data events and fields -### [Windows 10, version 19H1 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-19H1.md) +### [Windows 10, version 1903 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) ### [Windows 10, version 1809 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) ### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) ### [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md similarity index 93% rename from windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md rename to windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 0e7eebb254..551c98d759 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-19H1.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -9,7 +9,11 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 02/15/2019 +manager: dansimp +ms.collection: M365-security-compliance +ms.topic: article +audience: ITPro +ms.date: 03/04/2019 --- @@ -241,6 +245,23 @@ The following fields are available: - **line** Line in the file in the OS code base in which the exception occurs. +### Microsoft.Windows.Security.AppLockerCSP.IsDependencySatisfiedStart + +No content is currently available. + + + +### Microsoft.Windows.Security.AppLockerCSP.IsDependencySatisfiedStop + +No content is currently available. + +The following fields are available: + +- **edpActive** No content is currently available. +- **hr** No content is currently available. +- **internalHr** No content is currently available. + + ### Microsoft.Windows.Security.AppLockerCSP.SetValueParams Parameters passed to the SetValue function of the AppLockerCSP node. @@ -2543,6 +2564,12 @@ The following fields are available: - **ScenarioInstanceId** The globally unique identifier (GUID) of the scenario instance. +### TelClientSynthetic.ServiceMain_DevHealthMonEvent + +No content is currently available. + + + ## DxgKernelTelemetry events ### DxgKrnlTelemetry.GPUAdapterInventoryV2 @@ -3656,6 +3683,7 @@ The following fields are available: - **MeasuredLaunchResume** This field tells us if Dynamic Root of Trust for Measurement (DRTM) was used when resuming from hibernation. - **MenuPolicy** Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.). - **RecoveryEnabled** Indicates whether recovery is enabled. +- **SecureLaunchPrepared** This field indicates if DRTM was prepared during boot. - **TcbLaunch** Indicates whether the Trusted Computing Base was used during the boot flow. - **UserInputTime** The amount of time the loader application spent waiting for user input. @@ -3736,6 +3764,846 @@ The following fields are available: ## Other events +### Microsoft.Windows.PBR.BitLockerWipeFinished + +No content is currently available. + +The following fields are available: + +- **error** No content is currently available. +- **sessionID** No content is currently available. +- **succeeded** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.BootState + +No content is currently available. + +The following fields are available: + +- **BsdSummaryInfo** No content is currently available. +- **sessionID** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.ClearTPMStarted + +No content is currently available. + +The following fields are available: + +- **sessionID** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.ClientInfo + +No content is currently available. + +The following fields are available: + +- **name** No content is currently available. +- **sessionID** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.DataVolumeCount + +No content is currently available. + +The following fields are available: + +- **count** No content is currently available. +- **sessionID** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.DiskSpaceRequired + +No content is currently available. + +The following fields are available: + +- **numBytes** No content is currently available. +- **sessionID** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.EnterAPI + +No content is currently available. + +The following fields are available: + +- **apiName** No content is currently available. +- **sessionID** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.EnteredOOBE + +No content is currently available. + +The following fields are available: + +- **sessionID** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.LeaveAPI + +No content is currently available. + +The following fields are available: + +- **apiName** No content is currently available. +- **errorCode** No content is currently available. +- **sessionID** No content is currently available. +- **success** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.OEMExtensionFinished + +No content is currently available. + +The following fields are available: + +- **exitCode** No content is currently available. +- **param** No content is currently available. +- **phase** No content is currently available. +- **script** No content is currently available. +- **sessionID** No content is currently available. +- **succeeded** No content is currently available. +- **timedOut** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.OEMExtensionStarted + +No content is currently available. + +The following fields are available: + +- **param** No content is currently available. +- **phase** No content is currently available. +- **script** No content is currently available. +- **sessionID** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.OperationExecuteFinished + +No content is currently available. + +The following fields are available: + +- **error** No content is currently available. +- **index** No content is currently available. +- **operation** No content is currently available. +- **phase** No content is currently available. +- **sessionID** No content is currently available. +- **succeeded** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.OperationExecuteStarted + +No content is currently available. + +The following fields are available: + +- **index** No content is currently available. +- **operation** No content is currently available. +- **phase** No content is currently available. +- **sessionID** No content is currently available. +- **timestamp** No content is currently available. +- **weight** No content is currently available. + + +### Microsoft.Windows.PBR.OperationQueueConstructFinished + +No content is currently available. + +The following fields are available: + +- **error** No content is currently available. +- **sessionID** No content is currently available. +- **succeeded** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.OperationQueueConstructStarted + +No content is currently available. + +The following fields are available: + +- **sessionID** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.PBRClearRollBackEntry + +No content is currently available. + +The following fields are available: + +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBRClearTPMFailed + +No content is currently available. + +The following fields are available: + +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBRCreateNewSystemReconstructionFailed + +No content is currently available. + +The following fields are available: + +- **HRESULT** No content is currently available. +- **PBRType** No content is currently available. +- **SessionID** No content is currently available. +- **SPErrorCode** No content is currently available. +- **SPOperation** No content is currently available. +- **SPPhase** No content is currently available. + + +### Microsoft.Windows.PBR.PBRCreateNewSystemReconstructionSucceed + +No content is currently available. + +The following fields are available: + +- **CBSPackageCount** No content is currently available. +- **CustomizationPackageCount** No content is currently available. +- **PBRType** No content is currently available. +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBRDriverInjectionFailed + +No content is currently available. + +The following fields are available: + +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBRFailed + +No content is currently available. + +The following fields are available: + +- **ErrorType** No content is currently available. +- **PBRType** No content is currently available. +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBRFinalizeNewSystemFailed + +No content is currently available. + +The following fields are available: + +- **HRESULT** No content is currently available. +- **SessionID** No content is currently available. +- **SPErrorCode** No content is currently available. +- **SPOperation** No content is currently available. +- **SPPhase** No content is currently available. + + +### Microsoft.Windows.PBR.PBRFinalizeNewSystemSucceed + +No content is currently available. + +The following fields are available: + +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBRFinalUserSelection + +No content is currently available. + +The following fields are available: + +- **PBREraseData** No content is currently available. +- **PBRRecoveryStrategy** No content is currently available. +- **PBRRepartitionDisk** No content is currently available. +- **PBRVariation** No content is currently available. +- **PBRWipeDataDrives** No content is currently available. +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBRFormatOSVolumeFailed + +No content is currently available. + +The following fields are available: + +- **JustDeleteFiles** No content is currently available. +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBRFormatOSVolumeSucceed + +No content is currently available. + +The following fields are available: + +- **JustDeleteFiles** No content is currently available. +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBRInstallWinREFailed + +No content is currently available. + +The following fields are available: + +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBRIOCTLErasureSucceed + +No content is currently available. + +The following fields are available: + +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBRLayoutImageFailed + +No content is currently available. + +The following fields are available: + +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBRLayoutImageSucceed + +No content is currently available. + +The following fields are available: + +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBROEM1Failed + +No content is currently available. + +The following fields are available: + +- **HRESULT** No content is currently available. +- **Parameters** No content is currently available. +- **PBRType** No content is currently available. +- **ScriptName** No content is currently available. +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBROEM2Failed + +No content is currently available. + +The following fields are available: + +- **HRESULT** No content is currently available. +- **Parameters** No content is currently available. +- **PBRType** No content is currently available. +- **ScriptName** No content is currently available. +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBRPostApplyFailed + +No content is currently available. + +The following fields are available: + +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBRPostApplyFinished + +No content is currently available. + +The following fields are available: + +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBRPostApplyStarted + +No content is currently available. + +The following fields are available: + +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBRPreApplyFailed + +No content is currently available. + +The following fields are available: + +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBRPreApplyFinished + +No content is currently available. + +The following fields are available: + +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBRPreApplyStarted + +No content is currently available. + +The following fields are available: + +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBRReachedOOBE + +No content is currently available. + +The following fields are available: + +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBRReconstructionInitiated + +No content is currently available. + +The following fields are available: + +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBRRequirementChecks + +No content is currently available. + +The following fields are available: + +- **DeploymentType** No content is currently available. +- **InstallType** No content is currently available. +- **PBRType** No content is currently available. +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBRRequirementChecksFailed + +No content is currently available. + +The following fields are available: + +- **DiskSpaceAvailable** No content is currently available. +- **DiskSpaceRequired** No content is currently available. +- **ErrorType** No content is currently available. +- **PBRImageVersion** No content is currently available. +- **PBRRecoveryStrategy** No content is currently available. +- **PBRStartedFrom** No content is currently available. +- **PBRType** No content is currently available. +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBRRequirementChecksPassed + +No content is currently available. + +The following fields are available: + +- **OSVersion** No content is currently available. +- **PBRImageType** No content is currently available. +- **PBRImageVersion** No content is currently available. +- **PBRRecoveryStrategy** No content is currently available. +- **PBRStartedFrom** No content is currently available. +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBRRestoreLicenseFailed + +No content is currently available. + +The following fields are available: + +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBRSucceed + +No content is currently available. + +The following fields are available: + +- **OSVersion** No content is currently available. +- **PBRType** No content is currently available. +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBRUserCancelled + +No content is currently available. + +The following fields are available: + +- **CancelPage** No content is currently available. +- **PBRVariation** No content is currently available. +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBRVersionsMistmatch + +No content is currently available. + +The following fields are available: + +- **OSVersion** No content is currently available. +- **REVersion** No content is currently available. +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PBRWinREInstallationFailed + +No content is currently available. + +The following fields are available: + +- **SessionID** No content is currently available. + + +### Microsoft.Windows.PBR.PhaseFinished + +No content is currently available. + +The following fields are available: + +- **error** No content is currently available. +- **phase** No content is currently available. +- **sessionID** No content is currently available. +- **succeeded** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.PhaseStarted + +No content is currently available. + +The following fields are available: + +- **phase** No content is currently available. +- **sessionID** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.ReconstructionInfo + +No content is currently available. + +The following fields are available: + +- **numPackagesAbandoned** No content is currently available. +- **numPackagesFailed** No content is currently available. +- **sessionID** No content is currently available. +- **slowMode** No content is currently available. +- **targetVersion** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.ResetOptions + +No content is currently available. + +The following fields are available: + +- **overwriteSpace** No content is currently available. +- **preserveWorkplace** No content is currently available. +- **scenario** No content is currently available. +- **sessionID** No content is currently available. +- **timestamp** No content is currently available. +- **wipeData** No content is currently available. + + +### Microsoft.Windows.PBR.RetryQueued + +No content is currently available. + +The following fields are available: + +- **attempt** No content is currently available. +- **sessionID** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.ReturnedToOldOS + +No content is currently available. + +The following fields are available: + +- **sessionID** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.ReturnTaskSchedulingFailed + +No content is currently available. + +The following fields are available: + +- **errorCode** No content is currently available. +- **sessionID** No content is currently available. +- **taskName** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.RollbackFinished + +No content is currently available. + +The following fields are available: + +- **error** No content is currently available. +- **sessionID** No content is currently available. +- **succeeded** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.RollbackStarted + +No content is currently available. + +The following fields are available: + +- **sessionID** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.ScenarioNotSupported + +No content is currently available. + +The following fields are available: + +- **errorCode** No content is currently available. +- **reason** No content is currently available. +- **sessionID** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.SessionCreated + +No content is currently available. + +The following fields are available: + +- **sessionID** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.SessionResumed + +No content is currently available. + +The following fields are available: + +- **sessionID** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.SessionSaved + +No content is currently available. + +The following fields are available: + +- **sessionID** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.SetupExecuteFinished + +No content is currently available. + +The following fields are available: + +- **sessionID** No content is currently available. +- **systemState** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.SetupExecuteStarted + +No content is currently available. + +The following fields are available: + +- **sessionID** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.SetupFinalizeStarted + +No content is currently available. + +The following fields are available: + +- **sessionID** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.SetupOperationFailed + +No content is currently available. + +The following fields are available: + +- **errorCode** No content is currently available. +- **sessionID** No content is currently available. +- **setupExecutionOperation** No content is currently available. +- **setupExecutionPhase** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.SystemInfoField + +No content is currently available. + +The following fields are available: + +- **name** No content is currently available. +- **sessionID** No content is currently available. +- **timestamp** No content is currently available. +- **value** No content is currently available. + + +### Microsoft.Windows.PBR.SystemInfoListItem + +No content is currently available. + +The following fields are available: + +- **index** No content is currently available. +- **name** No content is currently available. +- **sessionID** No content is currently available. +- **timestamp** No content is currently available. +- **value** No content is currently available. + + +### Microsoft.Windows.PBR.SystemInfoSenseFinished + +No content is currently available. + +The following fields are available: + +- **error** No content is currently available. +- **sessionID** No content is currently available. +- **succeeded** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.SystemInfoSenseStarted + +No content is currently available. + +The following fields are available: + +- **sessionID** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.UserAcknowledgeCleanupWarning + +No content is currently available. + +The following fields are available: + +- **sessionID** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.UserCancel + +No content is currently available. + +The following fields are available: + +- **pageID** No content is currently available. +- **sessionID** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.UserConfirmStart + +No content is currently available. + +The following fields are available: + +- **sessionID** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.WinREInstallFinished + +No content is currently available. + +The following fields are available: + +- **errorCode** No content is currently available. +- **sessionID** No content is currently available. +- **success** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.PBR.WinREInstallStarted + +No content is currently available. + +The following fields are available: + +- **sessionID** No content is currently available. +- **timestamp** No content is currently available. + + +### Microsoft.Windows.Security.WSC.DatastoreMigratedVersion + +No content is currently available. + +The following fields are available: + +- **datastoreisvtype** No content is currently available. +- **datastoremigrated** No content is currently available. +- **status** No content is currently available. + + +### Microsoft.Windows.Security.WSC.GetCallerViaWdsp + +No content is currently available. + +The following fields are available: + +- **callerExe** No content is currently available. + + ### Microsoft.Windows.SysReset.FlightUninstallCancel This event indicates the customer has cancelled uninstallation of Windows. @@ -3781,6 +4649,36 @@ This event is sent when users have actions that will block the uninstall of the +### Microsoft.Windows.SysReset.IndicateLCUWasUninstalled + +No content is currently available. + +The following fields are available: + +- **errorCode** No content is currently available. + + +### Microsoft.Windows.SysReset.LCUUninstall + +No content is currently available. + +The following fields are available: + +- **errorCode** No content is currently available. +- **packageName** No content is currently available. +- **removalTime** No content is currently available. + + +### Microsoft.Windows.SysReset.PBRBlockedByPolicy + +No content is currently available. + +The following fields are available: + +- **PBRBlocked** No content is currently available. +- **PBRType** No content is currently available. + + ### Microsoft.Windows.SysReset.PBREngineInitFailed This event signals a failed handoff between two recovery binaries. @@ -3810,6 +4708,17 @@ The following fields are available: - **SessionID** The unique ID for the recovery session. +### Microsoft.Windows.SystemReset.EsimPresentCheck + +No content is currently available. + +The following fields are available: + +- **errorCode** No content is currently available. +- **esimPresent** No content is currently available. +- **sessionID** No content is currently available. + + ### Microsoft.Windows.SystemReset.PBRCorruptionRepairOption This event sends corruption repair diagnostic data when the PBRCorruptionRepairOption encounters a corruption error. @@ -3822,6 +4731,16 @@ The following fields are available: - **sessionID** The globally unique identifier (GUID) for the session. +### Microsoft.Windows.SystemReset.RepairNeeded + +No content is currently available. + +The following fields are available: + +- **repairNeeded** No content is currently available. +- **sessionID** No content is currently available. + + ### Microsoft.Xbox.XamTelemetry.AppActivationError This event indicates whether the system detected an activation error in the app. @@ -6407,6 +7326,19 @@ The following fields are available: - **OwningScenarioId** The scenario ID the client that called the begin scenario function. - **ReturnCode** The return code for the begin scenario operation. - **ScenarioId** The scenario ID that is internal to the reserve manager. +- **SoftReserveSize** No content is currently available. +- **SoftReserveUsedSpace** No content is currently available. + + +### Microsoft.Windows.UpdateReserveManager.ClearReserve + +No content is currently available. + +The following fields are available: + +- **FinalReserveUsedSpace** No content is currently available. +- **InitialReserveUsedSpace** No content is currently available. +- **ReserveId** No content is currently available. ### Microsoft.Windows.UpdateReserveManager.ClearSoftReserve @@ -6482,6 +7414,21 @@ The following fields are available: - **UpdateScratchReserveInitialSize** The size of the scratch reserve after initialization. +### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager + +This event returns data about the Update Reserve Manager, including whether it’s been initialized. + +The following fields are available: + +- **ClientId** The ID of the caller application. +- **Flags** The enumerated flags used to initialize the manager. +- **FlightId** The flight ID of the content the calling client is currently operating with. +- **Offline** Indicates whether or the reserve manager is called during offline operations. +- **PolicyPassed** Indicates whether the machine is able to use reserves. +- **ReturnCode** Return code of the operation. +- **Version** The version of the Update Reserve Manager. + + ### Microsoft.Windows.UpdateReserveManager.PrepareTIForReserveInitialization This event is sent when the Update Reserve Manager prepares the Trusted Installer to initialize reserves on the next boot. @@ -6530,6 +7477,8 @@ This event is sent when the Update Reserve Manager needs to adjust the size of t The following fields are available: - **ChangeSize** The change in the hard reserve size based on the addition or removal of optional content. +- **Disposition** No content is currently available. +- **Flags** No content is currently available. - **PendingHardReserveAdjustment** The final change to the hard reserve size. - **UpdateType** Indicates whether the change is an increase or decrease in the size of the hard reserve. From dd6c267300cadb1974451119e0ee29abdf7746c5 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 5 Mar 2019 08:49:58 -0800 Subject: [PATCH 024/492] new build --- ...ndows-diagnostic-events-and-fields-1809.md | 84 ++++++------------- 1 file changed, 24 insertions(+), 60 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 0ed80bd117..d9c00fdff9 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -516,6 +516,8 @@ The following fields are available: - **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. - **PCFP** The count of the number of this particular object type present on this device. - **SystemMemory** The count of the number of this particular object type present on this device. +- **SystemProcesqorP2efetchW** No content is currently available. +- **SystemProcessorCompapeExchange** No content is currently available. - **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. - **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. - **SystemProcessorNx** The total number of objects of this type present on this device. @@ -525,6 +527,7 @@ The following fields are available: - **SystemWim** The total number of objects of this type present on this device. - **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. - **SystemWlan** The total number of objects of this type present on this device. +- **SystemWlAn** No content is currently available. - **Wmdrm_19ASetup** The count of the number of this particular object type present on this device. - **Wmdrm_19H1** The count of the number of this particular object type present on this device. - **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. @@ -1363,6 +1366,7 @@ The following fields are available: - **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes). - **ram** The amount of memory on the device. - **ramKB** The amount of memory (in KB). +- **virt5al** No content is currently available. - **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes). - **virtualKB** The amount of virtual memory (in KB). @@ -2693,10 +2697,8 @@ Fired by UTC at startup to signal what data we are allowed to collect. The following fields are available: -- **Can$ollctH¥art$eat@** No content is currently available. - **Can&erformDiagnosticEscalations** No content is currently available. - **Can@erformDiagnosticEscalations** No content is currently available. -- **CanollDctWndo‰sAnDlytHcsE‰entL** No content is currently available. - **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. - **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. - **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. @@ -2706,8 +2708,6 @@ The following fields are available: - **CanCollectNsTelemetry** No content is currently available. - **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. - **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. -- **CanMepoHtSc$narDos** No content is currently available. -- **CanollÿctAAyTe[emeƒry** No content is currently available. - **CanPerformDiagngsticEscalations** No content is currently available. - **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. - **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. @@ -2715,7 +2715,6 @@ The following fields are available: - **CanRepor5Acenarios** No content is currently available. - **CanReportscenarios** No content is currently available. - **CanReportScenarios** True if we can report scenario completions, false otherwise. -- **CanþollectOsTelemetry** No content is currently available. - **Previous&ermissions** No content is currently available. - **PreviousPermissaons** No content is currently available. - **PreviousPermissions** Bitmask of previous telemetry state. @@ -2738,9 +2737,6 @@ The following fields are available: - **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. - **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. - **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds. -- **낎茨��彿孔ゟꪜㄒ謡폲��춗** No content is currently available. -- **셨恮띚㓃瘙칌델࠮鎫ꖋ͇��솗π㹆** No content is currently available. -- **㨲⣦豑棽沵湤ས萾盗椺魹㙞** No content is currently available. ### TelClientSynthetic.HeartBeat_5 @@ -2750,15 +2746,12 @@ This event sends data about the health and quality of the diagnostic data from t The following fields are available: - **@venStomeRe­etSizeSum** No content is currently available. -- **ࠣ⥶墊뗞ᚄ棛묚ﺪ穢꾜浝返枽탙** No content is currently available. - **597pressedBytesUploaded** No content is currently available. - **5ensusExitCode** No content is currently available. - **5ensusStartTime** No content is currently available. - **5ensusTaskEnabled** No content is currently available. -- **㉊��ꐔᦵﲉộ恓拥镳ŏ⺃턺맿삷࣫৘彣䞉䮄** No content is currently available. - **AgentConnectaonErrorsCount** No content is currently available. - **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel. -- **AgentConnect⁩onErrorsCount** No content is currently available. - **AudioInMS** No content is currently available. - **AudioOutMS** No content is currently available. - **BackgroundMouseSec** No content is currently available. @@ -2773,7 +2766,6 @@ The following fields are available: - **CompressedBytesUtyPropagatedSec** No content is currently available. - **ConsdmerDroppedCount** No content is currently available. - **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. -- **Critical�ataThrottleDroppedCount** No content is currently available. - **CriticalDataDbDro`pedCount** No content is currently available. - **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. - **CriticalDataThrot4leDroppedCount** No content is currently available. @@ -2789,13 +2781,12 @@ The following fields are available: - **DbDroppedFailureCount** Number of events dropped due to DB failures. - **DbDroppeDFailureCount** No content is currently available. - **DbDroppedFailureCountAgentC** No content is currently available. -- **DbDroppedFullCoun�** No content is currently available. - **DbDroppedFullCount** Number of events dropped due to DB fullness. -- **DbD偲oppedCount** No content is currently available. - **DecodingDroppedCount** Number of events dropped due to decoding failures. - **EnteringCriticalOverfl** No content is currently available. - **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. - **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. +- **EtwDroppedCoent** No content is currently available. - **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. - **EventSequence** No content is currently available. - **EventsPersistedCount** Number of events that reached the PersistEvent stage. @@ -2828,7 +2819,6 @@ The following fields are available: - **LastEventSingOffender** No content is currently available. - **LastEventsizeOffender** No content is currently available. - **LastEventSizeOffender** Event name of last event which exceeded max event size. -- **LastEventSizeOffѥnder** No content is currently available. - **LastInv,:3tyttpCode** No content is currently available. - **LastInvali$HttpCode** No content is currently available. - **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. @@ -2838,6 +2828,7 @@ The following fields are available: - **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. - **MaxxrseSum** No content is currently available. - **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). +- **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. - **renderTrigger** No content is currently available. - **repeatedUploadFailureDropped** No content is currently available. - **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. @@ -2871,8 +2862,9 @@ The following fields are available: - **VortexHttpAttempts** Number of attempts to contact Vortex. - **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. - **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. +- **VortexHttpResmonseFailures** No content is currently available. +- **VortexHttpResmonsesWithDroppedEvents** No content is currently available. - **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. -- **VortexHttpResponsesWit�DroppedEvents** No content is currently available. - **VortexHttpResponsesWitfDroppedEvents** No content is currently available. - **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. - **VortexHttpResponsesWitherDroppEvents** No content is currently available. @@ -2882,23 +2874,6 @@ The following fields are available: - **VortexyttpFailures5xx** No content is currently available. - **VortexyttpResponseFailures** No content is currently available. - **VortexyttpResponsesWithDroppedEvents** No content is currently available. -- **Ω霗⺴䷞釬膏੶ˀ䊋䏾៬㝟쀩ﻊႌ᪘绮開웷** No content is currently available. -- **ⴧꈌ噱罼[ᱪ頱찲刕떈ϩꗊ꒶兛槞捖䏛늊邋瑟⌴슰ݎ뜼뱥윞ᶃ** No content is currently available. -- **ꋦɓ☴槼ꏍ䔕趸邽뽎㞖륮獵衻㚔ʅⰤ脝ꁗ㻨剧敳犿矘葹꾇䬝⨘⏇뷮쨢ʜ꟩** No content is currently available. -- **ᤴ䖋叴햢Ѵ갰㹕壑彔蕢㑟䌛݁ꕿ඼丹䆑鱡** No content is currently available. -- **낎茨��彿孔ゟꪜㄒ謡폲��춗** No content is currently available. -- **덀ၫ랫Ƙퟚ᧔퐼㵜킶䆹荸활謁焄㓵犛Ɤ澴㹭ཧ** No content is currently available. -- **롰用᜜™業䬒㥆ἑ��寞⨱ᾝ䞆쨁悺릾䗳** No content is currently available. -- **뤠蔋弌놅똋궑텪邽櫰৳␮媩䉍��녑䍎񳸑** No content is currently available. -- **셨恮띚㓃瘙칌델࠮鎫ꖋ͇��솗π㹆** No content is currently available. -- **즬铗쐌ﰺ읟좌鄀妏 蹤㻇椤㜊䁔鿺䍇趺懤譀뫺◦ɍ煎㟹** No content is currently available. -- **첎艅ꃣ殠ổ⍦ꫭ簆㈺䥲풾Ϊ攝棥��紽鰫꜌ઁ㌲诡ಆᇆ** No content is currently available. -- **斜⤏ܔ馼쯌ℬ壯ꈹ楖뢨┺挖东ⵕ疐﷤㝊䅁荹隼��䎕㹢��⭶ꮬ瀯** No content is currently available. -- **曺跬蝲㥅䬿應鄶뇵鯔㮡侪ч즗퀾祃迼猀亰햗₊珱姰㜔Ⓤ∔痨쌈ꘄ擑蜉滂** No content is currently available. -- **㚡⁓��漭䖾愶툰ꯛ慤־䨃枛䡹ꋷన件Ⴄ棅譟** No content is currently available. -- **㨲⣦豑棽沵湤ས萾盗椺魹㙞** No content is currently available. -- **㰚姗硴龖㾙** No content is currently available. -- **䱉虙璫ຖꍶ搎⪴偩HttpAttempts** No content is currently available. ### TelClientSynthetic.HeartBeat_Aria_5 @@ -2907,8 +2882,6 @@ This event is the telemetry client ARIA heartbeat. The following fields are available: -- **ࠣ⥶墊뗞ᚄ棛묚ﺪ穢꾜浝返枽탙** No content is currently available. -- **㉊��ꐔᦵﲉộ恓拥镳ŏ⺃턺맿삷࣫৘彣䞉䮄** No content is currently available. - **CompressedBytesUploaded** Number of compressed bytes uploaded. - **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. - **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. @@ -2927,6 +2900,7 @@ The following fields are available: - **LastEventSizeOffender** Event name of last event which exceeded max event size. - **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. - **PreviousHeartBeatTime** The FILETIME of the previous heartbeat fire. +- **PrivacyBlockedCount** No content is currently available. - **repeatedUploadFailureDropped** No content is currently available. - **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. - **SettingsHttpAttempts** Number of attempts to contact OneSettings service. @@ -2940,18 +2914,6 @@ The following fields are available: - **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. - **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. - **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. -- **Ω霗⺴䷞釬膏੶ˀ䊋䏾៬㝟쀩ﻊႌ᪘绮開웷** No content is currently available. -- **ⴧꈌ噱罼[ᱪ頱찲刕떈ϩꗊ꒶兛槞捖䏛늊邋瑟⌴슰ݎ뜼뱥윞ᶃ** No content is currently available. -- **ꋦɓ☴槼ꏍ䔕趸邽뽎㞖륮獵衻㚔ʅⰤ脝ꁗ㻨剧敳犿矘葹꾇䬝⨘⏇뷮쨢ʜ꟩** No content is currently available. -- **ᤴ䖋叴햢Ѵ갰㹕壑彔蕢㑟䌛݁ꕿ඼丹䆑鱡** No content is currently available. -- **덀ၫ랫Ƙퟚ᧔퐼㵜킶䆹荸활謁焄㓵犛Ɤ澴㹭ཧ** No content is currently available. -- **롰用᜜™業䬒㥆ἑ��寞⨱ᾝ䞆쨁悺릾䗳** No content is currently available. -- **뤠蔋弌놅똋궑텪邽櫰৳␮媩䉍��녑䍎񳸑** No content is currently available. -- **즬铗쐌ﰺ읟좌鄀妏 蹤㻇椤㜊䁔鿺䍇趺懤譀뫺◦ɍ煎㟹** No content is currently available. -- **斜⤏ܔ馼쯌ℬ壯ꈹ楖뢨┺挖东ⵕ疐﷤㝊䅁荹隼��䎕㹢��⭶ꮬ瀯** No content is currently available. -- **曺跬蝲㥅䬿應鄶뇵鯔㮡侪ч즗퀾祃迼猀亰햗₊珱姰㜔Ⓤ∔痨쌈ꘄ擑蜉滂** No content is currently available. -- **㚡⁓��漭䖾愶툰ꯛ慤־䨃枛䡹ꋷన件Ⴄ棅譟** No content is currently available. -- **䱉虙璫ຖꍶ搎⪴偩HttpAttempts** No content is currently available. ### TelClientSynthetic.HeartBeat_Seville_5 @@ -3519,7 +3481,6 @@ The following fields are available: - **~ersion** No content is currently available. - **AdapterTypeValue** The numeric value indicating the type of Graphics adapter. - **aiCeqId** No content is currently available. -- **aiSeqI�** No content is currently available. - **aiseqId** No content is currently available. - **aiSeqId** The event sequence ID. - **bo** No content is currently available. @@ -3577,19 +3538,23 @@ The following fields are available: - **InterfaceId** The GPU interface ID. - **IsDisplayDevice** Does the GPU have displaying capabilities? - **IsDisplayDevmce** No content is currently available. +- **IsDmsplayDevice** No content is currently available. - **IsHwSchSupported** Indicates whether the adapter supports hardware scheduling. - **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? - **IsHybridDiscrgte** No content is currently available. - **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? - **IsLDA** Is the GPU comprised of Linked Display Adapters? - **IslidHttpDevice** No content is currently available. +- **IsMiracastScWported** No content is currently available. - **IsMiracastStpported** No content is currently available. - **IsMiracastSupported** Does the GPU support Miracast? - **IsMismatc`LDA** No content is currently available. - **IsMismatchLdA** No content is currently available. - **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor? - **IsMIsmatchLDA** No content is currently available. +- **IsMPOScWported** No content is currently available. - **IsMPOSupported** Does the GPU support Multi-Plane Overlays? +- **IsMsMiracastScWported** No content is currently available. - **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution? - **IsMsMiracastSupposted** No content is currently available. - **IsPostAdapter** Is this GPU the POST GPU in the device? @@ -3598,6 +3563,7 @@ The following fields are available: - **IsRenderDevice** Does the GPU have rendering capabilities? - **IsSoftwareDevice** Is this a software implementation of the GPU? - **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store. +- **KMDFmlePath** No content is currently available. - **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? - **MeasuruEnab|ed** No content is currently available. - **MsHybridDiscrete** Indicates whether the adapter is a discrete adapter in a hybrid configuration. @@ -3610,7 +3576,6 @@ The following fields are available: - **SharedQystemMemoryB** No content is currently available. - **SharedRystemMemoRyB** No content is currently available. - **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes). -- **ShaŲedSystemMemoryB** No content is currently available. - **SubFendorID** No content is currently available. - **SubSystemAD** No content is currently available. - **SubSystemID** The subsystem ID. @@ -3618,6 +3583,7 @@ The following fields are available: - **SubVendorID** The GPU sub vendor ID. - **Teleme|ryEnabled** No content is currently available. - **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? +- **TelInvEvntTragger** No content is currently available. - **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) - **TelInvEvntTrihger** No content is currently available. - **version** The event version. @@ -3715,6 +3681,8 @@ The following fields are available: - **AppTiieStamp** No content is currently available. - **AppTiíeStamp** No content is currently available. - **AppTimeStamp** The date/time stamp of the app. +- **AppTimeSTamp** No content is currently available. +- **AppVerrion** No content is currently available. - **AppVersioj** No content is currently available. - **AppVersion** The version of the app that has crashed. - **BeportId** No content is currently available. @@ -4228,7 +4196,6 @@ The following fields are available: - **ProductVersion** The product version that is included in the driver file. - **Service** The name of the service that is installed for the device. - **WdfVersion** The Windows Driver Framework version. -- **Wd�Version** No content is currently available. ### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove @@ -5112,7 +5079,6 @@ The following fields are available: - **CClienVersion** No content is currently available. - **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. - **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. -- **ClientVer�ion** No content is currently available. - **Clientversion** No content is currently available. - **ClientVersion** The version number of the software distribution client. - **ClientVersiOn** No content is currently available. @@ -5210,6 +5176,7 @@ The following fields are available: - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. - **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days). - **QualityUplatePausmPeriod** No content is currently available. +- **QualityWpdatePause** No content is currently available. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **RelntedCV** No content is currently available. - **ScanDSrationInSeconds** No content is currently available. @@ -5231,6 +5198,7 @@ The following fields are available: - **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. - **TotalNumMetadaTaSignatures** No content is currently available. - **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. +- **WebServicmRetryMethods** No content is currently available. - **WUDericeID** No content is currently available. - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - **WUDewiceID** No content is currently available. @@ -5303,6 +5271,7 @@ The following fields are available: - **CallerApplictionaName** No content is currently available. - **CbsDownloadMethod** Indicates whether the download was a full- or a partial-file download. - **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. +- **CDNCotntryCode** No content is currently available. - **CDNCoun.ryCdel** No content is currently available. - **CDNCoundryCode** No content is currently available. - **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. @@ -5378,10 +5347,12 @@ The following fields are available: - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. - **RdvisionNumber** No content is currently available. - **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background. +- **ReguiationResult** No content is currently available. - **RegulationReason** The reason that the update is regulated - **regulationResult** No content is currently available. - **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. - **RegulatIonResult** No content is currently available. +- **ReiatedCV** No content is currently available. - **RelatedCS** No content is currently available. - **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. - **RelntedCV** No content is currently available. @@ -5531,6 +5502,7 @@ The following fields are available: - **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. - **IsSuccessFailurePst.Reboot** No content is currently available. - **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. +- **IsWufBEnabled** No content is currently available. - **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. - **IsWVfBDualScanEnabled** No content is currently available. - **IsWVfBEnabled** No content is currently available. @@ -7016,7 +6988,6 @@ The following fields are available: - **dkwnloadModeSrc** No content is currently available. - **doErrorCode** The Delivery Optimization error code that was returned. - **dowflinkBps** No content is currently available. -- **dow�loadMode** No content is currently available. - **downlinkBps** The maximum measured available download bandwidth (in bytes per second). - **downlinkUsageBps** The download speed (in bytes per second). - **downloadMode** The download mode used for this file download session. @@ -7111,12 +7082,12 @@ The following fields are available: - **doClientVersion** The version of the Delivery Optimization client. - **doErrorC/de** No content is currently available. - **doErrorCode** The Delivery Optimization error code that was returned. +- **doErrorCoee** No content is currently available. - **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). - **downloadModeReason** Reason for the download. - **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). - **errorCode** The error code that was returned. - **experimejtId** No content is currently available. -- **experimen�Id** No content is currently available. - **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing. - **fiheID** No content is currently available. - **fileID** The ID of the file being downloaded. @@ -7149,21 +7120,15 @@ This event represents a failure to download from a CDN with Delivery Optimizatio The following fields are available: -- **`esponseAize** No content is currently available. - **cdnHeaders** The HTTP headers returned by the CDN. - **cdnIp** The IP address of the CDN. - **cdnUrl** The URL of the CDN. - **eErrorCode** No content is currently available. - **eErrorCunt** No content is currently available. - **errorCode** The error code that was returned. -- **errorCode‡httpStatusCodw** No content is currently available. -- **errorCode‡httpSvatusCodw** No content is currently available. - **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered. -- **errorSount** No content is currently available. - **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **f{leID** No content is currently available. - **fileID** The ID of the file being downloaded. -- **fkleID** No content is currently available. - **htppStatusCode** No content is currently available. - **httpStatusCode** The HTTP status code returned by the CDN. - **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET @@ -7172,7 +7137,6 @@ The following fields are available: - **requestSize** The size of the range requested from the CDN. - **responseSize** The size of the range response received from the CDN. - **sessionID** The ID of the download session. -- **swssionIDcdnUrl** No content is currently available. ### Microsoft.OSG.DU.DeliveryOptClient.JobError From 7a947ae3519aedbde69470085100caf413902771 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 5 Mar 2019 08:50:03 -0800 Subject: [PATCH 025/492] new build --- ...ndows-diagnostic-events-and-fields-1903.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 551c98d759..2c69ccb1c3 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -247,19 +247,19 @@ The following fields are available: ### Microsoft.Windows.Security.AppLockerCSP.IsDependencySatisfiedStart -No content is currently available. +Indicates the start of a call to the IsDependencySatisfied function in the Configuration Service Provider (CSP). ### Microsoft.Windows.Security.AppLockerCSP.IsDependencySatisfiedStop -No content is currently available. +Indicates the end of an IsDependencySatisfied function call in the Configuration Service Provider (CSP). The following fields are available: -- **edpActive** No content is currently available. -- **hr** No content is currently available. -- **internalHr** No content is currently available. +- **edpActive** Indicates whether enterprise data protection is active. +- **hr** HRESULT that is reported. +- **internalHr** Internal HRESULT that is reported. ### Microsoft.Windows.Security.AppLockerCSP.SetValueParams @@ -2566,7 +2566,7 @@ The following fields are available: ### TelClientSynthetic.ServiceMain_DevHealthMonEvent -No content is currently available. +This event is a low latency health alert that is part of the 4Nines device health monitoring feature currently available on Surface Hub devices. For a device that is opted in, this event is sent before shutdown to signal that the device is about to be powered down. @@ -3766,14 +3766,14 @@ The following fields are available: ### Microsoft.Windows.PBR.BitLockerWipeFinished -No content is currently available. +This event sends error data after the BitLocker wipe finishes if there were any issues during the wipe. The following fields are available: -- **error** No content is currently available. -- **sessionID** No content is currently available. -- **succeeded** No content is currently available. -- **timestamp** No content is currently available. +- **error** The error code if there were any issues during the BitLocker wipe. +- **sessionID** This is the session ID. +- **succeeded** Indicates the BitLocker wipe successful completed. +- **timestamp** Timestamp of the BitLocker wipe. ### Microsoft.Windows.PBR.BootState From bd69c42d7cf792a0f1c46a63f841068d4d16639f Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 6 Mar 2019 08:15:25 -0800 Subject: [PATCH 026/492] Privacy setting --- windows/configuration/TOC.md | 1 + windows/configuration/wcd/wcd-privacy.md | 30 ++++++++++++++++++++++++ windows/configuration/wcd/wcd.md | 3 ++- 3 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 windows/configuration/wcd/wcd-privacy.md diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md index 6be8931eeb..b7102419c7 100644 --- a/windows/configuration/TOC.md +++ b/windows/configuration/TOC.md @@ -102,6 +102,7 @@ #### [OtherAssets](wcd/wcd-otherassets.md) #### [Personalization](wcd/wcd-personalization.md) #### [Policies](wcd/wcd-policies.md) +#### [Privacy](wcd/wcd-privacy.md) #### [ProvisioningCommands](wcd/wcd-provisioningcommands.md) #### [RcsPresence](wcd/wcd-rcspresence.md) #### [SharedPC](wcd/wcd-sharedpc.md) diff --git a/windows/configuration/wcd/wcd-privacy.md b/windows/configuration/wcd/wcd-privacy.md new file mode 100644 index 0000000000..1451f639d8 --- /dev/null +++ b/windows/configuration/wcd/wcd-privacy.md @@ -0,0 +1,30 @@ +--- +title: Privacy (Windows 10) +description: This section describes the Privacy settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.topic: article +ms.date: 09/06/2017 +--- + +# Privacy (Windows Configuration Designer reference) + +Use **Privacy** to configure settings for app activation with voice. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | X | X | X | | X | + +## LetAppsActivateWithVoice + +Select between **User is in control**, **Force allow**, or **Force deny**. + +## LetAppsActivateWithVoiceAboveLock + +Select between **User is in control**, **Force allow**, or **Force deny**. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md index c3a9c02907..5f712fd6a9 100644 --- a/windows/configuration/wcd/wcd.md +++ b/windows/configuration/wcd/wcd.md @@ -62,8 +62,9 @@ This section describes the settings that you can configure in [provisioning pack | [OtherAssets](wcd-otherassets.md) | | X | | | | | [Personalization](wcd-personalization.md) | X | | | | | | [Policies](wcd-policies.md) | X | X | X | X | X | +| [Privacy](wcd-folders.md) |X | X | X | | X | | [ProvisioningCommands](wcd-provisioningcommands.md) | X | | | | | -[RcsPresence](wcd-rcspresence.md) | | X | | | | +| [RcsPresence](wcd-rcspresence.md) | | X | | | | | [SharedPC](wcd-sharedpc.md) | X | | | | | | [Shell](wcd-shell.md) | | X | | | | | [SMISettings](wcd-smisettings.md) | X | | | | | From c46365464072c7c0be4181132f85d8a14ff78271 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 6 Mar 2019 08:17:45 -0800 Subject: [PATCH 027/492] Privacy added to changed settings --- windows/configuration/wcd/wcd-changes.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/windows/configuration/wcd/wcd-changes.md b/windows/configuration/wcd/wcd-changes.md index b51c2ab60e..7b0376fa7e 100644 --- a/windows/configuration/wcd/wcd-changes.md +++ b/windows/configuration/wcd/wcd-changes.md @@ -13,7 +13,13 @@ ms.date: 10/02/2018 # Changes to settings in Windows Configuration Designer -Settings added in Windows 10, version 1809 +## Settings added in Windows 10, version ? + +- [Privacy](wcd-privacy.md) + +## Settings removed in Windows 10, version ? + +## Settings added in Windows 10, version 1809 - [Browser > AllowPrelaunch](wcd-browser.md#allowprelaunch) @@ -74,7 +80,7 @@ Settings added in Windows 10, version 1809 - [WindowsHelloForBusiness](wcd-windowshelloforbusiness.md) -Settings removed in Windows 10, version 1809 +## Settings removed in Windows 10, version 1809 - [CellCore](wcd-cellcore.md) - [Policies > Browser:](wcd-policies.md#browser) From d2a0ddf817893187444845abcc26d145c355b35a Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 6 Mar 2019 08:55:45 -0800 Subject: [PATCH 028/492] new build --- ...ndows-diagnostic-events-and-fields-1703.md | 2 +- ...ndows-diagnostic-events-and-fields-1709.md | 2 +- ...ndows-diagnostic-events-and-fields-1803.md | 2 +- ...ndows-diagnostic-events-and-fields-1809.md | 89 ++++++------------- 4 files changed, 32 insertions(+), 63 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 5dfc2fcfac..326d9590b2 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/04/2019 +ms.date: 03/05/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index d516d29754..2e4fd66068 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/04/2019 +ms.date: 03/05/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 6c84d0381d..055c370bdd 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/04/2019 +ms.date: 03/05/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index d9c00fdff9..f2bfe87d9d 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/04/2019 +ms.date: 03/05/2019 --- @@ -311,7 +311,7 @@ The following fields are available: - **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. - **DatasourceApplicationFile_RS2** An ID for the system, calculated by hashing hardware identifiers. - **DatasourceApplicationFile_RS3** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS3Setup** No content is currently available. +- **DatasourceApplicationFile_RS3Setup** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_RS4** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device. @@ -350,7 +350,7 @@ The following fields are available: - **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoBlock_RS2** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_RS3** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS3Setup** No content is currently available. +- **DataSourceMatchingInfoBlock_RS3Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. @@ -363,7 +363,7 @@ The following fields are available: - **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_RS3** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS3Setup** No content is currently available. +- **DataSourceMatchingInfoPassive_RS3Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. @@ -376,7 +376,7 @@ The following fields are available: - **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. - **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS3Setup** No content is currently available. +- **DataSourceMatchingInfoPostUpgrade_RS3Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. @@ -402,7 +402,7 @@ The following fields are available: - **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS3** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS3Setup** No content is currently available. +- **DecisionApplicationFile_RS3Setup** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device. @@ -441,7 +441,7 @@ The following fields are available: - **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. - **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. - **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1709 present on this device. -- **DecisionMatchingInfoBlock_RS3Setup** No content is currently available. +- **DecisionMatchingInfoBlock_RS3Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_RS4** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1803 present on this device. - **DecisionMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. @@ -454,7 +454,7 @@ The following fields are available: - **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. - **DecisionMatchingInfoPassive_RS2** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 on this device. - **DecisionMatchingInfoPassive_RS3** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1803 on this device. -- **DecisionMatchingInfoPassive_RS3Setup** No content is currently available. +- **DecisionMatchingInfoPassive_RS3Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. @@ -467,7 +467,7 @@ The following fields are available: - **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. - **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. - **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. -- **DecisionMatchingInfoPostUpgrade_RS3Setup** No content is currently available. +- **DecisionMatchingInfoPostUpgrade_RS3Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. @@ -480,7 +480,7 @@ The following fields are available: - **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. - **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device. - **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting Windows 10 version 1709 present on this device. -- **DecisionMediaCenter_RS3Setup** No content is currently available. +- **DecisionMediaCenter_RS3Setup** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_RS4** The total DecisionMediaCenter objects targeting Windows 10 version 1803 present on this device. - **DecisionMediaCenter_RS4Setup** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device. @@ -516,8 +516,6 @@ The following fields are available: - **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. - **PCFP** The count of the number of this particular object type present on this device. - **SystemMemory** The count of the number of this particular object type present on this device. -- **SystemProcesqorP2efetchW** No content is currently available. -- **SystemProcessorCompapeExchange** No content is currently available. - **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. - **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. - **SystemProcessorNx** The total number of objects of this type present on this device. @@ -527,14 +525,13 @@ The following fields are available: - **SystemWim** The total number of objects of this type present on this device. - **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. - **SystemWlan** The total number of objects of this type present on this device. -- **SystemWlAn** No content is currently available. - **Wmdrm_19ASetup** The count of the number of this particular object type present on this device. - **Wmdrm_19H1** The count of the number of this particular object type present on this device. - **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. - **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. - **Wmdrm_RS2** An ID for the system, calculated by hashing hardware identifiers. - **Wmdrm_RS3** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS3Setup** No content is currently available. +- **Wmdrm_RS3Setup** The count of the number of this particular object type present on this device. - **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. - **Wmdrm_RS4Setup** The count of the number of this particular object type present on this device. - **Wmdrm_RS5** The count of the number of this particular object type present on this device. @@ -1366,7 +1363,6 @@ The following fields are available: - **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes). - **ram** The amount of memory on the device. - **ramKB** The amount of memory (in KB). -- **virt5al** No content is currently available. - **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes). - **virtualKB** The amount of virtual memory (in KB). @@ -1404,7 +1400,6 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. - **Blocking** Is the upgrade blocked due to the processor? - **CompareExchange128Support** Does the CPU support CompareExchange128? -- **CompareExchange128Swpport** No content is currently available. ### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove @@ -1747,7 +1742,6 @@ The following fields are available: - **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability. - **Time** The client time of the event. - **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging. -- **VicboseMode** No content is currently available. - **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated. @@ -1802,10 +1796,8 @@ The following fields are available: - **AppraiserEnterpriseErrorCode** The error code of the last Appraiser enterprise run. - **AppraiserErrorCode** The error code of the last Appraiser run. -- **AppraiserRunEndT.ApStamp** No content is currently available. - **AppraiserRunEndTimeStamp** The end time of the last Appraiser run. - **AppraiserRunIsInProgressOrCrashed** Flag that indicates if the Appraiser run is in progress or has crashed. -- **AppraiserRunStartT.ApStamp** No content is currently available. - **AppraiserRunStartTimeStamp** The start time of the last Appraiser run. - **AppraiserTaskEnabled** Whether the Appraiser task is enabled. - **AppraiserTaskExitCode** The Appraiser task exist code. @@ -1845,9 +1837,7 @@ The following fields are available: - **AADDeviceId** Azure Active Directory device ID. - **AzureOSIDPresent** Represents the field used to identify an Azure machine. -- **AZureOSIDPresent** No content is currently available. - **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs. -- **AZureVMType** No content is currently available. - **CDJType** Represents the type of cloud domain joined for the machine. - **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers. - **ContainerType** The type of container, such as process or virtual machine hosted. @@ -1856,7 +1846,6 @@ The following fields are available: - **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false - **IsDERequirementMet** Represents if the device can do device encryption. - **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption -- **IsDeviceRrotected** No content is currently available. - **IsDomainJoined** Indicates whether a machine is joined to a domain. - **IsEDPEnabled** Represents if Enterprise data protected on the device. - **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. @@ -1928,7 +1917,6 @@ The following fields are available: - **SoCName** The firmware manufacturer of the device. - **StudyID** Used to identify retail and non-retail device. - **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced. -- **TelemetryLevelLimitEnha5Sed** No content is currently available. - **TelemetryLevelLimitEnhanced** The telemetry level for Windows Analytics-based solutions. - **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user. - **TPMManufacturerId** The ID of the TPM manufacturer. @@ -1982,7 +1970,6 @@ The following fields are available: - **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy. - **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time - **GenuineState** Retrieves the ID Value specifying the OS Genuine check. -- **GenuineStateanchNIsPortableOperatingSystem** No content is currently available. - **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update). - **InstallLanguage** The first language installed on the user machine. - **IsDeviceRetailDemo** Retrieves if the device is running in demo mode. @@ -2008,7 +1995,6 @@ The following fields are available: - **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. - **ServiceProductKeyID** Retrieves the License key of the KMS - **SharedPCMode** Returns Boolean for education devices used as shared cart -- **Signalure** No content is currently available. - **Signature** Retrieves if it is a signature machine sold by Microsoft store. - **SLICStatus** Whether a SLIC table exists on the device. - **SLICVersion** Returns OS type/version from SLIC table. @@ -2024,7 +2010,6 @@ The following fields are available: - **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. - **ActivityHistoryCollection** Current state of the activity history collection setting. - **AdvertisingId** Current state of the advertising ID setting. -- **AdvertisiNgId** No content is currently available. - **AppDiagnostics** Current state of the app diagnostics setting. - **Appointments** Current state of the calendar setting. - **Bluetooth** Current state of the Bluetooth capability setting. @@ -2038,7 +2023,6 @@ The following fields are available: - **FindMyDevice** Current state of the "find my device" setting. - **GazeInput** Current state of the gaze input setting. - **HumanInterfaceDevice** Current state of the human interface device setting. -- **InkTypeImpro_ement** No content is currently available. - **InkTypeImprovement** Current state of the improve inking and typing setting. - **Location** Current state of the location setting. - **LocationHistory** Current state of the location history setting. @@ -2109,7 +2093,6 @@ This event is used to gather basic speech settings on the device. The following fields are available: -- **Abo_eLockEnabled** No content is currently available. - **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked. - **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities. - **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user. @@ -2154,7 +2137,6 @@ This event sends data about the logical/physical display size, resolution and nu The following fields are available: -- **InternalPrimaryDis0layResolutionHorizontal** No content is currently available. - **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display. - **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display. - **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display. @@ -2189,14 +2171,12 @@ This event provides information about the current users privacy settings and whe The following fields are available: -- **ActitityHistoryCollection** No content is currently available. - **Activity** Current state of the activity history setting. - **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. - **ActivityHistoryCollection** Current state of the activity history collection setting. - **AdvertisingId** Current state of the advertising ID setting. - **AppDiagnostics** Current state of the app diagnostics setting. - **Appointments** Current state of the calendar setting. -- **Bluatooth** No content is currently available. - **Bluetooth** Current state of the Bluetooth capability setting. - **BluetoothSync** Current state of the Bluetooth sync capability setting. - **BroadFileSystemAccess** Current state of the broad file system access setting. @@ -2221,7 +2201,6 @@ The following fields are available: - **SensorsCustom** Current state of the custom sensor setting. - **SerialCommunication** Current state of the serial communication setting. - **Sms** Current state of the text messaging setting. -- **SpeechPersonaliza|ion** No content is currently available. - **SpeechPersonalization** Current state of the speech services setting. - **USB** Current state of the USB setting. - **UserAccountInformation** Current state of the account information setting. @@ -2257,7 +2236,6 @@ The following fields are available: - **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled). - **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured - **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting -- **DelayeferUpg** No content is currently available. - **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades. - **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it? - **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update? @@ -2278,7 +2256,6 @@ The following fields are available: - **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. - **WUPauseState** Retrieves WU setting to determine if updates are paused. - **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). -- **WWPauseState** No content is currently available. ### Census.Xbox @@ -2469,10 +2446,8 @@ Describes the installation state for all hardware and software components availa The following fields are available: - **action** The change that was invoked on a device inventory object. -- **invent** No content is currently available. - **inventoryId** Device ID used for Compatibility testing - **objectInstanceId** Object identity which is unique within the device scope. -- **objectInstanceId** No content is currently available. - **objectType** Indicates the object type that the event applies to. - **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. @@ -2697,28 +2672,16 @@ Fired by UTC at startup to signal what data we are allowed to collect. The following fields are available: -- **Can&erformDiagnosticEscalations** No content is currently available. -- **Can@erformDiagnosticEscalations** No content is currently available. - **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. - **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. - **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. -- **CanCollectCoreTelemetzy** No content is currently available. - **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. -- **CanColleCtHeartbeats** No content is currently available. -- **CanCollectNsTelemetry** No content is currently available. - **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. - **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. -- **CanPerformDiagngsticEscalations** No content is currently available. - **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. - **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. -- **CanPerforoDiagnosticEscalations** No content is currently available. -- **CanRepor5Acenarios** No content is currently available. -- **CanReportscenarios** No content is currently available. - **CanReportScenarios** True if we can report scenario completions, false otherwise. -- **Previous&ermissions** No content is currently available. -- **PreviousPermissaons** No content is currently available. - **PreviousPermissions** Bitmask of previous telemetry state. -- **TransitionfromEverythingOff** No content is currently available. - **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. @@ -2730,9 +2693,7 @@ The following fields are available: - **CensusExitCode** Returns last execution codes from census client run. - **CensusStartTime** Returns timestamp corresponding to last successful census run. -- **CensusTas{Enasled** No content is currently available. - **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. -- **CwnsusStartTime** No content is currently available. - **LastConnectivityLossTime** Retrieves the last time the device lost free network. - **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. - **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. @@ -2745,26 +2706,17 @@ This event sends data about the health and quality of the diagnostic data from t The following fields are available: -- **@venStomeRe­etSizeSum** No content is currently available. -- **597pressedBytesUploaded** No content is currently available. -- **5ensusExitCode** No content is currently available. -- **5ensusStartTime** No content is currently available. -- **5ensusTaskEnabled** No content is currently available. - **AgentConnectaonErrorsCount** No content is currently available. - **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel. - **AudioInMS** No content is currently available. - **AudioOutMS** No content is currently available. - **BackgroundMouseSec** No content is currently available. -- **CensdsExitCode** No content is currently available. -- **CensdsStartTime** No content is currently available. -- **CensdsTaskEnabled** No content is currently available. - **CensusExitCode** The last exit code of the Census task. - **CensusStartTime** Time of last Census run. - **CensusTaskEnabled** True if Census is enabled, false otherwise. - **Com`ressedBytesUploaded** No content is currently available. - **CompressedBytesUploaded** Number of compressed bytes uploaded. - **CompressedBytesUtyPropagatedSec** No content is currently available. -- **ConsdmerDroppedCount** No content is currently available. - **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. - **CriticalDataDbDro`pedCount** No content is currently available. - **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. @@ -2783,12 +2735,16 @@ The following fields are available: - **DbDroppedFailureCountAgentC** No content is currently available. - **DbDroppedFullCount** Number of events dropped due to DB fullness. - **DecodingDroppedCount** Number of events dropped due to decoding failures. +- **eettingsHttpAttempts** No content is currently available. +- **eettingsHttpFailures** No content is currently available. - **EnteringCriticalOverfl** No content is currently available. - **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. - **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. +- **EtwDroppedBuffinCount** No content is currently available. - **EtwDroppedCoent** No content is currently available. - **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. - **EventSequence** No content is currently available. +- **EventsPersistedCkunt** No content is currently available. - **EventsPersistedCount** Number of events that reached the PersistEvent stage. - **EventsPtesistedCount** No content is currently available. - **EventStoreLifetimeResetCo}nter** No content is currently available. @@ -2807,6 +2763,7 @@ The following fields are available: - **FellTriggerBufferDroppedCount** No content is currently available. - **Flags** Flags indicating device state such as network state, battery state, and opt-in state. - **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. +- **FullTriggerBuffinDroppedCount** No content is currently available. - **FullTrihgerBufferDroppedCount** No content is currently available. - **HeartBeatSequenceNumber** The sequence number of this heartbeat. - **Inv,:3tyttpCodeCount** No content is currently available. @@ -2819,6 +2776,7 @@ The following fields are available: - **LastEventSingOffender** No content is currently available. - **LastEventsizeOffender** No content is currently available. - **LastEventSizeOffender** Event name of last event which exceeded max event size. +- **LastEventSizeOffinder** No content is currently available. - **LastInv,:3tyttpCode** No content is currently available. - **LastInvali$HttpCode** No content is currently available. - **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. @@ -2865,7 +2823,7 @@ The following fields are available: - **VortexHttpResmonseFailures** No content is currently available. - **VortexHttpResmonsesWithDroppedEvents** No content is currently available. - **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. -- **VortexHttpResponsesWitfDroppedEvents** No content is currently available. +- **VortexHttpResponsesWihDroppedEvents** No content is currently available. - **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. - **VortexHttpResponsesWitherDroppEvents** No content is currently available. - **VortexHvtpAttempts** No content is currently available. @@ -3517,22 +3475,28 @@ The following fields are available: - **DrivgrRank** No content is currently available. - **DX10EMDFilePath** No content is currently available. - **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store. +- **DX10UMDFileTath** No content is currently available. - **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store. +- **DX11UMDFileTath** No content is currently available. - **DX11UMDFmlePath** No content is currently available. - **Dx11UMDVilePath** No content is currently available. - **DX12UMDFilePaph** No content is currently available. - **Dx12UMDFilePath** No content is currently available. - **DX12UMDfilePath** No content is currently available. - **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store. +- **DX12UMDFileTath** No content is currently available. - **DX15UMDFilePath** No content is currently available. - **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store. +- **DX9UMDFileTath** No content is currently available. - **DX9UMDFmlePath** No content is currently available. +- **GP]DeviceID** No content is currently available. - **GPEDeviceID** No content is currently available. - **GPUDeviceID** The GPU device ID. - **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. - **GPURevisionID** The GPU revision ID. - **GPURevmsionID** No content is currently available. - **GPUVendorID** The GPU vendor ID. +- **I3LDA** No content is currently available. - **I3SoftwAreDåvice** No content is currently available. - **InterfacaId** No content is currently available. - **InterfaceId** The GPU interface ID. @@ -3563,6 +3527,7 @@ The following fields are available: - **IsRenderDevice** Does the GPU have rendering capabilities? - **IsSoftwareDevice** Is this a software implementation of the GPU? - **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store. +- **KMDFileTath** No content is currently available. - **KMDFmlePath** No content is currently available. - **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? - **MeasuruEnab|ed** No content is currently available. @@ -4077,6 +4042,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: +- **basedata** No content is currently available. See [basedata](#basedata). - **BusReportedDescription** The description of the device reported by the bux. - **BusReportelDescription** No content is currently available. - **Class** The device setup class of the driver loaded for the device. @@ -4085,6 +4051,7 @@ The following fields are available: - **ContainerId** The system-supplied unique identifier that specifies which group(s) the device(s) installed on the parent (main) device belong to. - **Description** The description of the device. - **DeviceInterfaceClasses** The device interfaces that this device implements. +- **DeviceSta|e** No content is currently available. - **DeviceState** Identifies the current state of the parent (main) device. - **Driver^erDate** No content is currently available. - **DriverId** The unique identifier for the installed driver. @@ -5172,6 +5139,7 @@ The following fields are available: - **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. - **ProcessNcme** No content is currently available. - **ProcessRame** No content is currently available. +- **QualityUpdateDefe2ral** No content is currently available. - **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days). - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. - **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days). @@ -5184,6 +5152,7 @@ The following fields are available: - **ScanEnqueueTime** The number of seconds it took to initialize a scan - **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). - **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). +- **ServiceGuld** No content is currently available. - **ServiceUrl** The environment URL a device is configured to scan with - **ShippingMobileOperator** The mobile operator that a device shipped on. - **SsatusCode** No content is currently available. From fa7b429c080d0a15bb6af21ba32d81e4e4c50261 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 6 Mar 2019 08:55:50 -0800 Subject: [PATCH 029/492] new build --- ...ndows-diagnostic-events-and-fields-1903.md | 94 +++++++++++++++++-- 1 file changed, 87 insertions(+), 7 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 2c69ccb1c3..acf6f3f503 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/04/2019 +ms.date: 03/05/2019 --- @@ -2301,6 +2301,76 @@ The following fields are available: ## Diagnostic data events +### TelClientSynthetic.AbnormalShutdown_0 + +This event sends data about boot IDs for which a normal clean shutdown was not observed, to help keep Windows up to date. + +The following fields are available: + +- **AbnormalShutdownBootId** BootId of the abnormal shutdown being reported by this event. +- **AcDcStateAtLastShutdown** Identifies if the device was on battery or plugged in. +- **BatteryLevelAtLastShutdown** The last recorded battery level. +- **BatteryPercentageAtLastShutdown** The battery percentage at the last shutdown. +- **CrashDumpEnabled** Are crash dumps enabled? +- **CumulativeCrashCount** Cumulative count of operating system crashes since the BootId reset. +- **CurrentBootId** BootId at the time the abnormal shutdown event was being reported. +- **Firmwaredata->ResetReasonEmbeddedController** The reset reason that was supplied by the firmware. +- **Firmwaredata->ResetReasonEmbeddedControllerAdditional** Additional data related to reset reason provided by the firmware. +- **Firmwaredata->ResetReasonPch** The reset reason that was supplied by the hardware. +- **Firmwaredata->ResetReasonPchAdditional** Additional data related to the reset reason supplied by the hardware. +- **Firmwaredata->ResetReasonSupplied** Indicates whether the firmware supplied any reset reason or not. +- **FirmwareType** ID of the FirmwareType as enumerated in DimFirmwareType. +- **HardwareWatchdogTimerGeneratedLastReset** Indicates whether the hardware watchdog timer caused the last reset. +- **HardwareWatchdogTimerPresent** Indicates whether hardware watchdog timer was present or not. +- **LastBugCheckBootId** bootId of the last captured crash. +- **LastBugCheckCode** Code that indicates the type of error. +- **LastBugCheckContextFlags** Additional crash dump settings. +- **LastBugCheckOriginalDumpType** The type of crash dump the system intended to save. +- **LastBugCheckOtherSettings** Other crash dump settings. +- **LastBugCheckParameter1** The first parameter with additional info on the type of the error. +- **LastBugCheckProgress** Progress towards writing out the last crash dump. +- **LastBugCheckVersion** The version of the information struct written during the crash. +- **LastSuccessfullyShutdownBootId** BootId of the last fully successful shutdown. +- **LongPowerButtonPressDetected** Identifies if the user was pressing and holding power button. +- **OOBEInProgress** Identifies if OOBE is running. +- **OSSetupInProgress** Identifies if the operating system setup is running. +- **PowerButtonCumulativePressCount** How many times has the power button been pressed? +- **PowerButtonCumulativeReleaseCount** How many times has the power button been released? +- **PowerButtonErrorCount** Indicates the number of times there was an error attempting to record power button metrics. +- **PowerButtonLastPressBootId** BootId of the last time the power button was pressed. +- **PowerButtonLastPressTime** Date and time of the last time the power button was pressed. +- **PowerButtonLastReleaseBootId** BootId of the last time the power button was released. +- **PowerButtonLastReleaseTime** Date and time of the last time the power button was released. +- **PowerButtonPressCurrentCsPhase** Represents the phase of Connected Standby exit when the power button was pressed. +- **PowerButtonPressIsShutdownInProgress** Indicates whether a system shutdown was in progress at the last time the power button was pressed. +- **PowerButtonPressLastPowerWatchdogStage** Progress while the monitor is being turned on. +- **PowerButtonPressPowerWatchdogArmed** Indicates whether or not the watchdog for the monitor was active at the time of the last power button press. +- **RegKeyLastShutdownBootId** No content is currently available. +- **ShutdownDeviceType** Identifies who triggered a shutdown. Is it because of battery, thermal zones, or through a Kernel API. +- **SleepCheckpoint** Provides the last checkpoint when there is a failure during a sleep transition. +- **SleepCheckpointSource** Indicates whether the source is the EFI variable or bootstat file. +- **SleepCheckpointStatus** Indicates whether the checkpoint information is valid. +- **StaleBootStatData** Identifies if the data from bootstat is stale. +- **TransitionInfoBootId** BootId of the captured transition info. +- **TransitionInfoCSCount** l number of times the system transitioned from Connected Standby mode. +- **TransitionInfoCSEntryReason** Indicates the reason the device last entered Connected Standby mode. +- **TransitionInfoCSExitReason** Indicates the reason the device last exited Connected Standby mode. +- **TransitionInfoCSInProgress** At the time the last marker was saved, the system was in or entering Connected Standby mode. +- **TransitionInfoLastReferenceTimeChecksum** The checksum of TransitionInfoLastReferenceTimestamp, +- **TransitionInfoLastReferenceTimestamp** The date and time that the marker was last saved. +- **TransitionInfoLidState** Describes the state of the laptop lid. +- **TransitionInfoPowerButtonTimestamp** The date and time of the last time the power button was pressed. +- **TransitionInfoSleepInProgress** At the time the last marker was saved, the system was in or entering sleep mode. +- **TransitionInfoSleepTranstionsToOn** Total number of times the device transitioned from sleep mode. +- **TransitionInfoSystemRunning** At the time the last marker was saved, the device was running. +- **TransitionInfoSystemShutdownInProgress** Indicates whether a device shutdown was in progress when the power button was pressed. +- **TransitionInfoUserShutdownInProgress** Indicates whether a user shutdown was in progress when the power button was pressed. +- **TransitionLatestCheckpointId** Represents a unique identifier for a checkpoint during the device state transition. +- **TransitionLatestCheckpointSeqNumber** Represents the chronological sequence number of the checkpoint. +- **TransitionLatestCheckpointType** Represents the type of the checkpoint, which can be the start of a phase, end of a phase, or just informational. +- **VirtualMachineId** If the operating system is on a virtual Machine, it gives the virtual Machine ID (GUID) that can be used to correlate events on the host. + + ### TelClientSynthetic.AuthorizationInfo_RuntimeTransition This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. @@ -3773,7 +3843,7 @@ The following fields are available: - **error** The error code if there were any issues during the BitLocker wipe. - **sessionID** This is the session ID. - **succeeded** Indicates the BitLocker wipe successful completed. -- **timestamp** Timestamp of the BitLocker wipe. +- **timestamp** Time the event occurred. ### Microsoft.Windows.PBR.BootState @@ -3789,7 +3859,7 @@ The following fields are available: ### Microsoft.Windows.PBR.ClearTPMStarted -No content is currently available. +This event sends basic data about the recovery operation on the device to allow investigation. The following fields are available: @@ -3808,6 +3878,16 @@ The following fields are available: - **timestamp** No content is currently available. +### Microsoft.Windows.PBR.Completed + +No content is currently available. + +The following fields are available: + +- **sessionID** No content is currently available. +- **timestamp** No content is currently available. + + ### Microsoft.Windows.PBR.DataVolumeCount No content is currently available. @@ -3836,9 +3916,9 @@ No content is currently available. The following fields are available: -- **apiName** No content is currently available. -- **sessionID** No content is currently available. -- **timestamp** No content is currently available. +- **apiName** Name of the API command that is about to execute. +- **sessionID** The session ID. +- **timestamp** Time the event occurred. ### Microsoft.Windows.PBR.EnteredOOBE @@ -4586,7 +4666,7 @@ The following fields are available: ### Microsoft.Windows.Security.WSC.DatastoreMigratedVersion -No content is currently available. +This event provides information about the datastore migration and whether it was successful. The following fields are available: From 85d69bae6492fd0cb0442675c074447e30857076 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 6 Mar 2019 09:24:40 -0800 Subject: [PATCH 030/492] DeviceUpdatecenter --- windows/configuration/TOC.md | 1 + windows/configuration/wcd/wcd-changes.md | 1 + .../wcd/wcd-deviceupdatecenter.md | 36 +++++++++++++++++++ windows/configuration/wcd/wcd.md | 1 + 4 files changed, 39 insertions(+) create mode 100644 windows/configuration/wcd/wcd-deviceupdatecenter.md diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md index b7102419c7..6d017d3a92 100644 --- a/windows/configuration/TOC.md +++ b/windows/configuration/TOC.md @@ -79,6 +79,7 @@ #### [DeviceFormFactor](wcd/wcd-deviceformfactor.md) #### [DeviceInfo](wcd/wcd-deviceinfo.md) #### [DeviceManagement](wcd/wcd-devicemanagement.md) +#### [DeviceUpdateCenter](wcd/wcd-deviceupdatecenter.md) #### [DMClient](wcd/wcd-dmclient.md) #### [EditionUpgrade](wcd/wcd-editionupgrade.md) #### [EmbeddedLockdownProfiles](wcd/wcd-embeddedlockdownprofiles.md) diff --git a/windows/configuration/wcd/wcd-changes.md b/windows/configuration/wcd/wcd-changes.md index 7b0376fa7e..47da52ab8b 100644 --- a/windows/configuration/wcd/wcd-changes.md +++ b/windows/configuration/wcd/wcd-changes.md @@ -15,6 +15,7 @@ ms.date: 10/02/2018 ## Settings added in Windows 10, version ? +- [DeviceUpdateCenter](wcd-deviceupdatecenter.md) - [Privacy](wcd-privacy.md) ## Settings removed in Windows 10, version ? diff --git a/windows/configuration/wcd/wcd-deviceupdatecenter.md b/windows/configuration/wcd/wcd-deviceupdatecenter.md new file mode 100644 index 0000000000..66331ab161 --- /dev/null +++ b/windows/configuration/wcd/wcd-deviceupdatecenter.md @@ -0,0 +1,36 @@ +--- +title: DeviceUpdateCenter (Windows 10) +description: This section describes the DeviceUpdateCenter settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.topic: article +ms.date: 09/06/2017 +--- + +# DeviceUpdateCenter (Windows Configuration Designer reference) + +Use **DeviceUpdateCenter** to configure settings for + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | X | | | | | + +## CustomPackageId + + + +## DeviceModelId + + + +## OemPartnerRing + + + +## PublisherId \ No newline at end of file diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md index 5f712fd6a9..5b762d47e7 100644 --- a/windows/configuration/wcd/wcd.md +++ b/windows/configuration/wcd/wcd.md @@ -39,6 +39,7 @@ This section describes the settings that you can configure in [provisioning pack | [DeviceFormFactor](wcd-deviceformfactor.md) | X | X | X | X | | | [DeviceInfo](wcd-deviceinfo.md) | | X | | | | | [DeviceManagement](wcd-devicemanagement.md) | X | X | X | X | | +| [DeviceUpdateCenter](wcd-deviceupdatecenter.md) | X | | | | | | [DMClient](wcd-dmclient.md) | X | X | X | X | X | | [EditionUpgrade](wcd-editionupgrade.md) | X | X | X | X | | | [EmbeddedLockdownProfiles](wcd-embeddedlockdownprofiles.md) | | X | | | | From ae257a5d27c0b48bcf15104db839b98c4ed8cdde Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 6 Mar 2019 11:01:54 -0800 Subject: [PATCH 031/492] finish DeviceUpdateCenter --- .../configuration/wcd/wcd-deviceupdatecenter.md | 15 +-------------- 1 file changed, 1 insertion(+), 14 deletions(-) diff --git a/windows/configuration/wcd/wcd-deviceupdatecenter.md b/windows/configuration/wcd/wcd-deviceupdatecenter.md index 66331ab161..7417a12104 100644 --- a/windows/configuration/wcd/wcd-deviceupdatecenter.md +++ b/windows/configuration/wcd/wcd-deviceupdatecenter.md @@ -13,7 +13,7 @@ ms.date: 09/06/2017 # DeviceUpdateCenter (Windows Configuration Designer reference) -Use **DeviceUpdateCenter** to configure settings for +Do not use **DeviceUpdateCenter** settings at this time. ## Applies to @@ -21,16 +21,3 @@ Use **DeviceUpdateCenter** to configure settings for | --- | :---: | :---: | :---: | :---: | :---: | | All settings | X | | | | | -## CustomPackageId - - - -## DeviceModelId - - - -## OemPartnerRing - - - -## PublisherId \ No newline at end of file From 6fe75560490053a09545ccb973aaf58ee36969a5 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Fri, 8 Mar 2019 22:23:59 +0000 Subject: [PATCH 032/492] Draft --- ...ecurity-settings-with-tamper-protection.md | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md new file mode 100644 index 0000000000..4a79a4cae8 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -0,0 +1,39 @@ + + + + +Prevent security settings changes with Tamper Protection + +Tamper Protection helps prevent malicious apps from changing important security settings. These settings include: + +• Real-time protection +• Cloud-delivered protection +• IOfficeAntivirus (IOAV) +• Behavior monitoring +• Scheduled scans +• Policy override settings + +With Tamper Protection set to On, you can still change these settings in the Windows Security app. The following apps and methods can't change these settings: + +• Mobile device management (MDM) apps like Intune +• Enterprise configuration management apps like System Center Configuration Manager (SCCM) +• Command line instruction MpCmdRun.exe -removedefinitions -dynamicsignatures +• Windows System Image Manager (Windows SIM) settings DisableAntiSpyware ad DisableAntiMalware (used in Windows unattended setup) +• Group Policy +• Other Windows Management Instrumentation (WMI) apps + +The Tamper Protection setting doesn't affect how third party antivirus apps register with the Windows Security app. + +On computers running Windows 10 Enterprise E5, users can't change the Tamper Protection setting. + +Tamper Protection is On by default. If you set Tamper Protection to Off, you will see a yellow warning in the Windows Security app under Virus & threat protection. + +Configure Tamper Protection + +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for Defender. +2. Select Virus & threat protection, then select Virus & threat protection settings. +3. Set Tamper Protection to On or Off. + +Note +If your computer is running Windows 10 Enterprise E5, you can't change the Tamper Protection setting. + From a82e95f29fd3f6c571db912a82298c77061f3d98 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Fri, 8 Mar 2019 22:36:13 +0000 Subject: [PATCH 033/492] Formatting --- ...ecurity-settings-with-tamper-protection.md | 65 ++++++++++++------- 1 file changed, 40 insertions(+), 25 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 4a79a4cae8..66d5e0fe86 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -1,39 +1,54 @@ +--- +title: Prevent security settings changes with Tamper Protection +description: Use tamper protection to prevent malicious apps from changing important security settings. +keywords: malware, defender, antivirus, tamper protection +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: andreabichsel +ms.author: v-anbic +--- +# Prevent security settings changes with tamper protection +**Applies to:** +- Windows 10 -Prevent security settings changes with Tamper Protection +Tamper protection helps prevent malicious apps from changing important security settings. These settings include: -Tamper Protection helps prevent malicious apps from changing important security settings. These settings include: +- Real-time protection +- Cloud-delivered protection +- IOfficeAntivirus (IOAV) +- Behavior monitoring +- Scheduled scans +- Policy override settings -• Real-time protection -• Cloud-delivered protection -• IOfficeAntivirus (IOAV) -• Behavior monitoring -• Scheduled scans -• Policy override settings +With tamper protection set to **On**, you can still change these settings in the Windows Security app. The following apps and methods can't change these settings: -With Tamper Protection set to On, you can still change these settings in the Windows Security app. The following apps and methods can't change these settings: +- Mobile device management (MDM) apps like Intune +- Enterprise configuration management apps like System Center Configuration Manager (SCCM) +- Command line instruction MpCmdRun.exe -removedefinitions -dynamicsignatures +- Windows System Image Manager (Windows SIM) settings DisableAntiSpyware ad DisableAntiMalware (used in Windows unattended setup) +- Group Policy +- Other Windows Management Instrumentation (WMI) apps -• Mobile device management (MDM) apps like Intune -• Enterprise configuration management apps like System Center Configuration Manager (SCCM) -• Command line instruction MpCmdRun.exe -removedefinitions -dynamicsignatures -• Windows System Image Manager (Windows SIM) settings DisableAntiSpyware ad DisableAntiMalware (used in Windows unattended setup) -• Group Policy -• Other Windows Management Instrumentation (WMI) apps +The tamper protection setting doesn't affect how third party antivirus apps register with the Windows Security app. -The Tamper Protection setting doesn't affect how third party antivirus apps register with the Windows Security app. +On computers running Windows 10 Enterprise E5, users can't change the tamper protection setting. -On computers running Windows 10 Enterprise E5, users can't change the Tamper Protection setting. +Tamper protection is On by default. If you set tamper protection to **Off**, you will see a yellow warning in the Windows Security app under **Virus & threat protection**. -Tamper Protection is On by default. If you set Tamper Protection to Off, you will see a yellow warning in the Windows Security app under Virus & threat protection. +##Configure tamper protection -Configure Tamper Protection +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +2. Select **Virus & threat protection**, then select **Virus & threat protection settings**. +3. Set **Tamper Protection** to **On** or **Off**. -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for Defender. -2. Select Virus & threat protection, then select Virus & threat protection settings. -3. Set Tamper Protection to On or Off. - -Note -If your computer is running Windows 10 Enterprise E5, you can't change the Tamper Protection setting. +>[!NOTE] +>If your computer is running Windows 10 Enterprise E5, you can't change the tamper protection setting. From 8de2be98e03365fe164d7754f582fa992793dfe1 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Fri, 8 Mar 2019 22:37:36 +0000 Subject: [PATCH 034/492] Fixed typo --- ...event-changes-to-security-settings-with-tamper-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 66d5e0fe86..930eb2406a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -33,7 +33,7 @@ With tamper protection set to **On**, you can still change these settings in the - Mobile device management (MDM) apps like Intune - Enterprise configuration management apps like System Center Configuration Manager (SCCM) - Command line instruction MpCmdRun.exe -removedefinitions -dynamicsignatures -- Windows System Image Manager (Windows SIM) settings DisableAntiSpyware ad DisableAntiMalware (used in Windows unattended setup) +- Windows System Image Manager (Windows SIM) settings DisableAntiSpyware and DisableAntiMalware (used in Windows unattended setup) - Group Policy - Other Windows Management Instrumentation (WMI) apps From 94c2799be4a0ca332e0974ab76a946d1524271f9 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Tue, 12 Mar 2019 07:49:42 -0700 Subject: [PATCH 035/492] time --- windows/configuration/wcd/wcd-time.md | 30 +++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 windows/configuration/wcd/wcd-time.md diff --git a/windows/configuration/wcd/wcd-time.md b/windows/configuration/wcd/wcd-time.md new file mode 100644 index 0000000000..1451f639d8 --- /dev/null +++ b/windows/configuration/wcd/wcd-time.md @@ -0,0 +1,30 @@ +--- +title: Privacy (Windows 10) +description: This section describes the Privacy settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.topic: article +ms.date: 09/06/2017 +--- + +# Privacy (Windows Configuration Designer reference) + +Use **Privacy** to configure settings for app activation with voice. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | X | X | X | | X | + +## LetAppsActivateWithVoice + +Select between **User is in control**, **Force allow**, or **Force deny**. + +## LetAppsActivateWithVoiceAboveLock + +Select between **User is in control**, **Force allow**, or **Force deny**. \ No newline at end of file From a43f3bf1001164189866202907a91695ff97c092 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Tue, 12 Mar 2019 08:09:24 -0700 Subject: [PATCH 036/492] Time --- windows/configuration/TOC.md | 3 ++- windows/configuration/wcd/wcd-changes.md | 1 + windows/configuration/wcd/wcd-time.md | 17 +++++++---------- windows/configuration/wcd/wcd.md | 1 + 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md index 6d017d3a92..b0edfde74e 100644 --- a/windows/configuration/TOC.md +++ b/windows/configuration/TOC.md @@ -116,7 +116,8 @@ #### [TabletMode](wcd/wcd-tabletmode.md) #### [TakeATest](wcd/wcd-takeatest.md) #### [TextInput](wcd/wcd-textinput.md) -#### [Theme](wcd/wcd-theme.md) +#### [Theme](wcd/wcd-theme.md) +#### [Time](wcd/wcd-time.md) #### [UnifiedWriteFilter](wcd/wcd-unifiedwritefilter.md) #### [UniversalAppInstall](wcd/wcd-universalappinstall.md) #### [UniversalAppUninstall](wcd/wcd-universalappuninstall.md) diff --git a/windows/configuration/wcd/wcd-changes.md b/windows/configuration/wcd/wcd-changes.md index 47da52ab8b..f235ced4e7 100644 --- a/windows/configuration/wcd/wcd-changes.md +++ b/windows/configuration/wcd/wcd-changes.md @@ -17,6 +17,7 @@ ms.date: 10/02/2018 - [DeviceUpdateCenter](wcd-deviceupdatecenter.md) - [Privacy](wcd-privacy.md) +- [Time](wcd-time.md) ## Settings removed in Windows 10, version ? diff --git a/windows/configuration/wcd/wcd-time.md b/windows/configuration/wcd/wcd-time.md index 1451f639d8..d3d0a9c80e 100644 --- a/windows/configuration/wcd/wcd-time.md +++ b/windows/configuration/wcd/wcd-time.md @@ -1,6 +1,6 @@ --- -title: Privacy (Windows 10) -description: This section describes the Privacy settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +title: Time (Windows 10) +description: This section describes the Time settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -11,20 +11,17 @@ ms.topic: article ms.date: 09/06/2017 --- -# Privacy (Windows Configuration Designer reference) - -Use **Privacy** to configure settings for app activation with voice. +Use **Time** to configure settings for time zone setup for Windows 10, version (TBD) and later. ## Applies to | Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | :---: | -| All settings | X | X | X | | X | +| [ProvisionSetTimeZone](#provisionsettimezone) | X | | | | | -## LetAppsActivateWithVoice +## ProvisionSetTimeZone -Select between **User is in control**, **Force allow**, or **Force deny**. +Set to **True** to skip time zone assignment when the first user signs in. -## LetAppsActivateWithVoiceAboveLock +Set to **False** for time zone assignment to occur when the first user signs in. -Select between **User is in control**, **Force allow**, or **Force deny**. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md index 5b762d47e7..b19b249d08 100644 --- a/windows/configuration/wcd/wcd.md +++ b/windows/configuration/wcd/wcd.md @@ -77,6 +77,7 @@ This section describes the settings that you can configure in [provisioning pack | [TakeATest](wcd-takeatest.md) | X | | | | | | [TextInput](wcd-textinput.md) | | X | | | | | [Theme](wcd-theme.md) | | X | | | | +| [Time](wcd-time.md) | X | | | | | | [UnifiedWriteFilter](wcd-unifiedwritefilter.md) | X | | | | X | | [UniversalAppInstall](wcd-universalappinstall.md) | X | X | X | X | X | | [UniversalAppUninstall](wcd-universalappuninstall.md) | X | X | X | X | X | From 5dea266c3da874da90f967c8a0f36e5a33c3a38c Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Tue, 12 Mar 2019 08:38:18 -0700 Subject: [PATCH 037/492] fix h1 --- windows/configuration/wcd/wcd-time.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/configuration/wcd/wcd-time.md b/windows/configuration/wcd/wcd-time.md index d3d0a9c80e..52ade98614 100644 --- a/windows/configuration/wcd/wcd-time.md +++ b/windows/configuration/wcd/wcd-time.md @@ -11,6 +11,8 @@ ms.topic: article ms.date: 09/06/2017 --- +# Time + Use **Time** to configure settings for time zone setup for Windows 10, version (TBD) and later. ## Applies to From 3e645c8e1ad75e02afdbca38a58579c8d476d084 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 12 Mar 2019 08:43:04 -0700 Subject: [PATCH 038/492] new build 3012019 --- ...ndows-diagnostic-events-and-fields-1903.md | 674 ++++++++++++------ 1 file changed, 449 insertions(+), 225 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index acf6f3f503..ac9b7be4f3 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/05/2019 +ms.date: 03/12/2019 --- @@ -1744,14 +1744,18 @@ The following fields are available: - **AdvertisingId** Current state of the advertising ID setting. - **AppDiagnostics** Current state of the app diagnostics setting. - **Appointments** Current state of the calendar setting. +- **AppointmentsSystem** No content is currently available. - **Bluetooth** Current state of the Bluetooth capability setting. - **BluetoothSync** Current state of the Bluetooth sync capability setting. - **BroadFileSystemAccess** Current state of the broad file system access setting. - **CellularData** Current state of the cellular data capability setting. - **Chat** Current state of the chat setting. +- **ChatSystem** Current state of the chat setting. - **Contacts** Current state of the contacts setting. +- **ContactsSystem** No content is currently available. - **DocumentsLibrary** Current state of the documents library setting. - **Email** Current state of the email setting. +- **EmailSystem** No content is currently available. - **FindMyDevice** Current state of the "find my device" setting. - **GazeInput** Current state of the gaze input setting. - **HumanInterfaceDevice** Current state of the human interface device setting. @@ -1763,6 +1767,7 @@ The following fields are available: - **Microphone** Current state of the microphone setting. - **PhoneCall** Current state of the phone call setting. - **PhoneCallHistory** Current state of the call history setting. +- **PhoneCallHistorySystem** No content is currently available. - **PicturesLibrary** Current state of the pictures library setting. - **Radios** Current state of the radios setting. - **SensorsCustom** Current state of the custom sensor setting. @@ -1772,6 +1777,7 @@ The following fields are available: - **USB** Current state of the USB setting. - **UserAccountInformation** Current state of the account information setting. - **UserDataTasks** Current state of the tasks setting. +- **UserDataTasksSystem** No content is currently available. - **UserNotificationListener** Current state of the notifications setting. - **VideosLibrary** Current state of the videos library setting. - **Webcam** Current state of the camera setting. @@ -1909,14 +1915,18 @@ The following fields are available: - **AdvertisingId** Current state of the advertising ID setting. - **AppDiagnostics** Current state of the app diagnostics setting. - **Appointments** Current state of the calendar setting. +- **AppointmentsSystem** No content is currently available. - **Bluetooth** Current state of the Bluetooth capability setting. - **BluetoothSync** Current state of the Bluetooth sync capability setting. - **BroadFileSystemAccess** Current state of the broad file system access setting. - **CellularData** Current state of the cellular data capability setting. - **Chat** Current state of the chat setting. +- **ChatSystem** No content is currently available. - **Contacts** Current state of the contacts setting. +- **ContactsSystem** No content is currently available. - **DocumentsLibrary** Current state of the documents library setting. - **Email** Current state of the email setting. +- **EmailSystem** No content is currently available. - **GazeInput** Current state of the gaze input setting. - **HumanInterfaceDevice** Current state of the human interface device setting. - **InkTypeImprovement** Current state of the improve inking and typing setting. @@ -1928,6 +1938,7 @@ The following fields are available: - **Microphone** Current state of the microphone setting. - **PhoneCall** Current state of the phone call setting. - **PhoneCallHistory** Current state of the call history setting. +- **PhoneCallHistorySystem** No content is currently available. - **PicturesLibrary** Current state of the pictures library setting. - **Radios** Current state of the radios setting. - **SensorsCustom** Current state of the custom sensor setting. @@ -1937,6 +1948,7 @@ The following fields are available: - **USB** Current state of the USB setting. - **UserAccountInformation** Current state of the account information setting. - **UserDataTasks** Current state of the tasks setting. +- **UserDataTasksSystem** No content is currently available. - **UserNotificationListener** Current state of the notifications setting. - **VideosLibrary** Current state of the videos library setting. - **Webcam** Current state of the camera setting. @@ -2345,7 +2357,7 @@ The following fields are available: - **PowerButtonPressIsShutdownInProgress** Indicates whether a system shutdown was in progress at the last time the power button was pressed. - **PowerButtonPressLastPowerWatchdogStage** Progress while the monitor is being turned on. - **PowerButtonPressPowerWatchdogArmed** Indicates whether or not the watchdog for the monitor was active at the time of the last power button press. -- **RegKeyLastShutdownBootId** No content is currently available. +- **RegKeyLastShutdownBootId** The last recorded boot ID. - **ShutdownDeviceType** Identifies who triggered a shutdown. Is it because of battery, thermal zones, or through a Kernel API. - **SleepCheckpoint** Provides the last checkpoint when there is a failure during a sleep transition. - **SleepCheckpointSource** Indicates whether the source is the EFI variable or bootstat file. @@ -3758,6 +3770,59 @@ The following fields are available: - **UserInputTime** The amount of time the loader application spent waiting for user input. +### Microsoft.Windows.Kernel.DeviceConfig.DeviceConfig + +No content is currently available. + +The following fields are available: + +- **ClassGuid** No content is currently available. +- **DeviceInstanceId** No content is currently available. +- **DriverDate** No content is currently available. +- **DriverFlightIds** No content is currently available. +- **DriverInfName** No content is currently available. +- **DriverProvider** No content is currently available. +- **DriverSubmissionId** No content is currently available. +- **DriverVersion** No content is currently available. +- **ExtensionDrivers** No content is currently available. +- **FirstHardwareId** No content is currently available. +- **InboxDriver** No content is currently available. +- **InstallDate** No content is currently available. +- **LastCompatibleId** No content is currently available. +- **Legacy** No content is currently available. +- **NeedReboot** No content is currently available. +- **SetupMode** No content is currently available. +- **StatusCode** No content is currently available. + + +### Microsoft.Windows.Kernel.PnP.AggregateClearDevNodeProblem + +No content is currently available. + +The following fields are available: + +- **Count** No content is currently available. +- **DeviceInstanceId** No content is currently available. +- **LastProblem** No content is currently available. +- **LastProblemStatus** No content is currently available. +- **ServiceName** No content is currently available. + + +### Microsoft.Windows.Kernel.PnP.AggregateSetDevNodeProblem + +No content is currently available. + +The following fields are available: + +- **Count** No content is currently available. +- **DeviceInstanceId** No content is currently available. +- **LastProblem** No content is currently available. +- **LastProblemStatus** No content is currently available. +- **Problem** No content is currently available. +- **ProblemStatus** No content is currently available. +- **ServiceName** No content is currently available. + + ## Miracast events ### Microsoft.Windows.Cast.Miracast.MiracastSessionEnd @@ -3834,6 +3899,165 @@ The following fields are available: ## Other events +### MicArrayGeometry + +No content is currently available. + +The following fields are available: + +- **MicCoords** No content is currently available. +- **usFrequencyBandHi** No content is currently available. +- **usFrequencyBandLo** No content is currently available. +- **usMicArrayType** No content is currently available. +- **usNumberOfMicrophones** No content is currently available. +- **usVersion** No content is currently available. +- **wHorizontalAngleBegin** No content is currently available. +- **wHorizontalAngleEnd** No content is currently available. +- **wVerticalAngleBegin** No content is currently available. +- **wVerticalAngleEnd** No content is currently available. + + +### MicCoords + +No content is currently available. + +The following fields are available: + +- **usType** No content is currently available. +- **wHorizontalAngle** No content is currently available. +- **wVerticalAngle** No content is currently available. +- **wXCoord** No content is currently available. +- **wYCoord** No content is currently available. +- **wZCoord** No content is currently available. + + +### Microsoft.Windows.Audio.EndpointBuilder.DeviceInfo + +No content is currently available. + +The following fields are available: + +- **BusEnumeratorName** No content is currently available. +- **ContainerId** No content is currently available. +- **DeviceInstanceId** No content is currently available. +- **EndpointDevnodeId** No content is currently available. +- **endpointEffectClsid** No content is currently available. +- **endpointEffectModule** No content is currently available. +- **EndpointFormFactor** No content is currently available. +- **endpointID** No content is currently available. +- **endpointInstanceId** No content is currently available. +- **Flow** No content is currently available. +- **globalEffectClsid** No content is currently available. +- **globalEffectModule** No content is currently available. +- **HWID** No content is currently available. +- **IsBluetooth** No content is currently available. +- **isFarField** No content is currently available. +- **IsSideband** No content is currently available. +- **IsUSB** No content is currently available. +- **JackSubType** No content is currently available. +- **localEffectClsid** No content is currently available. +- **localEffectModule** No content is currently available. +- **MicArrayGeometry** No content is currently available. See [MicArrayGeometry](#micarraygeometry). +- **modeEffectClsid** No content is currently available. +- **modeEffectModule** No content is currently available. +- **persistentId** No content is currently available. +- **streamEffectClsid** No content is currently available. +- **streamEffectModule** No content is currently available. + + +### Microsoft.Windows.DriverInstall.DeviceInstall + +No content is currently available. + +The following fields are available: + +- **ClassGuid** No content is currently available. +- **ClassLowerFilters** No content is currently available. +- **ClassUpperFilters** No content is currently available. +- **CoInstallers** No content is currently available. +- **ConfigFlags** No content is currently available. +- **DeviceConfigured** No content is currently available. +- **DeviceInstanceId** No content is currently available. +- **DeviceStack** No content is currently available. +- **DriverDate** No content is currently available. +- **DriverDescription** No content is currently available. +- **DriverInfName** No content is currently available. +- **DriverInfSectionName** No content is currently available. +- **DriverPackageId** No content is currently available. +- **DriverProvider** No content is currently available. +- **DriverUpdated** No content is currently available. +- **DriverVersion** No content is currently available. +- **EndTime** No content is currently available. +- **Error** No content is currently available. +- **ExtensionDrivers** No content is currently available. +- **FinishInstallAction** No content is currently available. +- **FinishInstallUI** No content is currently available. +- **FirmwareDate** No content is currently available. +- **FirmwareRevision** No content is currently available. +- **FirmwareVersion** No content is currently available. +- **FirstHardwareId** No content is currently available. +- **FlightIds** No content is currently available. +- **GenericDriver** No content is currently available. +- **Inbox** No content is currently available. +- **InstallDate** No content is currently available. +- **LastCompatibleId** No content is currently available. +- **LegacyInstallReasonError** No content is currently available. +- **LowerFilters** No content is currently available. +- **MatchingDeviceId** No content is currently available. +- **NeedReboot** No content is currently available. +- **OriginalDriverInfName** No content is currently available. +- **ParentDeviceInstanceId** No content is currently available. +- **PendedUntilReboot** No content is currently available. +- **Problem** No content is currently available. +- **ProblemStatus** No content is currently available. +- **SecondaryDevice** No content is currently available. +- **ServiceName** No content is currently available. +- **SetupMode** No content is currently available. +- **StartTime** No content is currently available. +- **SubmissionId** No content is currently available. +- **UpperFilters** No content is currently available. + + +### Microsoft.Windows.DriverInstall.NewDevInstallDeviceEnd + +No content is currently available. + +The following fields are available: + +- **DeviceInstanceId** No content is currently available. +- **DriverUpdated** No content is currently available. +- **Error** No content is currently available. +- **FlightId** No content is currently available. +- **InstallDate** No content is currently available. +- **InstallFlags** No content is currently available. +- **RebootRequired** No content is currently available. +- **RollbackPossible** No content is currently available. +- **WuTargetedHardwareId** No content is currently available. +- **WuUntargetedHardwareId** No content is currently available. + + +### Microsoft.Windows.DriverInstall.NewDevInstallDeviceStart + +No content is currently available. + +The following fields are available: + +- **DeviceInstanceId** No content is currently available. +- **FirstInstallDate** No content is currently available. +- **LastDriverDate** No content is currently available. +- **LastDriverInbox** No content is currently available. +- **LastDriverInfName** No content is currently available. +- **LastDriverVersion** No content is currently available. +- **LastFirmwareDate** No content is currently available. +- **LastFirmwareRevision** No content is currently available. +- **LastFirmwareVersion** No content is currently available. +- **LastInstallDate** No content is currently available. +- **LastMatchingDeviceId** No content is currently available. +- **LastProblem** No content is currently available. +- **LastProblemStatus** No content is currently available. +- **LastSubmissionId** No content is currently available. + + ### Microsoft.Windows.PBR.BitLockerWipeFinished This event sends error data after the BitLocker wipe finishes if there were any issues during the wipe. @@ -3848,7 +4072,7 @@ The following fields are available: ### Microsoft.Windows.PBR.BootState -No content is currently available. +This event sends data on the Windows Recovery Environment (WinRE) boot, which can be used to determine whether the boot was successful. The following fields are available: @@ -3884,8 +4108,8 @@ No content is currently available. The following fields are available: -- **sessionID** No content is currently available. -- **timestamp** No content is currently available. +- **sessionID** The ID of the push-button reset session. +- **timestamp** Timestamp of this push-button reset event. ### Microsoft.Windows.PBR.DataVolumeCount @@ -3918,7 +4142,7 @@ The following fields are available: - **apiName** Name of the API command that is about to execute. - **sessionID** The session ID. -- **timestamp** Time the event occurred. +- **timestamp** Timestamp of this push-button reset event. ### Microsoft.Windows.PBR.EnteredOOBE @@ -3927,8 +4151,8 @@ No content is currently available. The following fields are available: -- **sessionID** No content is currently available. -- **timestamp** No content is currently available. +- **sessionID** The ID of this push-button reset session. +- **timestamp** Timestamp of this push-button reset event. ### Microsoft.Windows.PBR.LeaveAPI @@ -3937,10 +4161,10 @@ No content is currently available. The following fields are available: -- **apiName** No content is currently available. -- **errorCode** No content is currently available. -- **sessionID** No content is currently available. -- **success** No content is currently available. +- **apiName** Name of the API command that completed. +- **errorCode** Error code if an error occurred during the API call. +- **sessionID** The ID of this push-button reset session. +- **success** Indicates whether the API call was successful. - **timestamp** No content is currently available. @@ -3950,14 +4174,14 @@ No content is currently available. The following fields are available: -- **exitCode** No content is currently available. -- **param** No content is currently available. -- **phase** No content is currently available. -- **script** No content is currently available. -- **sessionID** No content is currently available. -- **succeeded** No content is currently available. -- **timedOut** No content is currently available. -- **timestamp** No content is currently available. +- **exitCode** The exit code from OEM extensibility scripts to push-button reset. +- **param** Parameters used for the OEM extensibility script. +- **phase** Name of the OEM extensibility script phase. +- **script** The path to the OEM extensibility script. +- **sessionID** The ID of this push-button reset session. +- **succeeded** Indicates whether the OEM extensibility script executed successfully. +- **timedOut** Indicates whether the OEM extensibility script timed out. +- **timestamp** Timestamp of this push-button reset event. ### Microsoft.Windows.PBR.OEMExtensionStarted @@ -3966,11 +4190,11 @@ No content is currently available. The following fields are available: -- **param** No content is currently available. -- **phase** No content is currently available. -- **script** No content is currently available. -- **sessionID** No content is currently available. -- **timestamp** No content is currently available. +- **param** The parameters used by the OEM extensibility script. +- **phase** The name of the OEM extensibility script phase. +- **script** The path to the OEM extensibility script. +- **sessionID** The ID of this push-button reset session. +- **timestamp** Timestamp of this push-button reset event. ### Microsoft.Windows.PBR.OperationExecuteFinished @@ -3979,13 +4203,13 @@ No content is currently available. The following fields are available: -- **error** No content is currently available. -- **index** No content is currently available. -- **operation** No content is currently available. -- **phase** No content is currently available. -- **sessionID** No content is currently available. -- **succeeded** No content is currently available. -- **timestamp** No content is currently available. +- **error** Indicates the result code of the event. +- **index** The operation index. +- **operation** The name of the operation. +- **phase** The name of the operation phase. +- **sessionID** The ID of this push-button reset session. +- **succeeded** Indicates whether the operation successfully completed. +- **timestamp** Timestamp of this push-button reset event. ### Microsoft.Windows.PBR.OperationExecuteStarted @@ -3994,12 +4218,12 @@ No content is currently available. The following fields are available: -- **index** No content is currently available. -- **operation** No content is currently available. -- **phase** No content is currently available. -- **sessionID** No content is currently available. -- **timestamp** No content is currently available. -- **weight** No content is currently available. +- **index** The index of this operation. +- **operation** The name of this operation. +- **phase** The phase of this operation. +- **sessionID** The ID of this push-button reset session. +- **timestamp** Timestamp of this push-button reset event. +- **weight** The weight of the operation used to distribute the change in percentage. ### Microsoft.Windows.PBR.OperationQueueConstructFinished @@ -4008,10 +4232,10 @@ No content is currently available. The following fields are available: -- **error** No content is currently available. -- **sessionID** No content is currently available. -- **succeeded** No content is currently available. -- **timestamp** No content is currently available. +- **error** The result code for operation queue construction. +- **sessionID** The ID of this push-button reset session. +- **succeeded** Indicates whether the operation successfully completed. +- **timestamp** Timestamp of this push-button reset event. ### Microsoft.Windows.PBR.OperationQueueConstructStarted @@ -4020,8 +4244,8 @@ No content is currently available. The following fields are available: -- **sessionID** No content is currently available. -- **timestamp** No content is currently available. +- **sessionID** The ID of this push-button reset session. +- **timestamp** Timestamp of this push-button reset event. ### Microsoft.Windows.PBR.PBRClearRollBackEntry @@ -4030,7 +4254,7 @@ No content is currently available. The following fields are available: -- **SessionID** No content is currently available. +- **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRClearTPMFailed @@ -4039,7 +4263,7 @@ No content is currently available. The following fields are available: -- **SessionID** No content is currently available. +- **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRCreateNewSystemReconstructionFailed @@ -4048,12 +4272,12 @@ No content is currently available. The following fields are available: -- **HRESULT** No content is currently available. -- **PBRType** No content is currently available. -- **SessionID** No content is currently available. -- **SPErrorCode** No content is currently available. -- **SPOperation** No content is currently available. -- **SPPhase** No content is currently available. +- **HRESULT** Indicates the result code of the event. +- **PBRType** The type of push-button reset. +- **SessionID** The ID of this push-button reset session. +- **SPErrorCode** The error code for the Setup Platform operation. +- **SPOperation** The last Setup Platform operation. +- **SPPhase** The last phase of the Setup Platform operation. ### Microsoft.Windows.PBR.PBRCreateNewSystemReconstructionSucceed @@ -4062,10 +4286,10 @@ No content is currently available. The following fields are available: -- **CBSPackageCount** No content is currently available. -- **CustomizationPackageCount** No content is currently available. -- **PBRType** No content is currently available. -- **SessionID** No content is currently available. +- **CBSPackageCount** The Component Based Servicing package count. +- **CustomizationPackageCount** The Customization package count. +- **PBRType** The type of push-button reset. +- **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRDriverInjectionFailed @@ -4074,7 +4298,7 @@ No content is currently available. The following fields are available: -- **SessionID** No content is currently available. +- **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRFailed @@ -4083,9 +4307,9 @@ No content is currently available. The following fields are available: -- **ErrorType** No content is currently available. -- **PBRType** No content is currently available. -- **SessionID** No content is currently available. +- **ErrorType** The result code for the push-button reset error. +- **PBRType** The type of push-button reset. +- **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRFinalizeNewSystemFailed @@ -4094,11 +4318,11 @@ No content is currently available. The following fields are available: -- **HRESULT** No content is currently available. -- **SessionID** No content is currently available. -- **SPErrorCode** No content is currently available. -- **SPOperation** No content is currently available. -- **SPPhase** No content is currently available. +- **HRESULT** The result error code. +- **SessionID** The ID of this push-button reset session. +- **SPErrorCode** The error code for the Setup Platform operation. +- **SPOperation** The Setup Platform operation. +- **SPPhase** The phase of the Setup Platform operation. ### Microsoft.Windows.PBR.PBRFinalizeNewSystemSucceed @@ -4107,7 +4331,7 @@ No content is currently available. The following fields are available: -- **SessionID** No content is currently available. +- **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRFinalUserSelection @@ -4116,12 +4340,12 @@ No content is currently available. The following fields are available: -- **PBREraseData** No content is currently available. -- **PBRRecoveryStrategy** No content is currently available. -- **PBRRepartitionDisk** No content is currently available. -- **PBRVariation** No content is currently available. -- **PBRWipeDataDrives** No content is currently available. -- **SessionID** No content is currently available. +- **PBREraseData** Indicates whether the option to erase data is selected. +- **PBRRecoveryStrategy** The recovery strategy for the push-button reset operation. +- **PBRRepartitionDisk** Indicates whether the user has selected the option to repartition the disk. +- **PBRVariation** Indicates the push-button reset type. +- **PBRWipeDataDrives** Indicates whether the option to wipe the data drives is selected. +- **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRFormatOSVolumeFailed @@ -4130,8 +4354,8 @@ No content is currently available. The following fields are available: -- **JustDeleteFiles** No content is currently available. -- **SessionID** No content is currently available. +- **JustDeleteFiles** Indicates whether disk formatting was skipped. +- **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRFormatOSVolumeSucceed @@ -4150,7 +4374,7 @@ No content is currently available. The following fields are available: -- **SessionID** No content is currently available. +- **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRIOCTLErasureSucceed @@ -4159,7 +4383,7 @@ No content is currently available. The following fields are available: -- **SessionID** No content is currently available. +- **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRLayoutImageFailed @@ -4168,7 +4392,7 @@ No content is currently available. The following fields are available: -- **SessionID** No content is currently available. +- **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRLayoutImageSucceed @@ -4177,7 +4401,7 @@ No content is currently available. The following fields are available: -- **SessionID** No content is currently available. +- **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBROEM1Failed @@ -4186,11 +4410,11 @@ No content is currently available. The following fields are available: -- **HRESULT** No content is currently available. -- **Parameters** No content is currently available. -- **PBRType** No content is currently available. -- **ScriptName** No content is currently available. -- **SessionID** No content is currently available. +- **HRESULT** The result error code from the OEM extensibility script. +- **Parameters** The parameters that were passed to the OEM extensibility script. +- **PBRType** The type of push-button reset. +- **ScriptName** The path to the OEM extensibility script. +- **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBROEM2Failed @@ -4199,11 +4423,11 @@ No content is currently available. The following fields are available: -- **HRESULT** No content is currently available. -- **Parameters** No content is currently available. -- **PBRType** No content is currently available. -- **ScriptName** No content is currently available. -- **SessionID** No content is currently available. +- **HRESULT** The result code for the error that occurred while running the OEM extensibility script. +- **Parameters** The parameters to the OEM extensibility script. +- **PBRType** The type of push-button reset. +- **ScriptName** The path to the push-button reset script. +- **SessionID** The ID of the push-button reset session. ### Microsoft.Windows.PBR.PBRPostApplyFailed @@ -4212,7 +4436,7 @@ No content is currently available. The following fields are available: -- **SessionID** No content is currently available. +- **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRPostApplyFinished @@ -4221,7 +4445,7 @@ No content is currently available. The following fields are available: -- **SessionID** No content is currently available. +- **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRPostApplyStarted @@ -4230,7 +4454,7 @@ No content is currently available. The following fields are available: -- **SessionID** No content is currently available. +- **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRPreApplyFailed @@ -4239,7 +4463,7 @@ No content is currently available. The following fields are available: -- **SessionID** No content is currently available. +- **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRPreApplyFinished @@ -4248,7 +4472,7 @@ No content is currently available. The following fields are available: -- **SessionID** No content is currently available. +- **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRPreApplyStarted @@ -4257,7 +4481,7 @@ No content is currently available. The following fields are available: -- **SessionID** No content is currently available. +- **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRReachedOOBE @@ -4275,7 +4499,7 @@ No content is currently available. The following fields are available: -- **SessionID** No content is currently available. +- **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRRequirementChecks @@ -4284,10 +4508,10 @@ No content is currently available. The following fields are available: -- **DeploymentType** No content is currently available. -- **InstallType** No content is currently available. -- **PBRType** No content is currently available. -- **SessionID** No content is currently available. +- **DeploymentType** The type of deployment. +- **InstallType** The type of installation. +- **PBRType** The type of push-button reset. +- **SessionID** The ID for this push-button reset session. ### Microsoft.Windows.PBR.PBRRequirementChecksFailed @@ -4296,14 +4520,14 @@ No content is currently available. The following fields are available: -- **DiskSpaceAvailable** No content is currently available. -- **DiskSpaceRequired** No content is currently available. -- **ErrorType** No content is currently available. -- **PBRImageVersion** No content is currently available. -- **PBRRecoveryStrategy** No content is currently available. +- **DiskSpaceAvailable** The disk space available for the push-button reset. +- **DiskSpaceRequired** The disk space required for the push-button reset. +- **ErrorType** The type of error that occurred during the requirement checks phase of the push-button reset operation. +- **PBRImageVersion** The image version of the push-button reset tool. +- **PBRRecoveryStrategy** The recovery strategy for this phase of push-button reset. - **PBRStartedFrom** No content is currently available. - **PBRType** No content is currently available. -- **SessionID** No content is currently available. +- **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRRequirementChecksPassed @@ -4314,10 +4538,10 @@ The following fields are available: - **OSVersion** No content is currently available. - **PBRImageType** No content is currently available. -- **PBRImageVersion** No content is currently available. +- **PBRImageVersion** The version of the push-button reset image. - **PBRRecoveryStrategy** No content is currently available. - **PBRStartedFrom** No content is currently available. -- **SessionID** No content is currently available. +- **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRRestoreLicenseFailed @@ -4326,7 +4550,7 @@ No content is currently available. The following fields are available: -- **SessionID** No content is currently available. +- **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRSucceed @@ -4336,8 +4560,8 @@ No content is currently available. The following fields are available: - **OSVersion** No content is currently available. -- **PBRType** No content is currently available. -- **SessionID** No content is currently available. +- **PBRType** The type of push-button reset. +- **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRUserCancelled @@ -4346,9 +4570,9 @@ No content is currently available. The following fields are available: -- **CancelPage** No content is currently available. -- **PBRVariation** No content is currently available. -- **SessionID** No content is currently available. +- **CancelPage** The ID of the page where the user clicked Cancel. +- **PBRVariation** The type of push-button reset. +- **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRVersionsMistmatch @@ -4358,8 +4582,8 @@ No content is currently available. The following fields are available: - **OSVersion** No content is currently available. -- **REVersion** No content is currently available. -- **SessionID** No content is currently available. +- **REVersion** The version of Windows Recovery Environment (WinRE). +- **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRWinREInstallationFailed @@ -4368,7 +4592,7 @@ No content is currently available. The following fields are available: -- **SessionID** No content is currently available. +- **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PhaseFinished @@ -4377,11 +4601,11 @@ No content is currently available. The following fields are available: -- **error** No content is currently available. -- **phase** No content is currently available. -- **sessionID** No content is currently available. -- **succeeded** No content is currently available. -- **timestamp** No content is currently available. +- **error** The result code for this phase of push-button reset. +- **phase** The name of this push-button reset phase. +- **sessionID** The ID of this push-button reset session. +- **succeeded** Indicates whether this phase of push-button reset executed successfully. +- **timestamp** The timestamp for this push-button reset event. ### Microsoft.Windows.PBR.PhaseStarted @@ -4390,9 +4614,9 @@ No content is currently available. The following fields are available: -- **phase** No content is currently available. -- **sessionID** No content is currently available. -- **timestamp** No content is currently available. +- **phase** The name of this phase of push-button reset. +- **sessionID** The ID of this push-button reset session. +- **timestamp** The timestamp for this push-button reset event. ### Microsoft.Windows.PBR.ReconstructionInfo @@ -4401,12 +4625,12 @@ No content is currently available. The following fields are available: -- **numPackagesAbandoned** No content is currently available. -- **numPackagesFailed** No content is currently available. -- **sessionID** No content is currently available. -- **slowMode** No content is currently available. +- **numPackagesAbandoned** The number of packages that were abandoned during the reconstruction operation of push-button reset. +- **numPackagesFailed** The number of packages that failed during the reconstruction operation of push-button reset. +- **sessionID** The ID of this push-button reset session. +- **slowMode** The mode of reconstruction. - **targetVersion** No content is currently available. -- **timestamp** No content is currently available. +- **timestamp** The timestamp of this push-button reset event. ### Microsoft.Windows.PBR.ResetOptions @@ -4415,12 +4639,12 @@ No content is currently available. The following fields are available: -- **overwriteSpace** No content is currently available. -- **preserveWorkplace** No content is currently available. -- **scenario** No content is currently available. -- **sessionID** No content is currently available. -- **timestamp** No content is currently available. -- **wipeData** No content is currently available. +- **overwriteSpace** Indicates whether the option was selected to erase data during push-button reset. +- **preserveWorkplace** Indicates whether the option was selected to reserve the workplace during push-button reset. +- **scenario** The selected scenario for the push-button on reset operation. +- **sessionID** The ID of this push-button on reset session. +- **timestamp** The timestamp of this push-button on reset event. +- **wipeData** Indicates whether the option was selected to wipe additional drives during push-button reset. ### Microsoft.Windows.PBR.RetryQueued @@ -4429,9 +4653,9 @@ No content is currently available. The following fields are available: -- **attempt** No content is currently available. -- **sessionID** No content is currently available. -- **timestamp** No content is currently available. +- **attempt** The number of retry attempts that were made +- **sessionID** The ID of this push-button reset session. +- **timestamp** The timestamp of this push-button reset event. ### Microsoft.Windows.PBR.ReturnedToOldOS @@ -4440,8 +4664,8 @@ No content is currently available. The following fields are available: -- **sessionID** No content is currently available. -- **timestamp** No content is currently available. +- **sessionID** The ID of this push-button reset session. +- **timestamp** The timestamp of this push-button reset event. ### Microsoft.Windows.PBR.ReturnTaskSchedulingFailed @@ -4450,10 +4674,10 @@ No content is currently available. The following fields are available: -- **errorCode** No content is currently available. -- **sessionID** No content is currently available. -- **taskName** No content is currently available. -- **timestamp** No content is currently available. +- **errorCode** The error that occurred while scheduling the task. +- **sessionID** The ID of this push-button reset session. +- **taskName** The name of the task. +- **timestamp** The ID of this push-button reset event. ### Microsoft.Windows.PBR.RollbackFinished @@ -4462,10 +4686,10 @@ No content is currently available. The following fields are available: -- **error** No content is currently available. -- **sessionID** No content is currently available. -- **succeeded** No content is currently available. -- **timestamp** No content is currently available. +- **error** Any errors that occurred during rollback to the old operating system. +- **sessionID** The ID of this push-button reset session. +- **succeeded** Indicates whether the rollback succeeded. +- **timestamp** The timestamp of this push-button reset event. ### Microsoft.Windows.PBR.RollbackStarted @@ -4474,8 +4698,8 @@ No content is currently available. The following fields are available: -- **sessionID** No content is currently available. -- **timestamp** No content is currently available. +- **sessionID** The ID of this push-button reset session. +- **timestamp** The timestamp of this push-button reset event. ### Microsoft.Windows.PBR.ScenarioNotSupported @@ -4484,10 +4708,10 @@ No content is currently available. The following fields are available: -- **errorCode** No content is currently available. -- **reason** No content is currently available. -- **sessionID** No content is currently available. -- **timestamp** No content is currently available. +- **errorCode** The error that occurred. +- **reason** The reason why this push-button reset scenario is not supported. +- **sessionID** The ID for this push-button reset session. +- **timestamp** The timestamp of this push-button reset event. ### Microsoft.Windows.PBR.SessionCreated @@ -4496,8 +4720,8 @@ No content is currently available. The following fields are available: -- **sessionID** No content is currently available. -- **timestamp** No content is currently available. +- **sessionID** The ID of this push-button reset session. +- **timestamp** The timestamp of this push-button reset event. ### Microsoft.Windows.PBR.SessionResumed @@ -4506,8 +4730,8 @@ No content is currently available. The following fields are available: -- **sessionID** No content is currently available. -- **timestamp** No content is currently available. +- **sessionID** The ID of this push-button reset session. +- **timestamp** The timestamp of this push-button reset event. ### Microsoft.Windows.PBR.SessionSaved @@ -4516,8 +4740,8 @@ No content is currently available. The following fields are available: -- **sessionID** No content is currently available. -- **timestamp** No content is currently available. +- **sessionID** The ID of this push-button reset session. +- **timestamp** The timestamp of this push-button reset event. ### Microsoft.Windows.PBR.SetupExecuteFinished @@ -4527,8 +4751,8 @@ No content is currently available. The following fields are available: - **sessionID** No content is currently available. -- **systemState** No content is currently available. -- **timestamp** No content is currently available. +- **systemState** Information about the system state of the Setup Platform operation. +- **timestamp** The timestamp of this push-button reset event. ### Microsoft.Windows.PBR.SetupExecuteStarted @@ -4537,8 +4761,8 @@ No content is currently available. The following fields are available: -- **sessionID** No content is currently available. -- **timestamp** No content is currently available. +- **sessionID** The ID of this push-button reset session. +- **timestamp** The timestamp for this push-button reset event. ### Microsoft.Windows.PBR.SetupFinalizeStarted @@ -4547,8 +4771,8 @@ No content is currently available. The following fields are available: -- **sessionID** No content is currently available. -- **timestamp** No content is currently available. +- **sessionID** The ID of this push-button reset session. +- **timestamp** The timestamp for this push-button reset event. ### Microsoft.Windows.PBR.SetupOperationFailed @@ -4557,11 +4781,11 @@ No content is currently available. The following fields are available: -- **errorCode** No content is currently available. -- **sessionID** No content is currently available. -- **setupExecutionOperation** No content is currently available. -- **setupExecutionPhase** No content is currently available. -- **timestamp** No content is currently available. +- **errorCode** An error that occurred during the setup phase of push-button reset. +- **sessionID** The ID of this push-button reset session. +- **setupExecutionOperation** The name of the Setup Platform operation. +- **setupExecutionPhase** The phase of the setup operation that failed. +- **timestamp** The timestamp of this push-button reset event. ### Microsoft.Windows.PBR.SystemInfoField @@ -4570,10 +4794,10 @@ No content is currently available. The following fields are available: -- **name** No content is currently available. -- **sessionID** No content is currently available. -- **timestamp** No content is currently available. -- **value** No content is currently available. +- **name** Name of the system information field. +- **sessionID** The ID of this push-button reset session. +- **timestamp** The timestamp of this push-button reset event. +- **value** The system information field value. ### Microsoft.Windows.PBR.SystemInfoListItem @@ -4582,11 +4806,11 @@ No content is currently available. The following fields are available: -- **index** No content is currently available. -- **name** No content is currently available. -- **sessionID** No content is currently available. -- **timestamp** No content is currently available. -- **value** No content is currently available. +- **index** The index number associated with the system information item. +- **name** The name of the list of system information items. +- **sessionID** The ID of this push-button reset session. +- **timestamp** The timestamp for this push-button reset event. +- **value** The value of the system information item. ### Microsoft.Windows.PBR.SystemInfoSenseFinished @@ -4595,10 +4819,10 @@ No content is currently available. The following fields are available: -- **error** No content is currently available. -- **sessionID** No content is currently available. -- **succeeded** No content is currently available. -- **timestamp** No content is currently available. +- **error** The error code if an error occurred while querying for system information. +- **sessionID** The ID of this push-button reset session. +- **succeeded** Indicates whether the query for system information was successful. +- **timestamp** The timestamp of this push-button reset event. ### Microsoft.Windows.PBR.SystemInfoSenseStarted @@ -4607,8 +4831,8 @@ No content is currently available. The following fields are available: -- **sessionID** No content is currently available. -- **timestamp** No content is currently available. +- **sessionID** The ID of this push-button reset event. +- **timestamp** The timestamp of this push-button reset event. ### Microsoft.Windows.PBR.UserAcknowledgeCleanupWarning @@ -4617,8 +4841,8 @@ No content is currently available. The following fields are available: -- **sessionID** No content is currently available. -- **timestamp** No content is currently available. +- **sessionID** The ID of this push-button reset session. +- **timestamp** The timestamp for this push-button reset event. ### Microsoft.Windows.PBR.UserCancel @@ -4627,9 +4851,9 @@ No content is currently available. The following fields are available: -- **pageID** No content is currently available. -- **sessionID** No content is currently available. -- **timestamp** No content is currently available. +- **pageID** The page ID for the page the user canceled. +- **sessionID** The ID of this push-button reset session. +- **timestamp** The timestamp for this push-button reset event. ### Microsoft.Windows.PBR.UserConfirmStart @@ -4638,8 +4862,8 @@ No content is currently available. The following fields are available: -- **sessionID** No content is currently available. -- **timestamp** No content is currently available. +- **sessionID** The ID of this push-button reset session. +- **timestamp** The timestamp for this push-button reset event. ### Microsoft.Windows.PBR.WinREInstallFinished @@ -4648,10 +4872,10 @@ No content is currently available. The following fields are available: -- **errorCode** No content is currently available. -- **sessionID** No content is currently available. -- **success** No content is currently available. -- **timestamp** No content is currently available. +- **errorCode** Any error that occurred during the Windows Recovery Environment (WinRE) installation. +- **sessionID** The ID of this push-button reset session. +- **success** Indicates whether the Windows Recovery Environment (WinRE) installation successfully completed. +- **timestamp** The timestamp for this push-button reset event. ### Microsoft.Windows.PBR.WinREInstallStarted @@ -4660,8 +4884,8 @@ No content is currently available. The following fields are available: -- **sessionID** No content is currently available. -- **timestamp** No content is currently available. +- **sessionID** The ID of this push-button reset session. +- **timestamp** The timestamp for this push-button reset event. ### Microsoft.Windows.Security.WSC.DatastoreMigratedVersion @@ -4670,9 +4894,9 @@ This event provides information about the datastore migration and whether it was The following fields are available: -- **datastoreisvtype** No content is currently available. -- **datastoremigrated** No content is currently available. -- **status** No content is currently available. +- **datastoreisvtype** The product category of the datastore. +- **datastoremigrated** The version of the datastore that was migrated. +- **status** The result code of the migration. ### Microsoft.Windows.Security.WSC.GetCallerViaWdsp @@ -4735,28 +4959,28 @@ No content is currently available. The following fields are available: -- **errorCode** No content is currently available. +- **errorCode** The error code if there was a failure during uninstallation of the latest cumulative Windows update package. ### Microsoft.Windows.SysReset.LCUUninstall -No content is currently available. +This event is sent when the latest cumulative Windows update was uninstalled on a device. The following fields are available: -- **errorCode** No content is currently available. -- **packageName** No content is currently available. -- **removalTime** No content is currently available. +- **errorCode** An error that occurred while the Windows update package was being uninstalled. +- **packageName** The name of the Windows update package that is being uninstalled. +- **removalTime** The amount of time it took to uninstall the Windows update package. ### Microsoft.Windows.SysReset.PBRBlockedByPolicy -No content is currently available. +This event is sent when a push-button reset operation is blocked by the System Administrator. The following fields are available: -- **PBRBlocked** No content is currently available. -- **PBRType** No content is currently available. +- **PBRBlocked** Reason the push-button reset operation was blocked. +- **PBRType** The type of push-button reset operation that was blocked. ### Microsoft.Windows.SysReset.PBREngineInitFailed @@ -4790,13 +5014,13 @@ The following fields are available: ### Microsoft.Windows.SystemReset.EsimPresentCheck -No content is currently available. +This event is sent when a device is checked to see whether it has an embedded SIM (eSIM). The following fields are available: -- **errorCode** No content is currently available. -- **esimPresent** No content is currently available. -- **sessionID** No content is currently available. +- **errorCode** Any error that occurred while checking for the presence of an embedded SIM. +- **esimPresent** Indicates whether an embedded SIM is present on the device. +- **sessionID** The ID of this session. ### Microsoft.Windows.SystemReset.PBRCorruptionRepairOption @@ -4813,12 +5037,12 @@ The following fields are available: ### Microsoft.Windows.SystemReset.RepairNeeded -No content is currently available. +This event provides information about whether a system reset needs repair. The following fields are available: -- **repairNeeded** No content is currently available. -- **sessionID** No content is currently available. +- **repairNeeded** Indicates whether there was corruption in the system reset which needs repair. +- **sessionID** The ID of this push-button reset session. ### Microsoft.Xbox.XamTelemetry.AppActivationError @@ -7406,19 +7630,19 @@ The following fields are available: - **OwningScenarioId** The scenario ID the client that called the begin scenario function. - **ReturnCode** The return code for the begin scenario operation. - **ScenarioId** The scenario ID that is internal to the reserve manager. -- **SoftReserveSize** No content is currently available. -- **SoftReserveUsedSpace** No content is currently available. +- **SoftReserveSize** The size of the soft reserve. +- **SoftReserveUsedSpace** The amount of soft reserve space that was used. ### Microsoft.Windows.UpdateReserveManager.ClearReserve -No content is currently available. +This event is sent when the Update Reserve Manager clears one of the reserves. The following fields are available: -- **FinalReserveUsedSpace** No content is currently available. -- **InitialReserveUsedSpace** No content is currently available. -- **ReserveId** No content is currently available. +- **FinalReserveUsedSpace** The amount of used space for the reserve after it was cleared. +- **InitialReserveUsedSpace** The amount of used space for the reserve before it was cleared. +- **ReserveId** The ID of the reserve that needs to be cleared. ### Microsoft.Windows.UpdateReserveManager.ClearSoftReserve @@ -7557,8 +7781,8 @@ This event is sent when the Update Reserve Manager needs to adjust the size of t The following fields are available: - **ChangeSize** The change in the hard reserve size based on the addition or removal of optional content. -- **Disposition** No content is currently available. -- **Flags** No content is currently available. +- **Disposition** The parameter for the hard reserve adjustment function. +- **Flags** The flags passed to the hard reserve adjustment function. - **PendingHardReserveAdjustment** The final change to the hard reserve size. - **UpdateType** Indicates whether the change is an increase or decrease in the size of the hard reserve. From 6d94f92d119702fd58fb35a2dc28a4b2042b5c0e Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Tue, 12 Mar 2019 09:00:25 -0700 Subject: [PATCH 039/492] kick --- windows/configuration/wcd/wcd-time.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/wcd/wcd-time.md b/windows/configuration/wcd/wcd-time.md index 52ade98614..53ddcd5768 100644 --- a/windows/configuration/wcd/wcd-time.md +++ b/windows/configuration/wcd/wcd-time.md @@ -13,7 +13,7 @@ ms.date: 09/06/2017 # Time -Use **Time** to configure settings for time zone setup for Windows 10, version (TBD) and later. +Use **Time** to configure settings for time zone setup for Windows 10, version (TBD) and later. ## Applies to From 69c866cdb8abfd71ae970761a553a8904d871876 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Tue, 12 Mar 2019 09:11:35 -0700 Subject: [PATCH 040/492] dataclassmapping --- windows/configuration/wcd/wcd-cellular.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/configuration/wcd/wcd-cellular.md b/windows/configuration/wcd/wcd-cellular.md index f6c9545c4a..1019d87dd8 100644 --- a/windows/configuration/wcd/wcd-cellular.md +++ b/windows/configuration/wcd/wcd-cellular.md @@ -52,6 +52,10 @@ Enter the destination path for the BrandingIcon .ico file. Enter the service provider name for the mobile operator. +### DataClassMappingTable + +Enter a customized string for the appropriate [data class](https://docs.microsoft.com/windows/desktop/api/mbnapi/ne-mbnapi-mbn_data_class). + ### NetworkBlockList Enter a comma-separated list of mobile country code (MCC) and mobile network code (MCC) pairs (MCC:MNC). From 0d9297789312bb864eddb6ad42dd1277846cabec Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Tue, 12 Mar 2019 09:28:16 -0700 Subject: [PATCH 041/492] enablecortanavoice --- windows/configuration/wcd/wcd-changes.md | 2 ++ windows/configuration/wcd/wcd-oobe.md | 30 +++++++++++++++--------- 2 files changed, 21 insertions(+), 11 deletions(-) diff --git a/windows/configuration/wcd/wcd-changes.md b/windows/configuration/wcd/wcd-changes.md index f235ced4e7..909614945c 100644 --- a/windows/configuration/wcd/wcd-changes.md +++ b/windows/configuration/wcd/wcd-changes.md @@ -18,6 +18,8 @@ ms.date: 10/02/2018 - [DeviceUpdateCenter](wcd-deviceupdatecenter.md) - [Privacy](wcd-privacy.md) - [Time](wcd-time.md) +- [Cellular > DataClassMappingTable](wcd-cellular.md#dataclassmappingtable) +- [OOBE > EnableCortanaVoice](wcd-oobe.md#enablecortanavoice) ## Settings removed in Windows 10, version ? diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md index 35acf44bc2..8c3e9913d9 100644 --- a/windows/configuration/wcd/wcd-oobe.md +++ b/windows/configuration/wcd/wcd-oobe.md @@ -19,9 +19,27 @@ Use to configure settings for the Out Of Box Experience (OOBE). | Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | :---: | +| [Desktop > EnableCortanaVoice](#enablecortanavoice) | X | | | | | +| [Desktop > HideOobe](#hided) | X | | | | | | [Mobile > EnforceEnterpriseProvisioning](#nforce) | | X | | | | | [Mobile > HideOobe](#hidem) | | X | | | | -| [Desktop > HideOobe](#hided) | X | | | | | + + + + +## EnableCortanaVoice + +Use this setting to control whether Cortana voice-over is enabled during OOBE. The voice-over is disabled by default. Select **True** to enable voice-over during OOBE on Windows 10 Pro, Education, and Enterprise. + + +## HideOobe for desktop + +When set to **True**, it hides the interactive OOBE flow for Windows 10. + +>[!NOTE] +>You must create a user account if you set the value to true or the device will not be usable. + +When set to **False**, the OOBE screens are displayed. ## EnforceEnterpriseProvisioning @@ -35,14 +53,4 @@ When set to **False**, it does not force the OOBE flow to the enterprise provisi When set to **True**, it hides the interactive OOBE flow for Windows 10 Mobile. -When set to **False**, the OOBE screens are displayed. - - -## HideOobe for desktop - -When set to **True**, it hides the interactive OOBE flow for Windows 10. - ->[!NOTE] ->You must create a user account if you set the value to true or the device will not be usable. - When set to **False**, the OOBE screens are displayed. \ No newline at end of file From d3b8b81f0229a494b1db52579589ecd2c31bec44 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Tue, 12 Mar 2019 11:22:20 -0700 Subject: [PATCH 042/492] tweak --- windows/configuration/wcd/wcd-oobe.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md index 8c3e9913d9..b6ca14a3ca 100644 --- a/windows/configuration/wcd/wcd-oobe.md +++ b/windows/configuration/wcd/wcd-oobe.md @@ -29,7 +29,7 @@ Use to configure settings for the Out Of Box Experience (OOBE). ## EnableCortanaVoice -Use this setting to control whether Cortana voice-over is enabled during OOBE. The voice-over is disabled by default. Select **True** to enable voice-over during OOBE on Windows 10 Pro, Education, and Enterprise. +Use this setting to control whether Cortana voice-over is enabled during OOBE. The voice-over is disabled by default on Windows 10 Pro, Education, and Enterprise. The voice-over is enabled by default on Windows 10 Home. Select **True** to enable voice-over during OOBE. ## HideOobe for desktop From afc765a3568c666251a9d43ff34e1780826970b2 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 12 Mar 2019 16:33:28 -0700 Subject: [PATCH 043/492] new build 3/12/2019 4:33 PM --- ...ndows-diagnostic-events-and-fields-1703.md | 71 +- ...ndows-diagnostic-events-and-fields-1709.md | 18 +- ...ndows-diagnostic-events-and-fields-1803.md | 16 +- ...ndows-diagnostic-events-and-fields-1809.md | 15449 ++++++++-------- 4 files changed, 7947 insertions(+), 7607 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index ab42290c6b..2e2ac4486f 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -7,13 +7,13 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localizationpriority: high -audience: ITPro author: brianlic-msft ms.author: brianlic manager: dansimp ms.collection: M365-security-compliance ms.topic: article -ms.date: 02/15/2019 +audience: ITPro +ms.date: 03/12/2019 --- @@ -1822,61 +1822,6 @@ The following fields are available: ## Diagnostic data events -### TelClientSynthetic.AbnormalShutdown_0 - -This event sends data about boot IDs for which a normal clean shutdown was not observed, to help keep Windows up to date. - -The following fields are available: - -- **AbnormalShutdownBootId** Retrieves the Boot ID for which the abnormal shutdown was observed. -- **CrashDumpEnabled** Indicates whether crash dumps are enabled. -- **CumulativeCrashCount** Cumulative count of operating system crashes since the BootId reset. -- **CurrentBootId** BootId at the time the abnormal shutdown event was being reported. -- **FirmwareResetReasonEmbeddedController** Firmware-supplied reason for the reset. -- **FirmwareResetReasonEmbeddedControllerAdditional** Additional data related to the reset reason provided by the firmware. -- **FirmwareResetReasonPch** Hardware-supplied reason for the reset. -- **FirmwareResetReasonPchAdditional** Additional data related to the reset reason provided by the hardware. -- **FirmwareResetReasonSupplied** Indicates whether the firmware supplied any reset reason. -- **FirmwareType** ID of the FirmwareType as enumerated in DimFirmwareType. -- **HardwareWatchdogTimerGeneratedLastReset** Indicates whether the hardware watchdog timer caused the last reset. -- **HardwareWatchdogTimerPresent** Indicates whether hardware watchdog timer was present or not. -- **LastBugCheckBootId** The Boot ID of the last captured crash. -- **LastBugCheckCode** Code that indicates the type of error. -- **LastBugCheckContextFlags** Additional crash dump settings. -- **LastBugCheckOriginalDumpType** The type of crash dump the system intended to save. -- **LastBugCheckOtherSettings** Other crash dump settings. -- **LastBugCheckParameter1** The first parameter with additional info on the type of the error. -- **LastBugCheckProgress** Progress towards writing out the last crash dump. -- **LastSuccessfullyShutdownBootId** The Boot ID of the last fully successful shutdown. -- **PowerButtonCumulativePressCount** Indicates the number of times the power button has been pressed ("pressed" not to be confused with "released"). -- **PowerButtonCumulativeReleaseCount** Indicates the number of times the power button has been released ("released" not to be confused with "pressed"). -- **PowerButtonErrorCount** Indicates the number of times there was an error attempting to record Power Button metrics (e.g.: due to a failure to lock/update the bootstat file). -- **PowerButtonLastPressBootId** The Boot ID of the last time the Power Button was detected to have been pressed ("pressed" not to be confused with "released"). -- **PowerButtonLastPressTime** The date and time the Power Button was most recently pressed ("pressed" not to be confused with "released"). -- **PowerButtonLastReleaseBootId** The Boot ID of the last time the Power Button was released ("released" not to be confused with "pressed"). -- **PowerButtonLastReleaseTime** The date and time the Power Button was most recently released ("released" not to be confused with "pressed"). -- **PowerButtonPressCurrentCsPhase** Represents the phase of Connected Standby exit when the power button was pressed. -- **PowerButtonPressIsShutdownInProgress** Indicates whether a system shutdown was in progress at the last time the Power Button was pressed. -- **PowerButtonPressLastPowerWatchdogStage** The last stage completed when the Power Button was most recently pressed. -- **PowerButtonPressPowerWatchdogArmed** Indicates whether or not the watchdog for the monitor was active at the time of the last power button press. -- **TransitionInfoBootId** The Boot ID of the captured transition information. -- **TransitionInfoCSCount** The total number of times the system transitioned from "Connected Standby" mode to "On" when the last marker was saved. -- **TransitionInfoCSEntryReason** Indicates the reason the device last entered "Connected Standby" mode ("entered" not to be confused with "exited"). -- **TransitionInfoCSExitReason** Indicates the reason the device last exited "Connected Standby" mode ("exited" not to be confused with "entered"). -- **TransitionInfoCSInProgress** Indicates whether the system was in or entering Connected Standby mode when the last marker was saved. -- **TransitionInfoLastReferenceTimeChecksum** The checksum of TransitionInfoLastReferenceTimestamp. -- **TransitionInfoLastReferenceTimestamp** The date and time that the marker was last saved. -- **TransitionInfoPowerButtonTimestamp** The most recent date and time when the Power Button was pressed (collected via a different mechanism than PowerButtonLastPressTime). -- **TransitionInfoSleepInProgress** Indicates whether the system was in or entering Sleep mode when the last marker was saved. -- **TransitionInfoSleepTranstionsToOn** The total number of times the system transitioned from Sleep mode to on, when the last marker was saved. -- **TransitionInfoSystemRunning** Indicates whether the system was running when the last marker was saved. -- **TransitionInfoSystemShutdownInProgress** Indicates whether a device shutdown was in progress when the power button was pressed. -- **TransitionInfoUserShutdownInProgress** Indicates whether a user shutdown was in progress when the power button was pressed. -- **TransitionLatestCheckpointId** Represents a unique identifier for a checkpoint during the device state transition. -- **TransitionLatestCheckpointSeqNumber** Represents the chronological sequence number of the checkpoint. -- **TransitionLatestCheckpointType** Represents the type of the checkpoint, which can be the start of a phase, end of a phase, or just informational. - - ### TelClientSynthetic.AuthorizationInfo_RuntimeTransition This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. @@ -4236,7 +4181,7 @@ The following fields are available: - **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** The revision number of the specified piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Windows Store, etc.). - **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. - **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). @@ -5127,12 +5072,12 @@ This event lists the reboot reason when an app is going to reboot. The following fields are available: -- **BootId** The boot ID. +- **BootId** The system boot ID. - **BoottimeSinceLastShutdown** The boot time since the last shutdown. - **RebootReason** Reason for the reboot. -## Microsoft Store events +## Windows Store events ### Microsoft.Windows.Store.Partner.ReportApplication @@ -6296,6 +6241,12 @@ This event sends data specific to the FixupEditionId mitigation used for OS Upda ## Windows Update Reserve Manager events +### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager + +This event returns data about the Update Reserve Manager, including whether it’s been initialized. + + + ### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 658324d8b4..d6a2e128d8 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -7,13 +7,13 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localizationpriority: high -audience: ITPro author: brianlic-msft ms.author: brianlic manager: dansimp ms.collection: M365-security-compliance ms.topic: article -ms.date: 02/15/2019 +audience: ITPro +ms.date: 03/12/2019 --- @@ -68,7 +68,7 @@ The following fields are available: - **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. - **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device. - **InventoryApplicationFile** The count of the number of this particular object type present on this device. -- **InventoryLanguagePack** The count of the number of this particular object type present on this device. +- **InventoryLanguagePack** The count of InventoryLanguagePack objects present on this machine. - **InventoryMediaCenter** The count of the number of this particular object type present on this device. - **InventorySystemBios** The count of the number of this particular object type present on this device. - **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. @@ -4128,7 +4128,7 @@ The following fields are available: - **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) - **RevisionNumber** Unique revision number of Update - **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Microsoft Store. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) - **SystemBIOSMajorRelease** Major version of the BIOS. - **SystemBIOSMinorRelease** Minor version of the BIOS. - **UpdateId** Unique Update ID @@ -4192,7 +4192,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** The revision number of the specified piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Windows Store, etc.). - **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. - **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). @@ -5298,7 +5298,7 @@ The following fields are available: - **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). -## Microsoft Store events +## Windows Store events ### Microsoft.Windows.Store.Partner.ReportApplication @@ -6514,6 +6514,12 @@ The following fields are available: ## Windows Update Reserve Manager events +### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager + +This event returns data about the Update Reserve Manager, including whether it’s been initialized. + + + ### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 55e5adf886..e88b4da389 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -7,13 +7,13 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localizationpriority: high -audience: ITPro author: brianlic-msft ms.author: brianlic manager: dansimp ms.collection: M365-security-compliance ms.topic: article -ms.date: 02/15/2019 +audience: ITPro +ms.date: 03/12/2019 --- @@ -4934,7 +4934,7 @@ The following fields are available: - **FlightId** The specific id of the flight the device is getting - **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) - **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) - **SystemBIOSMajorRelease** Major release version of the system bios - **SystemBIOSMinorRelease** Minor release version of the system bios - **UpdateId** Identifier associated with the specific piece of content @@ -4997,7 +4997,7 @@ The following fields are available: - **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** The revision number of the specified piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Windows Store, etc.). - **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. - **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). @@ -5988,7 +5988,7 @@ The following fields are available: - **PertProb** Constant used in algorithm for randomization. -## Microsoft Store events +## Windows Store events ### Microsoft.Windows.Store.StoreActivating @@ -7646,6 +7646,12 @@ This event is sent when the Update Reserve Manager returns an error from one of +### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager + +This event returns data about the Update Reserve Manager, including whether it’s been initialized. + + + ### Microsoft.Windows.UpdateReserveManager.PrepareTIForReserveInitialization This event is sent when the Update Reserve Manager prepares the Trusted Installer to initialize reserves on the next boot. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index f8a042ef3d..fd7cd31194 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -1,7536 +1,7913 @@ ---- -description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. -title: Windows 10, version 1809 basic diagnostic events and fields (Windows 10) -keywords: privacy, telemetry -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -localizationpriority: high -audience: ITPro -author: brianlic-msft -ms.author: brianlic -manager: dansimp -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 02/15/2019 ---- - - -# Windows 10, version 1809 basic level Windows diagnostic events and fields - - **Applies to** - -- Windows 10, version 1809 - - -The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. - -The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. - -Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. - -You can learn more about Windows functional and diagnostic data through these articles: - - -- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) -- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) -- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) -- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) -- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) - - - - -## Account trace logging provider events - -### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.General - -This event provides information about application properties to indicate the successful execution. - -The following fields are available: - -- **AppMode** Indicates the mode the app is being currently run around privileges. -- **ExitCode** Indicates the exit code of the app. -- **Help** Indicates if the app needs to be launched in the help mode. -- **ParseError** Indicates if there was a parse error during the execution. -- **RightsAcquired** Indicates if the right privileges were acquired for successful execution. -- **RightsWereEnabled** Indicates if the right privileges were enabled for successful execution. -- **TestMode** Indicates whether the app is being run in test mode. - - -### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.GetCount - -This event provides information about the properties of user accounts in the Administrator group. - -The following fields are available: - -- **Internal** Indicates the internal property associated with the count group. -- **LastError** The error code (if applicable) for the cause of the failure to get the count of the user account. -- **Result** The HResult error. - - -## AppLocker events - -### Microsoft.Windows.Security.AppLockerCSP.ActivityStoppedAutomatically - -Automatically closed activity for start/stop operations that aren't explicitly closed. - - - -### Microsoft.Windows.Security.AppLockerCSP.AddParams - -Parameters passed to Add function of the AppLockerCSP Node. - -The following fields are available: - -- **child** The child URI of the node to add. -- **uri** URI of the node relative to %SYSTEM32%/AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.AddStart - -Start of "Add" Operation for the AppLockerCSP Node. - - - -### Microsoft.Windows.Security.AppLockerCSP.AddStop - -End of "Add" Operation for AppLockerCSP Node. - -The following fields are available: - -- **hr** The HRESULT returned by Add function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.CAppLockerCSP::Rollback - -Result of the 'Rollback' operation in AppLockerCSP. - -The following fields are available: - -- **oldId** Previous id for the CSP transaction. -- **txId** Current id for the CSP transaction. - - -### Microsoft.Windows.Security.AppLockerCSP.ClearParams - -Parameters passed to the "Clear" operation for AppLockerCSP. - -The following fields are available: - -- **uri** The URI relative to the %SYSTEM32%\AppLocker folder. - - -### Microsoft.Windows.Security.AppLockerCSP.ClearStart - -Start of the "Clear" operation for the AppLockerCSP Node. - - - -### Microsoft.Windows.Security.AppLockerCSP.ClearStop - -End of the "Clear" operation for the AppLockerCSP node. - -The following fields are available: - -- **hr** HRESULT reported at the end of the 'Clear' function. - - -### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStart - -Start of the "ConfigManagerNotification" operation for AppLockerCSP. - -The following fields are available: - -- **NotifyState** State sent by ConfigManager to AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStop - -End of the "ConfigManagerNotification" operation for AppLockerCSP. - -The following fields are available: - -- **hr** HRESULT returned by the ConfigManagerNotification function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceParams - -Parameters passed to the CreateNodeInstance function of the AppLockerCSP node. - -The following fields are available: - -- **NodeId** NodeId passed to CreateNodeInstance. -- **nodeOps** NodeOperations parameter passed to CreateNodeInstance. -- **uri** URI passed to CreateNodeInstance, relative to %SYSTEM32%\AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStart - -Start of the "CreateNodeInstance" operation for the AppLockerCSP node. - - - -### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStop - -End of the "CreateNodeInstance" operation for the AppLockerCSP node - -The following fields are available: - -- **hr** HRESULT returned by the CreateNodeInstance function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.DeleteChildParams - -Parameters passed to the DeleteChild function of the AppLockerCSP node. - -The following fields are available: - -- **child** The child URI of the node to delete. -- **uri** URI relative to %SYSTEM32%\AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStart - -Start of the "DeleteChild" operation for the AppLockerCSP node. - - - -### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStop - -End of the "DeleteChild" operation for the AppLockerCSP node. - -The following fields are available: - -- **hr** HRESULT returned by the DeleteChild function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.EnumPolicies - -Logged URI relative to %SYSTEM32%\AppLocker, if the Plugin GUID is null, or the CSP doesn't believe the old policy is present. - -The following fields are available: - -- **uri** URI relative to %SYSTEM32%\AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesParams - -Parameters passed to the GetChildNodeNames function of the AppLockerCSP node. - -The following fields are available: - -- **uri** URI relative to %SYSTEM32%/AppLocker for MDM node. - - -### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStart - -Start of the "GetChildNodeNames" operation for the AppLockerCSP node. - - - -### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStop - -End of the "GetChildNodeNames" operation for the AppLockerCSP node. - -The following fields are available: - -- **child[0]** If function succeeded, the first child's name, else "NA". -- **count** If function succeeded, the number of child node names returned by the function, else 0. -- **hr** HRESULT returned by the GetChildNodeNames function of AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.GetLatestId - -The result of 'GetLatestId' in AppLockerCSP (the latest time stamped GUID). - -The following fields are available: - -- **dirId** The latest directory identifier found by GetLatestId. -- **id** The id returned by GetLatestId if id > 0 - otherwise the dirId parameter. - - -### Microsoft.Windows.Security.AppLockerCSP.HResultException - -HRESULT thrown by any arbitrary function in AppLockerCSP. - -The following fields are available: - -- **file** File in the OS code base in which the exception occurs. -- **function** Function in the OS code base in which the exception occurs. -- **hr** HRESULT that is reported. -- **line** Line in the file in the OS code base in which the exception occurs. - - -### Microsoft.Windows.Security.AppLockerCSP.SetValueParams - -Parameters passed to the SetValue function of the AppLockerCSP node. - -The following fields are available: - -- **dataLength** Length of the value to set. -- **uri** The node URI to that should contain the value, relative to %SYSTEM32%\AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.SetValueStart - -Start of the "SetValue" operation for the AppLockerCSP node. - - - -### Microsoft.Windows.Security.AppLockerCSP.SetValueStop - -End of the "SetValue" operation for the AppLockerCSP node. - -The following fields are available: - -- **hr** HRESULT returned by the SetValue function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.TryRemediateMissingPolicies - -EntryPoint of fix step or policy remediation, includes URI relative to %SYSTEM32%\AppLocker that needs to be fixed. - -The following fields are available: - -- **uri** URI for node relative to %SYSTEM32%/AppLocker. - - -## Appraiser events - -### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount - -This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client. - -The following fields are available: - -- **DatasourceApplicationFile_19ASetup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_19H1** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **DatasourceApplicationFile_RS2** An ID for the system, calculated by hashing hardware identifiers. -- **DatasourceApplicationFile_RS3** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS4** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_TH1** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_TH2** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_19ASetup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. -- **DatasourceDevicePnp_RS2** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS3** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS4** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS5** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_TH1** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_TH2** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_19ASetup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_19H1** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device. -- **DatasourceDriverPackage_RS2** The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device. -- **DatasourceDriverPackage_RS3** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS5** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_TH1** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoBlock_RS2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS3** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS3** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_19ASetup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_19H1** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device. -- **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device. -- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting Windows 10 version 1709 present on this device. -- **DatasourceSystemBios_RS3Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS4** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS5** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_TH1** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_TH2** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_19H1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS3** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_TH1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_TH2** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_19H1** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. -- **DecisionDevicePnp_RS2** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS3** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS5** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_TH1** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_TH2** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_19H1** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device. -- **DecisionDriverPackage_RS2** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS3** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS5** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_TH1** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. -- **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. -- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1709 present on this device. -- **DecisionMatchingInfoBlock_RS4** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1803 present on this device. -- **DecisionMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. -- **DecisionMatchingInfoPassive_RS2** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 on this device. -- **DecisionMatchingInfoPassive_RS3** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1803 on this device. -- **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. -- **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. -- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. -- **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_19H1** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_19H1Setup** The total DecisionMediaCenter objects targeting the next release of Windows on this device. -- **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. -- **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device. -- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting Windows 10 version 1709 present on this device. -- **DecisionMediaCenter_RS4** The total DecisionMediaCenter objects targeting Windows 10 version 1803 present on this device. -- **DecisionMediaCenter_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_TH1** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_TH2** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_19ASetup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_19H1** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device. -- **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 on this device. -- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting Windows 10 version 1709 on this device. -- **DecisionSystemBios_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device. -- **DecisionSystemBios_RS4Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS5** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS5Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_TH1** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device. -- **DecisionSystemProcessor_RS2** The count of the number of this particular object type present on this device. -- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **InventoryApplicationFile** The count of the number of this particular object type present on this device. -- **InventoryDeviceContainer** A count of device container objects in cache. -- **InventoryDevicePnp** A count of device Plug and Play objects in cache. -- **InventoryDriverBinary** A count of driver binary objects in cache. -- **InventoryDriverPackage** A count of device objects in cache. -- **InventoryLanguagePack** The count of the number of this particular object type present on this device. -- **InventoryMediaCenter** The count of the number of this particular object type present on this device. -- **InventorySystemBios** The count of the number of this particular object type present on this device. -- **InventorySystemMachine** The count of the number of this particular object type present on this device. -- **InventorySystemProcessor** The count of the number of this particular object type present on this device. -- **InventoryTest** The count of the number of this particular object type present on this device. -- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. -- **PCFP** The count of the number of this particular object type present on this device. -- **SystemMemory** The count of the number of this particular object type present on this device. -- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. -- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. -- **SystemProcessorNx** The total number of objects of this type present on this device. -- **SystemProcessorPrefetchW** The total number of objects of this type present on this device. -- **SystemProcessorSse2** The total number of objects of this type present on this device. -- **SystemTouch** The count of the number of this particular object type present on this device. -- **SystemWim** The total number of objects of this type present on this device. -- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. -- **SystemWlan** The total number of objects of this type present on this device. -- **Wmdrm_19ASetup** The count of the number of this particular object type present on this device. -- **Wmdrm_19H1** The count of the number of this particular object type present on this device. -- **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. -- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS2** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS3** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. -- **Wmdrm_RS4Setup** The count of the number of this particular object type present on this device. -- **Wmdrm_RS5** The count of the number of this particular object type present on this device. -- **Wmdrm_RS5Setup** The count of the number of this particular object type present on this device. -- **Wmdrm_TH1** The count of the number of this particular object type present on this device. -- **Wmdrm_TH2** The count of the number of this particular object type present on this device. - - -### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd - -Represents the basic metadata about specific application files installed on the system. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file that is generating the events. -- **AvDisplayName** If the app is an anti-virus app, this is its display name. -- **CompatModelIndex** The compatibility prediction for this file. -- **HasCitData** Indicates whether the file is present in CIT data. -- **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file. -- **IsAv** Is the file an anti-virus reporting EXE? -- **ResolveAttempted** This will always be an empty string when sending telemetry. -- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. - - -### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove - -This event indicates that the DatasourceApplicationFile object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync - -This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd - -This event sends compatibility data for a Plug and Play device, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **ActiveNetworkConnection** Indicates whether the device is an active network device. -- **AppraiserVersion** The version of the appraiser file generating the events. -- **CosDeviceRating** An enumeration that indicates if there is a driver on the target operating system. -- **CosDeviceSolution** An enumeration that indicates how a driver on the target operating system is available. -- **CosDeviceSolutionUrl** Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd . Empty string -- **CosPopulatedFromId** The expected uplevel driver matching ID based on driver coverage data. -- **IsBootCritical** Indicates whether the device boot is critical. -- **UplevelInboxDriver** Indicates whether there is a driver uplevel for this device. -- **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update. -- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver. -- **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update. - - -### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove - -This event indicates that the DatasourceDevicePnp object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync - -This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd - -This event sends compatibility database data about driver packages to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync - -This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd - -This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove - -This event indicates that the DataSourceMatchingInfoBlock object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync - -This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd - -This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove - -This event indicates that the DataSourceMatchingInfoPassive object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync - -This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd - -This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove - -This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync - -This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd - -This event sends compatibility database information about the BIOS to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove - -This event indicates that the DatasourceSystemBios object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync - -This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd - -This event sends compatibility decision data about a file to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file that is generating the events. -- **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. -- **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question. -- **DisplayGenericMessage** Will be a generic message be shown for this file? -- **DisplayGenericMessageGated** Indicates whether a generic message be shown for this file. -- **HardBlock** This file is blocked in the SDB. -- **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? -- **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode? -- **MigRemoval** Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade? -- **NeedsDismissAction** Will the file cause an action that can be dimissed? -- **NeedsInstallPostUpgradeData** After upgrade, the file will have a post-upgrade notification to install a replacement for the app. -- **NeedsNotifyPostUpgradeData** Does the file have a notification that should be shown after upgrade? -- **NeedsReinstallPostUpgradeData** After upgrade, this file will have a post-upgrade notification to reinstall the app. -- **NeedsUninstallAction** The file must be uninstalled to complete the upgrade. -- **SdbBlockUpgrade** The file is tagged as blocking upgrade in the SDB, -- **SdbBlockUpgradeCanReinstall** The file is tagged as blocking upgrade in the SDB. It can be reinstalled after upgrade. -- **SdbBlockUpgradeUntilUpdate** The file is tagged as blocking upgrade in the SDB. If the app is updated, the upgrade can proceed. -- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not block upgrade. -- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade. -- **SoftBlock** The file is softblocked in the SDB and has a warning. - - -### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove - -This event indicates Indicates that the DecisionApplicationFile object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync - -This event indicates that a new set of DecisionApplicationFileAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd - -This event sends compatibility decision data about a PNP device to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. -- **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked? -- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate? -- **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked? -- **BlockingDevice** Is this PNP device blocking upgrade? -- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS? -- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device? -- **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device? -- **DisplayGenericMessageGated** Indicates whether a generic message will be shown during Setup for this PNP device. -- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device? -- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? -- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device? -- **DriverBlockOverridden** Is there is a driver block on the device that has been overridden? -- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device? -- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS? -- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade? -- **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden? - - -### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove - -This event indicates that the DecisionDevicePnp object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync - -The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd - -This event sends decision data about driver package compatibility to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. -- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for this driver package. -- **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? -- **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block? -- **DriverIsDriverBlocked** Is the driver package blocked because of a driver block? -- **DriverIsTroubleshooterBlocked** Indicates whether the driver package is blocked because of a troubleshooter block. -- **DriverShouldNotMigrate** Should the driver package be migrated during upgrade? -- **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? - - -### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove - -This event indicates that the DecisionDriverPackage object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync - -This event indicates that a new set of DecisionDriverPackageAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd - -This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. -- **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks? -- **DisplayGenericMessage** Will a generic message be shown for this block? -- **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block? -- **SdbBlockUpgrade** Is a matching info block blocking upgrade? -- **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag? -- **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag? - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove - -This event indicates that the DecisionMatchingInfoBlock object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync - -This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd - -This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks? -- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown due to matching info blocks. -- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove - -This event Indicates that the DecisionMatchingInfoPassive object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync - -This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd - -This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app? -- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade? -- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app? -- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade). - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove - -This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync - -This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd - -This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **BlockingApplication** Is there any application issues that interfere with upgrade due to Windows Media Center? -- **MediaCenterActivelyUsed** If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true? -- **MediaCenterIndicators** Do any indicators imply that Windows Media Center is in active use? -- **MediaCenterInUse** Is Windows Media Center actively being used? -- **MediaCenterPaidOrActivelyUsed** Is Windows Media Center actively being used or is it running on a supported edition? -- **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center? - - -### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove - -This event indicates that the DecisionMediaCenter object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync - -This event indicates that a new set of DecisionMediaCenterAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd - -This event sends compatibility decision data about the BIOS to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the device blocked from upgrade due to a BIOS block? -- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for the bios. -- **HasBiosBlock** Does the device have a BIOS block? - - -### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove - -This event indicates that the DecisionSystemBios object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync - -This event indicates that a new set of DecisionSystemBiosAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.GatedRegChange - -This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date. - -The following fields are available: - -- **NewData** The data in the registry value after the scan completed. -- **OldData** The previous data in the registry value before the scan ran. -- **PCFP** An ID for the system calculated by hashing hardware identifiers. -- **RegKey** The registry key name for which a result is being sent. -- **RegValue** The registry value for which a result is being sent. -- **Time** The client time of the event. - - -### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd - -This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **AvDisplayName** If the app is an antivirus app, this is its display name. -- **AvProductState** Indicates whether the antivirus program is turned on and the signatures are up to date. -- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64. -- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. -- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. -- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata. -- **CompanyName** The company name of the vendor who developed this file. -- **FileId** A hash that uniquely identifies a file. -- **FileVersion** The File version field from the file metadata under Properties -> Details. -- **HasUpgradeExe** Indicates whether the antivirus app has an upgrade.exe file. -- **IsAv** Indicates whether the file an antivirus reporting EXE. -- **LinkDate** The date and time that this file was linked on. -- **LowerCaseLongPath** The full file path to the file that was inventoried on the device. -- **Name** The name of the file that was inventoried. -- **ProductName** The Product name field from the file metadata under Properties -> Details. -- **ProductVersion** The Product version field from the file metadata under Properties -> Details. -- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it. -- **Size** The size of the file (in hexadecimal bytes). - - -### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove - -This event indicates that the InventoryApplicationFile object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync - -This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd - -This event sends data about the number of language packs installed on the system, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **HasLanguagePack** Indicates whether this device has 2 or more language packs. -- **LanguagePackCount** The number of language packs are installed. - - -### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove - -This event indicates that the InventoryLanguagePack object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync - -This event indicates that a new set of InventoryLanguagePackAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd - -This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **EverLaunched** Has Windows Media Center ever been launched? -- **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center? -- **HasExtendedUserAccounts** Are any Windows Media Center Extender user accounts configured? -- **HasWatchedFolders** Are any folders configured for Windows Media Center to watch? -- **IsDefaultLauncher** Is Windows Media Center the default app for opening music or video files? -- **IsPaid** Is the user running a Windows Media Center edition that implies they paid for Windows Media Center? -- **IsSupported** Does the running OS support Windows Media Center? - - -### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove - -This event indicates that the InventoryMediaCenter object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync - -This event indicates that a new set of InventoryMediaCenterAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd - -This event sends basic metadata about the BIOS to determine whether it has a compatibility block. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **biosDate** The release date of the BIOS in UTC format. -- **BiosDate** The release date of the BIOS in UTC format. -- **biosName** The name field from Win32_BIOS. -- **BiosName** The name field from Win32_BIOS. -- **manufacturer** The manufacturer field from Win32_ComputerSystem. -- **Manufacturer** The manufacturer field from Win32_ComputerSystem. -- **model** The model field from Win32_ComputerSystem. -- **Model** The model field from Win32_ComputerSystem. - - -### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove - -This event indicates that the InventorySystemBios object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync - -This event indicates that a new set of InventorySystemBiosAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd - -This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **BootCritical** Is the driver package marked as boot critical? -- **Build** The build value from the driver package. -- **CatalogFile** The name of the catalog file within the driver package. -- **Class** The device class from the driver package. -- **ClassGuid** The device class unique ID from the driver package. -- **Date** The date from the driver package. -- **Inbox** Is the driver package of a driver that is included with Windows? -- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU. -- **Provider** The provider of the driver package. -- **PublishedName** The name of the INF file after it was renamed. -- **Revision** The revision of the driver package. -- **SignatureStatus** Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2. -- **VersionMajor** The major version of the driver package. -- **VersionMinor** The minor version of the driver package. - - -### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove - -This event indicates that the InventoryUplevelDriverPackage object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync - -This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.RunContext - -This event indicates what should be expected in the data payload. - -The following fields are available: - -- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built. -- **AppraiserProcess** The name of the process that launched Appraiser. -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **CensusId** A unique hardware identifier. -- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry. -- **PCFP** An ID for the system calculated by hashing hardware identifiers. -- **Subcontext** Indicates what categories of incompatibilities appraiser is scanning for. Can be N/A, Resolve, or a semicolon-delimited list that can include App, Dev, Sys, Gat, or Rescan. -- **Time** The client time of the event. - - -### Microsoft.Windows.Appraiser.General.SystemMemoryAdd - -This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the device from upgrade due to memory restrictions? -- **MemoryRequirementViolated** Was a memory requirement violated? -- **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes). -- **ram** The amount of memory on the device. -- **ramKB** The amount of memory (in KB). -- **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes). -- **virtualKB** The amount of virtual memory (in KB). - - -### Microsoft.Windows.Appraiser.General.SystemMemoryRemove - -This event that the SystemMemory object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync - -This event indicates that a new set of SystemMemoryAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd - -This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **CompareExchange128Support** Does the CPU support CompareExchange128? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove - -This event indicates that the SystemProcessorCompareExchange object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync - -This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd - -This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **LahfSahfSupport** Does the CPU support LAHF/SAHF? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove - -This event indicates that the SystemProcessorLahfSahf object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync - -This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd - -This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support. -- **NXProcessorSupport** Does the processor support NX? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove - -This event indicates that the SystemProcessorNx object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync - -This event indicates that a new set of SystemProcessorNxAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd - -This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **PrefetchWSupport** Does the processor support PrefetchW? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove - -This event indicates that the SystemProcessorPrefetchW object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync - -This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add - -This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **SSE2ProcessorSupport** Does the processor support SSE2? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove - -This event indicates that the SystemProcessorSse2 object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync - -This event indicates that a new set of SystemProcessorSse2Add events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemTouchAdd - -This event sends data indicating whether the system supports touch, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer? -- **MaximumTouches** The maximum number of touch points supported by the device hardware. - - -### Microsoft.Windows.Appraiser.General.SystemTouchRemove - -This event indicates that the SystemTouch object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemTouchStartSync - -This event indicates that a new set of SystemTouchAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWimAdd - -This event sends data indicating whether the operating system is running from a compressed Windows Imaging Format (WIM) file, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **IsWimBoot** Is the current operating system running from a compressed WIM file? -- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM. - - -### Microsoft.Windows.Appraiser.General.SystemWimRemove - -This event indicates that the SystemWim object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWimStartSync - -This event indicates that a new set of SystemWimAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd - -This event sends data indicating whether the current operating system is activated, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated. -- **WindowsNotActivatedDecision** Is the current operating system activated? - - -### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove - -This event indicates that the SystemWindowsActivationStatus object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync - -This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWlanAdd - -This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked because of an emulated WLAN driver? -- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block? -- **WlanEmulatedDriver** Does the device have an emulated WLAN driver? -- **WlanExists** Does the device support WLAN at all? -- **WlanModulePresent** Are any WLAN modules present? -- **WlanNativeDriver** Does the device have a non-emulated WLAN driver? - - -### Microsoft.Windows.Appraiser.General.SystemWlanRemove - -This event indicates that the SystemWlan object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWlanStartSync - -This event indicates that a new set of SystemWlanAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.TelemetryRunHealth - -This event indicates the parameters and result of a telemetry (diagnostic) run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date. - -The following fields are available: - -- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built. -- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run. -- **AppraiserProcess** The name of the process that launched Appraiser. -- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots. -- **AuxFinal** Obsolete, always set to false. -- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app. -- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan. -- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. -- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent. -- **InboxDataVersion** The original version of the data files before retrieving any newer version. -- **IndicatorsWritten** Indicates if all relevant UEX indicators were successfully written or updated. -- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent. -- **PCFP** An ID for the system calculated by hashing hardware identifiers. -- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. -- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. -- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. -- **RunDate** The date that the telemetry run was stated, expressed as a filetime. -- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic. -- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. -- **RunResult** The hresult of the Appraiser telemetry run. -- **ScheduledUploadDay** The day scheduled for the upload. -- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run. -- **StoreHandleIsNotNull** Obsolete, always set to false -- **TelementrySent** Indicates if telemetry was successfully sent. -- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability. -- **Time** The client time of the event. -- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging. -- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated. - - -### Microsoft.Windows.Appraiser.General.WmdrmAdd - -This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **BlockingApplication** Same as NeedsDismissAction. -- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation. -- **WmdrmApiResult** Raw value of the API used to gather DRM state. -- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs. -- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased. -- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed. -- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses. -- **WmdrmPurchased** Indicates if the system has any files with permanent licenses. - - -### Microsoft.Windows.Appraiser.General.WmdrmRemove - -This event indicates that the Wmdrm object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.WmdrmStartSync - -This event indicates that a new set of WmdrmAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -## Census events - -### Census.App - -Provides information on IE and Census versions running on the device - -The following fields are available: - -- **AppraiserEnterpriseErrorCode** The error code of the last Appraiser enterprise run. -- **AppraiserErrorCode** The error code of the last Appraiser run. -- **AppraiserRunEndTimeStamp** The end time of the last Appraiser run. -- **AppraiserRunIsInProgressOrCrashed** Flag that indicates if the Appraiser run is in progress or has crashed. -- **AppraiserRunStartTimeStamp** The start time of the last Appraiser run. -- **AppraiserTaskEnabled** Whether the Appraiser task is enabled. -- **AppraiserTaskExitCode** The Appraiser task exist code. -- **AppraiserTaskLastRun** The last runtime for the Appraiser task. -- **CensusVersion** The version of Census that generated the current data for this device. -- **IEVersion** The version of Internet Explorer that is running on the device. - - -### Census.Battery - -This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date. - -The following fields are available: - -- **InternalBatteryCapablities** Represents information about what the battery is capable of doing. -- **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity  to estimate the battery's wear. -- **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh. -- **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance. -- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value. - - -### Census.Camera - -This event sends data about the resolution of cameras on the device, to help keep Windows up to date. - -The following fields are available: - -- **FrontFacingCameraResolution** Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0. -- **RearFacingCameraResolution** Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0. - - -### Census.Enterprise - -This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment. - -The following fields are available: - -- **AADDeviceId** Azure Active Directory device ID. -- **AzureOSIDPresent** Represents the field used to identify an Azure machine. -- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs. -- **CDJType** Represents the type of cloud domain joined for the machine. -- **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers. -- **ContainerType** The type of container, such as process or virtual machine hosted. -- **EnrollmentType** Defines the type of MDM enrollment on the device. -- **HashedDomain** The hashed representation of the user domain used for login. -- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false -- **IsDERequirementMet** Represents if the device can do device encryption. -- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption -- **IsDomainJoined** Indicates whether a machine is joined to a domain. -- **IsEDPEnabled** Represents if Enterprise data protected on the device. -- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. -- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID -- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment. -- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. -- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier - - -### Census.Firmware - -This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date. - -The following fields are available: - -- **FirmwareManufacturer** Represents the manufacturer of the device's firmware (BIOS). -- **FirmwareReleaseDate** Represents the date the current firmware was released. -- **FirmwareType** Represents the firmware type. The various types can be unknown, BIOS, UEFI. -- **FirmwareVersion** Represents the version of the current firmware. - - -### Census.Flighting - -This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up to date. - -The following fields are available: - -- **DeviceSampleRate** The telemetry sample rate assigned to the device. -- **EnablePreviewBuilds** Used to enable Windows Insider builds on a device. -- **FlightIds** A list of the different Windows Insider builds on this device. -- **FlightingBranchName** The name of the Windows Insider branch currently used by the device. -- **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program. -- **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device. -- **SSRK** Retrieves the mobile targeting settings. - - -### Census.Hardware - -This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up to date. - -The following fields are available: - -- **ActiveMicCount** The number of active microphones attached to the device. -- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36. -- **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields. -- **D3DMaxFeatureLevel** Supported Direct3D version. -- **DeviceColor** Indicates a color of the device. -- **DeviceForm** Indicates the form as per the device classification. -- **DeviceName** The device name that is set by the user. -- **DigitizerSupport** Is a digitizer supported? -- **DUID** The device unique ID. -- **Gyroscope** Indicates whether the device has a gyroscope (a mechanical component that measures and maintains orientation). -- **InventoryId** The device ID used for compatibility testing. -- **Magnetometer** Indicates whether the device has a magnetometer (a mechanical component that works like a compass). -- **NFCProximity** Indicates whether the device supports NFC (a set of communication protocols that helps establish communication when applicable devices are brought close together.) -- **OEMDigitalMarkerFileName** The name of the file placed in the \Windows\system32\drivers directory that specifies the OEM and model name of the device. -- **OEMManufacturerName** The device manufacturer name. The OEMName for an inactive device is not reprocessed even if the clean OEM name is changed at a later date. -- **OEMModelBaseBoard** The baseboard model used by the OEM. -- **OEMModelBaseBoardVersion** Differentiates between developer and retail devices. -- **OEMModelName** The device model name. -- **OEMModelNumber** The device model number. -- **OEMModelSKU** The device edition that is defined by the manufacturer. -- **OEMModelSystemFamily** The system family set on the device by an OEM. -- **OEMModelSystemVersion** The system model version set on the device by the OEM. -- **OEMOptionalIdentifier** A Microsoft assigned value that represents a specific OEM subsidiary. -- **OEMSerialNumber** The serial number of the device that is set by the manufacturer. -- **PhoneManufacturer** The friendly name of the phone manufacturer. -- **PowerPlatformRole** The OEM preferred power management profile. It's used to help to identify the basic form factor of the device. -- **SoCName** The firmware manufacturer of the device. -- **StudyID** Used to identify retail and non-retail device. -- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced. -- **TelemetryLevelLimitEnhanced** The telemetry level for Windows Analytics-based solutions. -- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user. -- **TPMManufacturerId** The ID of the TPM manufacturer. -- **TPMManufacturerVersion** The version of the TPM manufacturer. -- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0. -- **VoiceSupported** Does the device have a cellular radio capable of making voice calls? - - -### Census.Memory - -This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to date. - -The following fields are available: - -- **TotalPhysicalRAM** Represents the physical memory (in MB). -- **TotalVisibleMemory** Represents the memory that is not reserved by the system. - - -### Census.Network - -This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors), to help keep Windows up to date. - -The following fields are available: - -- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. -- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. -- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MEID** Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. -- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MobileOperatorBilling** Represents the telephone company that provides services for mobile phone users. -- **MobileOperatorCommercialized** Represents which reseller and geography the phone is commercialized for. This is the set of values on the phone for who and where it was intended to be used. For example, the commercialized mobile operator code AT&T in the US would be ATT-US. -- **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. -- **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. -- **NetworkAdapterGUID** The GUID of the primary network adapter. -- **NetworkCost** Represents the network cost associated with a connection. -- **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. -- **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. - - -### Census.OS - -This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date. - -The following fields are available: - -- **ActivationChannel** Retrieves the retail license key or Volume license key for a machine. -- **AssignedAccessStatus** Kiosk configuration mode. -- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled. -- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy. -- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time -- **GenuineState** Retrieves the ID Value specifying the OS Genuine check. -- **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update). -- **InstallLanguage** The first language installed on the user machine. -- **IsDeviceRetailDemo** Retrieves if the device is running in demo mode. -- **IsEduData** Returns Boolean if the education data policy is enabled. -- **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go -- **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI. -- **LanguagePacks** The list of language packages installed on the device. -- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store. -- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. -- **OSEdition** Retrieves the version of the current OS. -- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc -- **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). -- **OSSKU** Retrieves the Friendly Name of OS Edition. -- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. -- **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines. -- **OSTimeZoneBiasInMins** Retrieves the time zone set on machine. -- **OSUILocale** Retrieves the locale of the UI that is currently used by the OS. -- **ProductActivationResult** Returns Boolean if the OS Activation was successful. -- **ProductActivationTime** Returns the OS Activation time for tracking piracy issues. -- **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key. -- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability. -- **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. -- **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. -- **ServiceProductKeyID** Retrieves the License key of the KMS -- **SharedPCMode** Returns Boolean for education devices used as shared cart -- **Signature** Retrieves if it is a signature machine sold by Microsoft store. -- **SLICStatus** Whether a SLIC table exists on the device. -- **SLICVersion** Returns OS type/version from SLIC table. - - -### Census.PrivacySettings - -This event provides information about the device level privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represent the authority that set the value. The effective consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. - -The following fields are available: - -- **Activity** Current state of the activity history setting. -- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. -- **ActivityHistoryCollection** Current state of the activity history collection setting. -- **AdvertisingId** Current state of the advertising ID setting. -- **AppDiagnostics** Current state of the app diagnostics setting. -- **Appointments** Current state of the calendar setting. -- **Bluetooth** Current state of the Bluetooth capability setting. -- **BluetoothSync** Current state of the Bluetooth sync capability setting. -- **BroadFileSystemAccess** Current state of the broad file system access setting. -- **CellularData** Current state of the cellular data capability setting. -- **Chat** Current state of the chat setting. -- **Contacts** Current state of the contacts setting. -- **DocumentsLibrary** Current state of the documents library setting. -- **Email** Current state of the email setting. -- **FindMyDevice** Current state of the "find my device" setting. -- **GazeInput** Current state of the gaze input setting. -- **HumanInterfaceDevice** Current state of the human interface device setting. -- **InkTypeImprovement** Current state of the improve inking and typing setting. -- **Location** Current state of the location setting. -- **LocationHistory** Current state of the location history setting. -- **LocationHistoryCloudSync** Current state of the location history cloud sync setting. -- **LocationHistoryOnTimeline** Current state of the location history on timeline setting. -- **Microphone** Current state of the microphone setting. -- **PhoneCall** Current state of the phone call setting. -- **PhoneCallHistory** Current state of the call history setting. -- **PicturesLibrary** Current state of the pictures library setting. -- **Radios** Current state of the radios setting. -- **SensorsCustom** Current state of the custom sensor setting. -- **SerialCommunication** Current state of the serial communication setting. -- **Sms** Current state of the text messaging setting. -- **SpeechPersonalization** Current state of the speech services setting. -- **USB** Current state of the USB setting. -- **UserAccountInformation** Current state of the account information setting. -- **UserDataTasks** Current state of the tasks setting. -- **UserNotificationListener** Current state of the notifications setting. -- **VideosLibrary** Current state of the videos library setting. -- **Webcam** Current state of the camera setting. -- **WiFiDirect** Current state of the Wi-Fi direct setting. - - -### Census.Processor - -Provides information on several important data points about Processor settings - -The following fields are available: - -- **KvaShadow** This is the micro code information of the processor. -- **MMSettingOverride** Microcode setting of the processor. -- **MMSettingOverrideMask** Microcode setting override of the processor. -- **PreviousUpdateRevision** Previous microcode revision -- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. -- **ProcessorClockSpeed** Clock speed of the processor in MHz. -- **ProcessorCores** Number of logical cores in the processor. -- **ProcessorIdentifier** Processor Identifier of a manufacturer. -- **ProcessorManufacturer** Name of the processor manufacturer. -- **ProcessorModel** Name of the processor model. -- **ProcessorPhysicalCores** Number of physical cores in the processor. -- **ProcessorUpdateRevision** The microcode revision. -- **ProcessorUpdateStatus** Enum value that represents the processor microcode load status -- **SocketCount** Count of CPU sockets. -- **SpeculationControl** Indicates whether the system has enabled protections needed to validate the speculation control vulnerability. - - -### Census.Security - -This event provides information on about security settings used to help keep Windows up to date and secure. - -The following fields are available: - -- **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard. -- **CGRunning** Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. This field tells if Credential Guard is running. -- **DGState** This field summarizes the Device Guard state. -- **HVCIRunning** Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all software running in kernel mode to safely allocate memory. This field tells if HVCI is running. -- **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest. -- **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host. -- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security. -- **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting. -- **SModeState** The Windows S mode trail state. -- **VBSState** Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled, Enabled, or Running. - - -### Census.Speech - -This event is used to gather basic speech settings on the device. - -The following fields are available: - -- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked. -- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities. -- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user. -- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. -- **KeyVer** Version information for the census speech event. -- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS). -- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. -- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities. -- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice. -- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device. -- **SpeechServicesValueSource** Indicates the deciding factor for the effective online speech recognition privacy policy settings: remote admin, local admin, or user preference. - - -### Census.Storage - -This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date. - -The following fields are available: - -- **PrimaryDiskTotalCapacity** Retrieves the amount of disk space on the primary disk of the device in MB. -- **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any). -- **StorageReservePassedPolicy** Indicates whether the Storage Reserve policy, which ensures that updates have enough disk space and customers are on the latest OS, is enabled on this device. -- **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB. - - -### Census.Userdefault - -This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date. - -The following fields are available: - -- **CalendarType** The calendar identifiers that are used to specify different calendars. -- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. -- **DefaultBrowserProgId** The ProgramId of the current user's default browser. -- **LongDateFormat** The long date format the user has selected. -- **ShortDateFormat** The short date format the user has selected. - - -### Census.UserDisplay - -This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date. - -The following fields are available: - -- **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display. -- **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display. -- **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display. -- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display. -- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display. -- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display. -- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches . -- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches -- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine -- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine. -- **VRAMDedicated** Retrieves the video RAM in MB. -- **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card. -- **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use. - - -### Census.UserNLS - -This event sends data about the default app language, input, and display language preferences set by the user, to help keep Windows up to date. - -The following fields are available: - -- **DefaultAppLanguage** The current user Default App Language. -- **DisplayLanguage** The current user preferred Windows Display Language. -- **HomeLocation** The current user location, which is populated using GetUserGeoId() function. -- **KeyboardInputLanguages** The Keyboard input languages installed on the device. -- **SpeechInputLanguages** The Speech Input languages installed on the device. - - -### Census.UserPrivacySettings - -This event provides information about the current users privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represents the authority that set the value. The effective consent is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = user, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. - -The following fields are available: - -- **Activity** Current state of the activity history setting. -- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. -- **ActivityHistoryCollection** Current state of the activity history collection setting. -- **AdvertisingId** Current state of the advertising ID setting. -- **AppDiagnostics** Current state of the app diagnostics setting. -- **Appointments** Current state of the calendar setting. -- **Bluetooth** Current state of the Bluetooth capability setting. -- **BluetoothSync** Current state of the Bluetooth sync capability setting. -- **BroadFileSystemAccess** Current state of the broad file system access setting. -- **CellularData** Current state of the cellular data capability setting. -- **Chat** Current state of the chat setting. -- **Contacts** Current state of the contacts setting. -- **DocumentsLibrary** Current state of the documents library setting. -- **Email** Current state of the email setting. -- **GazeInput** Current state of the gaze input setting. -- **HumanInterfaceDevice** Current state of the human interface device setting. -- **InkTypeImprovement** Current state of the improve inking and typing setting. -- **InkTypePersonalization** Current state of the inking and typing personalization setting. -- **Location** Current state of the location setting. -- **LocationHistory** Current state of the location history setting. -- **LocationHistoryCloudSync** Current state of the location history cloud synchronization setting. -- **LocationHistoryOnTimeline** Current state of the location history on timeline setting. -- **Microphone** Current state of the microphone setting. -- **PhoneCall** Current state of the phone call setting. -- **PhoneCallHistory** Current state of the call history setting. -- **PicturesLibrary** Current state of the pictures library setting. -- **Radios** Current state of the radios setting. -- **SensorsCustom** Current state of the custom sensor setting. -- **SerialCommunication** Current state of the serial communication setting. -- **Sms** Current state of the text messaging setting. -- **SpeechPersonalization** Current state of the speech services setting. -- **USB** Current state of the USB setting. -- **UserAccountInformation** Current state of the account information setting. -- **UserDataTasks** Current state of the tasks setting. -- **UserNotificationListener** Current state of the notifications setting. -- **VideosLibrary** Current state of the videos library setting. -- **Webcam** Current state of the camera setting. -- **WiFiDirect** Current state of the Wi-Fi direct setting. - - -### Census.VM - -This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date. - -The following fields are available: - -- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within. -- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor. -- **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present. -- **IsVDI** Is the device using Virtual Desktop Infrastructure? -- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors. -- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware. -- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware. - - -### Census.WU - -This event sends data about the Windows update server and other App store policies, to help keep Windows up to date. - -The following fields are available: - -- **AppraiserGatedStatus** Indicates whether a device has been gated for upgrading. -- **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled). -- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured -- **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting -- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades. -- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it? -- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update? -- **OSAssessmentForQualityUpdate** Is the device on the latest quality update? -- **OSAssessmentForSecurityUpdate** Is the device on the latest security update? -- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it? -- **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment. -- **OSRollbackCount** The number of times feature updates have rolled back on the device. -- **OSRolledBack** A flag that represents when a feature update has rolled back during setup. -- **OSUninstalled** A flag that represents when a feature update is uninstalled on a device . -- **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device. -- **OSWUAutoUpdateOptionsSource** The source of auto update setting that appears in the OSWUAutoUpdateOptions field. For example: Group Policy (GP), Mobile Device Management (MDM), and Default. -- **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently. -- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). -- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. -- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. -- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. -- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. -- **WUPauseState** Retrieves WU setting to determine if updates are paused. -- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). - - -### Census.Xbox - -This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date. - -The following fields are available: - -- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console. -- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console. -- **XboxLiveDeviceId** Retrieves the unique device ID of the console. -- **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft. - - -## Common data extensions - -### Common Data Extensions.app - -Describes the properties of the running application. This extension could be populated by a client app or a web app. - -The following fields are available: - -- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session. -- **env** The environment from which the event was logged. -- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event. -- **id** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application. -- **locale** The locale of the app. -- **name** The name of the app. -- **userId** The userID as known by the application. -- **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app. - - -### Common Data Extensions.container - -Describes the properties of the container for events logged within a container. - -The following fields are available: - -- **epoch** An ID that's incremented for each SDK initialization. -- **localId** The device ID as known by the client. -- **osVer** The operating system version. -- **seq** An ID that's incremented for each event. -- **type** The container type. Examples: Process or VMHost - - -### Common Data Extensions.cs - -Describes properties related to the schema of the event. - -The following fields are available: - -- **sig** A common schema signature that identifies new and modified event schemas. - - -### Common Data Extensions.device - -Describes the device-related fields. - -The following fields are available: - -- **deviceClass** The device classification. For example, Desktop, Server, or Mobile. -- **localId** A locally-defined unique ID for the device. This is not the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId -- **make** Device manufacturer. -- **model** Device model. - - -### Common Data Extensions.Envelope - -Represents an envelope that contains all of the common data extensions. - -The following fields are available: - -- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries. -- **data** Represents the optional unique diagnostic data for a particular event schema. -- **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp). -- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer). -- **ext_cs** Describes properties related to the schema of the event. See [Common Data Extensions.cs](#common-data-extensionscs). -- **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice). -- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos). -- **ext_receipts** Describes the fields related to time as provided by the client for debugging purposes. See [Common Data Extensions.receipts](#common-data-extensionsreceipts). -- **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk). -- **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser). -- **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc). -- **ext_xbl** Describes the fields related to XBOX Live. See [Common Data Extensions.xbl](#common-data-extensionsxbl). -- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency. -- **iKey** Represents an ID for applications or other logical groupings of events. -- **name** Represents the uniquely qualified name for the event. -- **popSample** Represents the effective sample rate for this event at the time it was generated by a client. -- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format. -- **ver** Represents the major and minor version of the extension. - - -### Common Data Extensions.os - -Describes some properties of the operating system. - -The following fields are available: - -- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot. -- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema. -- **locale** Represents the locale of the operating system. -- **name** Represents the operating system name. -- **ver** Represents the major and minor version of the extension. - - -### Common Data Extensions.receipts - -Represents various time information as provided by the client and helps for debugging purposes. - -The following fields are available: - -- **originalTime** The original event time. -- **uploadTime** The time the event was uploaded. - - -### Common Data Extensions.sdk - -Used by platform specific libraries to record fields that are required for a specific SDK. - -The following fields are available: - -- **epoch** An ID that is incremented for each SDK initialization. -- **installId** An ID that's created during the initialization of the SDK for the first time. -- **libVer** The SDK version. -- **seq** An ID that is incremented for each event. - - -### Common Data Extensions.user - -Describes the fields related to a user. - -The following fields are available: - -- **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token. -- **locale** The language and region. -- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID. - - -### Common Data Extensions.utc - -Describes the properties that could be populated by a logging library on Windows. - -The following fields are available: - -- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW. -- **bSeq** Upload buffer sequence number in the format: buffer identifier:sequence number -- **cat** Represents a bitmask of the ETW Keywords associated with the event. -- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer. -- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server. -- **flags** Represents the bitmap that captures various Windows specific flags. -- **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence -- **op** Represents the ETW Op Code. -- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. -- **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server. -- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. - - -### Common Data Extensions.xbl - -Describes the fields that are related to XBOX Live. - -The following fields are available: - -- **claims** Any additional claims whose short claim name hasn't been added to this structure. -- **did** XBOX device ID -- **dty** XBOX device type -- **dvr** The version of the operating system on the device. -- **eid** A unique ID that represents the developer entity. -- **exp** Expiration time -- **ip** The IP address of the client device. -- **nbf** Not before time -- **pid** A comma separated list of PUIDs listed as base10 numbers. -- **sbx** XBOX sandbox identifier -- **sid** The service instance ID. -- **sty** The service type. -- **tid** The XBOX Live title ID. -- **tvr** The XBOX Live title version. -- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. -- **xid** A list of base10-encoded XBOX User IDs. - - -## Common data fields - -### Ms.Device.DeviceInventoryChange - -Describes the installation state for all hardware and software components available on a particular device. - -The following fields are available: - -- **action** The change that was invoked on a device inventory object. -- **inventoryId** Device ID used for Compatibility testing -- **objectInstanceId** Object identity which is unique within the device scope. -- **objectType** Indicates the object type that the event applies to. -- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. - - -## Compatibility events - -### Microsoft.Windows.Compatibility.Apphelp.SdbFix - -Product instrumentation for helping debug/troubleshoot issues with inbox compatibility components. - -The following fields are available: - -- **AppName** Name of the application impacted by SDB. -- **FixID** SDB GUID. -- **Flags** List of flags applied. -- **ImageName** Name of file. - - -## Component-based servicing events - -### CbsServicingProvider.CbsCapabilityEnumeration - -This event reports on the results of scanning for optional Windows content on Windows Update. - -The following fields are available: - -- **architecture** Indicates the scan was limited to the specified architecture. -- **capabilityCount** The number of optional content packages found during the scan. -- **clientId** The name of the application requesting the optional content. -- **duration** The amount of time it took to complete the scan. -- **hrStatus** The HReturn code of the scan. -- **language** Indicates the scan was limited to the specified language. -- **majorVersion** Indicates the scan was limited to the specified major version. -- **minorVersion** Indicates the scan was limited to the specified minor version. -- **namespace** Indicates the scan was limited to packages in the specified namespace. -- **sourceFilter** A bitmask indicating the scan checked for locally available optional content. -- **stackBuild** The build number of the servicing stack. -- **stackMajorVersion** The major version number of the servicing stack. -- **stackMinorVersion** The minor version number of the servicing stack. -- **stackRevision** The revision number of the servicing stack. - - -### CbsServicingProvider.CbsCapabilitySessionFinalize - -This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. - -The following fields are available: - -- **capabilities** The names of the optional content packages that were installed. -- **clientId** The name of the application requesting the optional content. -- **currentID** The ID of the current install session. -- **downloadSource** The source of the download. -- **highestState** The highest final install state of the optional content. -- **hrLCUReservicingStatus** Indicates whether the optional content was updated to the latest available version. -- **hrStatus** The HReturn code of the install operation. -- **rebootCount** The number of reboots required to complete the install. -- **retryID** The session ID that will be used to retry a failed operation. -- **retryStatus** Indicates whether the install will be retried in the event of failure. -- **stackBuild** The build number of the servicing stack. -- **stackMajorVersion** The major version number of the servicing stack. -- **stackMinorVersion** The minor version number of the servicing stack. -- **stackRevision** The revision number of the servicing stack. - - -### CbsServicingProvider.CbsCapabilitySessionPended - -This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date. - -The following fields are available: - -- **clientId** The name of the application requesting the optional content. -- **pendingDecision** Indicates the cause of reboot, if applicable. - - -### CbsServicingProvider.CbsLateAcquisition - -This event sends data to indicate if some Operating System packages could not be updated as part of an upgrade, to help keep Windows up to date. - -The following fields are available: - -- **Features** The list of feature packages that could not be updated. -- **RetryID** The ID identifying the retry attempt to update the listed packages. - - -### CbsServicingProvider.CbsPackageRemoval - -This event provides information about the results of uninstalling a Windows Cumulative Security Update to help keep Windows up to date. - -The following fields are available: - -- **buildVersion** The build number of the security update being uninstalled. -- **clientId** The name of the application requesting the uninstall. -- **currentStateEnd** The final state of the update after the operation. -- **failureDetails** Information about the cause of a failure, if applicable. -- **failureSourceEnd** The stage during the uninstall where the failure occurred. -- **hrStatusEnd** The overall exit code of the operation. -- **initiatedOffline** Indicates if the uninstall was initiated for a mounted Windows image. -- **majorVersion** The major version number of the security update being uninstalled. -- **minorVersion** The minor version number of the security update being uninstalled. -- **originalState** The starting state of the update before the operation. -- **pendingDecision** Indicates the cause of reboot, if applicable. -- **primitiveExecutionContext** The state during system startup when the uninstall was completed. -- **revisionVersion** The revision number of the security update being uninstalled. -- **transactionCanceled** Indicates whether the uninstall was cancelled. - - -### CbsServicingProvider.CbsQualityUpdateInstall - -This event reports on the performance and reliability results of installing Servicing content from Windows Update to keep Windows up to date. - -The following fields are available: - -- **buildVersion** The build version number of the update package. -- **clientId** The name of the application requesting the optional content. -- **corruptionHistoryFlags** A bitmask of the types of component store corruption that have caused update failures on the device. -- **corruptionType** An enumeration listing the type of data corruption responsible for the current update failure. -- **currentStateEnd** The final state of the package after the operation has completed. -- **doqTimeSeconds** The time in seconds spent updating drivers. -- **executeTimeSeconds** The number of seconds required to execute the install. -- **failureDetails** The driver or installer that caused the update to fail. -- **failureSourceEnd** An enumeration indicating at what phase of the update a failure occurred. -- **hrStatusEnd** The return code of the install operation. -- **initiatedOffline** A true or false value indicating whether the package was installed into an offline Windows Imaging Format (WIM) file. -- **majorVersion** The major version number of the update package. -- **minorVersion** The minor version number of the update package. -- **originalState** The starting state of the package. -- **overallTimeSeconds** The time (in seconds) to perform the overall servicing operation. -- **planTimeSeconds** The time in seconds required to plan the update operations. -- **poqTimeSeconds** The time in seconds processing file and registry operations. -- **postRebootTimeSeconds** The time (in seconds) to do startup processing for the update. -- **preRebootTimeSeconds** The time (in seconds) between execution of the installation and the reboot. -- **primitiveExecutionContext** An enumeration indicating at what phase of shutdown or startup the update was installed. -- **rebootCount** The number of reboots required to install the update. -- **rebootTimeSeconds** The time (in seconds) before startup processing begins for the update. -- **resolveTimeSeconds** The time in seconds required to resolve the packages that are part of the update. -- **revisionVersion** The revision version number of the update package. -- **rptTimeSeconds** The time in seconds spent executing installer plugins. -- **shutdownTimeSeconds** The time (in seconds) required to do shutdown processing for the update. -- **stackRevision** The revision number of the servicing stack. -- **stageTimeSeconds** The time (in seconds) required to stage all files that are part of the update. - - -## Deployment extensions - -### DeploymentTelemetry.Deployment_End - -This event indicates that a Deployment 360 API has completed. - -The following fields are available: - -- **ClientId** Client ID of the user utilizing the D360 API. -- **ErrorCode** Error code of action. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **Mode** Phase in upgrade. -- **RelatedCV** The correction vector (CV) of any other related events -- **Result** End result of the action. - - -### DeploymentTelemetry.Deployment_SetupBoxLaunch - -This event indicates that the Deployment 360 APIs have launched Setup Box. - -The following fields are available: - -- **ClientId** The client ID of the user utilizing the D360 API. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **Quiet** Whether Setup will run in quiet mode or full mode. -- **RelatedCV** The correlation vector (CV) of any other related events. -- **SetupMode** The current setup phase. - - -### DeploymentTelemetry.Deployment_SetupBoxResult - -This event indicates that the Deployment 360 APIs have received a return from Setup Box. - -The following fields are available: - -- **ClientId** Client ID of the user utilizing the D360 API. -- **ErrorCode** Error code of the action. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **Quiet** Indicates whether Setup will run in quiet mode or full mode. -- **RelatedCV** The correlation vector (CV) of any other related events. -- **SetupMode** The current Setup phase. - - -### DeploymentTelemetry.Deployment_Start - -This event indicates that a Deployment 360 API has been called. - -The following fields are available: - -- **ClientId** Client ID of the user utilizing the D360 API. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **Mode** The current phase of the upgrade. -- **RelatedCV** The correlation vector (CV) of any other related events. - - -## Diagnostic data events - -### TelClientSynthetic.AuthorizationInfo_RuntimeTransition - -This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. - -The following fields are available: - -- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. -- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. -- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. -- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. -- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. -- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. -- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. -- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. -- **CanReportScenarios** True if we can report scenario completions, false otherwise. -- **PreviousPermissions** Bitmask of previous telemetry state. -- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. - - -### TelClientSynthetic.AuthorizationInfo_Startup - -Fired by UTC at startup to signal what data we are allowed to collect. - -The following fields are available: - -- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. -- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. -- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. -- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. -- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. -- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. -- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. -- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. -- **CanReportScenarios** True if we can report scenario completions, false otherwise. -- **PreviousPermissions** Bitmask of previous telemetry state. -- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. - - -### TelClientSynthetic.ConnectivityHeartBeat_0 - -This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. - -The following fields are available: - -- **CensusExitCode** Returns last execution codes from census client run. -- **CensusStartTime** Returns timestamp corresponding to last successful census run. -- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. -- **LastConnectivityLossTime** Retrieves the last time the device lost free network. -- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. -- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. -- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds. - - -### TelClientSynthetic.HeartBeat_5 - -This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. - -The following fields are available: - -- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel. -- **CensusExitCode** The last exit code of the Census task. -- **CensusStartTime** Time of last Census run. -- **CensusTaskEnabled** True if Census is enabled, false otherwise. -- **CompressedBytesUploaded** Number of compressed bytes uploaded. -- **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. -- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. -- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling. -- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB. -- **DbCriticalDroppedCount** Total number of dropped critical events in event DB. -- **DbDroppedCount** Number of events dropped due to DB fullness. -- **DbDroppedFailureCount** Number of events dropped due to DB failures. -- **DbDroppedFullCount** Number of events dropped due to DB fullness. -- **DecodingDroppedCount** Number of events dropped due to decoding failures. -- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. -- **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. -- **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. -- **EventsPersistedCount** Number of events that reached the PersistEvent stage. -- **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC. -- **EventStoreResetCounter** Number of times event DB was reset. -- **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance. -- **EventSubStoreResetCounter** Number of times event DB was reset. -- **EventSubStoreResetSizeSum** Total size of event DB across all resets reports in this instance. -- **EventsUploaded** Number of events uploaded. -- **Flags** Flags indicating device state such as network state, battery state, and opt-in state. -- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. -- **HeartBeatSequenceNumber** The sequence number of this heartbeat. -- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. -- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. -- **LastEventSizeOffender** Event name of last event which exceeded max event size. -- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. -- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. -- **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. -- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). -- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. -- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. -- **SettingsHttpFailures** The number of failures from contacting the OneSettings service. -- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. -- **TopUploaderErrors** List of top errors received from the upload endpoint. -- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. -- **UploaderErrorCount** Number of errors received from the upload endpoint. -- **VortexFailuresTimeout** The number of timeout failures received from Vortex. -- **VortexHttpAttempts** Number of attempts to contact Vortex. -- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. -- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. -- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. -- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. - - -### TelClientSynthetic.HeartBeat_Aria_5 - -This event is the telemetry client ARIA heartbeat. - -The following fields are available: - -- **CompressedBytesUploaded** Number of compressed bytes uploaded. -- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. -- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. -- **DbCriticalDroppedCount** Total number of dropped critical events in event database. -- **DbDroppedCount** Number of events dropped at the database layer. -- **DbDroppedFailureCount** Number of events dropped due to database failures. -- **DbDroppedFullCount** Number of events dropped due to database being full. -- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. -- **EventsPersistedCount** Number of events that reached the PersistEvent stage. -- **EventStoreLifetimeResetCounter** Number of times the event store has been reset. -- **EventStoreResetCounter** Number of times the event store has been reset during this heartbeat. -- **EventStoreResetSizeSum** Size of event store reset in bytes. -- **EventsUploaded** Number of events uploaded. -- **HeartBeatSequenceNumber** The sequence number of this heartbeat. -- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. -- **LastEventSizeOffender** Event name of last event which exceeded max event size. -- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. -- **PreviousHeartBeatTime** The FILETIME of the previous heartbeat fire. -- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. -- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. -- **SettingsHttpFailures** Number of failures from contacting OneSettings service. -- **TopUploaderErrors** List of top errors received from the upload endpoint. -- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. -- **UploaderErrorCount** Number of errors received from the upload endpoint. -- **VortexFailuresTimeout** Number of time out failures received from Vortex. -- **VortexHttpAttempts** Number of attempts to contact Vortex. -- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. -- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. -- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. -- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. - - -### TelClientSynthetic.HeartBeat_Seville_5 - -This event is sent by the universal telemetry client (UTC) as a heartbeat signal for Sense. - -The following fields are available: - -- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host or agent channel. -- **CompressedBytesUploaded** Number of compressed bytes uploaded. -- **ConsumerDroppedCount** Number of events dropped at consumer layer of the telemetry client. -- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. -- **CriticalDataThrottleDroppedCount** Number of critical data sampled events dropped due to throttling. -- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. -- **DailyUploadQuotaInBytes** Daily upload quota for Sense in bytes (only in in-proc mode). -- **DbCriticalDroppedCount** Total number of dropped critical events in event database. -- **DbDroppedCount** Number of events dropped due to database being full. -- **DbDroppedFailureCount** Number of events dropped due to database failures. -- **DbDroppedFullCount** Number of events dropped due to database being full. -- **DecodingDroppedCount** Number of events dropped due to decoding failures. -- **DiskSizeInBytes** Size of event store for Sense in bytes (only in in-proc mode). -- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. -- **EtwDroppedBufferCount** Number of buffers dropped in the universal telemetry client (UTC) event tracing for Windows (ETW) session. -- **EtwDroppedCount** Number of events dropped at the event tracing for Windows (ETW) layer of telemetry client. -- **EventsPersistedCount** Number of events that reached the PersistEvent stage. -- **EventStoreLifetimeResetCounter** Number of times event the database was reset for the lifetime of the universal telemetry client (UTC). -- **EventStoreResetCounter** Number of times the event database was reset. -- **EventStoreResetSizeSum** Total size of the event database across all resets reports in this instance. -- **EventsUploaded** Number of events uploaded. -- **Flags** Flags indicating device state, such as network state, battery state, and opt-in state. -- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. -- **HeartBeatSequenceNumber** The sequence number of this heartbeat. -- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. -- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. -- **LastEventSizeOffender** Event name of last event which exceeded the maximum event size. -- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. -- **MaxActiveAgentConnectionCount** Maximum number of active agents during this heartbeat timeframe. -- **NormalUploadTimerMillis** Number of milliseconds between each upload of normal events for SENSE (only in in-proc mode). -- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). -- **RepeatedUploadFailureDropped** Number of events lost due to repeated failed uploaded attempts. -- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. -- **SettingsHttpFailures** Number of failures from contacting the OneSettings service. -- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. -- **TopUploaderErrors** Top uploader errors, grouped by endpoint and error type. -- **UploaderDroppedCount** Number of events dropped at the uploader layer of the telemetry client. -- **UploaderErrorCount** Number of input for the TopUploaderErrors mode estimation. -- **VortexFailuresTimeout** Number of time out failures received from Vortex. -- **VortexHttpAttempts** Number of attempts to contact Vortex. -- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. -- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. -- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. -- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. - - -## Direct to update events - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicabilityGenericFailure - -This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call. - -The following fields are available: - -- **CampaignID** ID of the campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Cleanup call. - -The following fields are available: - -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector -- **hResult** HRESULT of the failure - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupSuccess - -This event indicates that the Coordinator Cleanup call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Commit call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitSuccess - -This event indicates that the Coordinator Commit call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Download call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadIgnoredFailure - -This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Download call that will be ignored. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadSuccess - -This event indicates that the Coordinator Download call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator HandleShutdown call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinate version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownSuccess - -This event indicates that the Coordinator HandleShutdown call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Initialize call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeSuccess - -This event indicates that the Coordinator Initialize call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Install call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallIgnoredFailure - -This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Install call that will be ignored. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallSuccess - -This event indicates that the Coordinator Install call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorProgressCallBack - -This event indicates that the Coordinator's progress callback has been called. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **DeployPhase** Current Deploy Phase. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorSetCommitReadySuccess - -This event indicates that the Coordinator SetCommitReady call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiNotShown - -This event indicates that the Coordinator WaitForRebootUi call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSelection - -This event indicates that the user selected an option on the Reboot UI. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **rebootUiSelection** Selection on the Reboot UI. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSuccess - -This event indicates that the Coordinator WaitForRebootUi call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicabilityInternal call. - -The following fields are available: - -- **CampaignID** ID of the campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalSuccess - -This event indicates that the Handler CheckApplicabilityInternal call succeeded. - -The following fields are available: - -- **ApplicabilityResult** The result of the applicability check. -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilitySuccess - -This event indicates that the Handler CheckApplicability call succeeded. - -The following fields are available: - -- **ApplicabilityResult** The result code indicating whether the update is applicable. -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **CV_new** New correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionSuccess - -This event indicates that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **CheckIfCoordinatorMinApplicableVersionResult** Result of CheckIfCoordinatorMinApplicableVersion function. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Commit call. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **CV_new** New correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitSuccess - -This event indicates that the Handler Commit call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run.run -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **CV_new** New correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabFailure - -This event indicates that the Handler Download and Extract cab call failed. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **DownloadAndExtractCabFunction_failureReason** Reason why the update download and extract process failed. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabSuccess - -This event indicates that the Handler Download and Extract cab call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Download call. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadSuccess - -This event indicates that the Handler Download call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Initialize call. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extract. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeSuccess - -This event indicates that the Handler Initialize call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extraction. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Install call. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallSuccess - -This event indicates that the Coordinator Install call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadySuccess - -This event indicates that the Handler SetCommitReady call succeeded. - -The following fields are available: - -- **CampaignID** ID of the campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler WaitForRebootUi call. - -The following fields are available: - -- **CampaignID** The ID of the campaigning being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** The HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiSuccess - -This event indicates that the Handler WaitForRebootUi call succeeded. - -The following fields are available: - -- **CampaignID** ID of the campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -## DxgKernelTelemetry events - -### DxgKrnlTelemetry.GPUAdapterInventoryV2 - -This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date. - -The following fields are available: - -- **AdapterTypeValue** The numeric value indicating the type of Graphics adapter. -- **aiSeqId** The event sequence ID. -- **bootId** The system boot ID. -- **BrightnessVersionViaDDI** The version of the Display Brightness Interface. -- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. -- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). -- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). -- **DisplayAdapterLuid** The display adapter LUID. -- **DriverDate** The date of the display driver. -- **DriverRank** The rank of the display driver. -- **DriverVersion** The display driver version. -- **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store. -- **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store. -- **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store. -- **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store. -- **GPUDeviceID** The GPU device ID. -- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. -- **GPURevisionID** The GPU revision ID. -- **GPUVendorID** The GPU vendor ID. -- **InterfaceId** The GPU interface ID. -- **IsDisplayDevice** Does the GPU have displaying capabilities? -- **IsHwSchSupported** Indicates whether the adapter supports hardware scheduling. -- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? -- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? -- **IsLDA** Is the GPU comprised of Linked Display Adapters? -- **IsMiracastSupported** Does the GPU support Miracast? -- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor? -- **IsMPOSupported** Does the GPU support Multi-Plane Overlays? -- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution? -- **IsPostAdapter** Is this GPU the POST GPU in the device? -- **IsRemovable** TRUE if the adapter supports being disabled or removed. -- **IsRenderDevice** Does the GPU have rendering capabilities? -- **IsSoftwareDevice** Is this a software implementation of the GPU? -- **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store. -- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? -- **MsHybridDiscrete** Indicates whether the adapter is a discrete adapter in a hybrid configuration. -- **NumVidPnSources** The number of supported display output sources. -- **NumVidPnTargets** The number of supported display output targets. -- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes). -- **SubSystemID** The subsystem ID. -- **SubVendorID** The GPU sub vendor ID. -- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? -- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) -- **version** The event version. -- **WDDMVersion** The Windows Display Driver Model version. - - -## Failover Clustering events - -### Microsoft.Windows.Server.FailoverClusteringCritical.ClusterSummary2 - -This event returns information about how many resources and of what type are in the server cluster. This data is collected to keep Windows Server safe, secure, and up to date. The data includes information about whether hardware is configured correctly, if the software is patched correctly, and assists in preventing crashes by attributing issues (like fatal errors) to workloads and system configurations. - -The following fields are available: - -- **autoAssignSite** The cluster parameter: auto site. -- **autoBalancerLevel** The cluster parameter: auto balancer level. -- **autoBalancerMode** The cluster parameter: auto balancer mode. -- **blockCacheSize** The configured size of the block cache. -- **ClusterAdConfiguration** The ad configuration of the cluster. -- **clusterAdType** The cluster parameter: mgmt_point_type. -- **clusterDumpPolicy** The cluster configured dump policy. -- **clusterFunctionalLevel** The current cluster functional level. -- **clusterGuid** The unique identifier for the cluster. -- **clusterWitnessType** The witness type the cluster is configured for. -- **countNodesInSite** The number of nodes in the cluster. -- **crossSiteDelay** The cluster parameter: CrossSiteDelay. -- **crossSiteThreshold** The cluster parameter: CrossSiteThreshold. -- **crossSubnetDelay** The cluster parameter: CrossSubnetDelay. -- **crossSubnetThreshold** The cluster parameter: CrossSubnetThreshold. -- **csvCompatibleFilters** The cluster parameter: ClusterCsvCompatibleFilters. -- **csvIncompatibleFilters** The cluster parameter: ClusterCsvIncompatibleFilters. -- **csvResourceCount** The number of resources in the cluster. -- **currentNodeSite** The name configured for the current site for the cluster. -- **dasModeBusType** The direct storage bus type of the storage spaces. -- **downLevelNodeCount** The number of nodes in the cluster that are running down-level. -- **drainOnShutdown** Specifies whether a node should be drained when it is shut down. -- **dynamicQuorumEnabled** Specifies whether dynamic Quorum has been enabled. -- **enforcedAntiAffinity** The cluster parameter: enforced anti affinity. -- **genAppNames** The win32 service name of a clustered service. -- **genSvcNames** The command line of a clustered genapp. -- **hangRecoveryAction** The cluster parameter: hang recovery action. -- **hangTimeOut** Specifies the “hang time out” parameter for the cluster. -- **isCalabria** Specifies whether storage spaces direct is enabled. -- **isMixedMode** Identifies if the cluster is running with different version of OS for nodes. -- **isRunningDownLevel** Identifies if the current node is running down-level. -- **logLevel** Specifies the granularity that is logged in the cluster log. -- **logSize** Specifies the size of the cluster log. -- **lowerQuorumPriorityNodeId** The cluster parameter: lower quorum priority node ID. -- **minNeverPreempt** The cluster parameter: minimum never preempt. -- **minPreemptor** The cluster parameter: minimum preemptor priority. -- **netftIpsecEnabled** The parameter: netftIpsecEnabled. -- **NodeCount** The number of nodes in the cluster. -- **nodeId** The current node number in the cluster. -- **nodeResourceCounts** Specifies the number of node resources. -- **nodeResourceOnlineCounts** Specifies the number of node resources that are online. -- **numberOfSites** The number of different sites. -- **numNodesInNoSite** The number of nodes not belonging to a site. -- **plumbAllCrossSubnetRoutes** The cluster parameter: plumb all cross subnet routes. -- **preferredSite** The preferred site location. -- **privateCloudWitness** Specifies whether a private cloud witness exists for this cluster. -- **quarantineDuration** The quarantine duration. -- **quarantineThreshold** The quarantine threshold. -- **quorumArbitrationTimeout** In the event of an arbitration event, this specifies the quorum timeout period. -- **resiliencyLevel** Specifies the level of resiliency. -- **resourceCounts** Specifies the number of resources. -- **resourceTypeCounts** Specifies the number of resource types in the cluster. -- **resourceTypes** Data representative of each resource type. -- **resourceTypesPath** Data representative of the DLL path for each resource type. -- **sameSubnetDelay** The cluster parameter: same subnet delay. -- **sameSubnetThreshold** The cluster parameter: same subnet threshold. -- **secondsInMixedMode** The amount of time (in seconds) that the cluster has been in mixed mode (nodes with different operating system versions in the same cluster). -- **securityLevel** The cluster parameter: security level. -- **securityLevelForStorage** The cluster parameter: security level for storage. -- **sharedVolumeBlockCacheSize** Specifies the block cache size for shared for shared volumes. -- **shutdownTimeoutMinutes** Specifies the amount of time it takes to time out when shutting down. -- **upNodeCount** Specifies the number of nodes that are up (online). -- **useClientAccessNetworksForCsv** The cluster parameter: use client access networks for CSV. -- **vmIsolationTime** The cluster parameter: VM isolation time. -- **witnessDatabaseWriteTimeout** Specifies the timeout period for writing to the quorum witness database. - - -## Fault Reporting events - -### Microsoft.Windows.FaultReporting.AppCrashEvent - -This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event. - -The following fields are available: - -- **AppName** The name of the app that has crashed. -- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. -- **AppTimeStamp** The date/time stamp of the app. -- **AppVersion** The version of the app that has crashed. -- **ExceptionCode** The exception code returned by the process that has crashed. -- **ExceptionOffset** The address where the exception had occurred. -- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. -- **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. -- **IsFatal** True/False to indicate whether the crash resulted in process termination. -- **ModName** Exception module name (e.g. bar.dll). -- **ModTimeStamp** The date/time stamp of the module. -- **ModVersion** The version of the module that has crashed. -- **PackageFullName** Store application identity. -- **PackageRelativeAppId** Store application identity. -- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. -- **ProcessCreateTime** The time of creation of the process that has crashed. -- **ProcessId** The ID of the process that has crashed. -- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. -- **TargetAppId** The kernel reported AppId of the application being reported. -- **TargetAppVer** The specific version of the application being reported -- **TargetAsId** The sequence number for the hanging process. - - -## Feature update events - -### Microsoft.Windows.Upgrade.Uninstall.UninstallFinalizedAndRebootTriggered - -This event indicates that the uninstall was properly configured and that a system reboot was initiated. - - - -### Microsoft.Windows.Upgrade.Uninstall.UninstallGoBackButtonClicked - -This event sends basic metadata about the starting point of uninstalling a feature update, which helps ensure customers can safely revert to a well-known state if the update caused any problems. - - - -## Hang Reporting events - -### Microsoft.Windows.HangReporting.AppHangEvent - -This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. - -The following fields are available: - -- **AppName** The name of the app that has hung. -- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend. -- **AppVersion** The version of the app that has hung. -- **IsFatal** True/False based on whether the hung application caused the creation of a Fatal Hang Report. -- **PackageFullName** Store application identity. -- **PackageRelativeAppId** Store application identity. -- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. -- **ProcessCreateTime** The time of creation of the process that has hung. -- **ProcessId** The ID of the process that has hung. -- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. -- **TargetAppId** The kernel reported AppId of the application being reported. -- **TargetAppVer** The specific version of the application being reported. -- **TargetAsId** The sequence number for the hanging process. -- **TypeCode** Bitmap describing the hang type. -- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application. -- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting. -- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting. -- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package. - - -## Inventory events - -### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum - -This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. - -The following fields are available: - -- **Device** A count of device objects in cache. -- **DeviceCensus** A count of device census objects in cache. -- **DriverPackageExtended** A count of driverpackageextended objects in cache. -- **File** A count of file objects in cache. -- **FileSigningInfo** A count of file signing objects in cache. -- **Generic** A count of generic objects in cache. -- **HwItem** A count of hwitem objects in cache. -- **InventoryApplication** A count of application objects in cache. -- **InventoryApplicationAppV** A count of application AppV objects in cache. -- **InventoryApplicationDriver** A count of application driver objects in cache -- **InventoryApplicationFile** A count of application file objects in cache. -- **InventoryApplicationFramework** A count of application framework objects in cache -- **InventoryApplicationShortcut** A count of application shortcut objects in cache -- **InventoryDeviceContainer** A count of device container objects in cache. -- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache. -- **InventoryDeviceMediaClass** A count of device media objects in cache. -- **InventoryDevicePnp** A count of device Plug and Play objects in cache. -- **InventoryDeviceUsbHubClass** A count of device usb objects in cache -- **InventoryDriverBinary** A count of driver binary objects in cache. -- **InventoryDriverPackage** A count of device objects in cache. -- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache -- **InventoryMiscellaneousOfficeAddInUsage** A count of office add-in usage objects in cache. -- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache -- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache -- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache -- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache -- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache -- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache -- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache -- **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache -- **Metadata** A count of metadata objects in cache. -- **Orphan** A count of orphan file objects in cache. -- **Programs** A count of program objects in cache. - - -### Microsoft.Windows.Inventory.Core.AmiTelCacheFileInfo - -Diagnostic data about the inventory cache. - -The following fields are available: - -- **CacheFileSize** Size of the cache. -- **InventoryVersion** Inventory version of the cache. -- **TempCacheCount** Number of temp caches created. -- **TempCacheDeletedCount** Number of temp caches deleted. - - -### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions - -This event sends inventory component versions for the Device Inventory data. - -The following fields are available: - -- **aeinv** The version of the App inventory component. -- **devinv** The file version of the Device inventory component. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd - -This event sends basic metadata about an application on the system to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **HiddenArp** Indicates whether a program hides itself from showing up in ARP. -- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). -- **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 -- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. -- **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array. -- **InventoryVersion** The version of the inventory file generating the events. -- **Language** The language code of the program. -- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. -- **MsiProductCode** A GUID that describe the MSI Product. -- **Name** The name of the application. -- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. -- **PackageFullName** The package full name for a Store application. -- **ProgramInstanceId** A hash of the file IDs in an app. -- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field. -- **RootDirPath** The path to the root directory where the program was installed. -- **Source** How the program was installed (for example, ARP, MSI, Appx). -- **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp. -- **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen. -- **Version** The version number of the program. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd - -This event represents what drivers an application installs. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory component. -- **ProgramIds** The unique program identifier the driver is associated with. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync - -The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory component. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd - -This event provides the basic metadata about the frameworks an application may depend on. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **FileId** A hash that uniquely identifies a file. -- **Frameworks** The list of frameworks this file depends on. -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync - -This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove - -This event indicates that a new set of InventoryDevicePnpAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync - -This event indicates that a new set of InventoryApplicationAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd - -This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device) to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Categories** A comma separated list of functional categories in which the container belongs. -- **DiscoveryMethod** The discovery method for the device container. -- **FriendlyName** The name of the device container. -- **InventoryVersion** The version of the inventory file generating the events. -- **IsActive** Is the device connected, or has it been seen in the last 14 days? -- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link. -- **IsMachineContainer** Is the container the root device itself? -- **IsNetworked** Is this a networked device? -- **IsPaired** Does the device container require pairing? -- **Manufacturer** The manufacturer name for the device container. -- **ModelId** A unique model ID. -- **ModelName** The model name. -- **ModelNumber** The model number for the device container. -- **PrimaryCategory** The primary category for the device container. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove - -This event indicates that the InventoryDeviceContainer object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync - -This event indicates that a new set of InventoryDeviceContainerAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd - -This event retrieves information about what sensor interfaces are available on the device. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Accelerometer3D** Indicates if an Accelerator3D sensor is found. -- **ActivityDetection** Indicates if an Activity Detection sensor is found. -- **AmbientLight** Indicates if an Ambient Light sensor is found. -- **Barometer** Indicates if a Barometer sensor is found. -- **Custom** Indicates if a Custom sensor is found. -- **EnergyMeter** Indicates if an Energy sensor is found. -- **FloorElevation** Indicates if a Floor Elevation sensor is found. -- **GeomagneticOrientation** Indicates if a Geo Magnetic Orientation sensor is found. -- **GravityVector** Indicates if a Gravity Detector sensor is found. -- **Gyrometer3D** Indicates if a Gyrometer3D sensor is found. -- **Humidity** Indicates if a Humidity sensor is found. -- **InventoryVersion** The version of the inventory file generating the events. -- **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found. -- **Magnetometer3D** Indicates if a Magnetometer3D sensor is found. -- **Orientation** Indicates if an Orientation sensor is found. -- **Pedometer** Indicates if a Pedometer sensor is found. -- **Proximity** Indicates if a Proximity sensor is found. -- **RelativeOrientation** Indicates if a Relative Orientation sensor is found. -- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found. -- **Temperature** Indicates if a Temperature sensor is found. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync - -This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd - -This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **audio.captureDriver** Audio device capture driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14887.1000:hdaudio\func_01 -- **audio.renderDriver** Audio device render driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14889.1001:hdaudio\func_01 -- **Audio_CaptureDriver** The Audio device capture driver endpoint. -- **Audio_RenderDriver** The Audio device render driver endpoint. -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove - -This event indicates that the InventoryDeviceMediaClassRemove object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync - -This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd - -This event represents the basic metadata about a plug and play (PNP) device and its associated driver. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **BusReportedDescription** The description of the device reported by the bux. -- **Class** The device setup class of the driver loaded for the device. -- **ClassGuid** The device class unique identifier of the driver package loaded on the device. -- **COMPID** The list of “Compatible IDs” for this device. -- **ContainerId** The system-supplied unique identifier that specifies which group(s) the device(s) installed on the parent (main) device belong to. -- **Description** The description of the device. -- **DeviceInterfaceClasses** The device interfaces that this device implements. -- **DeviceState** Identifies the current state of the parent (main) device. -- **DriverId** The unique identifier for the installed driver. -- **DriverName** The name of the driver image file. -- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage. -- **DriverVerDate** The date associated with the driver installed on the device. -- **DriverVerVersion** The version number of the driver installed on the device. -- **Enumerator** Identifies the bus that enumerated the device. -- **ExtendedInfs** The extended INF file names. -- **HWID** A list of hardware IDs for the device. -- **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). -- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx -- **InventoryVersion** The version number of the inventory process generating the events. -- **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. -- **LowerFilters** The identifiers of the Lower filters installed for the device. -- **Manufacturer** The manufacturer of the device. -- **MatchingID** The Hardware ID or Compatible ID that Windows uses to install a device instance. -- **Model** Identifies the model of the device. -- **ParentId** The Device Instance ID of the parent of the device. -- **ProblemCode** The error code currently returned by the device, if applicable. -- **Provider** Identifies the device provider. -- **Service** The name of the device service. -- **STACKID** The list of hardware IDs for the stack. -- **UpperClassFilters** The identifiers of the Upper Class filters installed for the device. -- **UpperFilters** The identifiers of the Upper filters installed for the device. - - -### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove - -This event indicates that the InventoryDevicePnpRemove object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync - -This event indicates that a new set of InventoryDevicePnpAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd - -This event sends basic metadata about the USB hubs on the device. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. -- **TotalUserConnectablePorts** Total number of connectable USB ports. -- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync - -This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent. - - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd - -This event provides the basic metadata about driver binaries running on the system. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **DriverCheckSum** The checksum of the driver file. -- **DriverCompany** The company name that developed the driver. -- **DriverInBox** Is the driver included with the operating system? -- **DriverIsKernelMode** Is it a kernel mode driver? -- **DriverName** The file name of the driver. -- **DriverPackageStrongName** The strong name of the driver package -- **DriverSigned** The strong name of the driver package -- **DriverTimeStamp** The low 32 bits of the time stamp of the driver file. -- **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. -- **DriverVersion** The version of the driver file. -- **ImageSize** The size of the driver file. -- **Inf** The name of the INF file. -- **InventoryVersion** The version of the inventory file generating the events. -- **Product** The product name that is included in the driver file. -- **ProductVersion** The product version that is included in the driver file. -- **Service** The name of the service that is installed for the device. -- **WdfVersion** The Windows Driver Framework version. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove - -This event indicates that the InventoryDriverBinary object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync - -This event indicates that a new set of InventoryDriverBinaryAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd - -This event sends basic metadata about drive packages installed on the system to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Class** The class name for the device driver. -- **ClassGuid** The class GUID for the device driver. -- **Date** The driver package date. -- **Directory** The path to the driver package. -- **DriverInBox** Is the driver included with the operating system? -- **Inf** The INF name of the driver package. -- **InventoryVersion** The version of the inventory file generating the events. -- **Provider** The provider for the driver package. -- **SubmissionId** The HLK submission ID for the driver package. -- **Version** The version of the driver package. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove - -This event indicates that the InventoryDriverPackageRemove object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync - -This event indicates that a new set of InventoryDriverPackageAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.StartUtcJsonTrace - -This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the beginning of the event download, and that tracing should begin. - - - -### Microsoft.Windows.Inventory.Core.StopUtcJsonTrace - -This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the end of the event download, and that tracing should end. - - - -### Microsoft.Windows.Inventory.General.AppHealthStaticAdd - -This event sends details collected for a specific application on the source device. - -The following fields are available: - -- **AhaVersion** The binary version of the App Health Analyzer tool. -- **ApplicationErrors** The count of application errors from the event log. -- **Bitness** The architecture type of the application (16 Bit or 32 bit or 64 bit). -- **device_level** Various JRE/JAVA versions installed on a particular device. -- **ExtendedProperties** Attribute used for aggregating all other attributes under this event type. -- **Jar** Flag to determine if an app has a Java JAR file dependency. -- **Jre** Flag to determine if an app has JRE framework dependency. -- **Jre_version** JRE versions an app has declared framework dependency for. -- **Name** Name of the application. -- **NonDPIAware** Flag to determine if an app is non-DPI aware. -- **NumBinaries** Count of all binaries (.sys,.dll,.ini) from application install location. -- **RequiresAdmin** Flag to determine if an app requests admin privileges for execution. -- **RequiresAdminv2** Additional flag to determine if an app requests admin privileges for execution. -- **RequiresUIAccess** Flag to determine if an app is based on UI features for accessibility. -- **VB6** Flag to determine if an app is based on VB6 framework. -- **VB6v2** Additional flag to determine if an app is based on VB6 framework. -- **Version** Version of the application. -- **VersionCheck** Flag to determine if an app has a static dependency on OS version. -- **VersionCheckv2** Additional flag to determine if an app has a static dependency on OS version. - - -### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync - -This event indicates the beginning of a series of AppHealthStaticAdd events. - -The following fields are available: - -- **AllowTelemetry** Indicates the presence of the 'allowtelemetry' command line argument. -- **CommandLineArgs** Command line arguments passed when launching the App Health Analyzer executable. -- **Enhanced** Indicates the presence of the 'enhanced' command line argument. -- **StartTime** UTC date and time at which this event was sent. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd - -Provides data on the installed Office Add-ins. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AddinCLSID** The class identifier key for the Microsoft Office add-in. -- **AddInCLSID** The class identifier key for the Microsoft Office add-in. -- **AddInId** The identifier for the Microsoft Office add-in. -- **AddinType** The type of the Microsoft Office add-in. -- **BinFileTimestamp** The timestamp of the Office add-in. -- **BinFileVersion** The version of the Microsoft Office add-in. -- **Description** Description of the Microsoft Office add-in. -- **FileId** The file identifier of the Microsoft Office add-in. -- **FileSize** The file size of the Microsoft Office add-in. -- **FriendlyName** The friendly name for the Microsoft Office add-in. -- **FullPath** The full path to the Microsoft Office add-in. -- **InventoryVersion** The version of the inventory binary generating the events. -- **LoadBehavior** Integer that describes the load behavior. -- **LoadTime** Load time for the Office add-in. -- **OfficeApplication** The Microsoft Office application associated with the add-in. -- **OfficeArchitecture** The architecture of the add-in. -- **OfficeVersion** The Microsoft Office version for this add-in. -- **OutlookCrashingAddin** Indicates whether crashes have been found for this add-in. -- **ProductCompany** The name of the company associated with the Office add-in. -- **ProductName** The product name associated with the Microsoft Office add-in. -- **ProductVersion** The version associated with the Office add-in. -- **ProgramId** The unique program identifier of the Microsoft Office add-in. -- **Provider** Name of the provider for this add-in. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync - -This event indicates that a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd - -Provides data on the Office identifiers. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OAudienceData** Sub-identifier for Microsoft Office release management, identifying the pilot group for a device -- **OAudienceId** Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device -- **OMID** Identifier for the Office SQM Machine -- **OPlatform** Whether the installed Microsoft Office product is 32-bit or 64-bit -- **OTenantId** Unique GUID representing the Microsoft O365 Tenant -- **OVersion** Installed version of Microsoft Office. For example, 16.0.8602.1000 -- **OWowMID** Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft Office on 64-bit Windows) - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd - -Provides data on Office-related Internet Explorer features. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OIeFeatureAddon** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the user or by administrative group policy will also be disabled in applications that enable this feature. -- **OIeMachineLockdown** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on content loaded from the user's local machine, which helps prevent malicious behavior involving local files. -- **OIeMimeHandling** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely. Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) -- **OIeMimeSniffing** Flag indicating which Microsoft Office products have this setting enabled. Determines a file's type by examining its bit signature. Windows Internet Explorer uses this information to determine how to render the file. The FEATURE_MIME_SNIFFING feature, when enabled, allows to be set differently for each security zone by using the URLACTION_FEATURE_MIME_SNIFFING URL action flag -- **OIeNoAxInstall** Flag indicating which Microsoft Office products have this setting enabled. When a webpage attempts to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request. When a webpage tries to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request -- **OIeNoDownload** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_RESTRICT_FILEDOWNLOAD feature blocks file download requests that navigate to a resource, that display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click or key press). Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) -- **OIeObjectCaching** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_OBJECT_CACHING feature prevents webpages from accessing or instantiating ActiveX controls cached from different domains or security contexts -- **OIePasswordDisable** Flag indicating which Microsoft Office products have this setting enabled. After Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2), Internet Explorer no longer allows usernames and passwords to be specified in URLs that use the HTTP or HTTPS protocols. URLs using other protocols, such as FTP, still allow usernames and passwords -- **OIeSafeBind** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SAFE_BINDTOOBJECT feature performs additional safety checks when calling MonikerBindToObject to create and initialize Microsoft ActiveX controls. Specifically, prevent the control from being created if COMPAT_EVIL_DONT_LOAD is in the registry for the control -- **OIeSecurityBand** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled, the Information bar appears when file download or code installation is restricted -- **OIeUncSaveCheck** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_UNC_SAVEDFILECHECK feature enables the Mark of the Web (MOTW) for local files loaded from network locations that have been shared by using the Universal Naming Convention (UNC) -- **OIeValidateUrl** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_VALIDATE_NAVIGATE_URL feature control prevents Windows Internet Explorer from navigating to a badly formed URL -- **OIeWebOcPopup** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_WEBOC_POPUPMANAGEMENT feature allows applications hosting the WebBrowser Control to receive the default Internet Explorer pop-up window management behavior -- **OIeWinRestrict** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_WINDOW_RESTRICTIONS feature adds several restrictions to the size and behavior of popup windows -- **OIeZoneElevate** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_ZONE_ELEVATION feature prevents pages in one zone from navigating to pages in a higher security zone unless the navigation is generated by the user - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd - -This event provides insight data on the installed Office products - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OfficeApplication** The name of the Office application. -- **OfficeArchitecture** The bitness of the Office application. -- **OfficeVersion** The version of the Office application. -- **Value** The insights collected about this entity. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync - -This diagnostic event indicates that a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd - -Describes Office Products installed. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OC2rApps** A GUID the describes the Office Click-To-Run apps -- **OC2rSkus** Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example, Office 2016 ProPlus -- **OMsiApps** Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word -- **OProductCodes** A GUID that describes the Office MSI products - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd - -This event describes various Office settings - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **BrowserFlags** Browser flags for Office-related products -- **ExchangeProviderFlags** Provider policies for Office Exchange -- **InventoryVersion** The version of the inventory binary generating the events. -- **SharedComputerLicensing** Office shared computer licensing policies - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync - -Indicates a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd - -This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Design** Count of files with design issues found. -- **Design_x64** Count of files with 64 bit design issues found. -- **DuplicateVBA** Count of files with duplicate VBA code. -- **HasVBA** Count of files with VBA code. -- **Inaccessible** Count of files that were inaccessible for scanning. -- **InventoryVersion** The version of the inventory binary generating the events. -- **Issues** Count of files with issues detected. -- **Issues_x64** Count of files with 64-bit issues detected. -- **IssuesNone** Count of files with no issues detected. -- **IssuesNone_x64** Count of files with no 64-bit issues detected. -- **Locked** Count of files that were locked, preventing scanning. -- **NoVBA** Count of files with no VBA inside. -- **Protected** Count of files that were password protected, preventing scanning. -- **RemLimited** Count of files that require limited remediation changes. -- **RemLimited_x64** Count of files that require limited remediation changes for 64-bit issues. -- **RemSignificant** Count of files that require significant remediation changes. -- **RemSignificant_x64** Count of files that require significant remediation changes for 64-bit issues. -- **Score** Overall compatibility score calculated for scanned content. -- **Score_x64** Overall 64-bit compatibility score calculated for scanned content. -- **Total** Total number of files scanned. -- **Validation** Count of files that require additional manual validation. -- **Validation_x64** Count of files that require additional manual validation for 64-bit issues. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd - -This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Count** Count of total Microsoft Office VBA rule violations -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync - -This event indicates that a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd - -Provides data on Unified Update Platform (UUP) products and what version they are at. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Identifier** UUP identifier -- **LastActivatedVersion** Last activated version -- **PreviousVersion** Previous version -- **Source** UUP source -- **Version** UUP version - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -### Microsoft.Windows.Inventory.Indicators.Checksum - -This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events. - -The following fields are available: - -- **CensusId** A unique hardware identifier. -- **ChecksumDictionary** A count of each operating system indicator. -- **PCFP** Equivalent to the InventoryId field that is found in other core events. - - -### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd - -These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **IndicatorValue** The indicator value. -- **Value** Describes an operating system indicator that may be relevant for the device upgrade. - - -### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove - -This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync - -This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -## Kernel events - -### IO - -This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon system startup. - -The following fields are available: - -- **BytesRead** The total number of bytes read from or read by the OS upon system startup. -- **BytesWritten** The total number of bytes written to or written by the OS upon system startup. - - -### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch - -OS information collected during Boot, used to evaluate the success of the upgrade process. - -The following fields are available: - -- **BootApplicationId** This field tells us what the OS Loader Application Identifier is. -- **BootAttemptCount** The number of consecutive times the boot manager has attempted to boot into this operating system. -- **BootSequence** The current Boot ID, used to correlate events related to a particular boot session. -- **BootStatusPolicy** Identifies the applicable Boot Status Policy. -- **BootType** Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume"). -- **EventTimestamp** Seconds elapsed since an arbitrary time point. This can be used to identify the time difference in successive boot attempts being made. -- **FirmwareResetReasonEmbeddedController** Reason for system reset provided by firmware. -- **FirmwareResetReasonEmbeddedControllerAdditional** Additional information on system reset reason provided by firmware if needed. -- **FirmwareResetReasonPch** Reason for system reset provided by firmware. -- **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed. -- **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware. -- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See [IO](#io). -- **LastBootSucceeded** Flag indicating whether the last boot was successful. -- **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful. -- **MaxAbove4GbFreeRange** This field describes the largest memory range available above 4Gb. -- **MaxBelow4GbFreeRange** This field describes the largest memory range available below 4Gb. -- **MeasuredLaunchPrepared** This field tells us if the OS launch was initiated using Measured/Secure Boot over DRTM (Dynamic Root of Trust for Measurement). -- **MeasuredLaunchResume** This field tells us if Dynamic Root of Trust for Measurement (DRTM) was used when resuming from hibernation. -- **MenuPolicy** Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.). -- **RecoveryEnabled** Indicates whether recovery is enabled. -- **SecureLaunchPrepared** This field indicates if DRTM was prepared during boot. -- **TcbLaunch** Indicates whether the Trusted Computing Base was used during the boot flow. -- **UserInputTime** The amount of time the loader application spent waiting for user input. - - -## Miracast events - -### Microsoft.Windows.Cast.Miracast.MiracastSessionEnd - -This event sends data at the end of a Miracast session that helps determine RTSP related Miracast failures along with some statistics about the session - -The following fields are available: - -- **AudioChannelCount** The number of audio channels. -- **AudioSampleRate** The sample rate of audio in terms of samples per second. -- **AudioSubtype** The unique subtype identifier of the audio codec (encoding method) used for audio encoding. -- **AverageBitrate** The average video bitrate used during the Miracast session, in bits per second. -- **AverageDataRate** The average available bandwidth reported by the WiFi driver during the Miracast session, in bits per second. -- **AveragePacketSendTimeInMs** The average time required for the network to send a sample, in milliseconds. -- **ConnectorType** The type of connector used during the Miracast session. -- **EncodeAverageTimeMS** The average time to encode a frame of video, in milliseconds. -- **EncodeCount** The count of total frames encoded in the session. -- **EncodeMaxTimeMS** The maximum time to encode a frame, in milliseconds. -- **EncodeMinTimeMS** The minimum time to encode a frame, in milliseconds. -- **EncoderCreationTimeInMs** The time required to create the video encoder, in milliseconds. -- **ErrorSource** Identifies the component that encountered an error that caused a disconnect, if applicable. -- **FirstFrameTime** The time (tick count) when the first frame is sent. -- **FirstLatencyMode** The first latency mode. -- **FrameAverageTimeMS** Average time to process an entire frame, in milliseconds. -- **FrameCount** The total number of frames processed. -- **FrameMaxTimeMS** The maximum time required to process an entire frame, in milliseconds. -- **FrameMinTimeMS** The minimum time required to process an entire frame, in milliseconds. -- **Glitches** The number of frames that failed to be delivered on time. -- **HardwareCursorEnabled** Indicates if hardware cursor was enabled when the connection ended. -- **HDCPState** The state of HDCP (High-bandwidth Digital Content Protection) when the connection ended. -- **HighestBitrate** The highest video bitrate used during the Miracast session, in bits per second. -- **HighestDataRate** The highest available bandwidth reported by the WiFi driver, in bits per second. -- **LastLatencyMode** The last reported latency mode. -- **LogTimeReference** The reference time, in tick counts. -- **LowestBitrate** The lowest video bitrate used during the Miracast session, in bits per second. -- **LowestDataRate** The lowest video bitrate used during the Miracast session, in bits per second. -- **MediaErrorCode** The error code reported by the media session, if applicable. -- **MiracastEntry** The time (tick count) when the Miracast driver was first loaded. -- **MiracastM1** The time (tick count) when the M1 request was sent. -- **MiracastM2** The time (tick count) when the M2 request was sent. -- **MiracastM3** The time (tick count) when the M3 request was sent. -- **MiracastM4** The time (tick count) when the M4 request was sent. -- **MiracastM5** The time (tick count) when the M5 request was sent. -- **MiracastM6** The time (tick count) when the M6 request was sent. -- **MiracastM7** The time (tick count) when the M7 request was sent. -- **MiracastSessionState** The state of the Miracast session when the connection ended. -- **MiracastStreaming** The time (tick count) when the Miracast session first started processing frames. -- **ProfileCount** The count of profiles generated from the receiver M4 response. -- **ProfileCountAfterFiltering** The count of profiles after filtering based on available bandwidth and encoder capabilities. -- **RefreshRate** The refresh rate set on the remote display. -- **RotationSupported** Indicates if the Miracast receiver supports display rotation. -- **RTSPSessionId** The unique identifier of the RTSP session. This matches the RTSP session ID for the receiver for the same session. -- **SessionGuid** The unique identifier of to correlate various Miracast events from a session. -- **SinkHadEdid** Indicates if the Miracast receiver reported an EDID. -- **SupportMicrosoftColorSpaceConversion** Indicates whether the Microsoft color space conversion for extra color fidelity is supported by the receiver. -- **SupportsMicrosoftDiagnostics** Indicates whether the Miracast receiver supports the Microsoft Diagnostics Miracast extension. -- **SupportsMicrosoftFormatChange** Indicates whether the Miracast receiver supports the Microsoft Format Change Miracast extension. -- **SupportsMicrosoftLatencyManagement** Indicates whether the Miracast receiver supports the Microsoft Latency Management Miracast extension. -- **SupportsMicrosoftRTCP** Indicates whether the Miracast receiver supports the Microsoft RTCP Miracast extension. -- **SupportsMicrosoftVideoFormats** Indicates whether the Miracast receiver supports Microsoft video format for 3:2 resolution. -- **SupportsWiDi** Indicates whether Miracast receiver supports Intel WiDi extensions. -- **TeardownErrorCode** The error code reason for teardown provided by the receiver, if applicable. -- **TeardownErrorReason** The text string reason for teardown provided by the receiver, if applicable. -- **UIBCEndState** Indicates whether UIBC was enabled when the connection ended. -- **UIBCEverEnabled** Indicates whether UIBC was ever enabled. -- **UIBCStatus** The result code reported by the UIBC setup process. -- **VideoBitrate** The starting bitrate for the video encoder. -- **VideoCodecLevel** The encoding level used for encoding, specific to the video subtype. -- **VideoHeight** The height of encoded video frames. -- **VideoSubtype** The unique subtype identifier of the video codec (encoding method) used for video encoding. -- **VideoWidth** The width of encoded video frames. -- **WFD2Supported** Indicates if the Miracast receiver supports WFD2 protocol. - - -## OneDrive events - -### Microsoft.OneDrive.Sync.Setup.APIOperation - -This event includes basic data about install and uninstall OneDrive API operations. - -The following fields are available: - -- **APIName** The name of the API. -- **Duration** How long the operation took. -- **IsSuccess** Was the operation successful? -- **ResultCode** The result code. -- **ScenarioName** The name of the scenario. - - -### Microsoft.OneDrive.Sync.Setup.EndExperience - -This event includes a success or failure summary of the installation. - -The following fields are available: - -- **APIName** The name of the API. -- **HResult** HResult of the operation -- **IsSuccess** Whether the operation is successful or not -- **ScenarioName** The name of the scenario. - - -### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation - -This event is related to the OS version when the OS is upgraded with OneDrive installed. - -The following fields are available: - -- **CurrentOneDriveVersion** The current version of OneDrive. -- **CurrentOSBuildBranch** The current branch of the operating system. -- **CurrentOSBuildNumber** The current build number of the operating system. -- **CurrentOSVersion** The current version of the operating system. -- **HResult** The HResult of the operation. -- **SourceOSBuildBranch** The source branch of the operating system. -- **SourceOSBuildNumber** The source build number of the operating system. -- **SourceOSVersion** The source version of the operating system. - - -### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation - -This event is related to registering or unregistering the OneDrive update task. - -The following fields are available: - -- **APIName** The name of the API. -- **IsSuccess** Was the operation successful? -- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation. -- **ScenarioName** The name of the scenario. -- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation. - - -### Microsoft.OneDrive.Sync.Updater.ComponentInstallState - -This event includes basic data about the installation state of dependent OneDrive components. - -The following fields are available: - -- **ComponentName** The name of the dependent component. -- **isInstalled** Is the dependent component installed? - - -### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus - -This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken - -The following fields are available: - -- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system. -- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system. - - -### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult - -This event sends information describing the result of the update. - -The following fields are available: - -- **hr** The HResult of the operation. -- **IsLoggingEnabled** Indicates whether logging is enabled for the updater. -- **UpdaterVersion** The version of the updater. - - -### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult - -This event determines the status when downloading the OneDrive update configuration file. - -The following fields are available: - -- **hr** The HResult of the operation. - - -### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus - -This event determines the error code that was returned when verifying Internet connectivity. - -The following fields are available: - -- **winInetError** The HResult of the operation. - - -## Privacy consent logging events - -### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted - -This event is used to determine whether the user successfully completed the privacy consent experience. - -The following fields are available: - -- **presentationVersion** Which display version of the privacy consent experience the user completed -- **privacyConsentState** The current state of the privacy consent experience -- **settingsVersion** Which setting version of the privacy consent experience the user completed -- **userOobeExitReason** The exit reason of the privacy consent experience - - -### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus - -Event tells us effectiveness of new privacy experience. - -The following fields are available: - -- **isAdmin** whether the person who is logging in is an admin -- **isExistingUser** whether the account existed in a downlevel OS -- **isLaunching** Whether or not the privacy consent experience will be launched -- **isSilentElevation** whether the user has most restrictive UAC controls -- **privacyConsentState** whether the user has completed privacy experience -- **userRegionCode** The current user's region setting - - -### wilActivity - -This event provides a Windows Internal Library context used for Product and Service diagnostics. - -The following fields are available: - -- **callContext** The function where the failure occurred. -- **currentContextId** The ID of the current call context where the failure occurred. -- **currentContextMessage** The message of the current call context where the failure occurred. -- **currentContextName** The name of the current call context where the failure occurred. -- **failureCount** The number of failures for this failure ID. -- **failureId** The ID of the failure that occurred. -- **failureType** The type of the failure that occurred. -- **fileName** The file name where the failure occurred. -- **function** The function where the failure occurred. -- **hresult** The HResult of the overall activity. -- **lineNumber** The line number where the failure occurred. -- **message** The message of the failure that occurred. -- **module** The module where the failure occurred. -- **originatingContextId** The ID of the originating call context that resulted in the failure. -- **originatingContextMessage** The message of the originating call context that resulted in the failure. -- **originatingContextName** The name of the originating call context that resulted in the failure. -- **threadId** The ID of the thread on which the activity is executing. - - -## Sediment events - -### Microsoft.Windows.Sediment.Info.DetailedState - -This event is sent when detailed state information is needed from an update trial run. - -The following fields are available: - -- **Data** Data relevant to the state, such as what percent of disk space the directory takes up. -- **Id** Identifies the trial being run, such as a disk related trial. -- **ReleaseVer** The version of the component. -- **State** The state of the reporting data from the trial, such as the top-level directory analysis. -- **Time** The time the event was fired. - - -### Microsoft.Windows.Sediment.Info.Error - -This event indicates an error in the updater payload. This information assists in keeping Windows up to date. - -The following fields are available: - -- **FailureType** The type of error encountered. -- **FileName** The code file in which the error occurred. -- **HResult** The failure error code. -- **LineNumber** The line number in the code file at which the error occurred. -- **ReleaseVer** The version information for the component in which the error occurred. -- **Time** The system time at which the error occurred. - - -### Microsoft.Windows.Sediment.Info.PhaseChange - -The event indicates progress made by the updater. This information assists in keeping Windows up to date. - -The following fields are available: - -- **NewPhase** The phase of progress made. -- **ReleaseVer** The version information for the component in which the change occurred. -- **Time** The system time at which the phase chance occurred. - - -## Setup events - -### SetupPlatformTel.SetupPlatformTelActivityEvent - -This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date. - -The following fields are available: - -- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. -- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. -- **Value** Value associated with the corresponding event name. For example, time-related events will include the system time - - -### SetupPlatformTel.SetupPlatformTelActivityStarted - -This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. - -The following fields are available: - -- **Name** The name of the dynamic update type. Example: GDR driver - - -### SetupPlatformTel.SetupPlatformTelActivityStopped - -This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. - - - -### SetupPlatformTel.SetupPlatformTelEvent - -This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios. - -The following fields are available: - -- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. -- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. -- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. - - -## Software update events - -### SoftwareUpdateClientTelemetry.CheckForUpdates - -Scan process event on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). - -The following fields are available: - -- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. -- **AllowCachedResults** Indicates if the scan allowed using cached results. -- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable -- **BiosFamily** The family of the BIOS (Basic Input Output System). -- **BiosName** The name of the device BIOS. -- **BiosReleaseDate** The release date of the device BIOS. -- **BiosSKUNumber** The sku number of the device BIOS. -- **BIOSVendor** The vendor of the BIOS. -- **BiosVersion** The version of the BIOS. -- **BranchReadinessLevel** The servicing branch configured on the device. -- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated. -- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. -- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. -- **ClientVersion** The version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0. -- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown -- **CurrentMobileOperator** The mobile operator the device is currently connected to. -- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). -- **DeferredUpdates** Update IDs which are currently being deferred until a later time -- **DeviceModel** What is the device model. -- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. -- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. -- **DriverSyncPassPerformed** Were drivers scanned this time? -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. -- **ExtendedMetadataCabUrl** Hostname that is used to download an update. -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. -- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. -- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. -- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days). -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days). -- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). -- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). -- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **IPVersion** Indicates whether the download took place over IPv4 or IPv6 -- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. -- **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. -- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce -- **MSIError** The last error that was encountered during a scan for updates. -- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 -- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete -- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked -- **NumberOfLoop** The number of round trips the scan required -- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan -- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan -- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. -- **Online** Indicates if this was an online scan. -- **PausedUpdates** A list of UpdateIds which that currently being paused. -- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window. -- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window. -- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window. -- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window. -- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced. -- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. -- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days). -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days). -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **ScanDurationInSeconds** The number of seconds a scan took -- **ScanEnqueueTime** The number of seconds it took to initialize a scan -- **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). -- **ServiceUrl** The environment URL a device is configured to scan with -- **ShippingMobileOperator** The mobile operator that a device shipped on. -- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). -- **SyncType** Describes the type of scan the event was -- **SystemBIOSMajorRelease** Major version of the BIOS. -- **SystemBIOSMinorRelease** Minor version of the BIOS. -- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. -- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. -- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - - -### SoftwareUpdateClientTelemetry.Commit - -This event tracks the commit process post the update installation when software update client is trying to update the device. - -The following fields are available: - -- **BiosFamily** Device family as defined in the system BIOS -- **BiosName** Name of the system BIOS -- **BiosReleaseDate** Release date of the system BIOS -- **BiosSKUNumber** Device SKU as defined in the system BIOS -- **BIOSVendor** Vendor of the system BIOS -- **BiosVersion** Version of the system BIOS -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRevisionNumber** Identifies the revision number of the content bundle -- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client -- **ClientVersion** Version number of the software distribution client -- **DeploymentProviderMode** The mode of operation of the update deployment provider. -- **DeviceModel** Device model as defined in the system bios -- **EventInstanceID** A globally unique identifier for event instance -- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. -- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver". -- **FlightId** The specific id of the flight the device is getting -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) -- **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) -- **SystemBIOSMajorRelease** Major release version of the system bios -- **SystemBIOSMinorRelease** Minor release version of the system bios -- **UpdateId** Identifier associated with the specific piece of content -- **WUDeviceID** Unique device id controlled by the software distribution client - - -### SoftwareUpdateClientTelemetry.Download - -Download process event for target update on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). - -The following fields are available: - -- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded. -- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload. -- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. -- **AppXDownloadScope** Indicates the scope of the download for application content. -- **AppXScope** Indicates the scope of the app download. -- **BiosFamily** The family of the BIOS (Basic Input Output System). -- **BiosName** The name of the device BIOS. -- **BiosReleaseDate** The release date of the device BIOS. -- **BiosSKUNumber** The sku number of the device BIOS. -- **BIOSVendor** The vendor of the BIOS. -- **BiosVersion** The version of the BIOS. -- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. -- **BundleId** Identifier associated with the specific content bundle. -- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. -- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). -- **CachedEngineVersion** The version of the “Self-Initiated Healing” (SIH) engine that is cached on the device, if applicable. -- **CallerApplicationName** The name provided by the application that initiated API calls into the software distribution client. -- **CbsDownloadMethod** Indicates whether the download was a full- or a partial-file download. -- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. -- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. -- **CDNId** ID which defines which CDN the software distribution client downloaded the content from. -- **ClientVersion** The version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. -- **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. -- **CurrentMobileOperator** The mobile operator the device is currently connected to. -- **DeviceModel** The model of the device. -- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. -- **DownloadProps** Information about the download operation. -- **DownloadType** Differentiates the download type of “Self-Initiated Healing” (SIH) downloads between Metadata and Payload downloads. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed. -- **EventType** Identifies the type of the event (Child, Bundle, or Driver). -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). -- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. -- **FlightId** The specific ID of the flight (pre-release build) the device is getting. -- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). -- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). -- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. -- **HostName** The hostname URL the content is downloading from. -- **IPVersion** Indicates whether the download took place over IPv4 or IPv6. -- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update -- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. -- **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. -- **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) -- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." -- **PackageFullName** The package name of the content. -- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. -- **PostDnldTime** Time (in seconds) taken to signal download completion after the last job completed downloading the payload. -- **ProcessName** The process name of the application that initiated API calls, in the event where CallerApplicationName was not provided. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background. -- **RegulationReason** The reason that the update is regulated -- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. -- **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. -- **RepeatFailCount** Indicates whether this specific content has previously failed. -- **RepeatFailFlag** Indicates whether this specific content previously failed to download. -- **RevisionNumber** The revision number of the specified piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). -- **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. -- **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. -- **SizeCalcTime** Time (in seconds) taken to calculate the total download size of the payload. -- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). -- **SystemBIOSMajorRelease** Major version of the BIOS. -- **SystemBIOSMinorRelease** Minor version of the BIOS. -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **TargetMetadataVersion** The version of the currently downloading (or most recently downloaded) package. -- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet. -- **TimeToEstablishConnection** Time (in milliseconds) it took to establish the connection prior to beginning downloaded. -- **TotalExpectedBytes** The total size (in Bytes) expected to be downloaded. -- **UpdateId** An identifier associated with the specific piece of content. -- **UpdateID** An identifier associated with the specific piece of content. -- **UpdateImportance** Indicates whether the content was marked as Important, Recommended, or Optional. -- **UsedDO** Indicates whether the download used the Delivery Optimization (DO) service. -- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive. -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - - -### SoftwareUpdateClientTelemetry.DownloadCheckpoint - -This event provides a checkpoint between each of the Windows Update download phases for UUP content - -The following fields are available: - -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client -- **ClientVersion** The version number of the software distribution client -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed -- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver" -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough -- **FileId** A hash that uniquely identifies a file -- **FileName** Name of the downloaded file -- **FlightId** The unique identifier for each flight -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **RevisionNumber** Unique revision number of Update -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.) -- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult) -- **UpdateId** Unique Update ID -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue - - -### SoftwareUpdateClientTelemetry.DownloadHeartbeat - -This event allows tracking of ongoing downloads and contains data to explain the current state of the download - -The following fields are available: - -- **BytesTotal** Total bytes to transfer for this content -- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat -- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client -- **ClientVersion** The version number of the software distribution client -- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat -- **CurrentError** Last (transient) error encountered by the active download -- **DownloadFlags** Flags indicating if power state is ignored -- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing) -- **EventType** Possible values are "Child", "Bundle", or "Driver" -- **FlightId** The unique identifier for each flight -- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered" -- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any -- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any -- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) -- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one -- **ResumeCount** Number of times this active download has resumed from a suspended state -- **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) -- **SuspendCount** Number of times this active download has entered a suspended state -- **SuspendReason** Last reason for why this active download entered a suspended state -- **UpdateId** Identifier associated with the specific piece of content -- **WUDeviceID** Unique device id controlled by the software distribution client - - -### SoftwareUpdateClientTelemetry.Install - -This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date. - -The following fields are available: - -- **BiosFamily** The family of the BIOS (Basic Input Output System). -- **BiosName** The name of the device BIOS. -- **BiosReleaseDate** The release date of the device BIOS. -- **BiosSKUNumber** The sku number of the device BIOS. -- **BIOSVendor** The vendor of the BIOS. -- **BiosVersion** The version of the BIOS. -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. -- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to install. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **ClientVersion** The version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0. -- **CSIErrorType** The stage of CBS installation where it failed. -- **CurrentMobileOperator** The mobile operator to which the device is currently connected. -- **DeploymentProviderMode** The mode of operation of the update deployment provider. -- **DeviceModel** The device model. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. -- **EventType** Possible values are Child, Bundle, or Driver. -- **ExtendedErrorCode** The extended error code. -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBranch** The branch that a device is on if participating in the Windows Insider Program. -- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **FlightRing** The ring that a device is on if participating in the Windows Insider Program. -- **HandlerType** Indicates what kind of content is being installed (for example, app, driver, Windows update). -- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. -- **InstallProps** A bitmask for future flags associated with the install operation. No value is currently reported in this field. Expected value for this field is 0. -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **IsDependentSet** Indicates whether the driver is part of a larger System Hardware/Firmware update. -- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. -- **IsFirmware** Indicates whether this update is a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. -- **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. -- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. -- **MsiAction** The stage of MSI installation where it failed. -- **MsiProductCode** The unique identifier of the MSI installer. -- **PackageFullName** The package name of the content being installed. -- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced. -- **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. -- **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. -- **RevisionNumber** The revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). -- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. -- **ShippingMobileOperator** The mobile operator that a device shipped on. -- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). -- **SystemBIOSMajorRelease** Major version of the BIOS. -- **SystemBIOSMinorRelease** Minor version of the BIOS. -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **TransactionCode** The ID that represents a given MSI installation. -- **UpdateId** Unique update ID. -- **UpdateID** An identifier associated with the specific piece of content. -- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. -- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive. -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - - -### SoftwareUpdateClientTelemetry.Revert - -Revert event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). - -The following fields are available: - -- **BundleId** Identifier associated with the specific content bundle. Should not be all zeros if the BundleId was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **CSIErrorType** Stage of CBS installation that failed. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). -- **EventType** Event type (Child, Bundle, Release, or Driver). -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of the flight. -- **FlightId** The specific ID of the flight the device is getting. -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). -- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. -- **IsFirmware** Indicates whether an update was a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. -- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **UpdateId** The identifier associated with the specific piece of content. -- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). -- **UsedSystemVolume** Indicates whether the device's main system storage drive or an alternate storage drive was used. -- **WUDeviceID** Unique device ID controlled by the software distribution client. - - -### SoftwareUpdateClientTelemetry.TaskRun - -Start event for Server Initiated Healing client. See EventScenario field for specifics (for example, started/completed). - -The following fields are available: - -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClientVersion** Version number of the software distribution client. -- **CmdLineArgs** Command line arguments passed in by the caller. -- **EventInstanceID** A globally unique identifier for the event instance. -- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **WUDeviceID** Unique device ID controlled by the software distribution client. - - -### SoftwareUpdateClientTelemetry.Uninstall - -Uninstall event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). - -The following fields are available: - -- **BundleId** The identifier associated with the specific content bundle. This should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** Name of the application making the Windows Update request. Used to identify context of request. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers when a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of the event (a scan started, succeded, failed, etc.). -- **EventType** Indicates the event type. Possible values are "Child", "Bundle", "Release" or "Driver". -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of the flight. -- **FlightId** The specific ID of the flight the device is getting. -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). -- **HardwareId** If the download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. -- **IsFirmware** Indicates whether an update was a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. -- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific piece of content previously failed. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **UpdateId** Identifier associated with the specific piece of content. -- **UpdateImportance** Indicates the importance of a driver and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). -- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. -- **WUDeviceID** Unique device ID controlled by the software distribution client. - - -### SoftwareUpdateClientTelemetry.UpdateDetected - -This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates. - -The following fields are available: - -- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable. -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). -- **WUDeviceID** The unique device ID controlled by the software distribution client. - - -### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity - -Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. - -The following fields are available: - -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments. -- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed. -- **ExtendedStatusCode** The secondary status code of the event. -- **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed. -- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. -- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce -- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID). -- **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable. -- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. -- **RevisionId** The revision ID for a specific piece of content. -- **RevisionNumber** The revision number for a specific piece of content. -- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store -- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. -- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. -- **SHA256OfTimestampToken** An encoded string of the timestamp token. -- **SignatureAlgorithm** The hash algorithm for the metadata signature. -- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast -- **StatusCode** The status code of the event. -- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token. -- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed. -- **UpdateId** The update ID for a specific piece of content. -- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. - - -## System Resource Usage Monitor events - -### Microsoft.Windows.Srum.Sdp.CpuUsage - -This event provides information on CPU usage. - -The following fields are available: - -- **UsageMax** The maximum of hourly average CPU usage. -- **UsageMean** The mean of hourly average CPU usage. -- **UsageMedian** The median of hourly average CPU usage. -- **UsageTwoHourMaxMean** The mean of the maximum of every two hour of hourly average CPU usage. -- **UsageTwoHourMedianMean** The mean of the median of every two hour of hourly average CPU usage. - - -### Microsoft.Windows.Srum.Sdp.NetworkUsage - -This event provides information on network usage. - -The following fields are available: - -- **AdapterGuid** The unique ID of the adapter. -- **BytesTotalMax** The maximum of the hourly average bytes total. -- **BytesTotalMean** The mean of the hourly average bytes total. -- **BytesTotalMedian** The median of the hourly average bytes total. -- **BytesTotalTwoHourMaxMean** The mean of the maximum of every two hours of hourly average bytes total. -- **BytesTotalTwoHourMedianMean** The mean of the median of every two hour of hourly average bytes total. -- **LinkSpeed** The adapter link speed. - - -## Update events - -### Update360Telemetry.Revert - -This event sends data relating to the Revert phase of updating Windows. - -The following fields are available: - -- **ErrorCode** The error code returned for the Revert phase. -- **FlightId** Unique ID for the flight (test instance version). -- **ObjectId** The unique value for each Update Agent mode. -- **RebootRequired** Indicates reboot is required. -- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. -- **Result** The HResult of the event. -- **RevertResult** The result code returned for the Revert operation. -- **ScenarioId** The ID of the update scenario. -- **SessionId** The ID of the update attempt. -- **UpdateId** The ID of the update. - - -### Update360Telemetry.UpdateAgentCommit - -This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **ErrorCode** The error code returned for the current install phase. -- **FlightId** Unique ID for each flight. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** Outcome of the install phase of the update. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentDownloadRequest - -This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. - -The following fields are available: - -- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted. -- **DownloadRequests** Number of times a download was retried. -- **ErrorCode** The error code returned for the current download request phase. -- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. -- **FlightId** Unique ID for each flight. -- **InternalFailureResult** Indicates a non-fatal error from a plugin. -- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). -- **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable. -- **PackageCountOptional** Number of optional packages requested. -- **PackageCountRequired** Number of required packages requested. -- **PackageCountTotal** Total number of packages needed. -- **PackageCountTotalCanonical** Total number of canonical packages. -- **PackageCountTotalDiff** Total number of diff packages. -- **PackageCountTotalExpress** Total number of express packages. -- **PackageExpressType** Type of express package. -- **PackageSizeCanonical** Size of canonical packages in bytes. -- **PackageSizeDiff** Size of diff packages in bytes. -- **PackageSizeExpress** Size of express packages in bytes. -- **RangeRequestState** Indicates the range request type used. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** Outcome of the download request phase of update. -- **SandboxTaggedForReserves** The sandbox for reserves. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases). -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentExpand - -This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **ElapsedTickCount** Time taken for expand phase. -- **EndFreeSpace** Free space after expand phase. -- **EndSandboxSize** Sandbox size after expand phase. -- **ErrorCode** The error code returned for the current install phase. -- **FlightId** Unique ID for each flight. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **StartFreeSpace** Free space before expand phase. -- **StartSandboxSize** Sandbox size after expand phase. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentFellBackToCanonical - -This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **FlightId** Unique ID for each flight. -- **ObjectId** Unique value for each Update Agent mode. -- **PackageCount** Number of packages that feel back to canonical. -- **PackageList** PackageIds which fell back to canonical. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentInitialize - -This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. - -The following fields are available: - -- **ErrorCode** The error code returned for the current install phase. -- **FlightId** Unique ID for each flight. -- **FlightMetadata** Contains the FlightId and the build being flighted. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** Outcome of the install phase of the update. -- **ScenarioId** Indicates the update scenario. -- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios). -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentInstall - -This event sends data for the install phase of updating Windows. - -The following fields are available: - -- **ErrorCode** The error code returned for the current install phase. -- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. -- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). -- **InternalFailureResult** Indicates a non-fatal error from a plugin. -- **ObjectId** Correlation vector value generated from the latest USO scan. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** The result for the current install phase. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentMerge - -The UpdateAgentMerge event sends data on the merge phase when updating Windows. - -The following fields are available: - -- **ErrorCode** The error code returned for the current merge phase. -- **FlightId** Unique ID for each flight. -- **MergeId** The unique ID to join two update sessions being merged. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Related correlation vector value. -- **Result** Outcome of the merge phase of the update. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentMitigationResult - -This event sends data indicating the result of each update agent mitigation. - -The following fields are available: - -- **Applicable** Indicates whether the mitigation is applicable for the current update. -- **CommandCount** The number of command operations in the mitigation entry. -- **CustomCount** The number of custom operations in the mitigation entry. -- **FileCount** The number of file operations in the mitigation entry. -- **FlightId** Unique identifier for each flight. -- **Index** The mitigation index of this particular mitigation. -- **MitigationScenario** The update scenario in which the mitigation was executed. -- **Name** The friendly name of the mitigation. -- **ObjectId** Unique value for each Update Agent mode. -- **OperationIndex** The mitigation operation index (in the event of a failure). -- **OperationName** The friendly name of the mitigation operation (in the event of failure). -- **RegistryCount** The number of registry operations in the mitigation entry. -- **RelatedCV** The correlation vector value generated from the latest USO scan. -- **Result** The HResult of this operation. -- **ScenarioId** The update agent scenario ID. -- **SessionId** Unique value for each update attempt. -- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). -- **UpdateId** Unique ID for each Update. - - -### Update360Telemetry.UpdateAgentMitigationSummary - -This event sends a summary of all the update agent mitigations available for an this update. - -The following fields are available: - -- **Applicable** The count of mitigations that were applicable to the system and scenario. -- **Failed** The count of mitigations that failed. -- **FlightId** Unique identifier for each flight. -- **MitigationScenario** The update scenario in which the mitigations were attempted. -- **ObjectId** The unique value for each Update Agent mode. -- **RelatedCV** The correlation vector value generated from the latest USO scan. -- **Result** The HResult of this operation. -- **ScenarioId** The update agent scenario ID. -- **SessionId** Unique value for each update attempt. -- **TimeDiff** The amount of time spent performing all mitigations (in 100-nanosecond increments). -- **Total** Total number of mitigations that were available. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentModeStart - -This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. - -The following fields are available: - -- **FlightId** Unique ID for each flight. -- **Mode** Indicates the mode that has started. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. -- **Version** Version of update - - -### Update360Telemetry.UpdateAgentOneSettings - -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **Count** The count of applicable OneSettings for the device. -- **FlightId** Unique ID for the flight (test instance version). -- **ObjectId** The unique value for each Update Agent mode. -- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. -- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. -- **Result** The HResult of the event. -- **ScenarioId** The ID of the update scenario. -- **SessionId** The ID of the update attempt. -- **UpdateId** The ID of the update. -- **Values** The values sent back to the device, if applicable. - - -### Update360Telemetry.UpdateAgentPostRebootResult - -This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. - -The following fields are available: - -- **ErrorCode** The error code returned for the current post reboot phase. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **ObjectId** Unique value for each Update Agent mode. -- **PostRebootResult** Indicates the Hresult. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentReboot - -This event sends information indicating that a request has been sent to suspend an update. - -The following fields are available: - -- **ErrorCode** The error code returned for the current reboot. -- **FlightId** Unique ID for the flight (test instance version). -- **ObjectId** The unique value for each Update Agent mode. -- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. -- **Result** The HResult of the event. -- **ScenarioId** The ID of the update scenario. -- **SessionId** The ID of the update attempt. -- **UpdateId** The ID of the update. - - -### Update360Telemetry.UpdateAgentSetupBoxLaunch - -The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. - -The following fields are available: - -- **ContainsExpressPackage** Indicates whether the download package is express. -- **FlightId** Unique ID for each flight. -- **FreeSpace** Free space on OS partition. -- **InstallCount** Number of install attempts using the same sandbox. -- **ObjectId** Unique value for each Update Agent mode. -- **Quiet** Indicates whether setup is running in quiet mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **SandboxSize** Size of the sandbox. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **SetupMode** Mode of setup to be launched. -- **UpdateId** Unique ID for each Update. -- **UserSession** Indicates whether install was invoked by user actions. - - -## Update notification events - -### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat - -This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat. - -The following fields are available: - -- **CampaignConfigVersion** Configuration version for the current campaign. -- **CampaignID** Currently campaign that is running on Update Notification Pipeline (UNP). -- **ConfigCatalogVersion** Current catalog version of UNP. -- **ContentVersion** Content version for the current campaign on UNP. -- **CV** Correlation vector. -- **DetectorVersion** Most recently run detector version for the current campaign on UNP. -- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user. -- **PackageVersion** Current UNP package version. - - -## Upgrade events - -### FacilitatorTelemetry.DCATDownload - -This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **DownloadSize** Download size of payload. -- **ElapsedTime** Time taken to download payload. -- **MediaFallbackUsed** Used to determine if we used Media CompDBs to figure out package requirements for the upgrade. -- **ResultCode** Result returned by the Facilitator DCAT call. -- **Scenario** Dynamic update scenario (Image DU, or Setup DU). -- **Type** Type of package that was downloaded. -- **UpdateId** The ID of the update that was downloaded. - - -### FacilitatorTelemetry.DUDownload - -This event returns data about the download of supplemental packages critical to upgrading a device to the next version of Windows. - -The following fields are available: - -- **DownloadRequestAttributes** The attributes sent for download. -- **PackageCategoriesFailed** Lists the categories of packages that failed to download. -- **PackageCategoriesSkipped** Lists the categories of package downloads that were skipped. -- **ResultCode** The result of the event execution. -- **Scenario** Identifies the active Download scenario. -- **Url** The URL the download request was sent to. -- **Version** Identifies the version of Facilitator used. - - -### FacilitatorTelemetry.InitializeDU - -This event determines whether devices received additional or critical supplemental content during an OS upgrade. - -The following fields are available: - -- **DCATUrl** The Delivery Catalog (DCAT) URL we send the request to. -- **DownloadRequestAttributes** The attributes we send to DCAT. -- **ResultCode** The result returned from the initiation of Facilitator with the URL/attributes. -- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). -- **Url** The Delivery Catalog (DCAT) URL we send the request to. -- **Version** Version of Facilitator. - - -### Setup360Telemetry.Downlevel - -This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the downlevel OS. -- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** More detailed information about phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback). -- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors). -- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT). -- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). -- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** An ID that uniquely identifies a group of events. -- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId. - - -### Setup360Telemetry.Finalize - -This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe -- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** More detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** ID that uniquely identifies a group of events. -- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. - - -### Setup360Telemetry.OsUninstall - -This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall. - -The following fields are available: - -- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** ID that uniquely identifies a group of events. -- **WuId** Windows Update client ID. - - -### Setup360Telemetry.PostRebootInstall - -This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help keep Windows up-to-date. - -The following fields are available: - -- **ClientId** With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback -- **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled -- **TestId** A string to uniquely identify a group of events. -- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId. - - -### Setup360Telemetry.PreDownloadQuiet - -This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help keep Windows up to date. - -The following fields are available: - -- **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. -- **TestId** ID that uniquely identifies a group of events. -- **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId. - - -### Setup360Telemetry.PreDownloadUX - -This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS, to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion of the update process. - -The following fields are available: - -- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **HostOSBuildNumber** The build number of the previous operating system. -- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). -- **InstanceId** Unique GUID that identifies each instance of setuphost.exe. -- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). -- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** ID that uniquely identifies a group of events. -- **WuId** Windows Update client ID. - - -### Setup360Telemetry.PreInstallQuiet - -This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up-to-date. - -The following fields are available: - -- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe -- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. -- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT). -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** A string to uniquely identify a group of events. -- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. - - -### Setup360Telemetry.PreInstallUX - -This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process. - -The following fields are available: - -- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** A string to uniquely identify a group of events. -- **WuId** Windows Update client ID. - - -### Setup360Telemetry.Setup360 - -This event sends data about OS deployment scenarios, to help keep Windows up-to-date. - -The following fields are available: - -- **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FieldName** Retrieves the data point. -- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. -- **InstanceId** Retrieves a unique identifier for each instance of a setup session. -- **ReportId** Retrieves the report ID. -- **ScenarioId** Retrieves the deployment scenario. -- **Value** Retrieves the value associated with the corresponding FieldName. - - -### Setup360Telemetry.Setup360DynamicUpdate - -This event helps determine whether the device received supplemental content during an operating system upgrade, to help keep Windows up-to-date. - -The following fields are available: - -- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. -- **InstanceId** Retrieves a unique identifier for each instance of a setup session. -- **Operation** Facilitator’s last known operation (scan, download, etc.). -- **ReportId** ID for tying together events stream side. -- **ResultCode** Result returned for the entire setup operation. -- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). -- **ScenarioId** Identifies the update scenario. -- **TargetBranch** Branch of the target OS. -- **TargetBuild** Build of the target OS. - - -### Setup360Telemetry.Setup360MitigationResult - -This event sends data indicating the result of each setup mitigation. - -The following fields are available: - -- **Applicable** TRUE if the mitigation is applicable for the current update. -- **ClientId** In the Windows Update scenario, this is the client ID passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **CommandCount** The number of command operations in the mitigation entry. -- **CustomCount** The number of custom operations in the mitigation entry. -- **FileCount** The number of file operations in the mitigation entry. -- **FlightData** The unique identifier for each flight (test release). -- **Index** The mitigation index of this particular mitigation. -- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. -- **MitigationScenario** The update scenario in which the mitigation was executed. -- **Name** The friendly (descriptive) name of the mitigation. -- **OperationIndex** The mitigation operation index (in the event of a failure). -- **OperationName** The friendly (descriptive) name of the mitigation operation (in the event of failure). -- **RegistryCount** The number of registry operations in the mitigation entry. -- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. -- **Result** HResult of this operation. -- **ScenarioId** Setup360 flow type. -- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). - - -### Setup360Telemetry.Setup360MitigationSummary - -This event sends a summary of all the setup mitigations available for this update. - -The following fields are available: - -- **Applicable** The count of mitigations that were applicable to the system and scenario. -- **ClientId** The Windows Update client ID passed to Setup. -- **Failed** The count of mitigations that failed. -- **FlightData** The unique identifier for each flight (test release). -- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. -- **MitigationScenario** The update scenario in which the mitigations were attempted. -- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. -- **Result** HResult of this operation. -- **ScenarioId** Setup360 flow type. -- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). -- **Total** The total number of mitigations that were available. - - -### Setup360Telemetry.Setup360OneSettings - -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **ClientId** The Windows Update client ID passed to Setup. -- **Count** The count of applicable OneSettings for the device. -- **FlightData** The ID for the flight (test instance version). -- **InstanceId** The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe. -- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. -- **ReportId** The Update ID passed to Setup. -- **Result** The HResult of the event error. -- **ScenarioId** The update scenario ID. -- **Values** Values sent back to the device, if applicable. - - -### Setup360Telemetry.UnexpectedEvent - -This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date. - -The following fields are available: - -- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe -- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** A string to uniquely identify a group of events. -- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. - - -## Windows as a Service diagnostic events - -### Microsoft.Windows.WaaSMedic.SummaryEvent - -Result of the WaaSMedic operation. - -The following fields are available: - -- **callerApplication** The name of the calling application. -- **detectionSummary** Result of each applicable detection that was run. -- **featureAssessmentImpact** WaaS Assessment impact for feature updates. -- **hrEngineResult** Error code from the engine operation. -- **insufficientSessions** Device not eligible for diagnostics. -- **isInteractiveMode** The user started a run of WaaSMedic. -- **isManaged** Device is managed for updates. -- **isWUConnected** Device is connected to Windows Update. -- **noMoreActions** No more applicable diagnostics. -- **qualityAssessmentImpact** WaaS Assessment impact for quality updates. -- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on. -- **usingBackupFeatureAssessment** Relying on backup feature assessment. -- **usingBackupQualityAssessment** Relying on backup quality assessment. -- **usingCachedFeatureAssessment** WaaS Medic run did not get OS build age from the network on the previous run. -- **usingCachedQualityAssessment** WaaS Medic run did not get OS revision age from the network on the previous run. -- **versionString** Version of the WaaSMedic engine. -- **waasMedicRunMode** Indicates whether this was a background regular run of the medic or whether it was triggered by a user launching Windows Update Troubleshooter. - - -## Windows Error Reporting events - -### Microsoft.Windows.WERVertical.OSCrash - -This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. - -The following fields are available: - -- **BootId** Uint32 identifying the boot number for this device. -- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check. -- **BugCheckParameter1** Uint64 parameter providing additional information. -- **BugCheckParameter2** Uint64 parameter providing additional information. -- **BugCheckParameter3** Uint64 parameter providing additional information. -- **BugCheckParameter4** Uint64 parameter providing additional information. -- **DumpFileAttributes** Codes that identify the type of data contained in the dump file -- **DumpFileSize** Size of the dump file -- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise -- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). - - -## Windows Error Reporting MTT events - -### Microsoft.Windows.WER.MTT.Denominator - -This event provides a denominator to calculate MTTF (mean-time-to-failure) for crashes and other errors, to help keep Windows up to date. - -The following fields are available: - -- **DPRange** Maximum mean value range. -- **DPValue** Randomized bit value (0 or 1) that can be reconstituted over a large population to estimate the mean. -- **Value** Standard UTC emitted DP value structure See [Value](#value). - - -### Value - -This event returns data about Mean Time to Failure (MTTF) for Windows devices. It is the primary means of estimating reliability problems in Basic Diagnostic reporting with very strong privacy guarantees. Since Basic Diagnostic reporting does not include system up-time, and since that information is important to ensuring the safe and stable operation of Windows, the data provided by this event provides that data in a manner which does not threaten a user’s privacy. - -The following fields are available: - -- **Algorithm** The algorithm used to preserve privacy. -- **DPRange** The upper bound of the range being measured. -- **DPValue** The randomized response returned by the client. -- **Epsilon** The level of privacy to be applied. -- **HistType** The histogram type if the algorithm is a histogram algorithm. -- **PertProb** The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”. - - -## Microsoft Store events - -### Microsoft.Windows.Store.StoreActivating - -This event sends tracking data about when the Store app activation via protocol URI is in progress, to help keep Windows up to date. - - - -### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation - -This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** Number of retry attempts before it was canceled. -- **BundleId** The Item Bundle ID. -- **CategoryId** The Item Category ID. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed before this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Was this requested by a user? -- **IsMandatory** Was this a mandatory update? -- **IsRemediation** Was this a remediation install? -- **IsRestore** Is this automatically restoring a previously acquired product? -- **IsUpdate** Flag indicating if this is an update. -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The product family name of the product being installed. -- **ProductId** The identity of the package or packages being installed. -- **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled. -- **UserAttemptNumber** The total number of user attempts at installation before it was canceled. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds - -This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure. - - - -### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare - -This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure. - - - -### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation - -This event is sent when an app update or installation is canceled while in interactive mode. This can be canceled by the user or the system. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed. -- **AttemptNumber** Total number of installation attempts. -- **BundleId** The identity of the Windows Insider build that is associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Was this requested by a user? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this an automatic restore of a previously acquired product? -- **IsUpdate** Is this a product update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of all packages to be downloaded and installed. -- **PreviousHResult** The previous HResult code. -- **PreviousInstallState** Previous installation state before it was canceled. -- **ProductId** The name of the package or packages requested for installation. -- **RelatedCV** Correlation Vector of a previous performed action on this product. -- **SystemAttemptNumber** Total number of automatic attempts to install before it was canceled. -- **UserAttemptNumber** Total number of user attempts to install before it was canceled. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest - -This event is sent at the end of app installations or updates to help keep Windows up-to-date and secure. - -The following fields are available: - -- **CatalogId** The Store Product ID of the app being installed. -- **HResult** HResult code of the action being performed. -- **IsBundle** Is this a bundle? -- **PackageFamilyName** The name of the package being installed. -- **ProductId** The Store Product ID of the product being installed. -- **SkuId** Specific edition of the item being installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense - -This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set. -- **AttemptNumber** The total number of attempts to acquire this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** HResult code to show the result of the operation (success/failure). -- **IsBundle** Is this a bundle? -- **IsInteractive** Did the user initiate the installation? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this happening after a device restore? -- **IsUpdate** Is this an update? -- **PFN** Product Family Name of the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The number of attempts by the system to acquire this product. -- **UserAttemptNumber** The number of attempts by the user to acquire this product -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndDownload - -This event is sent after an app is downloaded to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. -- **AttemptNumber** Number of retry attempts before it was canceled. -- **BundleId** The identity of the Windows Insider build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **DownloadSize** The total size of the download. -- **ExtendedHResult** Any extended HResult error codes. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this initiated by the user? -- **IsMandatory** Is this a mandatory installation? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this a restore of a previously acquired product? -- **IsUpdate** Is this an update? -- **ParentBundleId** The parent bundle ID (if it's part of a bundle). -- **PFN** The Product Family Name of the app being download. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The number of attempts by the system to download. -- **UserAttemptNumber** The number of attempts by the user to download. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate - -This event is sent when an app update requires an updated Framework package and the process starts to download it. It is used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **HResult** The result code of the last action performed before this operation. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds - -This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **HResult** The result code of the last action performed before this operation. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndInstall - -This event is sent after a product has been installed to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **ExtendedHResult** The extended HResult error code. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this an interactive installation? -- **IsMandatory** Is this a mandatory installation? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this automatically restoring a previously acquired product? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** Product Family Name of the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates - -This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed. -- **IsApplicability** Is this request to only check if there are any applicable packages to install? -- **IsInteractive** Is this user requested? -- **IsOnline** Is the request doing an online check? - - -### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages - -This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The total number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of the package or packages requested for install. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData - -This event is sent after restoring user data (if any) that needs to be restored following a product install. It is used to keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. -- **AttemptNumber** The total number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of the package or packages requested for install. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of system attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare - -This event is sent after a scan for available app updates to help keep Windows up-to-date and secure. - -The following fields are available: - -- **HResult** The result code of the last action performed. - - -### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete - -This event is sent at the end of an app install or update to help keep Windows up-to-date and secure. - -The following fields are available: - -- **CatalogId** The name of the product catalog from which this app was chosen. -- **FailedRetry** Indicates whether the installation or update retry was successful. -- **HResult** The HResult code of the operation. -- **PFN** The Package Family Name of the app that is being installed or updated. -- **ProductId** The product ID of the app that is being updated or installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate - -This event is sent at the beginning of an app install or update to help keep Windows up-to-date and secure. - -The following fields are available: - -- **CatalogId** The name of the product catalog from which this app was chosen. -- **FulfillmentPluginId** The ID of the plugin needed to install the package type of the product. -- **PFN** The Package Family Name of the app that is being installed or updated. -- **PluginTelemetryData** Diagnostic information specific to the package-type plug-in. -- **ProductId** The product ID of the app that is being updated or installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest - -This event is sent when a product install or update is initiated, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **BundleId** The identity of the build associated with this product. -- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SkuId** Specific edition ID being installed. -- **VolumePath** The disk path of the installation. - - -### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation - -This event is sent when a product install or update is paused (either by a user or the system), to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The total number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The Product Full Name. -- **PreviousHResult** The result code of the last action performed before this operation. -- **PreviousInstallState** Previous state before the installation or update was paused. -- **ProductId** The Store Product ID for the product being installed. -- **RelatedCV** Correlation Vector of a previous performed action on this product. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation - -This event is sent when a product install or update is resumed (either by a user or the system), to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed before this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **IsUserRetry** Did the user initiate the retry? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of the package or packages requested for install. -- **PreviousHResult** The previous HResult error code. -- **PreviousInstallState** Previous state before the installation was paused. -- **ProductId** The Store Product ID for the product being installed. -- **RelatedCV** Correlation Vector for the original install before it was resumed. -- **ResumeClientId** The ID of the app that initiated the resume operation. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest - -This event is sent when a product install or update is resumed by a user or on installation retries, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **ProductId** The Store Product ID for the product being installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest - -This event is sent when searching for update packages to install, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **CatalogId** The Store Catalog ID for the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SkuId** Specfic edition of the app being updated. - - -### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest - -This event occurs when an update is requested for an app, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **PFamN** The name of the app that is requested for update. - - -## Windows System Kit events - -### Microsoft.Windows.Kits.WSK.WskImageCreate - -This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures. - -The following fields are available: - -- **Phase** The image creation phase. Values are “Start” or “End”. -- **WskVersion** The version of the Windows System Kit being used. - - -### Microsoft.Windows.Kits.WSK.WskImageCustomization - -This event sends simple Product and Service usage data when a user is using the Windows System Kit to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures. - -The following fields are available: - -- **CustomizationMode** Indicates the mode of the customization (new or updating). -- **CustomizationType** Indicates the type of customization (drivers or apps). -- **Mode** The mode of update to image configuration files. Values are “New” or “Update”. -- **Phase** The image creation phase. Values are “Start” or “End”. -- **Type** The type of update to image configuration files. Values are “Apps” or “Drivers”. -- **WskVersion** The version of the Windows System Kit being used. - - -### Microsoft.Windows.Kits.WSK.WskWorkspaceCreate - -This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new workspace for generating OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate workspace creation failures. - -The following fields are available: - -- **Architecture** The OS architecture that the workspace will target. Values are one of: “AMD64”, “ARM64”, “x86”, or “ARM”. -- **OsEdition** The Operating System Edition that the workspace will target. -- **Phase** The image creation phase. Values are “Start” or “End”. -- **WorkspaceArchitecture** The operating system architecture that the workspace will target. -- **WorkspaceOsEdition** The operating system edition that the workspace will target. -- **WskVersion** The version of the Windows System Kit being used. - - -## Windows Update Delivery Optimization events - -### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled - -This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **background** Is the download being done in the background? -- **bytesFromCacheServer** Bytes received from a cache host. -- **bytesFromCDN** The number of bytes received from a CDN source. -- **bytesFromGroupPeers** The number of bytes received from a peer in the same group. -- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group. -- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. -- **bytesFromPeers** The number of bytes received from a peer in the same LAN. -- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. -- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. -- **cdnIp** The IP Address of the source CDN (Content Delivery Network). -- **cdnUrl** The URL of the source CDN (Content Delivery Network). -- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. -- **errorCode** The error code that was returned. -- **experimentId** When running a test, this is used to correlate events that are part of the same test. -- **fileID** The ID of the file being downloaded. -- **gCurMemoryStreamBytes** Current usage for memory streaming. -- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. -- **isVpn** Indicates whether the device is connected to a VPN (Virtual Private Network). -- **jobID** Identifier for the Windows Update job. -- **predefinedCallerName** The name of the API Caller. -- **reasonCode** Reason the action or event occurred. -- **routeToCacheServer** The cache server setting, source, and value. -- **sessionID** The ID of the file download session. -- **updateID** The ID of the update being downloaded. -- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. - - -### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted - -This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **background** Is the download a background download? -- **bytesFromCacheServer** Bytes received from a cache host. -- **bytesFromCDN** The number of bytes received from a CDN source. -- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. -- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. -- **bytesFromLinkLocalPeers** The number of bytes received from local peers. -- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. -- **bytesFromPeers** The number of bytes received from a peer in the same LAN. -- **bytesRequested** The total number of bytes requested for download. -- **cacheServerConnectionCount** Number of connections made to cache hosts. -- **cdnConnectionCount** The total number of connections made to the CDN. -- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. -- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. -- **cdnIp** The IP address of the source CDN. -- **cdnUrl** Url of the source Content Distribution Network (CDN). -- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. -- **doErrorCode** The Delivery Optimization error code that was returned. -- **downlinkBps** The maximum measured available download bandwidth (in bytes per second). -- **downlinkUsageBps** The download speed (in bytes per second). -- **downloadMode** The download mode used for this file download session. -- **downloadModeReason** Reason for the download. -- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). -- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **fileID** The ID of the file being downloaded. -- **fileSize** The size of the file being downloaded. -- **gCurMemoryStreamBytes** Current usage for memory streaming. -- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. -- **groupConnectionCount** The total number of connections made to peers in the same group. -- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group. -- **isEncrypted** TRUE if the file is encrypted and will be decrypted after download. -- **isVpn** Is the device connected to a Virtual Private Network? -- **jobID** Identifier for the Windows Update job. -- **lanConnectionCount** The total number of connections made to peers in the same LAN. -- **linkLocalConnectionCount** The number of connections made to peers in the same Link-local network. -- **numPeers** The total number of peers used for this download. -- **numPeersLocal** The total number of local peers used for this download. -- **predefinedCallerName** The name of the API Caller. -- **restrictedUpload** Is the upload restricted? -- **routeToCacheServer** The cache server setting, source, and value. -- **sessionID** The ID of the download session. -- **totalTimeMs** Duration of the download (in seconds). -- **updateID** The ID of the update being downloaded. -- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). -- **uplinkUsageBps** The upload speed (in bytes per second). -- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. - - -### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused - -This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **background** Is the download a background download? -- **cdnUrl** The URL of the source CDN (Content Delivery Network). -- **errorCode** The error code that was returned. -- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **fileID** The ID of the file being paused. -- **isVpn** Is the device connected to a Virtual Private Network? -- **jobID** Identifier for the Windows Update job. -- **predefinedCallerName** The name of the API Caller object. -- **reasonCode** The reason for pausing the download. -- **routeToCacheServer** The cache server setting, source, and value. -- **sessionID** The ID of the download session. -- **updateID** The ID of the update being paused. - - -### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted - -This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **background** Indicates whether the download is happening in the background. -- **bytesRequested** Number of bytes requested for the download. -- **cdnUrl** The URL of the source Content Distribution Network (CDN). -- **costFlags** A set of flags representing network cost. -- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). -- **diceRoll** Random number used for determining if a client will use peering. -- **doClientVersion** The version of the Delivery Optimization client. -- **doErrorCode** The Delivery Optimization error code that was returned. -- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). -- **downloadModeReason** Reason for the download. -- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). -- **errorCode** The error code that was returned. -- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing. -- **fileID** The ID of the file being downloaded. -- **filePath** The path to where the downloaded file will be written. -- **fileSize** Total file size of the file that was downloaded. -- **fileSizeCaller** Value for total file size provided by our caller. -- **groupID** ID for the group. -- **isEncrypted** Indicates whether the download is encrypted. -- **isVpn** Indicates whether the device is connected to a Virtual Private Network. -- **jobID** The ID of the Windows Update job. -- **peerID** The ID for this delivery optimization client. -- **predefinedCallerName** Name of the API caller. -- **routeToCacheServer** Cache server setting, source, and value. -- **sessionID** The ID for the file download session. -- **setConfigs** A JSON representation of the configurations that have been set, and their sources. -- **updateID** The ID of the update being downloaded. -- **usedMemoryStream** Indicates whether the download used memory streaming. - - -### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication - -This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **cdnHeaders** The HTTP headers returned by the CDN. -- **cdnIp** The IP address of the CDN. -- **cdnUrl** The URL of the CDN. -- **errorCode** The error code that was returned. -- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered. -- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **fileID** The ID of the file being downloaded. -- **httpStatusCode** The HTTP status code returned by the CDN. -- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET -- **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.). -- **requestOffset** The byte offset within the file in the sent request. -- **requestSize** The size of the range requested from the CDN. -- **responseSize** The size of the range response received from the CDN. -- **sessionID** The ID of the download session. - - -### Microsoft.OSG.DU.DeliveryOptClient.JobError - -This event represents a Windows Update job error. It allows for investigation of top errors. - -The following fields are available: - -- **cdnIp** The IP Address of the source CDN (Content Delivery Network). -- **doErrorCode** Error code returned for delivery optimization. -- **errorCode** The error code returned. -- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **fileID** The ID of the file being downloaded. -- **jobID** The Windows Update job ID. - - -## Windows Update events - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary - -This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **activated** Whether the entire device manifest update is considered activated and in use. -- **analysisErrorCount** The number of driver packages that could not be analyzed because errors occurred during analysis. -- **flightId** Unique ID for each flight. -- **missingDriverCount** The number of driver packages delivered by the device manifest that are missing from the system. -- **missingUpdateCount** The number of updates in the device manifest that are missing from the system. -- **objectId** Unique value for each diagnostics session. -- **publishedCount** The number of drivers packages delivered by the device manifest that are published and available to be used on devices. -- **relatedCV** Correlation vector value generated from the latest USO scan. -- **scenarioId** Indicates the update scenario. -- **sessionId** Unique value for each update session. -- **summary** A summary string that contains basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match. -- **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string. -- **truncatedDeviceCount** The number of devices missing from the summary string because there is not enough room in the string. -- **truncatedDriverCount** The number of driver packages missing from the summary string because there is not enough room in the string. -- **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices. -- **updateId** The unique ID for each update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit - -This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **errorCode** The error code returned for the current session initialization. -- **flightId** The unique identifier for each flight. -- **objectId** The unique GUID for each diagnostics session. -- **relatedCV** A correlation vector value generated from the latest USO scan. -- **result** Outcome of the initialization of the session. -- **scenarioId** Identifies the Update scenario. -- **sessionId** The unique value for each update session. -- **updateId** The unique identifier for each Update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest - -This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted. -- **errorCode** The error code returned for the current session initialization. -- **flightId** The unique identifier for each flight. -- **objectId** Unique value for each Update Agent mode. -- **packageCountOptional** Number of optional packages requested. -- **packageCountRequired** Number of required packages requested. -- **packageCountTotal** Total number of packages needed. -- **packageCountTotalCanonical** Total number of canonical packages. -- **packageCountTotalDiff** Total number of diff packages. -- **packageCountTotalExpress** Total number of express packages. -- **packageSizeCanonical** Size of canonical packages in bytes. -- **packageSizeDiff** Size of diff packages in bytes. -- **packageSizeExpress** Size of express packages in bytes. -- **rangeRequestState** Represents the state of the download range request. -- **relatedCV** Correlation vector value generated from the latest USO scan. -- **result** Result of the download request phase of update. -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. -- **sessionId** Unique value for each Update Agent mode attempt. -- **updateId** Unique ID for each update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize - -This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **errorCode** The error code returned for the current session initialization. -- **flightId** The unique identifier for each flight. -- **flightMetadata** Contains the FlightId and the build being flighted. -- **objectId** Unique value for each Update Agent mode. -- **relatedCV** Correlation vector value generated from the latest USO scan. -- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled. -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. -- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios). -- **sessionId** Unique value for each Update Agent mode attempt. -- **updateId** Unique ID for each update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall - -This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **errorCode** The error code returned for the current install phase. -- **flightId** The unique identifier for each flight (pre-release builds). -- **objectId** The unique identifier for each diagnostics session. -- **relatedCV** Correlation vector value generated from the latest scan. -- **result** Outcome of the install phase of the update. -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate -- **sessionId** The unique identifier for each update session. -- **updateId** The unique identifier for each Update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart - -This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **flightId** The unique identifier for each flight (pre-release builds). -- **mode** Indicates the active Update Agent mode. -- **objectId** Unique value for each diagnostics session. -- **relatedCV** Correlation vector value generated from the latest scan. -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. -- **sessionId** The unique identifier for each update session. -- **updateId** The unique identifier for each Update. - - -### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed - -This event indicates that a notification dialog box is about to be displayed to user. - -The following fields are available: - -- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. -- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before the RebootFailed dialog box is shown. -- **DaysSinceRebootRequired** Number of days since restart was required. -- **DeviceLocalTime** The local time on the device sending the event. -- **EngagedModeLimit** The number of days to switch between DTE dialog boxes. -- **EnterAutoModeLimit** The maximum number of days for a device to enter Auto Reboot mode. -- **ETag** OneSettings versioning value. -- **IsForcedEnabled** Indicates whether Forced Reboot mode is enabled for this device. -- **IsUltimateForcedEnabled** Indicates whether Ultimate Forced Reboot mode is enabled for this device. -- **NotificationUxState** Indicates which dialog box is shown. -- **NotificationUxStateString** Indicates which dialog box is shown. -- **RebootUxState** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). -- **RebootUxStateString** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). -- **RebootVersion** Version of DTE. -- **SkipToAutoModeLimit** The minimum length of time to pass in restart pending before a device can be put into auto mode. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UtcTime** The time the dialog box notification will be displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootAcceptAutoDialog - -This event indicates that the Enhanced Engaged restart "accept automatically" dialog box was displayed. - -The following fields are available: - -- **DeviceLocalTime** The local time on the device sending the event. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the dialog box. -- **RebootVersion** Version of DTE. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that user chose on this dialog box. -- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootFirstReminderDialog - -This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed.. - -The following fields are available: - -- **DeviceLocalTime** The local time on the device sending the event. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the dialog box. -- **RebootVersion** Version of DTE. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that user chose in this dialog box. -- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog - -This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed. - -The following fields are available: - -- **DeviceLocalTime** The local time of the device sending the event. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the dialog box. -- **RebootVersion** Version of DTE. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that the user chose in this dialog box. -- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog - -This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed. - -The following fields are available: - -- **DeviceLocalTime** Time the dialog box was shown on the local device. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the dialog box. -- **RebootVersion** Version of DTE. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that user chose in this dialog box. -- **UtcTime** The time that dialog box was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderDialog - -This event returns information relating to the Enhanced Engaged reboot reminder dialog that was displayed. - -The following fields are available: - -- **DeviceLocalTime** The time at which the reboot reminder dialog was shown (based on the local device time settings). -- **ETag** The OneSettings versioning value. -- **ExitCode** Indicates how users exited the reboot reminder dialog box. -- **RebootVersion** The version of the DTE (Direct-to-Engaged). -- **UpdateId** The ID of the update that is waiting for reboot to finish installation. -- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. -- **UserResponseString** The option chosen by the user on the reboot dialog box. -- **UtcTime** The time at which the reboot reminder dialog was shown (in UTC). - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderToast - -This event indicates that the Enhanced Engaged restart reminder pop-up banner was displayed. - -The following fields are available: - -- **DeviceLocalTime** The local time on the device sending the event. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the pop-up banner. -- **RebootVersion** The version of the reboot logic. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that the user chose in the pop-up banner. -- **UtcTime** The time that the pop-up banner was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.RebootScheduled - -Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update. - -The following fields are available: - -- **activeHoursApplicable** Indicates whether an Active Hours policy is present on the device. -- **IsEnhancedEngagedReboot** Indicates whether this is an Enhanced Engaged reboot. -- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. -- **rebootOutsideOfActiveHours** Indicates whether a restart is scheduled outside of active hours. -- **rebootScheduledByUser** Indicates whether the restart was scheduled by user (if not, it was scheduled automatically). -- **rebootState** The current state of the restart. -- **rebootUsingSmartScheduler** Indicates whether the reboot is scheduled by smart scheduler. -- **revisionNumber** Revision number of the update that is getting installed with this restart. -- **scheduledRebootTime** Time of the scheduled restart. -- **scheduledRebootTimeInUTC** Time of the scheduled restart in Coordinated Universal Time. -- **updateId** ID of the update that is getting installed with this restart. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy - -This event indicates a policy is present that may restrict update activity to outside of active hours. - -The following fields are available: - -- **activeHoursEnd** The end of the active hours window. -- **activeHoursStart** The start of the active hours window. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours - -This event indicates that update activity was blocked because it is within the active hours window. - -The following fields are available: - -- **activeHoursEnd** The end of the active hours window. -- **activeHoursStart** The start of the active hours window. -- **updatePhase** The current state of the update process. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.BlockedByBatteryLevel - -This event indicates that Windows Update activity was blocked due to low battery level. - -The following fields are available: - -- **batteryLevel** The current battery charge capacity. -- **batteryLevelThreshold** The battery capacity threshold to stop update activity. -- **updatePhase** The current state of the update process. -- **wuDeviceid** Device ID. - - -### Microsoft.Windows.Update.Orchestrator.DeferRestart - -This event indicates that a restart required for installing updates was postponed. - -The following fields are available: - -- **displayNeededReason** List of reasons for needing display. -- **eventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). -- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery). -- **gameModeReason** Name of the executable that caused the game mode state check to start. -- **ignoredReason** List of reasons that were intentionally ignored. -- **IgnoreReasonsForRestart** List of reasons why restart was deferred. -- **revisionNumber** Update ID revision number. -- **systemNeededReason** List of reasons why system is needed. -- **updateId** Update ID. -- **updateScenarioType** Update session type. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.Detection - -This event indicates that a scan for a Windows Update occurred. - -The following fields are available: - -- **deferReason** The reason why the device could not check for updates. -- **detectionBlockingPolicy** The Policy that blocked detection. -- **detectionBlockreason** The reason detection did not complete. -- **detectionRetryMode** Indicates whether we will try to scan again. -- **errorCode** The error code returned for the current process. -- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. -- **flightID** The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable. -- **interactive** Indicates whether the user initiated the session. -- **networkStatus** Indicates if the device is connected to the internet. -- **revisionNumber** The Update revision number. -- **scanTriggerSource** The source of the triggered scan. -- **updateId** The unique identifier of the Update. -- **updateScenarioType** Identifies the type of update session being performed. -- **wuDeviceid** The unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.DisplayNeeded - -This event indicates the reboot was postponed due to needing a display. - -The following fields are available: - -- **displayNeededReason** Reason the display is needed. -- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. -- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. -- **revisionNumber** Revision number of the update. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. -- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue - - -### Microsoft.Windows.Update.Orchestrator.Download - -This event sends launch data for a Windows Update download to help keep Windows up to date. - -The following fields are available: - -- **deferReason** Reason for download not completing. -- **errorCode** An error code represented as a hexadecimal value. -- **eventScenario** End-to-end update session ID. -- **flightID** The specific ID of the Windows Insider build the device is getting. -- **interactive** Indicates whether the session is user initiated. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.DTUCompletedWhenWuFlightPendingCommit - -This event indicates that DTU completed installation of the electronic software delivery (ESD), when Windows Update was already in Pending Commit phase of the feature update. - -The following fields are available: - -- **wuDeviceid** Device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.DTUEnabled - -This event indicates that Inbox DTU functionality was enabled. - -The following fields are available: - -- **wuDeviceid** Device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.DTUInitiated - -This event indicates that Inbox DTU functionality was intiated. - -The following fields are available: - -- **dtuErrorCode** Return code from creating the DTU Com Server. -- **isDtuApplicable** Determination of whether DTU is applicable to the machine it is running on. -- **wuDeviceid** Device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.EscalationRiskLevels - -This event is sent during update scan, download, or install, and indicates that the device is at risk of being out-of-date. - -The following fields are available: - -- **configVersion** The escalation configuration version on the device. -- **downloadElapsedTime** Indicates how long since the download is required on device. -- **downloadRiskLevel** At-risk level of download phase. -- **installElapsedTime** Indicates how long since the install is required on device. -- **installRiskLevel** The at-risk level of install phase. -- **isSediment** Assessment of whether is device is at risk. -- **scanElapsedTime** Indicates how long since the scan is required on device. -- **scanRiskLevel** At-risk level of the scan phase. -- **wuDeviceid** Device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.FailedToAddTimeTriggerToScanTask - -This event indicated that USO failed to add a trigger time to a task. - -The following fields are available: - -- **errorCode** The Windows Update error code. -- **wuDeviceid** The Windows Update device ID. - - -### Microsoft.Windows.Update.Orchestrator.FlightInapplicable - -This event indicates that the update is no longer applicable to this device. - -The following fields are available: - -- **EventPublishedTime** Time when this event was generated. -- **flightID** The specific ID of the Windows Insider build. -- **inapplicableReason** The reason why the update is inapplicable. -- **revisionNumber** Update revision number. -- **updateId** Unique Windows Update ID. -- **updateScenarioType** Update session type. -- **UpdateStatus** Last status of update. -- **UUPFallBackConfigured** Indicates whether UUP fallback is configured. -- **wuDeviceid** Unique Device ID. - - -### Microsoft.Windows.Update.Orchestrator.InitiatingReboot - -This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date. - -The following fields are available: - -- **EventPublishedTime** Time of the event. -- **flightID** Unique update ID -- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. -- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. -- **revisionNumber** Revision number of the update. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.Install - -This event sends launch data for a Windows Update install to help keep Windows up to date. - -The following fields are available: - -- **batteryLevel** Current battery capacity in mWh or percentage left. -- **deferReason** Reason for install not completing. -- **errorCode** The error code reppresented by a hexadecimal value. -- **eventScenario** End-to-end update session ID. -- **flightID** The ID of the Windows Insider build the device is getting. -- **flightUpdate** Indicates whether the update is a Windows Insider build. -- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates. -- **IgnoreReasonsForRestart** The reason(s) a Postpone Restart command was ignored. -- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress. -- **installRebootinitiatetime** The time it took for a reboot to be attempted. -- **interactive** Identifies if session is user initiated. -- **minutesToCommit** The time it took to install updates. -- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.LowUptimes - -This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure. - -The following fields are available: - -- **availableHistoryMinutes** The number of minutes available from the local machine activity history. -- **isLowUptimeMachine** Is the machine considered low uptime or not. -- **lowUptimeMinHours** Current setting for the minimum number of hours needed to not be considered low uptime. -- **lowUptimeQueryDays** Current setting for the number of recent days to check for uptime. -- **uptimeMinutes** Number of minutes of uptime measured. -- **wuDeviceid** Unique device ID for Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection - -This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date. - -The following fields are available: - -- **externalOneshotupdate** The last time a task-triggered scan was completed. -- **interactiveOneshotupdate** The last time an interactive scan was completed. -- **oldlastscanOneshotupdate** The last time a scan completed successfully. -- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID). - - -### Microsoft.Windows.Update.Orchestrator.PreShutdownStart - -This event is generated before the shutdown and commit operations. - -The following fields are available: - -- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - - -### Microsoft.Windows.Update.Orchestrator.RebootFailed - -This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date. - -The following fields are available: - -- **batteryLevel** Current battery capacity in mWh or percentage left. -- **deferReason** Reason for install not completing. -- **EventPublishedTime** The time that the reboot failure occurred. -- **flightID** Unique update ID. -- **rebootOutsideOfActiveHours** Indicates whether a reboot was scheduled outside of active hours. -- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.RefreshSettings - -This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date. - -The following fields are available: - -- **errorCode** Hex code for the error message, to allow lookup of the specific error. -- **settingsDownloadTime** Timestamp of the last attempt to acquire settings. -- **settingsETag** Version identifier for the settings. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask - -This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date. - -The following fields are available: - -- **RebootTaskMissedTimeUTC** The time when the reboot task was scheduled to run, but did not. -- **RebootTaskNextTimeUTC** The time when the reboot task was rescheduled for. -- **RebootTaskRestoredTime** Time at which this reboot task was restored. -- **wuDeviceid** Device ID for the device on which the reboot is restored. - - -### Microsoft.Windows.Update.Orchestrator.ScanTriggered - -This event indicates that Update Orchestrator has started a scan operation. - -The following fields are available: - -- **errorCode** The error code returned for the current scan operation. -- **eventScenario** Indicates the purpose of sending this event. -- **interactive** Indicates whether the scan is interactive. -- **isDTUEnabled** Indicates whether DTU (internal abbreviation for Direct Feature Update) channel is enabled on the client system. -- **isScanPastSla** Indicates whether the SLA has elapsed for scanning. -- **isScanPastTriggerSla** Indicates whether the SLA has elapsed for triggering a scan. -- **minutesOverScanSla** Indicates how many minutes the scan exceeded the scan SLA. -- **minutesOverScanTriggerSla** Indicates how many minutes the scan exceeded the scan trigger SLA. -- **scanTriggerSource** Indicates what caused the scan. -- **updateScenarioType** The update session type. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.StickUpdate - -This event is sent when the update service orchestrator (USO) indicates the update cannot be superseded by a newer update. - -The following fields are available: - -- **updateId** Identifier associated with the specific piece of content. -- **wuDeviceid** Unique device ID controlled by the software distribution client. - - -### Microsoft.Windows.Update.Orchestrator.SystemNeeded - -This event sends data about why a device is unable to reboot, to help keep Windows up to date. - -The following fields are available: - -- **eventScenario** End-to-end update session ID. -- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. -- **revisionNumber** Update revision number. -- **systemNeededReason** List of apps or tasks that are preventing the system from restarting. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.TerminatedByActiveHours - -This event indicates that update activity was stopped due to active hours starting. - -The following fields are available: - -- **activeHoursEnd** The end of the active hours window. -- **activeHoursStart** The start of the active hours window. -- **updatePhase** The current state of the update process. -- **wuDeviceid** The device identifier. - - -### Microsoft.Windows.Update.Orchestrator.TerminatedByBatteryLevel - -This event is sent when update activity was stopped due to a low battery level. - -The following fields are available: - -- **batteryLevel** The current battery charge capacity. -- **batteryLevelThreshold** The battery capacity threshold to stop update activity. -- **updatePhase** The current state of the update process. -- **wuDeviceid** The device identifier. - - -### Microsoft.Windows.Update.Orchestrator.UnstickUpdate - -This event is sent when the update service orchestrator (USO) indicates that the update can be superseded by a newer update. - -The following fields are available: - -- **updateId** Identifier associated with the specific piece of content. -- **wuDeviceid** Unique device ID controlled by the software distribution client. - - -### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh - -This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date. - -The following fields are available: - -- **configuredPoliciescount** Number of policies on the device. -- **policiesNamevaluesource** Policy name and source of policy (group policy, MDM or flight). -- **policyCacherefreshtime** Time when policy cache was refreshed. -- **updateInstalluxsetting** Indicates whether a user has set policies via a user experience option. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired - -This event sends data about whether an update required a reboot to help keep Windows up to date. - -The following fields are available: - -- **flightID** The specific ID of the Windows Insider build the device is getting. -- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed - -This event sends information about an update that encountered problems and was not able to complete. - -The following fields are available: - -- **errorCode** The error code encountered. -- **wuDeviceid** The ID of the device in which the error occurred. - - -### Microsoft.Windows.Update.Orchestrator.UsoSession - -This event represents the state of the USO service at start and completion. - -The following fields are available: - -- **activeSessionid** A unique session GUID. -- **eventScenario** The state of the update action. -- **interactive** Is the USO session interactive? -- **lastErrorcode** The last error that was encountered. -- **lastErrorstate** The state of the update when the last error was encountered. -- **sessionType** A GUID that refers to the update session type. -- **updateScenarioType** A descriptive update session type. -- **wuDeviceid** The Windows Update device GUID. - - -### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState - -This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. - -The following fields are available: - -- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. -- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown. -- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed. -- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs. -- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode. -- **ETag** The Entity Tag that represents the OneSettings version. -- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device. -- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device. -- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending. -- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced. -- **RebootVersion** The version of the DTE (Direct-to-Engaged). -- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode. -- **UpdateId** The ID of the update that is waiting for reboot to finish installation. -- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. - - -### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded - -This event is sent when a security update has successfully completed. - -The following fields are available: - -- **UtcTime** The Coordinated Universal Time that the restart was no longer needed. - - -### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled - -This event sends basic information about scheduling an update-related reboot, to get security updates and to help keep Windows up-to-date. - -The following fields are available: - -- **activeHoursApplicable** Indicates whether Active Hours applies on this device. -- **IsEnhancedEngagedReboot** Indicates whether Enhanced reboot was enabled. -- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. -- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise. -- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically. -- **rebootState** Current state of the reboot. -- **rebootUsingSmartScheduler** Indicates that the reboot is scheduled by SmartScheduler. -- **revisionNumber** Revision number of the OS. -- **scheduledRebootTime** Time scheduled for the reboot. -- **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC. -- **updateId** Identifies which update is being scheduled. -- **wuDeviceid** The unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerScheduledTask - -This event is sent when MUSE broker schedules a task. - -The following fields are available: - -- **TaskArgument** The arguments with which the task is scheduled. -- **TaskName** Name of the task. - - -### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled - -This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date. - -The following fields are available: - -- **activeHoursApplicable** Is the restart respecting Active Hours? -- **IsEnhancedEngagedReboot** TRUE if the reboot path is Enhanced Engaged. Otherwise, FALSE. -- **rebootArgument** The arguments that are passed to the OS for the restarted. -- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours? -- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device. -- **rebootState** The state of the restart. -- **rebootUsingSmartScheduler** TRUE if the reboot should be performed by the Smart Scheduler. Otherwise, FALSE. -- **revisionNumber** The revision number of the OS being updated. -- **scheduledRebootTime** Time of the scheduled reboot -- **scheduledRebootTimeInUTC** Time of the scheduled restart, in Coordinated Universal Time. -- **updateId** The Windows Update device GUID. -- **wuDeviceid** The Windows Update device GUID. - - -## Windows Update mitigation events - -### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages - -This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates. - -The following fields are available: - -- **ClientId** The client ID used by Windows Update. -- **FlightId** The ID of each Windows Insider build the device received. -- **InstanceId** A unique device ID that identifies each update instance. -- **MitigationScenario** The update scenario in which the mitigation was executed. -- **MountedImageCount** The number of mounted images. -- **MountedImageMatches** The number of mounted image matches. -- **MountedImagesFailed** The number of mounted images that could not be removed. -- **MountedImagesRemoved** The number of mounted images that were successfully removed. -- **MountedImagesSkipped** The number of mounted images that were not found. -- **RelatedCV** The correlation vector value generated from the latest USO scan. -- **Result** HResult of this operation. -- **ScenarioId** ID indicating the mitigation scenario. -- **ScenarioSupported** Indicates whether the scenario was supported. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each Windows Update. -- **WuId** Unique ID for the Windows Update client. - - -### Mitigation360Telemetry.MitigationCustom.FixAppXReparsePoints - -This event sends data specific to the FixAppXReparsePoints mitigation used for OS updates. - -The following fields are available: - -- **ClientId** Unique identifier for each flight. -- **FlightId** Unique GUID that identifies each instances of setuphost.exe. -- **InstanceId** The update scenario in which the mitigation was executed. -- **MitigationScenario** Correlation vector value generated from the latest USO scan. -- **RelatedCV** Number of reparse points that are corrupted but we failed to fix them. -- **ReparsePointsFailed** Number of reparse points that were corrupted and were fixed by this mitigation. -- **ReparsePointsFixed** Number of reparse points that are not corrupted and no action is required. -- **ReparsePointsSkipped** HResult of this operation. -- **Result** ID indicating the mitigation scenario. -- **ScenarioId** Indicates whether the scenario was supported. -- **ScenarioSupported** Unique value for each update attempt. -- **SessionId** Unique ID for each Update. -- **UpdateId** Unique ID for the Windows Update client. -- **WuId** Unique ID for the Windows Update client. - - -### Mitigation360Telemetry.MitigationCustom.FixupEditionId - -This event sends data specific to the FixupEditionId mitigation used for OS updates. - -The following fields are available: - -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **EditionIdUpdated** Determine whether EditionId was changed. -- **FlightId** Unique identifier for each flight. -- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. -- **MitigationScenario** The update scenario in which the mitigation was executed. -- **ProductEditionId** Expected EditionId value based on GetProductInfo. -- **ProductType** Value returned by GetProductInfo. -- **RegistryEditionId** EditionId value in the registry. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** HResult of this operation. -- **ScenarioId** ID indicating the mitigation scenario. -- **ScenarioSupported** Indicates whether the scenario was supported. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. -- **WuId** Unique ID for the Windows Update client. - - -## Windows Update Reserve Manager events - -### Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment - -This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending. - -The following fields are available: - -- **FinalAdjustment** Final adjustment for the hard reserve following the addition or removal of optional content. -- **InitialAdjustment** Initial intended adjustment for the hard reserve following the addition/removal of optional content. - - -### Microsoft.Windows.UpdateReserveManager.FunctionReturnedError - -This event is sent when the Update Reserve Manager returns an error from one of its internal functions. - -The following fields are available: - -- **FailedExpression** The failed expression that was returned. -- **FailedFile** The binary file that contained the failed function. -- **FailedFunction** The name of the function that originated the failure. -- **FailedLine** The line number of the failure. -- **ReturnCode** The return code of the function. - - -### Microsoft.Windows.UpdateReserveManager.PrepareTIForReserveInitialization - -This event is sent when the Update Reserve Manager prepares the Trusted Installer to initialize reserves on the next boot. - -The following fields are available: - -- **Flags** The flags that are passed to the function to prepare the Trusted Installer for reserve initialization. - - -### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment - -This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment. - - - -### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment - -This event is sent when the Update Reserve Manager needs to adjust the size of the hard reserve after the option content is installed. - -The following fields are available: - -- **ChangeSize** The change in the hard reserve size based on the addition or removal of optional content. -- **PendingHardReserveAdjustment** The final change to the hard reserve size. -- **UpdateType** Indicates whether the change is an increase or decrease in the size of the hard reserve. - - -## Winlogon events - -### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon - -This event signals the completion of the setup process. It happens only once during the first logon. - - - -## XBOX events - -### Microsoft.Xbox.XamTelemetry.AppActivationError - -This event indicates whether the system detected an activation error in the app. - -The following fields are available: - -- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app. -- **AppId** The Xbox LIVE Title ID. -- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate. -- **Result** The HResult error. -- **UserId** The Xbox LIVE User ID (XUID). - - -### Microsoft.Xbox.XamTelemetry.AppActivity - -This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. - -The following fields are available: - -- **AppActionId** The ID of the application action. -- **AppCurrentVisibilityState** The ID of the current application visibility state. -- **AppId** The Xbox LIVE Title ID of the app. -- **AppPackageFullName** The full name of the application package. -- **AppPreviousVisibilityState** The ID of the previous application visibility state. -- **AppSessionId** The application session ID. -- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). -- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. -- **DurationMs** The amount of time (in milliseconds) since the last application state transition. -- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. -- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). -- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. -- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. -- **UserId** The XUID (Xbox User ID) of the current user. - - - +--- +description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. +title: Windows 10, version 1809 basic diagnostic events and fields (Windows 10) +keywords: privacy, telemetry +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +ms.author: brianlic +manager: dansimp +ms.collection: M365-security-compliance +ms.topic: article +audience: ITPro +ms.date: 03/12/2019 +--- + + +# Windows 10, version 1809 basic level Windows diagnostic events and fields + + **Applies to** + +- Windows 10, version 1809 + + +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. + +The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. + +Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. + +You can learn more about Windows functional and diagnostic data through these articles: + + +- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) +- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) +- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) +- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) +- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) + + + + +## Account trace logging provider events + +### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.General + +This event provides information about application properties to indicate the successful execution. + +The following fields are available: + +- **AppMode** Indicates the mode the app is being currently run around privileges. +- **ExitCode** Indicates the exit code of the app. +- **Help** Indicates if the app needs to be launched in the help mode. +- **ParseError** Indicates if there was a parse error during the execution. +- **RightsAcquired** Indicates if the right privileges were acquired for successful execution. +- **RightsWereEnabled** Indicates if the right privileges were enabled for successful execution. +- **TestMode** Indicates whether the app is being run in test mode. + + +### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.GetCount + +This event provides information about the properties of user accounts in the Administrator group. + +The following fields are available: + +- **Internal** Indicates the internal property associated with the count group. +- **LastError** The error code (if applicable) for the cause of the failure to get the count of the user account. +- **Result** The HResult error. + + +## AppLocker events + +### Microsoft.Windows.Security.AppLockerCSP.ActivityStoppedAutomatically + +Automatically closed activity for start/stop operations that aren't explicitly closed. + + + +### Microsoft.Windows.Security.AppLockerCSP.AddParams + +Parameters passed to Add function of the AppLockerCSP Node. + +The following fields are available: + +- **child** The child URI of the node to add. +- **uri** URI of the node relative to %SYSTEM32%/AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.AddStart + +Start of "Add" Operation for the AppLockerCSP Node. + + + +### Microsoft.Windows.Security.AppLockerCSP.AddStop + +End of "Add" Operation for AppLockerCSP Node. + +The following fields are available: + +- **hr** The HRESULT returned by Add function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.CAppLockerCSP::Rollback + +Result of the 'Rollback' operation in AppLockerCSP. + +The following fields are available: + +- **oldId** Previous id for the CSP transaction. +- **txId** Current id for the CSP transaction. + + +### Microsoft.Windows.Security.AppLockerCSP.ClearParams + +Parameters passed to the "Clear" operation for AppLockerCSP. + +The following fields are available: + +- **uri** The URI relative to the %SYSTEM32%\AppLocker folder. + + +### Microsoft.Windows.Security.AppLockerCSP.ClearStart + +Start of the "Clear" operation for the AppLockerCSP Node. + + + +### Microsoft.Windows.Security.AppLockerCSP.ClearStop + +End of the "Clear" operation for the AppLockerCSP node. + +The following fields are available: + +- **hr** HRESULT reported at the end of the 'Clear' function. + + +### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStart + +Start of the "ConfigManagerNotification" operation for AppLockerCSP. + +The following fields are available: + +- **NotifyState** State sent by ConfigManager to AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStop + +End of the "ConfigManagerNotification" operation for AppLockerCSP. + +The following fields are available: + +- **hr** HRESULT returned by the ConfigManagerNotification function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceParams + +Parameters passed to the CreateNodeInstance function of the AppLockerCSP node. + +The following fields are available: + +- **NodeId** NodeId passed to CreateNodeInstance. +- **nodeOps** NodeOperations parameter passed to CreateNodeInstance. +- **uri** URI passed to CreateNodeInstance, relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStart + +Start of the "CreateNodeInstance" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStop + +End of the "CreateNodeInstance" operation for the AppLockerCSP node + +The following fields are available: + +- **hr** HRESULT returned by the CreateNodeInstance function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.DeleteChildParams + +Parameters passed to the DeleteChild function of the AppLockerCSP node. + +The following fields are available: + +- **child** The child URI of the node to delete. +- **uri** URI relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStart + +Start of the "DeleteChild" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStop + +End of the "DeleteChild" operation for the AppLockerCSP node. + +The following fields are available: + +- **hr** HRESULT returned by the DeleteChild function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.EnumPolicies + +Logged URI relative to %SYSTEM32%\AppLocker, if the Plugin GUID is null, or the CSP doesn't believe the old policy is present. + +The following fields are available: + +- **uri** URI relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesParams + +Parameters passed to the GetChildNodeNames function of the AppLockerCSP node. + +The following fields are available: + +- **uri** URI relative to %SYSTEM32%/AppLocker for MDM node. + + +### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStart + +Start of the "GetChildNodeNames" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStop + +End of the "GetChildNodeNames" operation for the AppLockerCSP node. + +The following fields are available: + +- **child[0]** If function succeeded, the first child's name, else "NA". +- **count** If function succeeded, the number of child node names returned by the function, else 0. +- **hr** HRESULT returned by the GetChildNodeNames function of AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.GetLatestId + +The result of 'GetLatestId' in AppLockerCSP (the latest time stamped GUID). + +The following fields are available: + +- **dirId** The latest directory identifier found by GetLatestId. +- **id** The id returned by GetLatestId if id > 0 - otherwise the dirId parameter. + + +### Microsoft.Windows.Security.AppLockerCSP.HResultException + +HRESULT thrown by any arbitrary function in AppLockerCSP. + +The following fields are available: + +- **file** File in the OS code base in which the exception occurs. +- **function** Function in the OS code base in which the exception occurs. +- **hr** HRESULT that is reported. +- **line** Line in the file in the OS code base in which the exception occurs. + + +### Microsoft.Windows.Security.AppLockerCSP.SetValueParams + +Parameters passed to the SetValue function of the AppLockerCSP node. + +The following fields are available: + +- **dataLength** Length of the value to set. +- **uri** The node URI to that should contain the value, relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.SetValueStart + +Start of the "SetValue" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.SetValueStop + +End of the "SetValue" operation for the AppLockerCSP node. + +The following fields are available: + +- **hr** HRESULT returned by the SetValue function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.TryRemediateMissingPolicies + +EntryPoint of fix step or policy remediation, includes URI relative to %SYSTEM32%\AppLocker that needs to be fixed. + +The following fields are available: + +- **uri** URI for node relative to %SYSTEM32%/AppLocker. + + +## Appraiser events + +### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount + +This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client. + +The following fields are available: + +- **DatasourceApplicationFile_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_19H1** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **DatasourceApplicationFile_RS2** An ID for the system, calculated by hashing hardware identifiers. +- **DatasourceApplicationFile_RS3** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS3Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS4** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_TH1** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_TH2** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. +- **DatasourceDevicePnp_RS2** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS3** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS4** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS5** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_TH1** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_TH2** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19H1** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device. +- **DatasourceDriverPackage_RS2** The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device. +- **DatasourceDriverPackage_RS3** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS5** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_TH1** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoBlock_RS2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS3** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS3Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS3** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS3Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. +- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. +- **DataSourceMatchingInfoPostUpgrade_RS3Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19H1** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device. +- **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device. +- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting Windows 10 version 1709 present on this device. +- **DatasourceSystemBios_RS3Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS4** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS5** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_TH1** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_TH2** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19H1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS3** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_TH1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_TH2** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19H1** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. +- **DecisionDevicePnp_RS2** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS3** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS5** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_TH1** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_TH2** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19H1** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device. +- **DecisionDriverPackage_RS2** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS3** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS5** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_TH1** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. +- **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. +- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1709 present on this device. +- **DecisionMatchingInfoBlock_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS4** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1803 present on this device. +- **DecisionMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. +- **DecisionMatchingInfoPassive_RS2** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 on this device. +- **DecisionMatchingInfoPassive_RS3** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1803 on this device. +- **DecisionMatchingInfoPassive_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. +- **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. +- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. +- **DecisionMatchingInfoPostUpgrade_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19H1** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19H1Setup** The total DecisionMediaCenter objects targeting the next release of Windows on this device. +- **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. +- **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device. +- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting Windows 10 version 1709 present on this device. +- **DecisionMediaCenter_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS4** The total DecisionMediaCenter objects targeting Windows 10 version 1803 present on this device. +- **DecisionMediaCenter_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_TH1** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_TH2** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_19ASetup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_19H1** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device. +- **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 on this device. +- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting Windows 10 version 1709 on this device. +- **DecisionSystemBios_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device. +- **DecisionSystemBios_RS4Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS5** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS5Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_TH1** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device. +- **DecisionSystemProcessor_RS2** The count of the number of this particular object type present on this device. +- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **InventoryApplicationFile** The count of the number of this particular object type present on this device. +- **InventoryDeviceContainer** A count of device container objects in cache. +- **InventoryDevicePnp** A count of device Plug and Play objects in cache. +- **InventoryDriverBinary** A count of driver binary objects in cache. +- **InventoryDriverPackage** A count of device objects in cache. +- **InventoryLanguagePack** The count of the number of this particular object type present on this device. +- **InventoryMediaCenter** The count of the number of this particular object type present on this device. +- **InventorySystemBios** The count of the number of this particular object type present on this device. +- **InventorySystemMachine** The count of the number of this particular object type present on this device. +- **InventorySystemProcessor** The count of the number of this particular object type present on this device. +- **InventoryTest** The count of the number of this particular object type present on this device. +- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. +- **PCFP** The count of the number of this particular object type present on this device. +- **SystemMemory** The count of the number of this particular object type present on this device. +- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. +- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. +- **SystemProcessorNx** The total number of objects of this type present on this device. +- **SystemProcessorPrefetchW** The total number of objects of this type present on this device. +- **SystemProcessorSse2** The total number of objects of this type present on this device. +- **SystemTouch** The count of the number of this particular object type present on this device. +- **SystemWim** The total number of objects of this type present on this device. +- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. +- **SystemWlan** The total number of objects of this type present on this device. +- **Wmdrm_19ASetup** The count of the number of this particular object type present on this device. +- **Wmdrm_19H1** The count of the number of this particular object type present on this device. +- **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. +- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **Wmdrm_RS2** An ID for the system, calculated by hashing hardware identifiers. +- **Wmdrm_RS3** An ID for the system, calculated by hashing hardware identifiers. +- **Wmdrm_RS3Setup** The count of the number of this particular object type present on this device. +- **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. +- **Wmdrm_RS4Setup** The count of the number of this particular object type present on this device. +- **Wmdrm_RS5** The count of the number of this particular object type present on this device. +- **Wmdrm_RS5Setup** The count of the number of this particular object type present on this device. +- **Wmdrm_TH1** The count of the number of this particular object type present on this device. +- **Wmdrm_TH2** The count of the number of this particular object type present on this device. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd + +Represents the basic metadata about specific application files installed on the system. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file that is generating the events. +- **AvDisplayName** If the app is an anti-virus app, this is its display name. +- **CompatModelIndex** The compatibility prediction for this file. +- **HasCitData** Indicates whether the file is present in CIT data. +- **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file. +- **IsAv** Is the file an anti-virus reporting EXE? +- **ResolveAttempted** This will always be an empty string when sending telemetry. +- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove + +This event indicates that the DatasourceApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync + +This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd + +This event sends compatibility data for a Plug and Play device, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **ActiveNetworkConnection** Indicates whether the device is an active network device. +- **AppraiserVersion** The version of the appraiser file generating the events. +- **CosDeviceRating** An enumeration that indicates if there is a driver on the target operating system. +- **CosDeviceSolution** An enumeration that indicates how a driver on the target operating system is available. +- **CosDeviceSolutionUrl** Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd . Empty string +- **CosPopulatedFromId** The expected uplevel driver matching ID based on driver coverage data. +- **IsBootCritical** Indicates whether the device boot is critical. +- **UplevelInboxDriver** Indicates whether there is a driver uplevel for this device. +- **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update. +- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver. +- **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove + +This event indicates that the DatasourceDevicePnp object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync + +This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd + +This event sends compatibility database data about driver packages to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync + +This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd + +This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove + +This event indicates that the DataSourceMatchingInfoBlock object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync + +This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd + +This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove + +This event indicates that the DataSourceMatchingInfoPassive object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync + +This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd + +This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove + +This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync + +This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd + +This event sends compatibility database information about the BIOS to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove + +This event indicates that the DatasourceSystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync + +This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd + +This event sends compatibility decision data about a file to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file that is generating the events. +- **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. +- **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question. +- **DisplayGenericMessage** Will be a generic message be shown for this file? +- **DisplayGenericMessageGated** Indicates whether a generic message be shown for this file. +- **HardBlock** This file is blocked in the SDB. +- **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? +- **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode? +- **MigRemoval** Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade? +- **NeedsDismissAction** Will the file cause an action that can be dimissed? +- **NeedsInstallPostUpgradeData** After upgrade, the file will have a post-upgrade notification to install a replacement for the app. +- **NeedsNotifyPostUpgradeData** Does the file have a notification that should be shown after upgrade? +- **NeedsReinstallPostUpgradeData** After upgrade, this file will have a post-upgrade notification to reinstall the app. +- **NeedsUninstallAction** The file must be uninstalled to complete the upgrade. +- **SdbBlockUpgrade** The file is tagged as blocking upgrade in the SDB, +- **SdbBlockUpgradeCanReinstall** The file is tagged as blocking upgrade in the SDB. It can be reinstalled after upgrade. +- **SdbBlockUpgradeUntilUpdate** The file is tagged as blocking upgrade in the SDB. If the app is updated, the upgrade can proceed. +- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not block upgrade. +- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade. +- **SoftBlock** The file is softblocked in the SDB and has a warning. + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove + +This event indicates Indicates that the DecisionApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync + +This event indicates that a new set of DecisionApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd + +This event sends compatibility decision data about a PNP device to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked? +- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate? +- **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked? +- **BlockingDevice** Is this PNP device blocking upgrade? +- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS? +- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device? +- **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device? +- **DisplayGenericMessageGated** Indicates whether a generic message will be shown during Setup for this PNP device. +- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device? +- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? +- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device? +- **DriverBlockOverridden** Is there is a driver block on the device that has been overridden? +- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device? +- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS? +- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade? +- **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden? + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove + +This event indicates that the DecisionDevicePnp object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync + +The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd + +This event sends decision data about driver package compatibility to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for this driver package. +- **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? +- **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block? +- **DriverIsDriverBlocked** Is the driver package blocked because of a driver block? +- **DriverIsTroubleshooterBlocked** Indicates whether the driver package is blocked because of a troubleshooter block. +- **DriverShouldNotMigrate** Should the driver package be migrated during upgrade? +- **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove + +This event indicates that the DecisionDriverPackage object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync + +This event indicates that a new set of DecisionDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd + +This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks? +- **DisplayGenericMessage** Will a generic message be shown for this block? +- **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block? +- **SdbBlockUpgrade** Is a matching info block blocking upgrade? +- **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag? +- **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag? + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove + +This event indicates that the DecisionMatchingInfoBlock object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync + +This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd + +This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks? +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown due to matching info blocks. +- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove + +This event Indicates that the DecisionMatchingInfoPassive object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync + +This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd + +This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app? +- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade? +- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app? +- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade). + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove + +This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync + +This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd + +This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **BlockingApplication** Is there any application issues that interfere with upgrade due to Windows Media Center? +- **MediaCenterActivelyUsed** If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true? +- **MediaCenterIndicators** Do any indicators imply that Windows Media Center is in active use? +- **MediaCenterInUse** Is Windows Media Center actively being used? +- **MediaCenterPaidOrActivelyUsed** Is Windows Media Center actively being used or is it running on a supported edition? +- **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center? + + +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove + +This event indicates that the DecisionMediaCenter object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync + +This event indicates that a new set of DecisionMediaCenterAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd + +This event sends compatibility decision data about the BIOS to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the device blocked from upgrade due to a BIOS block? +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for the bios. +- **HasBiosBlock** Does the device have a BIOS block? + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove + +This event indicates that the DecisionSystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync + +This event indicates that a new set of DecisionSystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.GatedRegChange + +This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date. + +The following fields are available: + +- **NewData** The data in the registry value after the scan completed. +- **OldData** The previous data in the registry value before the scan ran. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **RegKey** The registry key name for which a result is being sent. +- **RegValue** The registry value for which a result is being sent. +- **Time** The client time of the event. + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd + +This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **AvDisplayName** If the app is an antivirus app, this is its display name. +- **AvProductState** Indicates whether the antivirus program is turned on and the signatures are up to date. +- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64. +- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. +- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. +- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata. +- **CompanyName** The company name of the vendor who developed this file. +- **FileId** A hash that uniquely identifies a file. +- **FileVersion** The File version field from the file metadata under Properties -> Details. +- **HasUpgradeExe** Indicates whether the antivirus app has an upgrade.exe file. +- **IsAv** Indicates whether the file an antivirus reporting EXE. +- **LinkDate** The date and time that this file was linked on. +- **LowerCaseLongPath** The full file path to the file that was inventoried on the device. +- **Name** The name of the file that was inventoried. +- **ProductName** The Product name field from the file metadata under Properties -> Details. +- **ProductVersion** The Product version field from the file metadata under Properties -> Details. +- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it. +- **Size** The size of the file (in hexadecimal bytes). + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove + +This event indicates that the InventoryApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync + +This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd + +This event sends data about the number of language packs installed on the system, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **HasLanguagePack** Indicates whether this device has 2 or more language packs. +- **LanguagePackCount** The number of language packs are installed. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove + +This event indicates that the InventoryLanguagePack object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync + +This event indicates that a new set of InventoryLanguagePackAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd + +This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **EverLaunched** Has Windows Media Center ever been launched? +- **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center? +- **HasExtendedUserAccounts** Are any Windows Media Center Extender user accounts configured? +- **HasWatchedFolders** Are any folders configured for Windows Media Center to watch? +- **IsDefaultLauncher** Is Windows Media Center the default app for opening music or video files? +- **IsPaid** Is the user running a Windows Media Center edition that implies they paid for Windows Media Center? +- **IsSupported** Does the running OS support Windows Media Center? + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove + +This event indicates that the InventoryMediaCenter object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync + +This event indicates that a new set of InventoryMediaCenterAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd + +This event sends basic metadata about the BIOS to determine whether it has a compatibility block. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **biosDate** The release date of the BIOS in UTC format. +- **BiosDate** The release date of the BIOS in UTC format. +- **biosName** The name field from Win32_BIOS. +- **BiosName** The name field from Win32_BIOS. +- **manufacturer** The manufacturer field from Win32_ComputerSystem. +- **Manufacturer** The manufacturer field from Win32_ComputerSystem. +- **model** The model field from Win32_ComputerSystem. +- **Model** The model field from Win32_ComputerSystem. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove + +This event indicates that the InventorySystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync + +This event indicates that a new set of InventorySystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd + +This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BootCritical** Is the driver package marked as boot critical? +- **Build** The build value from the driver package. +- **CatalogFile** The name of the catalog file within the driver package. +- **Class** The device class from the driver package. +- **ClassGuid** The device class unique ID from the driver package. +- **Date** The date from the driver package. +- **Inbox** Is the driver package of a driver that is included with Windows? +- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU. +- **Provider** The provider of the driver package. +- **PublishedName** The name of the INF file after it was renamed. +- **Revision** The revision of the driver package. +- **SignatureStatus** Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2. +- **VersionMajor** The major version of the driver package. +- **VersionMinor** The minor version of the driver package. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove + +This event indicates that the InventoryUplevelDriverPackage object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync + +This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.RunContext + +This event indicates what should be expected in the data payload. + +The following fields are available: + +- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built. +- **AppraiserProcess** The name of the process that launched Appraiser. +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **CensusId** A unique hardware identifier. +- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **Subcontext** Indicates what categories of incompatibilities appraiser is scanning for. Can be N/A, Resolve, or a semicolon-delimited list that can include App, Dev, Sys, Gat, or Rescan. +- **Time** The client time of the event. + + +### Microsoft.Windows.Appraiser.General.SystemMemoryAdd + +This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the device from upgrade due to memory restrictions? +- **MemoryRequirementViolated** Was a memory requirement violated? +- **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes). +- **ram** The amount of memory on the device. +- **ramKB** The amount of memory (in KB). +- **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes). +- **virtualKB** The amount of virtual memory (in KB). + + +### Microsoft.Windows.Appraiser.General.SystemMemoryRemove + +This event that the SystemMemory object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync + +This event indicates that a new set of SystemMemoryAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd + +This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **CompareExchange128Support** Does the CPU support CompareExchange128? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove + +This event indicates that the SystemProcessorCompareExchange object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync + +This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd + +This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **LahfSahfSupport** Does the CPU support LAHF/SAHF? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove + +This event indicates that the SystemProcessorLahfSahf object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync + +This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd + +This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support. +- **NXProcessorSupport** Does the processor support NX? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove + +This event indicates that the SystemProcessorNx object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync + +This event indicates that a new set of SystemProcessorNxAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd + +This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **PrefetchWSupport** Does the processor support PrefetchW? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove + +This event indicates that the SystemProcessorPrefetchW object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync + +This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add + +This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **SSE2ProcessorSupport** Does the processor support SSE2? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove + +This event indicates that the SystemProcessorSse2 object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync + +This event indicates that a new set of SystemProcessorSse2Add events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemTouchAdd + +This event sends data indicating whether the system supports touch, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer? +- **MaximumTouches** The maximum number of touch points supported by the device hardware. + + +### Microsoft.Windows.Appraiser.General.SystemTouchRemove + +This event indicates that the SystemTouch object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemTouchStartSync + +This event indicates that a new set of SystemTouchAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWimAdd + +This event sends data indicating whether the operating system is running from a compressed Windows Imaging Format (WIM) file, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **IsWimBoot** Is the current operating system running from a compressed WIM file? +- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM. + + +### Microsoft.Windows.Appraiser.General.SystemWimRemove + +This event indicates that the SystemWim object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWimStartSync + +This event indicates that a new set of SystemWimAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd + +This event sends data indicating whether the current operating system is activated, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated. +- **WindowsNotActivatedDecision** Is the current operating system activated? + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove + +This event indicates that the SystemWindowsActivationStatus object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync + +This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWlanAdd + +This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked because of an emulated WLAN driver? +- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block? +- **WlanEmulatedDriver** Does the device have an emulated WLAN driver? +- **WlanExists** Does the device support WLAN at all? +- **WlanModulePresent** Are any WLAN modules present? +- **WlanNativeDriver** Does the device have a non-emulated WLAN driver? + + +### Microsoft.Windows.Appraiser.General.SystemWlanRemove + +This event indicates that the SystemWlan object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWlanStartSync + +This event indicates that a new set of SystemWlanAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.TelemetryRunHealth + +This event indicates the parameters and result of a telemetry (diagnostic) run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date. + +The following fields are available: + +- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built. +- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run. +- **AppraiserProcess** The name of the process that launched Appraiser. +- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots. +- **AuxFinal** Obsolete, always set to false. +- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app. +- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan. +- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. +- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent. +- **InboxDataVersion** The original version of the data files before retrieving any newer version. +- **IndicatorsWritten** Indicates if all relevant UEX indicators were successfully written or updated. +- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. +- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. +- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. +- **RunDate** The date that the telemetry run was stated, expressed as a filetime. +- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic. +- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. +- **RunResult** The hresult of the Appraiser telemetry run. +- **ScheduledUploadDay** The day scheduled for the upload. +- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run. +- **StoreHandleIsNotNull** Obsolete, always set to false +- **TelementrySent** Indicates if telemetry was successfully sent. +- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability. +- **Time** The client time of the event. +- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging. +- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated. + + +### Microsoft.Windows.Appraiser.General.WmdrmAdd + +This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BlockingApplication** Same as NeedsDismissAction. +- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation. +- **WmdrmApiResult** Raw value of the API used to gather DRM state. +- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs. +- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased. +- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed. +- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses. +- **WmdrmPurchased** Indicates if the system has any files with permanent licenses. + + +### Microsoft.Windows.Appraiser.General.WmdrmRemove + +This event indicates that the Wmdrm object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.WmdrmStartSync + +This event indicates that a new set of WmdrmAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +## Census events + +### Census.App + +Provides information on IE and Census versions running on the device + +The following fields are available: + +- **AppraiserEnterpriseErrorCode** The error code of the last Appraiser enterprise run. +- **AppraiserErrorCode** The error code of the last Appraiser run. +- **AppraiserRunEndTimeStamp** The end time of the last Appraiser run. +- **AppraiserRunIsInProgressOrCrashed** Flag that indicates if the Appraiser run is in progress or has crashed. +- **AppraiserRunStartTimeStamp** The start time of the last Appraiser run. +- **AppraiserTaskEnabled** Whether the Appraiser task is enabled. +- **AppraiserTaskExitCode** The Appraiser task exist code. +- **AppraiserTaskLastRun** The last runtime for the Appraiser task. +- **CensusVersion** The version of Census that generated the current data for this device. +- **IEVersion** The version of Internet Explorer that is running on the device. + + +### Census.Battery + +This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date. + +The following fields are available: + +- **InternalBatteryCapablities** Represents information about what the battery is capable of doing. +- **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity  to estimate the battery's wear. +- **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh. +- **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance. +- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value. + + +### Census.Camera + +This event sends data about the resolution of cameras on the device, to help keep Windows up to date. + +The following fields are available: + +- **FrontFacingCameraResolution** Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0. +- **RearFacingCameraResolution** Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0. + + +### Census.Enterprise + +This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment. + +The following fields are available: + +- **AADDeviceId** Azure Active Directory device ID. +- **AzureOSIDPresent** Represents the field used to identify an Azure machine. +- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs. +- **CDJType** Represents the type of cloud domain joined for the machine. +- **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers. +- **ContainerType** The type of container, such as process or virtual machine hosted. +- **EnrollmentType** Defines the type of MDM enrollment on the device. +- **HashedDomain** The hashed representation of the user domain used for login. +- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false +- **IsDERequirementMet** Represents if the device can do device encryption. +- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption +- **IsDomainJoined** Indicates whether a machine is joined to a domain. +- **IsEDPEnabled** Represents if Enterprise data protected on the device. +- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. +- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment. +- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. +- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier + + +### Census.Firmware + +This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date. + +The following fields are available: + +- **FirmwareManufacturer** Represents the manufacturer of the device's firmware (BIOS). +- **FirmwareReleaseDate** Represents the date the current firmware was released. +- **FirmwareType** Represents the firmware type. The various types can be unknown, BIOS, UEFI. +- **FirmwareVersion** Represents the version of the current firmware. + + +### Census.Flighting + +This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up to date. + +The following fields are available: + +- **DeviceSampleRate** The telemetry sample rate assigned to the device. +- **EnablePreviewBuilds** Used to enable Windows Insider builds on a device. +- **FlightIds** A list of the different Windows Insider builds on this device. +- **FlightingBranchName** The name of the Windows Insider branch currently used by the device. +- **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program. +- **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device. +- **SSRK** Retrieves the mobile targeting settings. + + +### Census.Hardware + +This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up to date. + +The following fields are available: + +- **ActiveMicCount** The number of active microphones attached to the device. +- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36. +- **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields. +- **D3DMaxFeatureLevel** Supported Direct3D version. +- **DeviceColor** Indicates a color of the device. +- **DeviceForm** Indicates the form as per the device classification. +- **DeviceName** The device name that is set by the user. +- **DigitizerSupport** Is a digitizer supported? +- **DUID** The device unique ID. +- **Gyroscope** Indicates whether the device has a gyroscope (a mechanical component that measures and maintains orientation). +- **InventoryId** The device ID used for compatibility testing. +- **Magnetometer** Indicates whether the device has a magnetometer (a mechanical component that works like a compass). +- **NFCProximity** Indicates whether the device supports NFC (a set of communication protocols that helps establish communication when applicable devices are brought close together.) +- **OEMDigitalMarkerFileName** The name of the file placed in the \Windows\system32\drivers directory that specifies the OEM and model name of the device. +- **OEMManufacturerName** The device manufacturer name. The OEMName for an inactive device is not reprocessed even if the clean OEM name is changed at a later date. +- **OEMModelBaseBoard** The baseboard model used by the OEM. +- **OEMModelBaseBoardVersion** Differentiates between developer and retail devices. +- **OEMModelName** The device model name. +- **OEMModelNumber** The device model number. +- **OEMModelSKU** The device edition that is defined by the manufacturer. +- **OEMModelSystemFamily** The system family set on the device by an OEM. +- **OEMModelSystemVersion** The system model version set on the device by the OEM. +- **OEMOptionalIdentifier** A Microsoft assigned value that represents a specific OEM subsidiary. +- **OEMSerialNumber** The serial number of the device that is set by the manufacturer. +- **PhoneManufacturer** The friendly name of the phone manufacturer. +- **PowerPlatformRole** The OEM preferred power management profile. It's used to help to identify the basic form factor of the device. +- **SoCName** The firmware manufacturer of the device. +- **StudyID** Used to identify retail and non-retail device. +- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced. +- **TelemetryLevelLimitEnhanced** The telemetry level for Windows Analytics-based solutions. +- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user. +- **TPMManufacturerId** The ID of the TPM manufacturer. +- **TPMManufacturerVersion** The version of the TPM manufacturer. +- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0. +- **VoiceSupported** Does the device have a cellular radio capable of making voice calls? + + +### Census.Memory + +This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to date. + +The following fields are available: + +- **TotalPhysicalRAM** Represents the physical memory (in MB). +- **TotalVisibleMemory** Represents the memory that is not reserved by the system. + + +### Census.Network + +This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors), to help keep Windows up to date. + +The following fields are available: + +- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. +- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. +- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MEID** Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. +- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MobileOperatorBilling** Represents the telephone company that provides services for mobile phone users. +- **MobileOperatorCommercialized** Represents which reseller and geography the phone is commercialized for. This is the set of values on the phone for who and where it was intended to be used. For example, the commercialized mobile operator code AT&T in the US would be ATT-US. +- **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. +- **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. +- **NetworkAdapterGUID** The GUID of the primary network adapter. +- **NetworkCost** Represents the network cost associated with a connection. +- **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. +- **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. + + +### Census.OS + +This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date. + +The following fields are available: + +- **ActivationChannel** Retrieves the retail license key or Volume license key for a machine. +- **AssignedAccessStatus** Kiosk configuration mode. +- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled. +- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy. +- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time +- **GenuineState** Retrieves the ID Value specifying the OS Genuine check. +- **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update). +- **InstallLanguage** The first language installed on the user machine. +- **IsDeviceRetailDemo** Retrieves if the device is running in demo mode. +- **IsEduData** Returns Boolean if the education data policy is enabled. +- **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go +- **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI. +- **LanguagePacks** The list of language packages installed on the device. +- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store. +- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. +- **OSEdition** Retrieves the version of the current OS. +- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc +- **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). +- **OSSKU** Retrieves the Friendly Name of OS Edition. +- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. +- **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines. +- **OSTimeZoneBiasInMins** Retrieves the time zone set on machine. +- **OSUILocale** Retrieves the locale of the UI that is currently used by the OS. +- **ProductActivationResult** Returns Boolean if the OS Activation was successful. +- **ProductActivationTime** Returns the OS Activation time for tracking piracy issues. +- **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key. +- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability. +- **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. +- **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. +- **ServiceProductKeyID** Retrieves the License key of the KMS +- **SharedPCMode** Returns Boolean for education devices used as shared cart +- **Signature** Retrieves if it is a signature machine sold by Microsoft store. +- **SLICStatus** Whether a SLIC table exists on the device. +- **SLICVersion** Returns OS type/version from SLIC table. + + +### Census.PrivacySettings + +This event provides information about the device level privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represent the authority that set the value. The effective consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. + +The following fields are available: + +- **Activity** Current state of the activity history setting. +- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. +- **ActivityHistoryCollection** Current state of the activity history collection setting. +- **AdvertisingId** Current state of the advertising ID setting. +- **AppDiagnostics** Current state of the app diagnostics setting. +- **Appointments** Current state of the calendar setting. +- **Bluetooth** Current state of the Bluetooth capability setting. +- **BluetoothSync** Current state of the Bluetooth sync capability setting. +- **BroadFileSystemAccess** Current state of the broad file system access setting. +- **CellularData** Current state of the cellular data capability setting. +- **Chat** Current state of the chat setting. +- **Contacts** Current state of the contacts setting. +- **DocumentsLibrary** Current state of the documents library setting. +- **Email** Current state of the email setting. +- **FindMyDevice** Current state of the "find my device" setting. +- **GazeInput** Current state of the gaze input setting. +- **HumanInterfaceDevice** Current state of the human interface device setting. +- **InkTypeImprovement** Current state of the improve inking and typing setting. +- **Location** Current state of the location setting. +- **LocationHistory** Current state of the location history setting. +- **LocationHistoryCloudSync** Current state of the location history cloud sync setting. +- **LocationHistoryOnTimeline** Current state of the location history on timeline setting. +- **Microphone** Current state of the microphone setting. +- **PhoneCall** Current state of the phone call setting. +- **PhoneCallHistory** Current state of the call history setting. +- **PicturesLibrary** Current state of the pictures library setting. +- **Radios** Current state of the radios setting. +- **SensorsCustom** Current state of the custom sensor setting. +- **SerialCommunication** Current state of the serial communication setting. +- **Sms** Current state of the text messaging setting. +- **SpeechPersonalization** Current state of the speech services setting. +- **USB** Current state of the USB setting. +- **UserAccountInformation** Current state of the account information setting. +- **UserDataTasks** Current state of the tasks setting. +- **UserNotificationListener** Current state of the notifications setting. +- **VideosLibrary** Current state of the videos library setting. +- **Webcam** Current state of the camera setting. +- **WiFiDirect** Current state of the Wi-Fi direct setting. + + +### Census.Processor + +Provides information on several important data points about Processor settings + +The following fields are available: + +- **KvaShadow** This is the micro code information of the processor. +- **MMSettingOverride** Microcode setting of the processor. +- **MMSettingOverrideMask** Microcode setting override of the processor. +- **PreviousUpdateRevision** Previous microcode revision +- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. +- **ProcessorClockSpeed** Clock speed of the processor in MHz. +- **ProcessorCores** Number of logical cores in the processor. +- **ProcessorIdentifier** Processor Identifier of a manufacturer. +- **ProcessorManufacturer** Name of the processor manufacturer. +- **ProcessorModel** Name of the processor model. +- **ProcessorPhysicalCores** Number of physical cores in the processor. +- **ProcessorUpdateRevision** The microcode revision. +- **ProcessorUpdateStatus** Enum value that represents the processor microcode load status +- **SocketCount** Count of CPU sockets. +- **SpeculationControl** Indicates whether the system has enabled protections needed to validate the speculation control vulnerability. + + +### Census.Security + +This event provides information on about security settings used to help keep Windows up to date and secure. + +The following fields are available: + +- **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard. +- **CGRunning** Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. This field tells if Credential Guard is running. +- **DGState** This field summarizes the Device Guard state. +- **HVCIRunning** Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all software running in kernel mode to safely allocate memory. This field tells if HVCI is running. +- **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest. +- **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host. +- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security. +- **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting. +- **SModeState** The Windows S mode trail state. +- **VBSState** Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled, Enabled, or Running. + + +### Census.Speech + +This event is used to gather basic speech settings on the device. + +The following fields are available: + +- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked. +- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities. +- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user. +- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. +- **KeyVer** Version information for the census speech event. +- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS). +- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. +- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities. +- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice. +- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device. +- **SpeechServicesValueSource** Indicates the deciding factor for the effective online speech recognition privacy policy settings: remote admin, local admin, or user preference. + + +### Census.Storage + +This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date. + +The following fields are available: + +- **PrimaryDiskTotalCapacity** Retrieves the amount of disk space on the primary disk of the device in MB. +- **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any). +- **StorageReservePassedPolicy** Indicates whether the Storage Reserve policy, which ensures that updates have enough disk space and customers are on the latest OS, is enabled on this device. +- **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB. + + +### Census.Userdefault + +This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date. + +The following fields are available: + +- **CalendarType** The calendar identifiers that are used to specify different calendars. +- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. +- **DefaultBrowserProgId** The ProgramId of the current user's default browser. +- **LongDateFormat** The long date format the user has selected. +- **ShortDateFormat** The short date format the user has selected. + + +### Census.UserDisplay + +This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date. + +The following fields are available: + +- **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display. +- **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display. +- **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display. +- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display. +- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display. +- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display. +- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches . +- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches +- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine +- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine. +- **VRAMDedicated** Retrieves the video RAM in MB. +- **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card. +- **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use. + + +### Census.UserNLS + +This event sends data about the default app language, input, and display language preferences set by the user, to help keep Windows up to date. + +The following fields are available: + +- **DefaultAppLanguage** The current user Default App Language. +- **DisplayLanguage** The current user preferred Windows Display Language. +- **HomeLocation** The current user location, which is populated using GetUserGeoId() function. +- **KeyboardInputLanguages** The Keyboard input languages installed on the device. +- **SpeechInputLanguages** The Speech Input languages installed on the device. + + +### Census.UserPrivacySettings + +This event provides information about the current users privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represents the authority that set the value. The effective consent is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = user, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. + +The following fields are available: + +- **Activity** Current state of the activity history setting. +- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. +- **ActivityHistoryCollection** Current state of the activity history collection setting. +- **AdvertisingId** Current state of the advertising ID setting. +- **AppDiagnostics** Current state of the app diagnostics setting. +- **Appointments** Current state of the calendar setting. +- **Bluetooth** Current state of the Bluetooth capability setting. +- **BluetoothSync** Current state of the Bluetooth sync capability setting. +- **BroadFileSystemAccess** Current state of the broad file system access setting. +- **CellularData** Current state of the cellular data capability setting. +- **Chat** Current state of the chat setting. +- **Contacts** Current state of the contacts setting. +- **DocumentsLibrary** Current state of the documents library setting. +- **Email** Current state of the email setting. +- **GazeInput** Current state of the gaze input setting. +- **HumanInterfaceDevice** Current state of the human interface device setting. +- **InkTypeImprovement** Current state of the improve inking and typing setting. +- **InkTypePersonalization** Current state of the inking and typing personalization setting. +- **Location** Current state of the location setting. +- **LocationHistory** Current state of the location history setting. +- **LocationHistoryCloudSync** Current state of the location history cloud synchronization setting. +- **LocationHistoryOnTimeline** Current state of the location history on timeline setting. +- **Microphone** Current state of the microphone setting. +- **PhoneCall** Current state of the phone call setting. +- **PhoneCallHistory** Current state of the call history setting. +- **PicturesLibrary** Current state of the pictures library setting. +- **Radios** Current state of the radios setting. +- **SensorsCustom** Current state of the custom sensor setting. +- **SerialCommunication** Current state of the serial communication setting. +- **Sms** Current state of the text messaging setting. +- **SpeechPersonalization** Current state of the speech services setting. +- **USB** Current state of the USB setting. +- **UserAccountInformation** Current state of the account information setting. +- **UserDataTasks** Current state of the tasks setting. +- **UserNotificationListener** Current state of the notifications setting. +- **VideosLibrary** Current state of the videos library setting. +- **Webcam** Current state of the camera setting. +- **WiFiDirect** Current state of the Wi-Fi direct setting. + + +### Census.VM + +This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date. + +The following fields are available: + +- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within. +- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor. +- **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present. +- **IsVDI** Is the device using Virtual Desktop Infrastructure? +- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors. +- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware. +- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware. + + +### Census.WU + +This event sends data about the Windows update server and other App store policies, to help keep Windows up to date. + +The following fields are available: + +- **AppraiserGatedStatus** Indicates whether a device has been gated for upgrading. +- **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled). +- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured +- **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting +- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades. +- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it? +- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update? +- **OSAssessmentForQualityUpdate** Is the device on the latest quality update? +- **OSAssessmentForSecurityUpdate** Is the device on the latest security update? +- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it? +- **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment. +- **OSRollbackCount** The number of times feature updates have rolled back on the device. +- **OSRolledBack** A flag that represents when a feature update has rolled back during setup. +- **OSUninstalled** A flag that represents when a feature update is uninstalled on a device . +- **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device. +- **OSWUAutoUpdateOptionsSource** The source of auto update setting that appears in the OSWUAutoUpdateOptions field. For example: Group Policy (GP), Mobile Device Management (MDM), and Default. +- **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently. +- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). +- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. +- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. +- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. +- **WUPauseState** Retrieves WU setting to determine if updates are paused. +- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). + + +### Census.Xbox + +This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date. + +The following fields are available: + +- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console. +- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console. +- **XboxLiveDeviceId** Retrieves the unique device ID of the console. +- **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft. + + +## Common data extensions + +### Common Data Extensions.app + +Describes the properties of the running application. This extension could be populated by a client app or a web app. + +The following fields are available: + +- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session. +- **env** The environment from which the event was logged. +- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event. +- **id** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application. +- **locale** The locale of the app. +- **name** The name of the app. +- **userId** The userID as known by the application. +- **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app. + + +### Common Data Extensions.container + +Describes the properties of the container for events logged within a container. + +The following fields are available: + +- **epoch** An ID that's incremented for each SDK initialization. +- **localId** The device ID as known by the client. +- **osVer** The operating system version. +- **seq** An ID that's incremented for each event. +- **type** The container type. Examples: Process or VMHost + + +### Common Data Extensions.cs + +Describes properties related to the schema of the event. + +The following fields are available: + +- **sig** A common schema signature that identifies new and modified event schemas. + + +### Common Data Extensions.device + +Describes the device-related fields. + +The following fields are available: + +- **deviceClass** The device classification. For example, Desktop, Server, or Mobile. +- **localId** A locally-defined unique ID for the device. This is not the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId +- **make** Device manufacturer. +- **model** Device model. + + +### Common Data Extensions.Envelope + +Represents an envelope that contains all of the common data extensions. + +The following fields are available: + +- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries. +- **data** Represents the optional unique diagnostic data for a particular event schema. +- **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp). +- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer). +- **ext_cs** Describes properties related to the schema of the event. See [Common Data Extensions.cs](#common-data-extensionscs). +- **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice). +- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos). +- **ext_receipts** Describes the fields related to time as provided by the client for debugging purposes. See [Common Data Extensions.receipts](#common-data-extensionsreceipts). +- **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk). +- **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser). +- **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc). +- **ext_xbl** Describes the fields related to XBOX Live. See [Common Data Extensions.xbl](#common-data-extensionsxbl). +- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency. +- **iKey** Represents an ID for applications or other logical groupings of events. +- **name** Represents the uniquely qualified name for the event. +- **popSample** Represents the effective sample rate for this event at the time it was generated by a client. +- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format. +- **ver** Represents the major and minor version of the extension. + + +### Common Data Extensions.os + +Describes some properties of the operating system. + +The following fields are available: + +- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot. +- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema. +- **locale** Represents the locale of the operating system. +- **name** Represents the operating system name. +- **ver** Represents the major and minor version of the extension. + + +### Common Data Extensions.receipts + +Represents various time information as provided by the client and helps for debugging purposes. + +The following fields are available: + +- **originalTime** The original event time. +- **uploadTime** The time the event was uploaded. + + +### Common Data Extensions.sdk + +Used by platform specific libraries to record fields that are required for a specific SDK. + +The following fields are available: + +- **epoch** An ID that is incremented for each SDK initialization. +- **installId** An ID that's created during the initialization of the SDK for the first time. +- **libVer** The SDK version. +- **seq** An ID that is incremented for each event. + + +### Common Data Extensions.user + +Describes the fields related to a user. + +The following fields are available: + +- **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token. +- **locale** The language and region. +- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID. + + +### Common Data Extensions.utc + +Describes the properties that could be populated by a logging library on Windows. + +The following fields are available: + +- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW. +- **bSeq** Upload buffer sequence number in the format: buffer identifier:sequence number +- **cat** Represents a bitmask of the ETW Keywords associated with the event. +- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer. +- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server. +- **flags** Represents the bitmap that captures various Windows specific flags. +- **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence +- **op** Represents the ETW Op Code. +- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. +- **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server. +- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. + + +### Common Data Extensions.xbl + +Describes the fields that are related to XBOX Live. + +The following fields are available: + +- **claims** Any additional claims whose short claim name hasn't been added to this structure. +- **did** XBOX device ID +- **dty** XBOX device type +- **dvr** The version of the operating system on the device. +- **eid** A unique ID that represents the developer entity. +- **exp** Expiration time +- **ip** The IP address of the client device. +- **nbf** Not before time +- **pid** A comma separated list of PUIDs listed as base10 numbers. +- **sbx** XBOX sandbox identifier +- **sid** The service instance ID. +- **sty** The service type. +- **tid** The XBOX Live title ID. +- **tvr** The XBOX Live title version. +- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. +- **xid** A list of base10-encoded XBOX User IDs. + + +## Common data fields + +### Ms.Device.DeviceInventoryChange + +Describes the installation state for all hardware and software components available on a particular device. + +The following fields are available: + +- **action** The change that was invoked on a device inventory object. +- **inventoryId** Device ID used for Compatibility testing +- **objectIîstanceId** No content is currently available. +- **objectInstanceId** Object identity which is unique within the device scope. +- **objectType** Indicates the object type that the event applies to. +- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. + + +## Compatibility events + +### Microsoft.Windows.Compatibility.Apphelp.SdbFix + +Product instrumentation for helping debug/troubleshoot issues with inbox compatibility components. + +The following fields are available: + +- **AppName** Name of the application impacted by SDB. +- **FixID** SDB GUID. +- **Flags** List of flags applied. +- **ImageName** Name of file. + + +## Component-based servicing events + +### CbsServicingProvider.CbsCapabilityEnumeration + +This event reports on the results of scanning for optional Windows content on Windows Update. + +The following fields are available: + +- **architecture** Indicates the scan was limited to the specified architecture. +- **capabilityCount** The number of optional content packages found during the scan. +- **clientId** The name of the application requesting the optional content. +- **duration** The amount of time it took to complete the scan. +- **hrStatus** The HReturn code of the scan. +- **language** Indicates the scan was limited to the specified language. +- **majorVersion** Indicates the scan was limited to the specified major version. +- **minorVersion** Indicates the scan was limited to the specified minor version. +- **namespace** Indicates the scan was limited to packages in the specified namespace. +- **sourceFilter** A bitmask indicating the scan checked for locally available optional content. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionFinalize + +This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. + +The following fields are available: + +- **capabilities** The names of the optional content packages that were installed. +- **clientId** The name of the application requesting the optional content. +- **currentID** The ID of the current install session. +- **downloadSource** The source of the download. +- **highestState** The highest final install state of the optional content. +- **hrLCUReservicingStatus** Indicates whether the optional content was updated to the latest available version. +- **hrStatus** The HReturn code of the install operation. +- **rebootCount** The number of reboots required to complete the install. +- **retryID** The session ID that will be used to retry a failed operation. +- **retryStatus** Indicates whether the install will be retried in the event of failure. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionPended + +This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date. + +The following fields are available: + +- **clientId** The name of the application requesting the optional content. +- **pendingDecision** Indicates the cause of reboot, if applicable. + + +### CbsServicingProvider.CbsLateAcquisition + +This event sends data to indicate if some Operating System packages could not be updated as part of an upgrade, to help keep Windows up to date. + +The following fields are available: + +- **Features** The list of feature packages that could not be updated. +- **RetryID** The ID identifying the retry attempt to update the listed packages. + + +### CbsServicingProvider.CbsPackageRemoval + +This event provides information about the results of uninstalling a Windows Cumulative Security Update to help keep Windows up to date. + +The following fields are available: + +- **buildVersion** The build number of the security update being uninstalled. +- **clientId** The name of the application requesting the uninstall. +- **currentStateEnd** The final state of the update after the operation. +- **failureDetails** Information about the cause of a failure, if applicable. +- **failureSourceEnd** The stage during the uninstall where the failure occurred. +- **hrStatusEnd** The overall exit code of the operation. +- **initiatedOffline** Indicates if the uninstall was initiated for a mounted Windows image. +- **majorVersion** The major version number of the security update being uninstalled. +- **minorVersion** The minor version number of the security update being uninstalled. +- **originalState** The starting state of the update before the operation. +- **pendingDecision** Indicates the cause of reboot, if applicable. +- **primitiveExecutionContext** The state during system startup when the uninstall was completed. +- **revisionVersion** The revision number of the security update being uninstalled. +- **transactionCanceled** Indicates whether the uninstall was cancelled. + + +### CbsServicingProvider.CbsQualityUpdateInstall + +This event reports on the performance and reliability results of installing Servicing content from Windows Update to keep Windows up to date. + +The following fields are available: + +- **buildVersion** The build version number of the update package. +- **clientId** The name of the application requesting the optional content. +- **corruptionHistoryFlags** A bitmask of the types of component store corruption that have caused update failures on the device. +- **corruptionType** An enumeration listing the type of data corruption responsible for the current update failure. +- **currentStateEnd** The final state of the package after the operation has completed. +- **doqTimeSeconds** The time in seconds spent updating drivers. +- **executeTimeSeconds** The number of seconds required to execute the install. +- **failureDetails** The driver or installer that caused the update to fail. +- **failureSourceEnd** An enumeration indicating at what phase of the update a failure occurred. +- **hrStatusEnd** The return code of the install operation. +- **initiatedOffline** A true or false value indicating whether the package was installed into an offline Windows Imaging Format (WIM) file. +- **majorVersion** The major version number of the update package. +- **minorVersion** The minor version number of the update package. +- **originalState** The starting state of the package. +- **overallTimeSeconds** The time (in seconds) to perform the overall servicing operation. +- **planTimeSeconds** The time in seconds required to plan the update operations. +- **poqTimeSeconds** The time in seconds processing file and registry operations. +- **postRebootTimeSeconds** The time (in seconds) to do startup processing for the update. +- **preRebootTimeSeconds** The time (in seconds) between execution of the installation and the reboot. +- **primitiveExecutionContext** An enumeration indicating at what phase of shutdown or startup the update was installed. +- **rebootCount** The number of reboots required to install the update. +- **rebootTimeSeconds** The time (in seconds) before startup processing begins for the update. +- **resolveTimeSeconds** The time in seconds required to resolve the packages that are part of the update. +- **revisionVersion** The revision version number of the update package. +- **rptTimeSeconds** The time in seconds spent executing installer plugins. +- **shutdownTimeSeconds** The time (in seconds) required to do shutdown processing for the update. +- **stackRevision** The revision number of the servicing stack. +- **stageTimeSeconds** The time (in seconds) required to stage all files that are part of the update. + + +## Deployment extensions + +### DeploymentTelemetry.Deployment_End + +This event indicates that a Deployment 360 API has completed. + +The following fields are available: + +- **ClientId** Client ID of the user utilizing the D360 API. +- **ErrorCode** Error code of action. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Mode** Phase in upgrade. +- **RelatedCV** The correction vector (CV) of any other related events +- **Result** End result of the action. + + +### DeploymentTelemetry.Deployment_SetupBoxLaunch + +This event indicates that the Deployment 360 APIs have launched Setup Box. + +The following fields are available: + +- **ClientId** The client ID of the user utilizing the D360 API. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Quiet** Whether Setup will run in quiet mode or full mode. +- **RelatedCV** The correlation vector (CV) of any other related events. +- **SetupMode** The current setup phase. + + +### DeploymentTelemetry.Deployment_SetupBoxResult + +This event indicates that the Deployment 360 APIs have received a return from Setup Box. + +The following fields are available: + +- **ClientId** Client ID of the user utilizing the D360 API. +- **ErrorCode** Error code of the action. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Quiet** Indicates whether Setup will run in quiet mode or full mode. +- **RelatedCV** The correlation vector (CV) of any other related events. +- **SetupMode** The current Setup phase. + + +### DeploymentTelemetry.Deployment_Start + +This event indicates that a Deployment 360 API has been called. + +The following fields are available: + +- **ClientId** Client ID of the user utilizing the D360 API. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Mode** The current phase of the upgrade. +- **RelatedCV** The correlation vector (CV) of any other related events. + + +## Diagnostic data events + +### TelClientSynthetic.AuthorizationInfo_RuntimeTransition + +This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. + +The following fields are available: + +- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. +- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. +- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. +- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. +- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. +- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. +- **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **PreviousPermissions** Bitmask of previous telemetry state. +- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. + + +### TelClientSynthetic.AuthorizationInfo_Startup + +Fired by UTC at startup to signal what data we are allowed to collect. + +The following fields are available: + +- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. +- **CanCol|ectCoreTelemetry** No content is currently available. +- **CanCollactCoreTelemetry** No content is currently available. +- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. +- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. +- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. +- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. +- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanPerformDiagnostigEscalations** No content is currently available. +- **CanPerformDkagnosticEscalations** No content is currently available. +- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. +- **CanReportScanarios** No content is currently available. +- **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **PreviousPermissions** Bitmask of previous telemetry state. +- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. + + +### TelClientSynthetic.ConnectivityHeartBeat_0 + +This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. + +The following fields are available: + +- **CensusExitCode** Returns last execution codes from census client run. +- **CensusStartTime** Returns timestamp corresponding to last successful census run. +- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. +- **LastConnectivityLossTime** Retrieves the last time the device lost free network. +- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. +- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. +- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds. + + +### TelClientSynthetic.HeartBeat_5 + +This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. + +The following fields are available: + +- **AgentConnctionErrorsCount** No content is currently available. +- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel. +- **AgenticenectionErrorsCount** No content is currently available. +- **CeesusExitCode** No content is currently available. +- **CeesusStartTime** No content is currently available. +- **CeesusTaskEnabled** No content is currently available. +- **CensusExitCode** The last exit code of the Census task. +- **CensusStartTime** Time of last Census run. +- **CensusTaskEnabled** True if Census is enabled, false otherwise. +- **CompressedBytesUploaded** Number of compressed bytes uploaded. +- **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. +- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. +- **CriticalDataDbLroppedCount** No content is currently available. +- **CriticalDataDhrottleDroppedCount** No content is currently available. +- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling. +- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB. +- **CriticamOverflowEntersCounter** No content is currently available. +- **DbCriticalDroppedCount** Total number of dropped critical events in event DB. +- **DbDroppedCount** Number of events dropped due to DB fullness. +- **DbDroppedFailureCount** Number of events dropped due to DB failures. +- **DbDroppedFullCount** Number of events dropped due to DB fullness. +- **DbDroppedOailureCount** No content is currently available. +- **DbDroppedOullCount** No content is currently available. +- **DecodingDroppedCount** Number of events dropped due to decoding failures. +- **DhrottledDroppedCount** No content is currently available. +- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. +- **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. +- **Eve~tStoreResetCounter** No content is currently available. +- **EventSC06eLifetimeResetCounter** No content is currently available. +- **EventSC06eResetCounter** No content is currently available. +- **EventSC06eResetSizeSum** No content is currently available. +- **EventsPersistedCount** Number of events that reached the PersistEvent stage. +- **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC. +- **EventStoreResetCounter** Number of times event DB was reset. +- **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance. +- **EventSubStoreResetCounter** Number of times event DB was reset. +- **EventSubStoreResetSizeSum** Total size of event DB across all resets reports in this instance. +- **EventsUploaded** Number of events uploaded. +- **Flags** Flags indicating device state such as network state, battery state, and opt-in state. +- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. +- **HeartBeatSequenceNumber** The sequence number of this heartbeat. +- **icesumerDroppedCount** No content is currently available. +- **icmpressedBytesUploaded** No content is currently available. +- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. +- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. +- **LastAgenticenectionError** No content is currently available. +- **LastEventSizeOffender** Event name of last event which exceeded max event size. +- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. +- **LastreReseizeOffender** No content is currently available. +- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. +- **MaxActiveAgenticenectionCount** No content is currently available. +- **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. +- **Olags** No content is currently available. +- **OullTriggerBufferDroppedCount** No content is currently available. +- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). +- **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. +- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. +- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. +- **SettingsHttpFailures** The number of failures from contacting the OneSettings service. +- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. +- **TopUploaderErrors** List of top errors received from the upload endpoint. +- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. +- **UploaderErrorCount** Number of errors received from the upload endpoint. +- **VortexFailuresTimeout** The number of timeout failures received from Vortex. +- **VortexHttpAttempts** Number of attempts to contact Vortex. +- **VortexHttpFailures4xS** No content is currently available. +- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. +- **VortexHttpFailures5xS** No content is currently available. +- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. +- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. +- **VortexHttpResponsesWihDroppedEvents** No content is currently available. +- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. + + +### TelClientSynthetic.HeartBeat_Aria_5 + +This event is the telemetry client ARIA heartbeat. + +The following fields are available: + +- **CompressedBytesUploaded** Number of compressed bytes uploaded. +- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. +- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. +- **DbCriticalDroppedCount** Total number of dropped critical events in event database. +- **DbDroppedCount** Number of events dropped at the database layer. +- **DbDroppedFailureCount** Number of events dropped due to database failures. +- **DbDroppedFullCount** Number of events dropped due to database being full. +- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **EventsPersistedCount** Number of events that reached the PersistEvent stage. +- **EventStoreLifetimeResetCounter** Number of times the event store has been reset. +- **EventStoreResetCounter** Number of times the event store has been reset during this heartbeat. +- **EventStoreResetSizeSum** Size of event store reset in bytes. +- **EventsUploaded** Number of events uploaded. +- **HeartBeatSequenceNumber** The sequence number of this heartbeat. +- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. +- **LastEventSizeOffender** Event name of last event which exceeded max event size. +- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. +- **PreviousHeartBeatTime** The FILETIME of the previous heartbeat fire. +- **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. +- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. +- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. +- **SettingsHttpFailures** Number of failures from contacting OneSettings service. +- **TopUploaderErrors** List of top errors received from the upload endpoint. +- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. +- **UploaderErrorCount** Number of errors received from the upload endpoint. +- **VortexFailuresTimeout** Number of time out failures received from Vortex. +- **VortexHttpAttempts** Number of attempts to contact Vortex. +- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. +- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. +- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. +- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. + + +### TelClientSynthetic.HeartBeat_Seville_5 + +This event is sent by the universal telemetry client (UTC) as a heartbeat signal for Sense. + +The following fields are available: + +- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host or agent channel. +- **CompressedBytesUploaded** Number of compressed bytes uploaded. +- **ConsumerDroppedCount** Number of events dropped at consumer layer of the telemetry client. +- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. +- **CriticalDataThrottleDroppedCount** Number of critical data sampled events dropped due to throttling. +- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. +- **DailyUploadQuotaInBytes** Daily upload quota for Sense in bytes (only in in-proc mode). +- **DbCriticalDroppedCount** Total number of dropped critical events in event database. +- **DbDroppedCount** Number of events dropped due to database being full. +- **DbDroppedFailureCount** Number of events dropped due to database failures. +- **DbDroppedFullCount** Number of events dropped due to database being full. +- **DecodingDroppedCount** Number of events dropped due to decoding failures. +- **DiskSizeInBytes** Size of event store for Sense in bytes (only in in-proc mode). +- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **EtwDroppedBufferCount** Number of buffers dropped in the universal telemetry client (UTC) event tracing for Windows (ETW) session. +- **EtwDroppedCount** Number of events dropped at the event tracing for Windows (ETW) layer of telemetry client. +- **EventsPersistedCount** Number of events that reached the PersistEvent stage. +- **EventStoreLifetimeResetCounter** Number of times event the database was reset for the lifetime of the universal telemetry client (UTC). +- **EventStoreResetCounter** Number of times the event database was reset. +- **EventStoreResetSizeSum** Total size of the event database across all resets reports in this instance. +- **EventsUploaded** Number of events uploaded. +- **Flags** Flags indicating device state, such as network state, battery state, and opt-in state. +- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. +- **HeartBeatSequenceNumber** The sequence number of this heartbeat. +- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. +- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. +- **LastEventSizeOffender** Event name of last event which exceeded the maximum event size. +- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. +- **MaxActiveAgentConnectionCount** Maximum number of active agents during this heartbeat timeframe. +- **NormalUploadTimerMillis** Number of milliseconds between each upload of normal events for SENSE (only in in-proc mode). +- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). +- **RepeatedUploadFailureDropped** Number of events lost due to repeated failed uploaded attempts. +- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. +- **SettingsHttpFailures** Number of failures from contacting the OneSettings service. +- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. +- **TopUploaderErrors** Top uploader errors, grouped by endpoint and error type. +- **UploaderDroppedCount** Number of events dropped at the uploader layer of the telemetry client. +- **UploaderErrorCount** Number of input for the TopUploaderErrors mode estimation. +- **VortexFailuresTimeout** Number of time out failures received from Vortex. +- **VortexHttpAttempts** Number of attempts to contact Vortex. +- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. +- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. +- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. +- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. + + +## Direct to update events + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicability + +Event to indicate that the Coordinator CheckApplicability call succeeded. + +The following fields are available: + +- **ApplicabilityResult** Result of CheckApplicability function. +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **IsDeviceAADDomainJoined** Indicates whether the device is logged in to the AAD (Azure Active Directory) domain. +- **IsDeviceADDomainJoined** Indicates whether the device is logged in to the AD (Active Directory) domain. +- **IsDeviceCloverTrail** Indicates whether the device has a Clover Trail system installed. +- **IsDeviceFeatureUpdatingPaused** Indicates whether Feature Update is paused on the device. +- **IsDeviceNetworkMetered** Indicates whether the device is connected to a metered network. +- **IsDeviceOobeBlocked** Indicates whether user approval is required to install updates on the device. +- **IsDeviceRequireUpdateApproval** Indicates whether user approval is required to install updates on the device. +- **IsDeviceSccmManaged** Indicates whether the device is running the Microsoft SCCM (System Center Configuration Manager) to keep the operating system and applications up to date. +- **IsDeviceUninstallActive** Indicates whether the OS (operating system) on the device was recently updated. +- **IsDeviceUpdateNotificationLevel** Indicates whether the device has a set policy to control update notifications. +- **IsDeviceUpdateServiceManaged** Indicates whether the device uses WSUS (Windows Server Update Services). +- **IsDeviceZeroExhaust** Indicates whether the device subscribes to the Zero Exhaust policy to minimize connections from Windows to Microsoft. +- **IsGreaterThanMaxRetry** Indicates whether the DTU (Direct to Update) service has exceeded its maximum retry count. +- **IsVolumeLicensed** Indicates whether a volume license was used to authenticate the operating system or applications on the device. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicabilityGenericFailure + +This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Cleanup call. + +The following fields are available: + +- **CampaignID** Campaign ID being run +- **ClientID** Client ID being run +- **CoordinatorVersion** Coordinator version of DTU +- **CV** Correlation vector +- **hResult** HRESULT of the failure + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupSuccess + +This event indicates that the Coordinator Cleanup call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run +- **ClientID** Client ID being run +- **CoordinatorVersion** Coordinator version of DTU +- **CV** Correlation vector + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Commit call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitSuccess + +This event indicates that the Coordinator Commit call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Download call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadIgnoredFailure + +This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Download call that will be ignored. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadSuccess + +This event indicates that the Coordinator Download call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator HandleShutdown call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinate version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownSuccess + +This event indicates that the Coordinator HandleShutdown call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Initialize call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeSuccess + +This event indicates that the Coordinator Initialize call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Install call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallIgnoredFailure + +This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Install call that will be ignored. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallSuccess + +This event indicates that the Coordinator Install call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorProgressCallBack + +This event indicates that the Coordinator's progress callback has been called. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **DeployPhase** Current Deploy Phase. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorSetCommitReadySuccess + +This event indicates that the Coordinator SetCommitReady call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiNotShown + +This event indicates that the Coordinator WaitForRebootUi call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSelection + +This event indicates that the user selected an option on the Reboot UI. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **rebootUiSelection** Selection on the Reboot UI. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSuccess + +This event indicates that the Coordinator WaitForRebootUi call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicabilityInternal call. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalSuccess + +This event indicates that the Handler CheckApplicabilityInternal call succeeded. + +The following fields are available: + +- **ApplicabilityResult** The result of the applicability check. +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilitySuccess + +This event indicates that the Handler CheckApplicability call succeeded. + +The following fields are available: + +- **ApplicabilityResult** The result code indicating whether the update is applicable. +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionSuccess + +This event indicates that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **CheckIfCoordinatorMinApplicableVersionResult** Result of CheckIfCoordinatorMinApplicableVersion function. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Commit call. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitSuccess + +This event indicates that the Handler Commit call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run.run +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabFailure + +This event indicates that the Handler Download and Extract cab call failed. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_failureReason** Reason why the update download and extract process failed. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabSuccess + +This event indicates that the Handler Download and Extract cab call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Download call. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadSuccess + +This event indicates that the Handler Download call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Initialize call. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extract. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeSuccess + +This event indicates that the Handler Initialize call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extraction. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Install call. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallSuccess + +This event indicates that the Coordinator Install call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadySuccess + +This event indicates that the Handler SetCommitReady call succeeded. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler WaitForRebootUi call. + +The following fields are available: + +- **CampaignID** The ID of the campaigning being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** The HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiSuccess + +This event indicates that the Handler WaitForRebootUi call succeeded. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +## DxgKernelTelemetry events + +### DxgKrnlTelemetry.GPUAdapterInventoryV2 + +This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date. + +The following fields are available: + +- **AdapterDypeValue** No content is currently available. +- **AdapterTypeValue** The numeric value indicating the type of Graphics adapter. +- **aiSeqId** The event sequence ID. +- **bootId** The system boot ID. +- **BrightnessVersionViaDDI** The version of the Display Brightness Interface. +- **BvightnessVersionViaDDI** No content is currently available. +- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. +- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). +- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). +- **DisplayAdapterLuid** The display adapter LUID. +- **Driver48,k** No content is currently available. +- **DriverDate** The date of the display driver. +- **DriverRa~k** No content is currently available. +- **DriverRank** The rank of the display driver. +- **DriverVersion** The display driver version. +- **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store. +- **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store. +- **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store. +- **DX9]MDFilePath** No content is currently available. +- **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store. +- **GPUDeviceID** The GPU device ID. +- **GPUPree}ptionLevel** No content is currently available. +- **GPUPreemptionLdvel** No content is currently available. +- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. +- **GPURevisionID** The GPU revision ID. +- **GPUVendoeID** No content is currently available. +- **GPUVendorID** The GPU vendor ID. +- **InterbaceId** No content is currently available. +- **InterfaceId** The GPU interface ID. +- **IqMPOSupported** No content is currently available. +- **IrRemovable** No content is currently available. +- **IsDisp|ayDevice** No content is currently available. +- **IsDisplayDevice** Does the GPU have displaying capabilities? +- **IsHwSchSupported** Indicates whether the adapter supports hardware scheduling. +- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? +- **IsHybridIntdgrated** No content is currently available. +- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? +- **IsLDA** Is the GPU comprised of Linked Display Adapters? +- **IsMiracastSupported** Does the GPU support Miracast? +- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor? +- **IsMPOCupported** No content is currently available. +- **IsMPOSuppor|ed** No content is currently available. +- **IsMPOSupported** Does the GPU support Multi-Plane Overlays? +- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution? +- **IsPostAdapter** Is this GPU the POST GPU in the device? +- **IsRemovable** TRUE if the adapter supports being disabled or removed. +- **IsRenderDevice** Does the GPU have rendering capabilities? +- **IsSoftwareDevice** Is this a software implementation of the GPU? +- **IsSoftwareDevicg** No content is currently available. +- **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store. +- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? +- **MsHybridDiscrete** Indicates whether the adapter is a discrete adapter in a hybrid configuration. +- **NumVidPnSources** The number of supported display output sources. +- **NumVidPnTargets** The number of supported display output targets. +- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes). +- **SubSyste}ID** No content is currently available. +- **SubSystemID** The subsystem ID. +- **SubVendoeID** No content is currently available. +- **SubVendorID** The GPU sub vendor ID. +- **TelematryEnabled** No content is currently available. +- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? +- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) +- **version** The event version. +- **WDDMVersion** The Windows Display Driver Model version. + + +## Failover Clustering events + +### Microsoft.Windows.Server.FailoverClusteringCritical.ClusterSummary2 + +This event returns information about how many resources and of what type are in the server cluster. This data is collected to keep Windows Server safe, secure, and up to date. The data includes information about whether hardware is configured correctly, if the software is patched correctly, and assists in preventing crashes by attributing issues (like fatal errors) to workloads and system configurations. + +The following fields are available: + +- **autoAssignSite** The cluster parameter: auto site. +- **autoBalancerLevel** The cluster parameter: auto balancer level. +- **autoBalancerMode** The cluster parameter: auto balancer mode. +- **blockCacheSize** The configured size of the block cache. +- **ClusterAdConfiguration** The ad configuration of the cluster. +- **clusterAdType** The cluster parameter: mgmt_point_type. +- **clusterDumpPolicy** The cluster configured dump policy. +- **clusterFunctionalLevel** The current cluster functional level. +- **clusterGuid** The unique identifier for the cluster. +- **clusterWitnessType** The witness type the cluster is configured for. +- **countNodesInSite** The number of nodes in the cluster. +- **crossSiteDelay** The cluster parameter: CrossSiteDelay. +- **crossSiteThreshold** The cluster parameter: CrossSiteThreshold. +- **crossSubnetDelay** The cluster parameter: CrossSubnetDelay. +- **crossSubnetThreshold** The cluster parameter: CrossSubnetThreshold. +- **csvCompatibleFilters** The cluster parameter: ClusterCsvCompatibleFilters. +- **csvIncompatibleFilters** The cluster parameter: ClusterCsvIncompatibleFilters. +- **csvResourceCount** The number of resources in the cluster. +- **currentNodeSite** The name configured for the current site for the cluster. +- **dasModeBusType** The direct storage bus type of the storage spaces. +- **downLevelNodeCount** The number of nodes in the cluster that are running down-level. +- **drainOnShutdown** Specifies whether a node should be drained when it is shut down. +- **dynamicQuorumEnabled** Specifies whether dynamic Quorum has been enabled. +- **enforcedAntiAffinity** The cluster parameter: enforced anti affinity. +- **genAppNames** The win32 service name of a clustered service. +- **genSvcNames** The command line of a clustered genapp. +- **hangRecoveryAction** The cluster parameter: hang recovery action. +- **hangTimeOut** Specifies the “hang time out” parameter for the cluster. +- **isCalabria** Specifies whether storage spaces direct is enabled. +- **isMixedMode** Identifies if the cluster is running with different version of OS for nodes. +- **isRunningDownLevel** Identifies if the current node is running down-level. +- **logLevel** Specifies the granularity that is logged in the cluster log. +- **logSize** Specifies the size of the cluster log. +- **lowerQuorumPriorityNodeId** The cluster parameter: lower quorum priority node ID. +- **minNeverPreempt** The cluster parameter: minimum never preempt. +- **minPreemptor** The cluster parameter: minimum preemptor priority. +- **netftIpsecEnabled** The parameter: netftIpsecEnabled. +- **NodeCount** The number of nodes in the cluster. +- **nodeId** The current node number in the cluster. +- **nodeResourceCounts** Specifies the number of node resources. +- **nodeResourceOnlineCounts** Specifies the number of node resources that are online. +- **numberOfSites** The number of different sites. +- **numNodesInNoSite** The number of nodes not belonging to a site. +- **plumbAllCrossSubnetRoutes** The cluster parameter: plumb all cross subnet routes. +- **preferredSite** The preferred site location. +- **privateCloudWitness** Specifies whether a private cloud witness exists for this cluster. +- **quarantineDuration** The quarantine duration. +- **quarantineThreshold** The quarantine threshold. +- **quorumArbitrationTimeout** In the event of an arbitration event, this specifies the quorum timeout period. +- **resiliencyLevel** Specifies the level of resiliency. +- **resourceCounts** Specifies the number of resources. +- **resourceTypeCounts** Specifies the number of resource types in the cluster. +- **resourceTypes** Data representative of each resource type. +- **resourceTypesPath** Data representative of the DLL path for each resource type. +- **sameSubnetDelay** The cluster parameter: same subnet delay. +- **sameSubnetThreshold** The cluster parameter: same subnet threshold. +- **secondsInMixedMode** The amount of time (in seconds) that the cluster has been in mixed mode (nodes with different operating system versions in the same cluster). +- **securityLevel** The cluster parameter: security level. +- **securityLevelForStorage** The cluster parameter: security level for storage. +- **sharedVolumeBlockCacheSize** Specifies the block cache size for shared for shared volumes. +- **shutdownTimeoutMinutes** Specifies the amount of time it takes to time out when shutting down. +- **upNodeCount** Specifies the number of nodes that are up (online). +- **useClientAccessNetworksForCsv** The cluster parameter: use client access networks for CSV. +- **vmIsolationTime** The cluster parameter: VM isolation time. +- **witnessDatabaseWriteTimeout** Specifies the timeout period for writing to the quorum witness database. + + +## Fault Reporting events + +### Microsoft.Windows.FaultReporting.AppCrashEvent + +This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event. + +The following fields are available: + +- **@ackageRelativeAppId** No content is currently available. +- **AppName** The name of the app that has crashed. +- **AppSeqsionGuid** No content is currently available. +- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. +- **AppTimeStamp** The date/time stamp of the app. +- **AppVersion** The version of the app that has crashed. +- **AptName** No content is currently available. +- **DargetAppId** No content is currently available. +- **ExceptionCode** The exception code returned by the process that has crashed. +- **ExceptionOffset** The address where the exception had occurred. +- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. +- **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. +- **IsFatal** True/False to indicate whether the crash resulted in process termination. +- **ModName** Exception module name (e.g. bar.dll). +- **ModNamevaultsv** No content is currently available. +- **ModTimeStamp** The date/time stamp of the module. +- **ModVersion** The version of the module that has crashed. +- **PackageFullName** Store application identity. +- **PackageRelaatieAppId** No content is currently available. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has crashed. +- **ProcessId** The ID of the process that has crashed. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported +- **TargetAsId** The sequence number for the hanging process. + + +## Feature update events + +### Microsoft.Windows.Upgrade.Uninstall.UninstallFinalizedAndRebootTriggered + +This event indicates that the uninstall was properly configured and that a system reboot was initiated. + + + +### Microsoft.Windows.Upgrade.Uninstall.UninstallGoBackButtonClicked + +This event sends basic metadata about the starting point of uninstalling a feature update, which helps ensure customers can safely revert to a well-known state if the update caused any problems. + + + +## Hang Reporting events + +### Microsoft.Windows.HangReporting.AppHangEvent + +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. + +The following fields are available: + +- **AppName** The name of the app that has hung. +- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend. +- **AppVersion** The version of the app that has hung. +- **IsFatal** True/False based on whether the hung application caused the creation of a Fatal Hang Report. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has hung. +- **ProcessId** The ID of the process that has hung. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported. +- **TargetAsId** The sequence number for the hanging process. +- **TypeCode** Bitmap describing the hang type. +- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application. +- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting. +- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting. +- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package. + + +## Inventory events + +### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum + +This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. + +The following fields are available: + +- **Device** A count of device objects in cache. +- **DeviceCensus** A count of device census objects in cache. +- **DriverPackageExtended** A count of driverpackageextended objects in cache. +- **File** A count of file objects in cache. +- **FileSigningInfo** A count of file signing objects in cache. +- **Generic** A count of generic objects in cache. +- **HwItem** A count of hwitem objects in cache. +- **InventoryApplication** A count of application objects in cache. +- **InventoryApplicationAppV** A count of application AppV objects in cache. +- **InventoryApplicationDriver** A count of application driver objects in cache +- **InventoryApplicationFile** A count of application file objects in cache. +- **InventoryApplicationFramework** A count of application framework objects in cache +- **InventoryApplicationShortcut** A count of application shortcut objects in cache +- **InventoryDeviceContainer** A count of device container objects in cache. +- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache. +- **InventoryDeviceMediaClass** A count of device media objects in cache. +- **InventoryDevicePnp** A count of device Plug and Play objects in cache. +- **InventoryDeviceUsbHubClass** A count of device usb objects in cache +- **InventoryDriverBinary** A count of driver binary objects in cache. +- **InventoryDriverPackage** A count of device objects in cache. +- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache +- **InventoryMiscellaneousOfficeAddInUsage** A count of office add-in usage objects in cache. +- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache +- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache +- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache +- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache +- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache +- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache +- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache +- **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache +- **Metadata** A count of metadata objects in cache. +- **Orphan** A count of orphan file objects in cache. +- **Programs** A count of program objects in cache. + + +### Microsoft.Windows.Inventory.Core.AmiTelCacheFileInfo + +Diagnostic data about the inventory cache. + +The following fields are available: + +- **CacheFileSize** Size of the cache. +- **InventoryVersion** Inventory version of the cache. +- **TempCacheCount** Number of temp caches created. +- **TempCacheDeletedCount** Number of temp caches deleted. + + +### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions + +This event sends inventory component versions for the Device Inventory data. + +The following fields are available: + +- **aeinv** The version of the App inventory component. +- **devinv** The file version of the Device inventory component. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd + +This event sends basic metadata about an application on the system to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **HiddenArp** Indicates whether a program hides itself from showing up in ARP. +- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). +- **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 +- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. +- **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array. +- **InventoryVersion** The version of the inventory file generating the events. +- **Language** The language code of the program. +- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. +- **MsiProductCode** A GUID that describe the MSI Product. +- **Name** The name of the application. +- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. +- **PackageFullName** The package full name for a Store application. +- **ProgramInstanceId** A hash of the file IDs in an app. +- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field. +- **RootDirPath** The path to the root directory where the program was installed. +- **Source** How the program was installed (for example, ARP, MSI, Appx). +- **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp. +- **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen. +- **Version** The version number of the program. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd + +This event represents what drivers an application installs. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory component. +- **ProgramIds** The unique program identifier the driver is associated with. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync + +The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory component. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd + +This event provides the basic metadata about the frameworks an application may depend on. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **FileId** A hash that uniquely identifies a file. +- **Frameworks** The list of frameworks this file depends on. +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync + +This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove + +This event indicates that a new set of InventoryDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync + +This event indicates that a new set of InventoryApplicationAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd + +This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device) to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Categories** A comma separated list of functional categories in which the container belongs. +- **DiscoveryMethod** The discovery method for the device container. +- **FriendlyName** The name of the device container. +- **InventoryVersion** The version of the inventory file generating the events. +- **IsActive** Is the device connected, or has it been seen in the last 14 days? +- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link. +- **IsMachineContainer** Is the container the root device itself? +- **IsNetworked** Is this a networked device? +- **IsPaired** Does the device container require pairing? +- **Manufacturer** The manufacturer name for the device container. +- **ModelId** A unique model ID. +- **ModelName** The model name. +- **ModelNumber** The model number for the device container. +- **PrimaryCategory** The primary category for the device container. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove + +This event indicates that the InventoryDeviceContainer object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync + +This event indicates that a new set of InventoryDeviceContainerAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd + +This event retrieves information about what sensor interfaces are available on the device. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Accelerometer3D** Indicates if an Accelerator3D sensor is found. +- **ActivityDetection** Indicates if an Activity Detection sensor is found. +- **AmbientLight** Indicates if an Ambient Light sensor is found. +- **Barometer** Indicates if a Barometer sensor is found. +- **Custom** Indicates if a Custom sensor is found. +- **EnergyMeter** Indicates if an Energy sensor is found. +- **FloorElevation** Indicates if a Floor Elevation sensor is found. +- **GeomagneticOrientation** Indicates if a Geo Magnetic Orientation sensor is found. +- **GravityVector** Indicates if a Gravity Detector sensor is found. +- **Gyrometer3D** Indicates if a Gyrometer3D sensor is found. +- **Humidity** Indicates if a Humidity sensor is found. +- **InventoryVersion** The version of the inventory file generating the events. +- **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found. +- **Magnetometer3D** Indicates if a Magnetometer3D sensor is found. +- **Orientation** Indicates if an Orientation sensor is found. +- **Pedometer** Indicates if a Pedometer sensor is found. +- **Proximity** Indicates if a Proximity sensor is found. +- **RelativeOrientation** Indicates if a Relative Orientation sensor is found. +- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found. +- **Temperature** Indicates if a Temperature sensor is found. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync + +This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd + +This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **audio.captureDriver** Audio device capture driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14887.1000:hdaudio\func_01 +- **audio.renderDriver** Audio device render driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14889.1001:hdaudio\func_01 +- **Audio_CaptureDriver** The Audio device capture driver endpoint. +- **Audio_RenderDriver** The Audio device render driver endpoint. +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove + +This event indicates that the InventoryDeviceMediaClassRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync + +This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd + +This event represents the basic metadata about a plug and play (PNP) device and its associated driver. + +This event includes fields from [Ms.Dedevi.DedeviInventoryChange](#msdedevidedeviinventorychange). + +The following fields are available: + +- **basedata** No content is currently available. See [basedata](#basedata). +- **BusReportedDescription** The description of the device reported by the bux. +- **Class** The device setup class of the driver loaded for the device. +- **ClassGuid** The device class unique identifier of the driver package loaded on the device. +- **COMPID** The list of “Compatible IDs” for this device. +- **COMPID.Count** No content is currently available. +- **ContainerId** The system-supplied unique identifier that specifies which group(s) the device(s) installed on the parent (main) device belong to. +- **Description** The description of the device. +- **DeviceInterfaceClasses** The device interfaces that this device implements. +- **DeviceState** Identifies the current state of the parent (main) device. +- **DriverId** The unique identifier for the installed driver. +- **DriverName** The name of the driver image file. +- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage. +- **DriverVerDate** The date associated with the driver installed on the device. +- **DriverVerVersion** The version number of the driver installed on the device. +- **Enumerator** Identifies the bus that enumerated the device. +- **ExtendedInfs** The extended INF file names. +- **HWID** A list of hardware IDs for the device. +- **HWID.Count** No content is currently available. +- **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). +- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx +- **InventoryVersion** The version number of the inventory process generating the events. +- **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. +- **LowerFilters** The identifiers of the Lower filters installed for the device. +- **Manufacturer** The manufacturer of the device. +- **MatchingID** The Hardware ID or Compatible ID that Windows uses to install a device instance. +- **Model** Identifies the model of the device. +- **ParentId** The Device Instance ID of the parent of the device. +- **ProblemCode** The error code currently returned by the device, if applicable. +- **Provider** Identifies the device provider. +- **Service** The name of the device service. +- **STACKID** The list of hardware IDs for the stack. +- **STACKID.Count** No content is currently available. +- **UpperClassFilters** The identifiers of the Upper Class filters installed for the device. +- **UpperFilters** The identifiers of the Upper filters installed for the device. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove + +This event indicates that the InventoryDevicePnpRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync + +This event indicates that a new set of InventoryDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd + +This event sends basic metadata about the USB hubs on the device. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. +- **TotalUserConnectablePorts** Total number of connectable USB ports. +- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync + +This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent. + +This event includes fields from [Ms.De~ice.DeviceInventoryChange](#msde~icedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd + +This event provides the basic metadata about driver binaries running on the system. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **DriverCheckSum** The checksum of the driver file. +- **DriverCompany** The company name that developed the driver. +- **DriverInBox** Is the driver included with the operating system? +- **DriverIsKernelMode** Is it a kernel mode driver? +- **DriverName** The file name of the driver. +- **DriverPackageStrongName** The strong name of the driver package +- **DriverSigned** The strong name of the driver package +- **DriverTimeStamp** The low 32 bits of the time stamp of the driver file. +- **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. +- **DriverVersion** The version of the driver file. +- **ImageSize** The size of the driver file. +- **Inf** The name of the INF file. +- **InventoryVersion** The version of the inventory file generating the events. +- **Product** The product name that is included in the driver file. +- **ProductVersio~** No content is currently available. +- **ProductVersion** The product version that is included in the driver file. +- **Service** The name of the service that is installed for the device. +- **WdfVersion** The Windows Driver Framework version. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove + +This event indicates that the InventoryDriverBinary object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync + +This event indicates that a new set of InventoryDriverBinaryAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd + +This event sends basic metadata about drive packages installed on the system to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Class** The class name for the device driver. +- **ClassGuid** The class GUID for the device driver. +- **Date** The driver package date. +- **Directory** The path to the driver package. +- **DriverInBox** Is the driver included with the operating system? +- **Inf** The INF name of the driver package. +- **InventoryVersion** The version of the inventory file generating the events. +- **Provider** The provider for the driver package. +- **SubmissionId** The HLK submission ID for the driver package. +- **Version** The version of the driver package. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove + +This event indicates that the InventoryDriverPackageRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync + +This event indicates that a new set of InventoryDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.StartUtcJsonTrace + +This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the beginning of the event download, and that tracing should begin. + + + +### Microsoft.Windows.Inventory.Core.StopUtcJsonTrace + +This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the end of the event download, and that tracing should end. + + + +### Microsoft.Windows.Inventory.General.AppHealthStaticAdd + +This event sends details collected for a specific application on the source device. + +The following fields are available: + +- **AhaVersion** The binary version of the App Health Analyzer tool. +- **ApplicationErrors** The count of application errors from the event log. +- **Bitness** The architecture type of the application (16 Bit or 32 bit or 64 bit). +- **device_level** Various JRE/JAVA versions installed on a particular device. +- **ExtendedProperties** Attribute used for aggregating all other attributes under this event type. +- **Jar** Flag to determine if an app has a Java JAR file dependency. +- **Jre** Flag to determine if an app has JRE framework dependency. +- **Jre_version** JRE versions an app has declared framework dependency for. +- **Name** Name of the application. +- **NonDPIAware** Flag to determine if an app is non-DPI aware. +- **NumBinaries** Count of all binaries (.sys,.dll,.ini) from application install location. +- **RequiresAdmin** Flag to determine if an app requests admin privileges for execution. +- **RequiresAdminv2** Additional flag to determine if an app requests admin privileges for execution. +- **RequiresUIAccess** Flag to determine if an app is based on UI features for accessibility. +- **VB6** Flag to determine if an app is based on VB6 framework. +- **VB6v2** Additional flag to determine if an app is based on VB6 framework. +- **Version** Version of the application. +- **VersionCheck** Flag to determine if an app has a static dependency on OS version. +- **VersionCheckv2** Additional flag to determine if an app has a static dependency on OS version. + + +### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync + +This event indicates the beginning of a series of AppHealthStaticAdd events. + +The following fields are available: + +- **AllowTelemetry** Indicates the presence of the 'allowtelemetry' command line argument. +- **CommandLineArgs** Command line arguments passed when launching the App Health Analyzer executable. +- **Enhanced** Indicates the presence of the 'enhanced' command line argument. +- **StartTime** UTC date and time at which this event was sent. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd + +Provides data on the installed Office Add-ins. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AddinCLSID** The class identifier key for the Microsoft Office add-in. +- **AddInCLSID** The class identifier key for the Microsoft Office add-in. +- **AddInId** The identifier for the Microsoft Office add-in. +- **AddinType** The type of the Microsoft Office add-in. +- **BinFileTimestamp** The timestamp of the Office add-in. +- **BinFileVersion** The version of the Microsoft Office add-in. +- **Description** Description of the Microsoft Office add-in. +- **FileId** The file identifier of the Microsoft Office add-in. +- **FileSize** The file size of the Microsoft Office add-in. +- **FriendlyName** The friendly name for the Microsoft Office add-in. +- **FullPath** The full path to the Microsoft Office add-in. +- **InventoryVersion** The version of the inventory binary generating the events. +- **LoadBehavior** Integer that describes the load behavior. +- **LoadTime** Load time for the Office add-in. +- **OfficeApplication** The Microsoft Office application associated with the add-in. +- **OfficeArchitecture** The architecture of the add-in. +- **OfficeVersion** The Microsoft Office version for this add-in. +- **OutlookCrashingAddin** Indicates whether crashes have been found for this add-in. +- **ProductCompany** The name of the company associated with the Office add-in. +- **ProductName** The product name associated with the Microsoft Office add-in. +- **ProductVersion** The version associated with the Office add-in. +- **ProgramId** The unique program identifier of the Microsoft Office add-in. +- **Provider** Name of the provider for this add-in. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync + +This event indicates that a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd + +Provides data on the Office identifiers. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OAudienceData** Sub-identifier for Microsoft Office release management, identifying the pilot group for a device +- **OAudienceId** Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device +- **OMID** Identifier for the Office SQM Machine +- **OPlatform** Whether the installed Microsoft Office product is 32-bit or 64-bit +- **OTenantId** Unique GUID representing the Microsoft O365 Tenant +- **OVersion** Installed version of Microsoft Office. For example, 16.0.8602.1000 +- **OWowMID** Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft Office on 64-bit Windows) + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd + +Provides data on Office-related Internet Explorer features. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OIeFeatureAddon** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the user or by administrative group policy will also be disabled in applications that enable this feature. +- **OIeMachineLockdown** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on content loaded from the user's local machine, which helps prevent malicious behavior involving local files. +- **OIeMimeHandling** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely. Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) +- **OIeMimeSniffing** Flag indicating which Microsoft Office products have this setting enabled. Determines a file's type by examining its bit signature. Windows Internet Explorer uses this information to determine how to render the file. The FEATURE_MIME_SNIFFING feature, when enabled, allows to be set differently for each security zone by using the URLACTION_FEATURE_MIME_SNIFFING URL action flag +- **OIeNoAxInstall** Flag indicating which Microsoft Office products have this setting enabled. When a webpage attempts to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request. When a webpage tries to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request +- **OIeNoDownload** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_RESTRICT_FILEDOWNLOAD feature blocks file download requests that navigate to a resource, that display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click or key press). Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) +- **OIeObjectCaching** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_OBJECT_CACHING feature prevents webpages from accessing or instantiating ActiveX controls cached from different domains or security contexts +- **OIePasswordDisable** Flag indicating which Microsoft Office products have this setting enabled. After Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2), Internet Explorer no longer allows usernames and passwords to be specified in URLs that use the HTTP or HTTPS protocols. URLs using other protocols, such as FTP, still allow usernames and passwords +- **OIeSafeBind** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SAFE_BINDTOOBJECT feature performs additional safety checks when calling MonikerBindToObject to create and initialize Microsoft ActiveX controls. Specifically, prevent the control from being created if COMPAT_EVIL_DONT_LOAD is in the registry for the control +- **OIeSecurityBand** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled, the Information bar appears when file download or code installation is restricted +- **OIeUncSaveCheck** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_UNC_SAVEDFILECHECK feature enables the Mark of the Web (MOTW) for local files loaded from network locations that have been shared by using the Universal Naming Convention (UNC) +- **OIeValidateUrl** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_VALIDATE_NAVIGATE_URL feature control prevents Windows Internet Explorer from navigating to a badly formed URL +- **OIeWebOcPopup** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_WEBOC_POPUPMANAGEMENT feature allows applications hosting the WebBrowser Control to receive the default Internet Explorer pop-up window management behavior +- **OIeWinRestrict** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_WINDOW_RESTRICTIONS feature adds several restrictions to the size and behavior of popup windows +- **OIeZoneElevate** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_ZONE_ELEVATION feature prevents pages in one zone from navigating to pages in a higher security zone unless the navigation is generated by the user + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd + +This event provides insight data on the installed Office products + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OfficeApplication** The name of the Office application. +- **OfficeArchitecture** The bitness of the Office application. +- **OfficeVersion** The version of the Office application. +- **Value** The insights collected about this entity. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync + +This diagnostic event indicates that a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd + +Describes Office Products installed. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OC2rApps** A GUID the describes the Office Click-To-Run apps +- **OC2rSkus** Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example, Office 2016 ProPlus +- **OMsiApps** Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word +- **OProductCodes** A GUID that describes the Office MSI products + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd + +This event describes various Office settings + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **BrowserFlags** Browser flags for Office-related products +- **ExchangeProviderFlags** Provider policies for Office Exchange +- **InventoryVersion** The version of the inventory binary generating the events. +- **SharedComputerLicensing** Office shared computer licensing policies + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync + +Indicates a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd + +This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Design** Count of files with design issues found. +- **Design_x64** Count of files with 64 bit design issues found. +- **DuplicateVBA** Count of files with duplicate VBA code. +- **HasVBA** Count of files with VBA code. +- **Inaccessible** Count of files that were inaccessible for scanning. +- **InventoryVersion** The version of the inventory binary generating the events. +- **Issues** Count of files with issues detected. +- **Issues_x64** Count of files with 64-bit issues detected. +- **IssuesNone** Count of files with no issues detected. +- **IssuesNone_x64** Count of files with no 64-bit issues detected. +- **Locked** Count of files that were locked, preventing scanning. +- **NoVBA** Count of files with no VBA inside. +- **Protected** Count of files that were password protected, preventing scanning. +- **RemLimited** Count of files that require limited remediation changes. +- **RemLimited_x64** Count of files that require limited remediation changes for 64-bit issues. +- **RemSignificant** Count of files that require significant remediation changes. +- **RemSignificant_x64** Count of files that require significant remediation changes for 64-bit issues. +- **Score** Overall compatibility score calculated for scanned content. +- **Score_x64** Overall 64-bit compatibility score calculated for scanned content. +- **Total** Total number of files scanned. +- **Validation** Count of files that require additional manual validation. +- **Validation_x64** Count of files that require additional manual validation for 64-bit issues. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd + +This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Count** Count of total Microsoft Office VBA rule violations +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync + +This event indicates that a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd + +Provides data on Unified Update Platform (UUP) products and what version they are at. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Identifier** UUP identifier +- **LastActivatedVersion** Last activated version +- **PreviousVersion** Previous version +- **Source** UUP source +- **Version** UUP version + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.Indicators.Checksum + +This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events. + +The following fields are available: + +- **CensusId** A unique hardware identifier. +- **ChecksumDictionary** A count of each operating system indicator. +- **PCFP** Equivalent to the InventoryId field that is found in other core events. + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd + +These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **IndicatorValue** The indicator value. +- **Value** Describes an operating system indicator that may be relevant for the device upgrade. + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove + +This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync + +This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +## Kernel events + +### IO + +This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon system startup. + +The following fields are available: + +- **BytesRead** The total number of bytes read from or read by the OS upon system startup. +- **BytesWritten** The total number of bytes written to or written by the OS upon system startup. +- **f** No content is currently available. See [f](#f). + + +### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch + +OS information collected during Boot, used to evaluate the success of the upgrade process. + +The following fields are available: + +- **BootApplicationId** This field tells us what the OS Loader Application Identifier is. +- **BootAttemptCount** The number of consecutive times the boot manager has attempted to boot into this operating system. +- **BootSequence** The current Boot ID, used to correlate events related to a particular boot session. +- **BootStatusPolicy** Identifies the applicable Boot Status Policy. +- **BootType** Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume"). +- **EventTimestamp** Seconds elapsed since an arbitrary time point. This can be used to identify the time difference in successive boot attempts being made. +- **FirmwareResetReasonEmbeddedController** Reason for system reset provided by firmware. +- **FirmwareResetReasonEmbeddedControllerAdditional** Additional information on system reset reason provided by firmware if needed. +- **FirmwareResetReasonPch** Reason for system reset provided by firmware. +- **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed. +- **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware. +- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See [IO](#io). +- **LastBootSucceeded** Flag indicating whether the last boot was successful. +- **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful. +- **MaxAbove4GbFreeRange** This field describes the largest memory range available above 4Gb. +- **MaxBelow4GbFreeRange** This field describes the largest memory range available below 4Gb. +- **MeasuredLaunchPrepared** This field tells us if the OS launch was initiated using Measured/Secure Boot over DRTM (Dynamic Root of Trust for Measurement). +- **MeasuredLaunchResume** This field tells us if Dynamic Root of Trust for Measurement (DRTM) was used when resuming from hibernation. +- **MenuPolicy** Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.). +- **RecoveryEnabled** Indicates whether recovery is enabled. +- **SecureLaunchPrepared** This field indicates if DRTM was prepared during boot. +- **TcbLaunch** Indicates whether the Trusted Computing Base was used during the boot flow. +- **UserInputTime** The amount of time the loader application spent waiting for user input. + + +## Miracast events + +### Microsoft.Windows.Cast.Miracast.MiracastSessionEnd + +This event sends data at the end of a Miracast session that helps determine RTSP related Miracast failures along with some statistics about the session + +The following fields are available: + +- **AudioChannelCount** The number of audio channels. +- **AudioSampleRate** The sample rate of audio in terms of samples per second. +- **AudioSubtype** The unique subtype identifier of the audio codec (encoding method) used for audio encoding. +- **AverageBitrate** The average video bitrate used during the Miracast session, in bits per second. +- **AverageDataRate** The average available bandwidth reported by the WiFi driver during the Miracast session, in bits per second. +- **AveragePacketSendTimeInMs** The average time required for the network to send a sample, in milliseconds. +- **ConnectorType** The type of connector used during the Miracast session. +- **EncodeAverageTimeMS** The average time to encode a frame of video, in milliseconds. +- **EncodeCount** The count of total frames encoded in the session. +- **EncodeMaxTimeMS** The maximum time to encode a frame, in milliseconds. +- **EncodeMinTimeMS** The minimum time to encode a frame, in milliseconds. +- **EncoderCreationTimeInMs** The time required to create the video encoder, in milliseconds. +- **ErrorSource** Identifies the component that encountered an error that caused a disconnect, if applicable. +- **FirstFrameTime** The time (tick count) when the first frame is sent. +- **FirstLatencyMode** The first latency mode. +- **FrameAverageTimeMS** Average time to process an entire frame, in milliseconds. +- **FrameCount** The total number of frames processed. +- **FrameMaxTimeMS** The maximum time required to process an entire frame, in milliseconds. +- **FrameMinTimeMS** The minimum time required to process an entire frame, in milliseconds. +- **Glitches** The number of frames that failed to be delivered on time. +- **HardwareCursorEnabled** Indicates if hardware cursor was enabled when the connection ended. +- **HDCPState** The state of HDCP (High-bandwidth Digital Content Protection) when the connection ended. +- **HighestBitrate** The highest video bitrate used during the Miracast session, in bits per second. +- **HighestDataRate** The highest available bandwidth reported by the WiFi driver, in bits per second. +- **LastLatencyMode** The last reported latency mode. +- **LogTimeReference** The reference time, in tick counts. +- **LowestBitrate** The lowest video bitrate used during the Miracast session, in bits per second. +- **LowestDataRate** The lowest video bitrate used during the Miracast session, in bits per second. +- **MediaErrorCode** The error code reported by the media session, if applicable. +- **MiracastEntry** The time (tick count) when the Miracast driver was first loaded. +- **MiracastM1** The time (tick count) when the M1 request was sent. +- **MiracastM2** The time (tick count) when the M2 request was sent. +- **MiracastM3** The time (tick count) when the M3 request was sent. +- **MiracastM4** The time (tick count) when the M4 request was sent. +- **MiracastM5** The time (tick count) when the M5 request was sent. +- **MiracastM6** The time (tick count) when the M6 request was sent. +- **MiracastM7** The time (tick count) when the M7 request was sent. +- **MiracastSessionState** The state of the Miracast session when the connection ended. +- **MiracastStreaming** The time (tick count) when the Miracast session first started processing frames. +- **ProfileCount** The count of profiles generated from the receiver M4 response. +- **ProfileCountAfterFiltering** The count of profiles after filtering based on available bandwidth and encoder capabilities. +- **RefreshRate** The refresh rate set on the remote display. +- **RotationSupported** Indicates if the Miracast receiver supports display rotation. +- **RTSPSessionId** The unique identifier of the RTSP session. This matches the RTSP session ID for the receiver for the same session. +- **SessionGuid** The unique identifier of to correlate various Miracast events from a session. +- **SinkHadEdid** Indicates if the Miracast receiver reported an EDID. +- **SupportMicrosoftColorSpaceConversion** Indicates whether the Microsoft color space conversion for extra color fidelity is supported by the receiver. +- **SupportsMicrosoftDiagnostics** Indicates whether the Miracast receiver supports the Microsoft Diagnostics Miracast extension. +- **SupportsMicrosoftFormatChange** Indicates whether the Miracast receiver supports the Microsoft Format Change Miracast extension. +- **SupportsMicrosoftLatencyManagement** Indicates whether the Miracast receiver supports the Microsoft Latency Management Miracast extension. +- **SupportsMicrosoftRTCP** Indicates whether the Miracast receiver supports the Microsoft RTCP Miracast extension. +- **SupportsMicrosoftVideoFormats** Indicates whether the Miracast receiver supports Microsoft video format for 3:2 resolution. +- **SupportsWiDi** Indicates whether Miracast receiver supports Intel WiDi extensions. +- **TeardownErrorCode** The error code reason for teardown provided by the receiver, if applicable. +- **TeardownErrorReason** The text string reason for teardown provided by the receiver, if applicable. +- **UIBCEndState** Indicates whether UIBC was enabled when the connection ended. +- **UIBCEverEnabled** Indicates whether UIBC was ever enabled. +- **UIBCStatus** The result code reported by the UIBC setup process. +- **VideoBitrate** The starting bitrate for the video encoder. +- **VideoCodecLevel** The encoding level used for encoding, specific to the video subtype. +- **VideoHeight** The height of encoded video frames. +- **VideoSubtype** The unique subtype identifier of the video codec (encoding method) used for video encoding. +- **VideoWidth** The width of encoded video frames. +- **WFD2Supported** Indicates if the Miracast receiver supports WFD2 protocol. + + +## OneDrive events + +### Microsoft.OneDrive.Sync.Setup.APIOperation + +This event includes basic data about install and uninstall OneDrive API operations. + +The following fields are available: + +- **APIName** The name of the API. +- **Duration** How long the operation took. +- **IsSuccess** Was the operation successful? +- **ResultCode** The result code. +- **ScenarioName** The name of the scenario. + + +### Microsoft.OneDrive.Sync.Setup.EndExperience + +This event includes a success or failure summary of the installation. + +The following fields are available: + +- **APIName** The name of the API. +- **HResult** HResult of the operation +- **IsSuccess** Whether the operation is successful or not +- **ScenarioName** The name of the scenario. + + +### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation + +This event is related to the OS version when the OS is upgraded with OneDrive installed. + +The following fields are available: + +- **CurrentOneDriveVersion** The current version of OneDrive. +- **CurrentOSBuildBranch** The current branch of the operating system. +- **CurrentOSBuildNumber** The current build number of the operating system. +- **CurrentOSVersion** The current version of the operating system. +- **HResult** The HResult of the operation. +- **SourceOSBuildBranch** The source branch of the operating system. +- **SourceOSBuildNumber** The source build number of the operating system. +- **SourceOSVersion** The source version of the operating system. + + +### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation + +This event is related to registering or unregistering the OneDrive update task. + +The following fields are available: + +- **APIName** The name of the API. +- **IsSuccess** Was the operation successful? +- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation. +- **ScenarioName** The name of the scenario. +- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation. + + +### Microsoft.OneDrive.Sync.Updater.ComponentInstallState + +This event includes basic data about the installation state of dependent OneDrive components. + +The following fields are available: + +- **ComponentName** The name of the dependent component. +- **isInstalled** Is the dependent component installed? + + +### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus + +This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken + +The following fields are available: + +- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system. +- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system. + + +### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult + +This event sends information describing the result of the update. + +The following fields are available: + +- **hr** The HResult of the operation. +- **IsLoggingEnabled** Indicates whether logging is enabled for the updater. +- **UpdaterVersion** The version of the updater. + + +### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult + +This event determines the status when downloading the OneDrive update configuration file. + +The following fields are available: + +- **hr** The HResult of the operation. + + +### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus + +This event determines the error code that was returned when verifying Internet connectivity. + +The following fields are available: + +- **winInetError** The HResult of the operation. + + +## Privacy consent logging events + +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted + +This event is used to determine whether the user successfully completed the privacy consent experience. + +The following fields are available: + +- **presentationVersion** Which display version of the privacy consent experience the user completed +- **privacyConsentState** The current state of the privacy consent experience +- **settingsVersion** Which setting version of the privacy consent experience the user completed +- **userOobeExitReason** The exit reason of the privacy consent experience + + +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus + +Event tells us effectiveness of new privacy experience. + +The following fields are available: + +- **isAdmin** whether the person who is logging in is an admin +- **isExistingUser** whether the account existed in a downlevel OS +- **isLaunching** Whether or not the privacy consent experience will be launched +- **isSilentElevation** whether the user has most restrictive UAC controls +- **privacyConsentState** whether the user has completed privacy experience +- **userRegionCode** The current user's region setting + + +### wilActivity + +This event provides a Windows Internal Library context used for Product and Service diagnostics. + +The following fields are available: + +- **-149ngContextMessage** No content is currently available. +- **3645entContextName** No content is currently available. +- **379rentContextName** No content is currently available. +- **532rentContextName** No content is currently available. +- **677rentContextName** No content is currently available. +- **8108entContextName** No content is currently available. +- **8251entContextName** No content is currently available. +- **902rentContextName** No content is currently available. +- **9567ngContextMessage** No content is currently available. +- **9717ngContextMessage** No content is currently available. +- **callContext** The function where the failure occurred. +- **currentContextId** The ID of the current call context where the failure occurred. +- **currentContextMessage** The message of the current call context where the failure occurred. +- **currentContextMessaon** No content is currently available. +- **currentContextName** The name of the current call context where the failure occurred. +- **failureCount** The number of failures for this failure ID. +- **failureId** The ID of the failure that occurred. +- **failureType** The type of the failure that occurred. +- **fileName** The file name where the failure occurred. +- **functige** No content is currently available. +- **function** The function where the failure occurred. +- **hresult** The HResult of the overall activity. +- **lineNumber** The line number where the failure occurred. +- **message** The message of the failure that occurred. +- **module** The module where the failure occurred. +- **ori1-0467ngContextMessage** No content is currently available. +- **ori1-1210ngContextMessage** No content is currently available. +- **ori1143-7ngContextMessage** No content is currently available. +- **ori1-1945ngContextMessage** No content is currently available. +- **ori13s090ngContextMessage** No content is currently available. +- **ori1-4671entContextName** No content is currently available. +- **ori1-5108ngContextMessage** No content is currently available. +- **ori1-5686ngContextMessage** No content is currently available. +- **ori1n:667ngContextMessage** No content is currently available. +- **ori1n8488ngContextMessage** No content is currently available. +- **ori1-s4o5ngContextMessage** No content is currently available. +- **ori808467ngContextMessage** No content is currently available. +- **originatingContextId** The ID of the originating call context that resulted in the failure. +- **originatingContextMessage** The message of the originating call context that resulted in the failure. +- **originatingContextName** The name of the originating call context that resulted in the failure. +- **threadId** The ID of the thread on which the activity is executing. + + +## Sediment events + +### Microsoft.Windows.Sediment.Info.DetailedState + +This event is sent when detailed state information is needed from an update trial run. + +The following fields are available: + +- **Data** Data relevant to the state, such as what percent of disk space the directory takes up. +- **Id** Identifies the trial being run, such as a disk related trial. +- **ReleaseVer** The version of the component. +- **State** The state of the reporting data from the trial, such as the top-level directory analysis. +- **Time** The time the event was fired. + + +### Microsoft.Windows.Sediment.Info.Error + +This event indicates an error in the updater payload. This information assists in keeping Windows up to date. + +The following fields are available: + +- **FailureType** The type of error encountered. +- **FileName** The code file in which the error occurred. +- **HResult** The failure error code. +- **LineNumber** The line number in the code file at which the error occurred. +- **ReleaseVer** The version information for the component in which the error occurred. +- **Time** The system time at which the error occurred. + + +### Microsoft.Windows.Sediment.Info.PhaseChange + +The event indicates progress made by the updater. This information assists in keeping Windows up to date. + +The following fields are available: + +- **NewPhase** The phase of progress made. +- **ReleaseVer** The version information for the component in which the change occurred. +- **Time** The system time at which the phase chance occurred. + + +## Setup events + +### SetupPlatformTel.SetupPlatformTelActivityEvent + +This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date. + +The following fields are available: + +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **Value** Value associated with the corresponding event name. For example, time-related events will include the system time + + +### SetupPlatformTel.SetupPlatformTelActivityStarted + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + +The following fields are available: + +- **Name** The name of the dynamic update type. Example: GDR driver + + +### SetupPlatformTel.SetupPlatformTelActivityStopped + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + + + +### SetupPlatformTel.SetupPlatformTelEvent + +This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios. + +The following fields are available: + +- **Falue** No content is currently available. +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. + + +## Software update events + +### SoftwareUpdateClientTelemetry.CheckForUpdates + +Scan process event on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). + +The following fields are available: + +- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. +- **AllowCachedResults** Indicates if the scan allowed using cached results. +- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. +- **BranchReadinessLevel** The servicing branch configured on the device. +- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated. +- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. +- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0. +- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown +- **CurrentMobileOperator** The mobile operator the device is currently connected to. +- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). +- **DeferredUpdates** Update IDs which are currently being deferred until a later time +- **DeviceModel** What is the device model. +- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. +- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. +- **DriverSyncPassPerformed** Were drivers scanned this time? +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **ExtendedetadataICabUrl** No content is currently available. +- **ExtendedMetadataCabUrl** Hostname that is used to download an update. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. +- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. +- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. +- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days). +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days). +- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). +- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IPVersion** Indicates whether the download took place over IPv4 or IPv6 +- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. +- **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. +- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce +- **MSIError** The last error that was encountered during a scan for updates. +- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 +- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete +- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked +- **NumberOfLoop** The number of round trips the scan required +- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan +- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan +- **NumFailedetadataISignatures** No content is currently available. +- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. +- **Online** Indicates if this was an online scan. +- **PausedUpdates** A list of UpdateIds which that currently being paused. +- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window. +- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window. +- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window. +- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window. +- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced. +- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. +- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days). +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days). +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **ScanDurationInSeconds** The number of seconds a scan took +- **ScanEnqueueTime** The number of seconds it took to initialize a scan +- **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). +- **ServiceUrl** The environment URL a device is configured to scan with +- **ShippingMobileOperator** The mobile operator that a device shipped on. +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). +- **SyncType** Describes the type of scan the event was +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. +- **TotalNumetadataISignatures** No content is currently available. +- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. +- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### SoftwareUpdateClientTelemetry.Commit + +This event tracks the commit process post the update installation when software update client is trying to update the device. + +The following fields are available: + +- **BiosFamily** Device family as defined in the system BIOS +- **BiosName** Name of the system BIOS +- **BiosReleaseDate** Release date of the system BIOS +- **BiosSKUNumber** Device SKU as defined in the system BIOS +- **BIOSVendor** Vendor of the system BIOS +- **BiosVersion** Version of the system BIOS +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRevisionNumbe2** No content is currently available. +- **BundleRevisionNumber** Identifies the revision number of the content bundle +- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** Version number of the software distribution client +- **DeploymentProviderMode** The mode of operation of the update deployment provider. +- **DeviceModel** Device model as defined in the system bios +- **EventInstanceID** A globally unique identifier for event instance +- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver". +- **FlightId** The specific id of the flight the device is getting +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) +- **RevisionNumber** Identifies the revision number of this specific piece of content +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) +- **SystemBIOSMajorRelease** Major release version of the system bios +- **SystemBIOSMinorRelease** Minor release version of the system bios +- **UpdateId** Identifier associated with the specific piece of content +- **WUDeviceID** Unique device id controlled by the software distribution client + + +### SoftwareUpdateClientTelemetry.Download + +Download process event for target update on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). + +The following fields are available: + +- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded. +- **AppXBlockHalhFailures** No content is currently available. +- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload. +- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. +- **AppXBoockHashFailures** No content is currently available. +- **AppXDownloadScope** Indicates the scope of the download for application content. +- **AppXScope** Indicates the scope of the app download. +- **AppXScopr** No content is currently available. +- **B}ndleId** No content is currently available. +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. +- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. +- **BundleId** Identifier associated with the specific content bundle. +- **BundleRepeatFailCoqnt** No content is currently available. +- **BundleRepeatFailCoun.** No content is currently available. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). +- **BytesDownnoaded** No content is currently available. +- **C`llerApplicationName** No content is currently available. +- **CachedEngineVersion** The version of the “Self-Initiated Healing” (SIH) engine that is cached on the device, if applicable. +- **CallerApplicationname** No content is currently available. +- **CallerApplicationName** The name provided by the application that initiated API calls into the software distribution client. +- **CalLerApplicationName** No content is currently available. +- **CallerApplictionaName** No content is currently available. +- **CbsDownloadMethod** Indicates whether the download was a full- or a partial-file download. +- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. +- **CDNCotntryCode** No content is currently available. +- **CDNCoun.ryCdel** No content is currently available. +- **CDNCoundryCode** No content is currently available. +- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. +- **CDNd** No content is currently available. +- **CDNId** ID which defines which CDN the software distribution client downloaded the content from. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. +- **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. +- **CtatusCode** No content is currently available. +- **CurrentMobileOperator** The mobile operator the device is currently connected to. +- **DeviceModel** The model of the device. +- **DownhoadProps** No content is currently available. +- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. +- **DownloadProps** Information about the download operation properties in the form of a bitmask. +- **DownloadType** Differentiates the download type of “Self-Initiated Healing” (SIH) downloads between Metadata and Payload downloads. +- **DownloedPriority** No content is currently available. +- **DventInstanceID** No content is currently available. +- **e:4|SInstanceID** No content is currently available. +- **e:4|SScenario** No content is currently available. +- **E:4|State** No content is currently available. +- **EöentInstanceID** No content is currently available. +- **Eve.tScenario** No content is currently available. +- **EventInst.9ceID** No content is currently available. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventInstAnceID** No content is currently available. +- **EventPype** No content is currently available. +- **EventScanario** No content is currently available. +- **eventScenario** No content is currently available. +- **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed. +- **EventType** Identifies the type of the event (Child, Bundle, or Driver). +- **EventTypr** No content is currently available. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. +- **ExtendedtartusCdel** No content is currently available. +- **FeatureUpdatePaser** No content is currently available. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **Fli.c9BuildNumber** No content is currently available. +- **Fli.c9Id** No content is currently available. +- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). +- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. +- **FlightId** The specific ID of the flight (pre-release build) the device is getting. +- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). +- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. +- **HospName** No content is currently available. +- **HostName** The hostname URL the content is downloading from. +- **Hst.Name** No content is currently available. +- **IPVersion** Indicates whether the download took place over IPv4 or IPv6. +- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update +- **IsWQfBEnabled** No content is currently available. +- **IsWUfBDualCcanEnabled** No content is currently available. +- **IsWUfBdualScanEnabled** No content is currently available. +- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnablad** No content is currently available. +- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. +- **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. +- **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) +- **NetworkCst.** No content is currently available. +- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." +- **NetworkRestrictiontartus** No content is currently available. +- **oadPriority** No content is currently available. +- **PackageFullName** The package name of the content. +- **PegulationResult** No content is currently available. +- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. +- **PostDnldDime** No content is currently available. +- **PostDnldTime** Time (in seconds) taken to signal download completion after the last job completed downloading the payload. +- **ProcessName** The process name of the application that initiated API calls, in the event where CallerApplicationName was not provided. +- **Pst.DnldTime** No content is currently available. +- **PvocessName** No content is currently available. +- **QpdateId** No content is currently available. +- **QualityreUpdaPause** No content is currently available. +- **QualityUpdatePa}se** No content is currently available. +- **QualityUpdatePaser** No content is currently available. +- **QualityUpdatePatse** No content is currently available. +- **QualityUpdatePausa** No content is currently available. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RdvisionNumber** No content is currently available. +- **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background. +- **ReguiationResult** No content is currently available. +- **RegulationReason** The reason that the update is regulated +- **regulationResult** No content is currently available. +- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. +- **RegulatIonResult** No content is currently available. +- **ReiatedCV** No content is currently available. +- **RelatedCS** No content is currently available. +- **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. +- **RelntedCV** No content is currently available. +- **RepeatFailCoun.** No content is currently available. +- **RepeatFailCount** Indicates whether this specific content has previously failed. +- **RepeatFailFlag** Indicates whether this specific content previously failed to download. +- **RevisionNumber** The revision number of the specified piece of content. +- **SericeCGuid** No content is currently available. +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. +- **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. +- **SizeCalcTime** Time (in seconds) taken to calculate the total download size of the payload. +- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **TargetMetadataVersion** The version of the currently downloading (or most recently downloaded) package. +- **tartusCdel** No content is currently available. +- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet. +- **TimeToEstablishConnection** Time (in milliseconds) it took to establish the connection prior to beginning downloaded. +- **tizeCalcTime** No content is currently available. +- **TotalExpectedBytes** The total size (in Bytes) expected to be downloaded. +- **Upda|eImportance** No content is currently available. +- **UpdateId** An identifier associated with the specific piece of content. +- **UpdateID** An identifier associated with the specific piece of content. +- **UpdateImporEvent** No content is currently available. +- **UpdateImpornstan** No content is currently available. +- **UpdateImport.9ce** No content is currently available. +- **UpdateImportance** Indicates whether the content was marked as Important, Recommended, or Optional. +- **Use** No content is currently available. +- **UsedDO** Indicates whether the download used the Delivery Optimization (DO) service. +- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive. +- **WUDericeID** No content is currently available. +- **WUDeviceId** No content is currently available. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +- **WUDviceCID** No content is currently available. + + +### SoftwareUpdateClientTelemetry.DownloadCheckpoint + +This event provides a checkpoint between each of the Windows Update download phases for UUP content + +The following fields are available: + +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** The version number of the software distribution client +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver" +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough +- **FileId** A hash that uniquely identifies a file +- **FileName** Name of the downloaded file +- **FlightId** The unique identifier for each flight +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RevisionNumber** Unique revision number of Update +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.) +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult) +- **UpdateId** Unique Update ID +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue + + +### SoftwareUpdateClientTelemetry.DownloadHeartbeat + +This event allows tracking of ongoing downloads and contains data to explain the current state of the download + +The following fields are available: + +- **BytesTotal** Total bytes to transfer for this content +- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat +- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** The version number of the software distribution client +- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat +- **CurrentError** Last (transient) error encountered by the active download +- **DownloadFlags** Flags indicating if power state is ignored +- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing) +- **EventType** Possible values are "Child", "Bundle", or "Driver" +- **FlightId** The unique identifier for each flight +- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered" +- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any +- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any +- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one +- **ResumeCount** Number of times this active download has resumed from a suspended state +- **RevisionNumber** Identifies the revision number of this specific piece of content +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) +- **SuspendCount** Number of times this active download has entered a suspended state +- **SuspendReason** Last reason for why this active download entered a suspended state +- **UpdateId** Identifier associated with the specific piece of content +- **WUDeviceID** Unique device id controlled by the software distribution client + + +### SoftwareUpdateClientTelemetry.Install + +This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date. + +The following fields are available: + +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRepeatFailCoun.** No content is currently available. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to install. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **CallerApplictionaName** No content is currently available. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0. +- **CSIErrorType** The stage of CBS installation where it failed. +- **CSIErrorTypr** No content is currently available. +- **CurrentMobileOperator** The mobile operator to which the device is currently connected. +- **DeploymentProviderMode** The mode of operation of the update deployment provider. +- **DeviceModel** The device model. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoverqIds** No content is currently available. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. +- **DriverRecoverySds** No content is currently available. +- **DriverRecownloIds** No content is currently available. +- **EvåntInstanceID** No content is currently available. +- **Even|InstanceID** No content is currently available. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventInstapceID** No content is currently available. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. +- **EventType** Possible values are Child, Bundle, or Driver. +- **EventTypr** No content is currently available. +- **ExtendedErrorCdel** No content is currently available. +- **ExtendedErrorCode** The extended error code. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough. +- **ExtendedtartusCdel** No content is currently available. +- **ExtendefStatusCode** No content is currently available. +- **FeatureUpdatePaser** No content is currently available. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FeatureUpdateUause** No content is currently available. +- **FlightBranch** The branch that a device is on if participating in the Windows Insider Program. +- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **FlightRing** The ring that a device is on if participating in the Windows Insider Program. +- **HandlerType** Indicates what kind of content is being installed (for example, app, driver, Windows update). +- **HandlerTypr** No content is currently available. +- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. +- **InstallProps** A bitmask for future flags associated with the install operation. No value is currently reported in this field. Expected value for this field is 0. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IsDependentSet** Indicates whether the driver is part of a larger System Hardware/Firmware update. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether this update is a firmware update. +- **IsKcfBDualScanEnabled** No content is currently available. +- **IsKcfBEnabled** No content is currently available. +- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. +- **IsSuccessFailurePostReotId** No content is currently available. +- **IsSuccessFailurePst.Reboot** No content is currently available. +- **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. +- **IsWufBEnabled** No content is currently available. +- **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. +- **IsWVfBDualScanEnabled** No content is currently available. +- **IsWVfBEnabled** No content is currently available. +- **lundleId** No content is currently available. +- **lundleRepeatFailCount** No content is currently available. +- **lundleRevisionNumber** No content is currently available. +- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. +- **MsiAction** The stage of MSI installation where it failed. +- **MsiProductCdel** No content is currently available. +- **MsiProductCode** The unique identifier of the MSI installer. +- **PackageBullName** No content is currently available. +- **PackageFullName** The package name of the content being installed. +- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced. +- **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided. +- **QualityUpdatePaser** No content is currently available. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **QualityUpdateUause** No content is currently available. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RepeatFailCoun.** No content is currently available. +- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. +- **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. +- **RevisionNumber** The revision number of this specific piece of content. +- **SericeCGuid** No content is currently available. +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). +- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. +- **ShippingMobileOperator** The mobile operator that a device shipped on. +- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersaon** No content is currently available. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **TargetingVession** No content is currently available. +- **tartusCdel** No content is currently available. +- **TransactionCdel** No content is currently available. +- **TransactionCode** The ID that represents a given MSI installation. +- **UpdateId** Unique update ID. +- **UpdateID** An identifier associated with the specific piece of content. +- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. +- **UpdateImportapce** No content is currently available. +- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive. +- **WUDdviceID** No content is currently available. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +- **WUDevi'eID** No content is currently available. +- **WUDviceCID** No content is currently available. + + +### SoftwareUpdateClientTelemetry.Revert + +Revert event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). + +The following fields are available: + +- **BundleId** Identifier associated with the specific content bundle. Should not be all zeros if the BundleId was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **CSIErrorType** Stage of CBS installation that failed. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **EventType** Event type (Child, Bundle, Release, or Driver). +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of the flight. +- **FlightId** The specific ID of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **UpdateId** The identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device's main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.TaskRun + +Start event for Server Initiated Healing client. See EventScenario field for specifics (for example, started/completed). + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CmdLineArgs** Command line arguments passed in by the caller. +- **EventInstanceID** A globally unique identifier for the event instance. +- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.Uninstall + +Uninstall event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). + +The following fields are available: + +- **BundleId** The identifier associated with the specific content bundle. This should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of the application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers when a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of the event (a scan started, succeded, failed, etc.). +- **EventType** Indicates the event type. Possible values are "Child", "Bundle", "Release" or "Driver". +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of the flight. +- **FlightId** The specific ID of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If the download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **UpdateId** Identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.UpdateDetected + +This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates. + +The following fields are available: + +- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. +- **RelntedCV** No content is currently available. +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). +- **umberOfApplicableUpdates** No content is currently available. +- **WUDeviceID** The unique device ID controlled by the software distribution client. +- **xHDeviceID** No content is currently available. + + +### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity + +Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **CallerLoglicationName** No content is currently available. +- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments. +- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed. +- **ExtendedStatusCode** The secondary status code of the event. +- **ExtendefStatusCode** No content is currently available. +- **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed. +- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. +- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce +- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID). +- **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable. +- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. +- **RcwMode** No content is currently available. +- **RevisionId** The revision ID for a specific piece of content. +- **RevisionNumber** The revision number for a specific piece of content. +- **SedviceGuid** No content is currently available. +- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store +- **ServiceGuidEndpointUrl** No content is currently available. +- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. +- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. +- **SHA256OfTimestampToken** An encoded string of the timestamp token. +- **SignatureAlgorithm** The hash algorithm for the metadata signature. +- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast +- **StatusCode** The status code of the event. +- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token. +- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed. +- **UpdateId** The update ID for a specific piece of content. +- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. + + +## System Resource Usage Monitor events + +### Microsoft.Windows.Srum.Sdp.CpuUsage + +This event provides information on CPU usage. + +The following fields are available: + +- **UsageMax** The maximum of hourly average CPU usage. +- **UsageMean** The mean of hourly average CPU usage. +- **UsageMedian** The median of hourly average CPU usage. +- **UsageTwoHourMaxMean** The mean of the maximum of every two hour of hourly average CPU usage. +- **UsageTwoHourMedianMean** The mean of the median of every two hour of hourly average CPU usage. + + +### Microsoft.Windows.Srum.Sdp.NetworkUsage + +This event provides information on network usage. + +The following fields are available: + +- **AdapterGuid** The unique ID of the adapter. +- **BytesTotalMax** The maximum of the hourly average bytes total. +- **BytesTotalMean** The mean of the hourly average bytes total. +- **BytesTotalMedian** The median of the hourly average bytes total. +- **BytesTotalTwoHourMaxMean** The mean of the maximum of every two hours of hourly average bytes total. +- **BytesTotalTwoHourMedianMean** The mean of the median of every two hour of hourly average bytes total. +- **LinkSpeed** The adapter link speed. + + +## Update events + +### Update360Telemetry.Revert + +This event sends data relating to the Revert phase of updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the Revert phase. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **RebootRequired** Indicates reboot is required. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **RevertResult** The result code returned for the Revert operation. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. + + +### Update360Telemetry.UpdateAgentCommit + +This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the install phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentDownloadRequest + +This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. + +The following fields are available: + +- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted. +- **DownloadRequests** Number of times a download was retried. +- **ErrorCode** The error code returned for the current download request phase. +- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. +- **FlightId** Unique ID for each flight. +- **InternalFailureResult** Indicates a non-fatal error from a plugin. +- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable. +- **PackageCountOptional** Number of optional packages requested. +- **PackageCountRequired** Number of required packages requested. +- **PackageCountTotal** Total number of packages needed. +- **PackageCountTotalCanonical** Total number of canonical packages. +- **PackageCountTotalDiff** Total number of diff packages. +- **PackageCountTotalExpress** Total number of express packages. +- **PackageCountTotalPSFX** The total number of PSFX packages. +- **PackageExpressType** Type of express package. +- **PackageSizeCanonical** Size of canonical packages in bytes. +- **PackageSizeDiff** Size of diff packages in bytes. +- **PackageSizeExpress** Size of express packages in bytes. +- **PackageSizePSFX** The size of PSFX packages, in bytes. +- **RangeRequestState** Indicates the range request type used. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the download request phase of update. +- **SandboxTaggedForReserves** The sandbox for reserves. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases). +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentExpand + +This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **ElapsedTickCount** Time taken for expand phase. +- **EndFreeSpace** Free space after expand phase. +- **EndSandboxSize** Sandbox size after expand phase. +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **StartFreeSpace** Free space before expand phase. +- **StartSandboxSize** Sandbox size after expand phase. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentFellBackToCanonical + +This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **PackageCount** Number of packages that feel back to canonical. +- **PackageList** PackageIds which fell back to canonical. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentInitialize + +This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **essionData** No content is currently available. +- **FlightId** Unique ID for each flight. +- **FlightMetadata** Contains the FlightId and the build being flighted. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the install phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios). +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentInstall + +This event sends data for the install phase of updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. +- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **InternalFailureResult** Indicates a non-fatal error from a plugin. +- **ObjectId** Correlation vector value generated from the latest USO scan. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** The result for the current install phase. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentMerge + +The UpdateAgentMerge event sends data on the merge phase when updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the current merge phase. +- **FlightId** Unique ID for each flight. +- **MergeId** The unique ID to join two update sessions being merged. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Related correlation vector value. +- **Result** Outcome of the merge phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentMitigationResult + +This event sends data indicating the result of each update agent mitigation. + +The following fields are available: + +- **Applicable** Indicates whether the mitigation is applicable for the current update. +- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightId** Unique identifier for each flight. +- **Index** The mitigation index of this particular mitigation. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **Name** The friendly name of the mitigation. +- **ObjectId** Unique value for each Update Agent mode. +- **OperationIndex** The mitigation operation index (in the event of a failure). +- **OperationName** The friendly name of the mitigation operation (in the event of failure). +- **RegistryCount** The number of registry operations in the mitigation entry. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). +- **UpdateId** Unique ID for each Update. + + +### Update360Telemetry.UpdateAgentMitigationSummary + +This event sends a summary of all the update agent mitigations available for an this update. + +The following fields are available: + +- **Applicable** The count of mitigations that were applicable to the system and scenario. +- **Failed** The count of mitigations that failed. +- **FlightId** Unique identifier for each flight. +- **Friled** No content is currently available. +- **MitigationScenario** The update scenario in which the mitigations were attempted. +- **ObjectId** The unique value for each Update Agent mode. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. +- **TimeDiff** The amount of time spent performing all mitigations (in 100-nanosecond increments). +- **Total** Total number of mitigations that were available. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentModeStart + +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. + +The following fields are available: + +- **FlightId** Unique ID for each flight. +- **Mode** Indicates the mode that has started. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. +- **Version** Version of update + + +### Update360Telemetry.UpdateAgentOneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **Count** The count of applicable OneSettings for the device. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. +- **Values** The values sent back to the device, if applicable. + + +### Update360Telemetry.UpdateAgentPostRebootResult + +This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. + +The following fields are available: + +- **ErrorCode** The error code returned for the current post reboot phase. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **ObjectId** Unique value for each Update Agent mode. +- **PostRebootResult** Indicates the Hresult. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentReboot + +This event sends information indicating that a request has been sent to suspend an update. + +The following fields are available: + +- **ErrorCode** The error code returned for the current reboot. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. + + +### Update360Telemetry.UpdateAgentSetupBoxLaunch + +The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. + +The following fields are available: + +- **ContainsExpressPackage** Indicates whether the download package is express. +- **FlightId** Unique ID for each flight. +- **FreeSpace** Free space on OS partition. +- **InstallCount** Number of install attempts using the same sandbox. +- **ObjectId** Unique value for each Update Agent mode. +- **Quiet** Indicates whether setup is running in quiet mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **SandboxSize** Size of the sandbox. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **SetupMode** Mode of setup to be launched. +- **UpdateId** Unique ID for each Update. +- **UserSession** Indicates whether install was invoked by user actions. + + +## Update notification events + +### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat + +This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat. + +The following fields are available: + +- **CampaignConfigVersion** Configuration version for the current campaign. +- **CampaignID** Currently campaign that is running on Update Notification Pipeline (UNP). +- **ConfigCatalogVersion** Current catalog version of UNP. +- **ContentVersion** Content version for the current campaign on UNP. +- **CV** Correlation vector. +- **DetectorVersion** Most recently run detector version for the current campaign on UNP. +- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user. +- **PackageVersion** Current UNP package version. + + +## Upgrade events + +### FacilitatorTelemetry.DCATDownload + +This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **DownloadSize** Download size of payload. +- **ElapsedTime** Time taken to download payload. +- **MediaFallbackUsed** Used to determine if we used Media CompDBs to figure out package requirements for the upgrade. +- **ResultCode** Result returned by the Facilitator DCAT call. +- **Scenario** Dynamic update scenario (Image DU, or Setup DU). +- **Type** Type of package that was downloaded. +- **UpdateId** The ID of the update that was downloaded. + + +### FacilitatorTelemetry.DUDownload + +This event returns data about the download of supplemental packages critical to upgrading a device to the next version of Windows. + +The following fields are available: + +- **DownloadRequestAttributes** The attributes sent for download. +- **PackageCategoriesFailed** Lists the categories of packages that failed to download. +- **PackageCategoriesSkipped** Lists the categories of package downloads that were skipped. +- **ResultCode** The result of the event execution. +- **Scenario** Identifies the active Download scenario. +- **Url** The URL the download request was sent to. +- **Version** Identifies the version of Facilitator used. + + +### FacilitatorTelemetry.InitializeDU + +This event determines whether devices received additional or critical supplemental content during an OS upgrade. + +The following fields are available: + +- **DCATUrl** The Delivery Catalog (DCAT) URL we send the request to. +- **DownloadRequestAttributes** The attributes we send to DCAT. +- **ResultCode** The result returned from the initiation of Facilitator with the URL/attributes. +- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **Url** The Delivery Catalog (DCAT) URL we send the request to. +- **Version** Version of Facilitator. + + +### Setup360Telemetry.Downlevel + +This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the downlevel OS. +- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** More detailed information about phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback). +- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors). +- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT). +- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). +- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** An ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId. + + +### Setup360Telemetry.Finalize + +This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** More detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.OsUninstall + +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.PostRebootInstall + +This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback +- **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId. + + +### Setup360Telemetry.PreDownloadQuiet + +This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help keep Windows up to date. + +The following fields are available: + +- **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.PreDownloadUX + +This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS, to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion of the update process. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **HostOSBuildNumber** The build number of the previous operating system. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). +- **InstanceId** Unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). +- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.PreInstallQuiet + +This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT). +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.PreInstallUX + +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.Setup360 + +This event sends data about OS deployment scenarios, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FieldName** Retrieves the data point. +- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. +- **InstanãeId** No content is currently available. +- **InstanceId** Retrieves a unique identifier for each instance of a setup session. +- **ReportId** Retrieves the report ID. +- **ScenarioId** Retrieves the deployment scenario. +- **value** No content is currently available. +- **Value** Retrieves the value associated with the corresponding FieldName. + + +### Setup360Telemetry.Setup360DynamicUpdate + +This event helps determine whether the device received supplemental content during an operating system upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. +- **InstanceId** Retrieves a unique identifier for each instance of a setup session. +- **Operation** Facilitator’s last known operation (scan, download, etc.). +- **ReportId** ID for tying together events stream side. +- **ResultCode** Result returned for the entire setup operation. +- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **ScenarioId** Identifies the update scenario. +- **TargetBranch** Branch of the target OS. +- **TargetBuild** Build of the target OS. + + +### Setup360Telemetry.Setup360MitigationResult + +This event sends data indicating the result of each setup mitigation. + +The following fields are available: + +- **Applicable** TRUE if the mitigation is applicable for the current update. +- **ClientId** In the Windows Update scenario, this is the client ID passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightData** The unique identifier for each flight (test release). +- **Index** The mitigation index of this particular mitigation. +- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **Name** The friendly (descriptive) name of the mitigation. +- **OperationIndex** The mitigation operation index (in the event of a failure). +- **OperationName** The friendly (descriptive) name of the mitigation operation (in the event of failure). +- **RegistryCount** The number of registry operations in the mitigation entry. +- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. +- **Result** HResult of this operation. +- **ScenarioId** Setup360 flow type. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). + + +### Setup360Telemetry.Setup360MitigationSummary + +This event sends a summary of all the setup mitigations available for this update. + +The following fields are available: + +- **Applicable** The count of mitigations that were applicable to the system and scenario. +- **ClientId** The Windows Update client ID passed to Setup. +- **Failed** The count of mitigations that failed. +- **FlightData** The unique identifier for each flight (test release). +- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. +- **MitigationScenario** The update scenario in which the mitigations were attempted. +- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. +- **Result** HResult of this operation. +- **ScenarioId** Setup360 flow type. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). +- **Total** The total number of mitigations that were available. + + +### Setup360Telemetry.Setup360OneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **ClientId** The Windows Update client ID passed to Setup. +- **Count** The count of applicable OneSettings for the device. +- **FlightData** The ID for the flight (test instance version). +- **InstanceId** The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe. +- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. +- **ReportId** The Update ID passed to Setup. +- **Result** The HResult of the event error. +- **ScenarioId** The update scenario ID. +- **Values** Values sent back to the device, if applicable. + + +### Setup360Telemetry.UnexpectedEvent + +This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **o-Ste** No content is currently available. +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +## Windows as a Service diagnostic events + +### Microsoft.Windows.WaaSMedic.SummaryEvent + +Result of the WaaSMedic operation. + +The following fields are available: + +- **callerApplication** The name of the calling application. +- **detectionSummary** Result of each applicable detection that was run. +- **featureAssessmentImpact** WaaS Assessment impact for feature updates. +- **hrEngineResult** Error code from the engine operation. +- **insufficientSessions** Device not eligible for diagnostics. +- **isInteractiveMode** The user started a run of WaaSMedic. +- **isManaged** Device is managed for updates. +- **isWUConnected** Device is connected to Windows Update. +- **noMoreActions** No more applicable diagnostics. +- **qualityAssessmentImpact** WaaS Assessment impact for quality updates. +- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on. +- **usingBackupFeatureAssessment** Relying on backup feature assessment. +- **usingBackupQualityAssessment** Relying on backup quality assessment. +- **usingCachedFeatureAssessment** WaaS Medic run did not get OS build age from the network on the previous run. +- **usingCachedQualityAssessment** WaaS Medic run did not get OS revision age from the network on the previous run. +- **versionString** Version of the WaaSMedic engine. +- **waasMedicRunMode** Indicates whether this was a background regular run of the medic or whether it was triggered by a user launching Windows Update Troubleshooter. + + +## Windows Error Reporting events + +### Microsoft.Windows.WERVertical.OSCrash + +This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. + +The following fields are available: + +- **BootId** Uint32 identifying the boot number for this device. +- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check. +- **BugCheckPar%meter2** No content is currently available. +- **BugCheckParameter1** Uint64 parameter providing additional information. +- **BugCheckParameter2** Uint64 parameter providing additional information. +- **BugCheckParameter3** Uint64 parameter providing additional information. +- **BugCheckParameter4** Uint64 parameter providing additional information. +- **DumpFileAttributes** Codes that identify the type of data contained in the dump file +- **DumpFileSize** Size of the dump file +- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise +- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). + + +## Windows Error Reporting MTT events + +### Microsoft.Windows.WER.MTT.Denominator + +This event provides a denominator to calculate MTTF (mean-time-to-failure) for crashes and other errors, to help keep Windows up to date. + +The following fields are available: + +- **DPRange** Maximum mean value range. +- **DPValue** Randomized bit value (0 or 1) that can be reconstituted over a large population to estimate the mean. +- **Value** Standard UTC emitted DP value structure See [Value](#value). + + +### Value + +This event returns data about Mean Time to Failure (MTTF) for Windows devices. It is the primary means of estimating reliability problems in Basic Diagnostic reporting with very strong privacy guarantees. Since Basic Diagnostic reporting does not include system up-time, and since that information is important to ensuring the safe and stable operation of Windows, the data provided by this event provides that data in a manner which does not threaten a user’s privacy. + +The following fields are available: + +- **Algorithm** The algorithm used to preserve privacy. +- **DPRange** The upper bound of the range being measured. +- **DPValue** The randomized response returned by the client. +- **Epsilon** The level of privacy to be applied. +- **HistType** The histogram type if the algorithm is a histogram algorithm. +- **PertProb** The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”. + + +## Windows Store events + +### Microsoft.Windows.Store.StoreActivating + +This event sends tracking data about when the Store app activation via protocol URI is in progress, to help keep Windows up to date. + + + +### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation + +This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AggregatedPackageFullNcmes** No content is currently available. +- **AttemptNumber** Number of retry attempts before it was canceled. +- **BundleId** The Item Bundle ID. +- **Bundlele** No content is currently available. +- **CategoryId** The Item Category ID. +- **Categoryle** No content is currently available. +- **ClientAppId** The identity of the app that initiated this operation. +- **ClientApple** No content is currently available. +- **HResult** The result code of the last action performed before this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Was this requested by a user? +- **IsMandatory** Was this a mandatory update? +- **IsRemediation** Was this a remediation install? +- **IsRestore** Is this automatically restoring a previously acquired product? +- **IsUpdate** Flag indicating if this is an update. +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **ParentBundlele** No content is currently available. +- **PFN** The product family name of the product being installed. +- **Producele** No content is currently available. +- **ProductId** The identity of the package or packages being installed. +- **S{stemAttemptNumber** No content is currently available. +- **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled. +- **UserAttemptNumber** The total number of user attempts at installation before it was canceled. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds + +This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure. + + + +### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare + +This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure. + + + +### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation + +This event is sent when an app update or installation is canceled while in interactive mode. This can be canceled by the user or the system. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed. +- **AttemptNumber** Total number of installation attempts. +- **BundleId** The identity of the Windows Insider build that is associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Was this requested by a user? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this an automatic restore of a previously acquired product? +- **IsUpdate** Is this a product update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of all packages to be downloaded and installed. +- **PreviousHResult** The previous HResult code. +- **PreviousInstallState** Previous installation state before it was canceled. +- **ProductId** The name of the package or packages requested for installation. +- **RelatedCV** Correlation Vector of a previous performed action on this product. +- **SystemAttemptNumber** Total number of automatic attempts to install before it was canceled. +- **UserAttemptNumber** Total number of user attempts to install before it was canceled. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest + +This event is sent at the end of app installations or updates to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The Store Product ID of the app being installed. +- **HResult** HResult code of the action being performed. +- **IsBundle** Is this a bundle? +- **PackageFamilyName** The name of the package being installed. +- **ProductId** The Store Product ID of the product being installed. +- **SkuId** Specific edition of the item being installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense + +This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNaies** No content is currently available. +- **AggregatedpackageFullNames** No content is currently available. +- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set. +- **AttemptNumber** The total number of attempts to acquire this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** HResult code to show the result of the operation (success/failure). +- **IsBundle** Is this a bundle? +- **IsInteractive** Did the user initiate the installation? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this happening after a device restore? +- **IsUp`ate** No content is currently available. +- **IsUpdate** Is this an update? +- **ParentBuneleId** No content is currently available. +- **PFN** Product Family Name of the product being installed. +- **Produc|Id** No content is currently available. +- **productId** No content is currently available. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The number of attempts by the system to acquire this product. +- **UserAttemptNumber** The number of attempts by the user to acquire this product +- **UserCttemptNumber** No content is currently available. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndDownload + +This event is sent after an app is downloaded to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullLames** No content is currently available. +- **AggregatedPackageFullNaðes** No content is currently available. +- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. +- **AttemptNumber** Number of retry attempts before it was canceled. +- **BundleId** The identity of the Windows Insider build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **CategoryIf** No content is currently available. +- **ClientAppId** The identity of the app that initiated this operation. +- **DownloadSize** The total size of the download. +- **ExtendedHResult** Any extended HResult error codes. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this initiated by the user? +- **IsMandatory** Is this a mandatory installation? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this a restore of a previously acquired product? +- **IsUpdate** Is this an update? +- **ParentBundleId** The parent bundle ID (if it's part of a bundle). +- **PFN** The Product Family Name of the app being download. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The number of attempts by the system to download. +- **UserAttemptNum`er** No content is currently available. +- **UserAttemptNumber** The number of attempts by the user to download. +- **UserCttemptNumber** No content is currently available. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate + +This event is sent when an app update requires an updated Framework package and the process starts to download it. It is used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed before this operation. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds + +This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed before this operation. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndInstall + +This event is sent after a product has been installed to help keep Windows up-to-date and secure. + +The following fields are available: + +- **__TlgCÖ__** No content is currently available. +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **ExtendedHResult** The extended HResult error code. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this an interactive installation? +- **IsInteragtive** No content is currently available. +- **IsMandatory** Is this a mandatory installation? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this automatically restoring a previously acquired product? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** Product Family Name of the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates + +This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsApplicability** Is this request to only check if there are any applicable packages to install? +- **IsInteractive** Is this user requested? +- **IsOnline** Is the request doing an online check? + + +### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages + +This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData + +This event is sent after restoring user data (if any) that needs to be restored following a product install. It is used to keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of system attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare + +This event is sent after a scan for available app updates to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed. + + +### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete + +This event is sent at the end of an app install or update to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The name of the product catalog from which this app was chosen. +- **CatanogId** No content is currently available. +- **CatdlogId** No content is currently available. +- **FailedRetry** Indicates whether the installation or update retry was successful. +- **HResult** The HResult code of the operation. +- **JResult** No content is currently available. +- **PFN** The Package Family Name of the app that is being installed or updated. +- **Producele** No content is currently available. +- **ProductId** The product ID of the app that is being updated or installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate + +This event is sent at the beginning of an app install or update to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The name of the product catalog from which this app was chosen. +- **FulfillmentPluginId** The ID of the plugin needed to install the package type of the product. +- **PFN** The Package Family Name of the app that is being installed or updated. +- **PluginTelemetryData** Diagnostic information specific to the package-type plug-in. +- **ProductId** The product ID of the app that is being updated or installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest + +This event is sent when a product install or update is initiated, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **BundleId** The identity of the build associated with this product. +- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SkuId** Specific edition ID being installed. +- **VolumePath** The disk path of the installation. + + +### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation + +This event is sent when a product install or update is paused (either by a user or the system), to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The Product Full Name. +- **PreviousHResult** The result code of the last action performed before this operation. +- **PreviousInstallState** Previous state before the installation or update was paused. +- **ProductId** The Store Product ID for the product being installed. +- **RelatedCV** Correlation Vector of a previous performed action on this product. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation + +This event is sent when a product install or update is resumed (either by a user or the system), to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **categoryId** No content is currently available. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed before this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **IsUserRetry** Did the user initiate the retry? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **PreviousHResult** The previous HResult error code. +- **PreviousInstallState** Previous state before the installation was paused. +- **ProductId** The Store Product ID for the product being installed. +- **RelatedCV** Correlation Vector for the original install before it was resumed. +- **ResumeClientId** The ID of the app that initiated the resume operation. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest + +This event is sent when a product install or update is resumed by a user or on installation retries, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ProductId** The Store Product ID for the product being installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest + +This event is sent when searching for update packages to install, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The Store Catalog ID for the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SkuId** Specfic edition of the app being updated. + + +### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest + +This event occurs when an update is requested for an app, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **PFamN** The name of the app that is requested for update. + + +## Windows System Kit events + +### Microsoft.Windows.Kits.WSK.WskImageCreate + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures. + +The following fields are available: + +- **Phase** The image creation phase. Values are “Start” or “End”. +- **WskVersion** The version of the Windows System Kit being used. + + +### Microsoft.Windows.Kits.WSK.WskImageCustomization + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures. + +The following fields are available: + +- **CustomizationMode** Indicates the mode of the customization (new or updating). +- **CustomizationType** Indicates the type of customization (drivers or apps). +- **Mode** The mode of update to image configuration files. Values are “New” or “Update”. +- **Phase** The image creation phase. Values are “Start” or “End”. +- **Type** The type of update to image configuration files. Values are “Apps” or “Drivers”. +- **WskVersion** The version of the Windows System Kit being used. + + +### Microsoft.Windows.Kits.WSK.WskWorkspaceCreate + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new workspace for generating OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate workspace creation failures. + +The following fields are available: + +- **Architecture** The OS architecture that the workspace will target. Values are one of: “AMD64”, “ARM64”, “x86”, or “ARM”. +- **OsEdition** The Operating System Edition that the workspace will target. +- **Phase** The image creation phase. Values are “Start” or “End”. +- **WorkspaceArchitecture** The operating system architecture that the workspace will target. +- **WorkspaceOsEdition** The operating system edition that the workspace will target. +- **WskVersion** The version of the Windows System Kit being used. + + +## Windows Update Delivery Optimization events + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled + +This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download being done in the background? +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same group. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group. +- **bytesFromLinkLocalPeers** The number of bytes received from local peers. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **cdnIp** The IP Address of the source CDN (Content Delivery Network). +- **cdnUrl** The URL of the source CDN (Content Delivery Network). +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **errorCode** The error code that was returned. +- **experimentId** When running a test, this is used to correlate events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. +- **isVpn** Indicates whether the device is connected to a VPN (Virtual Private Network). +- **jobID** Identifier for the Windows Update job. +- **predefinedCallerName** The name of the API Caller. +- **reasonCode** Reason the action or event occurred. +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the file download session. +- **updateID** The ID of the update being downloaded. +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted + +This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **#dnErrorCounts** No content is currently available. +- **__TlgCVß_** No content is currently available. +- **|anConnectionCount** No content is currently available. +- **}plinkUsageBps** No content is currently available. +- **0redefinedCallerName** No content is currently available. +- **b6nConnectionCount** No content is currently available. +- **b6nErrorCodes** No content is currently available. +- **b6nErrorCounts** No content is currently available. +- **b6nIp** No content is currently available. +- **b6nUrl** No content is currently available. +- **background** Is the download a background download? +- **bytesFrkmIntPeers** No content is currently available. +- **bytesFromCacheSedver** No content is currently available. +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCdN** No content is currently available. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. +- **bytesFromIntÐeers** No content is currently available. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. +- **bytesFromLinkLocalPeers** The number of bytes received from local peers. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **bytesRequested** The total number of bytes requested for download. +- **cacheSarverConnectionCount** No content is currently available. +- **cacheSedverConnectionCount** No content is currently available. +- **cacheServerConndctionCount** No content is currently available. +- **cacheServerConnectionCoujt** No content is currently available. +- **cacheServerConnectionCount** Number of connections made to cache hosts. +- **cdnConnectionCount** The total number of connections made to the CDN. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **cdnIp** The IP address of the source CDN. +- **cdnSonnectionCount** No content is currently available. +- **cdnUrl** Url of the source Content Distribution Network (CDN). +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **dkwnloadModeSrc** No content is currently available. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **dowflinkBps** No content is currently available. +- **downlinkBps** The maximum measured available download bandwidth (in bytes per second). +- **downlinkUsageBps** The download speed (in bytes per second). +- **downloadMode** The download mode used for this file download session. +- **doWnloadMode** No content is currently available. +- **downloadModeReason** Reason for the download. +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **downloadMofeSrc** No content is currently available. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **fileSize** The size of the file being downloaded. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. +- **groupConjectionCount** No content is currently available. +- **groupConnectionCount** The total number of connections made to peers in the same group. +- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group. +- **internetConnectionCountdownlinkBps** No content is currently available. +- **isEjcrypted** No content is currently available. +- **isEncryptdd** No content is currently available. +- **isEncrypted** TRUE if the file is encrypted and will be decrypted after download. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **lanConnectionCount** The total number of connections made to peers in the same LAN. +- **linkLocalConnectionCount** The number of connections made to peers in the same Link-local network. +- **numPeers** The total number of peers used for this download. +- **numPeersLocal** The total number of local peers used for this download. +- **predefi.edCallerName** No content is currently available. +- **predefinedCallerName** The name of the API Caller. +- **predefinedCalleRName** No content is currently available. +- **restrictedUpload** Is the upload restricted? +- **romteToCacheServer** No content is currently available. +- **roupeToCacheServer** No content is currently available. +- **routeTnCacheServer** No content is currently available. +- **routeToCacheSedver** No content is currently available. +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the download session. +- **totalTimeMs** Duration of the download (in seconds). +- **updateID** The ID of the update being downloaded. +- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). +- **uplinkUsageBps** The upload speed (in bytes per second). +- **uplinkUsegeBps** No content is currently available. +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused + +This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **backgground** No content is currently available. +- **backgro}nd** No content is currently available. +- **backgrou|d** No content is currently available. +- **background** Is the download a background download? +- **c`nUrl** No content is currently available. +- **cdnUrl** The URL of the source CDN (Content Delivery Network). +- **errorBode** No content is currently available. +- **errorCode** The error code that was returned. +- **expebimentId** No content is currently available. +- **expebimentIderrorCode** No content is currently available. +- **experiientId** No content is currently available. +- **experimenpId** No content is currently available. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being paused. +- **isVp|** No content is currently available. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **predefinedCallerName** The name of the API Caller object. +- **reasonCod%** No content is currently available. +- **reasonCode** The reason for pausing the download. +- **recsonCodesessiolID** No content is currently available. +- **routeToCacheSedver** No content is currently available. +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the download session. +- **updateID** The ID of the update being paused. +- **updateMD** No content is currently available. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted + +This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **b6nUrl** No content is currently available. +- **background** Indicates whether the download is happening in the background. +- **bacoground** No content is currently available. +- **bileSizeCaller** No content is currently available. +- **bytesRequested** Number of bytes requested for the download. +- **cdnUrl** The URL of the source Content Distribution Network (CDN). +- **costFlags** A set of flags representing network cost. +- **costFlaos** No content is currently available. +- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). +- **diceRoll** Random number used for determining if a client will use peering. +- **doClientVersion** The version of the Delivery Optimization client. +- **doErrorC/de** No content is currently available. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **doErrorCoee** No content is currently available. +- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). +- **downloadModeReason** Reason for the download. +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **errorCode** The error code that was returned. +- **experimejtId** No content is currently available. +- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing. +- **faleID** No content is currently available. +- **fiheID** No content is currently available. +- **fileID** The ID of the file being downloaded. +- **filePat(** No content is currently available. +- **filePath** The path to where the downloaded file will be written. +- **fileSize** Total file size of the file that was downloaded. +- **fileSizeCaller** Value for total file size provided by our caller. +- **groqpID** No content is currently available. +- **groupID** ID for the group. +- **isEncrypted** Indicates whether the download is encrypted. +- **isFpn** No content is currently available. +- **isVpn** Indicates whether the device is connected to a Virtual Private Network. +- **jobID** The ID of the Windows Update job. +- **peerID** The ID for this delivery optimization client. +- **predefinedCallerName** Name of the API caller. +- **rimentId** No content is currently available. +- **routeToCacheSedver** No content is currently available. +- **routeToCacheServer** Cache server setting, source, and value. +- **sessionID** The ID for the file download session. +- **sessmonID** No content is currently available. +- **setConfigs** A JSON representation of the configurations that have been set, and their sources. +- **updateID** The ID of the update being downloaded. +- **updateYD** No content is currently available. +- **usedMemoryStream** Indicates whether the download used memory streaming. + + +### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication + +This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **cdnHeaders** The HTTP headers returned by the CDN. +- **cdnIp** The IP address of the CDN. +- **cdnUrl** The URL of the CDN. +- **eErrorCode** No content is currently available. +- **eErrorCunt** No content is currently available. +- **errorCode** The error code that was returned. +- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **htppStatusCode** No content is currently available. +- **httpStatusCode** The HTTP status code returned by the CDN. +- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET +- **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.). +- **requestOffset** The byte offset within the file in the sent request. +- **requestSize** The size of the range requested from the CDN. +- **responseSize** The size of the range response received from the CDN. +- **sessionID** The ID of the download session. + + +### Microsoft.OSG.DU.DeliveryOptClient.JobError + +This event represents a Windows Update job error. It allows for investigation of top errors. + +The following fields are available: + +- **cdnIp** The IP Address of the source CDN (Content Delivery Network). +- **doErrorCode** Error code returned for delivery optimization. +- **errorCode** The error code returned. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **jobID** The Windows Update job ID. + + +## Windows Update events + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary + +This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **activated** Whether the entire device manifest update is considered activated and in use. +- **analysisErrorCount** The number of driver packages that could not be analyzed because errors occurred during analysis. +- **flightId** Unique ID for each flight. +- **missingDriverCount** The number of driver packages delivered by the device manifest that are missing from the system. +- **missingUpdateCount** The number of updates in the device manifest that are missing from the system. +- **objectId** Unique value for each diagnostics session. +- **publishedCount** The number of drivers packages delivered by the device manifest that are published and available to be used on devices. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **scenarioId** Indicates the update scenario. +- **sessionId** Unique value for each update session. +- **summary** A summary string that contains basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match. +- **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string. +- **truncatedDeviceCount** The number of devices missing from the summary string because there is not enough room in the string. +- **truncatedDriverCount** The number of driver packages missing from the summary string because there is not enough room in the string. +- **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices. +- **updateId** The unique ID for each update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit + +This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **objectId** The unique GUID for each diagnostics session. +- **relatedCV** A correlation vector value generated from the latest USO scan. +- **result** Outcome of the initialization of the session. +- **scenarioId** Identifies the Update scenario. +- **sessionId** The unique value for each update session. +- **updateId** The unique identifier for each Update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest + +This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted. +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **objectId** Unique value for each Update Agent mode. +- **packageCountOptional** Number of optional packages requested. +- **packageCountRequired** Number of required packages requested. +- **packageCountTotal** Total number of packages needed. +- **packageCountTotalCanonical** Total number of canonical packages. +- **packageCountTotalDiff** Total number of diff packages. +- **packageCountTotalExpress** Total number of express packages. +- **packageSizeCanonical** Size of canonical packages in bytes. +- **packageSizeDiff** Size of diff packages in bytes. +- **packageSizeExpress** Size of express packages in bytes. +- **rangeRequestState** Represents the state of the download range request. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **result** Result of the download request phase of update. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionId** Unique value for each Update Agent mode attempt. +- **updateId** Unique ID for each update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize + +This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **flightMetadata** Contains the FlightId and the build being flighted. +- **objectId** Unique value for each Update Agent mode. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios). +- **sessionId** Unique value for each Update Agent mode attempt. +- **updateId** Unique ID for each update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall + +This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **errorCode** The error code returned for the current install phase. +- **flightId** The unique identifier for each flight (pre-release builds). +- **objectId** The unique identifier for each diagnostics session. +- **relatedCV** Correlation vector value generated from the latest scan. +- **result** Outcome of the install phase of the update. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate +- **sessionId** The unique identifier for each update session. +- **updateId** The unique identifier for each Update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart + +This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **flightId** The unique identifier for each flight (pre-release builds). +- **mode** Indicates the active Update Agent mode. +- **objectId** Unique value for each diagnostics session. +- **relatedCV** Correlation vector value generated from the latest scan. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionId** The unique identifier for each update session. +- **updateId** The unique identifier for each Update. + + +### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed + +This event indicates that a notification dialog box is about to be displayed to user. + +The following fields are available: + +- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. +- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before the RebootFailed dialog box is shown. +- **DaysSinceRebootRequired** Number of days since restart was required. +- **DeviceLocalTime** The local time on the device sending the event. +- **EngagedModeLimit** The number of days to switch between DTE dialog boxes. +- **EnterAutoModeLimit** The maximum number of days for a device to enter Auto Reboot mode. +- **ETag** OneSettings versioning value. +- **IsForcedEnabled** Indicates whether Forced Reboot mode is enabled for this device. +- **IsUltimateForcedEnabled** Indicates whether Ultimate Forced Reboot mode is enabled for this device. +- **NotificationUxState** Indicates which dialog box is shown. +- **NotificationUxStateString** Indicates which dialog box is shown. +- **RebootUxState** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). +- **RebootUxStateString** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). +- **RebootVersion** Version of DTE. +- **SkipToAutoModeLimit** The minimum length of time to pass in restart pending before a device can be put into auto mode. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UtcTime** The time the dialog box notification will be displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootAcceptAutoDialog + +This event indicates that the Enhanced Engaged restart "accept automatically" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose on this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootFirstReminderDialog + +This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed.. + +The following fields are available: + +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose in this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog + +This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** The local time of the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog + +This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** Time the dialog box was shown on the local device. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose in this dialog box. +- **UtcTime** The time that dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderDialog + +This event returns information relating to the Enhanced Engaged reboot reminder dialog that was displayed. + +The following fields are available: + +- **DeviceLocalTime** The time at which the reboot reminder dialog was shown (based on the local device time settings). +- **ETag** The OneSettings versioning value. +- **ExitCode** Indicates how users exited the reboot reminder dialog box. +- **RebootVersion** The version of the DTE (Direct-to-Engaged). +- **UpdateId** The ID of the update that is waiting for reboot to finish installation. +- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. +- **UserResponseString** The option chosen by the user on the reboot dialog box. +- **UtcTime** The time at which the reboot reminder dialog was shown (in UTC). + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderToast + +This event indicates that the Enhanced Engaged restart reminder pop-up banner was displayed. + +The following fields are available: + +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the pop-up banner. +- **RebootVersion** The version of the reboot logic. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in the pop-up banner. +- **UtcTime** The time that the pop-up banner was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.RebootScheduled + +Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update. + +The following fields are available: + +- **activeHoursApplicable** Indicates whether an Active Hours policy is present on the device. +- **IsEnhancedEngagedReboot** Indicates whether this is an Enhanced Engaged reboot. +- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. +- **rebootOutsideOfActiveHours** Indicates whether a restart is scheduled outside of active hours. +- **rebootScheduledByUser** Indicates whether the restart was scheduled by user (if not, it was scheduled automatically). +- **rebootState** The current state of the restart. +- **rebootUsingSmartScheduler** Indicates whether the reboot is scheduled by smart scheduler. +- **revisionNumber** Revision number of the update that is getting installed with this restart. +- **scheduledRebootTime** Time of the scheduled restart. +- **scheduledRebootTimeInUTC** Time of the scheduled restart in Coordinated Universal Time. +- **updateId** ID of the update that is getting installed with this restart. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy + +This event indicates a policy is present that may restrict update activity to outside of active hours. + +The following fields are available: + +- **activeHoursEnd** The end of the active hours window. +- **activeHoursStart** The start of the active hours window. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours + +This event indicates that update activity was blocked because it is within the active hours window. + +The following fields are available: + +- **activeHoursEnd** The end of the active hours window. +- **activeHoursStart** The start of the active hours window. +- **updatePhase** The current state of the update process. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.BlockedByBatteryLevel + +This event indicates that Windows Update activity was blocked due to low battery level. + +The following fields are available: + +- **batteryLevel** The current battery charge capacity. +- **batteryLevelThreshold** The battery capacity threshold to stop update activity. +- **updatePhase** The current state of the update process. +- **wuDeviceid** Device ID. + + +### Microsoft.Windows.Update.Orchestrator.DeferRestart + +This event indicates that a restart required for installing updates was postponed. + +The following fields are available: + +- **displayNeededReason** List of reasons for needing display. +- **eventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery). +- **gameModeReason** Name of the executable that caused the game mode state check to start. +- **ignoredReason** List of reasons that were intentionally ignored. +- **IgnoreReasonsForRestart** List of reasons why restart was deferred. +- **revisionNumber** Update ID revision number. +- **systemNeededReason** List of reasons why system is needed. +- **updateId** Update ID. +- **updateScenarioType** Update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.Detection + +This event indicates that a scan for a Windows Update occurred. + +The following fields are available: + +- **deferReason** The reason why the device could not check for updates. +- **detectionBlockingPolicy** The Policy that blocked detection. +- **detectionBlockreason** The reason detection did not complete. +- **detectionRetryMode** Indicates whether we will try to scan again. +- **errorCode** The error code returned for the current process. +- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. +- **flightID** The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable. +- **interactive** Indicates whether the user initiated the session. +- **networkStatus** Indicates if the device is connected to the internet. +- **revisionNumber** The Update revision number. +- **scanTriggerSource** The source of the triggered scan. +- **updateId** The unique identifier of the Update. +- **updateScenarioType** Identifies the type of update session being performed. +- **wuDeviceid** The unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.DisplayNeeded + +This event indicates the reboot was postponed due to needing a display. + +The following fields are available: + +- **displayNeededReason** Reason the display is needed. +- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. +- **revisionNumber** Revision number of the update. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. +- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue + + +### Microsoft.Windows.Update.Orchestrator.Download + +This event sends launch data for a Windows Update download to help keep Windows up to date. + +The following fields are available: + +- **deferReason** Reason for download not completing. +- **e:4|SScenario** No content is currently available. +- **errorCode** An error code represented as a hexadecimal value. +- **eventScenario** End-to-end update session ID. +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the session is user initiated. +- **interactiveelatedCVerrorCode** No content is currently available. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenariotate** No content is currently available. +- **updateScenarioType** The update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.DTUCompletedWhenWuFlightPendingCommit + +This event indicates that DTU completed installation of the electronic software delivery (ESD), when Windows Update was already in Pending Commit phase of the feature update. + +The following fields are available: + +- **wuDeviceid** Device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.DTUEnabled + +This event indicates that Inbox DTU functionality was enabled. + +The following fields are available: + +- **wuDeviceid** Device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.DTUInitiated + +This event indicates that Inbox DTU functionality was intiated. + +The following fields are available: + +- **dtuErrorCode** Return code from creating the DTU Com Server. +- **isDtuApplicable** Determination of whether DTU is applicable to the machine it is running on. +- **wuDeviceid** Device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.EscalationRiskLevels + +This event is sent during update scan, download, or install, and indicates that the device is at risk of being out-of-date. + +The following fields are available: + +- **configVersion** The escalation configuration version on the device. +- **downloadElapsedTime** Indicates how long since the download is required on device. +- **downloadRiskLevel** At-risk level of download phase. +- **installElapsedTime** Indicates how long since the install is required on device. +- **installRiskLevel** The at-risk level of install phase. +- **isSediment** Assessment of whether is device is at risk. +- **scanElapsedTime** Indicates how long since the scan is required on device. +- **scanRiskLevel** At-risk level of the scan phase. +- **wuDeviceid** Device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.FailedToAddTimeTriggerToScanTask + +This event indicated that USO failed to add a trigger time to a task. + +The following fields are available: + +- **errorCode** The Windows Update error code. +- **wuDeviceid** The Windows Update device ID. + + +### Microsoft.Windows.Update.Orchestrator.FlightInapplicable + +This event indicates that the update is no longer applicable to this device. + +The following fields are available: + +- **EventPublishedTime** Time when this event was generated. +- **flightID** The specific ID of the Windows Insider build. +- **inapplicableReason** The reason why the update is inapplicable. +- **revisionNumber** Update revision number. +- **updateId** Unique Windows Update ID. +- **updateScenarioType** Update session type. +- **UpdateStatus** Last status of update. +- **UUPFallBackConfigured** Indicates whether UUP fallback is configured. +- **wuDeviceid** Unique Device ID. + + +### Microsoft.Windows.Update.Orchestrator.InitiatingReboot + +This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date. + +The following fields are available: + +- **EventPublishedTime** Time of the event. +- **flightID** Unique update ID +- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. +- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. +- **revisionNumber** Revision number of the update. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.Install + +This event sends launch data for a Windows Update install to help keep Windows up to date. + +The following fields are available: + +- **batteryLevel** Current battery capacity in mWh or percentage left. +- **defeec-9-0S** No content is currently available. +- **deferReason** Reason for install not completing. +- **errorCode** The error code reppresented by a hexadecimal value. +- **eventScenario** End-to-end update session ID. +- **flightID** The ID of the Windows Insider build the device is getting. +- **flightUpdate** Indicates whether the update is a Windows Insider build. +- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates. +- **Ignorec-9-0SsFoec-start** No content is currently available. +- **IgnoreReasonsForRestart** The reason(s) a Postpone Restart command was ignored. +- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress. +- **installRebootinitiatetime** The time it took for a reboot to be attempted. +- **interactive** Identifies if session is user initiated. +- **minutesToCommit** The time it took to install updates. +- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateMd** No content is currently available. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.LowUptimes + +This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure. + +The following fields are available: + +- **availableHistoryMinutes** The number of minutes available from the local machine activity history. +- **isLowUptimeMachine** Is the machine considered low uptime or not. +- **lowUptimeMinHours** Current setting for the minimum number of hours needed to not be considered low uptime. +- **lowUptimeQueryDays** Current setting for the number of recent days to check for uptime. +- **uptimeMinutes** Number of minutes of uptime measured. +- **wuDeviceid** Unique device ID for Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection + +This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date. + +The following fields are available: + +- **externalOneshotupdate** The last time a task-triggered scan was completed. +- **interactiveOneshotupdate** The last time an interactive scan was completed. +- **oldlastscanOneshotupdate** The last time a scan completed successfully. +- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID). + + +### Microsoft.Windows.Update.Orchestrator.PreShutdownStart + +This event is generated before the shutdown and commit operations. + +The following fields are available: + +- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### Microsoft.Windows.Update.Orchestrator.RebootFailed + +This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date. + +The following fields are available: + +- **batteryLevel** Current battery capacity in mWh or percentage left. +- **deferReason** Reason for install not completing. +- **EventPublishedTime** The time that the reboot failure occurred. +- **flightID** Unique update ID. +- **rebootOutsideOfActiveHours** Indicates whether a reboot was scheduled outside of active hours. +- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.RefreshSettings + +This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date. + +The following fields are available: + +- **errorCode** Hex code for the error message, to allow lookup of the specific error. +- **settingsDownloadTime** Timestamp of the last attempt to acquire settings. +- **settingsETag** Version identifier for the settings. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask + +This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date. + +The following fields are available: + +- **RebootTaskMissedTimeUTC** The time when the reboot task was scheduled to run, but did not. +- **RebootTaskNextTimeUTC** The time when the reboot task was rescheduled for. +- **RebootTaskRestoredTime** Time at which this reboot task was restored. +- **wuDeviceid** Device ID for the device on which the reboot is restored. + + +### Microsoft.Windows.Update.Orchestrator.ScanTriggered + +This event indicates that Update Orchestrator has started a scan operation. + +The following fields are available: + +- **errorCode** The error code returned for the current scan operation. +- **eventScenario** Indicates the purpose of sending this event. +- **interactive** Indicates whether the scan is interactive. +- **isDTUEnabled** Indicates whether DTU (internal abbreviation for Direct Feature Update) channel is enabled on the client system. +- **isScanPastSla** Indicates whether the SLA has elapsed for scanning. +- **isScanPastTriggerSla** Indicates whether the SLA has elapsed for triggering a scan. +- **minutesOverScanSla** Indicates how many minutes the scan exceeded the scan SLA. +- **minutesOverScanTriggerSla** Indicates how many minutes the scan exceeded the scan trigger SLA. +- **scanTriggerSource** Indicates what caused the scan. +- **updateScenarioType** The update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.StickUpdate + +This event is sent when the update service orchestrator (USO) indicates the update cannot be superseded by a newer update. + +The following fields are available: + +- **updateAd** No content is currently available. +- **updateId** Identifier associated with the specific piece of content. +- **wuDeviceid** Unique device ID controlled by the software distribution client. + + +### Microsoft.Windows.Update.Orchestrator.SystemNeeded + +This event sends data about why a device is unable to reboot, to help keep Windows up to date. + +The following fields are available: + +- **eventScenario** End-to-end update session ID. +- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. +- **revisionNumber** Update revision number. +- **systemNeededReason** List of apps or tasks that are preventing the system from restarting. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.TerminatedByActiveHours + +This event indicates that update activity was stopped due to active hours starting. + +The following fields are available: + +- **activeHoursEnd** The end of the active hours window. +- **activeHoursStart** The start of the active hours window. +- **updatePhase** The current state of the update process. +- **wuDeviceid** The device identifier. + + +### Microsoft.Windows.Update.Orchestrator.TerminatedByBatteryLevel + +This event is sent when update activity was stopped due to a low battery level. + +The following fields are available: + +- **batteryLevel** The current battery charge capacity. +- **batteryLevelThreshold** The battery capacity threshold to stop update activity. +- **updatePhase** The current state of the update process. +- **wuDeviceid** The device identifier. + + +### Microsoft.Windows.Update.Orchestrator.UnstickUpdate + +This event is sent when the update service orchestrator (USO) indicates that the update can be superseded by a newer update. + +The following fields are available: + +- **updateId** Identifier associated with the specific piece of content. +- **wuDeviceid** Unique device ID controlled by the software distribution client. + + +### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh + +This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date. + +The following fields are available: + +- **configuredPoliciescount** Number of policies on the device. +- **policiesNamevaluesource** Policy name and source of policy (group policy, MDM or flight). +- **policyCacherefreshtime** Time when policy cache was refreshed. +- **updateInstalluxsetting** Indicates whether a user has set policies via a user experience option. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired + +This event sends data about whether an update required a reboot to help keep Windows up to date. + +The following fields are available: + +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed + +This event sends information about an update that encountered problems and was not able to complete. + +The following fields are available: + +- **errorCode** The error code encountered. +- **wuDeviceid** The ID of the device in which the error occurred. + + +### Microsoft.Windows.Update.Orchestrator.UsoSession + +This event represents the state of the USO service at start and completion. + +The following fields are available: + +- **activeSessionid** A unique session GUID. +- **eventScenario** The state of the update action. +- **interactive** Is the USO session interactive? +- **lastErrorcode** The last error that was encountered. +- **lastErrorstate** The state of the update when the last error was encountered. +- **sessionType** A GUID that refers to the update session type. +- **updateScenarioType** A descriptive update session type. +- **wuDeviceid** The Windows Update device GUID. + + +### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState + +This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. + +The following fields are available: + +- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. +- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown. +- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed. +- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs. +- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode. +- **ETag** The Entity Tag that represents the OneSettings version. +- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device. +- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device. +- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending. +- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced. +- **RebootVersion** The version of the DTE (Direct-to-Engaged). +- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode. +- **UpdateId** The ID of the update that is waiting for reboot to finish installation. +- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. + + +### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded + +This event is sent when a security update has successfully completed. + +The following fields are available: + +- **UtcTime** The Coordinated Universal Time that the restart was no longer needed. + + +### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled + +This event sends basic information about scheduling an update-related reboot, to get security updates and to help keep Windows up-to-date. + +The following fields are available: + +- **activeHoursApplicable** Indicates whether Active Hours applies on this device. +- **IsEnhancedEngagedReboot** Indicates whether Enhanced reboot was enabled. +- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. +- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise. +- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically. +- **rebootState** Current state of the reboot. +- **rebootUsingSmartScheduler** Indicates that the reboot is scheduled by SmartScheduler. +- **revisionNumber** Revision number of the OS. +- **scheduledRebootTime** Time scheduled for the reboot. +- **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC. +- **updateId** Identifies which update is being scheduled. +- **wuDeviceid** The unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerScheduledTask + +This event is sent when MUSE broker schedules a task. + +The following fields are available: + +- **TaskArgument** The arguments with which the task is scheduled. +- **TaskName** Name of the task. + + +### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled + +This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date. + +The following fields are available: + +- **activeHoursApplicable** Is the restart respecting Active Hours? +- **IsEnhancedEngagedReboot** TRUE if the reboot path is Enhanced Engaged. Otherwise, FALSE. +- **rebootArgument** The arguments that are passed to the OS for the restarted. +- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours? +- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device. +- **rebootState** The state of the restart. +- **rebootUsingSmartScheduler** TRUE if the reboot should be performed by the Smart Scheduler. Otherwise, FALSE. +- **revisionNumber** The revision number of the OS being updated. +- **scheduledRebootTime** Time of the scheduled reboot +- **scheduledRebootTimeInUTC** Time of the scheduled restart, in Coordinated Universal Time. +- **updateId** The Windows Update device GUID. +- **wuDeviceid** The Windows Update device GUID. + + +## Windows Update mitigation events + +### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages + +This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates. + +The following fields are available: + +- **ClientId** The client ID used by Windows Update. +- **FlightId** The ID of each Windows Insider build the device received. +- **InstanceId** A unique device ID that identifies each update instance. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **MountedImageCount** The number of mounted images. +- **MountedImageMatches** The number of mounted image matches. +- **MountedImagesFailed** The number of mounted images that could not be removed. +- **MountedImagesRemoved** The number of mounted images that were successfully removed. +- **MountedImagesSkipped** The number of mounted images that were not found. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each Windows Update. +- **WuId** Unique ID for the Windows Update client. + + +### Mitigation360Telemetry.MitigationCustom.FixAppXReparsePoints + +This event sends data specific to the FixAppXReparsePoints mitigation used for OS updates. + +The following fields are available: + +- **ClientId** Unique identifier for each flight. +- **FlightId** Unique GUID that identifies each instances of setuphost.exe. +- **InstanceId** The update scenario in which the mitigation was executed. +- **MitigationScenario** Correlation vector value generated from the latest USO scan. +- **RelatedCV** Number of reparse points that are corrupted but we failed to fix them. +- **ReparsePointsFailed** Number of reparse points that were corrupted and were fixed by this mitigation. +- **ReparsePointsFixed** Number of reparse points that are not corrupted and no action is required. +- **ReparsePointsSkipped** HResult of this operation. +- **Result** ID indicating the mitigation scenario. +- **ScenarioId** Indicates whether the scenario was supported. +- **ScenarioSupported** Unique value for each update attempt. +- **SessionId** Unique ID for each Update. +- **UpdateId** Unique ID for the Windows Update client. +- **WuId** Unique ID for the Windows Update client. + + +### Mitigation360Telemetry.MitigationCustom.FixupEditionId + +This event sends data specific to the FixupEditionId mitigation used for OS updates. + +The following fields are available: + +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **EditionIdUpdated** Determine whether EditionId was changed. +- **FlightId** Unique identifier for each flight. +- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **ProductEditionId** Expected EditionId value based on GetProductInfo. +- **ProductType** Value returned by GetProductInfo. +- **RegistryEditionId** EditionId value in the registry. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. +- **WuId** Unique ID for the Windows Update client. + + +## Windows Update Reserve Manager events + +### Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment + +This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending. + +The following fields are available: + +- **FinalAdjustment** Final adjustment for the hard reserve following the addition or removal of optional content. +- **InitialAdjustment** Initial intended adjustment for the hard reserve following the addition/removal of optional content. + + +### Microsoft.Windows.UpdateReserveManager.FunctionReturnedError + +This event is sent when the Update Reserve Manager returns an error from one of its internal functions. + +The following fields are available: + +- **FailedExpression** The failed expression that was returned. +- **FailedFile** The binary file that contained the failed function. +- **FailedFunction** The name of the function that originated the failure. +- **FailedLine** The line number of the failure. +- **ReturnCode** The return code of the function. + + +### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager + +This event returns data about the Update Reserve Manager, including whether it’s been initialized. + +The following fields are available: + +- **ClientId** The ID of the caller application. +- **Flags** The enumerated flags used to initialize the manager. +- **FlightId** The flight ID of the content the calling client is currently operating with. +- **Offline** Indicates whether or the reserve manager is called during offline operations. +- **PolicyPassed** Indicates whether the machine is able to use reserves. +- **ReturnCode** Return code of the operation. +- **Version** The version of the Update Reserve Manager. + + +### Microsoft.Windows.UpdateReserveManager.PrepareTIForReserveInitialization + +This event is sent when the Update Reserve Manager prepares the Trusted Installer to initialize reserves on the next boot. + +The following fields are available: + +- **Flags** The flags that are passed to the function to prepare the Trusted Installer for reserve initialization. + + +### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment + +This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment. + + + +### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment + +This event is sent when the Update Reserve Manager needs to adjust the size of the hard reserve after the option content is installed. + +The following fields are available: + +- **ChangeSize** The change in the hard reserve size based on the addition or removal of optional content. +- **Disposition** The parameter for the hard reserve adjustment function. +- **Flags** The flags passed to the hard reserve adjustment function. +- **PendingHardReserveAdjustment** The final change to the hard reserve size. +- **UpdateType** Indicates whether the change is an increase or decrease in the size of the hard reserve. + + +## Winlogon events + +### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon + +This event signals the completion of the setup process. It happens only once during the first logon. + + + +## XBOX events + +### Microsoft.Xbox.XamTelemetry.AppActivationError + +This event indicates whether the system detected an activation error in the app. + +The following fields are available: + +- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app. +- **AppId** The Xbox LIVE Title ID. +- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate. +- **Result** The HResult error. +- **UserId** The Xbox LIVE User ID (XUID). + + +### Microsoft.Xbox.XamTelemetry.AppActivity + +This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. + +The following fields are available: + +- **AppActionId** The ID of the application action. +- **AppCurrentVisibilityState** The ID of the current application visibility state. +- **AppId** The Xbox LIVE Title ID of the app. +- **AppPackageFullName** The full name of the application package. +- **AppPreviousVisibilityState** The ID of the previous application visibility state. +- **AppSessionId** The application session ID. +- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). +- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. +- **DurationMs** The amount of time (in milliseconds) since the last application state transition. +- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. +- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). +- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. +- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. +- **UserId** The XUID (Xbox User ID) of the current user. + + + From b958493992a0f8e3b9518844f867cc7740444f84 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 12 Mar 2019 16:37:06 -0700 Subject: [PATCH 044/492] new build 3/12/2019 4:37 PM --- ...ndows-diagnostic-events-and-fields-1703.md | 8 +- ...ndows-diagnostic-events-and-fields-1709.md | 10 +- ...ndows-diagnostic-events-and-fields-1803.md | 8 +- ...ndows-diagnostic-events-and-fields-1809.md | 15449 ++++++++-------- 4 files changed, 7926 insertions(+), 7549 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 30e23dda88..2e2ac4486f 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/05/2019 +ms.date: 03/12/2019 --- @@ -4181,7 +4181,7 @@ The following fields are available: - **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** The revision number of the specified piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Windows Store, etc.). - **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. - **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). @@ -5072,12 +5072,12 @@ This event lists the reboot reason when an app is going to reboot. The following fields are available: -- **BootId** The boot ID. +- **BootId** The system boot ID. - **BoottimeSinceLastShutdown** The boot time since the last shutdown. - **RebootReason** Reason for the reboot. -## Microsoft Store events +## Windows Store events ### Microsoft.Windows.Store.Partner.ReportApplication diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 58818d2e66..d6a2e128d8 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/05/2019 +ms.date: 03/12/2019 --- @@ -68,7 +68,7 @@ The following fields are available: - **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. - **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device. - **InventoryApplicationFile** The count of the number of this particular object type present on this device. -- **InventoryLanguagePack** The count of the number of this particular object type present on this device. +- **InventoryLanguagePack** The count of InventoryLanguagePack objects present on this machine. - **InventoryMediaCenter** The count of the number of this particular object type present on this device. - **InventorySystemBios** The count of the number of this particular object type present on this device. - **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. @@ -4128,7 +4128,7 @@ The following fields are available: - **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) - **RevisionNumber** Unique revision number of Update - **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Microsoft Store. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) - **SystemBIOSMajorRelease** Major version of the BIOS. - **SystemBIOSMinorRelease** Minor version of the BIOS. - **UpdateId** Unique Update ID @@ -4192,7 +4192,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** The revision number of the specified piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Windows Store, etc.). - **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. - **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). @@ -5298,7 +5298,7 @@ The following fields are available: - **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). -## Microsoft Store events +## Windows Store events ### Microsoft.Windows.Store.Partner.ReportApplication diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 2108b3c666..e88b4da389 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/05/2019 +ms.date: 03/12/2019 --- @@ -4934,7 +4934,7 @@ The following fields are available: - **FlightId** The specific id of the flight the device is getting - **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) - **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) - **SystemBIOSMajorRelease** Major release version of the system bios - **SystemBIOSMinorRelease** Minor release version of the system bios - **UpdateId** Identifier associated with the specific piece of content @@ -4997,7 +4997,7 @@ The following fields are available: - **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** The revision number of the specified piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Windows Store, etc.). - **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. - **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). @@ -5988,7 +5988,7 @@ The following fields are available: - **PertProb** Constant used in algorithm for randomization. -## Microsoft Store events +## Windows Store events ### Microsoft.Windows.Store.StoreActivating diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index f8a042ef3d..fd7cd31194 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -1,7536 +1,7913 @@ ---- -description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. -title: Windows 10, version 1809 basic diagnostic events and fields (Windows 10) -keywords: privacy, telemetry -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -localizationpriority: high -audience: ITPro -author: brianlic-msft -ms.author: brianlic -manager: dansimp -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 02/15/2019 ---- - - -# Windows 10, version 1809 basic level Windows diagnostic events and fields - - **Applies to** - -- Windows 10, version 1809 - - -The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. - -The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. - -Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. - -You can learn more about Windows functional and diagnostic data through these articles: - - -- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) -- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) -- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) -- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) -- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) - - - - -## Account trace logging provider events - -### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.General - -This event provides information about application properties to indicate the successful execution. - -The following fields are available: - -- **AppMode** Indicates the mode the app is being currently run around privileges. -- **ExitCode** Indicates the exit code of the app. -- **Help** Indicates if the app needs to be launched in the help mode. -- **ParseError** Indicates if there was a parse error during the execution. -- **RightsAcquired** Indicates if the right privileges were acquired for successful execution. -- **RightsWereEnabled** Indicates if the right privileges were enabled for successful execution. -- **TestMode** Indicates whether the app is being run in test mode. - - -### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.GetCount - -This event provides information about the properties of user accounts in the Administrator group. - -The following fields are available: - -- **Internal** Indicates the internal property associated with the count group. -- **LastError** The error code (if applicable) for the cause of the failure to get the count of the user account. -- **Result** The HResult error. - - -## AppLocker events - -### Microsoft.Windows.Security.AppLockerCSP.ActivityStoppedAutomatically - -Automatically closed activity for start/stop operations that aren't explicitly closed. - - - -### Microsoft.Windows.Security.AppLockerCSP.AddParams - -Parameters passed to Add function of the AppLockerCSP Node. - -The following fields are available: - -- **child** The child URI of the node to add. -- **uri** URI of the node relative to %SYSTEM32%/AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.AddStart - -Start of "Add" Operation for the AppLockerCSP Node. - - - -### Microsoft.Windows.Security.AppLockerCSP.AddStop - -End of "Add" Operation for AppLockerCSP Node. - -The following fields are available: - -- **hr** The HRESULT returned by Add function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.CAppLockerCSP::Rollback - -Result of the 'Rollback' operation in AppLockerCSP. - -The following fields are available: - -- **oldId** Previous id for the CSP transaction. -- **txId** Current id for the CSP transaction. - - -### Microsoft.Windows.Security.AppLockerCSP.ClearParams - -Parameters passed to the "Clear" operation for AppLockerCSP. - -The following fields are available: - -- **uri** The URI relative to the %SYSTEM32%\AppLocker folder. - - -### Microsoft.Windows.Security.AppLockerCSP.ClearStart - -Start of the "Clear" operation for the AppLockerCSP Node. - - - -### Microsoft.Windows.Security.AppLockerCSP.ClearStop - -End of the "Clear" operation for the AppLockerCSP node. - -The following fields are available: - -- **hr** HRESULT reported at the end of the 'Clear' function. - - -### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStart - -Start of the "ConfigManagerNotification" operation for AppLockerCSP. - -The following fields are available: - -- **NotifyState** State sent by ConfigManager to AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStop - -End of the "ConfigManagerNotification" operation for AppLockerCSP. - -The following fields are available: - -- **hr** HRESULT returned by the ConfigManagerNotification function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceParams - -Parameters passed to the CreateNodeInstance function of the AppLockerCSP node. - -The following fields are available: - -- **NodeId** NodeId passed to CreateNodeInstance. -- **nodeOps** NodeOperations parameter passed to CreateNodeInstance. -- **uri** URI passed to CreateNodeInstance, relative to %SYSTEM32%\AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStart - -Start of the "CreateNodeInstance" operation for the AppLockerCSP node. - - - -### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStop - -End of the "CreateNodeInstance" operation for the AppLockerCSP node - -The following fields are available: - -- **hr** HRESULT returned by the CreateNodeInstance function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.DeleteChildParams - -Parameters passed to the DeleteChild function of the AppLockerCSP node. - -The following fields are available: - -- **child** The child URI of the node to delete. -- **uri** URI relative to %SYSTEM32%\AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStart - -Start of the "DeleteChild" operation for the AppLockerCSP node. - - - -### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStop - -End of the "DeleteChild" operation for the AppLockerCSP node. - -The following fields are available: - -- **hr** HRESULT returned by the DeleteChild function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.EnumPolicies - -Logged URI relative to %SYSTEM32%\AppLocker, if the Plugin GUID is null, or the CSP doesn't believe the old policy is present. - -The following fields are available: - -- **uri** URI relative to %SYSTEM32%\AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesParams - -Parameters passed to the GetChildNodeNames function of the AppLockerCSP node. - -The following fields are available: - -- **uri** URI relative to %SYSTEM32%/AppLocker for MDM node. - - -### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStart - -Start of the "GetChildNodeNames" operation for the AppLockerCSP node. - - - -### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStop - -End of the "GetChildNodeNames" operation for the AppLockerCSP node. - -The following fields are available: - -- **child[0]** If function succeeded, the first child's name, else "NA". -- **count** If function succeeded, the number of child node names returned by the function, else 0. -- **hr** HRESULT returned by the GetChildNodeNames function of AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.GetLatestId - -The result of 'GetLatestId' in AppLockerCSP (the latest time stamped GUID). - -The following fields are available: - -- **dirId** The latest directory identifier found by GetLatestId. -- **id** The id returned by GetLatestId if id > 0 - otherwise the dirId parameter. - - -### Microsoft.Windows.Security.AppLockerCSP.HResultException - -HRESULT thrown by any arbitrary function in AppLockerCSP. - -The following fields are available: - -- **file** File in the OS code base in which the exception occurs. -- **function** Function in the OS code base in which the exception occurs. -- **hr** HRESULT that is reported. -- **line** Line in the file in the OS code base in which the exception occurs. - - -### Microsoft.Windows.Security.AppLockerCSP.SetValueParams - -Parameters passed to the SetValue function of the AppLockerCSP node. - -The following fields are available: - -- **dataLength** Length of the value to set. -- **uri** The node URI to that should contain the value, relative to %SYSTEM32%\AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.SetValueStart - -Start of the "SetValue" operation for the AppLockerCSP node. - - - -### Microsoft.Windows.Security.AppLockerCSP.SetValueStop - -End of the "SetValue" operation for the AppLockerCSP node. - -The following fields are available: - -- **hr** HRESULT returned by the SetValue function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.TryRemediateMissingPolicies - -EntryPoint of fix step or policy remediation, includes URI relative to %SYSTEM32%\AppLocker that needs to be fixed. - -The following fields are available: - -- **uri** URI for node relative to %SYSTEM32%/AppLocker. - - -## Appraiser events - -### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount - -This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client. - -The following fields are available: - -- **DatasourceApplicationFile_19ASetup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_19H1** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **DatasourceApplicationFile_RS2** An ID for the system, calculated by hashing hardware identifiers. -- **DatasourceApplicationFile_RS3** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS4** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_TH1** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_TH2** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_19ASetup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. -- **DatasourceDevicePnp_RS2** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS3** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS4** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS5** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_TH1** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_TH2** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_19ASetup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_19H1** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device. -- **DatasourceDriverPackage_RS2** The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device. -- **DatasourceDriverPackage_RS3** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS5** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_TH1** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoBlock_RS2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS3** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS3** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_19ASetup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_19H1** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device. -- **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device. -- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting Windows 10 version 1709 present on this device. -- **DatasourceSystemBios_RS3Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS4** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS5** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_TH1** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_TH2** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_19H1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS3** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_TH1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_TH2** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_19H1** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. -- **DecisionDevicePnp_RS2** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS3** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS5** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_TH1** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_TH2** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_19H1** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device. -- **DecisionDriverPackage_RS2** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS3** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS5** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_TH1** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. -- **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. -- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1709 present on this device. -- **DecisionMatchingInfoBlock_RS4** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1803 present on this device. -- **DecisionMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. -- **DecisionMatchingInfoPassive_RS2** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 on this device. -- **DecisionMatchingInfoPassive_RS3** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1803 on this device. -- **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. -- **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. -- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. -- **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_19H1** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_19H1Setup** The total DecisionMediaCenter objects targeting the next release of Windows on this device. -- **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. -- **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device. -- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting Windows 10 version 1709 present on this device. -- **DecisionMediaCenter_RS4** The total DecisionMediaCenter objects targeting Windows 10 version 1803 present on this device. -- **DecisionMediaCenter_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_TH1** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_TH2** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_19ASetup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_19H1** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device. -- **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 on this device. -- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting Windows 10 version 1709 on this device. -- **DecisionSystemBios_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device. -- **DecisionSystemBios_RS4Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS5** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS5Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_TH1** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device. -- **DecisionSystemProcessor_RS2** The count of the number of this particular object type present on this device. -- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **InventoryApplicationFile** The count of the number of this particular object type present on this device. -- **InventoryDeviceContainer** A count of device container objects in cache. -- **InventoryDevicePnp** A count of device Plug and Play objects in cache. -- **InventoryDriverBinary** A count of driver binary objects in cache. -- **InventoryDriverPackage** A count of device objects in cache. -- **InventoryLanguagePack** The count of the number of this particular object type present on this device. -- **InventoryMediaCenter** The count of the number of this particular object type present on this device. -- **InventorySystemBios** The count of the number of this particular object type present on this device. -- **InventorySystemMachine** The count of the number of this particular object type present on this device. -- **InventorySystemProcessor** The count of the number of this particular object type present on this device. -- **InventoryTest** The count of the number of this particular object type present on this device. -- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. -- **PCFP** The count of the number of this particular object type present on this device. -- **SystemMemory** The count of the number of this particular object type present on this device. -- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. -- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. -- **SystemProcessorNx** The total number of objects of this type present on this device. -- **SystemProcessorPrefetchW** The total number of objects of this type present on this device. -- **SystemProcessorSse2** The total number of objects of this type present on this device. -- **SystemTouch** The count of the number of this particular object type present on this device. -- **SystemWim** The total number of objects of this type present on this device. -- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. -- **SystemWlan** The total number of objects of this type present on this device. -- **Wmdrm_19ASetup** The count of the number of this particular object type present on this device. -- **Wmdrm_19H1** The count of the number of this particular object type present on this device. -- **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. -- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS2** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS3** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. -- **Wmdrm_RS4Setup** The count of the number of this particular object type present on this device. -- **Wmdrm_RS5** The count of the number of this particular object type present on this device. -- **Wmdrm_RS5Setup** The count of the number of this particular object type present on this device. -- **Wmdrm_TH1** The count of the number of this particular object type present on this device. -- **Wmdrm_TH2** The count of the number of this particular object type present on this device. - - -### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd - -Represents the basic metadata about specific application files installed on the system. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file that is generating the events. -- **AvDisplayName** If the app is an anti-virus app, this is its display name. -- **CompatModelIndex** The compatibility prediction for this file. -- **HasCitData** Indicates whether the file is present in CIT data. -- **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file. -- **IsAv** Is the file an anti-virus reporting EXE? -- **ResolveAttempted** This will always be an empty string when sending telemetry. -- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. - - -### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove - -This event indicates that the DatasourceApplicationFile object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync - -This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd - -This event sends compatibility data for a Plug and Play device, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **ActiveNetworkConnection** Indicates whether the device is an active network device. -- **AppraiserVersion** The version of the appraiser file generating the events. -- **CosDeviceRating** An enumeration that indicates if there is a driver on the target operating system. -- **CosDeviceSolution** An enumeration that indicates how a driver on the target operating system is available. -- **CosDeviceSolutionUrl** Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd . Empty string -- **CosPopulatedFromId** The expected uplevel driver matching ID based on driver coverage data. -- **IsBootCritical** Indicates whether the device boot is critical. -- **UplevelInboxDriver** Indicates whether there is a driver uplevel for this device. -- **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update. -- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver. -- **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update. - - -### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove - -This event indicates that the DatasourceDevicePnp object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync - -This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd - -This event sends compatibility database data about driver packages to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync - -This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd - -This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove - -This event indicates that the DataSourceMatchingInfoBlock object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync - -This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd - -This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove - -This event indicates that the DataSourceMatchingInfoPassive object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync - -This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd - -This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove - -This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync - -This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd - -This event sends compatibility database information about the BIOS to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove - -This event indicates that the DatasourceSystemBios object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync - -This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd - -This event sends compatibility decision data about a file to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file that is generating the events. -- **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. -- **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question. -- **DisplayGenericMessage** Will be a generic message be shown for this file? -- **DisplayGenericMessageGated** Indicates whether a generic message be shown for this file. -- **HardBlock** This file is blocked in the SDB. -- **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? -- **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode? -- **MigRemoval** Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade? -- **NeedsDismissAction** Will the file cause an action that can be dimissed? -- **NeedsInstallPostUpgradeData** After upgrade, the file will have a post-upgrade notification to install a replacement for the app. -- **NeedsNotifyPostUpgradeData** Does the file have a notification that should be shown after upgrade? -- **NeedsReinstallPostUpgradeData** After upgrade, this file will have a post-upgrade notification to reinstall the app. -- **NeedsUninstallAction** The file must be uninstalled to complete the upgrade. -- **SdbBlockUpgrade** The file is tagged as blocking upgrade in the SDB, -- **SdbBlockUpgradeCanReinstall** The file is tagged as blocking upgrade in the SDB. It can be reinstalled after upgrade. -- **SdbBlockUpgradeUntilUpdate** The file is tagged as blocking upgrade in the SDB. If the app is updated, the upgrade can proceed. -- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not block upgrade. -- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade. -- **SoftBlock** The file is softblocked in the SDB and has a warning. - - -### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove - -This event indicates Indicates that the DecisionApplicationFile object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync - -This event indicates that a new set of DecisionApplicationFileAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd - -This event sends compatibility decision data about a PNP device to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. -- **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked? -- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate? -- **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked? -- **BlockingDevice** Is this PNP device blocking upgrade? -- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS? -- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device? -- **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device? -- **DisplayGenericMessageGated** Indicates whether a generic message will be shown during Setup for this PNP device. -- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device? -- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? -- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device? -- **DriverBlockOverridden** Is there is a driver block on the device that has been overridden? -- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device? -- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS? -- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade? -- **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden? - - -### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove - -This event indicates that the DecisionDevicePnp object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync - -The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd - -This event sends decision data about driver package compatibility to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. -- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for this driver package. -- **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? -- **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block? -- **DriverIsDriverBlocked** Is the driver package blocked because of a driver block? -- **DriverIsTroubleshooterBlocked** Indicates whether the driver package is blocked because of a troubleshooter block. -- **DriverShouldNotMigrate** Should the driver package be migrated during upgrade? -- **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? - - -### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove - -This event indicates that the DecisionDriverPackage object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync - -This event indicates that a new set of DecisionDriverPackageAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd - -This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. -- **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks? -- **DisplayGenericMessage** Will a generic message be shown for this block? -- **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block? -- **SdbBlockUpgrade** Is a matching info block blocking upgrade? -- **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag? -- **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag? - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove - -This event indicates that the DecisionMatchingInfoBlock object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync - -This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd - -This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks? -- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown due to matching info blocks. -- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove - -This event Indicates that the DecisionMatchingInfoPassive object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync - -This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd - -This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app? -- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade? -- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app? -- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade). - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove - -This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync - -This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd - -This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **BlockingApplication** Is there any application issues that interfere with upgrade due to Windows Media Center? -- **MediaCenterActivelyUsed** If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true? -- **MediaCenterIndicators** Do any indicators imply that Windows Media Center is in active use? -- **MediaCenterInUse** Is Windows Media Center actively being used? -- **MediaCenterPaidOrActivelyUsed** Is Windows Media Center actively being used or is it running on a supported edition? -- **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center? - - -### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove - -This event indicates that the DecisionMediaCenter object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync - -This event indicates that a new set of DecisionMediaCenterAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd - -This event sends compatibility decision data about the BIOS to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the device blocked from upgrade due to a BIOS block? -- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for the bios. -- **HasBiosBlock** Does the device have a BIOS block? - - -### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove - -This event indicates that the DecisionSystemBios object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync - -This event indicates that a new set of DecisionSystemBiosAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.GatedRegChange - -This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date. - -The following fields are available: - -- **NewData** The data in the registry value after the scan completed. -- **OldData** The previous data in the registry value before the scan ran. -- **PCFP** An ID for the system calculated by hashing hardware identifiers. -- **RegKey** The registry key name for which a result is being sent. -- **RegValue** The registry value for which a result is being sent. -- **Time** The client time of the event. - - -### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd - -This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **AvDisplayName** If the app is an antivirus app, this is its display name. -- **AvProductState** Indicates whether the antivirus program is turned on and the signatures are up to date. -- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64. -- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. -- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. -- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata. -- **CompanyName** The company name of the vendor who developed this file. -- **FileId** A hash that uniquely identifies a file. -- **FileVersion** The File version field from the file metadata under Properties -> Details. -- **HasUpgradeExe** Indicates whether the antivirus app has an upgrade.exe file. -- **IsAv** Indicates whether the file an antivirus reporting EXE. -- **LinkDate** The date and time that this file was linked on. -- **LowerCaseLongPath** The full file path to the file that was inventoried on the device. -- **Name** The name of the file that was inventoried. -- **ProductName** The Product name field from the file metadata under Properties -> Details. -- **ProductVersion** The Product version field from the file metadata under Properties -> Details. -- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it. -- **Size** The size of the file (in hexadecimal bytes). - - -### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove - -This event indicates that the InventoryApplicationFile object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync - -This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd - -This event sends data about the number of language packs installed on the system, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **HasLanguagePack** Indicates whether this device has 2 or more language packs. -- **LanguagePackCount** The number of language packs are installed. - - -### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove - -This event indicates that the InventoryLanguagePack object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync - -This event indicates that a new set of InventoryLanguagePackAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd - -This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **EverLaunched** Has Windows Media Center ever been launched? -- **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center? -- **HasExtendedUserAccounts** Are any Windows Media Center Extender user accounts configured? -- **HasWatchedFolders** Are any folders configured for Windows Media Center to watch? -- **IsDefaultLauncher** Is Windows Media Center the default app for opening music or video files? -- **IsPaid** Is the user running a Windows Media Center edition that implies they paid for Windows Media Center? -- **IsSupported** Does the running OS support Windows Media Center? - - -### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove - -This event indicates that the InventoryMediaCenter object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync - -This event indicates that a new set of InventoryMediaCenterAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd - -This event sends basic metadata about the BIOS to determine whether it has a compatibility block. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **biosDate** The release date of the BIOS in UTC format. -- **BiosDate** The release date of the BIOS in UTC format. -- **biosName** The name field from Win32_BIOS. -- **BiosName** The name field from Win32_BIOS. -- **manufacturer** The manufacturer field from Win32_ComputerSystem. -- **Manufacturer** The manufacturer field from Win32_ComputerSystem. -- **model** The model field from Win32_ComputerSystem. -- **Model** The model field from Win32_ComputerSystem. - - -### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove - -This event indicates that the InventorySystemBios object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync - -This event indicates that a new set of InventorySystemBiosAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd - -This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **BootCritical** Is the driver package marked as boot critical? -- **Build** The build value from the driver package. -- **CatalogFile** The name of the catalog file within the driver package. -- **Class** The device class from the driver package. -- **ClassGuid** The device class unique ID from the driver package. -- **Date** The date from the driver package. -- **Inbox** Is the driver package of a driver that is included with Windows? -- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU. -- **Provider** The provider of the driver package. -- **PublishedName** The name of the INF file after it was renamed. -- **Revision** The revision of the driver package. -- **SignatureStatus** Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2. -- **VersionMajor** The major version of the driver package. -- **VersionMinor** The minor version of the driver package. - - -### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove - -This event indicates that the InventoryUplevelDriverPackage object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync - -This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.RunContext - -This event indicates what should be expected in the data payload. - -The following fields are available: - -- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built. -- **AppraiserProcess** The name of the process that launched Appraiser. -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **CensusId** A unique hardware identifier. -- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry. -- **PCFP** An ID for the system calculated by hashing hardware identifiers. -- **Subcontext** Indicates what categories of incompatibilities appraiser is scanning for. Can be N/A, Resolve, or a semicolon-delimited list that can include App, Dev, Sys, Gat, or Rescan. -- **Time** The client time of the event. - - -### Microsoft.Windows.Appraiser.General.SystemMemoryAdd - -This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the device from upgrade due to memory restrictions? -- **MemoryRequirementViolated** Was a memory requirement violated? -- **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes). -- **ram** The amount of memory on the device. -- **ramKB** The amount of memory (in KB). -- **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes). -- **virtualKB** The amount of virtual memory (in KB). - - -### Microsoft.Windows.Appraiser.General.SystemMemoryRemove - -This event that the SystemMemory object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync - -This event indicates that a new set of SystemMemoryAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd - -This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **CompareExchange128Support** Does the CPU support CompareExchange128? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove - -This event indicates that the SystemProcessorCompareExchange object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync - -This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd - -This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **LahfSahfSupport** Does the CPU support LAHF/SAHF? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove - -This event indicates that the SystemProcessorLahfSahf object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync - -This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd - -This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support. -- **NXProcessorSupport** Does the processor support NX? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove - -This event indicates that the SystemProcessorNx object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync - -This event indicates that a new set of SystemProcessorNxAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd - -This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **PrefetchWSupport** Does the processor support PrefetchW? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove - -This event indicates that the SystemProcessorPrefetchW object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync - -This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add - -This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **SSE2ProcessorSupport** Does the processor support SSE2? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove - -This event indicates that the SystemProcessorSse2 object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync - -This event indicates that a new set of SystemProcessorSse2Add events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemTouchAdd - -This event sends data indicating whether the system supports touch, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer? -- **MaximumTouches** The maximum number of touch points supported by the device hardware. - - -### Microsoft.Windows.Appraiser.General.SystemTouchRemove - -This event indicates that the SystemTouch object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemTouchStartSync - -This event indicates that a new set of SystemTouchAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWimAdd - -This event sends data indicating whether the operating system is running from a compressed Windows Imaging Format (WIM) file, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **IsWimBoot** Is the current operating system running from a compressed WIM file? -- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM. - - -### Microsoft.Windows.Appraiser.General.SystemWimRemove - -This event indicates that the SystemWim object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWimStartSync - -This event indicates that a new set of SystemWimAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd - -This event sends data indicating whether the current operating system is activated, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated. -- **WindowsNotActivatedDecision** Is the current operating system activated? - - -### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove - -This event indicates that the SystemWindowsActivationStatus object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync - -This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWlanAdd - -This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked because of an emulated WLAN driver? -- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block? -- **WlanEmulatedDriver** Does the device have an emulated WLAN driver? -- **WlanExists** Does the device support WLAN at all? -- **WlanModulePresent** Are any WLAN modules present? -- **WlanNativeDriver** Does the device have a non-emulated WLAN driver? - - -### Microsoft.Windows.Appraiser.General.SystemWlanRemove - -This event indicates that the SystemWlan object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWlanStartSync - -This event indicates that a new set of SystemWlanAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.TelemetryRunHealth - -This event indicates the parameters and result of a telemetry (diagnostic) run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date. - -The following fields are available: - -- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built. -- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run. -- **AppraiserProcess** The name of the process that launched Appraiser. -- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots. -- **AuxFinal** Obsolete, always set to false. -- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app. -- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan. -- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. -- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent. -- **InboxDataVersion** The original version of the data files before retrieving any newer version. -- **IndicatorsWritten** Indicates if all relevant UEX indicators were successfully written or updated. -- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent. -- **PCFP** An ID for the system calculated by hashing hardware identifiers. -- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. -- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. -- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. -- **RunDate** The date that the telemetry run was stated, expressed as a filetime. -- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic. -- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. -- **RunResult** The hresult of the Appraiser telemetry run. -- **ScheduledUploadDay** The day scheduled for the upload. -- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run. -- **StoreHandleIsNotNull** Obsolete, always set to false -- **TelementrySent** Indicates if telemetry was successfully sent. -- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability. -- **Time** The client time of the event. -- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging. -- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated. - - -### Microsoft.Windows.Appraiser.General.WmdrmAdd - -This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **BlockingApplication** Same as NeedsDismissAction. -- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation. -- **WmdrmApiResult** Raw value of the API used to gather DRM state. -- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs. -- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased. -- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed. -- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses. -- **WmdrmPurchased** Indicates if the system has any files with permanent licenses. - - -### Microsoft.Windows.Appraiser.General.WmdrmRemove - -This event indicates that the Wmdrm object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.WmdrmStartSync - -This event indicates that a new set of WmdrmAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -## Census events - -### Census.App - -Provides information on IE and Census versions running on the device - -The following fields are available: - -- **AppraiserEnterpriseErrorCode** The error code of the last Appraiser enterprise run. -- **AppraiserErrorCode** The error code of the last Appraiser run. -- **AppraiserRunEndTimeStamp** The end time of the last Appraiser run. -- **AppraiserRunIsInProgressOrCrashed** Flag that indicates if the Appraiser run is in progress or has crashed. -- **AppraiserRunStartTimeStamp** The start time of the last Appraiser run. -- **AppraiserTaskEnabled** Whether the Appraiser task is enabled. -- **AppraiserTaskExitCode** The Appraiser task exist code. -- **AppraiserTaskLastRun** The last runtime for the Appraiser task. -- **CensusVersion** The version of Census that generated the current data for this device. -- **IEVersion** The version of Internet Explorer that is running on the device. - - -### Census.Battery - -This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date. - -The following fields are available: - -- **InternalBatteryCapablities** Represents information about what the battery is capable of doing. -- **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity  to estimate the battery's wear. -- **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh. -- **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance. -- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value. - - -### Census.Camera - -This event sends data about the resolution of cameras on the device, to help keep Windows up to date. - -The following fields are available: - -- **FrontFacingCameraResolution** Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0. -- **RearFacingCameraResolution** Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0. - - -### Census.Enterprise - -This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment. - -The following fields are available: - -- **AADDeviceId** Azure Active Directory device ID. -- **AzureOSIDPresent** Represents the field used to identify an Azure machine. -- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs. -- **CDJType** Represents the type of cloud domain joined for the machine. -- **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers. -- **ContainerType** The type of container, such as process or virtual machine hosted. -- **EnrollmentType** Defines the type of MDM enrollment on the device. -- **HashedDomain** The hashed representation of the user domain used for login. -- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false -- **IsDERequirementMet** Represents if the device can do device encryption. -- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption -- **IsDomainJoined** Indicates whether a machine is joined to a domain. -- **IsEDPEnabled** Represents if Enterprise data protected on the device. -- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. -- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID -- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment. -- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. -- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier - - -### Census.Firmware - -This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date. - -The following fields are available: - -- **FirmwareManufacturer** Represents the manufacturer of the device's firmware (BIOS). -- **FirmwareReleaseDate** Represents the date the current firmware was released. -- **FirmwareType** Represents the firmware type. The various types can be unknown, BIOS, UEFI. -- **FirmwareVersion** Represents the version of the current firmware. - - -### Census.Flighting - -This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up to date. - -The following fields are available: - -- **DeviceSampleRate** The telemetry sample rate assigned to the device. -- **EnablePreviewBuilds** Used to enable Windows Insider builds on a device. -- **FlightIds** A list of the different Windows Insider builds on this device. -- **FlightingBranchName** The name of the Windows Insider branch currently used by the device. -- **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program. -- **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device. -- **SSRK** Retrieves the mobile targeting settings. - - -### Census.Hardware - -This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up to date. - -The following fields are available: - -- **ActiveMicCount** The number of active microphones attached to the device. -- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36. -- **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields. -- **D3DMaxFeatureLevel** Supported Direct3D version. -- **DeviceColor** Indicates a color of the device. -- **DeviceForm** Indicates the form as per the device classification. -- **DeviceName** The device name that is set by the user. -- **DigitizerSupport** Is a digitizer supported? -- **DUID** The device unique ID. -- **Gyroscope** Indicates whether the device has a gyroscope (a mechanical component that measures and maintains orientation). -- **InventoryId** The device ID used for compatibility testing. -- **Magnetometer** Indicates whether the device has a magnetometer (a mechanical component that works like a compass). -- **NFCProximity** Indicates whether the device supports NFC (a set of communication protocols that helps establish communication when applicable devices are brought close together.) -- **OEMDigitalMarkerFileName** The name of the file placed in the \Windows\system32\drivers directory that specifies the OEM and model name of the device. -- **OEMManufacturerName** The device manufacturer name. The OEMName for an inactive device is not reprocessed even if the clean OEM name is changed at a later date. -- **OEMModelBaseBoard** The baseboard model used by the OEM. -- **OEMModelBaseBoardVersion** Differentiates between developer and retail devices. -- **OEMModelName** The device model name. -- **OEMModelNumber** The device model number. -- **OEMModelSKU** The device edition that is defined by the manufacturer. -- **OEMModelSystemFamily** The system family set on the device by an OEM. -- **OEMModelSystemVersion** The system model version set on the device by the OEM. -- **OEMOptionalIdentifier** A Microsoft assigned value that represents a specific OEM subsidiary. -- **OEMSerialNumber** The serial number of the device that is set by the manufacturer. -- **PhoneManufacturer** The friendly name of the phone manufacturer. -- **PowerPlatformRole** The OEM preferred power management profile. It's used to help to identify the basic form factor of the device. -- **SoCName** The firmware manufacturer of the device. -- **StudyID** Used to identify retail and non-retail device. -- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced. -- **TelemetryLevelLimitEnhanced** The telemetry level for Windows Analytics-based solutions. -- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user. -- **TPMManufacturerId** The ID of the TPM manufacturer. -- **TPMManufacturerVersion** The version of the TPM manufacturer. -- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0. -- **VoiceSupported** Does the device have a cellular radio capable of making voice calls? - - -### Census.Memory - -This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to date. - -The following fields are available: - -- **TotalPhysicalRAM** Represents the physical memory (in MB). -- **TotalVisibleMemory** Represents the memory that is not reserved by the system. - - -### Census.Network - -This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors), to help keep Windows up to date. - -The following fields are available: - -- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. -- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. -- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MEID** Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. -- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MobileOperatorBilling** Represents the telephone company that provides services for mobile phone users. -- **MobileOperatorCommercialized** Represents which reseller and geography the phone is commercialized for. This is the set of values on the phone for who and where it was intended to be used. For example, the commercialized mobile operator code AT&T in the US would be ATT-US. -- **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. -- **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. -- **NetworkAdapterGUID** The GUID of the primary network adapter. -- **NetworkCost** Represents the network cost associated with a connection. -- **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. -- **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. - - -### Census.OS - -This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date. - -The following fields are available: - -- **ActivationChannel** Retrieves the retail license key or Volume license key for a machine. -- **AssignedAccessStatus** Kiosk configuration mode. -- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled. -- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy. -- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time -- **GenuineState** Retrieves the ID Value specifying the OS Genuine check. -- **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update). -- **InstallLanguage** The first language installed on the user machine. -- **IsDeviceRetailDemo** Retrieves if the device is running in demo mode. -- **IsEduData** Returns Boolean if the education data policy is enabled. -- **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go -- **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI. -- **LanguagePacks** The list of language packages installed on the device. -- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store. -- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. -- **OSEdition** Retrieves the version of the current OS. -- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc -- **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). -- **OSSKU** Retrieves the Friendly Name of OS Edition. -- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. -- **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines. -- **OSTimeZoneBiasInMins** Retrieves the time zone set on machine. -- **OSUILocale** Retrieves the locale of the UI that is currently used by the OS. -- **ProductActivationResult** Returns Boolean if the OS Activation was successful. -- **ProductActivationTime** Returns the OS Activation time for tracking piracy issues. -- **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key. -- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability. -- **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. -- **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. -- **ServiceProductKeyID** Retrieves the License key of the KMS -- **SharedPCMode** Returns Boolean for education devices used as shared cart -- **Signature** Retrieves if it is a signature machine sold by Microsoft store. -- **SLICStatus** Whether a SLIC table exists on the device. -- **SLICVersion** Returns OS type/version from SLIC table. - - -### Census.PrivacySettings - -This event provides information about the device level privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represent the authority that set the value. The effective consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. - -The following fields are available: - -- **Activity** Current state of the activity history setting. -- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. -- **ActivityHistoryCollection** Current state of the activity history collection setting. -- **AdvertisingId** Current state of the advertising ID setting. -- **AppDiagnostics** Current state of the app diagnostics setting. -- **Appointments** Current state of the calendar setting. -- **Bluetooth** Current state of the Bluetooth capability setting. -- **BluetoothSync** Current state of the Bluetooth sync capability setting. -- **BroadFileSystemAccess** Current state of the broad file system access setting. -- **CellularData** Current state of the cellular data capability setting. -- **Chat** Current state of the chat setting. -- **Contacts** Current state of the contacts setting. -- **DocumentsLibrary** Current state of the documents library setting. -- **Email** Current state of the email setting. -- **FindMyDevice** Current state of the "find my device" setting. -- **GazeInput** Current state of the gaze input setting. -- **HumanInterfaceDevice** Current state of the human interface device setting. -- **InkTypeImprovement** Current state of the improve inking and typing setting. -- **Location** Current state of the location setting. -- **LocationHistory** Current state of the location history setting. -- **LocationHistoryCloudSync** Current state of the location history cloud sync setting. -- **LocationHistoryOnTimeline** Current state of the location history on timeline setting. -- **Microphone** Current state of the microphone setting. -- **PhoneCall** Current state of the phone call setting. -- **PhoneCallHistory** Current state of the call history setting. -- **PicturesLibrary** Current state of the pictures library setting. -- **Radios** Current state of the radios setting. -- **SensorsCustom** Current state of the custom sensor setting. -- **SerialCommunication** Current state of the serial communication setting. -- **Sms** Current state of the text messaging setting. -- **SpeechPersonalization** Current state of the speech services setting. -- **USB** Current state of the USB setting. -- **UserAccountInformation** Current state of the account information setting. -- **UserDataTasks** Current state of the tasks setting. -- **UserNotificationListener** Current state of the notifications setting. -- **VideosLibrary** Current state of the videos library setting. -- **Webcam** Current state of the camera setting. -- **WiFiDirect** Current state of the Wi-Fi direct setting. - - -### Census.Processor - -Provides information on several important data points about Processor settings - -The following fields are available: - -- **KvaShadow** This is the micro code information of the processor. -- **MMSettingOverride** Microcode setting of the processor. -- **MMSettingOverrideMask** Microcode setting override of the processor. -- **PreviousUpdateRevision** Previous microcode revision -- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. -- **ProcessorClockSpeed** Clock speed of the processor in MHz. -- **ProcessorCores** Number of logical cores in the processor. -- **ProcessorIdentifier** Processor Identifier of a manufacturer. -- **ProcessorManufacturer** Name of the processor manufacturer. -- **ProcessorModel** Name of the processor model. -- **ProcessorPhysicalCores** Number of physical cores in the processor. -- **ProcessorUpdateRevision** The microcode revision. -- **ProcessorUpdateStatus** Enum value that represents the processor microcode load status -- **SocketCount** Count of CPU sockets. -- **SpeculationControl** Indicates whether the system has enabled protections needed to validate the speculation control vulnerability. - - -### Census.Security - -This event provides information on about security settings used to help keep Windows up to date and secure. - -The following fields are available: - -- **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard. -- **CGRunning** Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. This field tells if Credential Guard is running. -- **DGState** This field summarizes the Device Guard state. -- **HVCIRunning** Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all software running in kernel mode to safely allocate memory. This field tells if HVCI is running. -- **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest. -- **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host. -- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security. -- **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting. -- **SModeState** The Windows S mode trail state. -- **VBSState** Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled, Enabled, or Running. - - -### Census.Speech - -This event is used to gather basic speech settings on the device. - -The following fields are available: - -- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked. -- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities. -- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user. -- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. -- **KeyVer** Version information for the census speech event. -- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS). -- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. -- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities. -- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice. -- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device. -- **SpeechServicesValueSource** Indicates the deciding factor for the effective online speech recognition privacy policy settings: remote admin, local admin, or user preference. - - -### Census.Storage - -This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date. - -The following fields are available: - -- **PrimaryDiskTotalCapacity** Retrieves the amount of disk space on the primary disk of the device in MB. -- **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any). -- **StorageReservePassedPolicy** Indicates whether the Storage Reserve policy, which ensures that updates have enough disk space and customers are on the latest OS, is enabled on this device. -- **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB. - - -### Census.Userdefault - -This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date. - -The following fields are available: - -- **CalendarType** The calendar identifiers that are used to specify different calendars. -- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. -- **DefaultBrowserProgId** The ProgramId of the current user's default browser. -- **LongDateFormat** The long date format the user has selected. -- **ShortDateFormat** The short date format the user has selected. - - -### Census.UserDisplay - -This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date. - -The following fields are available: - -- **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display. -- **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display. -- **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display. -- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display. -- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display. -- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display. -- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches . -- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches -- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine -- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine. -- **VRAMDedicated** Retrieves the video RAM in MB. -- **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card. -- **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use. - - -### Census.UserNLS - -This event sends data about the default app language, input, and display language preferences set by the user, to help keep Windows up to date. - -The following fields are available: - -- **DefaultAppLanguage** The current user Default App Language. -- **DisplayLanguage** The current user preferred Windows Display Language. -- **HomeLocation** The current user location, which is populated using GetUserGeoId() function. -- **KeyboardInputLanguages** The Keyboard input languages installed on the device. -- **SpeechInputLanguages** The Speech Input languages installed on the device. - - -### Census.UserPrivacySettings - -This event provides information about the current users privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represents the authority that set the value. The effective consent is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = user, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. - -The following fields are available: - -- **Activity** Current state of the activity history setting. -- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. -- **ActivityHistoryCollection** Current state of the activity history collection setting. -- **AdvertisingId** Current state of the advertising ID setting. -- **AppDiagnostics** Current state of the app diagnostics setting. -- **Appointments** Current state of the calendar setting. -- **Bluetooth** Current state of the Bluetooth capability setting. -- **BluetoothSync** Current state of the Bluetooth sync capability setting. -- **BroadFileSystemAccess** Current state of the broad file system access setting. -- **CellularData** Current state of the cellular data capability setting. -- **Chat** Current state of the chat setting. -- **Contacts** Current state of the contacts setting. -- **DocumentsLibrary** Current state of the documents library setting. -- **Email** Current state of the email setting. -- **GazeInput** Current state of the gaze input setting. -- **HumanInterfaceDevice** Current state of the human interface device setting. -- **InkTypeImprovement** Current state of the improve inking and typing setting. -- **InkTypePersonalization** Current state of the inking and typing personalization setting. -- **Location** Current state of the location setting. -- **LocationHistory** Current state of the location history setting. -- **LocationHistoryCloudSync** Current state of the location history cloud synchronization setting. -- **LocationHistoryOnTimeline** Current state of the location history on timeline setting. -- **Microphone** Current state of the microphone setting. -- **PhoneCall** Current state of the phone call setting. -- **PhoneCallHistory** Current state of the call history setting. -- **PicturesLibrary** Current state of the pictures library setting. -- **Radios** Current state of the radios setting. -- **SensorsCustom** Current state of the custom sensor setting. -- **SerialCommunication** Current state of the serial communication setting. -- **Sms** Current state of the text messaging setting. -- **SpeechPersonalization** Current state of the speech services setting. -- **USB** Current state of the USB setting. -- **UserAccountInformation** Current state of the account information setting. -- **UserDataTasks** Current state of the tasks setting. -- **UserNotificationListener** Current state of the notifications setting. -- **VideosLibrary** Current state of the videos library setting. -- **Webcam** Current state of the camera setting. -- **WiFiDirect** Current state of the Wi-Fi direct setting. - - -### Census.VM - -This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date. - -The following fields are available: - -- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within. -- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor. -- **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present. -- **IsVDI** Is the device using Virtual Desktop Infrastructure? -- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors. -- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware. -- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware. - - -### Census.WU - -This event sends data about the Windows update server and other App store policies, to help keep Windows up to date. - -The following fields are available: - -- **AppraiserGatedStatus** Indicates whether a device has been gated for upgrading. -- **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled). -- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured -- **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting -- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades. -- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it? -- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update? -- **OSAssessmentForQualityUpdate** Is the device on the latest quality update? -- **OSAssessmentForSecurityUpdate** Is the device on the latest security update? -- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it? -- **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment. -- **OSRollbackCount** The number of times feature updates have rolled back on the device. -- **OSRolledBack** A flag that represents when a feature update has rolled back during setup. -- **OSUninstalled** A flag that represents when a feature update is uninstalled on a device . -- **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device. -- **OSWUAutoUpdateOptionsSource** The source of auto update setting that appears in the OSWUAutoUpdateOptions field. For example: Group Policy (GP), Mobile Device Management (MDM), and Default. -- **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently. -- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). -- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. -- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. -- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. -- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. -- **WUPauseState** Retrieves WU setting to determine if updates are paused. -- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). - - -### Census.Xbox - -This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date. - -The following fields are available: - -- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console. -- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console. -- **XboxLiveDeviceId** Retrieves the unique device ID of the console. -- **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft. - - -## Common data extensions - -### Common Data Extensions.app - -Describes the properties of the running application. This extension could be populated by a client app or a web app. - -The following fields are available: - -- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session. -- **env** The environment from which the event was logged. -- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event. -- **id** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application. -- **locale** The locale of the app. -- **name** The name of the app. -- **userId** The userID as known by the application. -- **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app. - - -### Common Data Extensions.container - -Describes the properties of the container for events logged within a container. - -The following fields are available: - -- **epoch** An ID that's incremented for each SDK initialization. -- **localId** The device ID as known by the client. -- **osVer** The operating system version. -- **seq** An ID that's incremented for each event. -- **type** The container type. Examples: Process or VMHost - - -### Common Data Extensions.cs - -Describes properties related to the schema of the event. - -The following fields are available: - -- **sig** A common schema signature that identifies new and modified event schemas. - - -### Common Data Extensions.device - -Describes the device-related fields. - -The following fields are available: - -- **deviceClass** The device classification. For example, Desktop, Server, or Mobile. -- **localId** A locally-defined unique ID for the device. This is not the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId -- **make** Device manufacturer. -- **model** Device model. - - -### Common Data Extensions.Envelope - -Represents an envelope that contains all of the common data extensions. - -The following fields are available: - -- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries. -- **data** Represents the optional unique diagnostic data for a particular event schema. -- **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp). -- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer). -- **ext_cs** Describes properties related to the schema of the event. See [Common Data Extensions.cs](#common-data-extensionscs). -- **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice). -- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos). -- **ext_receipts** Describes the fields related to time as provided by the client for debugging purposes. See [Common Data Extensions.receipts](#common-data-extensionsreceipts). -- **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk). -- **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser). -- **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc). -- **ext_xbl** Describes the fields related to XBOX Live. See [Common Data Extensions.xbl](#common-data-extensionsxbl). -- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency. -- **iKey** Represents an ID for applications or other logical groupings of events. -- **name** Represents the uniquely qualified name for the event. -- **popSample** Represents the effective sample rate for this event at the time it was generated by a client. -- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format. -- **ver** Represents the major and minor version of the extension. - - -### Common Data Extensions.os - -Describes some properties of the operating system. - -The following fields are available: - -- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot. -- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema. -- **locale** Represents the locale of the operating system. -- **name** Represents the operating system name. -- **ver** Represents the major and minor version of the extension. - - -### Common Data Extensions.receipts - -Represents various time information as provided by the client and helps for debugging purposes. - -The following fields are available: - -- **originalTime** The original event time. -- **uploadTime** The time the event was uploaded. - - -### Common Data Extensions.sdk - -Used by platform specific libraries to record fields that are required for a specific SDK. - -The following fields are available: - -- **epoch** An ID that is incremented for each SDK initialization. -- **installId** An ID that's created during the initialization of the SDK for the first time. -- **libVer** The SDK version. -- **seq** An ID that is incremented for each event. - - -### Common Data Extensions.user - -Describes the fields related to a user. - -The following fields are available: - -- **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token. -- **locale** The language and region. -- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID. - - -### Common Data Extensions.utc - -Describes the properties that could be populated by a logging library on Windows. - -The following fields are available: - -- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW. -- **bSeq** Upload buffer sequence number in the format: buffer identifier:sequence number -- **cat** Represents a bitmask of the ETW Keywords associated with the event. -- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer. -- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server. -- **flags** Represents the bitmap that captures various Windows specific flags. -- **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence -- **op** Represents the ETW Op Code. -- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. -- **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server. -- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. - - -### Common Data Extensions.xbl - -Describes the fields that are related to XBOX Live. - -The following fields are available: - -- **claims** Any additional claims whose short claim name hasn't been added to this structure. -- **did** XBOX device ID -- **dty** XBOX device type -- **dvr** The version of the operating system on the device. -- **eid** A unique ID that represents the developer entity. -- **exp** Expiration time -- **ip** The IP address of the client device. -- **nbf** Not before time -- **pid** A comma separated list of PUIDs listed as base10 numbers. -- **sbx** XBOX sandbox identifier -- **sid** The service instance ID. -- **sty** The service type. -- **tid** The XBOX Live title ID. -- **tvr** The XBOX Live title version. -- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. -- **xid** A list of base10-encoded XBOX User IDs. - - -## Common data fields - -### Ms.Device.DeviceInventoryChange - -Describes the installation state for all hardware and software components available on a particular device. - -The following fields are available: - -- **action** The change that was invoked on a device inventory object. -- **inventoryId** Device ID used for Compatibility testing -- **objectInstanceId** Object identity which is unique within the device scope. -- **objectType** Indicates the object type that the event applies to. -- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. - - -## Compatibility events - -### Microsoft.Windows.Compatibility.Apphelp.SdbFix - -Product instrumentation for helping debug/troubleshoot issues with inbox compatibility components. - -The following fields are available: - -- **AppName** Name of the application impacted by SDB. -- **FixID** SDB GUID. -- **Flags** List of flags applied. -- **ImageName** Name of file. - - -## Component-based servicing events - -### CbsServicingProvider.CbsCapabilityEnumeration - -This event reports on the results of scanning for optional Windows content on Windows Update. - -The following fields are available: - -- **architecture** Indicates the scan was limited to the specified architecture. -- **capabilityCount** The number of optional content packages found during the scan. -- **clientId** The name of the application requesting the optional content. -- **duration** The amount of time it took to complete the scan. -- **hrStatus** The HReturn code of the scan. -- **language** Indicates the scan was limited to the specified language. -- **majorVersion** Indicates the scan was limited to the specified major version. -- **minorVersion** Indicates the scan was limited to the specified minor version. -- **namespace** Indicates the scan was limited to packages in the specified namespace. -- **sourceFilter** A bitmask indicating the scan checked for locally available optional content. -- **stackBuild** The build number of the servicing stack. -- **stackMajorVersion** The major version number of the servicing stack. -- **stackMinorVersion** The minor version number of the servicing stack. -- **stackRevision** The revision number of the servicing stack. - - -### CbsServicingProvider.CbsCapabilitySessionFinalize - -This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. - -The following fields are available: - -- **capabilities** The names of the optional content packages that were installed. -- **clientId** The name of the application requesting the optional content. -- **currentID** The ID of the current install session. -- **downloadSource** The source of the download. -- **highestState** The highest final install state of the optional content. -- **hrLCUReservicingStatus** Indicates whether the optional content was updated to the latest available version. -- **hrStatus** The HReturn code of the install operation. -- **rebootCount** The number of reboots required to complete the install. -- **retryID** The session ID that will be used to retry a failed operation. -- **retryStatus** Indicates whether the install will be retried in the event of failure. -- **stackBuild** The build number of the servicing stack. -- **stackMajorVersion** The major version number of the servicing stack. -- **stackMinorVersion** The minor version number of the servicing stack. -- **stackRevision** The revision number of the servicing stack. - - -### CbsServicingProvider.CbsCapabilitySessionPended - -This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date. - -The following fields are available: - -- **clientId** The name of the application requesting the optional content. -- **pendingDecision** Indicates the cause of reboot, if applicable. - - -### CbsServicingProvider.CbsLateAcquisition - -This event sends data to indicate if some Operating System packages could not be updated as part of an upgrade, to help keep Windows up to date. - -The following fields are available: - -- **Features** The list of feature packages that could not be updated. -- **RetryID** The ID identifying the retry attempt to update the listed packages. - - -### CbsServicingProvider.CbsPackageRemoval - -This event provides information about the results of uninstalling a Windows Cumulative Security Update to help keep Windows up to date. - -The following fields are available: - -- **buildVersion** The build number of the security update being uninstalled. -- **clientId** The name of the application requesting the uninstall. -- **currentStateEnd** The final state of the update after the operation. -- **failureDetails** Information about the cause of a failure, if applicable. -- **failureSourceEnd** The stage during the uninstall where the failure occurred. -- **hrStatusEnd** The overall exit code of the operation. -- **initiatedOffline** Indicates if the uninstall was initiated for a mounted Windows image. -- **majorVersion** The major version number of the security update being uninstalled. -- **minorVersion** The minor version number of the security update being uninstalled. -- **originalState** The starting state of the update before the operation. -- **pendingDecision** Indicates the cause of reboot, if applicable. -- **primitiveExecutionContext** The state during system startup when the uninstall was completed. -- **revisionVersion** The revision number of the security update being uninstalled. -- **transactionCanceled** Indicates whether the uninstall was cancelled. - - -### CbsServicingProvider.CbsQualityUpdateInstall - -This event reports on the performance and reliability results of installing Servicing content from Windows Update to keep Windows up to date. - -The following fields are available: - -- **buildVersion** The build version number of the update package. -- **clientId** The name of the application requesting the optional content. -- **corruptionHistoryFlags** A bitmask of the types of component store corruption that have caused update failures on the device. -- **corruptionType** An enumeration listing the type of data corruption responsible for the current update failure. -- **currentStateEnd** The final state of the package after the operation has completed. -- **doqTimeSeconds** The time in seconds spent updating drivers. -- **executeTimeSeconds** The number of seconds required to execute the install. -- **failureDetails** The driver or installer that caused the update to fail. -- **failureSourceEnd** An enumeration indicating at what phase of the update a failure occurred. -- **hrStatusEnd** The return code of the install operation. -- **initiatedOffline** A true or false value indicating whether the package was installed into an offline Windows Imaging Format (WIM) file. -- **majorVersion** The major version number of the update package. -- **minorVersion** The minor version number of the update package. -- **originalState** The starting state of the package. -- **overallTimeSeconds** The time (in seconds) to perform the overall servicing operation. -- **planTimeSeconds** The time in seconds required to plan the update operations. -- **poqTimeSeconds** The time in seconds processing file and registry operations. -- **postRebootTimeSeconds** The time (in seconds) to do startup processing for the update. -- **preRebootTimeSeconds** The time (in seconds) between execution of the installation and the reboot. -- **primitiveExecutionContext** An enumeration indicating at what phase of shutdown or startup the update was installed. -- **rebootCount** The number of reboots required to install the update. -- **rebootTimeSeconds** The time (in seconds) before startup processing begins for the update. -- **resolveTimeSeconds** The time in seconds required to resolve the packages that are part of the update. -- **revisionVersion** The revision version number of the update package. -- **rptTimeSeconds** The time in seconds spent executing installer plugins. -- **shutdownTimeSeconds** The time (in seconds) required to do shutdown processing for the update. -- **stackRevision** The revision number of the servicing stack. -- **stageTimeSeconds** The time (in seconds) required to stage all files that are part of the update. - - -## Deployment extensions - -### DeploymentTelemetry.Deployment_End - -This event indicates that a Deployment 360 API has completed. - -The following fields are available: - -- **ClientId** Client ID of the user utilizing the D360 API. -- **ErrorCode** Error code of action. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **Mode** Phase in upgrade. -- **RelatedCV** The correction vector (CV) of any other related events -- **Result** End result of the action. - - -### DeploymentTelemetry.Deployment_SetupBoxLaunch - -This event indicates that the Deployment 360 APIs have launched Setup Box. - -The following fields are available: - -- **ClientId** The client ID of the user utilizing the D360 API. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **Quiet** Whether Setup will run in quiet mode or full mode. -- **RelatedCV** The correlation vector (CV) of any other related events. -- **SetupMode** The current setup phase. - - -### DeploymentTelemetry.Deployment_SetupBoxResult - -This event indicates that the Deployment 360 APIs have received a return from Setup Box. - -The following fields are available: - -- **ClientId** Client ID of the user utilizing the D360 API. -- **ErrorCode** Error code of the action. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **Quiet** Indicates whether Setup will run in quiet mode or full mode. -- **RelatedCV** The correlation vector (CV) of any other related events. -- **SetupMode** The current Setup phase. - - -### DeploymentTelemetry.Deployment_Start - -This event indicates that a Deployment 360 API has been called. - -The following fields are available: - -- **ClientId** Client ID of the user utilizing the D360 API. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **Mode** The current phase of the upgrade. -- **RelatedCV** The correlation vector (CV) of any other related events. - - -## Diagnostic data events - -### TelClientSynthetic.AuthorizationInfo_RuntimeTransition - -This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. - -The following fields are available: - -- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. -- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. -- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. -- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. -- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. -- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. -- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. -- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. -- **CanReportScenarios** True if we can report scenario completions, false otherwise. -- **PreviousPermissions** Bitmask of previous telemetry state. -- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. - - -### TelClientSynthetic.AuthorizationInfo_Startup - -Fired by UTC at startup to signal what data we are allowed to collect. - -The following fields are available: - -- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. -- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. -- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. -- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. -- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. -- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. -- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. -- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. -- **CanReportScenarios** True if we can report scenario completions, false otherwise. -- **PreviousPermissions** Bitmask of previous telemetry state. -- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. - - -### TelClientSynthetic.ConnectivityHeartBeat_0 - -This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. - -The following fields are available: - -- **CensusExitCode** Returns last execution codes from census client run. -- **CensusStartTime** Returns timestamp corresponding to last successful census run. -- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. -- **LastConnectivityLossTime** Retrieves the last time the device lost free network. -- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. -- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. -- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds. - - -### TelClientSynthetic.HeartBeat_5 - -This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. - -The following fields are available: - -- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel. -- **CensusExitCode** The last exit code of the Census task. -- **CensusStartTime** Time of last Census run. -- **CensusTaskEnabled** True if Census is enabled, false otherwise. -- **CompressedBytesUploaded** Number of compressed bytes uploaded. -- **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. -- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. -- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling. -- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB. -- **DbCriticalDroppedCount** Total number of dropped critical events in event DB. -- **DbDroppedCount** Number of events dropped due to DB fullness. -- **DbDroppedFailureCount** Number of events dropped due to DB failures. -- **DbDroppedFullCount** Number of events dropped due to DB fullness. -- **DecodingDroppedCount** Number of events dropped due to decoding failures. -- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. -- **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. -- **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. -- **EventsPersistedCount** Number of events that reached the PersistEvent stage. -- **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC. -- **EventStoreResetCounter** Number of times event DB was reset. -- **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance. -- **EventSubStoreResetCounter** Number of times event DB was reset. -- **EventSubStoreResetSizeSum** Total size of event DB across all resets reports in this instance. -- **EventsUploaded** Number of events uploaded. -- **Flags** Flags indicating device state such as network state, battery state, and opt-in state. -- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. -- **HeartBeatSequenceNumber** The sequence number of this heartbeat. -- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. -- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. -- **LastEventSizeOffender** Event name of last event which exceeded max event size. -- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. -- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. -- **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. -- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). -- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. -- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. -- **SettingsHttpFailures** The number of failures from contacting the OneSettings service. -- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. -- **TopUploaderErrors** List of top errors received from the upload endpoint. -- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. -- **UploaderErrorCount** Number of errors received from the upload endpoint. -- **VortexFailuresTimeout** The number of timeout failures received from Vortex. -- **VortexHttpAttempts** Number of attempts to contact Vortex. -- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. -- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. -- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. -- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. - - -### TelClientSynthetic.HeartBeat_Aria_5 - -This event is the telemetry client ARIA heartbeat. - -The following fields are available: - -- **CompressedBytesUploaded** Number of compressed bytes uploaded. -- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. -- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. -- **DbCriticalDroppedCount** Total number of dropped critical events in event database. -- **DbDroppedCount** Number of events dropped at the database layer. -- **DbDroppedFailureCount** Number of events dropped due to database failures. -- **DbDroppedFullCount** Number of events dropped due to database being full. -- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. -- **EventsPersistedCount** Number of events that reached the PersistEvent stage. -- **EventStoreLifetimeResetCounter** Number of times the event store has been reset. -- **EventStoreResetCounter** Number of times the event store has been reset during this heartbeat. -- **EventStoreResetSizeSum** Size of event store reset in bytes. -- **EventsUploaded** Number of events uploaded. -- **HeartBeatSequenceNumber** The sequence number of this heartbeat. -- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. -- **LastEventSizeOffender** Event name of last event which exceeded max event size. -- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. -- **PreviousHeartBeatTime** The FILETIME of the previous heartbeat fire. -- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. -- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. -- **SettingsHttpFailures** Number of failures from contacting OneSettings service. -- **TopUploaderErrors** List of top errors received from the upload endpoint. -- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. -- **UploaderErrorCount** Number of errors received from the upload endpoint. -- **VortexFailuresTimeout** Number of time out failures received from Vortex. -- **VortexHttpAttempts** Number of attempts to contact Vortex. -- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. -- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. -- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. -- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. - - -### TelClientSynthetic.HeartBeat_Seville_5 - -This event is sent by the universal telemetry client (UTC) as a heartbeat signal for Sense. - -The following fields are available: - -- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host or agent channel. -- **CompressedBytesUploaded** Number of compressed bytes uploaded. -- **ConsumerDroppedCount** Number of events dropped at consumer layer of the telemetry client. -- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. -- **CriticalDataThrottleDroppedCount** Number of critical data sampled events dropped due to throttling. -- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. -- **DailyUploadQuotaInBytes** Daily upload quota for Sense in bytes (only in in-proc mode). -- **DbCriticalDroppedCount** Total number of dropped critical events in event database. -- **DbDroppedCount** Number of events dropped due to database being full. -- **DbDroppedFailureCount** Number of events dropped due to database failures. -- **DbDroppedFullCount** Number of events dropped due to database being full. -- **DecodingDroppedCount** Number of events dropped due to decoding failures. -- **DiskSizeInBytes** Size of event store for Sense in bytes (only in in-proc mode). -- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. -- **EtwDroppedBufferCount** Number of buffers dropped in the universal telemetry client (UTC) event tracing for Windows (ETW) session. -- **EtwDroppedCount** Number of events dropped at the event tracing for Windows (ETW) layer of telemetry client. -- **EventsPersistedCount** Number of events that reached the PersistEvent stage. -- **EventStoreLifetimeResetCounter** Number of times event the database was reset for the lifetime of the universal telemetry client (UTC). -- **EventStoreResetCounter** Number of times the event database was reset. -- **EventStoreResetSizeSum** Total size of the event database across all resets reports in this instance. -- **EventsUploaded** Number of events uploaded. -- **Flags** Flags indicating device state, such as network state, battery state, and opt-in state. -- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. -- **HeartBeatSequenceNumber** The sequence number of this heartbeat. -- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. -- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. -- **LastEventSizeOffender** Event name of last event which exceeded the maximum event size. -- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. -- **MaxActiveAgentConnectionCount** Maximum number of active agents during this heartbeat timeframe. -- **NormalUploadTimerMillis** Number of milliseconds between each upload of normal events for SENSE (only in in-proc mode). -- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). -- **RepeatedUploadFailureDropped** Number of events lost due to repeated failed uploaded attempts. -- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. -- **SettingsHttpFailures** Number of failures from contacting the OneSettings service. -- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. -- **TopUploaderErrors** Top uploader errors, grouped by endpoint and error type. -- **UploaderDroppedCount** Number of events dropped at the uploader layer of the telemetry client. -- **UploaderErrorCount** Number of input for the TopUploaderErrors mode estimation. -- **VortexFailuresTimeout** Number of time out failures received from Vortex. -- **VortexHttpAttempts** Number of attempts to contact Vortex. -- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. -- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. -- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. -- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. - - -## Direct to update events - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicabilityGenericFailure - -This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call. - -The following fields are available: - -- **CampaignID** ID of the campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Cleanup call. - -The following fields are available: - -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector -- **hResult** HRESULT of the failure - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupSuccess - -This event indicates that the Coordinator Cleanup call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Commit call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitSuccess - -This event indicates that the Coordinator Commit call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Download call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadIgnoredFailure - -This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Download call that will be ignored. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadSuccess - -This event indicates that the Coordinator Download call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator HandleShutdown call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinate version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownSuccess - -This event indicates that the Coordinator HandleShutdown call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Initialize call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeSuccess - -This event indicates that the Coordinator Initialize call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Install call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallIgnoredFailure - -This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Install call that will be ignored. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallSuccess - -This event indicates that the Coordinator Install call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorProgressCallBack - -This event indicates that the Coordinator's progress callback has been called. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **DeployPhase** Current Deploy Phase. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorSetCommitReadySuccess - -This event indicates that the Coordinator SetCommitReady call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiNotShown - -This event indicates that the Coordinator WaitForRebootUi call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSelection - -This event indicates that the user selected an option on the Reboot UI. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **rebootUiSelection** Selection on the Reboot UI. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSuccess - -This event indicates that the Coordinator WaitForRebootUi call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicabilityInternal call. - -The following fields are available: - -- **CampaignID** ID of the campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalSuccess - -This event indicates that the Handler CheckApplicabilityInternal call succeeded. - -The following fields are available: - -- **ApplicabilityResult** The result of the applicability check. -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilitySuccess - -This event indicates that the Handler CheckApplicability call succeeded. - -The following fields are available: - -- **ApplicabilityResult** The result code indicating whether the update is applicable. -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **CV_new** New correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionSuccess - -This event indicates that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **CheckIfCoordinatorMinApplicableVersionResult** Result of CheckIfCoordinatorMinApplicableVersion function. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Commit call. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **CV_new** New correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitSuccess - -This event indicates that the Handler Commit call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run.run -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **CV_new** New correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabFailure - -This event indicates that the Handler Download and Extract cab call failed. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **DownloadAndExtractCabFunction_failureReason** Reason why the update download and extract process failed. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabSuccess - -This event indicates that the Handler Download and Extract cab call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Download call. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadSuccess - -This event indicates that the Handler Download call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Initialize call. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extract. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeSuccess - -This event indicates that the Handler Initialize call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extraction. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Install call. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallSuccess - -This event indicates that the Coordinator Install call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadySuccess - -This event indicates that the Handler SetCommitReady call succeeded. - -The following fields are available: - -- **CampaignID** ID of the campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler WaitForRebootUi call. - -The following fields are available: - -- **CampaignID** The ID of the campaigning being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** The HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiSuccess - -This event indicates that the Handler WaitForRebootUi call succeeded. - -The following fields are available: - -- **CampaignID** ID of the campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -## DxgKernelTelemetry events - -### DxgKrnlTelemetry.GPUAdapterInventoryV2 - -This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date. - -The following fields are available: - -- **AdapterTypeValue** The numeric value indicating the type of Graphics adapter. -- **aiSeqId** The event sequence ID. -- **bootId** The system boot ID. -- **BrightnessVersionViaDDI** The version of the Display Brightness Interface. -- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. -- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). -- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). -- **DisplayAdapterLuid** The display adapter LUID. -- **DriverDate** The date of the display driver. -- **DriverRank** The rank of the display driver. -- **DriverVersion** The display driver version. -- **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store. -- **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store. -- **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store. -- **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store. -- **GPUDeviceID** The GPU device ID. -- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. -- **GPURevisionID** The GPU revision ID. -- **GPUVendorID** The GPU vendor ID. -- **InterfaceId** The GPU interface ID. -- **IsDisplayDevice** Does the GPU have displaying capabilities? -- **IsHwSchSupported** Indicates whether the adapter supports hardware scheduling. -- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? -- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? -- **IsLDA** Is the GPU comprised of Linked Display Adapters? -- **IsMiracastSupported** Does the GPU support Miracast? -- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor? -- **IsMPOSupported** Does the GPU support Multi-Plane Overlays? -- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution? -- **IsPostAdapter** Is this GPU the POST GPU in the device? -- **IsRemovable** TRUE if the adapter supports being disabled or removed. -- **IsRenderDevice** Does the GPU have rendering capabilities? -- **IsSoftwareDevice** Is this a software implementation of the GPU? -- **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store. -- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? -- **MsHybridDiscrete** Indicates whether the adapter is a discrete adapter in a hybrid configuration. -- **NumVidPnSources** The number of supported display output sources. -- **NumVidPnTargets** The number of supported display output targets. -- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes). -- **SubSystemID** The subsystem ID. -- **SubVendorID** The GPU sub vendor ID. -- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? -- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) -- **version** The event version. -- **WDDMVersion** The Windows Display Driver Model version. - - -## Failover Clustering events - -### Microsoft.Windows.Server.FailoverClusteringCritical.ClusterSummary2 - -This event returns information about how many resources and of what type are in the server cluster. This data is collected to keep Windows Server safe, secure, and up to date. The data includes information about whether hardware is configured correctly, if the software is patched correctly, and assists in preventing crashes by attributing issues (like fatal errors) to workloads and system configurations. - -The following fields are available: - -- **autoAssignSite** The cluster parameter: auto site. -- **autoBalancerLevel** The cluster parameter: auto balancer level. -- **autoBalancerMode** The cluster parameter: auto balancer mode. -- **blockCacheSize** The configured size of the block cache. -- **ClusterAdConfiguration** The ad configuration of the cluster. -- **clusterAdType** The cluster parameter: mgmt_point_type. -- **clusterDumpPolicy** The cluster configured dump policy. -- **clusterFunctionalLevel** The current cluster functional level. -- **clusterGuid** The unique identifier for the cluster. -- **clusterWitnessType** The witness type the cluster is configured for. -- **countNodesInSite** The number of nodes in the cluster. -- **crossSiteDelay** The cluster parameter: CrossSiteDelay. -- **crossSiteThreshold** The cluster parameter: CrossSiteThreshold. -- **crossSubnetDelay** The cluster parameter: CrossSubnetDelay. -- **crossSubnetThreshold** The cluster parameter: CrossSubnetThreshold. -- **csvCompatibleFilters** The cluster parameter: ClusterCsvCompatibleFilters. -- **csvIncompatibleFilters** The cluster parameter: ClusterCsvIncompatibleFilters. -- **csvResourceCount** The number of resources in the cluster. -- **currentNodeSite** The name configured for the current site for the cluster. -- **dasModeBusType** The direct storage bus type of the storage spaces. -- **downLevelNodeCount** The number of nodes in the cluster that are running down-level. -- **drainOnShutdown** Specifies whether a node should be drained when it is shut down. -- **dynamicQuorumEnabled** Specifies whether dynamic Quorum has been enabled. -- **enforcedAntiAffinity** The cluster parameter: enforced anti affinity. -- **genAppNames** The win32 service name of a clustered service. -- **genSvcNames** The command line of a clustered genapp. -- **hangRecoveryAction** The cluster parameter: hang recovery action. -- **hangTimeOut** Specifies the “hang time out” parameter for the cluster. -- **isCalabria** Specifies whether storage spaces direct is enabled. -- **isMixedMode** Identifies if the cluster is running with different version of OS for nodes. -- **isRunningDownLevel** Identifies if the current node is running down-level. -- **logLevel** Specifies the granularity that is logged in the cluster log. -- **logSize** Specifies the size of the cluster log. -- **lowerQuorumPriorityNodeId** The cluster parameter: lower quorum priority node ID. -- **minNeverPreempt** The cluster parameter: minimum never preempt. -- **minPreemptor** The cluster parameter: minimum preemptor priority. -- **netftIpsecEnabled** The parameter: netftIpsecEnabled. -- **NodeCount** The number of nodes in the cluster. -- **nodeId** The current node number in the cluster. -- **nodeResourceCounts** Specifies the number of node resources. -- **nodeResourceOnlineCounts** Specifies the number of node resources that are online. -- **numberOfSites** The number of different sites. -- **numNodesInNoSite** The number of nodes not belonging to a site. -- **plumbAllCrossSubnetRoutes** The cluster parameter: plumb all cross subnet routes. -- **preferredSite** The preferred site location. -- **privateCloudWitness** Specifies whether a private cloud witness exists for this cluster. -- **quarantineDuration** The quarantine duration. -- **quarantineThreshold** The quarantine threshold. -- **quorumArbitrationTimeout** In the event of an arbitration event, this specifies the quorum timeout period. -- **resiliencyLevel** Specifies the level of resiliency. -- **resourceCounts** Specifies the number of resources. -- **resourceTypeCounts** Specifies the number of resource types in the cluster. -- **resourceTypes** Data representative of each resource type. -- **resourceTypesPath** Data representative of the DLL path for each resource type. -- **sameSubnetDelay** The cluster parameter: same subnet delay. -- **sameSubnetThreshold** The cluster parameter: same subnet threshold. -- **secondsInMixedMode** The amount of time (in seconds) that the cluster has been in mixed mode (nodes with different operating system versions in the same cluster). -- **securityLevel** The cluster parameter: security level. -- **securityLevelForStorage** The cluster parameter: security level for storage. -- **sharedVolumeBlockCacheSize** Specifies the block cache size for shared for shared volumes. -- **shutdownTimeoutMinutes** Specifies the amount of time it takes to time out when shutting down. -- **upNodeCount** Specifies the number of nodes that are up (online). -- **useClientAccessNetworksForCsv** The cluster parameter: use client access networks for CSV. -- **vmIsolationTime** The cluster parameter: VM isolation time. -- **witnessDatabaseWriteTimeout** Specifies the timeout period for writing to the quorum witness database. - - -## Fault Reporting events - -### Microsoft.Windows.FaultReporting.AppCrashEvent - -This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event. - -The following fields are available: - -- **AppName** The name of the app that has crashed. -- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. -- **AppTimeStamp** The date/time stamp of the app. -- **AppVersion** The version of the app that has crashed. -- **ExceptionCode** The exception code returned by the process that has crashed. -- **ExceptionOffset** The address where the exception had occurred. -- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. -- **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. -- **IsFatal** True/False to indicate whether the crash resulted in process termination. -- **ModName** Exception module name (e.g. bar.dll). -- **ModTimeStamp** The date/time stamp of the module. -- **ModVersion** The version of the module that has crashed. -- **PackageFullName** Store application identity. -- **PackageRelativeAppId** Store application identity. -- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. -- **ProcessCreateTime** The time of creation of the process that has crashed. -- **ProcessId** The ID of the process that has crashed. -- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. -- **TargetAppId** The kernel reported AppId of the application being reported. -- **TargetAppVer** The specific version of the application being reported -- **TargetAsId** The sequence number for the hanging process. - - -## Feature update events - -### Microsoft.Windows.Upgrade.Uninstall.UninstallFinalizedAndRebootTriggered - -This event indicates that the uninstall was properly configured and that a system reboot was initiated. - - - -### Microsoft.Windows.Upgrade.Uninstall.UninstallGoBackButtonClicked - -This event sends basic metadata about the starting point of uninstalling a feature update, which helps ensure customers can safely revert to a well-known state if the update caused any problems. - - - -## Hang Reporting events - -### Microsoft.Windows.HangReporting.AppHangEvent - -This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. - -The following fields are available: - -- **AppName** The name of the app that has hung. -- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend. -- **AppVersion** The version of the app that has hung. -- **IsFatal** True/False based on whether the hung application caused the creation of a Fatal Hang Report. -- **PackageFullName** Store application identity. -- **PackageRelativeAppId** Store application identity. -- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. -- **ProcessCreateTime** The time of creation of the process that has hung. -- **ProcessId** The ID of the process that has hung. -- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. -- **TargetAppId** The kernel reported AppId of the application being reported. -- **TargetAppVer** The specific version of the application being reported. -- **TargetAsId** The sequence number for the hanging process. -- **TypeCode** Bitmap describing the hang type. -- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application. -- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting. -- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting. -- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package. - - -## Inventory events - -### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum - -This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. - -The following fields are available: - -- **Device** A count of device objects in cache. -- **DeviceCensus** A count of device census objects in cache. -- **DriverPackageExtended** A count of driverpackageextended objects in cache. -- **File** A count of file objects in cache. -- **FileSigningInfo** A count of file signing objects in cache. -- **Generic** A count of generic objects in cache. -- **HwItem** A count of hwitem objects in cache. -- **InventoryApplication** A count of application objects in cache. -- **InventoryApplicationAppV** A count of application AppV objects in cache. -- **InventoryApplicationDriver** A count of application driver objects in cache -- **InventoryApplicationFile** A count of application file objects in cache. -- **InventoryApplicationFramework** A count of application framework objects in cache -- **InventoryApplicationShortcut** A count of application shortcut objects in cache -- **InventoryDeviceContainer** A count of device container objects in cache. -- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache. -- **InventoryDeviceMediaClass** A count of device media objects in cache. -- **InventoryDevicePnp** A count of device Plug and Play objects in cache. -- **InventoryDeviceUsbHubClass** A count of device usb objects in cache -- **InventoryDriverBinary** A count of driver binary objects in cache. -- **InventoryDriverPackage** A count of device objects in cache. -- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache -- **InventoryMiscellaneousOfficeAddInUsage** A count of office add-in usage objects in cache. -- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache -- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache -- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache -- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache -- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache -- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache -- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache -- **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache -- **Metadata** A count of metadata objects in cache. -- **Orphan** A count of orphan file objects in cache. -- **Programs** A count of program objects in cache. - - -### Microsoft.Windows.Inventory.Core.AmiTelCacheFileInfo - -Diagnostic data about the inventory cache. - -The following fields are available: - -- **CacheFileSize** Size of the cache. -- **InventoryVersion** Inventory version of the cache. -- **TempCacheCount** Number of temp caches created. -- **TempCacheDeletedCount** Number of temp caches deleted. - - -### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions - -This event sends inventory component versions for the Device Inventory data. - -The following fields are available: - -- **aeinv** The version of the App inventory component. -- **devinv** The file version of the Device inventory component. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd - -This event sends basic metadata about an application on the system to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **HiddenArp** Indicates whether a program hides itself from showing up in ARP. -- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). -- **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 -- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. -- **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array. -- **InventoryVersion** The version of the inventory file generating the events. -- **Language** The language code of the program. -- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. -- **MsiProductCode** A GUID that describe the MSI Product. -- **Name** The name of the application. -- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. -- **PackageFullName** The package full name for a Store application. -- **ProgramInstanceId** A hash of the file IDs in an app. -- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field. -- **RootDirPath** The path to the root directory where the program was installed. -- **Source** How the program was installed (for example, ARP, MSI, Appx). -- **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp. -- **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen. -- **Version** The version number of the program. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd - -This event represents what drivers an application installs. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory component. -- **ProgramIds** The unique program identifier the driver is associated with. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync - -The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory component. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd - -This event provides the basic metadata about the frameworks an application may depend on. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **FileId** A hash that uniquely identifies a file. -- **Frameworks** The list of frameworks this file depends on. -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync - -This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove - -This event indicates that a new set of InventoryDevicePnpAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync - -This event indicates that a new set of InventoryApplicationAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd - -This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device) to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Categories** A comma separated list of functional categories in which the container belongs. -- **DiscoveryMethod** The discovery method for the device container. -- **FriendlyName** The name of the device container. -- **InventoryVersion** The version of the inventory file generating the events. -- **IsActive** Is the device connected, or has it been seen in the last 14 days? -- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link. -- **IsMachineContainer** Is the container the root device itself? -- **IsNetworked** Is this a networked device? -- **IsPaired** Does the device container require pairing? -- **Manufacturer** The manufacturer name for the device container. -- **ModelId** A unique model ID. -- **ModelName** The model name. -- **ModelNumber** The model number for the device container. -- **PrimaryCategory** The primary category for the device container. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove - -This event indicates that the InventoryDeviceContainer object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync - -This event indicates that a new set of InventoryDeviceContainerAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd - -This event retrieves information about what sensor interfaces are available on the device. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Accelerometer3D** Indicates if an Accelerator3D sensor is found. -- **ActivityDetection** Indicates if an Activity Detection sensor is found. -- **AmbientLight** Indicates if an Ambient Light sensor is found. -- **Barometer** Indicates if a Barometer sensor is found. -- **Custom** Indicates if a Custom sensor is found. -- **EnergyMeter** Indicates if an Energy sensor is found. -- **FloorElevation** Indicates if a Floor Elevation sensor is found. -- **GeomagneticOrientation** Indicates if a Geo Magnetic Orientation sensor is found. -- **GravityVector** Indicates if a Gravity Detector sensor is found. -- **Gyrometer3D** Indicates if a Gyrometer3D sensor is found. -- **Humidity** Indicates if a Humidity sensor is found. -- **InventoryVersion** The version of the inventory file generating the events. -- **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found. -- **Magnetometer3D** Indicates if a Magnetometer3D sensor is found. -- **Orientation** Indicates if an Orientation sensor is found. -- **Pedometer** Indicates if a Pedometer sensor is found. -- **Proximity** Indicates if a Proximity sensor is found. -- **RelativeOrientation** Indicates if a Relative Orientation sensor is found. -- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found. -- **Temperature** Indicates if a Temperature sensor is found. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync - -This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd - -This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **audio.captureDriver** Audio device capture driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14887.1000:hdaudio\func_01 -- **audio.renderDriver** Audio device render driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14889.1001:hdaudio\func_01 -- **Audio_CaptureDriver** The Audio device capture driver endpoint. -- **Audio_RenderDriver** The Audio device render driver endpoint. -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove - -This event indicates that the InventoryDeviceMediaClassRemove object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync - -This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd - -This event represents the basic metadata about a plug and play (PNP) device and its associated driver. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **BusReportedDescription** The description of the device reported by the bux. -- **Class** The device setup class of the driver loaded for the device. -- **ClassGuid** The device class unique identifier of the driver package loaded on the device. -- **COMPID** The list of “Compatible IDs” for this device. -- **ContainerId** The system-supplied unique identifier that specifies which group(s) the device(s) installed on the parent (main) device belong to. -- **Description** The description of the device. -- **DeviceInterfaceClasses** The device interfaces that this device implements. -- **DeviceState** Identifies the current state of the parent (main) device. -- **DriverId** The unique identifier for the installed driver. -- **DriverName** The name of the driver image file. -- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage. -- **DriverVerDate** The date associated with the driver installed on the device. -- **DriverVerVersion** The version number of the driver installed on the device. -- **Enumerator** Identifies the bus that enumerated the device. -- **ExtendedInfs** The extended INF file names. -- **HWID** A list of hardware IDs for the device. -- **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). -- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx -- **InventoryVersion** The version number of the inventory process generating the events. -- **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. -- **LowerFilters** The identifiers of the Lower filters installed for the device. -- **Manufacturer** The manufacturer of the device. -- **MatchingID** The Hardware ID or Compatible ID that Windows uses to install a device instance. -- **Model** Identifies the model of the device. -- **ParentId** The Device Instance ID of the parent of the device. -- **ProblemCode** The error code currently returned by the device, if applicable. -- **Provider** Identifies the device provider. -- **Service** The name of the device service. -- **STACKID** The list of hardware IDs for the stack. -- **UpperClassFilters** The identifiers of the Upper Class filters installed for the device. -- **UpperFilters** The identifiers of the Upper filters installed for the device. - - -### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove - -This event indicates that the InventoryDevicePnpRemove object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync - -This event indicates that a new set of InventoryDevicePnpAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd - -This event sends basic metadata about the USB hubs on the device. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. -- **TotalUserConnectablePorts** Total number of connectable USB ports. -- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync - -This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent. - - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd - -This event provides the basic metadata about driver binaries running on the system. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **DriverCheckSum** The checksum of the driver file. -- **DriverCompany** The company name that developed the driver. -- **DriverInBox** Is the driver included with the operating system? -- **DriverIsKernelMode** Is it a kernel mode driver? -- **DriverName** The file name of the driver. -- **DriverPackageStrongName** The strong name of the driver package -- **DriverSigned** The strong name of the driver package -- **DriverTimeStamp** The low 32 bits of the time stamp of the driver file. -- **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. -- **DriverVersion** The version of the driver file. -- **ImageSize** The size of the driver file. -- **Inf** The name of the INF file. -- **InventoryVersion** The version of the inventory file generating the events. -- **Product** The product name that is included in the driver file. -- **ProductVersion** The product version that is included in the driver file. -- **Service** The name of the service that is installed for the device. -- **WdfVersion** The Windows Driver Framework version. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove - -This event indicates that the InventoryDriverBinary object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync - -This event indicates that a new set of InventoryDriverBinaryAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd - -This event sends basic metadata about drive packages installed on the system to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Class** The class name for the device driver. -- **ClassGuid** The class GUID for the device driver. -- **Date** The driver package date. -- **Directory** The path to the driver package. -- **DriverInBox** Is the driver included with the operating system? -- **Inf** The INF name of the driver package. -- **InventoryVersion** The version of the inventory file generating the events. -- **Provider** The provider for the driver package. -- **SubmissionId** The HLK submission ID for the driver package. -- **Version** The version of the driver package. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove - -This event indicates that the InventoryDriverPackageRemove object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync - -This event indicates that a new set of InventoryDriverPackageAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.StartUtcJsonTrace - -This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the beginning of the event download, and that tracing should begin. - - - -### Microsoft.Windows.Inventory.Core.StopUtcJsonTrace - -This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the end of the event download, and that tracing should end. - - - -### Microsoft.Windows.Inventory.General.AppHealthStaticAdd - -This event sends details collected for a specific application on the source device. - -The following fields are available: - -- **AhaVersion** The binary version of the App Health Analyzer tool. -- **ApplicationErrors** The count of application errors from the event log. -- **Bitness** The architecture type of the application (16 Bit or 32 bit or 64 bit). -- **device_level** Various JRE/JAVA versions installed on a particular device. -- **ExtendedProperties** Attribute used for aggregating all other attributes under this event type. -- **Jar** Flag to determine if an app has a Java JAR file dependency. -- **Jre** Flag to determine if an app has JRE framework dependency. -- **Jre_version** JRE versions an app has declared framework dependency for. -- **Name** Name of the application. -- **NonDPIAware** Flag to determine if an app is non-DPI aware. -- **NumBinaries** Count of all binaries (.sys,.dll,.ini) from application install location. -- **RequiresAdmin** Flag to determine if an app requests admin privileges for execution. -- **RequiresAdminv2** Additional flag to determine if an app requests admin privileges for execution. -- **RequiresUIAccess** Flag to determine if an app is based on UI features for accessibility. -- **VB6** Flag to determine if an app is based on VB6 framework. -- **VB6v2** Additional flag to determine if an app is based on VB6 framework. -- **Version** Version of the application. -- **VersionCheck** Flag to determine if an app has a static dependency on OS version. -- **VersionCheckv2** Additional flag to determine if an app has a static dependency on OS version. - - -### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync - -This event indicates the beginning of a series of AppHealthStaticAdd events. - -The following fields are available: - -- **AllowTelemetry** Indicates the presence of the 'allowtelemetry' command line argument. -- **CommandLineArgs** Command line arguments passed when launching the App Health Analyzer executable. -- **Enhanced** Indicates the presence of the 'enhanced' command line argument. -- **StartTime** UTC date and time at which this event was sent. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd - -Provides data on the installed Office Add-ins. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AddinCLSID** The class identifier key for the Microsoft Office add-in. -- **AddInCLSID** The class identifier key for the Microsoft Office add-in. -- **AddInId** The identifier for the Microsoft Office add-in. -- **AddinType** The type of the Microsoft Office add-in. -- **BinFileTimestamp** The timestamp of the Office add-in. -- **BinFileVersion** The version of the Microsoft Office add-in. -- **Description** Description of the Microsoft Office add-in. -- **FileId** The file identifier of the Microsoft Office add-in. -- **FileSize** The file size of the Microsoft Office add-in. -- **FriendlyName** The friendly name for the Microsoft Office add-in. -- **FullPath** The full path to the Microsoft Office add-in. -- **InventoryVersion** The version of the inventory binary generating the events. -- **LoadBehavior** Integer that describes the load behavior. -- **LoadTime** Load time for the Office add-in. -- **OfficeApplication** The Microsoft Office application associated with the add-in. -- **OfficeArchitecture** The architecture of the add-in. -- **OfficeVersion** The Microsoft Office version for this add-in. -- **OutlookCrashingAddin** Indicates whether crashes have been found for this add-in. -- **ProductCompany** The name of the company associated with the Office add-in. -- **ProductName** The product name associated with the Microsoft Office add-in. -- **ProductVersion** The version associated with the Office add-in. -- **ProgramId** The unique program identifier of the Microsoft Office add-in. -- **Provider** Name of the provider for this add-in. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync - -This event indicates that a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd - -Provides data on the Office identifiers. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OAudienceData** Sub-identifier for Microsoft Office release management, identifying the pilot group for a device -- **OAudienceId** Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device -- **OMID** Identifier for the Office SQM Machine -- **OPlatform** Whether the installed Microsoft Office product is 32-bit or 64-bit -- **OTenantId** Unique GUID representing the Microsoft O365 Tenant -- **OVersion** Installed version of Microsoft Office. For example, 16.0.8602.1000 -- **OWowMID** Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft Office on 64-bit Windows) - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd - -Provides data on Office-related Internet Explorer features. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OIeFeatureAddon** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the user or by administrative group policy will also be disabled in applications that enable this feature. -- **OIeMachineLockdown** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on content loaded from the user's local machine, which helps prevent malicious behavior involving local files. -- **OIeMimeHandling** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely. Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) -- **OIeMimeSniffing** Flag indicating which Microsoft Office products have this setting enabled. Determines a file's type by examining its bit signature. Windows Internet Explorer uses this information to determine how to render the file. The FEATURE_MIME_SNIFFING feature, when enabled, allows to be set differently for each security zone by using the URLACTION_FEATURE_MIME_SNIFFING URL action flag -- **OIeNoAxInstall** Flag indicating which Microsoft Office products have this setting enabled. When a webpage attempts to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request. When a webpage tries to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request -- **OIeNoDownload** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_RESTRICT_FILEDOWNLOAD feature blocks file download requests that navigate to a resource, that display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click or key press). Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) -- **OIeObjectCaching** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_OBJECT_CACHING feature prevents webpages from accessing or instantiating ActiveX controls cached from different domains or security contexts -- **OIePasswordDisable** Flag indicating which Microsoft Office products have this setting enabled. After Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2), Internet Explorer no longer allows usernames and passwords to be specified in URLs that use the HTTP or HTTPS protocols. URLs using other protocols, such as FTP, still allow usernames and passwords -- **OIeSafeBind** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SAFE_BINDTOOBJECT feature performs additional safety checks when calling MonikerBindToObject to create and initialize Microsoft ActiveX controls. Specifically, prevent the control from being created if COMPAT_EVIL_DONT_LOAD is in the registry for the control -- **OIeSecurityBand** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled, the Information bar appears when file download or code installation is restricted -- **OIeUncSaveCheck** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_UNC_SAVEDFILECHECK feature enables the Mark of the Web (MOTW) for local files loaded from network locations that have been shared by using the Universal Naming Convention (UNC) -- **OIeValidateUrl** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_VALIDATE_NAVIGATE_URL feature control prevents Windows Internet Explorer from navigating to a badly formed URL -- **OIeWebOcPopup** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_WEBOC_POPUPMANAGEMENT feature allows applications hosting the WebBrowser Control to receive the default Internet Explorer pop-up window management behavior -- **OIeWinRestrict** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_WINDOW_RESTRICTIONS feature adds several restrictions to the size and behavior of popup windows -- **OIeZoneElevate** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_ZONE_ELEVATION feature prevents pages in one zone from navigating to pages in a higher security zone unless the navigation is generated by the user - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd - -This event provides insight data on the installed Office products - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OfficeApplication** The name of the Office application. -- **OfficeArchitecture** The bitness of the Office application. -- **OfficeVersion** The version of the Office application. -- **Value** The insights collected about this entity. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync - -This diagnostic event indicates that a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd - -Describes Office Products installed. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OC2rApps** A GUID the describes the Office Click-To-Run apps -- **OC2rSkus** Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example, Office 2016 ProPlus -- **OMsiApps** Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word -- **OProductCodes** A GUID that describes the Office MSI products - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd - -This event describes various Office settings - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **BrowserFlags** Browser flags for Office-related products -- **ExchangeProviderFlags** Provider policies for Office Exchange -- **InventoryVersion** The version of the inventory binary generating the events. -- **SharedComputerLicensing** Office shared computer licensing policies - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync - -Indicates a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd - -This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Design** Count of files with design issues found. -- **Design_x64** Count of files with 64 bit design issues found. -- **DuplicateVBA** Count of files with duplicate VBA code. -- **HasVBA** Count of files with VBA code. -- **Inaccessible** Count of files that were inaccessible for scanning. -- **InventoryVersion** The version of the inventory binary generating the events. -- **Issues** Count of files with issues detected. -- **Issues_x64** Count of files with 64-bit issues detected. -- **IssuesNone** Count of files with no issues detected. -- **IssuesNone_x64** Count of files with no 64-bit issues detected. -- **Locked** Count of files that were locked, preventing scanning. -- **NoVBA** Count of files with no VBA inside. -- **Protected** Count of files that were password protected, preventing scanning. -- **RemLimited** Count of files that require limited remediation changes. -- **RemLimited_x64** Count of files that require limited remediation changes for 64-bit issues. -- **RemSignificant** Count of files that require significant remediation changes. -- **RemSignificant_x64** Count of files that require significant remediation changes for 64-bit issues. -- **Score** Overall compatibility score calculated for scanned content. -- **Score_x64** Overall 64-bit compatibility score calculated for scanned content. -- **Total** Total number of files scanned. -- **Validation** Count of files that require additional manual validation. -- **Validation_x64** Count of files that require additional manual validation for 64-bit issues. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd - -This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Count** Count of total Microsoft Office VBA rule violations -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync - -This event indicates that a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd - -Provides data on Unified Update Platform (UUP) products and what version they are at. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Identifier** UUP identifier -- **LastActivatedVersion** Last activated version -- **PreviousVersion** Previous version -- **Source** UUP source -- **Version** UUP version - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -### Microsoft.Windows.Inventory.Indicators.Checksum - -This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events. - -The following fields are available: - -- **CensusId** A unique hardware identifier. -- **ChecksumDictionary** A count of each operating system indicator. -- **PCFP** Equivalent to the InventoryId field that is found in other core events. - - -### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd - -These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **IndicatorValue** The indicator value. -- **Value** Describes an operating system indicator that may be relevant for the device upgrade. - - -### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove - -This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync - -This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -## Kernel events - -### IO - -This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon system startup. - -The following fields are available: - -- **BytesRead** The total number of bytes read from or read by the OS upon system startup. -- **BytesWritten** The total number of bytes written to or written by the OS upon system startup. - - -### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch - -OS information collected during Boot, used to evaluate the success of the upgrade process. - -The following fields are available: - -- **BootApplicationId** This field tells us what the OS Loader Application Identifier is. -- **BootAttemptCount** The number of consecutive times the boot manager has attempted to boot into this operating system. -- **BootSequence** The current Boot ID, used to correlate events related to a particular boot session. -- **BootStatusPolicy** Identifies the applicable Boot Status Policy. -- **BootType** Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume"). -- **EventTimestamp** Seconds elapsed since an arbitrary time point. This can be used to identify the time difference in successive boot attempts being made. -- **FirmwareResetReasonEmbeddedController** Reason for system reset provided by firmware. -- **FirmwareResetReasonEmbeddedControllerAdditional** Additional information on system reset reason provided by firmware if needed. -- **FirmwareResetReasonPch** Reason for system reset provided by firmware. -- **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed. -- **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware. -- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See [IO](#io). -- **LastBootSucceeded** Flag indicating whether the last boot was successful. -- **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful. -- **MaxAbove4GbFreeRange** This field describes the largest memory range available above 4Gb. -- **MaxBelow4GbFreeRange** This field describes the largest memory range available below 4Gb. -- **MeasuredLaunchPrepared** This field tells us if the OS launch was initiated using Measured/Secure Boot over DRTM (Dynamic Root of Trust for Measurement). -- **MeasuredLaunchResume** This field tells us if Dynamic Root of Trust for Measurement (DRTM) was used when resuming from hibernation. -- **MenuPolicy** Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.). -- **RecoveryEnabled** Indicates whether recovery is enabled. -- **SecureLaunchPrepared** This field indicates if DRTM was prepared during boot. -- **TcbLaunch** Indicates whether the Trusted Computing Base was used during the boot flow. -- **UserInputTime** The amount of time the loader application spent waiting for user input. - - -## Miracast events - -### Microsoft.Windows.Cast.Miracast.MiracastSessionEnd - -This event sends data at the end of a Miracast session that helps determine RTSP related Miracast failures along with some statistics about the session - -The following fields are available: - -- **AudioChannelCount** The number of audio channels. -- **AudioSampleRate** The sample rate of audio in terms of samples per second. -- **AudioSubtype** The unique subtype identifier of the audio codec (encoding method) used for audio encoding. -- **AverageBitrate** The average video bitrate used during the Miracast session, in bits per second. -- **AverageDataRate** The average available bandwidth reported by the WiFi driver during the Miracast session, in bits per second. -- **AveragePacketSendTimeInMs** The average time required for the network to send a sample, in milliseconds. -- **ConnectorType** The type of connector used during the Miracast session. -- **EncodeAverageTimeMS** The average time to encode a frame of video, in milliseconds. -- **EncodeCount** The count of total frames encoded in the session. -- **EncodeMaxTimeMS** The maximum time to encode a frame, in milliseconds. -- **EncodeMinTimeMS** The minimum time to encode a frame, in milliseconds. -- **EncoderCreationTimeInMs** The time required to create the video encoder, in milliseconds. -- **ErrorSource** Identifies the component that encountered an error that caused a disconnect, if applicable. -- **FirstFrameTime** The time (tick count) when the first frame is sent. -- **FirstLatencyMode** The first latency mode. -- **FrameAverageTimeMS** Average time to process an entire frame, in milliseconds. -- **FrameCount** The total number of frames processed. -- **FrameMaxTimeMS** The maximum time required to process an entire frame, in milliseconds. -- **FrameMinTimeMS** The minimum time required to process an entire frame, in milliseconds. -- **Glitches** The number of frames that failed to be delivered on time. -- **HardwareCursorEnabled** Indicates if hardware cursor was enabled when the connection ended. -- **HDCPState** The state of HDCP (High-bandwidth Digital Content Protection) when the connection ended. -- **HighestBitrate** The highest video bitrate used during the Miracast session, in bits per second. -- **HighestDataRate** The highest available bandwidth reported by the WiFi driver, in bits per second. -- **LastLatencyMode** The last reported latency mode. -- **LogTimeReference** The reference time, in tick counts. -- **LowestBitrate** The lowest video bitrate used during the Miracast session, in bits per second. -- **LowestDataRate** The lowest video bitrate used during the Miracast session, in bits per second. -- **MediaErrorCode** The error code reported by the media session, if applicable. -- **MiracastEntry** The time (tick count) when the Miracast driver was first loaded. -- **MiracastM1** The time (tick count) when the M1 request was sent. -- **MiracastM2** The time (tick count) when the M2 request was sent. -- **MiracastM3** The time (tick count) when the M3 request was sent. -- **MiracastM4** The time (tick count) when the M4 request was sent. -- **MiracastM5** The time (tick count) when the M5 request was sent. -- **MiracastM6** The time (tick count) when the M6 request was sent. -- **MiracastM7** The time (tick count) when the M7 request was sent. -- **MiracastSessionState** The state of the Miracast session when the connection ended. -- **MiracastStreaming** The time (tick count) when the Miracast session first started processing frames. -- **ProfileCount** The count of profiles generated from the receiver M4 response. -- **ProfileCountAfterFiltering** The count of profiles after filtering based on available bandwidth and encoder capabilities. -- **RefreshRate** The refresh rate set on the remote display. -- **RotationSupported** Indicates if the Miracast receiver supports display rotation. -- **RTSPSessionId** The unique identifier of the RTSP session. This matches the RTSP session ID for the receiver for the same session. -- **SessionGuid** The unique identifier of to correlate various Miracast events from a session. -- **SinkHadEdid** Indicates if the Miracast receiver reported an EDID. -- **SupportMicrosoftColorSpaceConversion** Indicates whether the Microsoft color space conversion for extra color fidelity is supported by the receiver. -- **SupportsMicrosoftDiagnostics** Indicates whether the Miracast receiver supports the Microsoft Diagnostics Miracast extension. -- **SupportsMicrosoftFormatChange** Indicates whether the Miracast receiver supports the Microsoft Format Change Miracast extension. -- **SupportsMicrosoftLatencyManagement** Indicates whether the Miracast receiver supports the Microsoft Latency Management Miracast extension. -- **SupportsMicrosoftRTCP** Indicates whether the Miracast receiver supports the Microsoft RTCP Miracast extension. -- **SupportsMicrosoftVideoFormats** Indicates whether the Miracast receiver supports Microsoft video format for 3:2 resolution. -- **SupportsWiDi** Indicates whether Miracast receiver supports Intel WiDi extensions. -- **TeardownErrorCode** The error code reason for teardown provided by the receiver, if applicable. -- **TeardownErrorReason** The text string reason for teardown provided by the receiver, if applicable. -- **UIBCEndState** Indicates whether UIBC was enabled when the connection ended. -- **UIBCEverEnabled** Indicates whether UIBC was ever enabled. -- **UIBCStatus** The result code reported by the UIBC setup process. -- **VideoBitrate** The starting bitrate for the video encoder. -- **VideoCodecLevel** The encoding level used for encoding, specific to the video subtype. -- **VideoHeight** The height of encoded video frames. -- **VideoSubtype** The unique subtype identifier of the video codec (encoding method) used for video encoding. -- **VideoWidth** The width of encoded video frames. -- **WFD2Supported** Indicates if the Miracast receiver supports WFD2 protocol. - - -## OneDrive events - -### Microsoft.OneDrive.Sync.Setup.APIOperation - -This event includes basic data about install and uninstall OneDrive API operations. - -The following fields are available: - -- **APIName** The name of the API. -- **Duration** How long the operation took. -- **IsSuccess** Was the operation successful? -- **ResultCode** The result code. -- **ScenarioName** The name of the scenario. - - -### Microsoft.OneDrive.Sync.Setup.EndExperience - -This event includes a success or failure summary of the installation. - -The following fields are available: - -- **APIName** The name of the API. -- **HResult** HResult of the operation -- **IsSuccess** Whether the operation is successful or not -- **ScenarioName** The name of the scenario. - - -### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation - -This event is related to the OS version when the OS is upgraded with OneDrive installed. - -The following fields are available: - -- **CurrentOneDriveVersion** The current version of OneDrive. -- **CurrentOSBuildBranch** The current branch of the operating system. -- **CurrentOSBuildNumber** The current build number of the operating system. -- **CurrentOSVersion** The current version of the operating system. -- **HResult** The HResult of the operation. -- **SourceOSBuildBranch** The source branch of the operating system. -- **SourceOSBuildNumber** The source build number of the operating system. -- **SourceOSVersion** The source version of the operating system. - - -### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation - -This event is related to registering or unregistering the OneDrive update task. - -The following fields are available: - -- **APIName** The name of the API. -- **IsSuccess** Was the operation successful? -- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation. -- **ScenarioName** The name of the scenario. -- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation. - - -### Microsoft.OneDrive.Sync.Updater.ComponentInstallState - -This event includes basic data about the installation state of dependent OneDrive components. - -The following fields are available: - -- **ComponentName** The name of the dependent component. -- **isInstalled** Is the dependent component installed? - - -### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus - -This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken - -The following fields are available: - -- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system. -- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system. - - -### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult - -This event sends information describing the result of the update. - -The following fields are available: - -- **hr** The HResult of the operation. -- **IsLoggingEnabled** Indicates whether logging is enabled for the updater. -- **UpdaterVersion** The version of the updater. - - -### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult - -This event determines the status when downloading the OneDrive update configuration file. - -The following fields are available: - -- **hr** The HResult of the operation. - - -### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus - -This event determines the error code that was returned when verifying Internet connectivity. - -The following fields are available: - -- **winInetError** The HResult of the operation. - - -## Privacy consent logging events - -### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted - -This event is used to determine whether the user successfully completed the privacy consent experience. - -The following fields are available: - -- **presentationVersion** Which display version of the privacy consent experience the user completed -- **privacyConsentState** The current state of the privacy consent experience -- **settingsVersion** Which setting version of the privacy consent experience the user completed -- **userOobeExitReason** The exit reason of the privacy consent experience - - -### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus - -Event tells us effectiveness of new privacy experience. - -The following fields are available: - -- **isAdmin** whether the person who is logging in is an admin -- **isExistingUser** whether the account existed in a downlevel OS -- **isLaunching** Whether or not the privacy consent experience will be launched -- **isSilentElevation** whether the user has most restrictive UAC controls -- **privacyConsentState** whether the user has completed privacy experience -- **userRegionCode** The current user's region setting - - -### wilActivity - -This event provides a Windows Internal Library context used for Product and Service diagnostics. - -The following fields are available: - -- **callContext** The function where the failure occurred. -- **currentContextId** The ID of the current call context where the failure occurred. -- **currentContextMessage** The message of the current call context where the failure occurred. -- **currentContextName** The name of the current call context where the failure occurred. -- **failureCount** The number of failures for this failure ID. -- **failureId** The ID of the failure that occurred. -- **failureType** The type of the failure that occurred. -- **fileName** The file name where the failure occurred. -- **function** The function where the failure occurred. -- **hresult** The HResult of the overall activity. -- **lineNumber** The line number where the failure occurred. -- **message** The message of the failure that occurred. -- **module** The module where the failure occurred. -- **originatingContextId** The ID of the originating call context that resulted in the failure. -- **originatingContextMessage** The message of the originating call context that resulted in the failure. -- **originatingContextName** The name of the originating call context that resulted in the failure. -- **threadId** The ID of the thread on which the activity is executing. - - -## Sediment events - -### Microsoft.Windows.Sediment.Info.DetailedState - -This event is sent when detailed state information is needed from an update trial run. - -The following fields are available: - -- **Data** Data relevant to the state, such as what percent of disk space the directory takes up. -- **Id** Identifies the trial being run, such as a disk related trial. -- **ReleaseVer** The version of the component. -- **State** The state of the reporting data from the trial, such as the top-level directory analysis. -- **Time** The time the event was fired. - - -### Microsoft.Windows.Sediment.Info.Error - -This event indicates an error in the updater payload. This information assists in keeping Windows up to date. - -The following fields are available: - -- **FailureType** The type of error encountered. -- **FileName** The code file in which the error occurred. -- **HResult** The failure error code. -- **LineNumber** The line number in the code file at which the error occurred. -- **ReleaseVer** The version information for the component in which the error occurred. -- **Time** The system time at which the error occurred. - - -### Microsoft.Windows.Sediment.Info.PhaseChange - -The event indicates progress made by the updater. This information assists in keeping Windows up to date. - -The following fields are available: - -- **NewPhase** The phase of progress made. -- **ReleaseVer** The version information for the component in which the change occurred. -- **Time** The system time at which the phase chance occurred. - - -## Setup events - -### SetupPlatformTel.SetupPlatformTelActivityEvent - -This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date. - -The following fields are available: - -- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. -- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. -- **Value** Value associated with the corresponding event name. For example, time-related events will include the system time - - -### SetupPlatformTel.SetupPlatformTelActivityStarted - -This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. - -The following fields are available: - -- **Name** The name of the dynamic update type. Example: GDR driver - - -### SetupPlatformTel.SetupPlatformTelActivityStopped - -This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. - - - -### SetupPlatformTel.SetupPlatformTelEvent - -This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios. - -The following fields are available: - -- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. -- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. -- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. - - -## Software update events - -### SoftwareUpdateClientTelemetry.CheckForUpdates - -Scan process event on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). - -The following fields are available: - -- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. -- **AllowCachedResults** Indicates if the scan allowed using cached results. -- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable -- **BiosFamily** The family of the BIOS (Basic Input Output System). -- **BiosName** The name of the device BIOS. -- **BiosReleaseDate** The release date of the device BIOS. -- **BiosSKUNumber** The sku number of the device BIOS. -- **BIOSVendor** The vendor of the BIOS. -- **BiosVersion** The version of the BIOS. -- **BranchReadinessLevel** The servicing branch configured on the device. -- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated. -- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. -- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. -- **ClientVersion** The version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0. -- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown -- **CurrentMobileOperator** The mobile operator the device is currently connected to. -- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). -- **DeferredUpdates** Update IDs which are currently being deferred until a later time -- **DeviceModel** What is the device model. -- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. -- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. -- **DriverSyncPassPerformed** Were drivers scanned this time? -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. -- **ExtendedMetadataCabUrl** Hostname that is used to download an update. -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. -- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. -- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. -- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days). -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days). -- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). -- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). -- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **IPVersion** Indicates whether the download took place over IPv4 or IPv6 -- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. -- **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. -- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce -- **MSIError** The last error that was encountered during a scan for updates. -- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 -- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete -- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked -- **NumberOfLoop** The number of round trips the scan required -- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan -- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan -- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. -- **Online** Indicates if this was an online scan. -- **PausedUpdates** A list of UpdateIds which that currently being paused. -- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window. -- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window. -- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window. -- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window. -- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced. -- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. -- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days). -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days). -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **ScanDurationInSeconds** The number of seconds a scan took -- **ScanEnqueueTime** The number of seconds it took to initialize a scan -- **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). -- **ServiceUrl** The environment URL a device is configured to scan with -- **ShippingMobileOperator** The mobile operator that a device shipped on. -- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). -- **SyncType** Describes the type of scan the event was -- **SystemBIOSMajorRelease** Major version of the BIOS. -- **SystemBIOSMinorRelease** Minor version of the BIOS. -- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. -- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. -- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - - -### SoftwareUpdateClientTelemetry.Commit - -This event tracks the commit process post the update installation when software update client is trying to update the device. - -The following fields are available: - -- **BiosFamily** Device family as defined in the system BIOS -- **BiosName** Name of the system BIOS -- **BiosReleaseDate** Release date of the system BIOS -- **BiosSKUNumber** Device SKU as defined in the system BIOS -- **BIOSVendor** Vendor of the system BIOS -- **BiosVersion** Version of the system BIOS -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRevisionNumber** Identifies the revision number of the content bundle -- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client -- **ClientVersion** Version number of the software distribution client -- **DeploymentProviderMode** The mode of operation of the update deployment provider. -- **DeviceModel** Device model as defined in the system bios -- **EventInstanceID** A globally unique identifier for event instance -- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. -- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver". -- **FlightId** The specific id of the flight the device is getting -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) -- **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) -- **SystemBIOSMajorRelease** Major release version of the system bios -- **SystemBIOSMinorRelease** Minor release version of the system bios -- **UpdateId** Identifier associated with the specific piece of content -- **WUDeviceID** Unique device id controlled by the software distribution client - - -### SoftwareUpdateClientTelemetry.Download - -Download process event for target update on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). - -The following fields are available: - -- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded. -- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload. -- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. -- **AppXDownloadScope** Indicates the scope of the download for application content. -- **AppXScope** Indicates the scope of the app download. -- **BiosFamily** The family of the BIOS (Basic Input Output System). -- **BiosName** The name of the device BIOS. -- **BiosReleaseDate** The release date of the device BIOS. -- **BiosSKUNumber** The sku number of the device BIOS. -- **BIOSVendor** The vendor of the BIOS. -- **BiosVersion** The version of the BIOS. -- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. -- **BundleId** Identifier associated with the specific content bundle. -- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. -- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). -- **CachedEngineVersion** The version of the “Self-Initiated Healing” (SIH) engine that is cached on the device, if applicable. -- **CallerApplicationName** The name provided by the application that initiated API calls into the software distribution client. -- **CbsDownloadMethod** Indicates whether the download was a full- or a partial-file download. -- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. -- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. -- **CDNId** ID which defines which CDN the software distribution client downloaded the content from. -- **ClientVersion** The version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. -- **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. -- **CurrentMobileOperator** The mobile operator the device is currently connected to. -- **DeviceModel** The model of the device. -- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. -- **DownloadProps** Information about the download operation. -- **DownloadType** Differentiates the download type of “Self-Initiated Healing” (SIH) downloads between Metadata and Payload downloads. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed. -- **EventType** Identifies the type of the event (Child, Bundle, or Driver). -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). -- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. -- **FlightId** The specific ID of the flight (pre-release build) the device is getting. -- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). -- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). -- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. -- **HostName** The hostname URL the content is downloading from. -- **IPVersion** Indicates whether the download took place over IPv4 or IPv6. -- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update -- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. -- **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. -- **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) -- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." -- **PackageFullName** The package name of the content. -- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. -- **PostDnldTime** Time (in seconds) taken to signal download completion after the last job completed downloading the payload. -- **ProcessName** The process name of the application that initiated API calls, in the event where CallerApplicationName was not provided. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background. -- **RegulationReason** The reason that the update is regulated -- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. -- **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. -- **RepeatFailCount** Indicates whether this specific content has previously failed. -- **RepeatFailFlag** Indicates whether this specific content previously failed to download. -- **RevisionNumber** The revision number of the specified piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). -- **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. -- **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. -- **SizeCalcTime** Time (in seconds) taken to calculate the total download size of the payload. -- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). -- **SystemBIOSMajorRelease** Major version of the BIOS. -- **SystemBIOSMinorRelease** Minor version of the BIOS. -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **TargetMetadataVersion** The version of the currently downloading (or most recently downloaded) package. -- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet. -- **TimeToEstablishConnection** Time (in milliseconds) it took to establish the connection prior to beginning downloaded. -- **TotalExpectedBytes** The total size (in Bytes) expected to be downloaded. -- **UpdateId** An identifier associated with the specific piece of content. -- **UpdateID** An identifier associated with the specific piece of content. -- **UpdateImportance** Indicates whether the content was marked as Important, Recommended, or Optional. -- **UsedDO** Indicates whether the download used the Delivery Optimization (DO) service. -- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive. -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - - -### SoftwareUpdateClientTelemetry.DownloadCheckpoint - -This event provides a checkpoint between each of the Windows Update download phases for UUP content - -The following fields are available: - -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client -- **ClientVersion** The version number of the software distribution client -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed -- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver" -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough -- **FileId** A hash that uniquely identifies a file -- **FileName** Name of the downloaded file -- **FlightId** The unique identifier for each flight -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **RevisionNumber** Unique revision number of Update -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.) -- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult) -- **UpdateId** Unique Update ID -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue - - -### SoftwareUpdateClientTelemetry.DownloadHeartbeat - -This event allows tracking of ongoing downloads and contains data to explain the current state of the download - -The following fields are available: - -- **BytesTotal** Total bytes to transfer for this content -- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat -- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client -- **ClientVersion** The version number of the software distribution client -- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat -- **CurrentError** Last (transient) error encountered by the active download -- **DownloadFlags** Flags indicating if power state is ignored -- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing) -- **EventType** Possible values are "Child", "Bundle", or "Driver" -- **FlightId** The unique identifier for each flight -- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered" -- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any -- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any -- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) -- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one -- **ResumeCount** Number of times this active download has resumed from a suspended state -- **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) -- **SuspendCount** Number of times this active download has entered a suspended state -- **SuspendReason** Last reason for why this active download entered a suspended state -- **UpdateId** Identifier associated with the specific piece of content -- **WUDeviceID** Unique device id controlled by the software distribution client - - -### SoftwareUpdateClientTelemetry.Install - -This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date. - -The following fields are available: - -- **BiosFamily** The family of the BIOS (Basic Input Output System). -- **BiosName** The name of the device BIOS. -- **BiosReleaseDate** The release date of the device BIOS. -- **BiosSKUNumber** The sku number of the device BIOS. -- **BIOSVendor** The vendor of the BIOS. -- **BiosVersion** The version of the BIOS. -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. -- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to install. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **ClientVersion** The version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0. -- **CSIErrorType** The stage of CBS installation where it failed. -- **CurrentMobileOperator** The mobile operator to which the device is currently connected. -- **DeploymentProviderMode** The mode of operation of the update deployment provider. -- **DeviceModel** The device model. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. -- **EventType** Possible values are Child, Bundle, or Driver. -- **ExtendedErrorCode** The extended error code. -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBranch** The branch that a device is on if participating in the Windows Insider Program. -- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **FlightRing** The ring that a device is on if participating in the Windows Insider Program. -- **HandlerType** Indicates what kind of content is being installed (for example, app, driver, Windows update). -- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. -- **InstallProps** A bitmask for future flags associated with the install operation. No value is currently reported in this field. Expected value for this field is 0. -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **IsDependentSet** Indicates whether the driver is part of a larger System Hardware/Firmware update. -- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. -- **IsFirmware** Indicates whether this update is a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. -- **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. -- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. -- **MsiAction** The stage of MSI installation where it failed. -- **MsiProductCode** The unique identifier of the MSI installer. -- **PackageFullName** The package name of the content being installed. -- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced. -- **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. -- **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. -- **RevisionNumber** The revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). -- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. -- **ShippingMobileOperator** The mobile operator that a device shipped on. -- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). -- **SystemBIOSMajorRelease** Major version of the BIOS. -- **SystemBIOSMinorRelease** Minor version of the BIOS. -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **TransactionCode** The ID that represents a given MSI installation. -- **UpdateId** Unique update ID. -- **UpdateID** An identifier associated with the specific piece of content. -- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. -- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive. -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - - -### SoftwareUpdateClientTelemetry.Revert - -Revert event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). - -The following fields are available: - -- **BundleId** Identifier associated with the specific content bundle. Should not be all zeros if the BundleId was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **CSIErrorType** Stage of CBS installation that failed. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). -- **EventType** Event type (Child, Bundle, Release, or Driver). -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of the flight. -- **FlightId** The specific ID of the flight the device is getting. -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). -- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. -- **IsFirmware** Indicates whether an update was a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. -- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **UpdateId** The identifier associated with the specific piece of content. -- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). -- **UsedSystemVolume** Indicates whether the device's main system storage drive or an alternate storage drive was used. -- **WUDeviceID** Unique device ID controlled by the software distribution client. - - -### SoftwareUpdateClientTelemetry.TaskRun - -Start event for Server Initiated Healing client. See EventScenario field for specifics (for example, started/completed). - -The following fields are available: - -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClientVersion** Version number of the software distribution client. -- **CmdLineArgs** Command line arguments passed in by the caller. -- **EventInstanceID** A globally unique identifier for the event instance. -- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **WUDeviceID** Unique device ID controlled by the software distribution client. - - -### SoftwareUpdateClientTelemetry.Uninstall - -Uninstall event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). - -The following fields are available: - -- **BundleId** The identifier associated with the specific content bundle. This should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** Name of the application making the Windows Update request. Used to identify context of request. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers when a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of the event (a scan started, succeded, failed, etc.). -- **EventType** Indicates the event type. Possible values are "Child", "Bundle", "Release" or "Driver". -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of the flight. -- **FlightId** The specific ID of the flight the device is getting. -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). -- **HardwareId** If the download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. -- **IsFirmware** Indicates whether an update was a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. -- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific piece of content previously failed. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **UpdateId** Identifier associated with the specific piece of content. -- **UpdateImportance** Indicates the importance of a driver and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). -- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. -- **WUDeviceID** Unique device ID controlled by the software distribution client. - - -### SoftwareUpdateClientTelemetry.UpdateDetected - -This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates. - -The following fields are available: - -- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable. -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). -- **WUDeviceID** The unique device ID controlled by the software distribution client. - - -### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity - -Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. - -The following fields are available: - -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments. -- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed. -- **ExtendedStatusCode** The secondary status code of the event. -- **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed. -- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. -- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce -- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID). -- **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable. -- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. -- **RevisionId** The revision ID for a specific piece of content. -- **RevisionNumber** The revision number for a specific piece of content. -- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store -- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. -- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. -- **SHA256OfTimestampToken** An encoded string of the timestamp token. -- **SignatureAlgorithm** The hash algorithm for the metadata signature. -- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast -- **StatusCode** The status code of the event. -- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token. -- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed. -- **UpdateId** The update ID for a specific piece of content. -- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. - - -## System Resource Usage Monitor events - -### Microsoft.Windows.Srum.Sdp.CpuUsage - -This event provides information on CPU usage. - -The following fields are available: - -- **UsageMax** The maximum of hourly average CPU usage. -- **UsageMean** The mean of hourly average CPU usage. -- **UsageMedian** The median of hourly average CPU usage. -- **UsageTwoHourMaxMean** The mean of the maximum of every two hour of hourly average CPU usage. -- **UsageTwoHourMedianMean** The mean of the median of every two hour of hourly average CPU usage. - - -### Microsoft.Windows.Srum.Sdp.NetworkUsage - -This event provides information on network usage. - -The following fields are available: - -- **AdapterGuid** The unique ID of the adapter. -- **BytesTotalMax** The maximum of the hourly average bytes total. -- **BytesTotalMean** The mean of the hourly average bytes total. -- **BytesTotalMedian** The median of the hourly average bytes total. -- **BytesTotalTwoHourMaxMean** The mean of the maximum of every two hours of hourly average bytes total. -- **BytesTotalTwoHourMedianMean** The mean of the median of every two hour of hourly average bytes total. -- **LinkSpeed** The adapter link speed. - - -## Update events - -### Update360Telemetry.Revert - -This event sends data relating to the Revert phase of updating Windows. - -The following fields are available: - -- **ErrorCode** The error code returned for the Revert phase. -- **FlightId** Unique ID for the flight (test instance version). -- **ObjectId** The unique value for each Update Agent mode. -- **RebootRequired** Indicates reboot is required. -- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. -- **Result** The HResult of the event. -- **RevertResult** The result code returned for the Revert operation. -- **ScenarioId** The ID of the update scenario. -- **SessionId** The ID of the update attempt. -- **UpdateId** The ID of the update. - - -### Update360Telemetry.UpdateAgentCommit - -This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **ErrorCode** The error code returned for the current install phase. -- **FlightId** Unique ID for each flight. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** Outcome of the install phase of the update. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentDownloadRequest - -This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. - -The following fields are available: - -- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted. -- **DownloadRequests** Number of times a download was retried. -- **ErrorCode** The error code returned for the current download request phase. -- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. -- **FlightId** Unique ID for each flight. -- **InternalFailureResult** Indicates a non-fatal error from a plugin. -- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). -- **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable. -- **PackageCountOptional** Number of optional packages requested. -- **PackageCountRequired** Number of required packages requested. -- **PackageCountTotal** Total number of packages needed. -- **PackageCountTotalCanonical** Total number of canonical packages. -- **PackageCountTotalDiff** Total number of diff packages. -- **PackageCountTotalExpress** Total number of express packages. -- **PackageExpressType** Type of express package. -- **PackageSizeCanonical** Size of canonical packages in bytes. -- **PackageSizeDiff** Size of diff packages in bytes. -- **PackageSizeExpress** Size of express packages in bytes. -- **RangeRequestState** Indicates the range request type used. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** Outcome of the download request phase of update. -- **SandboxTaggedForReserves** The sandbox for reserves. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases). -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentExpand - -This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **ElapsedTickCount** Time taken for expand phase. -- **EndFreeSpace** Free space after expand phase. -- **EndSandboxSize** Sandbox size after expand phase. -- **ErrorCode** The error code returned for the current install phase. -- **FlightId** Unique ID for each flight. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **StartFreeSpace** Free space before expand phase. -- **StartSandboxSize** Sandbox size after expand phase. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentFellBackToCanonical - -This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **FlightId** Unique ID for each flight. -- **ObjectId** Unique value for each Update Agent mode. -- **PackageCount** Number of packages that feel back to canonical. -- **PackageList** PackageIds which fell back to canonical. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentInitialize - -This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. - -The following fields are available: - -- **ErrorCode** The error code returned for the current install phase. -- **FlightId** Unique ID for each flight. -- **FlightMetadata** Contains the FlightId and the build being flighted. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** Outcome of the install phase of the update. -- **ScenarioId** Indicates the update scenario. -- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios). -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentInstall - -This event sends data for the install phase of updating Windows. - -The following fields are available: - -- **ErrorCode** The error code returned for the current install phase. -- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. -- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). -- **InternalFailureResult** Indicates a non-fatal error from a plugin. -- **ObjectId** Correlation vector value generated from the latest USO scan. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** The result for the current install phase. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentMerge - -The UpdateAgentMerge event sends data on the merge phase when updating Windows. - -The following fields are available: - -- **ErrorCode** The error code returned for the current merge phase. -- **FlightId** Unique ID for each flight. -- **MergeId** The unique ID to join two update sessions being merged. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Related correlation vector value. -- **Result** Outcome of the merge phase of the update. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentMitigationResult - -This event sends data indicating the result of each update agent mitigation. - -The following fields are available: - -- **Applicable** Indicates whether the mitigation is applicable for the current update. -- **CommandCount** The number of command operations in the mitigation entry. -- **CustomCount** The number of custom operations in the mitigation entry. -- **FileCount** The number of file operations in the mitigation entry. -- **FlightId** Unique identifier for each flight. -- **Index** The mitigation index of this particular mitigation. -- **MitigationScenario** The update scenario in which the mitigation was executed. -- **Name** The friendly name of the mitigation. -- **ObjectId** Unique value for each Update Agent mode. -- **OperationIndex** The mitigation operation index (in the event of a failure). -- **OperationName** The friendly name of the mitigation operation (in the event of failure). -- **RegistryCount** The number of registry operations in the mitigation entry. -- **RelatedCV** The correlation vector value generated from the latest USO scan. -- **Result** The HResult of this operation. -- **ScenarioId** The update agent scenario ID. -- **SessionId** Unique value for each update attempt. -- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). -- **UpdateId** Unique ID for each Update. - - -### Update360Telemetry.UpdateAgentMitigationSummary - -This event sends a summary of all the update agent mitigations available for an this update. - -The following fields are available: - -- **Applicable** The count of mitigations that were applicable to the system and scenario. -- **Failed** The count of mitigations that failed. -- **FlightId** Unique identifier for each flight. -- **MitigationScenario** The update scenario in which the mitigations were attempted. -- **ObjectId** The unique value for each Update Agent mode. -- **RelatedCV** The correlation vector value generated from the latest USO scan. -- **Result** The HResult of this operation. -- **ScenarioId** The update agent scenario ID. -- **SessionId** Unique value for each update attempt. -- **TimeDiff** The amount of time spent performing all mitigations (in 100-nanosecond increments). -- **Total** Total number of mitigations that were available. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentModeStart - -This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. - -The following fields are available: - -- **FlightId** Unique ID for each flight. -- **Mode** Indicates the mode that has started. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. -- **Version** Version of update - - -### Update360Telemetry.UpdateAgentOneSettings - -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **Count** The count of applicable OneSettings for the device. -- **FlightId** Unique ID for the flight (test instance version). -- **ObjectId** The unique value for each Update Agent mode. -- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. -- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. -- **Result** The HResult of the event. -- **ScenarioId** The ID of the update scenario. -- **SessionId** The ID of the update attempt. -- **UpdateId** The ID of the update. -- **Values** The values sent back to the device, if applicable. - - -### Update360Telemetry.UpdateAgentPostRebootResult - -This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. - -The following fields are available: - -- **ErrorCode** The error code returned for the current post reboot phase. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **ObjectId** Unique value for each Update Agent mode. -- **PostRebootResult** Indicates the Hresult. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentReboot - -This event sends information indicating that a request has been sent to suspend an update. - -The following fields are available: - -- **ErrorCode** The error code returned for the current reboot. -- **FlightId** Unique ID for the flight (test instance version). -- **ObjectId** The unique value for each Update Agent mode. -- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. -- **Result** The HResult of the event. -- **ScenarioId** The ID of the update scenario. -- **SessionId** The ID of the update attempt. -- **UpdateId** The ID of the update. - - -### Update360Telemetry.UpdateAgentSetupBoxLaunch - -The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. - -The following fields are available: - -- **ContainsExpressPackage** Indicates whether the download package is express. -- **FlightId** Unique ID for each flight. -- **FreeSpace** Free space on OS partition. -- **InstallCount** Number of install attempts using the same sandbox. -- **ObjectId** Unique value for each Update Agent mode. -- **Quiet** Indicates whether setup is running in quiet mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **SandboxSize** Size of the sandbox. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **SetupMode** Mode of setup to be launched. -- **UpdateId** Unique ID for each Update. -- **UserSession** Indicates whether install was invoked by user actions. - - -## Update notification events - -### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat - -This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat. - -The following fields are available: - -- **CampaignConfigVersion** Configuration version for the current campaign. -- **CampaignID** Currently campaign that is running on Update Notification Pipeline (UNP). -- **ConfigCatalogVersion** Current catalog version of UNP. -- **ContentVersion** Content version for the current campaign on UNP. -- **CV** Correlation vector. -- **DetectorVersion** Most recently run detector version for the current campaign on UNP. -- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user. -- **PackageVersion** Current UNP package version. - - -## Upgrade events - -### FacilitatorTelemetry.DCATDownload - -This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **DownloadSize** Download size of payload. -- **ElapsedTime** Time taken to download payload. -- **MediaFallbackUsed** Used to determine if we used Media CompDBs to figure out package requirements for the upgrade. -- **ResultCode** Result returned by the Facilitator DCAT call. -- **Scenario** Dynamic update scenario (Image DU, or Setup DU). -- **Type** Type of package that was downloaded. -- **UpdateId** The ID of the update that was downloaded. - - -### FacilitatorTelemetry.DUDownload - -This event returns data about the download of supplemental packages critical to upgrading a device to the next version of Windows. - -The following fields are available: - -- **DownloadRequestAttributes** The attributes sent for download. -- **PackageCategoriesFailed** Lists the categories of packages that failed to download. -- **PackageCategoriesSkipped** Lists the categories of package downloads that were skipped. -- **ResultCode** The result of the event execution. -- **Scenario** Identifies the active Download scenario. -- **Url** The URL the download request was sent to. -- **Version** Identifies the version of Facilitator used. - - -### FacilitatorTelemetry.InitializeDU - -This event determines whether devices received additional or critical supplemental content during an OS upgrade. - -The following fields are available: - -- **DCATUrl** The Delivery Catalog (DCAT) URL we send the request to. -- **DownloadRequestAttributes** The attributes we send to DCAT. -- **ResultCode** The result returned from the initiation of Facilitator with the URL/attributes. -- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). -- **Url** The Delivery Catalog (DCAT) URL we send the request to. -- **Version** Version of Facilitator. - - -### Setup360Telemetry.Downlevel - -This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the downlevel OS. -- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** More detailed information about phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback). -- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors). -- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT). -- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). -- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** An ID that uniquely identifies a group of events. -- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId. - - -### Setup360Telemetry.Finalize - -This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe -- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** More detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** ID that uniquely identifies a group of events. -- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. - - -### Setup360Telemetry.OsUninstall - -This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall. - -The following fields are available: - -- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** ID that uniquely identifies a group of events. -- **WuId** Windows Update client ID. - - -### Setup360Telemetry.PostRebootInstall - -This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help keep Windows up-to-date. - -The following fields are available: - -- **ClientId** With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback -- **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled -- **TestId** A string to uniquely identify a group of events. -- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId. - - -### Setup360Telemetry.PreDownloadQuiet - -This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help keep Windows up to date. - -The following fields are available: - -- **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. -- **TestId** ID that uniquely identifies a group of events. -- **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId. - - -### Setup360Telemetry.PreDownloadUX - -This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS, to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion of the update process. - -The following fields are available: - -- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **HostOSBuildNumber** The build number of the previous operating system. -- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). -- **InstanceId** Unique GUID that identifies each instance of setuphost.exe. -- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). -- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** ID that uniquely identifies a group of events. -- **WuId** Windows Update client ID. - - -### Setup360Telemetry.PreInstallQuiet - -This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up-to-date. - -The following fields are available: - -- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe -- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. -- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT). -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** A string to uniquely identify a group of events. -- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. - - -### Setup360Telemetry.PreInstallUX - -This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process. - -The following fields are available: - -- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** A string to uniquely identify a group of events. -- **WuId** Windows Update client ID. - - -### Setup360Telemetry.Setup360 - -This event sends data about OS deployment scenarios, to help keep Windows up-to-date. - -The following fields are available: - -- **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FieldName** Retrieves the data point. -- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. -- **InstanceId** Retrieves a unique identifier for each instance of a setup session. -- **ReportId** Retrieves the report ID. -- **ScenarioId** Retrieves the deployment scenario. -- **Value** Retrieves the value associated with the corresponding FieldName. - - -### Setup360Telemetry.Setup360DynamicUpdate - -This event helps determine whether the device received supplemental content during an operating system upgrade, to help keep Windows up-to-date. - -The following fields are available: - -- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. -- **InstanceId** Retrieves a unique identifier for each instance of a setup session. -- **Operation** Facilitator’s last known operation (scan, download, etc.). -- **ReportId** ID for tying together events stream side. -- **ResultCode** Result returned for the entire setup operation. -- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). -- **ScenarioId** Identifies the update scenario. -- **TargetBranch** Branch of the target OS. -- **TargetBuild** Build of the target OS. - - -### Setup360Telemetry.Setup360MitigationResult - -This event sends data indicating the result of each setup mitigation. - -The following fields are available: - -- **Applicable** TRUE if the mitigation is applicable for the current update. -- **ClientId** In the Windows Update scenario, this is the client ID passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **CommandCount** The number of command operations in the mitigation entry. -- **CustomCount** The number of custom operations in the mitigation entry. -- **FileCount** The number of file operations in the mitigation entry. -- **FlightData** The unique identifier for each flight (test release). -- **Index** The mitigation index of this particular mitigation. -- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. -- **MitigationScenario** The update scenario in which the mitigation was executed. -- **Name** The friendly (descriptive) name of the mitigation. -- **OperationIndex** The mitigation operation index (in the event of a failure). -- **OperationName** The friendly (descriptive) name of the mitigation operation (in the event of failure). -- **RegistryCount** The number of registry operations in the mitigation entry. -- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. -- **Result** HResult of this operation. -- **ScenarioId** Setup360 flow type. -- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). - - -### Setup360Telemetry.Setup360MitigationSummary - -This event sends a summary of all the setup mitigations available for this update. - -The following fields are available: - -- **Applicable** The count of mitigations that were applicable to the system and scenario. -- **ClientId** The Windows Update client ID passed to Setup. -- **Failed** The count of mitigations that failed. -- **FlightData** The unique identifier for each flight (test release). -- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. -- **MitigationScenario** The update scenario in which the mitigations were attempted. -- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. -- **Result** HResult of this operation. -- **ScenarioId** Setup360 flow type. -- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). -- **Total** The total number of mitigations that were available. - - -### Setup360Telemetry.Setup360OneSettings - -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **ClientId** The Windows Update client ID passed to Setup. -- **Count** The count of applicable OneSettings for the device. -- **FlightData** The ID for the flight (test instance version). -- **InstanceId** The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe. -- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. -- **ReportId** The Update ID passed to Setup. -- **Result** The HResult of the event error. -- **ScenarioId** The update scenario ID. -- **Values** Values sent back to the device, if applicable. - - -### Setup360Telemetry.UnexpectedEvent - -This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date. - -The following fields are available: - -- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe -- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** A string to uniquely identify a group of events. -- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. - - -## Windows as a Service diagnostic events - -### Microsoft.Windows.WaaSMedic.SummaryEvent - -Result of the WaaSMedic operation. - -The following fields are available: - -- **callerApplication** The name of the calling application. -- **detectionSummary** Result of each applicable detection that was run. -- **featureAssessmentImpact** WaaS Assessment impact for feature updates. -- **hrEngineResult** Error code from the engine operation. -- **insufficientSessions** Device not eligible for diagnostics. -- **isInteractiveMode** The user started a run of WaaSMedic. -- **isManaged** Device is managed for updates. -- **isWUConnected** Device is connected to Windows Update. -- **noMoreActions** No more applicable diagnostics. -- **qualityAssessmentImpact** WaaS Assessment impact for quality updates. -- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on. -- **usingBackupFeatureAssessment** Relying on backup feature assessment. -- **usingBackupQualityAssessment** Relying on backup quality assessment. -- **usingCachedFeatureAssessment** WaaS Medic run did not get OS build age from the network on the previous run. -- **usingCachedQualityAssessment** WaaS Medic run did not get OS revision age from the network on the previous run. -- **versionString** Version of the WaaSMedic engine. -- **waasMedicRunMode** Indicates whether this was a background regular run of the medic or whether it was triggered by a user launching Windows Update Troubleshooter. - - -## Windows Error Reporting events - -### Microsoft.Windows.WERVertical.OSCrash - -This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. - -The following fields are available: - -- **BootId** Uint32 identifying the boot number for this device. -- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check. -- **BugCheckParameter1** Uint64 parameter providing additional information. -- **BugCheckParameter2** Uint64 parameter providing additional information. -- **BugCheckParameter3** Uint64 parameter providing additional information. -- **BugCheckParameter4** Uint64 parameter providing additional information. -- **DumpFileAttributes** Codes that identify the type of data contained in the dump file -- **DumpFileSize** Size of the dump file -- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise -- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). - - -## Windows Error Reporting MTT events - -### Microsoft.Windows.WER.MTT.Denominator - -This event provides a denominator to calculate MTTF (mean-time-to-failure) for crashes and other errors, to help keep Windows up to date. - -The following fields are available: - -- **DPRange** Maximum mean value range. -- **DPValue** Randomized bit value (0 or 1) that can be reconstituted over a large population to estimate the mean. -- **Value** Standard UTC emitted DP value structure See [Value](#value). - - -### Value - -This event returns data about Mean Time to Failure (MTTF) for Windows devices. It is the primary means of estimating reliability problems in Basic Diagnostic reporting with very strong privacy guarantees. Since Basic Diagnostic reporting does not include system up-time, and since that information is important to ensuring the safe and stable operation of Windows, the data provided by this event provides that data in a manner which does not threaten a user’s privacy. - -The following fields are available: - -- **Algorithm** The algorithm used to preserve privacy. -- **DPRange** The upper bound of the range being measured. -- **DPValue** The randomized response returned by the client. -- **Epsilon** The level of privacy to be applied. -- **HistType** The histogram type if the algorithm is a histogram algorithm. -- **PertProb** The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”. - - -## Microsoft Store events - -### Microsoft.Windows.Store.StoreActivating - -This event sends tracking data about when the Store app activation via protocol URI is in progress, to help keep Windows up to date. - - - -### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation - -This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** Number of retry attempts before it was canceled. -- **BundleId** The Item Bundle ID. -- **CategoryId** The Item Category ID. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed before this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Was this requested by a user? -- **IsMandatory** Was this a mandatory update? -- **IsRemediation** Was this a remediation install? -- **IsRestore** Is this automatically restoring a previously acquired product? -- **IsUpdate** Flag indicating if this is an update. -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The product family name of the product being installed. -- **ProductId** The identity of the package or packages being installed. -- **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled. -- **UserAttemptNumber** The total number of user attempts at installation before it was canceled. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds - -This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure. - - - -### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare - -This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure. - - - -### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation - -This event is sent when an app update or installation is canceled while in interactive mode. This can be canceled by the user or the system. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed. -- **AttemptNumber** Total number of installation attempts. -- **BundleId** The identity of the Windows Insider build that is associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Was this requested by a user? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this an automatic restore of a previously acquired product? -- **IsUpdate** Is this a product update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of all packages to be downloaded and installed. -- **PreviousHResult** The previous HResult code. -- **PreviousInstallState** Previous installation state before it was canceled. -- **ProductId** The name of the package or packages requested for installation. -- **RelatedCV** Correlation Vector of a previous performed action on this product. -- **SystemAttemptNumber** Total number of automatic attempts to install before it was canceled. -- **UserAttemptNumber** Total number of user attempts to install before it was canceled. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest - -This event is sent at the end of app installations or updates to help keep Windows up-to-date and secure. - -The following fields are available: - -- **CatalogId** The Store Product ID of the app being installed. -- **HResult** HResult code of the action being performed. -- **IsBundle** Is this a bundle? -- **PackageFamilyName** The name of the package being installed. -- **ProductId** The Store Product ID of the product being installed. -- **SkuId** Specific edition of the item being installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense - -This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set. -- **AttemptNumber** The total number of attempts to acquire this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** HResult code to show the result of the operation (success/failure). -- **IsBundle** Is this a bundle? -- **IsInteractive** Did the user initiate the installation? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this happening after a device restore? -- **IsUpdate** Is this an update? -- **PFN** Product Family Name of the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The number of attempts by the system to acquire this product. -- **UserAttemptNumber** The number of attempts by the user to acquire this product -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndDownload - -This event is sent after an app is downloaded to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. -- **AttemptNumber** Number of retry attempts before it was canceled. -- **BundleId** The identity of the Windows Insider build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **DownloadSize** The total size of the download. -- **ExtendedHResult** Any extended HResult error codes. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this initiated by the user? -- **IsMandatory** Is this a mandatory installation? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this a restore of a previously acquired product? -- **IsUpdate** Is this an update? -- **ParentBundleId** The parent bundle ID (if it's part of a bundle). -- **PFN** The Product Family Name of the app being download. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The number of attempts by the system to download. -- **UserAttemptNumber** The number of attempts by the user to download. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate - -This event is sent when an app update requires an updated Framework package and the process starts to download it. It is used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **HResult** The result code of the last action performed before this operation. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds - -This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **HResult** The result code of the last action performed before this operation. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndInstall - -This event is sent after a product has been installed to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **ExtendedHResult** The extended HResult error code. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this an interactive installation? -- **IsMandatory** Is this a mandatory installation? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this automatically restoring a previously acquired product? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** Product Family Name of the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates - -This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed. -- **IsApplicability** Is this request to only check if there are any applicable packages to install? -- **IsInteractive** Is this user requested? -- **IsOnline** Is the request doing an online check? - - -### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages - -This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The total number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of the package or packages requested for install. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData - -This event is sent after restoring user data (if any) that needs to be restored following a product install. It is used to keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. -- **AttemptNumber** The total number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of the package or packages requested for install. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of system attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare - -This event is sent after a scan for available app updates to help keep Windows up-to-date and secure. - -The following fields are available: - -- **HResult** The result code of the last action performed. - - -### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete - -This event is sent at the end of an app install or update to help keep Windows up-to-date and secure. - -The following fields are available: - -- **CatalogId** The name of the product catalog from which this app was chosen. -- **FailedRetry** Indicates whether the installation or update retry was successful. -- **HResult** The HResult code of the operation. -- **PFN** The Package Family Name of the app that is being installed or updated. -- **ProductId** The product ID of the app that is being updated or installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate - -This event is sent at the beginning of an app install or update to help keep Windows up-to-date and secure. - -The following fields are available: - -- **CatalogId** The name of the product catalog from which this app was chosen. -- **FulfillmentPluginId** The ID of the plugin needed to install the package type of the product. -- **PFN** The Package Family Name of the app that is being installed or updated. -- **PluginTelemetryData** Diagnostic information specific to the package-type plug-in. -- **ProductId** The product ID of the app that is being updated or installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest - -This event is sent when a product install or update is initiated, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **BundleId** The identity of the build associated with this product. -- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SkuId** Specific edition ID being installed. -- **VolumePath** The disk path of the installation. - - -### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation - -This event is sent when a product install or update is paused (either by a user or the system), to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The total number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The Product Full Name. -- **PreviousHResult** The result code of the last action performed before this operation. -- **PreviousInstallState** Previous state before the installation or update was paused. -- **ProductId** The Store Product ID for the product being installed. -- **RelatedCV** Correlation Vector of a previous performed action on this product. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation - -This event is sent when a product install or update is resumed (either by a user or the system), to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed before this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **IsUserRetry** Did the user initiate the retry? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of the package or packages requested for install. -- **PreviousHResult** The previous HResult error code. -- **PreviousInstallState** Previous state before the installation was paused. -- **ProductId** The Store Product ID for the product being installed. -- **RelatedCV** Correlation Vector for the original install before it was resumed. -- **ResumeClientId** The ID of the app that initiated the resume operation. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest - -This event is sent when a product install or update is resumed by a user or on installation retries, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **ProductId** The Store Product ID for the product being installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest - -This event is sent when searching for update packages to install, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **CatalogId** The Store Catalog ID for the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SkuId** Specfic edition of the app being updated. - - -### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest - -This event occurs when an update is requested for an app, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **PFamN** The name of the app that is requested for update. - - -## Windows System Kit events - -### Microsoft.Windows.Kits.WSK.WskImageCreate - -This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures. - -The following fields are available: - -- **Phase** The image creation phase. Values are “Start” or “End”. -- **WskVersion** The version of the Windows System Kit being used. - - -### Microsoft.Windows.Kits.WSK.WskImageCustomization - -This event sends simple Product and Service usage data when a user is using the Windows System Kit to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures. - -The following fields are available: - -- **CustomizationMode** Indicates the mode of the customization (new or updating). -- **CustomizationType** Indicates the type of customization (drivers or apps). -- **Mode** The mode of update to image configuration files. Values are “New” or “Update”. -- **Phase** The image creation phase. Values are “Start” or “End”. -- **Type** The type of update to image configuration files. Values are “Apps” or “Drivers”. -- **WskVersion** The version of the Windows System Kit being used. - - -### Microsoft.Windows.Kits.WSK.WskWorkspaceCreate - -This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new workspace for generating OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate workspace creation failures. - -The following fields are available: - -- **Architecture** The OS architecture that the workspace will target. Values are one of: “AMD64”, “ARM64”, “x86”, or “ARM”. -- **OsEdition** The Operating System Edition that the workspace will target. -- **Phase** The image creation phase. Values are “Start” or “End”. -- **WorkspaceArchitecture** The operating system architecture that the workspace will target. -- **WorkspaceOsEdition** The operating system edition that the workspace will target. -- **WskVersion** The version of the Windows System Kit being used. - - -## Windows Update Delivery Optimization events - -### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled - -This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **background** Is the download being done in the background? -- **bytesFromCacheServer** Bytes received from a cache host. -- **bytesFromCDN** The number of bytes received from a CDN source. -- **bytesFromGroupPeers** The number of bytes received from a peer in the same group. -- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group. -- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. -- **bytesFromPeers** The number of bytes received from a peer in the same LAN. -- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. -- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. -- **cdnIp** The IP Address of the source CDN (Content Delivery Network). -- **cdnUrl** The URL of the source CDN (Content Delivery Network). -- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. -- **errorCode** The error code that was returned. -- **experimentId** When running a test, this is used to correlate events that are part of the same test. -- **fileID** The ID of the file being downloaded. -- **gCurMemoryStreamBytes** Current usage for memory streaming. -- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. -- **isVpn** Indicates whether the device is connected to a VPN (Virtual Private Network). -- **jobID** Identifier for the Windows Update job. -- **predefinedCallerName** The name of the API Caller. -- **reasonCode** Reason the action or event occurred. -- **routeToCacheServer** The cache server setting, source, and value. -- **sessionID** The ID of the file download session. -- **updateID** The ID of the update being downloaded. -- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. - - -### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted - -This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **background** Is the download a background download? -- **bytesFromCacheServer** Bytes received from a cache host. -- **bytesFromCDN** The number of bytes received from a CDN source. -- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. -- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. -- **bytesFromLinkLocalPeers** The number of bytes received from local peers. -- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. -- **bytesFromPeers** The number of bytes received from a peer in the same LAN. -- **bytesRequested** The total number of bytes requested for download. -- **cacheServerConnectionCount** Number of connections made to cache hosts. -- **cdnConnectionCount** The total number of connections made to the CDN. -- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. -- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. -- **cdnIp** The IP address of the source CDN. -- **cdnUrl** Url of the source Content Distribution Network (CDN). -- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. -- **doErrorCode** The Delivery Optimization error code that was returned. -- **downlinkBps** The maximum measured available download bandwidth (in bytes per second). -- **downlinkUsageBps** The download speed (in bytes per second). -- **downloadMode** The download mode used for this file download session. -- **downloadModeReason** Reason for the download. -- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). -- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **fileID** The ID of the file being downloaded. -- **fileSize** The size of the file being downloaded. -- **gCurMemoryStreamBytes** Current usage for memory streaming. -- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. -- **groupConnectionCount** The total number of connections made to peers in the same group. -- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group. -- **isEncrypted** TRUE if the file is encrypted and will be decrypted after download. -- **isVpn** Is the device connected to a Virtual Private Network? -- **jobID** Identifier for the Windows Update job. -- **lanConnectionCount** The total number of connections made to peers in the same LAN. -- **linkLocalConnectionCount** The number of connections made to peers in the same Link-local network. -- **numPeers** The total number of peers used for this download. -- **numPeersLocal** The total number of local peers used for this download. -- **predefinedCallerName** The name of the API Caller. -- **restrictedUpload** Is the upload restricted? -- **routeToCacheServer** The cache server setting, source, and value. -- **sessionID** The ID of the download session. -- **totalTimeMs** Duration of the download (in seconds). -- **updateID** The ID of the update being downloaded. -- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). -- **uplinkUsageBps** The upload speed (in bytes per second). -- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. - - -### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused - -This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **background** Is the download a background download? -- **cdnUrl** The URL of the source CDN (Content Delivery Network). -- **errorCode** The error code that was returned. -- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **fileID** The ID of the file being paused. -- **isVpn** Is the device connected to a Virtual Private Network? -- **jobID** Identifier for the Windows Update job. -- **predefinedCallerName** The name of the API Caller object. -- **reasonCode** The reason for pausing the download. -- **routeToCacheServer** The cache server setting, source, and value. -- **sessionID** The ID of the download session. -- **updateID** The ID of the update being paused. - - -### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted - -This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **background** Indicates whether the download is happening in the background. -- **bytesRequested** Number of bytes requested for the download. -- **cdnUrl** The URL of the source Content Distribution Network (CDN). -- **costFlags** A set of flags representing network cost. -- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). -- **diceRoll** Random number used for determining if a client will use peering. -- **doClientVersion** The version of the Delivery Optimization client. -- **doErrorCode** The Delivery Optimization error code that was returned. -- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). -- **downloadModeReason** Reason for the download. -- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). -- **errorCode** The error code that was returned. -- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing. -- **fileID** The ID of the file being downloaded. -- **filePath** The path to where the downloaded file will be written. -- **fileSize** Total file size of the file that was downloaded. -- **fileSizeCaller** Value for total file size provided by our caller. -- **groupID** ID for the group. -- **isEncrypted** Indicates whether the download is encrypted. -- **isVpn** Indicates whether the device is connected to a Virtual Private Network. -- **jobID** The ID of the Windows Update job. -- **peerID** The ID for this delivery optimization client. -- **predefinedCallerName** Name of the API caller. -- **routeToCacheServer** Cache server setting, source, and value. -- **sessionID** The ID for the file download session. -- **setConfigs** A JSON representation of the configurations that have been set, and their sources. -- **updateID** The ID of the update being downloaded. -- **usedMemoryStream** Indicates whether the download used memory streaming. - - -### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication - -This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **cdnHeaders** The HTTP headers returned by the CDN. -- **cdnIp** The IP address of the CDN. -- **cdnUrl** The URL of the CDN. -- **errorCode** The error code that was returned. -- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered. -- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **fileID** The ID of the file being downloaded. -- **httpStatusCode** The HTTP status code returned by the CDN. -- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET -- **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.). -- **requestOffset** The byte offset within the file in the sent request. -- **requestSize** The size of the range requested from the CDN. -- **responseSize** The size of the range response received from the CDN. -- **sessionID** The ID of the download session. - - -### Microsoft.OSG.DU.DeliveryOptClient.JobError - -This event represents a Windows Update job error. It allows for investigation of top errors. - -The following fields are available: - -- **cdnIp** The IP Address of the source CDN (Content Delivery Network). -- **doErrorCode** Error code returned for delivery optimization. -- **errorCode** The error code returned. -- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **fileID** The ID of the file being downloaded. -- **jobID** The Windows Update job ID. - - -## Windows Update events - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary - -This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **activated** Whether the entire device manifest update is considered activated and in use. -- **analysisErrorCount** The number of driver packages that could not be analyzed because errors occurred during analysis. -- **flightId** Unique ID for each flight. -- **missingDriverCount** The number of driver packages delivered by the device manifest that are missing from the system. -- **missingUpdateCount** The number of updates in the device manifest that are missing from the system. -- **objectId** Unique value for each diagnostics session. -- **publishedCount** The number of drivers packages delivered by the device manifest that are published and available to be used on devices. -- **relatedCV** Correlation vector value generated from the latest USO scan. -- **scenarioId** Indicates the update scenario. -- **sessionId** Unique value for each update session. -- **summary** A summary string that contains basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match. -- **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string. -- **truncatedDeviceCount** The number of devices missing from the summary string because there is not enough room in the string. -- **truncatedDriverCount** The number of driver packages missing from the summary string because there is not enough room in the string. -- **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices. -- **updateId** The unique ID for each update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit - -This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **errorCode** The error code returned for the current session initialization. -- **flightId** The unique identifier for each flight. -- **objectId** The unique GUID for each diagnostics session. -- **relatedCV** A correlation vector value generated from the latest USO scan. -- **result** Outcome of the initialization of the session. -- **scenarioId** Identifies the Update scenario. -- **sessionId** The unique value for each update session. -- **updateId** The unique identifier for each Update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest - -This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted. -- **errorCode** The error code returned for the current session initialization. -- **flightId** The unique identifier for each flight. -- **objectId** Unique value for each Update Agent mode. -- **packageCountOptional** Number of optional packages requested. -- **packageCountRequired** Number of required packages requested. -- **packageCountTotal** Total number of packages needed. -- **packageCountTotalCanonical** Total number of canonical packages. -- **packageCountTotalDiff** Total number of diff packages. -- **packageCountTotalExpress** Total number of express packages. -- **packageSizeCanonical** Size of canonical packages in bytes. -- **packageSizeDiff** Size of diff packages in bytes. -- **packageSizeExpress** Size of express packages in bytes. -- **rangeRequestState** Represents the state of the download range request. -- **relatedCV** Correlation vector value generated from the latest USO scan. -- **result** Result of the download request phase of update. -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. -- **sessionId** Unique value for each Update Agent mode attempt. -- **updateId** Unique ID for each update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize - -This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **errorCode** The error code returned for the current session initialization. -- **flightId** The unique identifier for each flight. -- **flightMetadata** Contains the FlightId and the build being flighted. -- **objectId** Unique value for each Update Agent mode. -- **relatedCV** Correlation vector value generated from the latest USO scan. -- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled. -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. -- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios). -- **sessionId** Unique value for each Update Agent mode attempt. -- **updateId** Unique ID for each update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall - -This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **errorCode** The error code returned for the current install phase. -- **flightId** The unique identifier for each flight (pre-release builds). -- **objectId** The unique identifier for each diagnostics session. -- **relatedCV** Correlation vector value generated from the latest scan. -- **result** Outcome of the install phase of the update. -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate -- **sessionId** The unique identifier for each update session. -- **updateId** The unique identifier for each Update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart - -This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **flightId** The unique identifier for each flight (pre-release builds). -- **mode** Indicates the active Update Agent mode. -- **objectId** Unique value for each diagnostics session. -- **relatedCV** Correlation vector value generated from the latest scan. -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. -- **sessionId** The unique identifier for each update session. -- **updateId** The unique identifier for each Update. - - -### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed - -This event indicates that a notification dialog box is about to be displayed to user. - -The following fields are available: - -- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. -- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before the RebootFailed dialog box is shown. -- **DaysSinceRebootRequired** Number of days since restart was required. -- **DeviceLocalTime** The local time on the device sending the event. -- **EngagedModeLimit** The number of days to switch between DTE dialog boxes. -- **EnterAutoModeLimit** The maximum number of days for a device to enter Auto Reboot mode. -- **ETag** OneSettings versioning value. -- **IsForcedEnabled** Indicates whether Forced Reboot mode is enabled for this device. -- **IsUltimateForcedEnabled** Indicates whether Ultimate Forced Reboot mode is enabled for this device. -- **NotificationUxState** Indicates which dialog box is shown. -- **NotificationUxStateString** Indicates which dialog box is shown. -- **RebootUxState** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). -- **RebootUxStateString** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). -- **RebootVersion** Version of DTE. -- **SkipToAutoModeLimit** The minimum length of time to pass in restart pending before a device can be put into auto mode. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UtcTime** The time the dialog box notification will be displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootAcceptAutoDialog - -This event indicates that the Enhanced Engaged restart "accept automatically" dialog box was displayed. - -The following fields are available: - -- **DeviceLocalTime** The local time on the device sending the event. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the dialog box. -- **RebootVersion** Version of DTE. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that user chose on this dialog box. -- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootFirstReminderDialog - -This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed.. - -The following fields are available: - -- **DeviceLocalTime** The local time on the device sending the event. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the dialog box. -- **RebootVersion** Version of DTE. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that user chose in this dialog box. -- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog - -This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed. - -The following fields are available: - -- **DeviceLocalTime** The local time of the device sending the event. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the dialog box. -- **RebootVersion** Version of DTE. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that the user chose in this dialog box. -- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog - -This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed. - -The following fields are available: - -- **DeviceLocalTime** Time the dialog box was shown on the local device. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the dialog box. -- **RebootVersion** Version of DTE. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that user chose in this dialog box. -- **UtcTime** The time that dialog box was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderDialog - -This event returns information relating to the Enhanced Engaged reboot reminder dialog that was displayed. - -The following fields are available: - -- **DeviceLocalTime** The time at which the reboot reminder dialog was shown (based on the local device time settings). -- **ETag** The OneSettings versioning value. -- **ExitCode** Indicates how users exited the reboot reminder dialog box. -- **RebootVersion** The version of the DTE (Direct-to-Engaged). -- **UpdateId** The ID of the update that is waiting for reboot to finish installation. -- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. -- **UserResponseString** The option chosen by the user on the reboot dialog box. -- **UtcTime** The time at which the reboot reminder dialog was shown (in UTC). - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderToast - -This event indicates that the Enhanced Engaged restart reminder pop-up banner was displayed. - -The following fields are available: - -- **DeviceLocalTime** The local time on the device sending the event. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the pop-up banner. -- **RebootVersion** The version of the reboot logic. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that the user chose in the pop-up banner. -- **UtcTime** The time that the pop-up banner was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.RebootScheduled - -Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update. - -The following fields are available: - -- **activeHoursApplicable** Indicates whether an Active Hours policy is present on the device. -- **IsEnhancedEngagedReboot** Indicates whether this is an Enhanced Engaged reboot. -- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. -- **rebootOutsideOfActiveHours** Indicates whether a restart is scheduled outside of active hours. -- **rebootScheduledByUser** Indicates whether the restart was scheduled by user (if not, it was scheduled automatically). -- **rebootState** The current state of the restart. -- **rebootUsingSmartScheduler** Indicates whether the reboot is scheduled by smart scheduler. -- **revisionNumber** Revision number of the update that is getting installed with this restart. -- **scheduledRebootTime** Time of the scheduled restart. -- **scheduledRebootTimeInUTC** Time of the scheduled restart in Coordinated Universal Time. -- **updateId** ID of the update that is getting installed with this restart. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy - -This event indicates a policy is present that may restrict update activity to outside of active hours. - -The following fields are available: - -- **activeHoursEnd** The end of the active hours window. -- **activeHoursStart** The start of the active hours window. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours - -This event indicates that update activity was blocked because it is within the active hours window. - -The following fields are available: - -- **activeHoursEnd** The end of the active hours window. -- **activeHoursStart** The start of the active hours window. -- **updatePhase** The current state of the update process. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.BlockedByBatteryLevel - -This event indicates that Windows Update activity was blocked due to low battery level. - -The following fields are available: - -- **batteryLevel** The current battery charge capacity. -- **batteryLevelThreshold** The battery capacity threshold to stop update activity. -- **updatePhase** The current state of the update process. -- **wuDeviceid** Device ID. - - -### Microsoft.Windows.Update.Orchestrator.DeferRestart - -This event indicates that a restart required for installing updates was postponed. - -The following fields are available: - -- **displayNeededReason** List of reasons for needing display. -- **eventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). -- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery). -- **gameModeReason** Name of the executable that caused the game mode state check to start. -- **ignoredReason** List of reasons that were intentionally ignored. -- **IgnoreReasonsForRestart** List of reasons why restart was deferred. -- **revisionNumber** Update ID revision number. -- **systemNeededReason** List of reasons why system is needed. -- **updateId** Update ID. -- **updateScenarioType** Update session type. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.Detection - -This event indicates that a scan for a Windows Update occurred. - -The following fields are available: - -- **deferReason** The reason why the device could not check for updates. -- **detectionBlockingPolicy** The Policy that blocked detection. -- **detectionBlockreason** The reason detection did not complete. -- **detectionRetryMode** Indicates whether we will try to scan again. -- **errorCode** The error code returned for the current process. -- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. -- **flightID** The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable. -- **interactive** Indicates whether the user initiated the session. -- **networkStatus** Indicates if the device is connected to the internet. -- **revisionNumber** The Update revision number. -- **scanTriggerSource** The source of the triggered scan. -- **updateId** The unique identifier of the Update. -- **updateScenarioType** Identifies the type of update session being performed. -- **wuDeviceid** The unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.DisplayNeeded - -This event indicates the reboot was postponed due to needing a display. - -The following fields are available: - -- **displayNeededReason** Reason the display is needed. -- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. -- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. -- **revisionNumber** Revision number of the update. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. -- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue - - -### Microsoft.Windows.Update.Orchestrator.Download - -This event sends launch data for a Windows Update download to help keep Windows up to date. - -The following fields are available: - -- **deferReason** Reason for download not completing. -- **errorCode** An error code represented as a hexadecimal value. -- **eventScenario** End-to-end update session ID. -- **flightID** The specific ID of the Windows Insider build the device is getting. -- **interactive** Indicates whether the session is user initiated. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.DTUCompletedWhenWuFlightPendingCommit - -This event indicates that DTU completed installation of the electronic software delivery (ESD), when Windows Update was already in Pending Commit phase of the feature update. - -The following fields are available: - -- **wuDeviceid** Device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.DTUEnabled - -This event indicates that Inbox DTU functionality was enabled. - -The following fields are available: - -- **wuDeviceid** Device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.DTUInitiated - -This event indicates that Inbox DTU functionality was intiated. - -The following fields are available: - -- **dtuErrorCode** Return code from creating the DTU Com Server. -- **isDtuApplicable** Determination of whether DTU is applicable to the machine it is running on. -- **wuDeviceid** Device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.EscalationRiskLevels - -This event is sent during update scan, download, or install, and indicates that the device is at risk of being out-of-date. - -The following fields are available: - -- **configVersion** The escalation configuration version on the device. -- **downloadElapsedTime** Indicates how long since the download is required on device. -- **downloadRiskLevel** At-risk level of download phase. -- **installElapsedTime** Indicates how long since the install is required on device. -- **installRiskLevel** The at-risk level of install phase. -- **isSediment** Assessment of whether is device is at risk. -- **scanElapsedTime** Indicates how long since the scan is required on device. -- **scanRiskLevel** At-risk level of the scan phase. -- **wuDeviceid** Device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.FailedToAddTimeTriggerToScanTask - -This event indicated that USO failed to add a trigger time to a task. - -The following fields are available: - -- **errorCode** The Windows Update error code. -- **wuDeviceid** The Windows Update device ID. - - -### Microsoft.Windows.Update.Orchestrator.FlightInapplicable - -This event indicates that the update is no longer applicable to this device. - -The following fields are available: - -- **EventPublishedTime** Time when this event was generated. -- **flightID** The specific ID of the Windows Insider build. -- **inapplicableReason** The reason why the update is inapplicable. -- **revisionNumber** Update revision number. -- **updateId** Unique Windows Update ID. -- **updateScenarioType** Update session type. -- **UpdateStatus** Last status of update. -- **UUPFallBackConfigured** Indicates whether UUP fallback is configured. -- **wuDeviceid** Unique Device ID. - - -### Microsoft.Windows.Update.Orchestrator.InitiatingReboot - -This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date. - -The following fields are available: - -- **EventPublishedTime** Time of the event. -- **flightID** Unique update ID -- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. -- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. -- **revisionNumber** Revision number of the update. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.Install - -This event sends launch data for a Windows Update install to help keep Windows up to date. - -The following fields are available: - -- **batteryLevel** Current battery capacity in mWh or percentage left. -- **deferReason** Reason for install not completing. -- **errorCode** The error code reppresented by a hexadecimal value. -- **eventScenario** End-to-end update session ID. -- **flightID** The ID of the Windows Insider build the device is getting. -- **flightUpdate** Indicates whether the update is a Windows Insider build. -- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates. -- **IgnoreReasonsForRestart** The reason(s) a Postpone Restart command was ignored. -- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress. -- **installRebootinitiatetime** The time it took for a reboot to be attempted. -- **interactive** Identifies if session is user initiated. -- **minutesToCommit** The time it took to install updates. -- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.LowUptimes - -This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure. - -The following fields are available: - -- **availableHistoryMinutes** The number of minutes available from the local machine activity history. -- **isLowUptimeMachine** Is the machine considered low uptime or not. -- **lowUptimeMinHours** Current setting for the minimum number of hours needed to not be considered low uptime. -- **lowUptimeQueryDays** Current setting for the number of recent days to check for uptime. -- **uptimeMinutes** Number of minutes of uptime measured. -- **wuDeviceid** Unique device ID for Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection - -This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date. - -The following fields are available: - -- **externalOneshotupdate** The last time a task-triggered scan was completed. -- **interactiveOneshotupdate** The last time an interactive scan was completed. -- **oldlastscanOneshotupdate** The last time a scan completed successfully. -- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID). - - -### Microsoft.Windows.Update.Orchestrator.PreShutdownStart - -This event is generated before the shutdown and commit operations. - -The following fields are available: - -- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - - -### Microsoft.Windows.Update.Orchestrator.RebootFailed - -This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date. - -The following fields are available: - -- **batteryLevel** Current battery capacity in mWh or percentage left. -- **deferReason** Reason for install not completing. -- **EventPublishedTime** The time that the reboot failure occurred. -- **flightID** Unique update ID. -- **rebootOutsideOfActiveHours** Indicates whether a reboot was scheduled outside of active hours. -- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.RefreshSettings - -This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date. - -The following fields are available: - -- **errorCode** Hex code for the error message, to allow lookup of the specific error. -- **settingsDownloadTime** Timestamp of the last attempt to acquire settings. -- **settingsETag** Version identifier for the settings. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask - -This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date. - -The following fields are available: - -- **RebootTaskMissedTimeUTC** The time when the reboot task was scheduled to run, but did not. -- **RebootTaskNextTimeUTC** The time when the reboot task was rescheduled for. -- **RebootTaskRestoredTime** Time at which this reboot task was restored. -- **wuDeviceid** Device ID for the device on which the reboot is restored. - - -### Microsoft.Windows.Update.Orchestrator.ScanTriggered - -This event indicates that Update Orchestrator has started a scan operation. - -The following fields are available: - -- **errorCode** The error code returned for the current scan operation. -- **eventScenario** Indicates the purpose of sending this event. -- **interactive** Indicates whether the scan is interactive. -- **isDTUEnabled** Indicates whether DTU (internal abbreviation for Direct Feature Update) channel is enabled on the client system. -- **isScanPastSla** Indicates whether the SLA has elapsed for scanning. -- **isScanPastTriggerSla** Indicates whether the SLA has elapsed for triggering a scan. -- **minutesOverScanSla** Indicates how many minutes the scan exceeded the scan SLA. -- **minutesOverScanTriggerSla** Indicates how many minutes the scan exceeded the scan trigger SLA. -- **scanTriggerSource** Indicates what caused the scan. -- **updateScenarioType** The update session type. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.StickUpdate - -This event is sent when the update service orchestrator (USO) indicates the update cannot be superseded by a newer update. - -The following fields are available: - -- **updateId** Identifier associated with the specific piece of content. -- **wuDeviceid** Unique device ID controlled by the software distribution client. - - -### Microsoft.Windows.Update.Orchestrator.SystemNeeded - -This event sends data about why a device is unable to reboot, to help keep Windows up to date. - -The following fields are available: - -- **eventScenario** End-to-end update session ID. -- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. -- **revisionNumber** Update revision number. -- **systemNeededReason** List of apps or tasks that are preventing the system from restarting. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.TerminatedByActiveHours - -This event indicates that update activity was stopped due to active hours starting. - -The following fields are available: - -- **activeHoursEnd** The end of the active hours window. -- **activeHoursStart** The start of the active hours window. -- **updatePhase** The current state of the update process. -- **wuDeviceid** The device identifier. - - -### Microsoft.Windows.Update.Orchestrator.TerminatedByBatteryLevel - -This event is sent when update activity was stopped due to a low battery level. - -The following fields are available: - -- **batteryLevel** The current battery charge capacity. -- **batteryLevelThreshold** The battery capacity threshold to stop update activity. -- **updatePhase** The current state of the update process. -- **wuDeviceid** The device identifier. - - -### Microsoft.Windows.Update.Orchestrator.UnstickUpdate - -This event is sent when the update service orchestrator (USO) indicates that the update can be superseded by a newer update. - -The following fields are available: - -- **updateId** Identifier associated with the specific piece of content. -- **wuDeviceid** Unique device ID controlled by the software distribution client. - - -### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh - -This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date. - -The following fields are available: - -- **configuredPoliciescount** Number of policies on the device. -- **policiesNamevaluesource** Policy name and source of policy (group policy, MDM or flight). -- **policyCacherefreshtime** Time when policy cache was refreshed. -- **updateInstalluxsetting** Indicates whether a user has set policies via a user experience option. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired - -This event sends data about whether an update required a reboot to help keep Windows up to date. - -The following fields are available: - -- **flightID** The specific ID of the Windows Insider build the device is getting. -- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed - -This event sends information about an update that encountered problems and was not able to complete. - -The following fields are available: - -- **errorCode** The error code encountered. -- **wuDeviceid** The ID of the device in which the error occurred. - - -### Microsoft.Windows.Update.Orchestrator.UsoSession - -This event represents the state of the USO service at start and completion. - -The following fields are available: - -- **activeSessionid** A unique session GUID. -- **eventScenario** The state of the update action. -- **interactive** Is the USO session interactive? -- **lastErrorcode** The last error that was encountered. -- **lastErrorstate** The state of the update when the last error was encountered. -- **sessionType** A GUID that refers to the update session type. -- **updateScenarioType** A descriptive update session type. -- **wuDeviceid** The Windows Update device GUID. - - -### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState - -This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. - -The following fields are available: - -- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. -- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown. -- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed. -- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs. -- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode. -- **ETag** The Entity Tag that represents the OneSettings version. -- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device. -- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device. -- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending. -- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced. -- **RebootVersion** The version of the DTE (Direct-to-Engaged). -- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode. -- **UpdateId** The ID of the update that is waiting for reboot to finish installation. -- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. - - -### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded - -This event is sent when a security update has successfully completed. - -The following fields are available: - -- **UtcTime** The Coordinated Universal Time that the restart was no longer needed. - - -### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled - -This event sends basic information about scheduling an update-related reboot, to get security updates and to help keep Windows up-to-date. - -The following fields are available: - -- **activeHoursApplicable** Indicates whether Active Hours applies on this device. -- **IsEnhancedEngagedReboot** Indicates whether Enhanced reboot was enabled. -- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. -- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise. -- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically. -- **rebootState** Current state of the reboot. -- **rebootUsingSmartScheduler** Indicates that the reboot is scheduled by SmartScheduler. -- **revisionNumber** Revision number of the OS. -- **scheduledRebootTime** Time scheduled for the reboot. -- **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC. -- **updateId** Identifies which update is being scheduled. -- **wuDeviceid** The unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerScheduledTask - -This event is sent when MUSE broker schedules a task. - -The following fields are available: - -- **TaskArgument** The arguments with which the task is scheduled. -- **TaskName** Name of the task. - - -### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled - -This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date. - -The following fields are available: - -- **activeHoursApplicable** Is the restart respecting Active Hours? -- **IsEnhancedEngagedReboot** TRUE if the reboot path is Enhanced Engaged. Otherwise, FALSE. -- **rebootArgument** The arguments that are passed to the OS for the restarted. -- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours? -- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device. -- **rebootState** The state of the restart. -- **rebootUsingSmartScheduler** TRUE if the reboot should be performed by the Smart Scheduler. Otherwise, FALSE. -- **revisionNumber** The revision number of the OS being updated. -- **scheduledRebootTime** Time of the scheduled reboot -- **scheduledRebootTimeInUTC** Time of the scheduled restart, in Coordinated Universal Time. -- **updateId** The Windows Update device GUID. -- **wuDeviceid** The Windows Update device GUID. - - -## Windows Update mitigation events - -### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages - -This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates. - -The following fields are available: - -- **ClientId** The client ID used by Windows Update. -- **FlightId** The ID of each Windows Insider build the device received. -- **InstanceId** A unique device ID that identifies each update instance. -- **MitigationScenario** The update scenario in which the mitigation was executed. -- **MountedImageCount** The number of mounted images. -- **MountedImageMatches** The number of mounted image matches. -- **MountedImagesFailed** The number of mounted images that could not be removed. -- **MountedImagesRemoved** The number of mounted images that were successfully removed. -- **MountedImagesSkipped** The number of mounted images that were not found. -- **RelatedCV** The correlation vector value generated from the latest USO scan. -- **Result** HResult of this operation. -- **ScenarioId** ID indicating the mitigation scenario. -- **ScenarioSupported** Indicates whether the scenario was supported. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each Windows Update. -- **WuId** Unique ID for the Windows Update client. - - -### Mitigation360Telemetry.MitigationCustom.FixAppXReparsePoints - -This event sends data specific to the FixAppXReparsePoints mitigation used for OS updates. - -The following fields are available: - -- **ClientId** Unique identifier for each flight. -- **FlightId** Unique GUID that identifies each instances of setuphost.exe. -- **InstanceId** The update scenario in which the mitigation was executed. -- **MitigationScenario** Correlation vector value generated from the latest USO scan. -- **RelatedCV** Number of reparse points that are corrupted but we failed to fix them. -- **ReparsePointsFailed** Number of reparse points that were corrupted and were fixed by this mitigation. -- **ReparsePointsFixed** Number of reparse points that are not corrupted and no action is required. -- **ReparsePointsSkipped** HResult of this operation. -- **Result** ID indicating the mitigation scenario. -- **ScenarioId** Indicates whether the scenario was supported. -- **ScenarioSupported** Unique value for each update attempt. -- **SessionId** Unique ID for each Update. -- **UpdateId** Unique ID for the Windows Update client. -- **WuId** Unique ID for the Windows Update client. - - -### Mitigation360Telemetry.MitigationCustom.FixupEditionId - -This event sends data specific to the FixupEditionId mitigation used for OS updates. - -The following fields are available: - -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **EditionIdUpdated** Determine whether EditionId was changed. -- **FlightId** Unique identifier for each flight. -- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. -- **MitigationScenario** The update scenario in which the mitigation was executed. -- **ProductEditionId** Expected EditionId value based on GetProductInfo. -- **ProductType** Value returned by GetProductInfo. -- **RegistryEditionId** EditionId value in the registry. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** HResult of this operation. -- **ScenarioId** ID indicating the mitigation scenario. -- **ScenarioSupported** Indicates whether the scenario was supported. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. -- **WuId** Unique ID for the Windows Update client. - - -## Windows Update Reserve Manager events - -### Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment - -This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending. - -The following fields are available: - -- **FinalAdjustment** Final adjustment for the hard reserve following the addition or removal of optional content. -- **InitialAdjustment** Initial intended adjustment for the hard reserve following the addition/removal of optional content. - - -### Microsoft.Windows.UpdateReserveManager.FunctionReturnedError - -This event is sent when the Update Reserve Manager returns an error from one of its internal functions. - -The following fields are available: - -- **FailedExpression** The failed expression that was returned. -- **FailedFile** The binary file that contained the failed function. -- **FailedFunction** The name of the function that originated the failure. -- **FailedLine** The line number of the failure. -- **ReturnCode** The return code of the function. - - -### Microsoft.Windows.UpdateReserveManager.PrepareTIForReserveInitialization - -This event is sent when the Update Reserve Manager prepares the Trusted Installer to initialize reserves on the next boot. - -The following fields are available: - -- **Flags** The flags that are passed to the function to prepare the Trusted Installer for reserve initialization. - - -### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment - -This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment. - - - -### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment - -This event is sent when the Update Reserve Manager needs to adjust the size of the hard reserve after the option content is installed. - -The following fields are available: - -- **ChangeSize** The change in the hard reserve size based on the addition or removal of optional content. -- **PendingHardReserveAdjustment** The final change to the hard reserve size. -- **UpdateType** Indicates whether the change is an increase or decrease in the size of the hard reserve. - - -## Winlogon events - -### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon - -This event signals the completion of the setup process. It happens only once during the first logon. - - - -## XBOX events - -### Microsoft.Xbox.XamTelemetry.AppActivationError - -This event indicates whether the system detected an activation error in the app. - -The following fields are available: - -- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app. -- **AppId** The Xbox LIVE Title ID. -- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate. -- **Result** The HResult error. -- **UserId** The Xbox LIVE User ID (XUID). - - -### Microsoft.Xbox.XamTelemetry.AppActivity - -This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. - -The following fields are available: - -- **AppActionId** The ID of the application action. -- **AppCurrentVisibilityState** The ID of the current application visibility state. -- **AppId** The Xbox LIVE Title ID of the app. -- **AppPackageFullName** The full name of the application package. -- **AppPreviousVisibilityState** The ID of the previous application visibility state. -- **AppSessionId** The application session ID. -- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). -- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. -- **DurationMs** The amount of time (in milliseconds) since the last application state transition. -- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. -- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). -- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. -- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. -- **UserId** The XUID (Xbox User ID) of the current user. - - - +--- +description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. +title: Windows 10, version 1809 basic diagnostic events and fields (Windows 10) +keywords: privacy, telemetry +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +ms.author: brianlic +manager: dansimp +ms.collection: M365-security-compliance +ms.topic: article +audience: ITPro +ms.date: 03/12/2019 +--- + + +# Windows 10, version 1809 basic level Windows diagnostic events and fields + + **Applies to** + +- Windows 10, version 1809 + + +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. + +The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. + +Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. + +You can learn more about Windows functional and diagnostic data through these articles: + + +- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) +- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) +- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) +- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) +- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) + + + + +## Account trace logging provider events + +### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.General + +This event provides information about application properties to indicate the successful execution. + +The following fields are available: + +- **AppMode** Indicates the mode the app is being currently run around privileges. +- **ExitCode** Indicates the exit code of the app. +- **Help** Indicates if the app needs to be launched in the help mode. +- **ParseError** Indicates if there was a parse error during the execution. +- **RightsAcquired** Indicates if the right privileges were acquired for successful execution. +- **RightsWereEnabled** Indicates if the right privileges were enabled for successful execution. +- **TestMode** Indicates whether the app is being run in test mode. + + +### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.GetCount + +This event provides information about the properties of user accounts in the Administrator group. + +The following fields are available: + +- **Internal** Indicates the internal property associated with the count group. +- **LastError** The error code (if applicable) for the cause of the failure to get the count of the user account. +- **Result** The HResult error. + + +## AppLocker events + +### Microsoft.Windows.Security.AppLockerCSP.ActivityStoppedAutomatically + +Automatically closed activity for start/stop operations that aren't explicitly closed. + + + +### Microsoft.Windows.Security.AppLockerCSP.AddParams + +Parameters passed to Add function of the AppLockerCSP Node. + +The following fields are available: + +- **child** The child URI of the node to add. +- **uri** URI of the node relative to %SYSTEM32%/AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.AddStart + +Start of "Add" Operation for the AppLockerCSP Node. + + + +### Microsoft.Windows.Security.AppLockerCSP.AddStop + +End of "Add" Operation for AppLockerCSP Node. + +The following fields are available: + +- **hr** The HRESULT returned by Add function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.CAppLockerCSP::Rollback + +Result of the 'Rollback' operation in AppLockerCSP. + +The following fields are available: + +- **oldId** Previous id for the CSP transaction. +- **txId** Current id for the CSP transaction. + + +### Microsoft.Windows.Security.AppLockerCSP.ClearParams + +Parameters passed to the "Clear" operation for AppLockerCSP. + +The following fields are available: + +- **uri** The URI relative to the %SYSTEM32%\AppLocker folder. + + +### Microsoft.Windows.Security.AppLockerCSP.ClearStart + +Start of the "Clear" operation for the AppLockerCSP Node. + + + +### Microsoft.Windows.Security.AppLockerCSP.ClearStop + +End of the "Clear" operation for the AppLockerCSP node. + +The following fields are available: + +- **hr** HRESULT reported at the end of the 'Clear' function. + + +### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStart + +Start of the "ConfigManagerNotification" operation for AppLockerCSP. + +The following fields are available: + +- **NotifyState** State sent by ConfigManager to AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStop + +End of the "ConfigManagerNotification" operation for AppLockerCSP. + +The following fields are available: + +- **hr** HRESULT returned by the ConfigManagerNotification function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceParams + +Parameters passed to the CreateNodeInstance function of the AppLockerCSP node. + +The following fields are available: + +- **NodeId** NodeId passed to CreateNodeInstance. +- **nodeOps** NodeOperations parameter passed to CreateNodeInstance. +- **uri** URI passed to CreateNodeInstance, relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStart + +Start of the "CreateNodeInstance" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStop + +End of the "CreateNodeInstance" operation for the AppLockerCSP node + +The following fields are available: + +- **hr** HRESULT returned by the CreateNodeInstance function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.DeleteChildParams + +Parameters passed to the DeleteChild function of the AppLockerCSP node. + +The following fields are available: + +- **child** The child URI of the node to delete. +- **uri** URI relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStart + +Start of the "DeleteChild" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStop + +End of the "DeleteChild" operation for the AppLockerCSP node. + +The following fields are available: + +- **hr** HRESULT returned by the DeleteChild function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.EnumPolicies + +Logged URI relative to %SYSTEM32%\AppLocker, if the Plugin GUID is null, or the CSP doesn't believe the old policy is present. + +The following fields are available: + +- **uri** URI relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesParams + +Parameters passed to the GetChildNodeNames function of the AppLockerCSP node. + +The following fields are available: + +- **uri** URI relative to %SYSTEM32%/AppLocker for MDM node. + + +### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStart + +Start of the "GetChildNodeNames" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStop + +End of the "GetChildNodeNames" operation for the AppLockerCSP node. + +The following fields are available: + +- **child[0]** If function succeeded, the first child's name, else "NA". +- **count** If function succeeded, the number of child node names returned by the function, else 0. +- **hr** HRESULT returned by the GetChildNodeNames function of AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.GetLatestId + +The result of 'GetLatestId' in AppLockerCSP (the latest time stamped GUID). + +The following fields are available: + +- **dirId** The latest directory identifier found by GetLatestId. +- **id** The id returned by GetLatestId if id > 0 - otherwise the dirId parameter. + + +### Microsoft.Windows.Security.AppLockerCSP.HResultException + +HRESULT thrown by any arbitrary function in AppLockerCSP. + +The following fields are available: + +- **file** File in the OS code base in which the exception occurs. +- **function** Function in the OS code base in which the exception occurs. +- **hr** HRESULT that is reported. +- **line** Line in the file in the OS code base in which the exception occurs. + + +### Microsoft.Windows.Security.AppLockerCSP.SetValueParams + +Parameters passed to the SetValue function of the AppLockerCSP node. + +The following fields are available: + +- **dataLength** Length of the value to set. +- **uri** The node URI to that should contain the value, relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.SetValueStart + +Start of the "SetValue" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.SetValueStop + +End of the "SetValue" operation for the AppLockerCSP node. + +The following fields are available: + +- **hr** HRESULT returned by the SetValue function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.TryRemediateMissingPolicies + +EntryPoint of fix step or policy remediation, includes URI relative to %SYSTEM32%\AppLocker that needs to be fixed. + +The following fields are available: + +- **uri** URI for node relative to %SYSTEM32%/AppLocker. + + +## Appraiser events + +### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount + +This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client. + +The following fields are available: + +- **DatasourceApplicationFile_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_19H1** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **DatasourceApplicationFile_RS2** An ID for the system, calculated by hashing hardware identifiers. +- **DatasourceApplicationFile_RS3** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS3Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS4** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_TH1** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_TH2** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. +- **DatasourceDevicePnp_RS2** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS3** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS4** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS5** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_TH1** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_TH2** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19H1** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device. +- **DatasourceDriverPackage_RS2** The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device. +- **DatasourceDriverPackage_RS3** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS5** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_TH1** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoBlock_RS2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS3** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS3Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS3** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS3Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. +- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. +- **DataSourceMatchingInfoPostUpgrade_RS3Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19H1** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device. +- **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device. +- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting Windows 10 version 1709 present on this device. +- **DatasourceSystemBios_RS3Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS4** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS5** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_TH1** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_TH2** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19H1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS3** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_TH1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_TH2** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19H1** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. +- **DecisionDevicePnp_RS2** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS3** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS5** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_TH1** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_TH2** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19H1** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device. +- **DecisionDriverPackage_RS2** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS3** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS5** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_TH1** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. +- **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. +- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1709 present on this device. +- **DecisionMatchingInfoBlock_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS4** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1803 present on this device. +- **DecisionMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. +- **DecisionMatchingInfoPassive_RS2** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 on this device. +- **DecisionMatchingInfoPassive_RS3** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1803 on this device. +- **DecisionMatchingInfoPassive_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. +- **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. +- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. +- **DecisionMatchingInfoPostUpgrade_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19H1** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19H1Setup** The total DecisionMediaCenter objects targeting the next release of Windows on this device. +- **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. +- **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device. +- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting Windows 10 version 1709 present on this device. +- **DecisionMediaCenter_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS4** The total DecisionMediaCenter objects targeting Windows 10 version 1803 present on this device. +- **DecisionMediaCenter_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_TH1** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_TH2** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_19ASetup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_19H1** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device. +- **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 on this device. +- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting Windows 10 version 1709 on this device. +- **DecisionSystemBios_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device. +- **DecisionSystemBios_RS4Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS5** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS5Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_TH1** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device. +- **DecisionSystemProcessor_RS2** The count of the number of this particular object type present on this device. +- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **InventoryApplicationFile** The count of the number of this particular object type present on this device. +- **InventoryDeviceContainer** A count of device container objects in cache. +- **InventoryDevicePnp** A count of device Plug and Play objects in cache. +- **InventoryDriverBinary** A count of driver binary objects in cache. +- **InventoryDriverPackage** A count of device objects in cache. +- **InventoryLanguagePack** The count of the number of this particular object type present on this device. +- **InventoryMediaCenter** The count of the number of this particular object type present on this device. +- **InventorySystemBios** The count of the number of this particular object type present on this device. +- **InventorySystemMachine** The count of the number of this particular object type present on this device. +- **InventorySystemProcessor** The count of the number of this particular object type present on this device. +- **InventoryTest** The count of the number of this particular object type present on this device. +- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. +- **PCFP** The count of the number of this particular object type present on this device. +- **SystemMemory** The count of the number of this particular object type present on this device. +- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. +- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. +- **SystemProcessorNx** The total number of objects of this type present on this device. +- **SystemProcessorPrefetchW** The total number of objects of this type present on this device. +- **SystemProcessorSse2** The total number of objects of this type present on this device. +- **SystemTouch** The count of the number of this particular object type present on this device. +- **SystemWim** The total number of objects of this type present on this device. +- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. +- **SystemWlan** The total number of objects of this type present on this device. +- **Wmdrm_19ASetup** The count of the number of this particular object type present on this device. +- **Wmdrm_19H1** The count of the number of this particular object type present on this device. +- **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. +- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **Wmdrm_RS2** An ID for the system, calculated by hashing hardware identifiers. +- **Wmdrm_RS3** An ID for the system, calculated by hashing hardware identifiers. +- **Wmdrm_RS3Setup** The count of the number of this particular object type present on this device. +- **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. +- **Wmdrm_RS4Setup** The count of the number of this particular object type present on this device. +- **Wmdrm_RS5** The count of the number of this particular object type present on this device. +- **Wmdrm_RS5Setup** The count of the number of this particular object type present on this device. +- **Wmdrm_TH1** The count of the number of this particular object type present on this device. +- **Wmdrm_TH2** The count of the number of this particular object type present on this device. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd + +Represents the basic metadata about specific application files installed on the system. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file that is generating the events. +- **AvDisplayName** If the app is an anti-virus app, this is its display name. +- **CompatModelIndex** The compatibility prediction for this file. +- **HasCitData** Indicates whether the file is present in CIT data. +- **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file. +- **IsAv** Is the file an anti-virus reporting EXE? +- **ResolveAttempted** This will always be an empty string when sending telemetry. +- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove + +This event indicates that the DatasourceApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync + +This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd + +This event sends compatibility data for a Plug and Play device, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **ActiveNetworkConnection** Indicates whether the device is an active network device. +- **AppraiserVersion** The version of the appraiser file generating the events. +- **CosDeviceRating** An enumeration that indicates if there is a driver on the target operating system. +- **CosDeviceSolution** An enumeration that indicates how a driver on the target operating system is available. +- **CosDeviceSolutionUrl** Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd . Empty string +- **CosPopulatedFromId** The expected uplevel driver matching ID based on driver coverage data. +- **IsBootCritical** Indicates whether the device boot is critical. +- **UplevelInboxDriver** Indicates whether there is a driver uplevel for this device. +- **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update. +- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver. +- **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove + +This event indicates that the DatasourceDevicePnp object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync + +This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd + +This event sends compatibility database data about driver packages to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync + +This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd + +This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove + +This event indicates that the DataSourceMatchingInfoBlock object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync + +This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd + +This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove + +This event indicates that the DataSourceMatchingInfoPassive object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync + +This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd + +This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove + +This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync + +This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd + +This event sends compatibility database information about the BIOS to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove + +This event indicates that the DatasourceSystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync + +This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd + +This event sends compatibility decision data about a file to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file that is generating the events. +- **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. +- **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question. +- **DisplayGenericMessage** Will be a generic message be shown for this file? +- **DisplayGenericMessageGated** Indicates whether a generic message be shown for this file. +- **HardBlock** This file is blocked in the SDB. +- **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? +- **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode? +- **MigRemoval** Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade? +- **NeedsDismissAction** Will the file cause an action that can be dimissed? +- **NeedsInstallPostUpgradeData** After upgrade, the file will have a post-upgrade notification to install a replacement for the app. +- **NeedsNotifyPostUpgradeData** Does the file have a notification that should be shown after upgrade? +- **NeedsReinstallPostUpgradeData** After upgrade, this file will have a post-upgrade notification to reinstall the app. +- **NeedsUninstallAction** The file must be uninstalled to complete the upgrade. +- **SdbBlockUpgrade** The file is tagged as blocking upgrade in the SDB, +- **SdbBlockUpgradeCanReinstall** The file is tagged as blocking upgrade in the SDB. It can be reinstalled after upgrade. +- **SdbBlockUpgradeUntilUpdate** The file is tagged as blocking upgrade in the SDB. If the app is updated, the upgrade can proceed. +- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not block upgrade. +- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade. +- **SoftBlock** The file is softblocked in the SDB and has a warning. + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove + +This event indicates Indicates that the DecisionApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync + +This event indicates that a new set of DecisionApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd + +This event sends compatibility decision data about a PNP device to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked? +- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate? +- **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked? +- **BlockingDevice** Is this PNP device blocking upgrade? +- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS? +- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device? +- **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device? +- **DisplayGenericMessageGated** Indicates whether a generic message will be shown during Setup for this PNP device. +- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device? +- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? +- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device? +- **DriverBlockOverridden** Is there is a driver block on the device that has been overridden? +- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device? +- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS? +- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade? +- **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden? + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove + +This event indicates that the DecisionDevicePnp object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync + +The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd + +This event sends decision data about driver package compatibility to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for this driver package. +- **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? +- **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block? +- **DriverIsDriverBlocked** Is the driver package blocked because of a driver block? +- **DriverIsTroubleshooterBlocked** Indicates whether the driver package is blocked because of a troubleshooter block. +- **DriverShouldNotMigrate** Should the driver package be migrated during upgrade? +- **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove + +This event indicates that the DecisionDriverPackage object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync + +This event indicates that a new set of DecisionDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd + +This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks? +- **DisplayGenericMessage** Will a generic message be shown for this block? +- **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block? +- **SdbBlockUpgrade** Is a matching info block blocking upgrade? +- **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag? +- **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag? + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove + +This event indicates that the DecisionMatchingInfoBlock object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync + +This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd + +This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks? +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown due to matching info blocks. +- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove + +This event Indicates that the DecisionMatchingInfoPassive object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync + +This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd + +This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app? +- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade? +- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app? +- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade). + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove + +This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync + +This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd + +This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **BlockingApplication** Is there any application issues that interfere with upgrade due to Windows Media Center? +- **MediaCenterActivelyUsed** If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true? +- **MediaCenterIndicators** Do any indicators imply that Windows Media Center is in active use? +- **MediaCenterInUse** Is Windows Media Center actively being used? +- **MediaCenterPaidOrActivelyUsed** Is Windows Media Center actively being used or is it running on a supported edition? +- **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center? + + +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove + +This event indicates that the DecisionMediaCenter object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync + +This event indicates that a new set of DecisionMediaCenterAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd + +This event sends compatibility decision data about the BIOS to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the device blocked from upgrade due to a BIOS block? +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for the bios. +- **HasBiosBlock** Does the device have a BIOS block? + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove + +This event indicates that the DecisionSystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync + +This event indicates that a new set of DecisionSystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.GatedRegChange + +This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date. + +The following fields are available: + +- **NewData** The data in the registry value after the scan completed. +- **OldData** The previous data in the registry value before the scan ran. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **RegKey** The registry key name for which a result is being sent. +- **RegValue** The registry value for which a result is being sent. +- **Time** The client time of the event. + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd + +This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **AvDisplayName** If the app is an antivirus app, this is its display name. +- **AvProductState** Indicates whether the antivirus program is turned on and the signatures are up to date. +- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64. +- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. +- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. +- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata. +- **CompanyName** The company name of the vendor who developed this file. +- **FileId** A hash that uniquely identifies a file. +- **FileVersion** The File version field from the file metadata under Properties -> Details. +- **HasUpgradeExe** Indicates whether the antivirus app has an upgrade.exe file. +- **IsAv** Indicates whether the file an antivirus reporting EXE. +- **LinkDate** The date and time that this file was linked on. +- **LowerCaseLongPath** The full file path to the file that was inventoried on the device. +- **Name** The name of the file that was inventoried. +- **ProductName** The Product name field from the file metadata under Properties -> Details. +- **ProductVersion** The Product version field from the file metadata under Properties -> Details. +- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it. +- **Size** The size of the file (in hexadecimal bytes). + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove + +This event indicates that the InventoryApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync + +This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd + +This event sends data about the number of language packs installed on the system, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **HasLanguagePack** Indicates whether this device has 2 or more language packs. +- **LanguagePackCount** The number of language packs are installed. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove + +This event indicates that the InventoryLanguagePack object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync + +This event indicates that a new set of InventoryLanguagePackAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd + +This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **EverLaunched** Has Windows Media Center ever been launched? +- **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center? +- **HasExtendedUserAccounts** Are any Windows Media Center Extender user accounts configured? +- **HasWatchedFolders** Are any folders configured for Windows Media Center to watch? +- **IsDefaultLauncher** Is Windows Media Center the default app for opening music or video files? +- **IsPaid** Is the user running a Windows Media Center edition that implies they paid for Windows Media Center? +- **IsSupported** Does the running OS support Windows Media Center? + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove + +This event indicates that the InventoryMediaCenter object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync + +This event indicates that a new set of InventoryMediaCenterAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd + +This event sends basic metadata about the BIOS to determine whether it has a compatibility block. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **biosDate** The release date of the BIOS in UTC format. +- **BiosDate** The release date of the BIOS in UTC format. +- **biosName** The name field from Win32_BIOS. +- **BiosName** The name field from Win32_BIOS. +- **manufacturer** The manufacturer field from Win32_ComputerSystem. +- **Manufacturer** The manufacturer field from Win32_ComputerSystem. +- **model** The model field from Win32_ComputerSystem. +- **Model** The model field from Win32_ComputerSystem. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove + +This event indicates that the InventorySystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync + +This event indicates that a new set of InventorySystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd + +This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BootCritical** Is the driver package marked as boot critical? +- **Build** The build value from the driver package. +- **CatalogFile** The name of the catalog file within the driver package. +- **Class** The device class from the driver package. +- **ClassGuid** The device class unique ID from the driver package. +- **Date** The date from the driver package. +- **Inbox** Is the driver package of a driver that is included with Windows? +- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU. +- **Provider** The provider of the driver package. +- **PublishedName** The name of the INF file after it was renamed. +- **Revision** The revision of the driver package. +- **SignatureStatus** Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2. +- **VersionMajor** The major version of the driver package. +- **VersionMinor** The minor version of the driver package. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove + +This event indicates that the InventoryUplevelDriverPackage object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync + +This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.RunContext + +This event indicates what should be expected in the data payload. + +The following fields are available: + +- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built. +- **AppraiserProcess** The name of the process that launched Appraiser. +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **CensusId** A unique hardware identifier. +- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **Subcontext** Indicates what categories of incompatibilities appraiser is scanning for. Can be N/A, Resolve, or a semicolon-delimited list that can include App, Dev, Sys, Gat, or Rescan. +- **Time** The client time of the event. + + +### Microsoft.Windows.Appraiser.General.SystemMemoryAdd + +This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the device from upgrade due to memory restrictions? +- **MemoryRequirementViolated** Was a memory requirement violated? +- **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes). +- **ram** The amount of memory on the device. +- **ramKB** The amount of memory (in KB). +- **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes). +- **virtualKB** The amount of virtual memory (in KB). + + +### Microsoft.Windows.Appraiser.General.SystemMemoryRemove + +This event that the SystemMemory object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync + +This event indicates that a new set of SystemMemoryAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd + +This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **CompareExchange128Support** Does the CPU support CompareExchange128? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove + +This event indicates that the SystemProcessorCompareExchange object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync + +This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd + +This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **LahfSahfSupport** Does the CPU support LAHF/SAHF? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove + +This event indicates that the SystemProcessorLahfSahf object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync + +This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd + +This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support. +- **NXProcessorSupport** Does the processor support NX? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove + +This event indicates that the SystemProcessorNx object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync + +This event indicates that a new set of SystemProcessorNxAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd + +This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **PrefetchWSupport** Does the processor support PrefetchW? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove + +This event indicates that the SystemProcessorPrefetchW object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync + +This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add + +This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **SSE2ProcessorSupport** Does the processor support SSE2? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove + +This event indicates that the SystemProcessorSse2 object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync + +This event indicates that a new set of SystemProcessorSse2Add events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemTouchAdd + +This event sends data indicating whether the system supports touch, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer? +- **MaximumTouches** The maximum number of touch points supported by the device hardware. + + +### Microsoft.Windows.Appraiser.General.SystemTouchRemove + +This event indicates that the SystemTouch object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemTouchStartSync + +This event indicates that a new set of SystemTouchAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWimAdd + +This event sends data indicating whether the operating system is running from a compressed Windows Imaging Format (WIM) file, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **IsWimBoot** Is the current operating system running from a compressed WIM file? +- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM. + + +### Microsoft.Windows.Appraiser.General.SystemWimRemove + +This event indicates that the SystemWim object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWimStartSync + +This event indicates that a new set of SystemWimAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd + +This event sends data indicating whether the current operating system is activated, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated. +- **WindowsNotActivatedDecision** Is the current operating system activated? + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove + +This event indicates that the SystemWindowsActivationStatus object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync + +This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWlanAdd + +This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked because of an emulated WLAN driver? +- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block? +- **WlanEmulatedDriver** Does the device have an emulated WLAN driver? +- **WlanExists** Does the device support WLAN at all? +- **WlanModulePresent** Are any WLAN modules present? +- **WlanNativeDriver** Does the device have a non-emulated WLAN driver? + + +### Microsoft.Windows.Appraiser.General.SystemWlanRemove + +This event indicates that the SystemWlan object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWlanStartSync + +This event indicates that a new set of SystemWlanAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.TelemetryRunHealth + +This event indicates the parameters and result of a telemetry (diagnostic) run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date. + +The following fields are available: + +- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built. +- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run. +- **AppraiserProcess** The name of the process that launched Appraiser. +- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots. +- **AuxFinal** Obsolete, always set to false. +- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app. +- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan. +- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. +- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent. +- **InboxDataVersion** The original version of the data files before retrieving any newer version. +- **IndicatorsWritten** Indicates if all relevant UEX indicators were successfully written or updated. +- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. +- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. +- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. +- **RunDate** The date that the telemetry run was stated, expressed as a filetime. +- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic. +- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. +- **RunResult** The hresult of the Appraiser telemetry run. +- **ScheduledUploadDay** The day scheduled for the upload. +- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run. +- **StoreHandleIsNotNull** Obsolete, always set to false +- **TelementrySent** Indicates if telemetry was successfully sent. +- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability. +- **Time** The client time of the event. +- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging. +- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated. + + +### Microsoft.Windows.Appraiser.General.WmdrmAdd + +This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BlockingApplication** Same as NeedsDismissAction. +- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation. +- **WmdrmApiResult** Raw value of the API used to gather DRM state. +- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs. +- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased. +- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed. +- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses. +- **WmdrmPurchased** Indicates if the system has any files with permanent licenses. + + +### Microsoft.Windows.Appraiser.General.WmdrmRemove + +This event indicates that the Wmdrm object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.WmdrmStartSync + +This event indicates that a new set of WmdrmAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +## Census events + +### Census.App + +Provides information on IE and Census versions running on the device + +The following fields are available: + +- **AppraiserEnterpriseErrorCode** The error code of the last Appraiser enterprise run. +- **AppraiserErrorCode** The error code of the last Appraiser run. +- **AppraiserRunEndTimeStamp** The end time of the last Appraiser run. +- **AppraiserRunIsInProgressOrCrashed** Flag that indicates if the Appraiser run is in progress or has crashed. +- **AppraiserRunStartTimeStamp** The start time of the last Appraiser run. +- **AppraiserTaskEnabled** Whether the Appraiser task is enabled. +- **AppraiserTaskExitCode** The Appraiser task exist code. +- **AppraiserTaskLastRun** The last runtime for the Appraiser task. +- **CensusVersion** The version of Census that generated the current data for this device. +- **IEVersion** The version of Internet Explorer that is running on the device. + + +### Census.Battery + +This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date. + +The following fields are available: + +- **InternalBatteryCapablities** Represents information about what the battery is capable of doing. +- **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity  to estimate the battery's wear. +- **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh. +- **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance. +- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value. + + +### Census.Camera + +This event sends data about the resolution of cameras on the device, to help keep Windows up to date. + +The following fields are available: + +- **FrontFacingCameraResolution** Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0. +- **RearFacingCameraResolution** Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0. + + +### Census.Enterprise + +This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment. + +The following fields are available: + +- **AADDeviceId** Azure Active Directory device ID. +- **AzureOSIDPresent** Represents the field used to identify an Azure machine. +- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs. +- **CDJType** Represents the type of cloud domain joined for the machine. +- **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers. +- **ContainerType** The type of container, such as process or virtual machine hosted. +- **EnrollmentType** Defines the type of MDM enrollment on the device. +- **HashedDomain** The hashed representation of the user domain used for login. +- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false +- **IsDERequirementMet** Represents if the device can do device encryption. +- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption +- **IsDomainJoined** Indicates whether a machine is joined to a domain. +- **IsEDPEnabled** Represents if Enterprise data protected on the device. +- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. +- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment. +- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. +- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier + + +### Census.Firmware + +This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date. + +The following fields are available: + +- **FirmwareManufacturer** Represents the manufacturer of the device's firmware (BIOS). +- **FirmwareReleaseDate** Represents the date the current firmware was released. +- **FirmwareType** Represents the firmware type. The various types can be unknown, BIOS, UEFI. +- **FirmwareVersion** Represents the version of the current firmware. + + +### Census.Flighting + +This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up to date. + +The following fields are available: + +- **DeviceSampleRate** The telemetry sample rate assigned to the device. +- **EnablePreviewBuilds** Used to enable Windows Insider builds on a device. +- **FlightIds** A list of the different Windows Insider builds on this device. +- **FlightingBranchName** The name of the Windows Insider branch currently used by the device. +- **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program. +- **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device. +- **SSRK** Retrieves the mobile targeting settings. + + +### Census.Hardware + +This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up to date. + +The following fields are available: + +- **ActiveMicCount** The number of active microphones attached to the device. +- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36. +- **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields. +- **D3DMaxFeatureLevel** Supported Direct3D version. +- **DeviceColor** Indicates a color of the device. +- **DeviceForm** Indicates the form as per the device classification. +- **DeviceName** The device name that is set by the user. +- **DigitizerSupport** Is a digitizer supported? +- **DUID** The device unique ID. +- **Gyroscope** Indicates whether the device has a gyroscope (a mechanical component that measures and maintains orientation). +- **InventoryId** The device ID used for compatibility testing. +- **Magnetometer** Indicates whether the device has a magnetometer (a mechanical component that works like a compass). +- **NFCProximity** Indicates whether the device supports NFC (a set of communication protocols that helps establish communication when applicable devices are brought close together.) +- **OEMDigitalMarkerFileName** The name of the file placed in the \Windows\system32\drivers directory that specifies the OEM and model name of the device. +- **OEMManufacturerName** The device manufacturer name. The OEMName for an inactive device is not reprocessed even if the clean OEM name is changed at a later date. +- **OEMModelBaseBoard** The baseboard model used by the OEM. +- **OEMModelBaseBoardVersion** Differentiates between developer and retail devices. +- **OEMModelName** The device model name. +- **OEMModelNumber** The device model number. +- **OEMModelSKU** The device edition that is defined by the manufacturer. +- **OEMModelSystemFamily** The system family set on the device by an OEM. +- **OEMModelSystemVersion** The system model version set on the device by the OEM. +- **OEMOptionalIdentifier** A Microsoft assigned value that represents a specific OEM subsidiary. +- **OEMSerialNumber** The serial number of the device that is set by the manufacturer. +- **PhoneManufacturer** The friendly name of the phone manufacturer. +- **PowerPlatformRole** The OEM preferred power management profile. It's used to help to identify the basic form factor of the device. +- **SoCName** The firmware manufacturer of the device. +- **StudyID** Used to identify retail and non-retail device. +- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced. +- **TelemetryLevelLimitEnhanced** The telemetry level for Windows Analytics-based solutions. +- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user. +- **TPMManufacturerId** The ID of the TPM manufacturer. +- **TPMManufacturerVersion** The version of the TPM manufacturer. +- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0. +- **VoiceSupported** Does the device have a cellular radio capable of making voice calls? + + +### Census.Memory + +This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to date. + +The following fields are available: + +- **TotalPhysicalRAM** Represents the physical memory (in MB). +- **TotalVisibleMemory** Represents the memory that is not reserved by the system. + + +### Census.Network + +This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors), to help keep Windows up to date. + +The following fields are available: + +- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. +- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. +- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MEID** Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. +- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MobileOperatorBilling** Represents the telephone company that provides services for mobile phone users. +- **MobileOperatorCommercialized** Represents which reseller and geography the phone is commercialized for. This is the set of values on the phone for who and where it was intended to be used. For example, the commercialized mobile operator code AT&T in the US would be ATT-US. +- **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. +- **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. +- **NetworkAdapterGUID** The GUID of the primary network adapter. +- **NetworkCost** Represents the network cost associated with a connection. +- **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. +- **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. + + +### Census.OS + +This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date. + +The following fields are available: + +- **ActivationChannel** Retrieves the retail license key or Volume license key for a machine. +- **AssignedAccessStatus** Kiosk configuration mode. +- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled. +- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy. +- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time +- **GenuineState** Retrieves the ID Value specifying the OS Genuine check. +- **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update). +- **InstallLanguage** The first language installed on the user machine. +- **IsDeviceRetailDemo** Retrieves if the device is running in demo mode. +- **IsEduData** Returns Boolean if the education data policy is enabled. +- **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go +- **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI. +- **LanguagePacks** The list of language packages installed on the device. +- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store. +- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. +- **OSEdition** Retrieves the version of the current OS. +- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc +- **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). +- **OSSKU** Retrieves the Friendly Name of OS Edition. +- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. +- **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines. +- **OSTimeZoneBiasInMins** Retrieves the time zone set on machine. +- **OSUILocale** Retrieves the locale of the UI that is currently used by the OS. +- **ProductActivationResult** Returns Boolean if the OS Activation was successful. +- **ProductActivationTime** Returns the OS Activation time for tracking piracy issues. +- **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key. +- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability. +- **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. +- **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. +- **ServiceProductKeyID** Retrieves the License key of the KMS +- **SharedPCMode** Returns Boolean for education devices used as shared cart +- **Signature** Retrieves if it is a signature machine sold by Microsoft store. +- **SLICStatus** Whether a SLIC table exists on the device. +- **SLICVersion** Returns OS type/version from SLIC table. + + +### Census.PrivacySettings + +This event provides information about the device level privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represent the authority that set the value. The effective consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. + +The following fields are available: + +- **Activity** Current state of the activity history setting. +- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. +- **ActivityHistoryCollection** Current state of the activity history collection setting. +- **AdvertisingId** Current state of the advertising ID setting. +- **AppDiagnostics** Current state of the app diagnostics setting. +- **Appointments** Current state of the calendar setting. +- **Bluetooth** Current state of the Bluetooth capability setting. +- **BluetoothSync** Current state of the Bluetooth sync capability setting. +- **BroadFileSystemAccess** Current state of the broad file system access setting. +- **CellularData** Current state of the cellular data capability setting. +- **Chat** Current state of the chat setting. +- **Contacts** Current state of the contacts setting. +- **DocumentsLibrary** Current state of the documents library setting. +- **Email** Current state of the email setting. +- **FindMyDevice** Current state of the "find my device" setting. +- **GazeInput** Current state of the gaze input setting. +- **HumanInterfaceDevice** Current state of the human interface device setting. +- **InkTypeImprovement** Current state of the improve inking and typing setting. +- **Location** Current state of the location setting. +- **LocationHistory** Current state of the location history setting. +- **LocationHistoryCloudSync** Current state of the location history cloud sync setting. +- **LocationHistoryOnTimeline** Current state of the location history on timeline setting. +- **Microphone** Current state of the microphone setting. +- **PhoneCall** Current state of the phone call setting. +- **PhoneCallHistory** Current state of the call history setting. +- **PicturesLibrary** Current state of the pictures library setting. +- **Radios** Current state of the radios setting. +- **SensorsCustom** Current state of the custom sensor setting. +- **SerialCommunication** Current state of the serial communication setting. +- **Sms** Current state of the text messaging setting. +- **SpeechPersonalization** Current state of the speech services setting. +- **USB** Current state of the USB setting. +- **UserAccountInformation** Current state of the account information setting. +- **UserDataTasks** Current state of the tasks setting. +- **UserNotificationListener** Current state of the notifications setting. +- **VideosLibrary** Current state of the videos library setting. +- **Webcam** Current state of the camera setting. +- **WiFiDirect** Current state of the Wi-Fi direct setting. + + +### Census.Processor + +Provides information on several important data points about Processor settings + +The following fields are available: + +- **KvaShadow** This is the micro code information of the processor. +- **MMSettingOverride** Microcode setting of the processor. +- **MMSettingOverrideMask** Microcode setting override of the processor. +- **PreviousUpdateRevision** Previous microcode revision +- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. +- **ProcessorClockSpeed** Clock speed of the processor in MHz. +- **ProcessorCores** Number of logical cores in the processor. +- **ProcessorIdentifier** Processor Identifier of a manufacturer. +- **ProcessorManufacturer** Name of the processor manufacturer. +- **ProcessorModel** Name of the processor model. +- **ProcessorPhysicalCores** Number of physical cores in the processor. +- **ProcessorUpdateRevision** The microcode revision. +- **ProcessorUpdateStatus** Enum value that represents the processor microcode load status +- **SocketCount** Count of CPU sockets. +- **SpeculationControl** Indicates whether the system has enabled protections needed to validate the speculation control vulnerability. + + +### Census.Security + +This event provides information on about security settings used to help keep Windows up to date and secure. + +The following fields are available: + +- **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard. +- **CGRunning** Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. This field tells if Credential Guard is running. +- **DGState** This field summarizes the Device Guard state. +- **HVCIRunning** Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all software running in kernel mode to safely allocate memory. This field tells if HVCI is running. +- **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest. +- **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host. +- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security. +- **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting. +- **SModeState** The Windows S mode trail state. +- **VBSState** Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled, Enabled, or Running. + + +### Census.Speech + +This event is used to gather basic speech settings on the device. + +The following fields are available: + +- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked. +- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities. +- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user. +- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. +- **KeyVer** Version information for the census speech event. +- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS). +- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. +- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities. +- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice. +- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device. +- **SpeechServicesValueSource** Indicates the deciding factor for the effective online speech recognition privacy policy settings: remote admin, local admin, or user preference. + + +### Census.Storage + +This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date. + +The following fields are available: + +- **PrimaryDiskTotalCapacity** Retrieves the amount of disk space on the primary disk of the device in MB. +- **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any). +- **StorageReservePassedPolicy** Indicates whether the Storage Reserve policy, which ensures that updates have enough disk space and customers are on the latest OS, is enabled on this device. +- **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB. + + +### Census.Userdefault + +This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date. + +The following fields are available: + +- **CalendarType** The calendar identifiers that are used to specify different calendars. +- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. +- **DefaultBrowserProgId** The ProgramId of the current user's default browser. +- **LongDateFormat** The long date format the user has selected. +- **ShortDateFormat** The short date format the user has selected. + + +### Census.UserDisplay + +This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date. + +The following fields are available: + +- **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display. +- **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display. +- **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display. +- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display. +- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display. +- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display. +- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches . +- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches +- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine +- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine. +- **VRAMDedicated** Retrieves the video RAM in MB. +- **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card. +- **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use. + + +### Census.UserNLS + +This event sends data about the default app language, input, and display language preferences set by the user, to help keep Windows up to date. + +The following fields are available: + +- **DefaultAppLanguage** The current user Default App Language. +- **DisplayLanguage** The current user preferred Windows Display Language. +- **HomeLocation** The current user location, which is populated using GetUserGeoId() function. +- **KeyboardInputLanguages** The Keyboard input languages installed on the device. +- **SpeechInputLanguages** The Speech Input languages installed on the device. + + +### Census.UserPrivacySettings + +This event provides information about the current users privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represents the authority that set the value. The effective consent is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = user, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. + +The following fields are available: + +- **Activity** Current state of the activity history setting. +- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. +- **ActivityHistoryCollection** Current state of the activity history collection setting. +- **AdvertisingId** Current state of the advertising ID setting. +- **AppDiagnostics** Current state of the app diagnostics setting. +- **Appointments** Current state of the calendar setting. +- **Bluetooth** Current state of the Bluetooth capability setting. +- **BluetoothSync** Current state of the Bluetooth sync capability setting. +- **BroadFileSystemAccess** Current state of the broad file system access setting. +- **CellularData** Current state of the cellular data capability setting. +- **Chat** Current state of the chat setting. +- **Contacts** Current state of the contacts setting. +- **DocumentsLibrary** Current state of the documents library setting. +- **Email** Current state of the email setting. +- **GazeInput** Current state of the gaze input setting. +- **HumanInterfaceDevice** Current state of the human interface device setting. +- **InkTypeImprovement** Current state of the improve inking and typing setting. +- **InkTypePersonalization** Current state of the inking and typing personalization setting. +- **Location** Current state of the location setting. +- **LocationHistory** Current state of the location history setting. +- **LocationHistoryCloudSync** Current state of the location history cloud synchronization setting. +- **LocationHistoryOnTimeline** Current state of the location history on timeline setting. +- **Microphone** Current state of the microphone setting. +- **PhoneCall** Current state of the phone call setting. +- **PhoneCallHistory** Current state of the call history setting. +- **PicturesLibrary** Current state of the pictures library setting. +- **Radios** Current state of the radios setting. +- **SensorsCustom** Current state of the custom sensor setting. +- **SerialCommunication** Current state of the serial communication setting. +- **Sms** Current state of the text messaging setting. +- **SpeechPersonalization** Current state of the speech services setting. +- **USB** Current state of the USB setting. +- **UserAccountInformation** Current state of the account information setting. +- **UserDataTasks** Current state of the tasks setting. +- **UserNotificationListener** Current state of the notifications setting. +- **VideosLibrary** Current state of the videos library setting. +- **Webcam** Current state of the camera setting. +- **WiFiDirect** Current state of the Wi-Fi direct setting. + + +### Census.VM + +This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date. + +The following fields are available: + +- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within. +- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor. +- **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present. +- **IsVDI** Is the device using Virtual Desktop Infrastructure? +- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors. +- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware. +- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware. + + +### Census.WU + +This event sends data about the Windows update server and other App store policies, to help keep Windows up to date. + +The following fields are available: + +- **AppraiserGatedStatus** Indicates whether a device has been gated for upgrading. +- **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled). +- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured +- **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting +- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades. +- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it? +- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update? +- **OSAssessmentForQualityUpdate** Is the device on the latest quality update? +- **OSAssessmentForSecurityUpdate** Is the device on the latest security update? +- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it? +- **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment. +- **OSRollbackCount** The number of times feature updates have rolled back on the device. +- **OSRolledBack** A flag that represents when a feature update has rolled back during setup. +- **OSUninstalled** A flag that represents when a feature update is uninstalled on a device . +- **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device. +- **OSWUAutoUpdateOptionsSource** The source of auto update setting that appears in the OSWUAutoUpdateOptions field. For example: Group Policy (GP), Mobile Device Management (MDM), and Default. +- **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently. +- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). +- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. +- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. +- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. +- **WUPauseState** Retrieves WU setting to determine if updates are paused. +- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). + + +### Census.Xbox + +This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date. + +The following fields are available: + +- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console. +- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console. +- **XboxLiveDeviceId** Retrieves the unique device ID of the console. +- **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft. + + +## Common data extensions + +### Common Data Extensions.app + +Describes the properties of the running application. This extension could be populated by a client app or a web app. + +The following fields are available: + +- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session. +- **env** The environment from which the event was logged. +- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event. +- **id** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application. +- **locale** The locale of the app. +- **name** The name of the app. +- **userId** The userID as known by the application. +- **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app. + + +### Common Data Extensions.container + +Describes the properties of the container for events logged within a container. + +The following fields are available: + +- **epoch** An ID that's incremented for each SDK initialization. +- **localId** The device ID as known by the client. +- **osVer** The operating system version. +- **seq** An ID that's incremented for each event. +- **type** The container type. Examples: Process or VMHost + + +### Common Data Extensions.cs + +Describes properties related to the schema of the event. + +The following fields are available: + +- **sig** A common schema signature that identifies new and modified event schemas. + + +### Common Data Extensions.device + +Describes the device-related fields. + +The following fields are available: + +- **deviceClass** The device classification. For example, Desktop, Server, or Mobile. +- **localId** A locally-defined unique ID for the device. This is not the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId +- **make** Device manufacturer. +- **model** Device model. + + +### Common Data Extensions.Envelope + +Represents an envelope that contains all of the common data extensions. + +The following fields are available: + +- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries. +- **data** Represents the optional unique diagnostic data for a particular event schema. +- **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp). +- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer). +- **ext_cs** Describes properties related to the schema of the event. See [Common Data Extensions.cs](#common-data-extensionscs). +- **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice). +- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos). +- **ext_receipts** Describes the fields related to time as provided by the client for debugging purposes. See [Common Data Extensions.receipts](#common-data-extensionsreceipts). +- **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk). +- **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser). +- **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc). +- **ext_xbl** Describes the fields related to XBOX Live. See [Common Data Extensions.xbl](#common-data-extensionsxbl). +- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency. +- **iKey** Represents an ID for applications or other logical groupings of events. +- **name** Represents the uniquely qualified name for the event. +- **popSample** Represents the effective sample rate for this event at the time it was generated by a client. +- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format. +- **ver** Represents the major and minor version of the extension. + + +### Common Data Extensions.os + +Describes some properties of the operating system. + +The following fields are available: + +- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot. +- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema. +- **locale** Represents the locale of the operating system. +- **name** Represents the operating system name. +- **ver** Represents the major and minor version of the extension. + + +### Common Data Extensions.receipts + +Represents various time information as provided by the client and helps for debugging purposes. + +The following fields are available: + +- **originalTime** The original event time. +- **uploadTime** The time the event was uploaded. + + +### Common Data Extensions.sdk + +Used by platform specific libraries to record fields that are required for a specific SDK. + +The following fields are available: + +- **epoch** An ID that is incremented for each SDK initialization. +- **installId** An ID that's created during the initialization of the SDK for the first time. +- **libVer** The SDK version. +- **seq** An ID that is incremented for each event. + + +### Common Data Extensions.user + +Describes the fields related to a user. + +The following fields are available: + +- **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token. +- **locale** The language and region. +- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID. + + +### Common Data Extensions.utc + +Describes the properties that could be populated by a logging library on Windows. + +The following fields are available: + +- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW. +- **bSeq** Upload buffer sequence number in the format: buffer identifier:sequence number +- **cat** Represents a bitmask of the ETW Keywords associated with the event. +- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer. +- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server. +- **flags** Represents the bitmap that captures various Windows specific flags. +- **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence +- **op** Represents the ETW Op Code. +- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. +- **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server. +- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. + + +### Common Data Extensions.xbl + +Describes the fields that are related to XBOX Live. + +The following fields are available: + +- **claims** Any additional claims whose short claim name hasn't been added to this structure. +- **did** XBOX device ID +- **dty** XBOX device type +- **dvr** The version of the operating system on the device. +- **eid** A unique ID that represents the developer entity. +- **exp** Expiration time +- **ip** The IP address of the client device. +- **nbf** Not before time +- **pid** A comma separated list of PUIDs listed as base10 numbers. +- **sbx** XBOX sandbox identifier +- **sid** The service instance ID. +- **sty** The service type. +- **tid** The XBOX Live title ID. +- **tvr** The XBOX Live title version. +- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. +- **xid** A list of base10-encoded XBOX User IDs. + + +## Common data fields + +### Ms.Device.DeviceInventoryChange + +Describes the installation state for all hardware and software components available on a particular device. + +The following fields are available: + +- **action** The change that was invoked on a device inventory object. +- **inventoryId** Device ID used for Compatibility testing +- **objectIîstanceId** No content is currently available. +- **objectInstanceId** Object identity which is unique within the device scope. +- **objectType** Indicates the object type that the event applies to. +- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. + + +## Compatibility events + +### Microsoft.Windows.Compatibility.Apphelp.SdbFix + +Product instrumentation for helping debug/troubleshoot issues with inbox compatibility components. + +The following fields are available: + +- **AppName** Name of the application impacted by SDB. +- **FixID** SDB GUID. +- **Flags** List of flags applied. +- **ImageName** Name of file. + + +## Component-based servicing events + +### CbsServicingProvider.CbsCapabilityEnumeration + +This event reports on the results of scanning for optional Windows content on Windows Update. + +The following fields are available: + +- **architecture** Indicates the scan was limited to the specified architecture. +- **capabilityCount** The number of optional content packages found during the scan. +- **clientId** The name of the application requesting the optional content. +- **duration** The amount of time it took to complete the scan. +- **hrStatus** The HReturn code of the scan. +- **language** Indicates the scan was limited to the specified language. +- **majorVersion** Indicates the scan was limited to the specified major version. +- **minorVersion** Indicates the scan was limited to the specified minor version. +- **namespace** Indicates the scan was limited to packages in the specified namespace. +- **sourceFilter** A bitmask indicating the scan checked for locally available optional content. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionFinalize + +This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. + +The following fields are available: + +- **capabilities** The names of the optional content packages that were installed. +- **clientId** The name of the application requesting the optional content. +- **currentID** The ID of the current install session. +- **downloadSource** The source of the download. +- **highestState** The highest final install state of the optional content. +- **hrLCUReservicingStatus** Indicates whether the optional content was updated to the latest available version. +- **hrStatus** The HReturn code of the install operation. +- **rebootCount** The number of reboots required to complete the install. +- **retryID** The session ID that will be used to retry a failed operation. +- **retryStatus** Indicates whether the install will be retried in the event of failure. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionPended + +This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date. + +The following fields are available: + +- **clientId** The name of the application requesting the optional content. +- **pendingDecision** Indicates the cause of reboot, if applicable. + + +### CbsServicingProvider.CbsLateAcquisition + +This event sends data to indicate if some Operating System packages could not be updated as part of an upgrade, to help keep Windows up to date. + +The following fields are available: + +- **Features** The list of feature packages that could not be updated. +- **RetryID** The ID identifying the retry attempt to update the listed packages. + + +### CbsServicingProvider.CbsPackageRemoval + +This event provides information about the results of uninstalling a Windows Cumulative Security Update to help keep Windows up to date. + +The following fields are available: + +- **buildVersion** The build number of the security update being uninstalled. +- **clientId** The name of the application requesting the uninstall. +- **currentStateEnd** The final state of the update after the operation. +- **failureDetails** Information about the cause of a failure, if applicable. +- **failureSourceEnd** The stage during the uninstall where the failure occurred. +- **hrStatusEnd** The overall exit code of the operation. +- **initiatedOffline** Indicates if the uninstall was initiated for a mounted Windows image. +- **majorVersion** The major version number of the security update being uninstalled. +- **minorVersion** The minor version number of the security update being uninstalled. +- **originalState** The starting state of the update before the operation. +- **pendingDecision** Indicates the cause of reboot, if applicable. +- **primitiveExecutionContext** The state during system startup when the uninstall was completed. +- **revisionVersion** The revision number of the security update being uninstalled. +- **transactionCanceled** Indicates whether the uninstall was cancelled. + + +### CbsServicingProvider.CbsQualityUpdateInstall + +This event reports on the performance and reliability results of installing Servicing content from Windows Update to keep Windows up to date. + +The following fields are available: + +- **buildVersion** The build version number of the update package. +- **clientId** The name of the application requesting the optional content. +- **corruptionHistoryFlags** A bitmask of the types of component store corruption that have caused update failures on the device. +- **corruptionType** An enumeration listing the type of data corruption responsible for the current update failure. +- **currentStateEnd** The final state of the package after the operation has completed. +- **doqTimeSeconds** The time in seconds spent updating drivers. +- **executeTimeSeconds** The number of seconds required to execute the install. +- **failureDetails** The driver or installer that caused the update to fail. +- **failureSourceEnd** An enumeration indicating at what phase of the update a failure occurred. +- **hrStatusEnd** The return code of the install operation. +- **initiatedOffline** A true or false value indicating whether the package was installed into an offline Windows Imaging Format (WIM) file. +- **majorVersion** The major version number of the update package. +- **minorVersion** The minor version number of the update package. +- **originalState** The starting state of the package. +- **overallTimeSeconds** The time (in seconds) to perform the overall servicing operation. +- **planTimeSeconds** The time in seconds required to plan the update operations. +- **poqTimeSeconds** The time in seconds processing file and registry operations. +- **postRebootTimeSeconds** The time (in seconds) to do startup processing for the update. +- **preRebootTimeSeconds** The time (in seconds) between execution of the installation and the reboot. +- **primitiveExecutionContext** An enumeration indicating at what phase of shutdown or startup the update was installed. +- **rebootCount** The number of reboots required to install the update. +- **rebootTimeSeconds** The time (in seconds) before startup processing begins for the update. +- **resolveTimeSeconds** The time in seconds required to resolve the packages that are part of the update. +- **revisionVersion** The revision version number of the update package. +- **rptTimeSeconds** The time in seconds spent executing installer plugins. +- **shutdownTimeSeconds** The time (in seconds) required to do shutdown processing for the update. +- **stackRevision** The revision number of the servicing stack. +- **stageTimeSeconds** The time (in seconds) required to stage all files that are part of the update. + + +## Deployment extensions + +### DeploymentTelemetry.Deployment_End + +This event indicates that a Deployment 360 API has completed. + +The following fields are available: + +- **ClientId** Client ID of the user utilizing the D360 API. +- **ErrorCode** Error code of action. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Mode** Phase in upgrade. +- **RelatedCV** The correction vector (CV) of any other related events +- **Result** End result of the action. + + +### DeploymentTelemetry.Deployment_SetupBoxLaunch + +This event indicates that the Deployment 360 APIs have launched Setup Box. + +The following fields are available: + +- **ClientId** The client ID of the user utilizing the D360 API. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Quiet** Whether Setup will run in quiet mode or full mode. +- **RelatedCV** The correlation vector (CV) of any other related events. +- **SetupMode** The current setup phase. + + +### DeploymentTelemetry.Deployment_SetupBoxResult + +This event indicates that the Deployment 360 APIs have received a return from Setup Box. + +The following fields are available: + +- **ClientId** Client ID of the user utilizing the D360 API. +- **ErrorCode** Error code of the action. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Quiet** Indicates whether Setup will run in quiet mode or full mode. +- **RelatedCV** The correlation vector (CV) of any other related events. +- **SetupMode** The current Setup phase. + + +### DeploymentTelemetry.Deployment_Start + +This event indicates that a Deployment 360 API has been called. + +The following fields are available: + +- **ClientId** Client ID of the user utilizing the D360 API. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Mode** The current phase of the upgrade. +- **RelatedCV** The correlation vector (CV) of any other related events. + + +## Diagnostic data events + +### TelClientSynthetic.AuthorizationInfo_RuntimeTransition + +This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. + +The following fields are available: + +- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. +- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. +- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. +- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. +- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. +- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. +- **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **PreviousPermissions** Bitmask of previous telemetry state. +- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. + + +### TelClientSynthetic.AuthorizationInfo_Startup + +Fired by UTC at startup to signal what data we are allowed to collect. + +The following fields are available: + +- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. +- **CanCol|ectCoreTelemetry** No content is currently available. +- **CanCollactCoreTelemetry** No content is currently available. +- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. +- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. +- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. +- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. +- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanPerformDiagnostigEscalations** No content is currently available. +- **CanPerformDkagnosticEscalations** No content is currently available. +- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. +- **CanReportScanarios** No content is currently available. +- **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **PreviousPermissions** Bitmask of previous telemetry state. +- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. + + +### TelClientSynthetic.ConnectivityHeartBeat_0 + +This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. + +The following fields are available: + +- **CensusExitCode** Returns last execution codes from census client run. +- **CensusStartTime** Returns timestamp corresponding to last successful census run. +- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. +- **LastConnectivityLossTime** Retrieves the last time the device lost free network. +- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. +- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. +- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds. + + +### TelClientSynthetic.HeartBeat_5 + +This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. + +The following fields are available: + +- **AgentConnctionErrorsCount** No content is currently available. +- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel. +- **AgenticenectionErrorsCount** No content is currently available. +- **CeesusExitCode** No content is currently available. +- **CeesusStartTime** No content is currently available. +- **CeesusTaskEnabled** No content is currently available. +- **CensusExitCode** The last exit code of the Census task. +- **CensusStartTime** Time of last Census run. +- **CensusTaskEnabled** True if Census is enabled, false otherwise. +- **CompressedBytesUploaded** Number of compressed bytes uploaded. +- **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. +- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. +- **CriticalDataDbLroppedCount** No content is currently available. +- **CriticalDataDhrottleDroppedCount** No content is currently available. +- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling. +- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB. +- **CriticamOverflowEntersCounter** No content is currently available. +- **DbCriticalDroppedCount** Total number of dropped critical events in event DB. +- **DbDroppedCount** Number of events dropped due to DB fullness. +- **DbDroppedFailureCount** Number of events dropped due to DB failures. +- **DbDroppedFullCount** Number of events dropped due to DB fullness. +- **DbDroppedOailureCount** No content is currently available. +- **DbDroppedOullCount** No content is currently available. +- **DecodingDroppedCount** Number of events dropped due to decoding failures. +- **DhrottledDroppedCount** No content is currently available. +- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. +- **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. +- **Eve~tStoreResetCounter** No content is currently available. +- **EventSC06eLifetimeResetCounter** No content is currently available. +- **EventSC06eResetCounter** No content is currently available. +- **EventSC06eResetSizeSum** No content is currently available. +- **EventsPersistedCount** Number of events that reached the PersistEvent stage. +- **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC. +- **EventStoreResetCounter** Number of times event DB was reset. +- **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance. +- **EventSubStoreResetCounter** Number of times event DB was reset. +- **EventSubStoreResetSizeSum** Total size of event DB across all resets reports in this instance. +- **EventsUploaded** Number of events uploaded. +- **Flags** Flags indicating device state such as network state, battery state, and opt-in state. +- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. +- **HeartBeatSequenceNumber** The sequence number of this heartbeat. +- **icesumerDroppedCount** No content is currently available. +- **icmpressedBytesUploaded** No content is currently available. +- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. +- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. +- **LastAgenticenectionError** No content is currently available. +- **LastEventSizeOffender** Event name of last event which exceeded max event size. +- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. +- **LastreReseizeOffender** No content is currently available. +- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. +- **MaxActiveAgenticenectionCount** No content is currently available. +- **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. +- **Olags** No content is currently available. +- **OullTriggerBufferDroppedCount** No content is currently available. +- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). +- **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. +- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. +- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. +- **SettingsHttpFailures** The number of failures from contacting the OneSettings service. +- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. +- **TopUploaderErrors** List of top errors received from the upload endpoint. +- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. +- **UploaderErrorCount** Number of errors received from the upload endpoint. +- **VortexFailuresTimeout** The number of timeout failures received from Vortex. +- **VortexHttpAttempts** Number of attempts to contact Vortex. +- **VortexHttpFailures4xS** No content is currently available. +- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. +- **VortexHttpFailures5xS** No content is currently available. +- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. +- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. +- **VortexHttpResponsesWihDroppedEvents** No content is currently available. +- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. + + +### TelClientSynthetic.HeartBeat_Aria_5 + +This event is the telemetry client ARIA heartbeat. + +The following fields are available: + +- **CompressedBytesUploaded** Number of compressed bytes uploaded. +- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. +- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. +- **DbCriticalDroppedCount** Total number of dropped critical events in event database. +- **DbDroppedCount** Number of events dropped at the database layer. +- **DbDroppedFailureCount** Number of events dropped due to database failures. +- **DbDroppedFullCount** Number of events dropped due to database being full. +- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **EventsPersistedCount** Number of events that reached the PersistEvent stage. +- **EventStoreLifetimeResetCounter** Number of times the event store has been reset. +- **EventStoreResetCounter** Number of times the event store has been reset during this heartbeat. +- **EventStoreResetSizeSum** Size of event store reset in bytes. +- **EventsUploaded** Number of events uploaded. +- **HeartBeatSequenceNumber** The sequence number of this heartbeat. +- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. +- **LastEventSizeOffender** Event name of last event which exceeded max event size. +- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. +- **PreviousHeartBeatTime** The FILETIME of the previous heartbeat fire. +- **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. +- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. +- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. +- **SettingsHttpFailures** Number of failures from contacting OneSettings service. +- **TopUploaderErrors** List of top errors received from the upload endpoint. +- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. +- **UploaderErrorCount** Number of errors received from the upload endpoint. +- **VortexFailuresTimeout** Number of time out failures received from Vortex. +- **VortexHttpAttempts** Number of attempts to contact Vortex. +- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. +- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. +- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. +- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. + + +### TelClientSynthetic.HeartBeat_Seville_5 + +This event is sent by the universal telemetry client (UTC) as a heartbeat signal for Sense. + +The following fields are available: + +- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host or agent channel. +- **CompressedBytesUploaded** Number of compressed bytes uploaded. +- **ConsumerDroppedCount** Number of events dropped at consumer layer of the telemetry client. +- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. +- **CriticalDataThrottleDroppedCount** Number of critical data sampled events dropped due to throttling. +- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. +- **DailyUploadQuotaInBytes** Daily upload quota for Sense in bytes (only in in-proc mode). +- **DbCriticalDroppedCount** Total number of dropped critical events in event database. +- **DbDroppedCount** Number of events dropped due to database being full. +- **DbDroppedFailureCount** Number of events dropped due to database failures. +- **DbDroppedFullCount** Number of events dropped due to database being full. +- **DecodingDroppedCount** Number of events dropped due to decoding failures. +- **DiskSizeInBytes** Size of event store for Sense in bytes (only in in-proc mode). +- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **EtwDroppedBufferCount** Number of buffers dropped in the universal telemetry client (UTC) event tracing for Windows (ETW) session. +- **EtwDroppedCount** Number of events dropped at the event tracing for Windows (ETW) layer of telemetry client. +- **EventsPersistedCount** Number of events that reached the PersistEvent stage. +- **EventStoreLifetimeResetCounter** Number of times event the database was reset for the lifetime of the universal telemetry client (UTC). +- **EventStoreResetCounter** Number of times the event database was reset. +- **EventStoreResetSizeSum** Total size of the event database across all resets reports in this instance. +- **EventsUploaded** Number of events uploaded. +- **Flags** Flags indicating device state, such as network state, battery state, and opt-in state. +- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. +- **HeartBeatSequenceNumber** The sequence number of this heartbeat. +- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. +- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. +- **LastEventSizeOffender** Event name of last event which exceeded the maximum event size. +- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. +- **MaxActiveAgentConnectionCount** Maximum number of active agents during this heartbeat timeframe. +- **NormalUploadTimerMillis** Number of milliseconds between each upload of normal events for SENSE (only in in-proc mode). +- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). +- **RepeatedUploadFailureDropped** Number of events lost due to repeated failed uploaded attempts. +- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. +- **SettingsHttpFailures** Number of failures from contacting the OneSettings service. +- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. +- **TopUploaderErrors** Top uploader errors, grouped by endpoint and error type. +- **UploaderDroppedCount** Number of events dropped at the uploader layer of the telemetry client. +- **UploaderErrorCount** Number of input for the TopUploaderErrors mode estimation. +- **VortexFailuresTimeout** Number of time out failures received from Vortex. +- **VortexHttpAttempts** Number of attempts to contact Vortex. +- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. +- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. +- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. +- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. + + +## Direct to update events + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicability + +Event to indicate that the Coordinator CheckApplicability call succeeded. + +The following fields are available: + +- **ApplicabilityResult** Result of CheckApplicability function. +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **IsDeviceAADDomainJoined** Indicates whether the device is logged in to the AAD (Azure Active Directory) domain. +- **IsDeviceADDomainJoined** Indicates whether the device is logged in to the AD (Active Directory) domain. +- **IsDeviceCloverTrail** Indicates whether the device has a Clover Trail system installed. +- **IsDeviceFeatureUpdatingPaused** Indicates whether Feature Update is paused on the device. +- **IsDeviceNetworkMetered** Indicates whether the device is connected to a metered network. +- **IsDeviceOobeBlocked** Indicates whether user approval is required to install updates on the device. +- **IsDeviceRequireUpdateApproval** Indicates whether user approval is required to install updates on the device. +- **IsDeviceSccmManaged** Indicates whether the device is running the Microsoft SCCM (System Center Configuration Manager) to keep the operating system and applications up to date. +- **IsDeviceUninstallActive** Indicates whether the OS (operating system) on the device was recently updated. +- **IsDeviceUpdateNotificationLevel** Indicates whether the device has a set policy to control update notifications. +- **IsDeviceUpdateServiceManaged** Indicates whether the device uses WSUS (Windows Server Update Services). +- **IsDeviceZeroExhaust** Indicates whether the device subscribes to the Zero Exhaust policy to minimize connections from Windows to Microsoft. +- **IsGreaterThanMaxRetry** Indicates whether the DTU (Direct to Update) service has exceeded its maximum retry count. +- **IsVolumeLicensed** Indicates whether a volume license was used to authenticate the operating system or applications on the device. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicabilityGenericFailure + +This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Cleanup call. + +The following fields are available: + +- **CampaignID** Campaign ID being run +- **ClientID** Client ID being run +- **CoordinatorVersion** Coordinator version of DTU +- **CV** Correlation vector +- **hResult** HRESULT of the failure + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupSuccess + +This event indicates that the Coordinator Cleanup call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run +- **ClientID** Client ID being run +- **CoordinatorVersion** Coordinator version of DTU +- **CV** Correlation vector + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Commit call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitSuccess + +This event indicates that the Coordinator Commit call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Download call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadIgnoredFailure + +This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Download call that will be ignored. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadSuccess + +This event indicates that the Coordinator Download call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator HandleShutdown call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinate version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownSuccess + +This event indicates that the Coordinator HandleShutdown call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Initialize call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeSuccess + +This event indicates that the Coordinator Initialize call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Install call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallIgnoredFailure + +This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Install call that will be ignored. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallSuccess + +This event indicates that the Coordinator Install call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorProgressCallBack + +This event indicates that the Coordinator's progress callback has been called. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **DeployPhase** Current Deploy Phase. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorSetCommitReadySuccess + +This event indicates that the Coordinator SetCommitReady call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiNotShown + +This event indicates that the Coordinator WaitForRebootUi call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSelection + +This event indicates that the user selected an option on the Reboot UI. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **rebootUiSelection** Selection on the Reboot UI. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSuccess + +This event indicates that the Coordinator WaitForRebootUi call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicabilityInternal call. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalSuccess + +This event indicates that the Handler CheckApplicabilityInternal call succeeded. + +The following fields are available: + +- **ApplicabilityResult** The result of the applicability check. +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilitySuccess + +This event indicates that the Handler CheckApplicability call succeeded. + +The following fields are available: + +- **ApplicabilityResult** The result code indicating whether the update is applicable. +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionSuccess + +This event indicates that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **CheckIfCoordinatorMinApplicableVersionResult** Result of CheckIfCoordinatorMinApplicableVersion function. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Commit call. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitSuccess + +This event indicates that the Handler Commit call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run.run +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabFailure + +This event indicates that the Handler Download and Extract cab call failed. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_failureReason** Reason why the update download and extract process failed. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabSuccess + +This event indicates that the Handler Download and Extract cab call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Download call. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadSuccess + +This event indicates that the Handler Download call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Initialize call. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extract. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeSuccess + +This event indicates that the Handler Initialize call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extraction. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Install call. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallSuccess + +This event indicates that the Coordinator Install call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadySuccess + +This event indicates that the Handler SetCommitReady call succeeded. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler WaitForRebootUi call. + +The following fields are available: + +- **CampaignID** The ID of the campaigning being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** The HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiSuccess + +This event indicates that the Handler WaitForRebootUi call succeeded. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +## DxgKernelTelemetry events + +### DxgKrnlTelemetry.GPUAdapterInventoryV2 + +This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date. + +The following fields are available: + +- **AdapterDypeValue** No content is currently available. +- **AdapterTypeValue** The numeric value indicating the type of Graphics adapter. +- **aiSeqId** The event sequence ID. +- **bootId** The system boot ID. +- **BrightnessVersionViaDDI** The version of the Display Brightness Interface. +- **BvightnessVersionViaDDI** No content is currently available. +- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. +- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). +- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). +- **DisplayAdapterLuid** The display adapter LUID. +- **Driver48,k** No content is currently available. +- **DriverDate** The date of the display driver. +- **DriverRa~k** No content is currently available. +- **DriverRank** The rank of the display driver. +- **DriverVersion** The display driver version. +- **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store. +- **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store. +- **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store. +- **DX9]MDFilePath** No content is currently available. +- **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store. +- **GPUDeviceID** The GPU device ID. +- **GPUPree}ptionLevel** No content is currently available. +- **GPUPreemptionLdvel** No content is currently available. +- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. +- **GPURevisionID** The GPU revision ID. +- **GPUVendoeID** No content is currently available. +- **GPUVendorID** The GPU vendor ID. +- **InterbaceId** No content is currently available. +- **InterfaceId** The GPU interface ID. +- **IqMPOSupported** No content is currently available. +- **IrRemovable** No content is currently available. +- **IsDisp|ayDevice** No content is currently available. +- **IsDisplayDevice** Does the GPU have displaying capabilities? +- **IsHwSchSupported** Indicates whether the adapter supports hardware scheduling. +- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? +- **IsHybridIntdgrated** No content is currently available. +- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? +- **IsLDA** Is the GPU comprised of Linked Display Adapters? +- **IsMiracastSupported** Does the GPU support Miracast? +- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor? +- **IsMPOCupported** No content is currently available. +- **IsMPOSuppor|ed** No content is currently available. +- **IsMPOSupported** Does the GPU support Multi-Plane Overlays? +- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution? +- **IsPostAdapter** Is this GPU the POST GPU in the device? +- **IsRemovable** TRUE if the adapter supports being disabled or removed. +- **IsRenderDevice** Does the GPU have rendering capabilities? +- **IsSoftwareDevice** Is this a software implementation of the GPU? +- **IsSoftwareDevicg** No content is currently available. +- **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store. +- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? +- **MsHybridDiscrete** Indicates whether the adapter is a discrete adapter in a hybrid configuration. +- **NumVidPnSources** The number of supported display output sources. +- **NumVidPnTargets** The number of supported display output targets. +- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes). +- **SubSyste}ID** No content is currently available. +- **SubSystemID** The subsystem ID. +- **SubVendoeID** No content is currently available. +- **SubVendorID** The GPU sub vendor ID. +- **TelematryEnabled** No content is currently available. +- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? +- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) +- **version** The event version. +- **WDDMVersion** The Windows Display Driver Model version. + + +## Failover Clustering events + +### Microsoft.Windows.Server.FailoverClusteringCritical.ClusterSummary2 + +This event returns information about how many resources and of what type are in the server cluster. This data is collected to keep Windows Server safe, secure, and up to date. The data includes information about whether hardware is configured correctly, if the software is patched correctly, and assists in preventing crashes by attributing issues (like fatal errors) to workloads and system configurations. + +The following fields are available: + +- **autoAssignSite** The cluster parameter: auto site. +- **autoBalancerLevel** The cluster parameter: auto balancer level. +- **autoBalancerMode** The cluster parameter: auto balancer mode. +- **blockCacheSize** The configured size of the block cache. +- **ClusterAdConfiguration** The ad configuration of the cluster. +- **clusterAdType** The cluster parameter: mgmt_point_type. +- **clusterDumpPolicy** The cluster configured dump policy. +- **clusterFunctionalLevel** The current cluster functional level. +- **clusterGuid** The unique identifier for the cluster. +- **clusterWitnessType** The witness type the cluster is configured for. +- **countNodesInSite** The number of nodes in the cluster. +- **crossSiteDelay** The cluster parameter: CrossSiteDelay. +- **crossSiteThreshold** The cluster parameter: CrossSiteThreshold. +- **crossSubnetDelay** The cluster parameter: CrossSubnetDelay. +- **crossSubnetThreshold** The cluster parameter: CrossSubnetThreshold. +- **csvCompatibleFilters** The cluster parameter: ClusterCsvCompatibleFilters. +- **csvIncompatibleFilters** The cluster parameter: ClusterCsvIncompatibleFilters. +- **csvResourceCount** The number of resources in the cluster. +- **currentNodeSite** The name configured for the current site for the cluster. +- **dasModeBusType** The direct storage bus type of the storage spaces. +- **downLevelNodeCount** The number of nodes in the cluster that are running down-level. +- **drainOnShutdown** Specifies whether a node should be drained when it is shut down. +- **dynamicQuorumEnabled** Specifies whether dynamic Quorum has been enabled. +- **enforcedAntiAffinity** The cluster parameter: enforced anti affinity. +- **genAppNames** The win32 service name of a clustered service. +- **genSvcNames** The command line of a clustered genapp. +- **hangRecoveryAction** The cluster parameter: hang recovery action. +- **hangTimeOut** Specifies the “hang time out” parameter for the cluster. +- **isCalabria** Specifies whether storage spaces direct is enabled. +- **isMixedMode** Identifies if the cluster is running with different version of OS for nodes. +- **isRunningDownLevel** Identifies if the current node is running down-level. +- **logLevel** Specifies the granularity that is logged in the cluster log. +- **logSize** Specifies the size of the cluster log. +- **lowerQuorumPriorityNodeId** The cluster parameter: lower quorum priority node ID. +- **minNeverPreempt** The cluster parameter: minimum never preempt. +- **minPreemptor** The cluster parameter: minimum preemptor priority. +- **netftIpsecEnabled** The parameter: netftIpsecEnabled. +- **NodeCount** The number of nodes in the cluster. +- **nodeId** The current node number in the cluster. +- **nodeResourceCounts** Specifies the number of node resources. +- **nodeResourceOnlineCounts** Specifies the number of node resources that are online. +- **numberOfSites** The number of different sites. +- **numNodesInNoSite** The number of nodes not belonging to a site. +- **plumbAllCrossSubnetRoutes** The cluster parameter: plumb all cross subnet routes. +- **preferredSite** The preferred site location. +- **privateCloudWitness** Specifies whether a private cloud witness exists for this cluster. +- **quarantineDuration** The quarantine duration. +- **quarantineThreshold** The quarantine threshold. +- **quorumArbitrationTimeout** In the event of an arbitration event, this specifies the quorum timeout period. +- **resiliencyLevel** Specifies the level of resiliency. +- **resourceCounts** Specifies the number of resources. +- **resourceTypeCounts** Specifies the number of resource types in the cluster. +- **resourceTypes** Data representative of each resource type. +- **resourceTypesPath** Data representative of the DLL path for each resource type. +- **sameSubnetDelay** The cluster parameter: same subnet delay. +- **sameSubnetThreshold** The cluster parameter: same subnet threshold. +- **secondsInMixedMode** The amount of time (in seconds) that the cluster has been in mixed mode (nodes with different operating system versions in the same cluster). +- **securityLevel** The cluster parameter: security level. +- **securityLevelForStorage** The cluster parameter: security level for storage. +- **sharedVolumeBlockCacheSize** Specifies the block cache size for shared for shared volumes. +- **shutdownTimeoutMinutes** Specifies the amount of time it takes to time out when shutting down. +- **upNodeCount** Specifies the number of nodes that are up (online). +- **useClientAccessNetworksForCsv** The cluster parameter: use client access networks for CSV. +- **vmIsolationTime** The cluster parameter: VM isolation time. +- **witnessDatabaseWriteTimeout** Specifies the timeout period for writing to the quorum witness database. + + +## Fault Reporting events + +### Microsoft.Windows.FaultReporting.AppCrashEvent + +This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event. + +The following fields are available: + +- **@ackageRelativeAppId** No content is currently available. +- **AppName** The name of the app that has crashed. +- **AppSeqsionGuid** No content is currently available. +- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. +- **AppTimeStamp** The date/time stamp of the app. +- **AppVersion** The version of the app that has crashed. +- **AptName** No content is currently available. +- **DargetAppId** No content is currently available. +- **ExceptionCode** The exception code returned by the process that has crashed. +- **ExceptionOffset** The address where the exception had occurred. +- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. +- **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. +- **IsFatal** True/False to indicate whether the crash resulted in process termination. +- **ModName** Exception module name (e.g. bar.dll). +- **ModNamevaultsv** No content is currently available. +- **ModTimeStamp** The date/time stamp of the module. +- **ModVersion** The version of the module that has crashed. +- **PackageFullName** Store application identity. +- **PackageRelaatieAppId** No content is currently available. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has crashed. +- **ProcessId** The ID of the process that has crashed. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported +- **TargetAsId** The sequence number for the hanging process. + + +## Feature update events + +### Microsoft.Windows.Upgrade.Uninstall.UninstallFinalizedAndRebootTriggered + +This event indicates that the uninstall was properly configured and that a system reboot was initiated. + + + +### Microsoft.Windows.Upgrade.Uninstall.UninstallGoBackButtonClicked + +This event sends basic metadata about the starting point of uninstalling a feature update, which helps ensure customers can safely revert to a well-known state if the update caused any problems. + + + +## Hang Reporting events + +### Microsoft.Windows.HangReporting.AppHangEvent + +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. + +The following fields are available: + +- **AppName** The name of the app that has hung. +- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend. +- **AppVersion** The version of the app that has hung. +- **IsFatal** True/False based on whether the hung application caused the creation of a Fatal Hang Report. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has hung. +- **ProcessId** The ID of the process that has hung. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported. +- **TargetAsId** The sequence number for the hanging process. +- **TypeCode** Bitmap describing the hang type. +- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application. +- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting. +- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting. +- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package. + + +## Inventory events + +### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum + +This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. + +The following fields are available: + +- **Device** A count of device objects in cache. +- **DeviceCensus** A count of device census objects in cache. +- **DriverPackageExtended** A count of driverpackageextended objects in cache. +- **File** A count of file objects in cache. +- **FileSigningInfo** A count of file signing objects in cache. +- **Generic** A count of generic objects in cache. +- **HwItem** A count of hwitem objects in cache. +- **InventoryApplication** A count of application objects in cache. +- **InventoryApplicationAppV** A count of application AppV objects in cache. +- **InventoryApplicationDriver** A count of application driver objects in cache +- **InventoryApplicationFile** A count of application file objects in cache. +- **InventoryApplicationFramework** A count of application framework objects in cache +- **InventoryApplicationShortcut** A count of application shortcut objects in cache +- **InventoryDeviceContainer** A count of device container objects in cache. +- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache. +- **InventoryDeviceMediaClass** A count of device media objects in cache. +- **InventoryDevicePnp** A count of device Plug and Play objects in cache. +- **InventoryDeviceUsbHubClass** A count of device usb objects in cache +- **InventoryDriverBinary** A count of driver binary objects in cache. +- **InventoryDriverPackage** A count of device objects in cache. +- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache +- **InventoryMiscellaneousOfficeAddInUsage** A count of office add-in usage objects in cache. +- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache +- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache +- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache +- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache +- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache +- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache +- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache +- **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache +- **Metadata** A count of metadata objects in cache. +- **Orphan** A count of orphan file objects in cache. +- **Programs** A count of program objects in cache. + + +### Microsoft.Windows.Inventory.Core.AmiTelCacheFileInfo + +Diagnostic data about the inventory cache. + +The following fields are available: + +- **CacheFileSize** Size of the cache. +- **InventoryVersion** Inventory version of the cache. +- **TempCacheCount** Number of temp caches created. +- **TempCacheDeletedCount** Number of temp caches deleted. + + +### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions + +This event sends inventory component versions for the Device Inventory data. + +The following fields are available: + +- **aeinv** The version of the App inventory component. +- **devinv** The file version of the Device inventory component. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd + +This event sends basic metadata about an application on the system to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **HiddenArp** Indicates whether a program hides itself from showing up in ARP. +- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). +- **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 +- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. +- **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array. +- **InventoryVersion** The version of the inventory file generating the events. +- **Language** The language code of the program. +- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. +- **MsiProductCode** A GUID that describe the MSI Product. +- **Name** The name of the application. +- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. +- **PackageFullName** The package full name for a Store application. +- **ProgramInstanceId** A hash of the file IDs in an app. +- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field. +- **RootDirPath** The path to the root directory where the program was installed. +- **Source** How the program was installed (for example, ARP, MSI, Appx). +- **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp. +- **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen. +- **Version** The version number of the program. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd + +This event represents what drivers an application installs. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory component. +- **ProgramIds** The unique program identifier the driver is associated with. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync + +The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory component. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd + +This event provides the basic metadata about the frameworks an application may depend on. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **FileId** A hash that uniquely identifies a file. +- **Frameworks** The list of frameworks this file depends on. +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync + +This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove + +This event indicates that a new set of InventoryDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync + +This event indicates that a new set of InventoryApplicationAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd + +This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device) to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Categories** A comma separated list of functional categories in which the container belongs. +- **DiscoveryMethod** The discovery method for the device container. +- **FriendlyName** The name of the device container. +- **InventoryVersion** The version of the inventory file generating the events. +- **IsActive** Is the device connected, or has it been seen in the last 14 days? +- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link. +- **IsMachineContainer** Is the container the root device itself? +- **IsNetworked** Is this a networked device? +- **IsPaired** Does the device container require pairing? +- **Manufacturer** The manufacturer name for the device container. +- **ModelId** A unique model ID. +- **ModelName** The model name. +- **ModelNumber** The model number for the device container. +- **PrimaryCategory** The primary category for the device container. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove + +This event indicates that the InventoryDeviceContainer object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync + +This event indicates that a new set of InventoryDeviceContainerAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd + +This event retrieves information about what sensor interfaces are available on the device. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Accelerometer3D** Indicates if an Accelerator3D sensor is found. +- **ActivityDetection** Indicates if an Activity Detection sensor is found. +- **AmbientLight** Indicates if an Ambient Light sensor is found. +- **Barometer** Indicates if a Barometer sensor is found. +- **Custom** Indicates if a Custom sensor is found. +- **EnergyMeter** Indicates if an Energy sensor is found. +- **FloorElevation** Indicates if a Floor Elevation sensor is found. +- **GeomagneticOrientation** Indicates if a Geo Magnetic Orientation sensor is found. +- **GravityVector** Indicates if a Gravity Detector sensor is found. +- **Gyrometer3D** Indicates if a Gyrometer3D sensor is found. +- **Humidity** Indicates if a Humidity sensor is found. +- **InventoryVersion** The version of the inventory file generating the events. +- **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found. +- **Magnetometer3D** Indicates if a Magnetometer3D sensor is found. +- **Orientation** Indicates if an Orientation sensor is found. +- **Pedometer** Indicates if a Pedometer sensor is found. +- **Proximity** Indicates if a Proximity sensor is found. +- **RelativeOrientation** Indicates if a Relative Orientation sensor is found. +- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found. +- **Temperature** Indicates if a Temperature sensor is found. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync + +This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd + +This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **audio.captureDriver** Audio device capture driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14887.1000:hdaudio\func_01 +- **audio.renderDriver** Audio device render driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14889.1001:hdaudio\func_01 +- **Audio_CaptureDriver** The Audio device capture driver endpoint. +- **Audio_RenderDriver** The Audio device render driver endpoint. +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove + +This event indicates that the InventoryDeviceMediaClassRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync + +This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd + +This event represents the basic metadata about a plug and play (PNP) device and its associated driver. + +This event includes fields from [Ms.Dedevi.DedeviInventoryChange](#msdedevidedeviinventorychange). + +The following fields are available: + +- **basedata** No content is currently available. See [basedata](#basedata). +- **BusReportedDescription** The description of the device reported by the bux. +- **Class** The device setup class of the driver loaded for the device. +- **ClassGuid** The device class unique identifier of the driver package loaded on the device. +- **COMPID** The list of “Compatible IDs” for this device. +- **COMPID.Count** No content is currently available. +- **ContainerId** The system-supplied unique identifier that specifies which group(s) the device(s) installed on the parent (main) device belong to. +- **Description** The description of the device. +- **DeviceInterfaceClasses** The device interfaces that this device implements. +- **DeviceState** Identifies the current state of the parent (main) device. +- **DriverId** The unique identifier for the installed driver. +- **DriverName** The name of the driver image file. +- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage. +- **DriverVerDate** The date associated with the driver installed on the device. +- **DriverVerVersion** The version number of the driver installed on the device. +- **Enumerator** Identifies the bus that enumerated the device. +- **ExtendedInfs** The extended INF file names. +- **HWID** A list of hardware IDs for the device. +- **HWID.Count** No content is currently available. +- **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). +- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx +- **InventoryVersion** The version number of the inventory process generating the events. +- **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. +- **LowerFilters** The identifiers of the Lower filters installed for the device. +- **Manufacturer** The manufacturer of the device. +- **MatchingID** The Hardware ID or Compatible ID that Windows uses to install a device instance. +- **Model** Identifies the model of the device. +- **ParentId** The Device Instance ID of the parent of the device. +- **ProblemCode** The error code currently returned by the device, if applicable. +- **Provider** Identifies the device provider. +- **Service** The name of the device service. +- **STACKID** The list of hardware IDs for the stack. +- **STACKID.Count** No content is currently available. +- **UpperClassFilters** The identifiers of the Upper Class filters installed for the device. +- **UpperFilters** The identifiers of the Upper filters installed for the device. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove + +This event indicates that the InventoryDevicePnpRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync + +This event indicates that a new set of InventoryDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd + +This event sends basic metadata about the USB hubs on the device. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. +- **TotalUserConnectablePorts** Total number of connectable USB ports. +- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync + +This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent. + +This event includes fields from [Ms.De~ice.DeviceInventoryChange](#msde~icedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd + +This event provides the basic metadata about driver binaries running on the system. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **DriverCheckSum** The checksum of the driver file. +- **DriverCompany** The company name that developed the driver. +- **DriverInBox** Is the driver included with the operating system? +- **DriverIsKernelMode** Is it a kernel mode driver? +- **DriverName** The file name of the driver. +- **DriverPackageStrongName** The strong name of the driver package +- **DriverSigned** The strong name of the driver package +- **DriverTimeStamp** The low 32 bits of the time stamp of the driver file. +- **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. +- **DriverVersion** The version of the driver file. +- **ImageSize** The size of the driver file. +- **Inf** The name of the INF file. +- **InventoryVersion** The version of the inventory file generating the events. +- **Product** The product name that is included in the driver file. +- **ProductVersio~** No content is currently available. +- **ProductVersion** The product version that is included in the driver file. +- **Service** The name of the service that is installed for the device. +- **WdfVersion** The Windows Driver Framework version. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove + +This event indicates that the InventoryDriverBinary object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync + +This event indicates that a new set of InventoryDriverBinaryAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd + +This event sends basic metadata about drive packages installed on the system to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Class** The class name for the device driver. +- **ClassGuid** The class GUID for the device driver. +- **Date** The driver package date. +- **Directory** The path to the driver package. +- **DriverInBox** Is the driver included with the operating system? +- **Inf** The INF name of the driver package. +- **InventoryVersion** The version of the inventory file generating the events. +- **Provider** The provider for the driver package. +- **SubmissionId** The HLK submission ID for the driver package. +- **Version** The version of the driver package. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove + +This event indicates that the InventoryDriverPackageRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync + +This event indicates that a new set of InventoryDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.StartUtcJsonTrace + +This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the beginning of the event download, and that tracing should begin. + + + +### Microsoft.Windows.Inventory.Core.StopUtcJsonTrace + +This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the end of the event download, and that tracing should end. + + + +### Microsoft.Windows.Inventory.General.AppHealthStaticAdd + +This event sends details collected for a specific application on the source device. + +The following fields are available: + +- **AhaVersion** The binary version of the App Health Analyzer tool. +- **ApplicationErrors** The count of application errors from the event log. +- **Bitness** The architecture type of the application (16 Bit or 32 bit or 64 bit). +- **device_level** Various JRE/JAVA versions installed on a particular device. +- **ExtendedProperties** Attribute used for aggregating all other attributes under this event type. +- **Jar** Flag to determine if an app has a Java JAR file dependency. +- **Jre** Flag to determine if an app has JRE framework dependency. +- **Jre_version** JRE versions an app has declared framework dependency for. +- **Name** Name of the application. +- **NonDPIAware** Flag to determine if an app is non-DPI aware. +- **NumBinaries** Count of all binaries (.sys,.dll,.ini) from application install location. +- **RequiresAdmin** Flag to determine if an app requests admin privileges for execution. +- **RequiresAdminv2** Additional flag to determine if an app requests admin privileges for execution. +- **RequiresUIAccess** Flag to determine if an app is based on UI features for accessibility. +- **VB6** Flag to determine if an app is based on VB6 framework. +- **VB6v2** Additional flag to determine if an app is based on VB6 framework. +- **Version** Version of the application. +- **VersionCheck** Flag to determine if an app has a static dependency on OS version. +- **VersionCheckv2** Additional flag to determine if an app has a static dependency on OS version. + + +### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync + +This event indicates the beginning of a series of AppHealthStaticAdd events. + +The following fields are available: + +- **AllowTelemetry** Indicates the presence of the 'allowtelemetry' command line argument. +- **CommandLineArgs** Command line arguments passed when launching the App Health Analyzer executable. +- **Enhanced** Indicates the presence of the 'enhanced' command line argument. +- **StartTime** UTC date and time at which this event was sent. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd + +Provides data on the installed Office Add-ins. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AddinCLSID** The class identifier key for the Microsoft Office add-in. +- **AddInCLSID** The class identifier key for the Microsoft Office add-in. +- **AddInId** The identifier for the Microsoft Office add-in. +- **AddinType** The type of the Microsoft Office add-in. +- **BinFileTimestamp** The timestamp of the Office add-in. +- **BinFileVersion** The version of the Microsoft Office add-in. +- **Description** Description of the Microsoft Office add-in. +- **FileId** The file identifier of the Microsoft Office add-in. +- **FileSize** The file size of the Microsoft Office add-in. +- **FriendlyName** The friendly name for the Microsoft Office add-in. +- **FullPath** The full path to the Microsoft Office add-in. +- **InventoryVersion** The version of the inventory binary generating the events. +- **LoadBehavior** Integer that describes the load behavior. +- **LoadTime** Load time for the Office add-in. +- **OfficeApplication** The Microsoft Office application associated with the add-in. +- **OfficeArchitecture** The architecture of the add-in. +- **OfficeVersion** The Microsoft Office version for this add-in. +- **OutlookCrashingAddin** Indicates whether crashes have been found for this add-in. +- **ProductCompany** The name of the company associated with the Office add-in. +- **ProductName** The product name associated with the Microsoft Office add-in. +- **ProductVersion** The version associated with the Office add-in. +- **ProgramId** The unique program identifier of the Microsoft Office add-in. +- **Provider** Name of the provider for this add-in. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync + +This event indicates that a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd + +Provides data on the Office identifiers. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OAudienceData** Sub-identifier for Microsoft Office release management, identifying the pilot group for a device +- **OAudienceId** Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device +- **OMID** Identifier for the Office SQM Machine +- **OPlatform** Whether the installed Microsoft Office product is 32-bit or 64-bit +- **OTenantId** Unique GUID representing the Microsoft O365 Tenant +- **OVersion** Installed version of Microsoft Office. For example, 16.0.8602.1000 +- **OWowMID** Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft Office on 64-bit Windows) + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd + +Provides data on Office-related Internet Explorer features. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OIeFeatureAddon** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the user or by administrative group policy will also be disabled in applications that enable this feature. +- **OIeMachineLockdown** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on content loaded from the user's local machine, which helps prevent malicious behavior involving local files. +- **OIeMimeHandling** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely. Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) +- **OIeMimeSniffing** Flag indicating which Microsoft Office products have this setting enabled. Determines a file's type by examining its bit signature. Windows Internet Explorer uses this information to determine how to render the file. The FEATURE_MIME_SNIFFING feature, when enabled, allows to be set differently for each security zone by using the URLACTION_FEATURE_MIME_SNIFFING URL action flag +- **OIeNoAxInstall** Flag indicating which Microsoft Office products have this setting enabled. When a webpage attempts to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request. When a webpage tries to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request +- **OIeNoDownload** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_RESTRICT_FILEDOWNLOAD feature blocks file download requests that navigate to a resource, that display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click or key press). Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) +- **OIeObjectCaching** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_OBJECT_CACHING feature prevents webpages from accessing or instantiating ActiveX controls cached from different domains or security contexts +- **OIePasswordDisable** Flag indicating which Microsoft Office products have this setting enabled. After Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2), Internet Explorer no longer allows usernames and passwords to be specified in URLs that use the HTTP or HTTPS protocols. URLs using other protocols, such as FTP, still allow usernames and passwords +- **OIeSafeBind** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SAFE_BINDTOOBJECT feature performs additional safety checks when calling MonikerBindToObject to create and initialize Microsoft ActiveX controls. Specifically, prevent the control from being created if COMPAT_EVIL_DONT_LOAD is in the registry for the control +- **OIeSecurityBand** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled, the Information bar appears when file download or code installation is restricted +- **OIeUncSaveCheck** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_UNC_SAVEDFILECHECK feature enables the Mark of the Web (MOTW) for local files loaded from network locations that have been shared by using the Universal Naming Convention (UNC) +- **OIeValidateUrl** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_VALIDATE_NAVIGATE_URL feature control prevents Windows Internet Explorer from navigating to a badly formed URL +- **OIeWebOcPopup** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_WEBOC_POPUPMANAGEMENT feature allows applications hosting the WebBrowser Control to receive the default Internet Explorer pop-up window management behavior +- **OIeWinRestrict** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_WINDOW_RESTRICTIONS feature adds several restrictions to the size and behavior of popup windows +- **OIeZoneElevate** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_ZONE_ELEVATION feature prevents pages in one zone from navigating to pages in a higher security zone unless the navigation is generated by the user + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd + +This event provides insight data on the installed Office products + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OfficeApplication** The name of the Office application. +- **OfficeArchitecture** The bitness of the Office application. +- **OfficeVersion** The version of the Office application. +- **Value** The insights collected about this entity. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync + +This diagnostic event indicates that a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd + +Describes Office Products installed. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OC2rApps** A GUID the describes the Office Click-To-Run apps +- **OC2rSkus** Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example, Office 2016 ProPlus +- **OMsiApps** Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word +- **OProductCodes** A GUID that describes the Office MSI products + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd + +This event describes various Office settings + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **BrowserFlags** Browser flags for Office-related products +- **ExchangeProviderFlags** Provider policies for Office Exchange +- **InventoryVersion** The version of the inventory binary generating the events. +- **SharedComputerLicensing** Office shared computer licensing policies + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync + +Indicates a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd + +This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Design** Count of files with design issues found. +- **Design_x64** Count of files with 64 bit design issues found. +- **DuplicateVBA** Count of files with duplicate VBA code. +- **HasVBA** Count of files with VBA code. +- **Inaccessible** Count of files that were inaccessible for scanning. +- **InventoryVersion** The version of the inventory binary generating the events. +- **Issues** Count of files with issues detected. +- **Issues_x64** Count of files with 64-bit issues detected. +- **IssuesNone** Count of files with no issues detected. +- **IssuesNone_x64** Count of files with no 64-bit issues detected. +- **Locked** Count of files that were locked, preventing scanning. +- **NoVBA** Count of files with no VBA inside. +- **Protected** Count of files that were password protected, preventing scanning. +- **RemLimited** Count of files that require limited remediation changes. +- **RemLimited_x64** Count of files that require limited remediation changes for 64-bit issues. +- **RemSignificant** Count of files that require significant remediation changes. +- **RemSignificant_x64** Count of files that require significant remediation changes for 64-bit issues. +- **Score** Overall compatibility score calculated for scanned content. +- **Score_x64** Overall 64-bit compatibility score calculated for scanned content. +- **Total** Total number of files scanned. +- **Validation** Count of files that require additional manual validation. +- **Validation_x64** Count of files that require additional manual validation for 64-bit issues. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd + +This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Count** Count of total Microsoft Office VBA rule violations +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync + +This event indicates that a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd + +Provides data on Unified Update Platform (UUP) products and what version they are at. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Identifier** UUP identifier +- **LastActivatedVersion** Last activated version +- **PreviousVersion** Previous version +- **Source** UUP source +- **Version** UUP version + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.Indicators.Checksum + +This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events. + +The following fields are available: + +- **CensusId** A unique hardware identifier. +- **ChecksumDictionary** A count of each operating system indicator. +- **PCFP** Equivalent to the InventoryId field that is found in other core events. + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd + +These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **IndicatorValue** The indicator value. +- **Value** Describes an operating system indicator that may be relevant for the device upgrade. + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove + +This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync + +This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +## Kernel events + +### IO + +This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon system startup. + +The following fields are available: + +- **BytesRead** The total number of bytes read from or read by the OS upon system startup. +- **BytesWritten** The total number of bytes written to or written by the OS upon system startup. +- **f** No content is currently available. See [f](#f). + + +### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch + +OS information collected during Boot, used to evaluate the success of the upgrade process. + +The following fields are available: + +- **BootApplicationId** This field tells us what the OS Loader Application Identifier is. +- **BootAttemptCount** The number of consecutive times the boot manager has attempted to boot into this operating system. +- **BootSequence** The current Boot ID, used to correlate events related to a particular boot session. +- **BootStatusPolicy** Identifies the applicable Boot Status Policy. +- **BootType** Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume"). +- **EventTimestamp** Seconds elapsed since an arbitrary time point. This can be used to identify the time difference in successive boot attempts being made. +- **FirmwareResetReasonEmbeddedController** Reason for system reset provided by firmware. +- **FirmwareResetReasonEmbeddedControllerAdditional** Additional information on system reset reason provided by firmware if needed. +- **FirmwareResetReasonPch** Reason for system reset provided by firmware. +- **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed. +- **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware. +- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See [IO](#io). +- **LastBootSucceeded** Flag indicating whether the last boot was successful. +- **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful. +- **MaxAbove4GbFreeRange** This field describes the largest memory range available above 4Gb. +- **MaxBelow4GbFreeRange** This field describes the largest memory range available below 4Gb. +- **MeasuredLaunchPrepared** This field tells us if the OS launch was initiated using Measured/Secure Boot over DRTM (Dynamic Root of Trust for Measurement). +- **MeasuredLaunchResume** This field tells us if Dynamic Root of Trust for Measurement (DRTM) was used when resuming from hibernation. +- **MenuPolicy** Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.). +- **RecoveryEnabled** Indicates whether recovery is enabled. +- **SecureLaunchPrepared** This field indicates if DRTM was prepared during boot. +- **TcbLaunch** Indicates whether the Trusted Computing Base was used during the boot flow. +- **UserInputTime** The amount of time the loader application spent waiting for user input. + + +## Miracast events + +### Microsoft.Windows.Cast.Miracast.MiracastSessionEnd + +This event sends data at the end of a Miracast session that helps determine RTSP related Miracast failures along with some statistics about the session + +The following fields are available: + +- **AudioChannelCount** The number of audio channels. +- **AudioSampleRate** The sample rate of audio in terms of samples per second. +- **AudioSubtype** The unique subtype identifier of the audio codec (encoding method) used for audio encoding. +- **AverageBitrate** The average video bitrate used during the Miracast session, in bits per second. +- **AverageDataRate** The average available bandwidth reported by the WiFi driver during the Miracast session, in bits per second. +- **AveragePacketSendTimeInMs** The average time required for the network to send a sample, in milliseconds. +- **ConnectorType** The type of connector used during the Miracast session. +- **EncodeAverageTimeMS** The average time to encode a frame of video, in milliseconds. +- **EncodeCount** The count of total frames encoded in the session. +- **EncodeMaxTimeMS** The maximum time to encode a frame, in milliseconds. +- **EncodeMinTimeMS** The minimum time to encode a frame, in milliseconds. +- **EncoderCreationTimeInMs** The time required to create the video encoder, in milliseconds. +- **ErrorSource** Identifies the component that encountered an error that caused a disconnect, if applicable. +- **FirstFrameTime** The time (tick count) when the first frame is sent. +- **FirstLatencyMode** The first latency mode. +- **FrameAverageTimeMS** Average time to process an entire frame, in milliseconds. +- **FrameCount** The total number of frames processed. +- **FrameMaxTimeMS** The maximum time required to process an entire frame, in milliseconds. +- **FrameMinTimeMS** The minimum time required to process an entire frame, in milliseconds. +- **Glitches** The number of frames that failed to be delivered on time. +- **HardwareCursorEnabled** Indicates if hardware cursor was enabled when the connection ended. +- **HDCPState** The state of HDCP (High-bandwidth Digital Content Protection) when the connection ended. +- **HighestBitrate** The highest video bitrate used during the Miracast session, in bits per second. +- **HighestDataRate** The highest available bandwidth reported by the WiFi driver, in bits per second. +- **LastLatencyMode** The last reported latency mode. +- **LogTimeReference** The reference time, in tick counts. +- **LowestBitrate** The lowest video bitrate used during the Miracast session, in bits per second. +- **LowestDataRate** The lowest video bitrate used during the Miracast session, in bits per second. +- **MediaErrorCode** The error code reported by the media session, if applicable. +- **MiracastEntry** The time (tick count) when the Miracast driver was first loaded. +- **MiracastM1** The time (tick count) when the M1 request was sent. +- **MiracastM2** The time (tick count) when the M2 request was sent. +- **MiracastM3** The time (tick count) when the M3 request was sent. +- **MiracastM4** The time (tick count) when the M4 request was sent. +- **MiracastM5** The time (tick count) when the M5 request was sent. +- **MiracastM6** The time (tick count) when the M6 request was sent. +- **MiracastM7** The time (tick count) when the M7 request was sent. +- **MiracastSessionState** The state of the Miracast session when the connection ended. +- **MiracastStreaming** The time (tick count) when the Miracast session first started processing frames. +- **ProfileCount** The count of profiles generated from the receiver M4 response. +- **ProfileCountAfterFiltering** The count of profiles after filtering based on available bandwidth and encoder capabilities. +- **RefreshRate** The refresh rate set on the remote display. +- **RotationSupported** Indicates if the Miracast receiver supports display rotation. +- **RTSPSessionId** The unique identifier of the RTSP session. This matches the RTSP session ID for the receiver for the same session. +- **SessionGuid** The unique identifier of to correlate various Miracast events from a session. +- **SinkHadEdid** Indicates if the Miracast receiver reported an EDID. +- **SupportMicrosoftColorSpaceConversion** Indicates whether the Microsoft color space conversion for extra color fidelity is supported by the receiver. +- **SupportsMicrosoftDiagnostics** Indicates whether the Miracast receiver supports the Microsoft Diagnostics Miracast extension. +- **SupportsMicrosoftFormatChange** Indicates whether the Miracast receiver supports the Microsoft Format Change Miracast extension. +- **SupportsMicrosoftLatencyManagement** Indicates whether the Miracast receiver supports the Microsoft Latency Management Miracast extension. +- **SupportsMicrosoftRTCP** Indicates whether the Miracast receiver supports the Microsoft RTCP Miracast extension. +- **SupportsMicrosoftVideoFormats** Indicates whether the Miracast receiver supports Microsoft video format for 3:2 resolution. +- **SupportsWiDi** Indicates whether Miracast receiver supports Intel WiDi extensions. +- **TeardownErrorCode** The error code reason for teardown provided by the receiver, if applicable. +- **TeardownErrorReason** The text string reason for teardown provided by the receiver, if applicable. +- **UIBCEndState** Indicates whether UIBC was enabled when the connection ended. +- **UIBCEverEnabled** Indicates whether UIBC was ever enabled. +- **UIBCStatus** The result code reported by the UIBC setup process. +- **VideoBitrate** The starting bitrate for the video encoder. +- **VideoCodecLevel** The encoding level used for encoding, specific to the video subtype. +- **VideoHeight** The height of encoded video frames. +- **VideoSubtype** The unique subtype identifier of the video codec (encoding method) used for video encoding. +- **VideoWidth** The width of encoded video frames. +- **WFD2Supported** Indicates if the Miracast receiver supports WFD2 protocol. + + +## OneDrive events + +### Microsoft.OneDrive.Sync.Setup.APIOperation + +This event includes basic data about install and uninstall OneDrive API operations. + +The following fields are available: + +- **APIName** The name of the API. +- **Duration** How long the operation took. +- **IsSuccess** Was the operation successful? +- **ResultCode** The result code. +- **ScenarioName** The name of the scenario. + + +### Microsoft.OneDrive.Sync.Setup.EndExperience + +This event includes a success or failure summary of the installation. + +The following fields are available: + +- **APIName** The name of the API. +- **HResult** HResult of the operation +- **IsSuccess** Whether the operation is successful or not +- **ScenarioName** The name of the scenario. + + +### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation + +This event is related to the OS version when the OS is upgraded with OneDrive installed. + +The following fields are available: + +- **CurrentOneDriveVersion** The current version of OneDrive. +- **CurrentOSBuildBranch** The current branch of the operating system. +- **CurrentOSBuildNumber** The current build number of the operating system. +- **CurrentOSVersion** The current version of the operating system. +- **HResult** The HResult of the operation. +- **SourceOSBuildBranch** The source branch of the operating system. +- **SourceOSBuildNumber** The source build number of the operating system. +- **SourceOSVersion** The source version of the operating system. + + +### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation + +This event is related to registering or unregistering the OneDrive update task. + +The following fields are available: + +- **APIName** The name of the API. +- **IsSuccess** Was the operation successful? +- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation. +- **ScenarioName** The name of the scenario. +- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation. + + +### Microsoft.OneDrive.Sync.Updater.ComponentInstallState + +This event includes basic data about the installation state of dependent OneDrive components. + +The following fields are available: + +- **ComponentName** The name of the dependent component. +- **isInstalled** Is the dependent component installed? + + +### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus + +This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken + +The following fields are available: + +- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system. +- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system. + + +### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult + +This event sends information describing the result of the update. + +The following fields are available: + +- **hr** The HResult of the operation. +- **IsLoggingEnabled** Indicates whether logging is enabled for the updater. +- **UpdaterVersion** The version of the updater. + + +### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult + +This event determines the status when downloading the OneDrive update configuration file. + +The following fields are available: + +- **hr** The HResult of the operation. + + +### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus + +This event determines the error code that was returned when verifying Internet connectivity. + +The following fields are available: + +- **winInetError** The HResult of the operation. + + +## Privacy consent logging events + +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted + +This event is used to determine whether the user successfully completed the privacy consent experience. + +The following fields are available: + +- **presentationVersion** Which display version of the privacy consent experience the user completed +- **privacyConsentState** The current state of the privacy consent experience +- **settingsVersion** Which setting version of the privacy consent experience the user completed +- **userOobeExitReason** The exit reason of the privacy consent experience + + +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus + +Event tells us effectiveness of new privacy experience. + +The following fields are available: + +- **isAdmin** whether the person who is logging in is an admin +- **isExistingUser** whether the account existed in a downlevel OS +- **isLaunching** Whether or not the privacy consent experience will be launched +- **isSilentElevation** whether the user has most restrictive UAC controls +- **privacyConsentState** whether the user has completed privacy experience +- **userRegionCode** The current user's region setting + + +### wilActivity + +This event provides a Windows Internal Library context used for Product and Service diagnostics. + +The following fields are available: + +- **-149ngContextMessage** No content is currently available. +- **3645entContextName** No content is currently available. +- **379rentContextName** No content is currently available. +- **532rentContextName** No content is currently available. +- **677rentContextName** No content is currently available. +- **8108entContextName** No content is currently available. +- **8251entContextName** No content is currently available. +- **902rentContextName** No content is currently available. +- **9567ngContextMessage** No content is currently available. +- **9717ngContextMessage** No content is currently available. +- **callContext** The function where the failure occurred. +- **currentContextId** The ID of the current call context where the failure occurred. +- **currentContextMessage** The message of the current call context where the failure occurred. +- **currentContextMessaon** No content is currently available. +- **currentContextName** The name of the current call context where the failure occurred. +- **failureCount** The number of failures for this failure ID. +- **failureId** The ID of the failure that occurred. +- **failureType** The type of the failure that occurred. +- **fileName** The file name where the failure occurred. +- **functige** No content is currently available. +- **function** The function where the failure occurred. +- **hresult** The HResult of the overall activity. +- **lineNumber** The line number where the failure occurred. +- **message** The message of the failure that occurred. +- **module** The module where the failure occurred. +- **ori1-0467ngContextMessage** No content is currently available. +- **ori1-1210ngContextMessage** No content is currently available. +- **ori1143-7ngContextMessage** No content is currently available. +- **ori1-1945ngContextMessage** No content is currently available. +- **ori13s090ngContextMessage** No content is currently available. +- **ori1-4671entContextName** No content is currently available. +- **ori1-5108ngContextMessage** No content is currently available. +- **ori1-5686ngContextMessage** No content is currently available. +- **ori1n:667ngContextMessage** No content is currently available. +- **ori1n8488ngContextMessage** No content is currently available. +- **ori1-s4o5ngContextMessage** No content is currently available. +- **ori808467ngContextMessage** No content is currently available. +- **originatingContextId** The ID of the originating call context that resulted in the failure. +- **originatingContextMessage** The message of the originating call context that resulted in the failure. +- **originatingContextName** The name of the originating call context that resulted in the failure. +- **threadId** The ID of the thread on which the activity is executing. + + +## Sediment events + +### Microsoft.Windows.Sediment.Info.DetailedState + +This event is sent when detailed state information is needed from an update trial run. + +The following fields are available: + +- **Data** Data relevant to the state, such as what percent of disk space the directory takes up. +- **Id** Identifies the trial being run, such as a disk related trial. +- **ReleaseVer** The version of the component. +- **State** The state of the reporting data from the trial, such as the top-level directory analysis. +- **Time** The time the event was fired. + + +### Microsoft.Windows.Sediment.Info.Error + +This event indicates an error in the updater payload. This information assists in keeping Windows up to date. + +The following fields are available: + +- **FailureType** The type of error encountered. +- **FileName** The code file in which the error occurred. +- **HResult** The failure error code. +- **LineNumber** The line number in the code file at which the error occurred. +- **ReleaseVer** The version information for the component in which the error occurred. +- **Time** The system time at which the error occurred. + + +### Microsoft.Windows.Sediment.Info.PhaseChange + +The event indicates progress made by the updater. This information assists in keeping Windows up to date. + +The following fields are available: + +- **NewPhase** The phase of progress made. +- **ReleaseVer** The version information for the component in which the change occurred. +- **Time** The system time at which the phase chance occurred. + + +## Setup events + +### SetupPlatformTel.SetupPlatformTelActivityEvent + +This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date. + +The following fields are available: + +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **Value** Value associated with the corresponding event name. For example, time-related events will include the system time + + +### SetupPlatformTel.SetupPlatformTelActivityStarted + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + +The following fields are available: + +- **Name** The name of the dynamic update type. Example: GDR driver + + +### SetupPlatformTel.SetupPlatformTelActivityStopped + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + + + +### SetupPlatformTel.SetupPlatformTelEvent + +This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios. + +The following fields are available: + +- **Falue** No content is currently available. +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. + + +## Software update events + +### SoftwareUpdateClientTelemetry.CheckForUpdates + +Scan process event on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). + +The following fields are available: + +- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. +- **AllowCachedResults** Indicates if the scan allowed using cached results. +- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. +- **BranchReadinessLevel** The servicing branch configured on the device. +- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated. +- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. +- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0. +- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown +- **CurrentMobileOperator** The mobile operator the device is currently connected to. +- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). +- **DeferredUpdates** Update IDs which are currently being deferred until a later time +- **DeviceModel** What is the device model. +- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. +- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. +- **DriverSyncPassPerformed** Were drivers scanned this time? +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **ExtendedetadataICabUrl** No content is currently available. +- **ExtendedMetadataCabUrl** Hostname that is used to download an update. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. +- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. +- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. +- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days). +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days). +- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). +- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IPVersion** Indicates whether the download took place over IPv4 or IPv6 +- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. +- **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. +- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce +- **MSIError** The last error that was encountered during a scan for updates. +- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 +- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete +- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked +- **NumberOfLoop** The number of round trips the scan required +- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan +- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan +- **NumFailedetadataISignatures** No content is currently available. +- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. +- **Online** Indicates if this was an online scan. +- **PausedUpdates** A list of UpdateIds which that currently being paused. +- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window. +- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window. +- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window. +- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window. +- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced. +- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. +- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days). +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days). +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **ScanDurationInSeconds** The number of seconds a scan took +- **ScanEnqueueTime** The number of seconds it took to initialize a scan +- **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). +- **ServiceUrl** The environment URL a device is configured to scan with +- **ShippingMobileOperator** The mobile operator that a device shipped on. +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). +- **SyncType** Describes the type of scan the event was +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. +- **TotalNumetadataISignatures** No content is currently available. +- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. +- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### SoftwareUpdateClientTelemetry.Commit + +This event tracks the commit process post the update installation when software update client is trying to update the device. + +The following fields are available: + +- **BiosFamily** Device family as defined in the system BIOS +- **BiosName** Name of the system BIOS +- **BiosReleaseDate** Release date of the system BIOS +- **BiosSKUNumber** Device SKU as defined in the system BIOS +- **BIOSVendor** Vendor of the system BIOS +- **BiosVersion** Version of the system BIOS +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRevisionNumbe2** No content is currently available. +- **BundleRevisionNumber** Identifies the revision number of the content bundle +- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** Version number of the software distribution client +- **DeploymentProviderMode** The mode of operation of the update deployment provider. +- **DeviceModel** Device model as defined in the system bios +- **EventInstanceID** A globally unique identifier for event instance +- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver". +- **FlightId** The specific id of the flight the device is getting +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) +- **RevisionNumber** Identifies the revision number of this specific piece of content +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) +- **SystemBIOSMajorRelease** Major release version of the system bios +- **SystemBIOSMinorRelease** Minor release version of the system bios +- **UpdateId** Identifier associated with the specific piece of content +- **WUDeviceID** Unique device id controlled by the software distribution client + + +### SoftwareUpdateClientTelemetry.Download + +Download process event for target update on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). + +The following fields are available: + +- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded. +- **AppXBlockHalhFailures** No content is currently available. +- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload. +- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. +- **AppXBoockHashFailures** No content is currently available. +- **AppXDownloadScope** Indicates the scope of the download for application content. +- **AppXScope** Indicates the scope of the app download. +- **AppXScopr** No content is currently available. +- **B}ndleId** No content is currently available. +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. +- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. +- **BundleId** Identifier associated with the specific content bundle. +- **BundleRepeatFailCoqnt** No content is currently available. +- **BundleRepeatFailCoun.** No content is currently available. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). +- **BytesDownnoaded** No content is currently available. +- **C`llerApplicationName** No content is currently available. +- **CachedEngineVersion** The version of the “Self-Initiated Healing” (SIH) engine that is cached on the device, if applicable. +- **CallerApplicationname** No content is currently available. +- **CallerApplicationName** The name provided by the application that initiated API calls into the software distribution client. +- **CalLerApplicationName** No content is currently available. +- **CallerApplictionaName** No content is currently available. +- **CbsDownloadMethod** Indicates whether the download was a full- or a partial-file download. +- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. +- **CDNCotntryCode** No content is currently available. +- **CDNCoun.ryCdel** No content is currently available. +- **CDNCoundryCode** No content is currently available. +- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. +- **CDNd** No content is currently available. +- **CDNId** ID which defines which CDN the software distribution client downloaded the content from. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. +- **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. +- **CtatusCode** No content is currently available. +- **CurrentMobileOperator** The mobile operator the device is currently connected to. +- **DeviceModel** The model of the device. +- **DownhoadProps** No content is currently available. +- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. +- **DownloadProps** Information about the download operation properties in the form of a bitmask. +- **DownloadType** Differentiates the download type of “Self-Initiated Healing” (SIH) downloads between Metadata and Payload downloads. +- **DownloedPriority** No content is currently available. +- **DventInstanceID** No content is currently available. +- **e:4|SInstanceID** No content is currently available. +- **e:4|SScenario** No content is currently available. +- **E:4|State** No content is currently available. +- **EöentInstanceID** No content is currently available. +- **Eve.tScenario** No content is currently available. +- **EventInst.9ceID** No content is currently available. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventInstAnceID** No content is currently available. +- **EventPype** No content is currently available. +- **EventScanario** No content is currently available. +- **eventScenario** No content is currently available. +- **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed. +- **EventType** Identifies the type of the event (Child, Bundle, or Driver). +- **EventTypr** No content is currently available. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. +- **ExtendedtartusCdel** No content is currently available. +- **FeatureUpdatePaser** No content is currently available. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **Fli.c9BuildNumber** No content is currently available. +- **Fli.c9Id** No content is currently available. +- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). +- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. +- **FlightId** The specific ID of the flight (pre-release build) the device is getting. +- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). +- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. +- **HospName** No content is currently available. +- **HostName** The hostname URL the content is downloading from. +- **Hst.Name** No content is currently available. +- **IPVersion** Indicates whether the download took place over IPv4 or IPv6. +- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update +- **IsWQfBEnabled** No content is currently available. +- **IsWUfBDualCcanEnabled** No content is currently available. +- **IsWUfBdualScanEnabled** No content is currently available. +- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnablad** No content is currently available. +- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. +- **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. +- **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) +- **NetworkCst.** No content is currently available. +- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." +- **NetworkRestrictiontartus** No content is currently available. +- **oadPriority** No content is currently available. +- **PackageFullName** The package name of the content. +- **PegulationResult** No content is currently available. +- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. +- **PostDnldDime** No content is currently available. +- **PostDnldTime** Time (in seconds) taken to signal download completion after the last job completed downloading the payload. +- **ProcessName** The process name of the application that initiated API calls, in the event where CallerApplicationName was not provided. +- **Pst.DnldTime** No content is currently available. +- **PvocessName** No content is currently available. +- **QpdateId** No content is currently available. +- **QualityreUpdaPause** No content is currently available. +- **QualityUpdatePa}se** No content is currently available. +- **QualityUpdatePaser** No content is currently available. +- **QualityUpdatePatse** No content is currently available. +- **QualityUpdatePausa** No content is currently available. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RdvisionNumber** No content is currently available. +- **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background. +- **ReguiationResult** No content is currently available. +- **RegulationReason** The reason that the update is regulated +- **regulationResult** No content is currently available. +- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. +- **RegulatIonResult** No content is currently available. +- **ReiatedCV** No content is currently available. +- **RelatedCS** No content is currently available. +- **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. +- **RelntedCV** No content is currently available. +- **RepeatFailCoun.** No content is currently available. +- **RepeatFailCount** Indicates whether this specific content has previously failed. +- **RepeatFailFlag** Indicates whether this specific content previously failed to download. +- **RevisionNumber** The revision number of the specified piece of content. +- **SericeCGuid** No content is currently available. +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. +- **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. +- **SizeCalcTime** Time (in seconds) taken to calculate the total download size of the payload. +- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **TargetMetadataVersion** The version of the currently downloading (or most recently downloaded) package. +- **tartusCdel** No content is currently available. +- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet. +- **TimeToEstablishConnection** Time (in milliseconds) it took to establish the connection prior to beginning downloaded. +- **tizeCalcTime** No content is currently available. +- **TotalExpectedBytes** The total size (in Bytes) expected to be downloaded. +- **Upda|eImportance** No content is currently available. +- **UpdateId** An identifier associated with the specific piece of content. +- **UpdateID** An identifier associated with the specific piece of content. +- **UpdateImporEvent** No content is currently available. +- **UpdateImpornstan** No content is currently available. +- **UpdateImport.9ce** No content is currently available. +- **UpdateImportance** Indicates whether the content was marked as Important, Recommended, or Optional. +- **Use** No content is currently available. +- **UsedDO** Indicates whether the download used the Delivery Optimization (DO) service. +- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive. +- **WUDericeID** No content is currently available. +- **WUDeviceId** No content is currently available. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +- **WUDviceCID** No content is currently available. + + +### SoftwareUpdateClientTelemetry.DownloadCheckpoint + +This event provides a checkpoint between each of the Windows Update download phases for UUP content + +The following fields are available: + +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** The version number of the software distribution client +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver" +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough +- **FileId** A hash that uniquely identifies a file +- **FileName** Name of the downloaded file +- **FlightId** The unique identifier for each flight +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RevisionNumber** Unique revision number of Update +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.) +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult) +- **UpdateId** Unique Update ID +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue + + +### SoftwareUpdateClientTelemetry.DownloadHeartbeat + +This event allows tracking of ongoing downloads and contains data to explain the current state of the download + +The following fields are available: + +- **BytesTotal** Total bytes to transfer for this content +- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat +- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** The version number of the software distribution client +- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat +- **CurrentError** Last (transient) error encountered by the active download +- **DownloadFlags** Flags indicating if power state is ignored +- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing) +- **EventType** Possible values are "Child", "Bundle", or "Driver" +- **FlightId** The unique identifier for each flight +- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered" +- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any +- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any +- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one +- **ResumeCount** Number of times this active download has resumed from a suspended state +- **RevisionNumber** Identifies the revision number of this specific piece of content +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) +- **SuspendCount** Number of times this active download has entered a suspended state +- **SuspendReason** Last reason for why this active download entered a suspended state +- **UpdateId** Identifier associated with the specific piece of content +- **WUDeviceID** Unique device id controlled by the software distribution client + + +### SoftwareUpdateClientTelemetry.Install + +This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date. + +The following fields are available: + +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRepeatFailCoun.** No content is currently available. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to install. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **CallerApplictionaName** No content is currently available. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0. +- **CSIErrorType** The stage of CBS installation where it failed. +- **CSIErrorTypr** No content is currently available. +- **CurrentMobileOperator** The mobile operator to which the device is currently connected. +- **DeploymentProviderMode** The mode of operation of the update deployment provider. +- **DeviceModel** The device model. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoverqIds** No content is currently available. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. +- **DriverRecoverySds** No content is currently available. +- **DriverRecownloIds** No content is currently available. +- **EvåntInstanceID** No content is currently available. +- **Even|InstanceID** No content is currently available. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventInstapceID** No content is currently available. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. +- **EventType** Possible values are Child, Bundle, or Driver. +- **EventTypr** No content is currently available. +- **ExtendedErrorCdel** No content is currently available. +- **ExtendedErrorCode** The extended error code. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough. +- **ExtendedtartusCdel** No content is currently available. +- **ExtendefStatusCode** No content is currently available. +- **FeatureUpdatePaser** No content is currently available. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FeatureUpdateUause** No content is currently available. +- **FlightBranch** The branch that a device is on if participating in the Windows Insider Program. +- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **FlightRing** The ring that a device is on if participating in the Windows Insider Program. +- **HandlerType** Indicates what kind of content is being installed (for example, app, driver, Windows update). +- **HandlerTypr** No content is currently available. +- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. +- **InstallProps** A bitmask for future flags associated with the install operation. No value is currently reported in this field. Expected value for this field is 0. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IsDependentSet** Indicates whether the driver is part of a larger System Hardware/Firmware update. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether this update is a firmware update. +- **IsKcfBDualScanEnabled** No content is currently available. +- **IsKcfBEnabled** No content is currently available. +- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. +- **IsSuccessFailurePostReotId** No content is currently available. +- **IsSuccessFailurePst.Reboot** No content is currently available. +- **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. +- **IsWufBEnabled** No content is currently available. +- **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. +- **IsWVfBDualScanEnabled** No content is currently available. +- **IsWVfBEnabled** No content is currently available. +- **lundleId** No content is currently available. +- **lundleRepeatFailCount** No content is currently available. +- **lundleRevisionNumber** No content is currently available. +- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. +- **MsiAction** The stage of MSI installation where it failed. +- **MsiProductCdel** No content is currently available. +- **MsiProductCode** The unique identifier of the MSI installer. +- **PackageBullName** No content is currently available. +- **PackageFullName** The package name of the content being installed. +- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced. +- **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided. +- **QualityUpdatePaser** No content is currently available. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **QualityUpdateUause** No content is currently available. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RepeatFailCoun.** No content is currently available. +- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. +- **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. +- **RevisionNumber** The revision number of this specific piece of content. +- **SericeCGuid** No content is currently available. +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). +- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. +- **ShippingMobileOperator** The mobile operator that a device shipped on. +- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersaon** No content is currently available. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **TargetingVession** No content is currently available. +- **tartusCdel** No content is currently available. +- **TransactionCdel** No content is currently available. +- **TransactionCode** The ID that represents a given MSI installation. +- **UpdateId** Unique update ID. +- **UpdateID** An identifier associated with the specific piece of content. +- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. +- **UpdateImportapce** No content is currently available. +- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive. +- **WUDdviceID** No content is currently available. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +- **WUDevi'eID** No content is currently available. +- **WUDviceCID** No content is currently available. + + +### SoftwareUpdateClientTelemetry.Revert + +Revert event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). + +The following fields are available: + +- **BundleId** Identifier associated with the specific content bundle. Should not be all zeros if the BundleId was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **CSIErrorType** Stage of CBS installation that failed. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **EventType** Event type (Child, Bundle, Release, or Driver). +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of the flight. +- **FlightId** The specific ID of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **UpdateId** The identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device's main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.TaskRun + +Start event for Server Initiated Healing client. See EventScenario field for specifics (for example, started/completed). + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CmdLineArgs** Command line arguments passed in by the caller. +- **EventInstanceID** A globally unique identifier for the event instance. +- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.Uninstall + +Uninstall event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). + +The following fields are available: + +- **BundleId** The identifier associated with the specific content bundle. This should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of the application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers when a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of the event (a scan started, succeded, failed, etc.). +- **EventType** Indicates the event type. Possible values are "Child", "Bundle", "Release" or "Driver". +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of the flight. +- **FlightId** The specific ID of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If the download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **UpdateId** Identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.UpdateDetected + +This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates. + +The following fields are available: + +- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. +- **RelntedCV** No content is currently available. +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). +- **umberOfApplicableUpdates** No content is currently available. +- **WUDeviceID** The unique device ID controlled by the software distribution client. +- **xHDeviceID** No content is currently available. + + +### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity + +Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **CallerLoglicationName** No content is currently available. +- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments. +- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed. +- **ExtendedStatusCode** The secondary status code of the event. +- **ExtendefStatusCode** No content is currently available. +- **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed. +- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. +- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce +- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID). +- **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable. +- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. +- **RcwMode** No content is currently available. +- **RevisionId** The revision ID for a specific piece of content. +- **RevisionNumber** The revision number for a specific piece of content. +- **SedviceGuid** No content is currently available. +- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store +- **ServiceGuidEndpointUrl** No content is currently available. +- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. +- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. +- **SHA256OfTimestampToken** An encoded string of the timestamp token. +- **SignatureAlgorithm** The hash algorithm for the metadata signature. +- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast +- **StatusCode** The status code of the event. +- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token. +- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed. +- **UpdateId** The update ID for a specific piece of content. +- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. + + +## System Resource Usage Monitor events + +### Microsoft.Windows.Srum.Sdp.CpuUsage + +This event provides information on CPU usage. + +The following fields are available: + +- **UsageMax** The maximum of hourly average CPU usage. +- **UsageMean** The mean of hourly average CPU usage. +- **UsageMedian** The median of hourly average CPU usage. +- **UsageTwoHourMaxMean** The mean of the maximum of every two hour of hourly average CPU usage. +- **UsageTwoHourMedianMean** The mean of the median of every two hour of hourly average CPU usage. + + +### Microsoft.Windows.Srum.Sdp.NetworkUsage + +This event provides information on network usage. + +The following fields are available: + +- **AdapterGuid** The unique ID of the adapter. +- **BytesTotalMax** The maximum of the hourly average bytes total. +- **BytesTotalMean** The mean of the hourly average bytes total. +- **BytesTotalMedian** The median of the hourly average bytes total. +- **BytesTotalTwoHourMaxMean** The mean of the maximum of every two hours of hourly average bytes total. +- **BytesTotalTwoHourMedianMean** The mean of the median of every two hour of hourly average bytes total. +- **LinkSpeed** The adapter link speed. + + +## Update events + +### Update360Telemetry.Revert + +This event sends data relating to the Revert phase of updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the Revert phase. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **RebootRequired** Indicates reboot is required. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **RevertResult** The result code returned for the Revert operation. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. + + +### Update360Telemetry.UpdateAgentCommit + +This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the install phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentDownloadRequest + +This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. + +The following fields are available: + +- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted. +- **DownloadRequests** Number of times a download was retried. +- **ErrorCode** The error code returned for the current download request phase. +- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. +- **FlightId** Unique ID for each flight. +- **InternalFailureResult** Indicates a non-fatal error from a plugin. +- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable. +- **PackageCountOptional** Number of optional packages requested. +- **PackageCountRequired** Number of required packages requested. +- **PackageCountTotal** Total number of packages needed. +- **PackageCountTotalCanonical** Total number of canonical packages. +- **PackageCountTotalDiff** Total number of diff packages. +- **PackageCountTotalExpress** Total number of express packages. +- **PackageCountTotalPSFX** The total number of PSFX packages. +- **PackageExpressType** Type of express package. +- **PackageSizeCanonical** Size of canonical packages in bytes. +- **PackageSizeDiff** Size of diff packages in bytes. +- **PackageSizeExpress** Size of express packages in bytes. +- **PackageSizePSFX** The size of PSFX packages, in bytes. +- **RangeRequestState** Indicates the range request type used. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the download request phase of update. +- **SandboxTaggedForReserves** The sandbox for reserves. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases). +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentExpand + +This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **ElapsedTickCount** Time taken for expand phase. +- **EndFreeSpace** Free space after expand phase. +- **EndSandboxSize** Sandbox size after expand phase. +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **StartFreeSpace** Free space before expand phase. +- **StartSandboxSize** Sandbox size after expand phase. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentFellBackToCanonical + +This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **PackageCount** Number of packages that feel back to canonical. +- **PackageList** PackageIds which fell back to canonical. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentInitialize + +This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **essionData** No content is currently available. +- **FlightId** Unique ID for each flight. +- **FlightMetadata** Contains the FlightId and the build being flighted. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the install phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios). +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentInstall + +This event sends data for the install phase of updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. +- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **InternalFailureResult** Indicates a non-fatal error from a plugin. +- **ObjectId** Correlation vector value generated from the latest USO scan. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** The result for the current install phase. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentMerge + +The UpdateAgentMerge event sends data on the merge phase when updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the current merge phase. +- **FlightId** Unique ID for each flight. +- **MergeId** The unique ID to join two update sessions being merged. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Related correlation vector value. +- **Result** Outcome of the merge phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentMitigationResult + +This event sends data indicating the result of each update agent mitigation. + +The following fields are available: + +- **Applicable** Indicates whether the mitigation is applicable for the current update. +- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightId** Unique identifier for each flight. +- **Index** The mitigation index of this particular mitigation. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **Name** The friendly name of the mitigation. +- **ObjectId** Unique value for each Update Agent mode. +- **OperationIndex** The mitigation operation index (in the event of a failure). +- **OperationName** The friendly name of the mitigation operation (in the event of failure). +- **RegistryCount** The number of registry operations in the mitigation entry. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). +- **UpdateId** Unique ID for each Update. + + +### Update360Telemetry.UpdateAgentMitigationSummary + +This event sends a summary of all the update agent mitigations available for an this update. + +The following fields are available: + +- **Applicable** The count of mitigations that were applicable to the system and scenario. +- **Failed** The count of mitigations that failed. +- **FlightId** Unique identifier for each flight. +- **Friled** No content is currently available. +- **MitigationScenario** The update scenario in which the mitigations were attempted. +- **ObjectId** The unique value for each Update Agent mode. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. +- **TimeDiff** The amount of time spent performing all mitigations (in 100-nanosecond increments). +- **Total** Total number of mitigations that were available. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentModeStart + +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. + +The following fields are available: + +- **FlightId** Unique ID for each flight. +- **Mode** Indicates the mode that has started. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. +- **Version** Version of update + + +### Update360Telemetry.UpdateAgentOneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **Count** The count of applicable OneSettings for the device. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. +- **Values** The values sent back to the device, if applicable. + + +### Update360Telemetry.UpdateAgentPostRebootResult + +This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. + +The following fields are available: + +- **ErrorCode** The error code returned for the current post reboot phase. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **ObjectId** Unique value for each Update Agent mode. +- **PostRebootResult** Indicates the Hresult. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentReboot + +This event sends information indicating that a request has been sent to suspend an update. + +The following fields are available: + +- **ErrorCode** The error code returned for the current reboot. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. + + +### Update360Telemetry.UpdateAgentSetupBoxLaunch + +The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. + +The following fields are available: + +- **ContainsExpressPackage** Indicates whether the download package is express. +- **FlightId** Unique ID for each flight. +- **FreeSpace** Free space on OS partition. +- **InstallCount** Number of install attempts using the same sandbox. +- **ObjectId** Unique value for each Update Agent mode. +- **Quiet** Indicates whether setup is running in quiet mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **SandboxSize** Size of the sandbox. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **SetupMode** Mode of setup to be launched. +- **UpdateId** Unique ID for each Update. +- **UserSession** Indicates whether install was invoked by user actions. + + +## Update notification events + +### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat + +This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat. + +The following fields are available: + +- **CampaignConfigVersion** Configuration version for the current campaign. +- **CampaignID** Currently campaign that is running on Update Notification Pipeline (UNP). +- **ConfigCatalogVersion** Current catalog version of UNP. +- **ContentVersion** Content version for the current campaign on UNP. +- **CV** Correlation vector. +- **DetectorVersion** Most recently run detector version for the current campaign on UNP. +- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user. +- **PackageVersion** Current UNP package version. + + +## Upgrade events + +### FacilitatorTelemetry.DCATDownload + +This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **DownloadSize** Download size of payload. +- **ElapsedTime** Time taken to download payload. +- **MediaFallbackUsed** Used to determine if we used Media CompDBs to figure out package requirements for the upgrade. +- **ResultCode** Result returned by the Facilitator DCAT call. +- **Scenario** Dynamic update scenario (Image DU, or Setup DU). +- **Type** Type of package that was downloaded. +- **UpdateId** The ID of the update that was downloaded. + + +### FacilitatorTelemetry.DUDownload + +This event returns data about the download of supplemental packages critical to upgrading a device to the next version of Windows. + +The following fields are available: + +- **DownloadRequestAttributes** The attributes sent for download. +- **PackageCategoriesFailed** Lists the categories of packages that failed to download. +- **PackageCategoriesSkipped** Lists the categories of package downloads that were skipped. +- **ResultCode** The result of the event execution. +- **Scenario** Identifies the active Download scenario. +- **Url** The URL the download request was sent to. +- **Version** Identifies the version of Facilitator used. + + +### FacilitatorTelemetry.InitializeDU + +This event determines whether devices received additional or critical supplemental content during an OS upgrade. + +The following fields are available: + +- **DCATUrl** The Delivery Catalog (DCAT) URL we send the request to. +- **DownloadRequestAttributes** The attributes we send to DCAT. +- **ResultCode** The result returned from the initiation of Facilitator with the URL/attributes. +- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **Url** The Delivery Catalog (DCAT) URL we send the request to. +- **Version** Version of Facilitator. + + +### Setup360Telemetry.Downlevel + +This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the downlevel OS. +- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** More detailed information about phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback). +- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors). +- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT). +- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). +- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** An ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId. + + +### Setup360Telemetry.Finalize + +This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** More detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.OsUninstall + +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.PostRebootInstall + +This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback +- **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId. + + +### Setup360Telemetry.PreDownloadQuiet + +This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help keep Windows up to date. + +The following fields are available: + +- **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.PreDownloadUX + +This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS, to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion of the update process. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **HostOSBuildNumber** The build number of the previous operating system. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). +- **InstanceId** Unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). +- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.PreInstallQuiet + +This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT). +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.PreInstallUX + +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.Setup360 + +This event sends data about OS deployment scenarios, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FieldName** Retrieves the data point. +- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. +- **InstanãeId** No content is currently available. +- **InstanceId** Retrieves a unique identifier for each instance of a setup session. +- **ReportId** Retrieves the report ID. +- **ScenarioId** Retrieves the deployment scenario. +- **value** No content is currently available. +- **Value** Retrieves the value associated with the corresponding FieldName. + + +### Setup360Telemetry.Setup360DynamicUpdate + +This event helps determine whether the device received supplemental content during an operating system upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. +- **InstanceId** Retrieves a unique identifier for each instance of a setup session. +- **Operation** Facilitator’s last known operation (scan, download, etc.). +- **ReportId** ID for tying together events stream side. +- **ResultCode** Result returned for the entire setup operation. +- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **ScenarioId** Identifies the update scenario. +- **TargetBranch** Branch of the target OS. +- **TargetBuild** Build of the target OS. + + +### Setup360Telemetry.Setup360MitigationResult + +This event sends data indicating the result of each setup mitigation. + +The following fields are available: + +- **Applicable** TRUE if the mitigation is applicable for the current update. +- **ClientId** In the Windows Update scenario, this is the client ID passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightData** The unique identifier for each flight (test release). +- **Index** The mitigation index of this particular mitigation. +- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **Name** The friendly (descriptive) name of the mitigation. +- **OperationIndex** The mitigation operation index (in the event of a failure). +- **OperationName** The friendly (descriptive) name of the mitigation operation (in the event of failure). +- **RegistryCount** The number of registry operations in the mitigation entry. +- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. +- **Result** HResult of this operation. +- **ScenarioId** Setup360 flow type. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). + + +### Setup360Telemetry.Setup360MitigationSummary + +This event sends a summary of all the setup mitigations available for this update. + +The following fields are available: + +- **Applicable** The count of mitigations that were applicable to the system and scenario. +- **ClientId** The Windows Update client ID passed to Setup. +- **Failed** The count of mitigations that failed. +- **FlightData** The unique identifier for each flight (test release). +- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. +- **MitigationScenario** The update scenario in which the mitigations were attempted. +- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. +- **Result** HResult of this operation. +- **ScenarioId** Setup360 flow type. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). +- **Total** The total number of mitigations that were available. + + +### Setup360Telemetry.Setup360OneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **ClientId** The Windows Update client ID passed to Setup. +- **Count** The count of applicable OneSettings for the device. +- **FlightData** The ID for the flight (test instance version). +- **InstanceId** The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe. +- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. +- **ReportId** The Update ID passed to Setup. +- **Result** The HResult of the event error. +- **ScenarioId** The update scenario ID. +- **Values** Values sent back to the device, if applicable. + + +### Setup360Telemetry.UnexpectedEvent + +This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **o-Ste** No content is currently available. +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +## Windows as a Service diagnostic events + +### Microsoft.Windows.WaaSMedic.SummaryEvent + +Result of the WaaSMedic operation. + +The following fields are available: + +- **callerApplication** The name of the calling application. +- **detectionSummary** Result of each applicable detection that was run. +- **featureAssessmentImpact** WaaS Assessment impact for feature updates. +- **hrEngineResult** Error code from the engine operation. +- **insufficientSessions** Device not eligible for diagnostics. +- **isInteractiveMode** The user started a run of WaaSMedic. +- **isManaged** Device is managed for updates. +- **isWUConnected** Device is connected to Windows Update. +- **noMoreActions** No more applicable diagnostics. +- **qualityAssessmentImpact** WaaS Assessment impact for quality updates. +- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on. +- **usingBackupFeatureAssessment** Relying on backup feature assessment. +- **usingBackupQualityAssessment** Relying on backup quality assessment. +- **usingCachedFeatureAssessment** WaaS Medic run did not get OS build age from the network on the previous run. +- **usingCachedQualityAssessment** WaaS Medic run did not get OS revision age from the network on the previous run. +- **versionString** Version of the WaaSMedic engine. +- **waasMedicRunMode** Indicates whether this was a background regular run of the medic or whether it was triggered by a user launching Windows Update Troubleshooter. + + +## Windows Error Reporting events + +### Microsoft.Windows.WERVertical.OSCrash + +This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. + +The following fields are available: + +- **BootId** Uint32 identifying the boot number for this device. +- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check. +- **BugCheckPar%meter2** No content is currently available. +- **BugCheckParameter1** Uint64 parameter providing additional information. +- **BugCheckParameter2** Uint64 parameter providing additional information. +- **BugCheckParameter3** Uint64 parameter providing additional information. +- **BugCheckParameter4** Uint64 parameter providing additional information. +- **DumpFileAttributes** Codes that identify the type of data contained in the dump file +- **DumpFileSize** Size of the dump file +- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise +- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). + + +## Windows Error Reporting MTT events + +### Microsoft.Windows.WER.MTT.Denominator + +This event provides a denominator to calculate MTTF (mean-time-to-failure) for crashes and other errors, to help keep Windows up to date. + +The following fields are available: + +- **DPRange** Maximum mean value range. +- **DPValue** Randomized bit value (0 or 1) that can be reconstituted over a large population to estimate the mean. +- **Value** Standard UTC emitted DP value structure See [Value](#value). + + +### Value + +This event returns data about Mean Time to Failure (MTTF) for Windows devices. It is the primary means of estimating reliability problems in Basic Diagnostic reporting with very strong privacy guarantees. Since Basic Diagnostic reporting does not include system up-time, and since that information is important to ensuring the safe and stable operation of Windows, the data provided by this event provides that data in a manner which does not threaten a user’s privacy. + +The following fields are available: + +- **Algorithm** The algorithm used to preserve privacy. +- **DPRange** The upper bound of the range being measured. +- **DPValue** The randomized response returned by the client. +- **Epsilon** The level of privacy to be applied. +- **HistType** The histogram type if the algorithm is a histogram algorithm. +- **PertProb** The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”. + + +## Windows Store events + +### Microsoft.Windows.Store.StoreActivating + +This event sends tracking data about when the Store app activation via protocol URI is in progress, to help keep Windows up to date. + + + +### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation + +This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AggregatedPackageFullNcmes** No content is currently available. +- **AttemptNumber** Number of retry attempts before it was canceled. +- **BundleId** The Item Bundle ID. +- **Bundlele** No content is currently available. +- **CategoryId** The Item Category ID. +- **Categoryle** No content is currently available. +- **ClientAppId** The identity of the app that initiated this operation. +- **ClientApple** No content is currently available. +- **HResult** The result code of the last action performed before this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Was this requested by a user? +- **IsMandatory** Was this a mandatory update? +- **IsRemediation** Was this a remediation install? +- **IsRestore** Is this automatically restoring a previously acquired product? +- **IsUpdate** Flag indicating if this is an update. +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **ParentBundlele** No content is currently available. +- **PFN** The product family name of the product being installed. +- **Producele** No content is currently available. +- **ProductId** The identity of the package or packages being installed. +- **S{stemAttemptNumber** No content is currently available. +- **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled. +- **UserAttemptNumber** The total number of user attempts at installation before it was canceled. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds + +This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure. + + + +### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare + +This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure. + + + +### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation + +This event is sent when an app update or installation is canceled while in interactive mode. This can be canceled by the user or the system. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed. +- **AttemptNumber** Total number of installation attempts. +- **BundleId** The identity of the Windows Insider build that is associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Was this requested by a user? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this an automatic restore of a previously acquired product? +- **IsUpdate** Is this a product update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of all packages to be downloaded and installed. +- **PreviousHResult** The previous HResult code. +- **PreviousInstallState** Previous installation state before it was canceled. +- **ProductId** The name of the package or packages requested for installation. +- **RelatedCV** Correlation Vector of a previous performed action on this product. +- **SystemAttemptNumber** Total number of automatic attempts to install before it was canceled. +- **UserAttemptNumber** Total number of user attempts to install before it was canceled. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest + +This event is sent at the end of app installations or updates to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The Store Product ID of the app being installed. +- **HResult** HResult code of the action being performed. +- **IsBundle** Is this a bundle? +- **PackageFamilyName** The name of the package being installed. +- **ProductId** The Store Product ID of the product being installed. +- **SkuId** Specific edition of the item being installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense + +This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNaies** No content is currently available. +- **AggregatedpackageFullNames** No content is currently available. +- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set. +- **AttemptNumber** The total number of attempts to acquire this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** HResult code to show the result of the operation (success/failure). +- **IsBundle** Is this a bundle? +- **IsInteractive** Did the user initiate the installation? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this happening after a device restore? +- **IsUp`ate** No content is currently available. +- **IsUpdate** Is this an update? +- **ParentBuneleId** No content is currently available. +- **PFN** Product Family Name of the product being installed. +- **Produc|Id** No content is currently available. +- **productId** No content is currently available. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The number of attempts by the system to acquire this product. +- **UserAttemptNumber** The number of attempts by the user to acquire this product +- **UserCttemptNumber** No content is currently available. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndDownload + +This event is sent after an app is downloaded to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullLames** No content is currently available. +- **AggregatedPackageFullNaðes** No content is currently available. +- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. +- **AttemptNumber** Number of retry attempts before it was canceled. +- **BundleId** The identity of the Windows Insider build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **CategoryIf** No content is currently available. +- **ClientAppId** The identity of the app that initiated this operation. +- **DownloadSize** The total size of the download. +- **ExtendedHResult** Any extended HResult error codes. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this initiated by the user? +- **IsMandatory** Is this a mandatory installation? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this a restore of a previously acquired product? +- **IsUpdate** Is this an update? +- **ParentBundleId** The parent bundle ID (if it's part of a bundle). +- **PFN** The Product Family Name of the app being download. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The number of attempts by the system to download. +- **UserAttemptNum`er** No content is currently available. +- **UserAttemptNumber** The number of attempts by the user to download. +- **UserCttemptNumber** No content is currently available. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate + +This event is sent when an app update requires an updated Framework package and the process starts to download it. It is used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed before this operation. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds + +This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed before this operation. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndInstall + +This event is sent after a product has been installed to help keep Windows up-to-date and secure. + +The following fields are available: + +- **__TlgCÖ__** No content is currently available. +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **ExtendedHResult** The extended HResult error code. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this an interactive installation? +- **IsInteragtive** No content is currently available. +- **IsMandatory** Is this a mandatory installation? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this automatically restoring a previously acquired product? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** Product Family Name of the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates + +This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsApplicability** Is this request to only check if there are any applicable packages to install? +- **IsInteractive** Is this user requested? +- **IsOnline** Is the request doing an online check? + + +### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages + +This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData + +This event is sent after restoring user data (if any) that needs to be restored following a product install. It is used to keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of system attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare + +This event is sent after a scan for available app updates to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed. + + +### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete + +This event is sent at the end of an app install or update to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The name of the product catalog from which this app was chosen. +- **CatanogId** No content is currently available. +- **CatdlogId** No content is currently available. +- **FailedRetry** Indicates whether the installation or update retry was successful. +- **HResult** The HResult code of the operation. +- **JResult** No content is currently available. +- **PFN** The Package Family Name of the app that is being installed or updated. +- **Producele** No content is currently available. +- **ProductId** The product ID of the app that is being updated or installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate + +This event is sent at the beginning of an app install or update to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The name of the product catalog from which this app was chosen. +- **FulfillmentPluginId** The ID of the plugin needed to install the package type of the product. +- **PFN** The Package Family Name of the app that is being installed or updated. +- **PluginTelemetryData** Diagnostic information specific to the package-type plug-in. +- **ProductId** The product ID of the app that is being updated or installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest + +This event is sent when a product install or update is initiated, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **BundleId** The identity of the build associated with this product. +- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SkuId** Specific edition ID being installed. +- **VolumePath** The disk path of the installation. + + +### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation + +This event is sent when a product install or update is paused (either by a user or the system), to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The Product Full Name. +- **PreviousHResult** The result code of the last action performed before this operation. +- **PreviousInstallState** Previous state before the installation or update was paused. +- **ProductId** The Store Product ID for the product being installed. +- **RelatedCV** Correlation Vector of a previous performed action on this product. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation + +This event is sent when a product install or update is resumed (either by a user or the system), to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **categoryId** No content is currently available. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed before this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **IsUserRetry** Did the user initiate the retry? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **PreviousHResult** The previous HResult error code. +- **PreviousInstallState** Previous state before the installation was paused. +- **ProductId** The Store Product ID for the product being installed. +- **RelatedCV** Correlation Vector for the original install before it was resumed. +- **ResumeClientId** The ID of the app that initiated the resume operation. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest + +This event is sent when a product install or update is resumed by a user or on installation retries, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ProductId** The Store Product ID for the product being installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest + +This event is sent when searching for update packages to install, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The Store Catalog ID for the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SkuId** Specfic edition of the app being updated. + + +### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest + +This event occurs when an update is requested for an app, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **PFamN** The name of the app that is requested for update. + + +## Windows System Kit events + +### Microsoft.Windows.Kits.WSK.WskImageCreate + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures. + +The following fields are available: + +- **Phase** The image creation phase. Values are “Start” or “End”. +- **WskVersion** The version of the Windows System Kit being used. + + +### Microsoft.Windows.Kits.WSK.WskImageCustomization + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures. + +The following fields are available: + +- **CustomizationMode** Indicates the mode of the customization (new or updating). +- **CustomizationType** Indicates the type of customization (drivers or apps). +- **Mode** The mode of update to image configuration files. Values are “New” or “Update”. +- **Phase** The image creation phase. Values are “Start” or “End”. +- **Type** The type of update to image configuration files. Values are “Apps” or “Drivers”. +- **WskVersion** The version of the Windows System Kit being used. + + +### Microsoft.Windows.Kits.WSK.WskWorkspaceCreate + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new workspace for generating OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate workspace creation failures. + +The following fields are available: + +- **Architecture** The OS architecture that the workspace will target. Values are one of: “AMD64”, “ARM64”, “x86”, or “ARM”. +- **OsEdition** The Operating System Edition that the workspace will target. +- **Phase** The image creation phase. Values are “Start” or “End”. +- **WorkspaceArchitecture** The operating system architecture that the workspace will target. +- **WorkspaceOsEdition** The operating system edition that the workspace will target. +- **WskVersion** The version of the Windows System Kit being used. + + +## Windows Update Delivery Optimization events + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled + +This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download being done in the background? +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same group. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group. +- **bytesFromLinkLocalPeers** The number of bytes received from local peers. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **cdnIp** The IP Address of the source CDN (Content Delivery Network). +- **cdnUrl** The URL of the source CDN (Content Delivery Network). +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **errorCode** The error code that was returned. +- **experimentId** When running a test, this is used to correlate events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. +- **isVpn** Indicates whether the device is connected to a VPN (Virtual Private Network). +- **jobID** Identifier for the Windows Update job. +- **predefinedCallerName** The name of the API Caller. +- **reasonCode** Reason the action or event occurred. +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the file download session. +- **updateID** The ID of the update being downloaded. +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted + +This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **#dnErrorCounts** No content is currently available. +- **__TlgCVß_** No content is currently available. +- **|anConnectionCount** No content is currently available. +- **}plinkUsageBps** No content is currently available. +- **0redefinedCallerName** No content is currently available. +- **b6nConnectionCount** No content is currently available. +- **b6nErrorCodes** No content is currently available. +- **b6nErrorCounts** No content is currently available. +- **b6nIp** No content is currently available. +- **b6nUrl** No content is currently available. +- **background** Is the download a background download? +- **bytesFrkmIntPeers** No content is currently available. +- **bytesFromCacheSedver** No content is currently available. +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCdN** No content is currently available. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. +- **bytesFromIntÐeers** No content is currently available. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. +- **bytesFromLinkLocalPeers** The number of bytes received from local peers. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **bytesRequested** The total number of bytes requested for download. +- **cacheSarverConnectionCount** No content is currently available. +- **cacheSedverConnectionCount** No content is currently available. +- **cacheServerConndctionCount** No content is currently available. +- **cacheServerConnectionCoujt** No content is currently available. +- **cacheServerConnectionCount** Number of connections made to cache hosts. +- **cdnConnectionCount** The total number of connections made to the CDN. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **cdnIp** The IP address of the source CDN. +- **cdnSonnectionCount** No content is currently available. +- **cdnUrl** Url of the source Content Distribution Network (CDN). +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **dkwnloadModeSrc** No content is currently available. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **dowflinkBps** No content is currently available. +- **downlinkBps** The maximum measured available download bandwidth (in bytes per second). +- **downlinkUsageBps** The download speed (in bytes per second). +- **downloadMode** The download mode used for this file download session. +- **doWnloadMode** No content is currently available. +- **downloadModeReason** Reason for the download. +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **downloadMofeSrc** No content is currently available. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **fileSize** The size of the file being downloaded. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. +- **groupConjectionCount** No content is currently available. +- **groupConnectionCount** The total number of connections made to peers in the same group. +- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group. +- **internetConnectionCountdownlinkBps** No content is currently available. +- **isEjcrypted** No content is currently available. +- **isEncryptdd** No content is currently available. +- **isEncrypted** TRUE if the file is encrypted and will be decrypted after download. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **lanConnectionCount** The total number of connections made to peers in the same LAN. +- **linkLocalConnectionCount** The number of connections made to peers in the same Link-local network. +- **numPeers** The total number of peers used for this download. +- **numPeersLocal** The total number of local peers used for this download. +- **predefi.edCallerName** No content is currently available. +- **predefinedCallerName** The name of the API Caller. +- **predefinedCalleRName** No content is currently available. +- **restrictedUpload** Is the upload restricted? +- **romteToCacheServer** No content is currently available. +- **roupeToCacheServer** No content is currently available. +- **routeTnCacheServer** No content is currently available. +- **routeToCacheSedver** No content is currently available. +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the download session. +- **totalTimeMs** Duration of the download (in seconds). +- **updateID** The ID of the update being downloaded. +- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). +- **uplinkUsageBps** The upload speed (in bytes per second). +- **uplinkUsegeBps** No content is currently available. +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused + +This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **backgground** No content is currently available. +- **backgro}nd** No content is currently available. +- **backgrou|d** No content is currently available. +- **background** Is the download a background download? +- **c`nUrl** No content is currently available. +- **cdnUrl** The URL of the source CDN (Content Delivery Network). +- **errorBode** No content is currently available. +- **errorCode** The error code that was returned. +- **expebimentId** No content is currently available. +- **expebimentIderrorCode** No content is currently available. +- **experiientId** No content is currently available. +- **experimenpId** No content is currently available. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being paused. +- **isVp|** No content is currently available. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **predefinedCallerName** The name of the API Caller object. +- **reasonCod%** No content is currently available. +- **reasonCode** The reason for pausing the download. +- **recsonCodesessiolID** No content is currently available. +- **routeToCacheSedver** No content is currently available. +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the download session. +- **updateID** The ID of the update being paused. +- **updateMD** No content is currently available. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted + +This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **b6nUrl** No content is currently available. +- **background** Indicates whether the download is happening in the background. +- **bacoground** No content is currently available. +- **bileSizeCaller** No content is currently available. +- **bytesRequested** Number of bytes requested for the download. +- **cdnUrl** The URL of the source Content Distribution Network (CDN). +- **costFlags** A set of flags representing network cost. +- **costFlaos** No content is currently available. +- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). +- **diceRoll** Random number used for determining if a client will use peering. +- **doClientVersion** The version of the Delivery Optimization client. +- **doErrorC/de** No content is currently available. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **doErrorCoee** No content is currently available. +- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). +- **downloadModeReason** Reason for the download. +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **errorCode** The error code that was returned. +- **experimejtId** No content is currently available. +- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing. +- **faleID** No content is currently available. +- **fiheID** No content is currently available. +- **fileID** The ID of the file being downloaded. +- **filePat(** No content is currently available. +- **filePath** The path to where the downloaded file will be written. +- **fileSize** Total file size of the file that was downloaded. +- **fileSizeCaller** Value for total file size provided by our caller. +- **groqpID** No content is currently available. +- **groupID** ID for the group. +- **isEncrypted** Indicates whether the download is encrypted. +- **isFpn** No content is currently available. +- **isVpn** Indicates whether the device is connected to a Virtual Private Network. +- **jobID** The ID of the Windows Update job. +- **peerID** The ID for this delivery optimization client. +- **predefinedCallerName** Name of the API caller. +- **rimentId** No content is currently available. +- **routeToCacheSedver** No content is currently available. +- **routeToCacheServer** Cache server setting, source, and value. +- **sessionID** The ID for the file download session. +- **sessmonID** No content is currently available. +- **setConfigs** A JSON representation of the configurations that have been set, and their sources. +- **updateID** The ID of the update being downloaded. +- **updateYD** No content is currently available. +- **usedMemoryStream** Indicates whether the download used memory streaming. + + +### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication + +This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **cdnHeaders** The HTTP headers returned by the CDN. +- **cdnIp** The IP address of the CDN. +- **cdnUrl** The URL of the CDN. +- **eErrorCode** No content is currently available. +- **eErrorCunt** No content is currently available. +- **errorCode** The error code that was returned. +- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **htppStatusCode** No content is currently available. +- **httpStatusCode** The HTTP status code returned by the CDN. +- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET +- **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.). +- **requestOffset** The byte offset within the file in the sent request. +- **requestSize** The size of the range requested from the CDN. +- **responseSize** The size of the range response received from the CDN. +- **sessionID** The ID of the download session. + + +### Microsoft.OSG.DU.DeliveryOptClient.JobError + +This event represents a Windows Update job error. It allows for investigation of top errors. + +The following fields are available: + +- **cdnIp** The IP Address of the source CDN (Content Delivery Network). +- **doErrorCode** Error code returned for delivery optimization. +- **errorCode** The error code returned. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **jobID** The Windows Update job ID. + + +## Windows Update events + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary + +This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **activated** Whether the entire device manifest update is considered activated and in use. +- **analysisErrorCount** The number of driver packages that could not be analyzed because errors occurred during analysis. +- **flightId** Unique ID for each flight. +- **missingDriverCount** The number of driver packages delivered by the device manifest that are missing from the system. +- **missingUpdateCount** The number of updates in the device manifest that are missing from the system. +- **objectId** Unique value for each diagnostics session. +- **publishedCount** The number of drivers packages delivered by the device manifest that are published and available to be used on devices. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **scenarioId** Indicates the update scenario. +- **sessionId** Unique value for each update session. +- **summary** A summary string that contains basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match. +- **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string. +- **truncatedDeviceCount** The number of devices missing from the summary string because there is not enough room in the string. +- **truncatedDriverCount** The number of driver packages missing from the summary string because there is not enough room in the string. +- **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices. +- **updateId** The unique ID for each update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit + +This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **objectId** The unique GUID for each diagnostics session. +- **relatedCV** A correlation vector value generated from the latest USO scan. +- **result** Outcome of the initialization of the session. +- **scenarioId** Identifies the Update scenario. +- **sessionId** The unique value for each update session. +- **updateId** The unique identifier for each Update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest + +This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted. +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **objectId** Unique value for each Update Agent mode. +- **packageCountOptional** Number of optional packages requested. +- **packageCountRequired** Number of required packages requested. +- **packageCountTotal** Total number of packages needed. +- **packageCountTotalCanonical** Total number of canonical packages. +- **packageCountTotalDiff** Total number of diff packages. +- **packageCountTotalExpress** Total number of express packages. +- **packageSizeCanonical** Size of canonical packages in bytes. +- **packageSizeDiff** Size of diff packages in bytes. +- **packageSizeExpress** Size of express packages in bytes. +- **rangeRequestState** Represents the state of the download range request. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **result** Result of the download request phase of update. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionId** Unique value for each Update Agent mode attempt. +- **updateId** Unique ID for each update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize + +This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **flightMetadata** Contains the FlightId and the build being flighted. +- **objectId** Unique value for each Update Agent mode. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios). +- **sessionId** Unique value for each Update Agent mode attempt. +- **updateId** Unique ID for each update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall + +This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **errorCode** The error code returned for the current install phase. +- **flightId** The unique identifier for each flight (pre-release builds). +- **objectId** The unique identifier for each diagnostics session. +- **relatedCV** Correlation vector value generated from the latest scan. +- **result** Outcome of the install phase of the update. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate +- **sessionId** The unique identifier for each update session. +- **updateId** The unique identifier for each Update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart + +This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **flightId** The unique identifier for each flight (pre-release builds). +- **mode** Indicates the active Update Agent mode. +- **objectId** Unique value for each diagnostics session. +- **relatedCV** Correlation vector value generated from the latest scan. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionId** The unique identifier for each update session. +- **updateId** The unique identifier for each Update. + + +### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed + +This event indicates that a notification dialog box is about to be displayed to user. + +The following fields are available: + +- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. +- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before the RebootFailed dialog box is shown. +- **DaysSinceRebootRequired** Number of days since restart was required. +- **DeviceLocalTime** The local time on the device sending the event. +- **EngagedModeLimit** The number of days to switch between DTE dialog boxes. +- **EnterAutoModeLimit** The maximum number of days for a device to enter Auto Reboot mode. +- **ETag** OneSettings versioning value. +- **IsForcedEnabled** Indicates whether Forced Reboot mode is enabled for this device. +- **IsUltimateForcedEnabled** Indicates whether Ultimate Forced Reboot mode is enabled for this device. +- **NotificationUxState** Indicates which dialog box is shown. +- **NotificationUxStateString** Indicates which dialog box is shown. +- **RebootUxState** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). +- **RebootUxStateString** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). +- **RebootVersion** Version of DTE. +- **SkipToAutoModeLimit** The minimum length of time to pass in restart pending before a device can be put into auto mode. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UtcTime** The time the dialog box notification will be displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootAcceptAutoDialog + +This event indicates that the Enhanced Engaged restart "accept automatically" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose on this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootFirstReminderDialog + +This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed.. + +The following fields are available: + +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose in this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog + +This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** The local time of the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog + +This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** Time the dialog box was shown on the local device. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose in this dialog box. +- **UtcTime** The time that dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderDialog + +This event returns information relating to the Enhanced Engaged reboot reminder dialog that was displayed. + +The following fields are available: + +- **DeviceLocalTime** The time at which the reboot reminder dialog was shown (based on the local device time settings). +- **ETag** The OneSettings versioning value. +- **ExitCode** Indicates how users exited the reboot reminder dialog box. +- **RebootVersion** The version of the DTE (Direct-to-Engaged). +- **UpdateId** The ID of the update that is waiting for reboot to finish installation. +- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. +- **UserResponseString** The option chosen by the user on the reboot dialog box. +- **UtcTime** The time at which the reboot reminder dialog was shown (in UTC). + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderToast + +This event indicates that the Enhanced Engaged restart reminder pop-up banner was displayed. + +The following fields are available: + +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the pop-up banner. +- **RebootVersion** The version of the reboot logic. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in the pop-up banner. +- **UtcTime** The time that the pop-up banner was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.RebootScheduled + +Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update. + +The following fields are available: + +- **activeHoursApplicable** Indicates whether an Active Hours policy is present on the device. +- **IsEnhancedEngagedReboot** Indicates whether this is an Enhanced Engaged reboot. +- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. +- **rebootOutsideOfActiveHours** Indicates whether a restart is scheduled outside of active hours. +- **rebootScheduledByUser** Indicates whether the restart was scheduled by user (if not, it was scheduled automatically). +- **rebootState** The current state of the restart. +- **rebootUsingSmartScheduler** Indicates whether the reboot is scheduled by smart scheduler. +- **revisionNumber** Revision number of the update that is getting installed with this restart. +- **scheduledRebootTime** Time of the scheduled restart. +- **scheduledRebootTimeInUTC** Time of the scheduled restart in Coordinated Universal Time. +- **updateId** ID of the update that is getting installed with this restart. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy + +This event indicates a policy is present that may restrict update activity to outside of active hours. + +The following fields are available: + +- **activeHoursEnd** The end of the active hours window. +- **activeHoursStart** The start of the active hours window. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours + +This event indicates that update activity was blocked because it is within the active hours window. + +The following fields are available: + +- **activeHoursEnd** The end of the active hours window. +- **activeHoursStart** The start of the active hours window. +- **updatePhase** The current state of the update process. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.BlockedByBatteryLevel + +This event indicates that Windows Update activity was blocked due to low battery level. + +The following fields are available: + +- **batteryLevel** The current battery charge capacity. +- **batteryLevelThreshold** The battery capacity threshold to stop update activity. +- **updatePhase** The current state of the update process. +- **wuDeviceid** Device ID. + + +### Microsoft.Windows.Update.Orchestrator.DeferRestart + +This event indicates that a restart required for installing updates was postponed. + +The following fields are available: + +- **displayNeededReason** List of reasons for needing display. +- **eventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery). +- **gameModeReason** Name of the executable that caused the game mode state check to start. +- **ignoredReason** List of reasons that were intentionally ignored. +- **IgnoreReasonsForRestart** List of reasons why restart was deferred. +- **revisionNumber** Update ID revision number. +- **systemNeededReason** List of reasons why system is needed. +- **updateId** Update ID. +- **updateScenarioType** Update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.Detection + +This event indicates that a scan for a Windows Update occurred. + +The following fields are available: + +- **deferReason** The reason why the device could not check for updates. +- **detectionBlockingPolicy** The Policy that blocked detection. +- **detectionBlockreason** The reason detection did not complete. +- **detectionRetryMode** Indicates whether we will try to scan again. +- **errorCode** The error code returned for the current process. +- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. +- **flightID** The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable. +- **interactive** Indicates whether the user initiated the session. +- **networkStatus** Indicates if the device is connected to the internet. +- **revisionNumber** The Update revision number. +- **scanTriggerSource** The source of the triggered scan. +- **updateId** The unique identifier of the Update. +- **updateScenarioType** Identifies the type of update session being performed. +- **wuDeviceid** The unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.DisplayNeeded + +This event indicates the reboot was postponed due to needing a display. + +The following fields are available: + +- **displayNeededReason** Reason the display is needed. +- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. +- **revisionNumber** Revision number of the update. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. +- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue + + +### Microsoft.Windows.Update.Orchestrator.Download + +This event sends launch data for a Windows Update download to help keep Windows up to date. + +The following fields are available: + +- **deferReason** Reason for download not completing. +- **e:4|SScenario** No content is currently available. +- **errorCode** An error code represented as a hexadecimal value. +- **eventScenario** End-to-end update session ID. +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the session is user initiated. +- **interactiveelatedCVerrorCode** No content is currently available. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenariotate** No content is currently available. +- **updateScenarioType** The update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.DTUCompletedWhenWuFlightPendingCommit + +This event indicates that DTU completed installation of the electronic software delivery (ESD), when Windows Update was already in Pending Commit phase of the feature update. + +The following fields are available: + +- **wuDeviceid** Device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.DTUEnabled + +This event indicates that Inbox DTU functionality was enabled. + +The following fields are available: + +- **wuDeviceid** Device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.DTUInitiated + +This event indicates that Inbox DTU functionality was intiated. + +The following fields are available: + +- **dtuErrorCode** Return code from creating the DTU Com Server. +- **isDtuApplicable** Determination of whether DTU is applicable to the machine it is running on. +- **wuDeviceid** Device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.EscalationRiskLevels + +This event is sent during update scan, download, or install, and indicates that the device is at risk of being out-of-date. + +The following fields are available: + +- **configVersion** The escalation configuration version on the device. +- **downloadElapsedTime** Indicates how long since the download is required on device. +- **downloadRiskLevel** At-risk level of download phase. +- **installElapsedTime** Indicates how long since the install is required on device. +- **installRiskLevel** The at-risk level of install phase. +- **isSediment** Assessment of whether is device is at risk. +- **scanElapsedTime** Indicates how long since the scan is required on device. +- **scanRiskLevel** At-risk level of the scan phase. +- **wuDeviceid** Device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.FailedToAddTimeTriggerToScanTask + +This event indicated that USO failed to add a trigger time to a task. + +The following fields are available: + +- **errorCode** The Windows Update error code. +- **wuDeviceid** The Windows Update device ID. + + +### Microsoft.Windows.Update.Orchestrator.FlightInapplicable + +This event indicates that the update is no longer applicable to this device. + +The following fields are available: + +- **EventPublishedTime** Time when this event was generated. +- **flightID** The specific ID of the Windows Insider build. +- **inapplicableReason** The reason why the update is inapplicable. +- **revisionNumber** Update revision number. +- **updateId** Unique Windows Update ID. +- **updateScenarioType** Update session type. +- **UpdateStatus** Last status of update. +- **UUPFallBackConfigured** Indicates whether UUP fallback is configured. +- **wuDeviceid** Unique Device ID. + + +### Microsoft.Windows.Update.Orchestrator.InitiatingReboot + +This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date. + +The following fields are available: + +- **EventPublishedTime** Time of the event. +- **flightID** Unique update ID +- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. +- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. +- **revisionNumber** Revision number of the update. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.Install + +This event sends launch data for a Windows Update install to help keep Windows up to date. + +The following fields are available: + +- **batteryLevel** Current battery capacity in mWh or percentage left. +- **defeec-9-0S** No content is currently available. +- **deferReason** Reason for install not completing. +- **errorCode** The error code reppresented by a hexadecimal value. +- **eventScenario** End-to-end update session ID. +- **flightID** The ID of the Windows Insider build the device is getting. +- **flightUpdate** Indicates whether the update is a Windows Insider build. +- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates. +- **Ignorec-9-0SsFoec-start** No content is currently available. +- **IgnoreReasonsForRestart** The reason(s) a Postpone Restart command was ignored. +- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress. +- **installRebootinitiatetime** The time it took for a reboot to be attempted. +- **interactive** Identifies if session is user initiated. +- **minutesToCommit** The time it took to install updates. +- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateMd** No content is currently available. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.LowUptimes + +This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure. + +The following fields are available: + +- **availableHistoryMinutes** The number of minutes available from the local machine activity history. +- **isLowUptimeMachine** Is the machine considered low uptime or not. +- **lowUptimeMinHours** Current setting for the minimum number of hours needed to not be considered low uptime. +- **lowUptimeQueryDays** Current setting for the number of recent days to check for uptime. +- **uptimeMinutes** Number of minutes of uptime measured. +- **wuDeviceid** Unique device ID for Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection + +This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date. + +The following fields are available: + +- **externalOneshotupdate** The last time a task-triggered scan was completed. +- **interactiveOneshotupdate** The last time an interactive scan was completed. +- **oldlastscanOneshotupdate** The last time a scan completed successfully. +- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID). + + +### Microsoft.Windows.Update.Orchestrator.PreShutdownStart + +This event is generated before the shutdown and commit operations. + +The following fields are available: + +- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### Microsoft.Windows.Update.Orchestrator.RebootFailed + +This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date. + +The following fields are available: + +- **batteryLevel** Current battery capacity in mWh or percentage left. +- **deferReason** Reason for install not completing. +- **EventPublishedTime** The time that the reboot failure occurred. +- **flightID** Unique update ID. +- **rebootOutsideOfActiveHours** Indicates whether a reboot was scheduled outside of active hours. +- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.RefreshSettings + +This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date. + +The following fields are available: + +- **errorCode** Hex code for the error message, to allow lookup of the specific error. +- **settingsDownloadTime** Timestamp of the last attempt to acquire settings. +- **settingsETag** Version identifier for the settings. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask + +This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date. + +The following fields are available: + +- **RebootTaskMissedTimeUTC** The time when the reboot task was scheduled to run, but did not. +- **RebootTaskNextTimeUTC** The time when the reboot task was rescheduled for. +- **RebootTaskRestoredTime** Time at which this reboot task was restored. +- **wuDeviceid** Device ID for the device on which the reboot is restored. + + +### Microsoft.Windows.Update.Orchestrator.ScanTriggered + +This event indicates that Update Orchestrator has started a scan operation. + +The following fields are available: + +- **errorCode** The error code returned for the current scan operation. +- **eventScenario** Indicates the purpose of sending this event. +- **interactive** Indicates whether the scan is interactive. +- **isDTUEnabled** Indicates whether DTU (internal abbreviation for Direct Feature Update) channel is enabled on the client system. +- **isScanPastSla** Indicates whether the SLA has elapsed for scanning. +- **isScanPastTriggerSla** Indicates whether the SLA has elapsed for triggering a scan. +- **minutesOverScanSla** Indicates how many minutes the scan exceeded the scan SLA. +- **minutesOverScanTriggerSla** Indicates how many minutes the scan exceeded the scan trigger SLA. +- **scanTriggerSource** Indicates what caused the scan. +- **updateScenarioType** The update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.StickUpdate + +This event is sent when the update service orchestrator (USO) indicates the update cannot be superseded by a newer update. + +The following fields are available: + +- **updateAd** No content is currently available. +- **updateId** Identifier associated with the specific piece of content. +- **wuDeviceid** Unique device ID controlled by the software distribution client. + + +### Microsoft.Windows.Update.Orchestrator.SystemNeeded + +This event sends data about why a device is unable to reboot, to help keep Windows up to date. + +The following fields are available: + +- **eventScenario** End-to-end update session ID. +- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. +- **revisionNumber** Update revision number. +- **systemNeededReason** List of apps or tasks that are preventing the system from restarting. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.TerminatedByActiveHours + +This event indicates that update activity was stopped due to active hours starting. + +The following fields are available: + +- **activeHoursEnd** The end of the active hours window. +- **activeHoursStart** The start of the active hours window. +- **updatePhase** The current state of the update process. +- **wuDeviceid** The device identifier. + + +### Microsoft.Windows.Update.Orchestrator.TerminatedByBatteryLevel + +This event is sent when update activity was stopped due to a low battery level. + +The following fields are available: + +- **batteryLevel** The current battery charge capacity. +- **batteryLevelThreshold** The battery capacity threshold to stop update activity. +- **updatePhase** The current state of the update process. +- **wuDeviceid** The device identifier. + + +### Microsoft.Windows.Update.Orchestrator.UnstickUpdate + +This event is sent when the update service orchestrator (USO) indicates that the update can be superseded by a newer update. + +The following fields are available: + +- **updateId** Identifier associated with the specific piece of content. +- **wuDeviceid** Unique device ID controlled by the software distribution client. + + +### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh + +This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date. + +The following fields are available: + +- **configuredPoliciescount** Number of policies on the device. +- **policiesNamevaluesource** Policy name and source of policy (group policy, MDM or flight). +- **policyCacherefreshtime** Time when policy cache was refreshed. +- **updateInstalluxsetting** Indicates whether a user has set policies via a user experience option. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired + +This event sends data about whether an update required a reboot to help keep Windows up to date. + +The following fields are available: + +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed + +This event sends information about an update that encountered problems and was not able to complete. + +The following fields are available: + +- **errorCode** The error code encountered. +- **wuDeviceid** The ID of the device in which the error occurred. + + +### Microsoft.Windows.Update.Orchestrator.UsoSession + +This event represents the state of the USO service at start and completion. + +The following fields are available: + +- **activeSessionid** A unique session GUID. +- **eventScenario** The state of the update action. +- **interactive** Is the USO session interactive? +- **lastErrorcode** The last error that was encountered. +- **lastErrorstate** The state of the update when the last error was encountered. +- **sessionType** A GUID that refers to the update session type. +- **updateScenarioType** A descriptive update session type. +- **wuDeviceid** The Windows Update device GUID. + + +### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState + +This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. + +The following fields are available: + +- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. +- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown. +- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed. +- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs. +- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode. +- **ETag** The Entity Tag that represents the OneSettings version. +- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device. +- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device. +- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending. +- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced. +- **RebootVersion** The version of the DTE (Direct-to-Engaged). +- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode. +- **UpdateId** The ID of the update that is waiting for reboot to finish installation. +- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. + + +### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded + +This event is sent when a security update has successfully completed. + +The following fields are available: + +- **UtcTime** The Coordinated Universal Time that the restart was no longer needed. + + +### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled + +This event sends basic information about scheduling an update-related reboot, to get security updates and to help keep Windows up-to-date. + +The following fields are available: + +- **activeHoursApplicable** Indicates whether Active Hours applies on this device. +- **IsEnhancedEngagedReboot** Indicates whether Enhanced reboot was enabled. +- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. +- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise. +- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically. +- **rebootState** Current state of the reboot. +- **rebootUsingSmartScheduler** Indicates that the reboot is scheduled by SmartScheduler. +- **revisionNumber** Revision number of the OS. +- **scheduledRebootTime** Time scheduled for the reboot. +- **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC. +- **updateId** Identifies which update is being scheduled. +- **wuDeviceid** The unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerScheduledTask + +This event is sent when MUSE broker schedules a task. + +The following fields are available: + +- **TaskArgument** The arguments with which the task is scheduled. +- **TaskName** Name of the task. + + +### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled + +This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date. + +The following fields are available: + +- **activeHoursApplicable** Is the restart respecting Active Hours? +- **IsEnhancedEngagedReboot** TRUE if the reboot path is Enhanced Engaged. Otherwise, FALSE. +- **rebootArgument** The arguments that are passed to the OS for the restarted. +- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours? +- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device. +- **rebootState** The state of the restart. +- **rebootUsingSmartScheduler** TRUE if the reboot should be performed by the Smart Scheduler. Otherwise, FALSE. +- **revisionNumber** The revision number of the OS being updated. +- **scheduledRebootTime** Time of the scheduled reboot +- **scheduledRebootTimeInUTC** Time of the scheduled restart, in Coordinated Universal Time. +- **updateId** The Windows Update device GUID. +- **wuDeviceid** The Windows Update device GUID. + + +## Windows Update mitigation events + +### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages + +This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates. + +The following fields are available: + +- **ClientId** The client ID used by Windows Update. +- **FlightId** The ID of each Windows Insider build the device received. +- **InstanceId** A unique device ID that identifies each update instance. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **MountedImageCount** The number of mounted images. +- **MountedImageMatches** The number of mounted image matches. +- **MountedImagesFailed** The number of mounted images that could not be removed. +- **MountedImagesRemoved** The number of mounted images that were successfully removed. +- **MountedImagesSkipped** The number of mounted images that were not found. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each Windows Update. +- **WuId** Unique ID for the Windows Update client. + + +### Mitigation360Telemetry.MitigationCustom.FixAppXReparsePoints + +This event sends data specific to the FixAppXReparsePoints mitigation used for OS updates. + +The following fields are available: + +- **ClientId** Unique identifier for each flight. +- **FlightId** Unique GUID that identifies each instances of setuphost.exe. +- **InstanceId** The update scenario in which the mitigation was executed. +- **MitigationScenario** Correlation vector value generated from the latest USO scan. +- **RelatedCV** Number of reparse points that are corrupted but we failed to fix them. +- **ReparsePointsFailed** Number of reparse points that were corrupted and were fixed by this mitigation. +- **ReparsePointsFixed** Number of reparse points that are not corrupted and no action is required. +- **ReparsePointsSkipped** HResult of this operation. +- **Result** ID indicating the mitigation scenario. +- **ScenarioId** Indicates whether the scenario was supported. +- **ScenarioSupported** Unique value for each update attempt. +- **SessionId** Unique ID for each Update. +- **UpdateId** Unique ID for the Windows Update client. +- **WuId** Unique ID for the Windows Update client. + + +### Mitigation360Telemetry.MitigationCustom.FixupEditionId + +This event sends data specific to the FixupEditionId mitigation used for OS updates. + +The following fields are available: + +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **EditionIdUpdated** Determine whether EditionId was changed. +- **FlightId** Unique identifier for each flight. +- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **ProductEditionId** Expected EditionId value based on GetProductInfo. +- **ProductType** Value returned by GetProductInfo. +- **RegistryEditionId** EditionId value in the registry. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. +- **WuId** Unique ID for the Windows Update client. + + +## Windows Update Reserve Manager events + +### Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment + +This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending. + +The following fields are available: + +- **FinalAdjustment** Final adjustment for the hard reserve following the addition or removal of optional content. +- **InitialAdjustment** Initial intended adjustment for the hard reserve following the addition/removal of optional content. + + +### Microsoft.Windows.UpdateReserveManager.FunctionReturnedError + +This event is sent when the Update Reserve Manager returns an error from one of its internal functions. + +The following fields are available: + +- **FailedExpression** The failed expression that was returned. +- **FailedFile** The binary file that contained the failed function. +- **FailedFunction** The name of the function that originated the failure. +- **FailedLine** The line number of the failure. +- **ReturnCode** The return code of the function. + + +### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager + +This event returns data about the Update Reserve Manager, including whether it’s been initialized. + +The following fields are available: + +- **ClientId** The ID of the caller application. +- **Flags** The enumerated flags used to initialize the manager. +- **FlightId** The flight ID of the content the calling client is currently operating with. +- **Offline** Indicates whether or the reserve manager is called during offline operations. +- **PolicyPassed** Indicates whether the machine is able to use reserves. +- **ReturnCode** Return code of the operation. +- **Version** The version of the Update Reserve Manager. + + +### Microsoft.Windows.UpdateReserveManager.PrepareTIForReserveInitialization + +This event is sent when the Update Reserve Manager prepares the Trusted Installer to initialize reserves on the next boot. + +The following fields are available: + +- **Flags** The flags that are passed to the function to prepare the Trusted Installer for reserve initialization. + + +### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment + +This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment. + + + +### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment + +This event is sent when the Update Reserve Manager needs to adjust the size of the hard reserve after the option content is installed. + +The following fields are available: + +- **ChangeSize** The change in the hard reserve size based on the addition or removal of optional content. +- **Disposition** The parameter for the hard reserve adjustment function. +- **Flags** The flags passed to the hard reserve adjustment function. +- **PendingHardReserveAdjustment** The final change to the hard reserve size. +- **UpdateType** Indicates whether the change is an increase or decrease in the size of the hard reserve. + + +## Winlogon events + +### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon + +This event signals the completion of the setup process. It happens only once during the first logon. + + + +## XBOX events + +### Microsoft.Xbox.XamTelemetry.AppActivationError + +This event indicates whether the system detected an activation error in the app. + +The following fields are available: + +- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app. +- **AppId** The Xbox LIVE Title ID. +- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate. +- **Result** The HResult error. +- **UserId** The Xbox LIVE User ID (XUID). + + +### Microsoft.Xbox.XamTelemetry.AppActivity + +This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. + +The following fields are available: + +- **AppActionId** The ID of the application action. +- **AppCurrentVisibilityState** The ID of the current application visibility state. +- **AppId** The Xbox LIVE Title ID of the app. +- **AppPackageFullName** The full name of the application package. +- **AppPreviousVisibilityState** The ID of the previous application visibility state. +- **AppSessionId** The application session ID. +- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). +- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. +- **DurationMs** The amount of time (in milliseconds) since the last application state transition. +- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. +- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). +- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. +- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. +- **UserId** The XUID (Xbox User ID) of the current user. + + + From 172404220c94a5c293ac9af9aa253f8e7dea7d5e Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 13 Mar 2019 07:20:22 -0700 Subject: [PATCH 045/492] add link to customize-oobe --- windows/configuration/wcd/wcd-oobe.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md index b6ca14a3ca..ddb01d2e29 100644 --- a/windows/configuration/wcd/wcd-oobe.md +++ b/windows/configuration/wcd/wcd-oobe.md @@ -13,7 +13,7 @@ ms.date: 09/06/2017 # OOBE (Windows Configuration Designer reference) -Use to configure settings for the Out Of Box Experience (OOBE). +Use to configure settings for the [Out Of Box Experience (OOBE)](https://docs.microsoft.com/windows-hardware/customize/desktop/customize-oobe). ## Applies to From eff5194528d223fb57c241491751021f252970a1 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 13 Mar 2019 07:23:55 -0700 Subject: [PATCH 046/492] oobe all editions --- windows/configuration/wcd/wcd-oobe.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md index ddb01d2e29..5e91bed7c9 100644 --- a/windows/configuration/wcd/wcd-oobe.md +++ b/windows/configuration/wcd/wcd-oobe.md @@ -29,7 +29,7 @@ Use to configure settings for the [Out Of Box Experience (OOBE)](https://docs.mi ## EnableCortanaVoice -Use this setting to control whether Cortana voice-over is enabled during OOBE. The voice-over is disabled by default on Windows 10 Pro, Education, and Enterprise. The voice-over is enabled by default on Windows 10 Home. Select **True** to enable voice-over during OOBE. +Use this setting to control whether Cortana voice-over is enabled during OOBE. The voice-over is disabled by default on Windows 10 Pro, Education, and Enterprise. The voice-over is enabled by default on Windows 10 Home. Select **True** to enable voice-over during OOBE on all Windows 10 editions. ## HideOobe for desktop From 26e3f090475c4bb697652667b7652a88b64ae185 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 13 Mar 2019 07:36:36 -0700 Subject: [PATCH 047/492] storage3d --- windows/configuration/TOC.md | 1 + windows/configuration/wcd/wcd-changes.md | 1 + .../wcd/wcd-storaged3inmodernstandby.md | 25 +++++++++++++++++++ windows/configuration/wcd/wcd.md | 1 + 4 files changed, 28 insertions(+) create mode 100644 windows/configuration/wcd/wcd-storaged3inmodernstandby.md diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md index b0edfde74e..c0ad05a8bd 100644 --- a/windows/configuration/TOC.md +++ b/windows/configuration/TOC.md @@ -112,6 +112,7 @@ #### [Start](wcd/wcd-start.md) #### [StartupApp](wcd/wcd-startupapp.md) #### [StartupBackgroundTasks](wcd/wcd-startupbackgroundtasks.md) +#### [StorageD3InModernStandby](wcd/wcd-storaged3inmodernstandby.md) #### [SurfaceHubManagement](wcd/wcd-surfacehubmanagement.md) #### [TabletMode](wcd/wcd-tabletmode.md) #### [TakeATest](wcd/wcd-takeatest.md) diff --git a/windows/configuration/wcd/wcd-changes.md b/windows/configuration/wcd/wcd-changes.md index 909614945c..962549f74e 100644 --- a/windows/configuration/wcd/wcd-changes.md +++ b/windows/configuration/wcd/wcd-changes.md @@ -20,6 +20,7 @@ ms.date: 10/02/2018 - [Time](wcd-time.md) - [Cellular > DataClassMappingTable](wcd-cellular.md#dataclassmappingtable) - [OOBE > EnableCortanaVoice](wcd-oobe.md#enablecortanavoice) +- [StorageD3InModernStandby](wcd/wcd-storaged3inmodernstandby.md) ## Settings removed in Windows 10, version ? diff --git a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md new file mode 100644 index 0000000000..a866ee0dab --- /dev/null +++ b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md @@ -0,0 +1,25 @@ +--- +title: StorageD3InModernStandby (Windows 10) +description: This section describes the StorageD3InModernStandby settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.topic: article +ms.date: 09/06/2017 +--- + +# StorageD3InModernStandby (Windows Configuration Designer reference) + +Use **StorageD3InModernStandby** to enable or disable low power state (D3) during standby. When this setting is configured to **Enable Storage Device D3**, SATA and NVMe devices will be able to enter the D3 state when the system transits to modern standby state, if they are using a Microsoft inbox driver such as StorAHCI, StorNVMe. + +[Learn more about device power states.](https://docs.microsoft.com/windows-hardware/drivers/kernel/device-power-states) + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | X | X | X | | X | + diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md index b19b249d08..47631ec5f0 100644 --- a/windows/configuration/wcd/wcd.md +++ b/windows/configuration/wcd/wcd.md @@ -72,6 +72,7 @@ This section describes the settings that you can configure in [provisioning pack | [Start](wcd-start.md) | X | X | | | | | [StartupApp](wcd-startupapp.md) | | | | | X | | [StartupBackgroundTasks](wcd-startupbackgroundtasks.md) | | | | | X | +| [StorageD3InModernStandby](wcd/wcd-storaged3inmodernstandby.md) |X | X | X | | X | | [SurfaceHubManagement](wcd-surfacehubmanagement.md) | | | X | | | | [TabletMode](wcd-tabletmode.md) |X | X | X | X | | | [TakeATest](wcd-takeatest.md) | X | | | | | From f1f5739a02260dbe008c5c5fd085793535a967f5 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 13 Mar 2019 07:54:18 -0700 Subject: [PATCH 048/492] fix link --- windows/configuration/wcd/wcd-changes.md | 2 +- windows/configuration/wcd/wcd.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/configuration/wcd/wcd-changes.md b/windows/configuration/wcd/wcd-changes.md index 962549f74e..4f84e272f5 100644 --- a/windows/configuration/wcd/wcd-changes.md +++ b/windows/configuration/wcd/wcd-changes.md @@ -20,7 +20,7 @@ ms.date: 10/02/2018 - [Time](wcd-time.md) - [Cellular > DataClassMappingTable](wcd-cellular.md#dataclassmappingtable) - [OOBE > EnableCortanaVoice](wcd-oobe.md#enablecortanavoice) -- [StorageD3InModernStandby](wcd/wcd-storaged3inmodernstandby.md) +- [StorageD3InModernStandby](wcd-storaged3inmodernstandby.md) ## Settings removed in Windows 10, version ? diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md index 47631ec5f0..2c764902cc 100644 --- a/windows/configuration/wcd/wcd.md +++ b/windows/configuration/wcd/wcd.md @@ -72,7 +72,7 @@ This section describes the settings that you can configure in [provisioning pack | [Start](wcd-start.md) | X | X | | | | | [StartupApp](wcd-startupapp.md) | | | | | X | | [StartupBackgroundTasks](wcd-startupbackgroundtasks.md) | | | | | X | -| [StorageD3InModernStandby](wcd/wcd-storaged3inmodernstandby.md) |X | X | X | | X | +| [StorageD3InModernStandby](wcd-storaged3inmodernstandby.md) |X | X | X | | X | | [SurfaceHubManagement](wcd-surfacehubmanagement.md) | | | X | | | | [TabletMode](wcd-tabletmode.md) |X | X | X | X | | | [TakeATest](wcd-takeatest.md) | X | | | | | From 7607f7772c32985857bb25f3c7fde47698a18b4f Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 13 Mar 2019 08:32:49 -0700 Subject: [PATCH 049/492] new build 3/13/2019 8:32 AM --- ...ndows-diagnostic-events-and-fields-1903.md | 68 +++++++++---------- 1 file changed, 34 insertions(+), 34 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index ac9b7be4f3..cd3421c1a4 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/12/2019 +ms.date: 03/13/2019 --- @@ -1744,7 +1744,7 @@ The following fields are available: - **AdvertisingId** Current state of the advertising ID setting. - **AppDiagnostics** Current state of the app diagnostics setting. - **Appointments** Current state of the calendar setting. -- **AppointmentsSystem** No content is currently available. +- **AppointmentsSystem** Current state of the calendar setting. - **Bluetooth** Current state of the Bluetooth capability setting. - **BluetoothSync** Current state of the Bluetooth sync capability setting. - **BroadFileSystemAccess** Current state of the broad file system access setting. @@ -1752,10 +1752,10 @@ The following fields are available: - **Chat** Current state of the chat setting. - **ChatSystem** Current state of the chat setting. - **Contacts** Current state of the contacts setting. -- **ContactsSystem** No content is currently available. +- **ContactsSystem** Current state of the Contacts setting. - **DocumentsLibrary** Current state of the documents library setting. - **Email** Current state of the email setting. -- **EmailSystem** No content is currently available. +- **EmailSystem** Current state of the email setting. - **FindMyDevice** Current state of the "find my device" setting. - **GazeInput** Current state of the gaze input setting. - **HumanInterfaceDevice** Current state of the human interface device setting. @@ -1767,7 +1767,7 @@ The following fields are available: - **Microphone** Current state of the microphone setting. - **PhoneCall** Current state of the phone call setting. - **PhoneCallHistory** Current state of the call history setting. -- **PhoneCallHistorySystem** No content is currently available. +- **PhoneCallHistorySystem** Current state of the call history setting. - **PicturesLibrary** Current state of the pictures library setting. - **Radios** Current state of the radios setting. - **SensorsCustom** Current state of the custom sensor setting. @@ -1777,7 +1777,7 @@ The following fields are available: - **USB** Current state of the USB setting. - **UserAccountInformation** Current state of the account information setting. - **UserDataTasks** Current state of the tasks setting. -- **UserDataTasksSystem** No content is currently available. +- **UserDataTasksSystem** Current state of the tasks setting. - **UserNotificationListener** Current state of the notifications setting. - **VideosLibrary** Current state of the videos library setting. - **Webcam** Current state of the camera setting. @@ -1915,18 +1915,18 @@ The following fields are available: - **AdvertisingId** Current state of the advertising ID setting. - **AppDiagnostics** Current state of the app diagnostics setting. - **Appointments** Current state of the calendar setting. -- **AppointmentsSystem** No content is currently available. +- **AppointmentsSystem** Current state of the calendar setting. - **Bluetooth** Current state of the Bluetooth capability setting. - **BluetoothSync** Current state of the Bluetooth sync capability setting. - **BroadFileSystemAccess** Current state of the broad file system access setting. - **CellularData** Current state of the cellular data capability setting. - **Chat** Current state of the chat setting. -- **ChatSystem** No content is currently available. +- **ChatSystem** Current state of the chat setting. - **Contacts** Current state of the contacts setting. -- **ContactsSystem** No content is currently available. +- **ContactsSystem** Current state of the Contacts setting. - **DocumentsLibrary** Current state of the documents library setting. - **Email** Current state of the email setting. -- **EmailSystem** No content is currently available. +- **EmailSystem** Current state of the email setting. - **GazeInput** Current state of the gaze input setting. - **HumanInterfaceDevice** Current state of the human interface device setting. - **InkTypeImprovement** Current state of the improve inking and typing setting. @@ -1938,7 +1938,7 @@ The following fields are available: - **Microphone** Current state of the microphone setting. - **PhoneCall** Current state of the phone call setting. - **PhoneCallHistory** Current state of the call history setting. -- **PhoneCallHistorySystem** No content is currently available. +- **PhoneCallHistorySystem** Current state of the call history setting. - **PicturesLibrary** Current state of the pictures library setting. - **Radios** Current state of the radios setting. - **SensorsCustom** Current state of the custom sensor setting. @@ -1948,7 +1948,7 @@ The following fields are available: - **USB** Current state of the USB setting. - **UserAccountInformation** Current state of the account information setting. - **UserDataTasks** Current state of the tasks setting. -- **UserDataTasksSystem** No content is currently available. +- **UserDataTasksSystem** Current state of the tasks setting. - **UserNotificationListener** Current state of the notifications setting. - **VideosLibrary** Current state of the videos library setting. - **Webcam** Current state of the camera setting. @@ -3772,27 +3772,27 @@ The following fields are available: ### Microsoft.Windows.Kernel.DeviceConfig.DeviceConfig -No content is currently available. +This critical device configuration event provides information about drivers for a driver installation that took place within the kernel. The following fields are available: -- **ClassGuid** No content is currently available. -- **DeviceInstanceId** No content is currently available. -- **DriverDate** No content is currently available. -- **DriverFlightIds** No content is currently available. -- **DriverInfName** No content is currently available. -- **DriverProvider** No content is currently available. -- **DriverSubmissionId** No content is currently available. -- **DriverVersion** No content is currently available. -- **ExtensionDrivers** No content is currently available. -- **FirstHardwareId** No content is currently available. -- **InboxDriver** No content is currently available. -- **InstallDate** No content is currently available. -- **LastCompatibleId** No content is currently available. -- **Legacy** No content is currently available. -- **NeedReboot** No content is currently available. -- **SetupMode** No content is currently available. -- **StatusCode** No content is currently available. +- **ClassGuid** The unique ID for the device class. +- **DeviceInstanceId** The unique ID for the device on the system. +- **DriverDate** The date the driver was installed. +- **DriverFlightIds** The IDs for the driver flights. +- **DriverInfName** Driver INF file name. +- **DriverProvider** The driver manufacturer or provider. +- **DriverSubmissionId** The driver submission ID assigned by the hardware developer center. +- **DriverVersion** The driver version number. +- **ExtensionDrivers** The list of extension driver INF files, extension IDs, and associated flight IDs. +- **FirstHardwareId** The ID in the hardware ID list that provides the most specific device description. +- **InboxDriver** Indicates whether the driver package is included with Windows. +- **InstallDate** Date the driver was installed. +- **LastCompatibleId** The ID in the hardware ID list that provides the least specific device description. +- **Legacy** Indicates whether the driver is a legacy driver. +- **NeedReboot** Indicates whether the driver requires a reboot. +- **SetupMode** Indicates whether the device configuration occurred during the initial installation of the device. +- **StatusCode** The NTSTATUS of device configuration operation. ### Microsoft.Windows.Kernel.PnP.AggregateClearDevNodeProblem @@ -5353,7 +5353,7 @@ The following fields are available: - **FlightId** The specific id of the flight the device is getting - **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) - **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). - **SystemBIOSMajorRelease** Major release version of the system bios - **SystemBIOSMinorRelease** Minor release version of the system bios - **UpdateId** Identifier associated with the specific piece of content @@ -5427,7 +5427,7 @@ The following fields are available: - **RepeatFailCount** Indicates whether this specific content has previously failed. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** The revision number of the specified piece of content. -- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). - **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **SizeCalcTime** Time taken (in seconds) to calculate the total download size of the payload. @@ -5606,7 +5606,7 @@ The following fields are available: - **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. - **RepeatFailCount** Indicates whether this specific piece of content has previously failed. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. - **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. @@ -5668,7 +5668,7 @@ The following fields are available: - **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. - **RepeatFailCount** Indicates whether this specific piece of content previously failed. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. - **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. From 36ebe477a6ddc7c10db110d8e58e5adc31f39ef6 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 13 Mar 2019 08:32:57 -0700 Subject: [PATCH 050/492] new build 3/13/2019 8:32 AM --- ...ndows-diagnostic-events-and-fields-1703.md | 4 +- ...ndows-diagnostic-events-and-fields-1709.md | 6 +- ...ndows-diagnostic-events-and-fields-1803.md | 6 +- ...ndows-diagnostic-events-and-fields-1809.md | 64 +++++++------------ 4 files changed, 32 insertions(+), 48 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 2e2ac4486f..3fad353220 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/12/2019 +ms.date: 03/13/2019 --- @@ -4181,7 +4181,7 @@ The following fields are available: - **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** The revision number of the specified piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). - **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. - **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index d6a2e128d8..4a60d0147d 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/12/2019 +ms.date: 03/13/2019 --- @@ -4128,7 +4128,7 @@ The following fields are available: - **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) - **RevisionNumber** Unique revision number of Update - **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Microsoft Store. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). - **SystemBIOSMajorRelease** Major version of the BIOS. - **SystemBIOSMinorRelease** Minor version of the BIOS. - **UpdateId** Unique Update ID @@ -4192,7 +4192,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** The revision number of the specified piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). - **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. - **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index e88b4da389..d472800547 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/12/2019 +ms.date: 03/13/2019 --- @@ -4934,7 +4934,7 @@ The following fields are available: - **FlightId** The specific id of the flight the device is getting - **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) - **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). - **SystemBIOSMajorRelease** Major release version of the system bios - **SystemBIOSMinorRelease** Minor release version of the system bios - **UpdateId** Identifier associated with the specific piece of content @@ -4997,7 +4997,7 @@ The following fields are available: - **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** The revision number of the specified piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). - **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. - **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index fd7cd31194..85613743bd 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/12/2019 +ms.date: 03/13/2019 --- @@ -2676,6 +2676,7 @@ The following fields are available: - **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. - **CanCol|ectCoreTelemetry** No content is currently available. - **CanCollactCoreTelemetry** No content is currently available. +- **CanCollec|AnyTelemetry** No content is currently available. - **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. - **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. - **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. @@ -2721,6 +2722,7 @@ The following fields are available: - **CensusExitCode** The last exit code of the Census task. - **CensusStartTime** Time of last Census run. - **CensusTaskEnabled** True if Census is enabled, false otherwise. +- **CensusTaskEnavled** No content is currently available. - **CompressedBytesUploaded** Number of compressed bytes uploaded. - **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. - **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. @@ -3392,6 +3394,7 @@ The following fields are available: - **aiSeqId** The event sequence ID. - **bootId** The system boot ID. - **BrightnessVersionViaDDI** The version of the Display Brightness Interface. +- **BrightnessVersIonViaDDI** No content is currently available. - **BvightnessVersionViaDDI** No content is currently available. - **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. - **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). @@ -3436,9 +3439,12 @@ The following fields are available: - **IsRenderDevice** Does the GPU have rendering capabilities? - **IsSoftwareDevice** Is this a software implementation of the GPU? - **IsSoftwareDevicg** No content is currently available. +- **KMD@ilePath** No content is currently available. - **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store. - **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? - **MsHybridDiscrete** Indicates whether the adapter is a discrete adapter in a hybrid configuration. +- **NumTidPlTarMets** No content is currently available. +- **NumVidPDSouPces** No content is currently available. - **NumVidPnSources** The number of supported display output sources. - **NumVidPnTargets** The number of supported display output targets. - **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes). @@ -3543,6 +3549,7 @@ The following fields are available: - **AppTimeStamp** The date/time stamp of the app. - **AppVersion** The version of the app that has crashed. - **AptName** No content is currently available. +- **AptSessionGuid** No content is currently available. - **DargetAppId** No content is currently available. - **ExceptionCode** The exception code returned by the process that has crashed. - **ExceptionOffset** The address where the exception had occurred. @@ -3553,16 +3560,23 @@ The following fields are available: - **ModNamevaultsv** No content is currently available. - **ModTimeStamp** The date/time stamp of the module. - **ModVersion** The version of the module that has crashed. +- **PaccageFullName** No content is currently available. - **PackageFullName** Store application identity. - **PackageRelaatieAppId** No content is currently available. +- **PackageRelativaAppId** No content is currently available. - **PackageRelativeAppId** Store application identity. - **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. - **ProcessCreateTime** The time of creation of the process that has crashed. - **ProcessId** The ID of the process that has crashed. +- **RepkrtId** No content is currently available. - **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargepAppVer** No content is currently available. +- **TargetAppI`** No content is currently available. - **TargetAppId** The kernel reported AppId of the application being reported. - **TargetAppVer** The specific version of the application being reported - **TargetAsId** The sequence number for the hanging process. +- **TargetAwId** No content is currently available. +- **TrocessArchitecture** No content is currently available. ## Feature update events @@ -3683,6 +3697,7 @@ The following fields are available: - **HiddenArp** Indicates whether a program hides itself from showing up in ARP. - **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). - **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 +- **InstallDateArpLasuModified** No content is currently available. - **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. - **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array. - **InventoryVersion** The version of the inventory file generating the events. @@ -4505,7 +4520,6 @@ The following fields are available: - **BytesRead** The total number of bytes read from or read by the OS upon system startup. - **BytesWritten** The total number of bytes written to or written by the OS upon system startup. -- **f** No content is currently available. See [f](#f). ### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch @@ -4978,7 +4992,6 @@ The following fields are available: - **BIOSVendor** Vendor of the system BIOS - **BiosVersion** Version of the system BIOS - **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRevisionNumbe2** No content is currently available. - **BundleRevisionNumber** Identifies the revision number of the content bundle - **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client - **ClientVersion** Version number of the software distribution client @@ -4990,7 +5003,7 @@ The following fields are available: - **FlightId** The specific id of the flight the device is getting - **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) - **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). - **SystemBIOSMajorRelease** Major release version of the system bios - **SystemBIOSMinorRelease** Minor release version of the system bios - **UpdateId** Identifier associated with the specific piece of content @@ -5007,10 +5020,8 @@ The following fields are available: - **AppXBlockHalhFailures** No content is currently available. - **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload. - **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. -- **AppXBoockHashFailures** No content is currently available. - **AppXDownloadScope** Indicates the scope of the download for application content. - **AppXScope** Indicates the scope of the app download. -- **AppXScopr** No content is currently available. - **B}ndleId** No content is currently available. - **BiosFamily** The family of the BIOS (Basic Input Output System). - **BiosName** The name of the device BIOS. @@ -5021,25 +5032,19 @@ The following fields are available: - **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. - **BundleId** Identifier associated with the specific content bundle. - **BundleRepeatFailCoqnt** No content is currently available. -- **BundleRepeatFailCoun.** No content is currently available. - **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. - **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download. - **BundleRevisionNumber** Identifies the revision number of the content bundle. - **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). -- **BytesDownnoaded** No content is currently available. - **C`llerApplicationName** No content is currently available. - **CachedEngineVersion** The version of the “Self-Initiated Healing” (SIH) engine that is cached on the device, if applicable. - **CallerApplicationname** No content is currently available. - **CallerApplicationName** The name provided by the application that initiated API calls into the software distribution client. -- **CalLerApplicationName** No content is currently available. -- **CallerApplictionaName** No content is currently available. - **CbsDownloadMethod** Indicates whether the download was a full- or a partial-file download. - **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. - **CDNCotntryCode** No content is currently available. -- **CDNCoun.ryCdel** No content is currently available. - **CDNCoundryCode** No content is currently available. - **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. -- **CDNd** No content is currently available. - **CDNId** ID which defines which CDN the software distribution client downloaded the content from. - **ClientVersion** The version number of the software distribution client. - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. @@ -5052,24 +5057,17 @@ The following fields are available: - **DownloadProps** Information about the download operation properties in the form of a bitmask. - **DownloadType** Differentiates the download type of “Self-Initiated Healing” (SIH) downloads between Metadata and Payload downloads. - **DownloedPriority** No content is currently available. -- **DventInstanceID** No content is currently available. - **e:4|SInstanceID** No content is currently available. - **e:4|SScenario** No content is currently available. - **E:4|State** No content is currently available. - **EöentInstanceID** No content is currently available. -- **Eve.tScenario** No content is currently available. -- **EventInst.9ceID** No content is currently available. - **EventInstanceID** A globally unique identifier for event instance. - **EventInstAnceID** No content is currently available. -- **EventPype** No content is currently available. - **EventScanario** No content is currently available. - **eventScenario** No content is currently available. - **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed. - **EventType** Identifies the type of the event (Child, Bundle, or Driver). -- **EventTypr** No content is currently available. - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. -- **ExtendedtartusCdel** No content is currently available. -- **FeatureUpdatePaser** No content is currently available. - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. - **Fli.c9BuildNumber** No content is currently available. - **Fli.c9Id** No content is currently available. @@ -5082,7 +5080,6 @@ The following fields are available: - **HomeMobileOperator** The mobile operator that the device was originally intended to work with. - **HospName** No content is currently available. - **HostName** The hostname URL the content is downloading from. -- **Hst.Name** No content is currently available. - **IPVersion** Indicates whether the download took place over IPv4 or IPv6. - **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update - **IsWQfBEnabled** No content is currently available. @@ -5093,26 +5090,18 @@ The following fields are available: - **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. - **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. - **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) -- **NetworkCst.** No content is currently available. - **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." -- **NetworkRestrictiontartus** No content is currently available. -- **oadPriority** No content is currently available. - **PackageFullName** The package name of the content. -- **PegulationResult** No content is currently available. - **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. - **PostDnldDime** No content is currently available. - **PostDnldTime** Time (in seconds) taken to signal download completion after the last job completed downloading the payload. - **ProcessName** The process name of the application that initiated API calls, in the event where CallerApplicationName was not provided. -- **Pst.DnldTime** No content is currently available. - **PvocessName** No content is currently available. -- **QpdateId** No content is currently available. - **QualityreUpdaPause** No content is currently available. - **QualityUpdatePa}se** No content is currently available. -- **QualityUpdatePaser** No content is currently available. - **QualityUpdatePatse** No content is currently available. - **QualityUpdatePausa** No content is currently available. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RdvisionNumber** No content is currently available. - **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background. - **ReguiationResult** No content is currently available. - **RegulationReason** The reason that the update is regulated @@ -5120,15 +5109,12 @@ The following fields are available: - **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. - **RegulatIonResult** No content is currently available. - **ReiatedCV** No content is currently available. -- **RelatedCS** No content is currently available. - **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. - **RelntedCV** No content is currently available. -- **RepeatFailCoun.** No content is currently available. - **RepeatFailCount** Indicates whether this specific content has previously failed. - **RepeatFailFlag** Indicates whether this specific content previously failed to download. - **RevisionNumber** The revision number of the specified piece of content. -- **SericeCGuid** No content is currently available. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). - **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. - **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. - **SizeCalcTime** Time (in seconds) taken to calculate the total download size of the payload. @@ -5138,25 +5124,19 @@ The following fields are available: - **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. - **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. - **TargetMetadataVersion** The version of the currently downloading (or most recently downloaded) package. -- **tartusCdel** No content is currently available. - **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet. - **TimeToEstablishConnection** Time (in milliseconds) it took to establish the connection prior to beginning downloaded. -- **tizeCalcTime** No content is currently available. - **TotalExpectedBytes** The total size (in Bytes) expected to be downloaded. - **Upda|eImportance** No content is currently available. - **UpdateId** An identifier associated with the specific piece of content. - **UpdateID** An identifier associated with the specific piece of content. -- **UpdateImporEvent** No content is currently available. - **UpdateImpornstan** No content is currently available. -- **UpdateImport.9ce** No content is currently available. - **UpdateImportance** Indicates whether the content was marked as Important, Recommended, or Optional. - **Use** No content is currently available. - **UsedDO** Indicates whether the download used the Delivery Optimization (DO) service. - **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive. -- **WUDericeID** No content is currently available. - **WUDeviceId** No content is currently available. - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. -- **WUDviceCID** No content is currently available. ### SoftwareUpdateClientTelemetry.DownloadCheckpoint @@ -5360,7 +5340,7 @@ The following fields are available: - **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. - **RepeatFailCount** Indicates whether this specific piece of content has previously failed. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. - **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. @@ -5420,7 +5400,7 @@ The following fields are available: - **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. - **RepeatFailCount** Indicates whether this specific piece of content previously failed. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. - **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. @@ -5460,6 +5440,7 @@ The following fields are available: - **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed. - **ExtendedStatusCode** The secondary status code of the event. - **ExtendefStatusCode** No content is currently available. +- **imeZoScenario** No content is currently available. - **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed. - **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. - **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce @@ -6362,6 +6343,7 @@ The following fields are available: - **Produc|Id** No content is currently available. - **productId** No content is currently available. - **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNueber** No content is currently available. - **SystemAttemptNumber** The number of attempts by the system to acquire this product. - **UserAttemptNumber** The number of attempts by the user to acquire this product - **UserCttemptNumber** No content is currently available. @@ -6782,6 +6764,7 @@ The following fields are available: - **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). - **downloadMofeSrc** No content is currently available. - **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **expiresAt** The time when the content will expire from the Delivery Optimization Cache. - **fileID** The ID of the file being downloaded. - **fileSize** The size of the file being downloaded. - **gCurMemoryStreamBytes** Current usage for memory streaming. @@ -6795,6 +6778,7 @@ The following fields are available: - **isEncrypted** TRUE if the file is encrypted and will be decrypted after download. - **isVpn** Is the device connected to a Virtual Private Network? - **jobID** Identifier for the Windows Update job. +- **lanConnectionCo}nt** No content is currently available. - **lanConnectionCount** The total number of connections made to peers in the same LAN. - **linkLocalConnectionCount** The number of connections made to peers in the same Link-local network. - **numPeers** The total number of peers used for this download. From 1d26a3157f7624ed3031a279b6bce5da2c47e91b Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 13 Mar 2019 08:58:11 -0700 Subject: [PATCH 051/492] localpoliciessecurityoptions --- windows/configuration/wcd/wcd-policies.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md index 5da3446971..8afa0ad845 100644 --- a/windows/configuration/wcd/wcd-policies.md +++ b/windows/configuration/wcd/wcd-policies.md @@ -337,6 +337,14 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in 5. Open the project again in Windows Configuration Designer. 6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed. +## LocalPoliciesSecurityOptions + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [InteractiveLogon_DoNotDisplayLastSignedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin) | X | | | | | | +| [Shutdown_AllowSystemtobeShutDownWithoutHavingToLogOn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon) | X | | | | | | +| [UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers) | X | | | | | | + ## Location | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | From 7888f4cae72a5805ab9e2a88f391165f26a51370 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 13 Mar 2019 09:10:12 -0700 Subject: [PATCH 052/492] policies > power --- windows/configuration/wcd/wcd-policies.md | 25 +++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md index 8afa0ad845..b77939b03c 100644 --- a/windows/configuration/wcd/wcd-policies.md +++ b/windows/configuration/wcd/wcd-policies.md @@ -351,6 +351,31 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in | --- | --- | :---: | :---: | :---: | :---: | :---: | | [EnableLocation](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#location-enablelocation) | Do not use. | | | | | | +## Power + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowStandbyStatesWhenSleepingOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#allowstandbystateswhensleepingonbattery) | X | | | | | | +| [AllowStandbyWhenSleepingPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#allowstandbystateswhensleepingpluggedin) | X | | | | | | +| [DisplayOffTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#displayofftimeoutonbattery) | X | | | | | | +| [DisplayOffTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#displayofftimeoutpluggedin) | X | | | | | | +| [EnergySaverBatteryThresholdOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#energysaverbatterythresholdonbattery) | X | | | | | | +| [EnergySaverBatteryThresholdPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#EnergySaverBatteryThresholdPluggedIn) | X | | | | | | +| [HibernateTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#hibernatetimeoutonbattery) | X | | | | | | +| [HibernateTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#hibernatetimeoutpluggedin) | X | | | | | | +| [SelectLidCloseActionOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#selectlidcloseactiononbattery) | X | | | | | | +| [SelectLidCloseActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#selectlidcloseactionpluggedin) | X | | | | | | +| [SelectPowerButtonActionOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#selectpowerbuttonactiononbattery) | X | | | | | | +| [SelectPowerButtonActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#selectpowerbuttonactionpluggedin) | X | | | | | | +| [SelectSleepButtonActionOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#selectsleepbuttonactiononbattery) | X | | | | | | +| [SelectSleepButtonActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#selectsleepbuttonactionpluggedin) | X | | | | | | +| [StandbyTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#StandbyTimeoutOnBattery) | X | | | | | | +| [StandbyTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#standbytimeoutpluggedin) | X | | | | | | +| [TurnOffHybridSleepOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#turnoffhybridsleeponbattery) | X | | | | | | +| [TurnOffHybridSleepPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#turnoffhybridsleeppluggedin) | X | | | | | | +| [UnattendedSleepTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#unattendedsleeptimeoutonbattery) | X | | | | | | +| [UnattendedSleepTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#unattendedsleeptimeoutpluggedin) | X | | | | | | + ## Privacy From 808f6c3224008e30620ed14633a5fedc6a5e8133 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 13 Mar 2019 09:22:32 -0700 Subject: [PATCH 053/492] fix tables --- windows/configuration/wcd/wcd-policies.md | 47 +++++++++++------------ 1 file changed, 23 insertions(+), 24 deletions(-) diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md index b77939b03c..81758ffcf3 100644 --- a/windows/configuration/wcd/wcd-policies.md +++ b/windows/configuration/wcd/wcd-policies.md @@ -341,9 +341,9 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [InteractiveLogon_DoNotDisplayLastSignedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin) | X | | | | | | -| [Shutdown_AllowSystemtobeShutDownWithoutHavingToLogOn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon) | X | | | | | | -| [UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers) | X | | | | | | +| [InteractiveLogon_DoNotDisplayLastSignedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin) | | X | | | | | +| [Shutdown_AllowSystemtobeShutDownWithoutHavingToLogOn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon) | | X | | | | | +| [UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers) | | X | | | | | ## Location @@ -355,27 +355,26 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowStandbyStatesWhenSleepingOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#allowstandbystateswhensleepingonbattery) | X | | | | | | -| [AllowStandbyWhenSleepingPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#allowstandbystateswhensleepingpluggedin) | X | | | | | | -| [DisplayOffTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#displayofftimeoutonbattery) | X | | | | | | -| [DisplayOffTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#displayofftimeoutpluggedin) | X | | | | | | -| [EnergySaverBatteryThresholdOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#energysaverbatterythresholdonbattery) | X | | | | | | -| [EnergySaverBatteryThresholdPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#EnergySaverBatteryThresholdPluggedIn) | X | | | | | | -| [HibernateTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#hibernatetimeoutonbattery) | X | | | | | | -| [HibernateTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#hibernatetimeoutpluggedin) | X | | | | | | -| [SelectLidCloseActionOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#selectlidcloseactiononbattery) | X | | | | | | -| [SelectLidCloseActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#selectlidcloseactionpluggedin) | X | | | | | | -| [SelectPowerButtonActionOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#selectpowerbuttonactiononbattery) | X | | | | | | -| [SelectPowerButtonActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#selectpowerbuttonactionpluggedin) | X | | | | | | -| [SelectSleepButtonActionOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#selectsleepbuttonactiononbattery) | X | | | | | | -| [SelectSleepButtonActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#selectsleepbuttonactionpluggedin) | X | | | | | | -| [StandbyTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#StandbyTimeoutOnBattery) | X | | | | | | -| [StandbyTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#standbytimeoutpluggedin) | X | | | | | | -| [TurnOffHybridSleepOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#turnoffhybridsleeponbattery) | X | | | | | | -| [TurnOffHybridSleepPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#turnoffhybridsleeppluggedin) | X | | | | | | -| [UnattendedSleepTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#unattendedsleeptimeoutonbattery) | X | | | | | | -| [UnattendedSleepTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#unattendedsleeptimeoutpluggedin) | X | | | | | | - +| [AllowStandbyStatesWhenSleepingOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#allowstandbystateswhensleepingonbattery) | | X | | | | | +| [AllowStandbyWhenSleepingPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#allowstandbystateswhensleepingpluggedin) | | X | | | | | +| [DisplayOffTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#displayofftimeoutonbattery) | | X | | | | | +| [DisplayOffTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#displayofftimeoutpluggedin) | | X | | | | | +| [EnergySaverBatteryThresholdOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#energysaverbatterythresholdonbattery) | | X | | | | | +| [EnergySaverBatteryThresholdPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#EnergySaverBatteryThresholdPluggedIn) | | X | | | | | +| [HibernateTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#hibernatetimeoutonbattery) | | X | | | | | +| [HibernateTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#hibernatetimeoutpluggedin) | | X | | | | | +| [SelectLidCloseActionOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#selectlidcloseactiononbattery) | | X | | | | | +| [SelectLidCloseActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#selectlidcloseactionpluggedin) | | X | | | | | +| [SelectPowerButtonActionOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#selectpowerbuttonactiononbattery) | | X | | | | | +| [SelectPowerButtonActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#selectpowerbuttonactionpluggedin) | | X | | | | | +| [SelectSleepButtonActionOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#selectsleepbuttonactiononbattery) | | X | | | | | +| [SelectSleepButtonActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#selectsleepbuttonactionpluggedin) | | X | | | | | +| [StandbyTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#StandbyTimeoutOnBattery) | | X | | | | | +| [StandbyTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#standbytimeoutpluggedin) | | X | | | | | +| [TurnOffHybridSleepOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#turnoffhybridsleeponbattery) | | X | | | | | +| [TurnOffHybridSleepPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#turnoffhybridsleeppluggedin) | | X | | | | | +| [UnattendedSleepTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#unattendedsleeptimeoutonbattery) | | X | | | | | +| [UnattendedSleepTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#unattendedsleeptimeoutpluggedin) | | X | | | | | ## Privacy From 771968bd6d55abb2a13d63b8706131e0392d1fc1 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 13 Mar 2019 09:33:50 -0700 Subject: [PATCH 054/492] fix power links --- windows/configuration/wcd/wcd-policies.md | 46 +++++++++++------------ 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md index 81758ffcf3..6841fc2423 100644 --- a/windows/configuration/wcd/wcd-policies.md +++ b/windows/configuration/wcd/wcd-policies.md @@ -341,9 +341,9 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [InteractiveLogon_DoNotDisplayLastSignedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin) | | X | | | | | -| [Shutdown_AllowSystemtobeShutDownWithoutHavingToLogOn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon) | | X | | | | | -| [UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers) | | X | | | | | +| [InteractiveLogon_DoNotDisplayLastSignedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin) | Specify whether the Windows sign-in screen will show the username of the last person who signed in. | X | | | | | +| [Shutdown_AllowSystemtobeShutDownWithoutHavingToLogOn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon) | Specify whether a computer can be shut down without signing in. | X | | | | | +| [UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers) | Configure how an elevation prompt should behave for standard users. | X | | | | | ## Location @@ -355,26 +355,26 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowStandbyStatesWhenSleepingOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#allowstandbystateswhensleepingonbattery) | | X | | | | | -| [AllowStandbyWhenSleepingPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#allowstandbystateswhensleepingpluggedin) | | X | | | | | -| [DisplayOffTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#displayofftimeoutonbattery) | | X | | | | | -| [DisplayOffTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#displayofftimeoutpluggedin) | | X | | | | | -| [EnergySaverBatteryThresholdOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#energysaverbatterythresholdonbattery) | | X | | | | | -| [EnergySaverBatteryThresholdPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#EnergySaverBatteryThresholdPluggedIn) | | X | | | | | -| [HibernateTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#hibernatetimeoutonbattery) | | X | | | | | -| [HibernateTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#hibernatetimeoutpluggedin) | | X | | | | | -| [SelectLidCloseActionOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#selectlidcloseactiononbattery) | | X | | | | | -| [SelectLidCloseActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#selectlidcloseactionpluggedin) | | X | | | | | -| [SelectPowerButtonActionOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#selectpowerbuttonactiononbattery) | | X | | | | | -| [SelectPowerButtonActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#selectpowerbuttonactionpluggedin) | | X | | | | | -| [SelectSleepButtonActionOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#selectsleepbuttonactiononbattery) | | X | | | | | -| [SelectSleepButtonActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#selectsleepbuttonactionpluggedin) | | X | | | | | -| [StandbyTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#StandbyTimeoutOnBattery) | | X | | | | | -| [StandbyTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#standbytimeoutpluggedin) | | X | | | | | -| [TurnOffHybridSleepOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#turnoffhybridsleeponbattery) | | X | | | | | -| [TurnOffHybridSleepPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#turnoffhybridsleeppluggedin) | | X | | | | | -| [UnattendedSleepTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#unattendedsleeptimeoutonbattery) | | X | | | | | -| [UnattendedSleepTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#unattendedsleeptimeoutpluggedin) | | X | | | | | +| [AllowStandbyStatesWhenSleepingOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingonbattery) | | X | | | | | +| [AllowStandbyWhenSleepingPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingpluggedin) | | X | | | | | +| [DisplayOffTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#displayofftimeoutonbattery) | | X | | | | | +| [DisplayOffTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#displayofftimeoutpluggedin) | | X | | | | | +| [EnergySaverBatteryThresholdOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#energysaverbatterythresholdonbattery) | | X | | | | | +| [EnergySaverBatteryThresholdPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#EnergySaverBatteryThresholdPluggedIn) | | X | | | | | +| [HibernateTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#hibernatetimeoutonbattery) | | X | | | | | +| [HibernateTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#hibernatetimeoutpluggedin) | | X | | | | | +| [SelectLidCloseActionOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#selectlidcloseactiononbattery) | | X | | | | | +| [SelectLidCloseActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#selectlidcloseactionpluggedin) | | X | | | | | +| [SelectPowerButtonActionOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactiononbattery) | | X | | | | | +| [SelectPowerButtonActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactionpluggedin) | | X | | | | | +| [SelectSleepButtonActionOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactiononbattery) | | X | | | | | +| [SelectSleepButtonActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactionpluggedin) | | X | | | | | +| [StandbyTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#StandbyTimeoutOnBattery) | | X | | | | | +| [StandbyTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#standbytimeoutpluggedin) | | X | | | | | +| [TurnOffHybridSleepOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeponbattery) | | X | | | | | +| [TurnOffHybridSleepPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeppluggedin) | | X | | | | | +| [UnattendedSleepTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutonbattery) | | X | | | | | +| [UnattendedSleepTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutpluggedin) | | X | | | | | ## Privacy From c0baa2a12ee832d58480b021ba967c719747a43f Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 13 Mar 2019 10:19:01 -0700 Subject: [PATCH 055/492] sync --- windows/configuration/wcd/wcd-changes.md | 2 ++ windows/configuration/wcd/wcd-policies.md | 19 ++++++++++--------- 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/windows/configuration/wcd/wcd-changes.md b/windows/configuration/wcd/wcd-changes.md index 4f84e272f5..0100391209 100644 --- a/windows/configuration/wcd/wcd-changes.md +++ b/windows/configuration/wcd/wcd-changes.md @@ -20,6 +20,8 @@ ms.date: 10/02/2018 - [Time](wcd-time.md) - [Cellular > DataClassMappingTable](wcd-cellular.md#dataclassmappingtable) - [OOBE > EnableCortanaVoice](wcd-oobe.md#enablecortanavoice) +- [Policies > LocalPoliciesSecurityOptions](wcd-policies.md#localpoliciessecurityoptions) +- [Policies > Power](wcd-policies.md#power) - [StorageD3InModernStandby](wcd-storaged3inmodernstandby.md) ## Settings removed in Windows 10, version ? diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md index 6841fc2423..1ad4d0c2ac 100644 --- a/windows/configuration/wcd/wcd-policies.md +++ b/windows/configuration/wcd/wcd-policies.md @@ -355,15 +355,16 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowStandbyStatesWhenSleepingOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingonbattery) | | X | | | | | -| [AllowStandbyWhenSleepingPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingpluggedin) | | X | | | | | -| [DisplayOffTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#displayofftimeoutonbattery) | | X | | | | | -| [DisplayOffTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#displayofftimeoutpluggedin) | | X | | | | | -| [EnergySaverBatteryThresholdOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#energysaverbatterythresholdonbattery) | | X | | | | | -| [EnergySaverBatteryThresholdPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#EnergySaverBatteryThresholdPluggedIn) | | X | | | | | -| [HibernateTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#hibernatetimeoutonbattery) | | X | | | | | -| [HibernateTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#hibernatetimeoutpluggedin) | | X | | | | | -| [SelectLidCloseActionOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#selectlidcloseactiononbattery) | | X | | | | | +| [AllowStandbyStatesWhenSleepingOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingonbattery) | Specify whether Windows can use standby states when putting the computer in a sleep state while on battery. | X | | | | | +| [AllowStandbyWhenSleepingPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingpluggedin) | Specify whether Windows can use standby states when putting the computer in a sleep state while plugged in. | X | | | | | +| [DisplayOffTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#displayofftimeoutonbattery) | Specify the period of inactivity before Windows turns off the display while on battery. | X | | | | | +| [DisplayOffTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#displayofftimeoutpluggedin) | Specify the period of inactivity before Windows turns off the display while plugged in. | X | | | | | +| [EnergySaverBatteryThresholdOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#energysaverbatterythresholdonbattery) | Specify the battery charge level at which Energy Saver is turned on while on battery. | X | | | | | +| [EnergySaverBatteryThresholdPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#EnergySaverBatteryThresholdPluggedIn) | Specify the battery charge level at which Energy Saver is turned on while plugged in. | X | | | | | +| [HibernateTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#hibernatetimeoutonbattery) | Specify the period of inactivity before Windows transitions the system to hibernate while on battery. | X | | | | | +| [HibernateTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#hibernatetimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to hibernate while plugged in. | X | | | | | +| [RequirePasswordWhenComputerWakesOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#requirepasswordwhencomputerwakesonbattery) | | X | | | | | +| [RequirePasswordWhenComputerWakesPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#requirepasswordwhencomputerwakespluggedin) | | X | | | | | | [SelectLidCloseActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#selectlidcloseactionpluggedin) | | X | | | | | | [SelectPowerButtonActionOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactiononbattery) | | X | | | | | | [SelectPowerButtonActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactionpluggedin) | | X | | | | | From 2b70eca0f1d7364025771acfe27cb037e80f366c Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 13 Mar 2019 12:32:01 -0700 Subject: [PATCH 056/492] finish power policies --- windows/configuration/wcd/wcd-policies.md | 27 ++++++++++++----------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md index 1ad4d0c2ac..814e7fbc1d 100644 --- a/windows/configuration/wcd/wcd-policies.md +++ b/windows/configuration/wcd/wcd-policies.md @@ -363,19 +363,20 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in | [EnergySaverBatteryThresholdPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#EnergySaverBatteryThresholdPluggedIn) | Specify the battery charge level at which Energy Saver is turned on while plugged in. | X | | | | | | [HibernateTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#hibernatetimeoutonbattery) | Specify the period of inactivity before Windows transitions the system to hibernate while on battery. | X | | | | | | [HibernateTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#hibernatetimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to hibernate while plugged in. | X | | | | | -| [RequirePasswordWhenComputerWakesOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#requirepasswordwhencomputerwakesonbattery) | | X | | | | | -| [RequirePasswordWhenComputerWakesPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#requirepasswordwhencomputerwakespluggedin) | | X | | | | | -| [SelectLidCloseActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#selectlidcloseactionpluggedin) | | X | | | | | -| [SelectPowerButtonActionOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactiononbattery) | | X | | | | | -| [SelectPowerButtonActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactionpluggedin) | | X | | | | | -| [SelectSleepButtonActionOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactiononbattery) | | X | | | | | -| [SelectSleepButtonActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactionpluggedin) | | X | | | | | -| [StandbyTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#StandbyTimeoutOnBattery) | | X | | | | | -| [StandbyTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#standbytimeoutpluggedin) | | X | | | | | -| [TurnOffHybridSleepOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeponbattery) | | X | | | | | -| [TurnOffHybridSleepPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeppluggedin) | | X | | | | | -| [UnattendedSleepTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutonbattery) | | X | | | | | -| [UnattendedSleepTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutpluggedin) | | X | | | | | +| [RequirePasswordWhenComputerWakesOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#requirepasswordwhencomputerwakesonbattery) | Specify whether the user is prompted for a password when the system resumes from sleep while on battery. | X | | | | | +| [RequirePasswordWhenComputerWakesPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#requirepasswordwhencomputerwakespluggedin) | Specify whether the user is prompted for a password when the system resumes from sleep while plugged in. | X | | | | | +| [SelectLidCloseActionBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#selectlidcloseactionpluggedin) | Select the action to be taken when a user closes the lid on a mobile device while on battery. | X | | | | | +| [SelectLidCloseActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#selectlidcloseactionpluggedin) | Select the action to be taken when a user closes the lid on a mobile device while on plugged in. | X | | | | | +| [SelectPowerButtonActionOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactiononbattery) | Select the action to be taken when the user presses the power button while on battery. | X | | | | | +| [SelectPowerButtonActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactionpluggedin) | Select the action to be taken when the user presses the power button while on plugged in. | X | | | | | +| [SelectSleepButtonActionOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactiononbattery) | Select the action to be taken when the user presses the sleep button while on battery. | X | | | | | +| [SelectSleepButtonActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactionpluggedin) | Select the action to be taken when the user presses the sleep button while plugged in. | X | | | | | +| [StandbyTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#StandbyTimeoutOnBattery) | Specify the period of inactivity before Windows transitions the system to sleep while on battery. | X | | | | | +| [StandbyTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#standbytimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to sleep while plugged in. | X | | | | | +| [TurnOffHybridSleepOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeponbattery) | Turn off hybrid sleep while on battery. | X | | | | | +| [TurnOffHybridSleepPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeppluggedin) | Turn off hybrid sleep while plugged in. | X | | | | | +| [UnattendedSleepTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutonbattery) | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user is not present while on battery. | X | | | | | +| [UnattendedSleepTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user is not present while plugged in. | X | | | | | ## Privacy From 93c25b80e4e7a7385419b04495f5217cad0554c1 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 13 Mar 2019 12:38:00 -0700 Subject: [PATCH 057/492] update timezone --- windows/configuration/wcd/wcd-time.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/windows/configuration/wcd/wcd-time.md b/windows/configuration/wcd/wcd-time.md index 53ddcd5768..57086da3c3 100644 --- a/windows/configuration/wcd/wcd-time.md +++ b/windows/configuration/wcd/wcd-time.md @@ -23,7 +23,15 @@ Use **Time** to configure settings for time zone setup for Windows 10, version ( ## ProvisionSetTimeZone -Set to **True** to skip time zone assignment when the first user signs in. +Set to **True** to skip time zone assignment when the first user signs in, in which case the device will remain in its default time zone. For the proper configuration, you should also use **Policies > TimeLanguageSettings > ConfigureTimeZone** to set the default time zone. + +>[!TIP] +>Configuring a time zone in **Policies > TimeLanguageSettings > ConfigureTimeZone** accomplishes the same purpose as setting **ProvisionSetTimeZone** to **True**, so you don't need to configure both settings. + +Set to **False** for time zone assignment to occur when the first user signs in. The user will be prompted to select a time zone during first sign-in. + +>[!NOTE] +>Do not set **Time > ProvisionSetTimeZone** to **False** and also set a time zone in **Policies > TimeLanguageSettings > ConfigureTimeZone**. + -Set to **False** for time zone assignment to occur when the first user signs in. From f423a5a632b6148886a3250073ee5ba225d81455 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Fri, 15 Mar 2019 06:13:18 -0700 Subject: [PATCH 058/492] fix cortana voice setting --- windows/configuration/wcd/wcd-oobe.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md index 5e91bed7c9..6bf1ca1d44 100644 --- a/windows/configuration/wcd/wcd-oobe.md +++ b/windows/configuration/wcd/wcd-oobe.md @@ -29,7 +29,7 @@ Use to configure settings for the [Out Of Box Experience (OOBE)](https://docs.mi ## EnableCortanaVoice -Use this setting to control whether Cortana voice-over is enabled during OOBE. The voice-over is disabled by default on Windows 10 Pro, Education, and Enterprise. The voice-over is enabled by default on Windows 10 Home. Select **True** to enable voice-over during OOBE on all Windows 10 editions. +Use this setting to control whether Cortana voice-over is enabled during OOBE. The voice-over is disabled by default on Windows 10 Pro, Education, and Enterprise. The voice-over is enabled by default on Windows 10 Home. Select **True** to enable voice-over during OOBE, or **False** to disable voice-over during OOBE. ## HideOobe for desktop From 4c2d4f7ba9ebcfbb6ab09b4aa7e896c069a0caa3 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 15 Mar 2019 09:16:55 -0700 Subject: [PATCH 059/492] new build 3/15/2019 9:16 AM --- ...ndows-diagnostic-events-and-fields-1903.md | 164 +++++++++++------- 1 file changed, 106 insertions(+), 58 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index cd3421c1a4..2faca0d1a1 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/13/2019 +ms.date: 03/15/2019 --- @@ -3797,30 +3797,30 @@ The following fields are available: ### Microsoft.Windows.Kernel.PnP.AggregateClearDevNodeProblem -No content is currently available. +This event is sent when a problem code is cleared from a device. The following fields are available: -- **Count** No content is currently available. -- **DeviceInstanceId** No content is currently available. -- **LastProblem** No content is currently available. -- **LastProblemStatus** No content is currently available. -- **ServiceName** No content is currently available. +- **Count** The total number of events. +- **DeviceInstanceId** The unique identifier of the device on the system. +- **LastProblem** The previous problem that was cleared. +- **LastProblemStatus** The previous NTSTATUS value that was cleared. +- **ServiceName** The name of the driver or service attached to the device. ### Microsoft.Windows.Kernel.PnP.AggregateSetDevNodeProblem -No content is currently available. +This event is sent when a new problem code is assigned to a device. The following fields are available: -- **Count** No content is currently available. -- **DeviceInstanceId** No content is currently available. -- **LastProblem** No content is currently available. -- **LastProblemStatus** No content is currently available. -- **Problem** No content is currently available. -- **ProblemStatus** No content is currently available. -- **ServiceName** No content is currently available. +- **Count** The total number of events. +- **DeviceInstanceId** The unique identifier of the device in the system. +- **LastProblem** The previous problem code that was set on the device. +- **LastProblemStatus** The previous NTSTATUS value that was set on the device. +- **Problem** The new problem code that was set on the device. +- **ProblemStatus** The new NTSTATUS value that was set on the device. +- **ServiceName** The driver or service name that is attached to the device. ## Miracast events @@ -3901,84 +3901,84 @@ The following fields are available: ### MicArrayGeometry -No content is currently available. +This event provides information about the layout of the individual microphone elements in the microphone array. The following fields are available: -- **MicCoords** No content is currently available. -- **usFrequencyBandHi** No content is currently available. -- **usFrequencyBandLo** No content is currently available. -- **usMicArrayType** No content is currently available. -- **usNumberOfMicrophones** No content is currently available. -- **usVersion** No content is currently available. -- **wHorizontalAngleBegin** No content is currently available. -- **wHorizontalAngleEnd** No content is currently available. -- **wVerticalAngleBegin** No content is currently available. -- **wVerticalAngleEnd** No content is currently available. +- **MicCoords** The location and orientation of the microphone element. +- **usFrequencyBandHi** The high end of the frequency range for the microphone. +- **usFrequencyBandLo** The low end of the frequency range for the microphone. +- **usMicArrayType** The type of the microphone array. +- **usNumberOfMicrophones** The number of microphones in the array. +- **usVersion** The version of the microphone array specification. +- **wHorizontalAngleBegin** The horizontal angle of the start of the working volume (reported as radians times 10,000). +- **wHorizontalAngleEnd** The horizontal angle of the end of the working volume (reported as radians times 10,000). +- **wVerticalAngleBegin** The vertical angle of the start of the working volume (reported as radians times 10,000). +- **wVerticalAngleEnd** The vertical angle of the end of the working volume (reported as radians times 10,000). ### MicCoords -No content is currently available. +This event provides information about the location and orientation of the microphone element. The following fields are available: -- **usType** No content is currently available. -- **wHorizontalAngle** No content is currently available. -- **wVerticalAngle** No content is currently available. -- **wXCoord** No content is currently available. -- **wYCoord** No content is currently available. -- **wZCoord** No content is currently available. +- **usType** The type of microphone. +- **wHorizontalAngle** The horizontal angle of the microphone (reported as radians times 10,000). +- **wVerticalAngle** The vertical angle of the microphone (reported as radians times 10,000). +- **wXCoord** The x-coordinate of the microphone. +- **wYCoord** The y-coordinate of the microphone. +- **wZCoord** The z-coordinate of the microphone. ### Microsoft.Windows.Audio.EndpointBuilder.DeviceInfo -No content is currently available. +This event logs the successful enumeration of an audio endpoint (such as a microphone or speaker) and provides information about the audio endpoint. The following fields are available: -- **BusEnumeratorName** No content is currently available. -- **ContainerId** No content is currently available. -- **DeviceInstanceId** No content is currently available. -- **EndpointDevnodeId** No content is currently available. +- **BusEnumeratorName** The name of the bus enumerator (for example, HDAUDIO or USB). +- **ContainerId** An identifier that uniquely groups the functional devices associated with a single-function or multifunction device. +- **DeviceInstanceId** The unique identifier for this instance of the device. +- **EndpointDevnodeId** The IMMDevice identifier of the associated devnode. - **endpointEffectClsid** No content is currently available. - **endpointEffectModule** No content is currently available. -- **EndpointFormFactor** No content is currently available. -- **endpointID** No content is currently available. -- **endpointInstanceId** No content is currently available. -- **Flow** No content is currently available. +- **EndpointFormFactor** The enumeration value for the form factor of the endpoint device (for example speaker, microphone, remote network device). +- **endpointID** The unique identifier for the audio endpoint. +- **endpointInstanceId** The unique identifier for the software audio endpoint. Used for joining to other audio event. +- **Flow** Indicates whether the endpoint is capture (1) or render (0). - **globalEffectClsid** No content is currently available. - **globalEffectModule** No content is currently available. -- **HWID** No content is currently available. -- **IsBluetooth** No content is currently available. +- **HWID** The hardware identifier for the endpoint. +- **IsBluetooth** Indicates whether the device is a Bluetooth device. - **isFarField** No content is currently available. -- **IsSideband** No content is currently available. -- **IsUSB** No content is currently available. -- **JackSubType** No content is currently available. +- **IsSideband** Indicates whether the device is a sideband device. +- **IsUSB** Indicates whether the device is a USB device. +- **JackSubType** A unique ID representing the KS node type of the endpoint. - **localEffectClsid** No content is currently available. - **localEffectModule** No content is currently available. -- **MicArrayGeometry** No content is currently available. See [MicArrayGeometry](#micarraygeometry). +- **MicArrayGeometry** Describes the microphone array, including the microphone position, coordinates, type, and frequency range. See [MicArrayGeometry](#micarraygeometry). - **modeEffectClsid** No content is currently available. - **modeEffectModule** No content is currently available. -- **persistentId** No content is currently available. +- **persistentId** A unique ID for this endpoint which is retained across migrations. - **streamEffectClsid** No content is currently available. - **streamEffectModule** No content is currently available. ### Microsoft.Windows.DriverInstall.DeviceInstall -No content is currently available. +This critical event sends device instance properties for the driver installation that took place. The following fields are available: -- **ClassGuid** No content is currently available. -- **ClassLowerFilters** No content is currently available. -- **ClassUpperFilters** No content is currently available. -- **CoInstallers** No content is currently available. -- **ConfigFlags** No content is currently available. -- **DeviceConfigured** No content is currently available. -- **DeviceInstanceId** No content is currently available. -- **DeviceStack** No content is currently available. +- **ClassGuid** The unique ID for the device class. +- **ClassLowerFilters** The list of lower filter class drivers. +- **ClassUpperFilters** The list of upper filter class drivers. +- **CoInstallers** The list of coinstallers. +- **ConfigFlags** The device configuration flags. +- **DeviceConfigured** Indicates whether this device was configured through the kernel configuration. +- **DeviceInstanceId** The unique identifier of the device in the system. +- **DeviceStack** The device stack of the driver being installed. - **DriverDate** No content is currently available. - **DriverDescription** No content is currently available. - **DriverInfName** No content is currently available. @@ -5045,6 +5045,34 @@ The following fields are available: - **sessionID** The ID of this push-button reset session. +### Microsoft.Windows.UEFI.ESRT + +No content is currently available. + +The following fields are available: + +- **DriverFirmwareFilename** No content is currently available. +- **DriverFirmwarePolicy** No content is currently available. +- **DriverFirmwareStatus** No content is currently available. +- **DriverFirmwareVersion** No content is currently available. +- **FirmareLastAttemptVersion** No content is currently available. +- **FirmwareId** No content is currently available. +- **FirmwareLastAttemptStatus** No content is currently available. +- **FirmwareLastAttemptVersion** No content is currently available. +- **FirmwareType** No content is currently available. +- **FirmwareVersion** No content is currently available. +- **InitiateUpdate** No content is currently available. +- **LastAttemptDate** No content is currently available. +- **LastAttemptStatus** No content is currently available. +- **LastAttemptVersion** No content is currently available. +- **LowestSupportedFirmwareVersion** No content is currently available. +- **MaxRetryCount** No content is currently available. +- **PartA_PrivTags** No content is currently available. +- **RetryCount** No content is currently available. +- **Status** No content is currently available. +- **UpdateAttempted** No content is currently available. + + ### Microsoft.Xbox.XamTelemetry.AppActivationError This event indicates whether the system detected an activation error in the app. @@ -7165,6 +7193,26 @@ The following fields are available: - **wuDeviceid** The unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.DetectionActivity + +No content is currently available. + +The following fields are available: + +- **applicableUpdateIdList** No content is currently available. +- **applicableUpdateList** No content is currently available. +- **durationInSeconds** No content is currently available. +- **expeditedMode** No content is currently available. +- **networkCostPolicy** No content is currently available. +- **scanTriggerSource** No content is currently available. +- **scenario** No content is currently available. +- **scenarioReason** No content is currently available. +- **seekerUpdateIdList** No content is currently available. +- **seekerUpdateList** No content is currently available. +- **services** No content is currently available. +- **wilActivity** No content is currently available. See [wilActivity](#wilactivity). + + ### Microsoft.Windows.Update.Orchestrator.DisplayNeeded This event indicates the reboot was postponed due to needing a display. From 5f6aea33f705ed73bf7902534a6b512d09efa791 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 15 Mar 2019 09:17:00 -0700 Subject: [PATCH 060/492] new build 3/15/2019 9:16 AM --- ...ndows-diagnostic-events-and-fields-1703.md | 19 +- ...ndows-diagnostic-events-and-fields-1709.md | 19 +- ...ndows-diagnostic-events-and-fields-1803.md | 19 +- ...ndows-diagnostic-events-and-fields-1809.md | 175 ++++++------------ 4 files changed, 115 insertions(+), 117 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 3fad353220..4aebdedd33 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/13/2019 +ms.date: 03/15/2019 --- @@ -2954,6 +2954,23 @@ The following fields are available: - **winInetError** The HResult of the operation. +## Other events + +### Microsoft.Windows.Shell.PrivacyNotifierLogging.PrivacyNotifierCompleted + +No content is currently available. + +The following fields are available: + +- **cleanupTask** No content is currently available. +- **cleanupTaskResult** No content is currently available. +- **deviceEvaluated** No content is currently available. +- **deviceImpacted** No content is currently available. +- **modalAction** No content is currently available. +- **modalResult** No content is currently available. +- **resetSettingsResult** No content is currently available. + + ## Remediation events ### Microsoft.Windows.Remediation.Applicable diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 4a60d0147d..0fa19351b5 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/13/2019 +ms.date: 03/15/2019 --- @@ -3107,6 +3107,23 @@ The following fields are available: - **winInetError** The HResult of the operation. +## Other events + +### Microsoft.Windows.Shell.PrivacyNotifierLogging.PrivacyNotifierCompleted + +No content is currently available. + +The following fields are available: + +- **cleanupTask** No content is currently available. +- **cleanupTaskResult** No content is currently available. +- **deviceEvaluated** No content is currently available. +- **deviceImpacted** No content is currently available. +- **modalAction** No content is currently available. +- **modalResult** No content is currently available. +- **resetSettingsResult** No content is currently available. + + ## Remediation events ### Microsoft.Windows.Remediation.Applicable diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index d472800547..cc061437ac 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/13/2019 +ms.date: 03/15/2019 --- @@ -4061,6 +4061,23 @@ The following fields are available: - **winInetError** The HResult of the operation. +## Other events + +### Microsoft.Windows.Shell.PrivacyNotifierLogging.PrivacyNotifierCompleted + +No content is currently available. + +The following fields are available: + +- **cleanupTask** No content is currently available. +- **cleanupTaskResult** No content is currently available. +- **deviceEvaluated** No content is currently available. +- **deviceImpacted** No content is currently available. +- **modalAction** No content is currently available. +- **modalResult** No content is currently available. +- **resetSettingsResult** No content is currently available. + + ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 85613743bd..db961c12d8 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/13/2019 +ms.date: 03/15/2019 --- @@ -2208,6 +2208,7 @@ The following fields are available: - **UserNotificationListener** Current state of the notifications setting. - **VideosLibrary** Current state of the videos library setting. - **Webcam** Current state of the camera setting. +- **WiFaDirect** No content is currently available. - **WiFiDirect** Current state of the Wi-Fi direct setting. @@ -2446,8 +2447,8 @@ Describes the installation state for all hardware and software components availa The following fields are available: - **action** The change that was invoked on a device inventory object. +- **cction** No content is currently available. - **inventoryId** Device ID used for Compatibility testing -- **objectIîstanceId** No content is currently available. - **objectInstanceId** Object identity which is unique within the device scope. - **objectType** Indicates the object type that the event applies to. - **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. @@ -2674,19 +2675,13 @@ Fired by UTC at startup to signal what data we are allowed to collect. The following fields are available: - **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. -- **CanCol|ectCoreTelemetry** No content is currently available. -- **CanCollactCoreTelemetry** No content is currently available. -- **CanCollec|AnyTelemetry** No content is currently available. - **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. - **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. - **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. - **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. - **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. - **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. -- **CanPerformDiagnostigEscalations** No content is currently available. -- **CanPerformDkagnosticEscalations** No content is currently available. - **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. -- **CanReportScanarios** No content is currently available. - **CanReportScenarios** True if we can report scenario completions, false otherwise. - **PreviousPermissions** Bitmask of previous telemetry state. - **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. @@ -2713,39 +2708,23 @@ This event sends data about the health and quality of the diagnostic data from t The following fields are available: -- **AgentConnctionErrorsCount** No content is currently available. - **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel. -- **AgenticenectionErrorsCount** No content is currently available. -- **CeesusExitCode** No content is currently available. -- **CeesusStartTime** No content is currently available. -- **CeesusTaskEnabled** No content is currently available. - **CensusExitCode** The last exit code of the Census task. - **CensusStartTime** Time of last Census run. - **CensusTaskEnabled** True if Census is enabled, false otherwise. -- **CensusTaskEnavled** No content is currently available. - **CompressedBytesUploaded** Number of compressed bytes uploaded. - **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. - **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. -- **CriticalDataDbLroppedCount** No content is currently available. -- **CriticalDataDhrottleDroppedCount** No content is currently available. - **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling. - **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB. -- **CriticamOverflowEntersCounter** No content is currently available. - **DbCriticalDroppedCount** Total number of dropped critical events in event DB. - **DbDroppedCount** Number of events dropped due to DB fullness. - **DbDroppedFailureCount** Number of events dropped due to DB failures. - **DbDroppedFullCount** Number of events dropped due to DB fullness. -- **DbDroppedOailureCount** No content is currently available. -- **DbDroppedOullCount** No content is currently available. - **DecodingDroppedCount** Number of events dropped due to decoding failures. -- **DhrottledDroppedCount** No content is currently available. - **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. - **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. - **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. -- **Eve~tStoreResetCounter** No content is currently available. -- **EventSC06eLifetimeResetCounter** No content is currently available. -- **EventSC06eResetCounter** No content is currently available. -- **EventSC06eResetSizeSum** No content is currently available. - **EventsPersistedCount** Number of events that reached the PersistEvent stage. - **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC. - **EventStoreResetCounter** Number of times event DB was reset. @@ -2756,19 +2735,12 @@ The following fields are available: - **Flags** Flags indicating device state such as network state, battery state, and opt-in state. - **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. - **HeartBeatSequenceNumber** The sequence number of this heartbeat. -- **icesumerDroppedCount** No content is currently available. -- **icmpressedBytesUploaded** No content is currently available. - **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. - **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. -- **LastAgenticenectionError** No content is currently available. - **LastEventSizeOffender** Event name of last event which exceeded max event size. - **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. -- **LastreReseizeOffender** No content is currently available. - **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. -- **MaxActiveAgenticenectionCount** No content is currently available. - **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. -- **Olags** No content is currently available. -- **OullTriggerBufferDroppedCount** No content is currently available. - **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). - **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. - **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. @@ -2780,12 +2752,9 @@ The following fields are available: - **UploaderErrorCount** Number of errors received from the upload endpoint. - **VortexFailuresTimeout** The number of timeout failures received from Vortex. - **VortexHttpAttempts** Number of attempts to contact Vortex. -- **VortexHttpFailures4xS** No content is currently available. - **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. -- **VortexHttpFailures5xS** No content is currently available. - **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. - **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. -- **VortexHttpResponsesWihDroppedEvents** No content is currently available. - **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. @@ -3391,25 +3360,35 @@ The following fields are available: - **AdapterDypeValue** No content is currently available. - **AdapterTypeValue** The numeric value indicating the type of Graphics adapter. +- **aiseqId** No content is currently available. - **aiSeqId** The event sequence ID. +- **AsPostAdapter** No content is currently available. - **bootId** The system boot ID. +- **BrightnessVersion'iaDDI** No content is currently available. - **BrightnessVersionViaDDI** The version of the Display Brightness Interface. - **BrightnessVersIonViaDDI** No content is currently available. - **BvightnessVersionViaDDI** No content is currently available. +- **Com2utePreemptionLevel** No content is currently available. - **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. - **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). - **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). +- **DicplayAdapterLuid** No content is currently available. - **DisplayAdapterLuid** The display adapter LUID. - **Driver48,k** No content is currently available. - **DriverDate** The date of the display driver. +- **DriverFersion** No content is currently available. - **DriverRa~k** No content is currently available. - **DriverRank** The rank of the display driver. - **DriverVersion** The display driver version. - **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store. +- **DX11UMDFile@ath** No content is currently available. - **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store. +- **DX12EMDFilePath** No content is currently available. - **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store. - **DX9]MDFilePath** No content is currently available. +- **DX9EMDFilePath** No content is currently available. - **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store. +- **G@UVendorID** No content is currently available. - **GPUDeviceID** The GPU device ID. - **GPUPree}ptionLevel** No content is currently available. - **GPUPreemptionLdvel** No content is currently available. @@ -3417,10 +3396,13 @@ The following fields are available: - **GPURevisionID** The GPU revision ID. - **GPUVendoeID** No content is currently available. - **GPUVendorID** The GPU vendor ID. +- **I¤MismatchLDA** No content is currently available. - **InterbaceId** No content is currently available. - **InterfaceId** The GPU interface ID. +- **IÓDisplayDevice** No content is currently available. - **IqMPOSupported** No content is currently available. - **IrRemovable** No content is currently available. +- **IsCoftwareDevice** No content is currently available. - **IsDisp|ayDevice** No content is currently available. - **IsDisplayDevice** Does the GPU have displaying capabilities? - **IsHwSchSupported** Indicates whether the adapter supports hardware scheduling. @@ -3428,7 +3410,9 @@ The following fields are available: - **IsHybridIntdgrated** No content is currently available. - **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? - **IsLDA** Is the GPU comprised of Linked Display Adapters? +- **IsMicmatchLDA** No content is currently available. - **IsMiracastSupported** Does the GPU support Miracast? +- **IsMism`tchLDA** No content is currently available. - **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor? - **IsMPOCupported** No content is currently available. - **IsMPOSuppor|ed** No content is currently available. @@ -3447,9 +3431,11 @@ The following fields are available: - **NumVidPDSouPces** No content is currently available. - **NumVidPnSources** The number of supported display output sources. - **NumVidPnTargets** The number of supported display output targets. +- **SharedCystemMemoryB** No content is currently available. - **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes). - **SubSyste}ID** No content is currently available. - **SubSystemID** The subsystem ID. +- **SubSystemKD** No content is currently available. - **SubVendoeID** No content is currently available. - **SubVendorID** The GPU sub vendor ID. - **TelematryEnabled** No content is currently available. @@ -3558,16 +3544,20 @@ The following fields are available: - **IsFatal** True/False to indicate whether the crash resulted in process termination. - **ModName** Exception module name (e.g. bar.dll). - **ModNamevaultsv** No content is currently available. +- **ModNaoe** No content is currently available. - **ModTimeStamp** The date/time stamp of the module. - **ModVersion** The version of the module that has crashed. - **PaccageFullName** No content is currently available. - **PackageFullName** Store application identity. +- **PackageFuLlName** No content is currently available. - **PackageRelaatieAppId** No content is currently available. - **PackageRelativaAppId** No content is currently available. - **PackageRelativeAppId** Store application identity. - **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateDime** No content is currently available. - **ProcessCreateTime** The time of creation of the process that has crashed. - **ProcessId** The ID of the process that has crashed. +- **PRocessId** No content is currently available. - **RepkrtId** No content is currently available. - **ReportId** A GUID used to identify the report. This can used to track the report across Watson. - **TargepAppVer** No content is currently available. @@ -3659,6 +3649,7 @@ The following fields are available: - **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache - **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache - **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache +- **InventoryMiscnfo** No content is currently available. - **Metadata** A count of metadata objects in cache. - **Orphan** A count of orphan file objects in cache. - **Programs** A count of program objects in cache. @@ -3696,6 +3687,7 @@ The following fields are available: - **HiddenArp** Indicates whether a program hides itself from showing up in ARP. - **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). +- **InstallDateArpLastModifi** No content is currently available. - **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 - **InstallDateArpLasuModified** No content is currently available. - **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. @@ -3705,14 +3697,17 @@ The following fields are available: - **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. - **MsiProductCode** A GUID that describe the MSI Product. - **Name** The name of the application. +- **Order** No content is currently available. - **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. - **PackageFullName** The package full name for a Store application. +- **PackagmFullName** No content is currently available. - **ProgramInstanceId** A hash of the file IDs in an app. - **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field. - **RootDirPath** The path to the root directory where the program was installed. - **Source** How the program was installed (for example, ARP, MSI, Appx). - **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp. - **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen. +- **Value** No content is currently available. - **Version** The version number of the program. @@ -3902,7 +3897,7 @@ The following fields are available: This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). +This event includes fields from [Ms.Device.De~iceInventoryChange](#msdevicede~iceinventorychange). The following fields are available: @@ -3929,6 +3924,7 @@ The following fields are available: - **DeviceState** Identifies the current state of the parent (main) device. - **DriverId** The unique identifier for the installed driver. - **DriverName** The name of the driver image file. +- **DriverP!ckageStrongName** No content is currently available. - **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage. - **DriverVerDate** The date associated with the driver installed on the device. - **DriverVerVersion** The version number of the driver installed on the device. @@ -3937,11 +3933,13 @@ The following fields are available: - **HWID** A list of hardware IDs for the device. - **HWID.Count** No content is currently available. - **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). +- **InstallCtate** No content is currently available. - **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx - **InventoryVersion** The version number of the inventory process generating the events. - **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. - **LowerFilters** The identifiers of the Lower filters installed for the device. - **Manufacturer** The manufacturer of the device. +- **Manufccturer** No content is currently available. - **MatchingID** The Hardware ID or Compatible ID that Windows uses to install a device instance. - **Model** Identifies the model of the device. - **ParentId** The Device Instance ID of the parent of the device. @@ -4534,6 +4532,7 @@ The following fields are available: - **BootStatusPolicy** Identifies the applicable Boot Status Policy. - **BootType** Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume"). - **EventTimestamp** Seconds elapsed since an arbitrary time point. This can be used to identify the time difference in successive boot attempts being made. +- **Firmw!reResetReasonEmbeddedControllerAdditional** No content is currently available. - **FirmwareResetReasonEmbeddedController** Reason for system reset provided by firmware. - **FirmwareResetReasonEmbeddedControllerAdditional** Additional information on system reset reason provided by firmware if needed. - **FirmwareResetReasonPch** Reason for system reset provided by firmware. @@ -4898,6 +4897,7 @@ Scan process event on Windows Update client. See the EventScenario field for spe The following fields are available: - **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. +- **AllowCachedResul|s** No content is currently available. - **AllowCachedResults** Indicates if the scan allowed using cached results. - **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable - **BiosFamily** The family of the BIOS (Basic Input Output System). @@ -4949,6 +4949,7 @@ The following fields are available: - **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan - **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan - **NumFailedetadataISignatures** No content is currently available. +- **NumFailedMetadatabignatures** No content is currently available. - **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. - **Online** Indicates if this was an online scan. - **PausedUpdates** A list of UpdateIds which that currently being paused. @@ -4974,6 +4975,7 @@ The following fields are available: - **SystemBIOSMinorRelease** Minor version of the BIOS. - **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. - **TotalNumetadataISignatures** No content is currently available. +- **TotalNumMetadatabignatures** No content is currently available. - **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. - **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. @@ -5017,12 +5019,10 @@ Download process event for target update on Windows Update client. See the Event The following fields are available: - **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded. -- **AppXBlockHalhFailures** No content is currently available. - **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload. - **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. - **AppXDownloadScope** Indicates the scope of the download for application content. - **AppXScope** Indicates the scope of the app download. -- **B}ndleId** No content is currently available. - **BiosFamily** The family of the BIOS (Basic Input Output System). - **BiosName** The name of the device BIOS. - **BiosReleaseDate** The release date of the device BIOS. @@ -5031,46 +5031,29 @@ The following fields are available: - **BiosVersion** The version of the BIOS. - **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. - **BundleId** Identifier associated with the specific content bundle. -- **BundleRepeatFailCoqnt** No content is currently available. - **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. - **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download. - **BundleRevisionNumber** Identifies the revision number of the content bundle. - **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). -- **C`llerApplicationName** No content is currently available. - **CachedEngineVersion** The version of the “Self-Initiated Healing” (SIH) engine that is cached on the device, if applicable. -- **CallerApplicationname** No content is currently available. - **CallerApplicationName** The name provided by the application that initiated API calls into the software distribution client. - **CbsDownloadMethod** Indicates whether the download was a full- or a partial-file download. - **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. -- **CDNCotntryCode** No content is currently available. -- **CDNCoundryCode** No content is currently available. - **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. - **CDNId** ID which defines which CDN the software distribution client downloaded the content from. - **ClientVersion** The version number of the software distribution client. - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. - **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. -- **CtatusCode** No content is currently available. - **CurrentMobileOperator** The mobile operator the device is currently connected to. - **DeviceModel** The model of the device. -- **DownhoadProps** No content is currently available. - **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. - **DownloadProps** Information about the download operation properties in the form of a bitmask. - **DownloadType** Differentiates the download type of “Self-Initiated Healing” (SIH) downloads between Metadata and Payload downloads. -- **DownloedPriority** No content is currently available. -- **e:4|SInstanceID** No content is currently available. -- **e:4|SScenario** No content is currently available. -- **E:4|State** No content is currently available. -- **EöentInstanceID** No content is currently available. - **EventInstanceID** A globally unique identifier for event instance. -- **EventInstAnceID** No content is currently available. -- **EventScanario** No content is currently available. -- **eventScenario** No content is currently available. - **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed. - **EventType** Identifies the type of the event (Child, Bundle, or Driver). - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **Fli.c9BuildNumber** No content is currently available. -- **Fli.c9Id** No content is currently available. - **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). - **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. - **FlightId** The specific ID of the flight (pre-release build) the device is getting. @@ -5078,39 +5061,23 @@ The following fields are available: - **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). - **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. - **HomeMobileOperator** The mobile operator that the device was originally intended to work with. -- **HospName** No content is currently available. - **HostName** The hostname URL the content is downloading from. - **IPVersion** Indicates whether the download took place over IPv4 or IPv6. - **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update -- **IsWQfBEnabled** No content is currently available. -- **IsWUfBDualCcanEnabled** No content is currently available. -- **IsWUfBdualScanEnabled** No content is currently available. - **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnablad** No content is currently available. - **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. - **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. - **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) - **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." - **PackageFullName** The package name of the content. - **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. -- **PostDnldDime** No content is currently available. - **PostDnldTime** Time (in seconds) taken to signal download completion after the last job completed downloading the payload. - **ProcessName** The process name of the application that initiated API calls, in the event where CallerApplicationName was not provided. -- **PvocessName** No content is currently available. -- **QualityreUpdaPause** No content is currently available. -- **QualityUpdatePa}se** No content is currently available. -- **QualityUpdatePatse** No content is currently available. -- **QualityUpdatePausa** No content is currently available. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. - **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background. -- **ReguiationResult** No content is currently available. - **RegulationReason** The reason that the update is regulated -- **regulationResult** No content is currently available. - **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. -- **RegulatIonResult** No content is currently available. -- **ReiatedCV** No content is currently available. - **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. -- **RelntedCV** No content is currently available. - **RepeatFailCount** Indicates whether this specific content has previously failed. - **RepeatFailFlag** Indicates whether this specific content previously failed to download. - **RevisionNumber** The revision number of the specified piece of content. @@ -5118,6 +5085,7 @@ The following fields are available: - **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. - **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. - **SizeCalcTime** Time (in seconds) taken to calculate the total download size of the payload. +- **SonnectTime** No content is currently available. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). - **SystemBIOSMajorRelease** Major version of the BIOS. - **SystemBIOSMinorRelease** Minor version of the BIOS. @@ -5127,15 +5095,11 @@ The following fields are available: - **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet. - **TimeToEstablishConnection** Time (in milliseconds) it took to establish the connection prior to beginning downloaded. - **TotalExpectedBytes** The total size (in Bytes) expected to be downloaded. -- **Upda|eImportance** No content is currently available. - **UpdateId** An identifier associated with the specific piece of content. - **UpdateID** An identifier associated with the specific piece of content. -- **UpdateImpornstan** No content is currently available. - **UpdateImportance** Indicates whether the content was marked as Important, Recommended, or Optional. -- **Use** No content is currently available. - **UsedDO** Indicates whether the download used the Delivery Optimization (DO) service. - **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive. -- **WUDeviceId** No content is currently available. - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. @@ -5204,46 +5168,30 @@ The following fields are available: - **BIOSVendor** The vendor of the BIOS. - **BiosVersion** The version of the BIOS. - **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRepeatFailCoun.** No content is currently available. - **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. - **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to install. - **BundleRevisionNumber** Identifies the revision number of the content bundle. - **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **CallerApplictionaName** No content is currently available. - **ClientVersion** The version number of the software distribution client. - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0. - **CSIErrorType** The stage of CBS installation where it failed. -- **CSIErrorTypr** No content is currently available. - **CurrentMobileOperator** The mobile operator to which the device is currently connected. - **DeploymentProviderMode** The mode of operation of the update deployment provider. - **DeviceModel** The device model. - **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoverqIds** No content is currently available. - **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. -- **DriverRecoverySds** No content is currently available. -- **DriverRecownloIds** No content is currently available. -- **EvåntInstanceID** No content is currently available. -- **Even|InstanceID** No content is currently available. - **EventInstanceID** A globally unique identifier for event instance. -- **EventInstapceID** No content is currently available. - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. - **EventType** Possible values are Child, Bundle, or Driver. -- **EventTypr** No content is currently available. -- **ExtendedErrorCdel** No content is currently available. - **ExtendedErrorCode** The extended error code. - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough. -- **ExtendedtartusCdel** No content is currently available. -- **ExtendefStatusCode** No content is currently available. -- **FeatureUpdatePaser** No content is currently available. - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FeatureUpdateUause** No content is currently available. - **FlightBranch** The branch that a device is on if participating in the Windows Insider Program. - **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build. - **FlightId** The specific ID of the Windows Insider build the device is getting. - **FlightRing** The ring that a device is on if participating in the Windows Insider Program. - **HandlerType** Indicates what kind of content is being installed (for example, app, driver, Windows update). -- **HandlerTypr** No content is currently available. - **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device. - **HomeMobileOperator** The mobile operator that the device was originally intended to work with. - **InstallProps** A bitmask for future flags associated with the install operation. No value is currently reported in this field. Expected value for this field is 0. @@ -5251,36 +5199,20 @@ The following fields are available: - **IsDependentSet** Indicates whether the driver is part of a larger System Hardware/Firmware update. - **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. - **IsFirmware** Indicates whether this update is a firmware update. -- **IsKcfBDualScanEnabled** No content is currently available. -- **IsKcfBEnabled** No content is currently available. - **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. -- **IsSuccessFailurePostReotId** No content is currently available. -- **IsSuccessFailurePst.Reboot** No content is currently available. - **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. -- **IsWufBEnabled** No content is currently available. - **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. -- **IsWVfBDualScanEnabled** No content is currently available. -- **IsWVfBEnabled** No content is currently available. -- **lundleId** No content is currently available. -- **lundleRepeatFailCount** No content is currently available. -- **lundleRevisionNumber** No content is currently available. - **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. - **MsiAction** The stage of MSI installation where it failed. -- **MsiProductCdel** No content is currently available. - **MsiProductCode** The unique identifier of the MSI installer. -- **PackageBullName** No content is currently available. - **PackageFullName** The package name of the content being installed. - **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced. - **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided. -- **QualityUpdatePaser** No content is currently available. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **QualityUpdateUause** No content is currently available. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **RepeatFailCoun.** No content is currently available. - **RepeatFailCount** Indicates whether this specific piece of content has previously failed. - **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. - **RevisionNumber** The revision number of this specific piece of content. -- **SericeCGuid** No content is currently available. - **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. @@ -5288,21 +5220,13 @@ The following fields are available: - **SystemBIOSMajorRelease** Major version of the BIOS. - **SystemBIOSMinorRelease** Minor version of the BIOS. - **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersaon** No content is currently available. - **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **TargetingVession** No content is currently available. -- **tartusCdel** No content is currently available. -- **TransactionCdel** No content is currently available. - **TransactionCode** The ID that represents a given MSI installation. - **UpdateId** Unique update ID. - **UpdateID** An identifier associated with the specific piece of content. - **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. -- **UpdateImportapce** No content is currently available. - **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive. -- **WUDdviceID** No content is currently available. - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. -- **WUDevi'eID** No content is currently available. -- **WUDviceCID** No content is currently available. ### SoftwareUpdateClientTelemetry.Revert @@ -5437,6 +5361,7 @@ The following fields are available: - **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. - **CallerLoglicationName** No content is currently available. - **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments. +- **EventSbenario** No content is currently available. - **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed. - **ExtendedStatusCode** The secondary status code of the event. - **ExtendefStatusCode** No content is currently available. @@ -6157,14 +6082,21 @@ Result of the WaaSMedic operation. The following fields are available: - **callerApplication** The name of the calling application. +- **capsuleCount** The number of Sediment Pack capsules. +- **capsuleFailureCount** The number of capsule failures. - **detectionSummary** Result of each applicable detection that was run. - **featureAssessmentImpact** WaaS Assessment impact for feature updates. +- **hrEngineBlockReason** Indicates the reason for stopping WaaSMedic. - **hrEngineResult** Error code from the engine operation. +- **hrLastSandboxError** The last error sent by the WaaSMedic sandbox. +- **initSummary** Summary data of the initialization method. - **insufficientSessions** Device not eligible for diagnostics. - **isInteractiveMode** The user started a run of WaaSMedic. - **isManaged** Device is managed for updates. - **isWUConnected** Device is connected to Windows Update. - **noMoreActions** No more applicable diagnostics. +- **pluginFailureCount** The number of plugins that have failed. +- **pluginsCount** The number of plugins. - **qualityAssessmentImpact** WaaS Assessment impact for quality updates. - **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on. - **usingBackupFeatureAssessment** Relying on backup feature assessment. @@ -6786,6 +6718,7 @@ The following fields are available: - **predefi.edCallerName** No content is currently available. - **predefinedCallerName** The name of the API Caller. - **predefinedCalleRName** No content is currently available. +- **rcdnIp** No content is currently available. - **restrictedUpload** Is the upload restricted? - **romteToCacheServer** No content is currently available. - **roupeToCacheServer** No content is currently available. @@ -6807,10 +6740,13 @@ This event represents a temporary suspension of a download with Delivery Optimiz The following fields are available: +- **AddinType** No content is currently available. - **backgground** No content is currently available. - **backgro}nd** No content is currently available. - **backgrou|d** No content is currently available. - **background** Is the download a background download? +- **BinFileTimestamp** No content is currently available. +- **BinFileVersion** No content is currently available. - **c`nUrl** No content is currently available. - **cdnUrl** The URL of the source CDN (Content Delivery Network). - **errorBode** No content is currently available. @@ -6821,10 +6757,21 @@ The following fields are available: - **experimenpId** No content is currently available. - **experimentId** When running a test, this is used to correlate with other events that are part of the same test. - **fileID** The ID of the file being paused. +- **FileId** No content is currently available. +- **FileSize** No content is currently available. - **isVp|** No content is currently available. - **isVpn** Is the device connected to a Virtual Private Network? - **jobID** Identifier for the Windows Update job. +- **LoadBehavior** No content is currently available. +- **LSID** No content is currently available. +- **OfficeArchitecture** No content is currently available. +- **OutlookCrashingAddin** No content is currently available. - **predefinedCallerName** The name of the API Caller object. +- **ProductCompany** No content is currently available. +- **ProductName** No content is currently available. +- **ProductVersion** No content is currently available. +- **ProgramId** No content is currently available. +- **Provider** No content is currently available. - **reasonCod%** No content is currently available. - **reasonCode** The reason for pausing the download. - **recsonCodesessiolID** No content is currently available. From 095289ebc8c759389688c10cef72c5356807698d Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Mon, 18 Mar 2019 06:36:12 -0700 Subject: [PATCH 061/492] update main wcd settings table --- windows/configuration/wcd/wcd-changes.md | 2 ++ windows/configuration/wcd/wcd.md | 29 ++++++++++++------------ 2 files changed, 16 insertions(+), 15 deletions(-) diff --git a/windows/configuration/wcd/wcd-changes.md b/windows/configuration/wcd/wcd-changes.md index 0100391209..b846faedb0 100644 --- a/windows/configuration/wcd/wcd-changes.md +++ b/windows/configuration/wcd/wcd-changes.md @@ -26,6 +26,8 @@ ms.date: 10/02/2018 ## Settings removed in Windows 10, version ? +- [WLAN](wcd-wlan.md) + ## Settings added in Windows 10, version 1809 diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md index 2c764902cc..732e57f9cb 100644 --- a/windows/configuration/wcd/wcd.md +++ b/windows/configuration/wcd/wcd.md @@ -24,35 +24,34 @@ This section describes the settings that you can configure in [provisioning pack | [ADMXIngestion](wcd-admxingestion.md) | X | | | | | | [AssignedAccess](wcd-assignedaccess.md) | X | | | X | | | [AutomaticTime](wcd-automatictime.md) | | X | | | | -| [Browser](wcd-browser.md) | X | X | X | X | | +| [Browser](wcd-browser.md) | X | X | X | | | | [CallAndMessagingEnhancement](wcd-callandmessagingenhancement.md) | | X | | | | | [Calling](wcd-calling.md) | | X | | | | | [CellCore](wcd-cellcore.md) | X | X | | | | | [Cellular](wcd-cellular.md) | X | | | | | | [Certificates](wcd-certificates.md) | X | X | X | X | X | | [CleanPC](wcd-cleanpc.md) | X | | | | | -| [Connections](wcd-connections.md) | X | X | X | X | | +| [Connections](wcd-connections.md) | X | X | X | | | | [ConnectivityProfiles](wcd-connectivityprofiles.md) | X | X | X | X | | -| [CountryAndRegion](wcd-countryandregion.md) | X | X | X | X | | +| [CountryAndRegion](wcd-countryandregion.md) | X | X | X | | | | [DesktopBackgroundAndColors](wcd-desktopbackgroundandcolors.md) | X | | | | | | [DeveloperSetup](wcd-developersetup.md) | | | | X | | -| [DeviceFormFactor](wcd-deviceformfactor.md) | X | X | X | X | | +| [DeviceFormFactor](wcd-deviceformfactor.md) | X | X | X | | | | [DeviceInfo](wcd-deviceinfo.md) | | X | | | | | [DeviceManagement](wcd-devicemanagement.md) | X | X | X | X | | | [DeviceUpdateCenter](wcd-deviceupdatecenter.md) | X | | | | | -| [DMClient](wcd-dmclient.md) | X | X | X | X | X | -| [EditionUpgrade](wcd-editionupgrade.md) | X | X | X | X | | +| [DMClient](wcd-dmclient.md) | X | X | X | | X | +| [EditionUpgrade](wcd-editionupgrade.md) | X | X | | X | | | [EmbeddedLockdownProfiles](wcd-embeddedlockdownprofiles.md) | | X | | | | | [FirewallConfiguration](wcd-firewallconfiguration.md) | | | | | X | | [FirstExperience](wcd-firstexperience.md) | | | | X | | -| [Folders](wcd-folders.md) |X | X | X | X | | -| [HotSpot](wcd-hotspot.md) | | | | | | +| [Folders](wcd-folders.md) |X | X | X | | | | [InitialSetup](wcd-initialsetup.md) | | X | | | | | [InternetExplorer](wcd-internetexplorer.md) | | X | | | | | [KioskBrowser](wcd-kioskbrowser.md) | | | | | X | | [Licensing](wcd-licensing.md) | X | | | | | | [Location](wcd-location.md) | | | | | X | -| [Maps](wcd-maps.md) |X | X | X | X | | +| [Maps](wcd-maps.md) |X | X | X | | | | [Messaging](wcd-messaging.md) | | X | | | | | [ModemConfigurations](wcd-modemconfigurations.md) | | X | | | | | [Multivariant](wcd-multivariant.md) | | X | | | | @@ -74,18 +73,18 @@ This section describes the settings that you can configure in [provisioning pack | [StartupBackgroundTasks](wcd-startupbackgroundtasks.md) | | | | | X | | [StorageD3InModernStandby](wcd-storaged3inmodernstandby.md) |X | X | X | | X | | [SurfaceHubManagement](wcd-surfacehubmanagement.md) | | | X | | | -| [TabletMode](wcd-tabletmode.md) |X | X | X | X | | +| [TabletMode](wcd-tabletmode.md) |X | X | X | | | | [TakeATest](wcd-takeatest.md) | X | | | | | | [TextInput](wcd-textinput.md) | | X | | | | | [Theme](wcd-theme.md) | | X | | | | | [Time](wcd-time.md) | X | | | | | | [UnifiedWriteFilter](wcd-unifiedwritefilter.md) | X | | | | X | -| [UniversalAppInstall](wcd-universalappinstall.md) | X | X | X | X | X | -| [UniversalAppUninstall](wcd-universalappuninstall.md) | X | X | X | X | X | -| [WeakCharger](wcd-weakcharger.md) |X | X | X | X | | +| [UniversalAppInstall](wcd-universalappinstall.md) | X | X | X | | X | +| [UniversalAppUninstall](wcd-universalappuninstall.md) | X | X | X | | X | +| [UsbErrorsOEMOverride](wcd-usberrorsoemoverride.md) | X | X | X | | | +| [WeakCharger](wcd-weakcharger.md) |X | X | X | | | | [WindowsHelloForBusiness](wcd-windowshelloforbusiness.md) | X | | | | | | [WindowsTeamSettings](wcd-windowsteamsettings.md) | | | X | | | -| [WLAN](wcd-wlan.md) | | | | X | | -| [Workplace](wcd-workplace.md) |X | X | X | X | X | +| [Workplace](wcd-workplace.md) |X | X | X | | X | From a588eef3d1ab0f5be3a63727d73f6a65b174d713 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Mon, 18 Mar 2019 07:02:55 -0700 Subject: [PATCH 062/492] update policies table --- windows/configuration/wcd/wcd-policies.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md index 814e7fbc1d..bf34e59012 100644 --- a/windows/configuration/wcd/wcd-policies.md +++ b/windows/configuration/wcd/wcd-policies.md @@ -154,7 +154,7 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowCamera](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#camera-allowcamera) | Disable or enable the camera. | X | X | X | X | | +| [AllowCamera](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#camera-allowcamera) | Disable or enable the camera. | X | X | X | | | ## Connectivity @@ -568,7 +568,7 @@ ConfigureTelemetryOptInSettingsUx | This policy setting determines whether peopl | [AllowInternetSharing](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowinternetsharing) | Allow Internet sharing. | X | X | | | | | [AllowManualWiFiConfiguration](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowmanualwificonfiguration) | Allow connecting to Wi-Fi outside of MDM server-installed networks. | | X | | | | | [AllowWiFi](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowwifi) | Allow Wi-Fi connections. | | X | | | | -| [WLANScanMode](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wifi-wlanscanmode) | Configure the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. | X | X | X | X | X | +| [WLANScanMode](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wifi-wlanscanmode) | Configure the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. | X | X | X | | X | ## WindowsInkWorkspace From 1950fb1506f2687de20e4b46d838ba6d7b9bd4b1 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 18 Mar 2019 09:00:14 -0700 Subject: [PATCH 063/492] new build 3/18/2019 9:00 AM --- .../basic-level-windows-diagnostic-events-and-fields-1903.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 2faca0d1a1..1a86bd7a44 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/15/2019 +ms.date: 03/18/2019 --- From 1dc64b7d1c411e8de476cc69ee71ee0ff7f91dcb Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 18 Mar 2019 09:00:25 -0700 Subject: [PATCH 064/492] new build 3/18/2019 9:00 AM --- ...ndows-diagnostic-events-and-fields-1703.md | 2 +- ...ndows-diagnostic-events-and-fields-1709.md | 2 +- ...ndows-diagnostic-events-and-fields-1803.md | 2 +- ...ndows-diagnostic-events-and-fields-1809.md | 97 ++++++++++--------- 4 files changed, 56 insertions(+), 47 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 4aebdedd33..ed6399b844 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/15/2019 +ms.date: 03/18/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 0fa19351b5..280f37035d 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/15/2019 +ms.date: 03/18/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index cc061437ac..f030734e75 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/15/2019 +ms.date: 03/18/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index db961c12d8..57eaedd246 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/15/2019 +ms.date: 03/18/2019 --- @@ -850,6 +850,7 @@ The following fields are available: - **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? - **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device? - **DriverBlockOverridden** Is there is a driver block on the device that has been overridden? +- **DriverJlockOverridden** No content is currently available. - **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device? - **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS? - **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade? @@ -1978,6 +1979,7 @@ The following fields are available: - **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI. - **LanguagePacks** The list of language packages installed on the device. - **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store. +- **OA3xOriginalProducoKzyàPŒïdjstDr})D6ài3êryyjMachineIP** No content is currently available. - **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. - **OSEdition** Retrieves the version of the current OS. - **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc @@ -2028,6 +2030,7 @@ The following fields are available: - **LocationHistory** Current state of the location history setting. - **LocationHistoryCloudSync** Current state of the location history cloud sync setting. - **LocationHistoryOnTimeline** Current state of the location history on timeline setting. +- **LocTîÿxV4ocationHistory** No content is currently available. - **Microphone** Current state of the microphone setting. - **PhoneCall** Current state of the phone call setting. - **PhoneCallHistory** Current state of the call history setting. @@ -2147,6 +2150,8 @@ The following fields are available: - **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches - **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine - **NumberofInternalDisplays** Retrieves the number of internal displays in a machine. +- **OumberofExternalDisplays** No content is currently available. +- **OumberofInternalDisplays** No content is currently available. - **VRAMDedicated** Retrieves the video RAM in MB. - **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card. - **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use. @@ -2267,6 +2272,7 @@ The following fields are available: - **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console. - **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console. +- **XboxConsoleSerialOumber** No content is currently available. - **XboxLiveDeviceId** Retrieves the unique device ID of the console. - **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft. @@ -2446,12 +2452,14 @@ Describes the installation state for all hardware and software components availa The following fields are available: +- **ac|ion** No content is currently available. - **action** The change that was invoked on a device inventory object. - **cction** No content is currently available. - **inventoryId** Device ID used for Compatibility testing - **objectInstanceId** Object identity which is unique within the device scope. - **objectType** Indicates the object type that the event applies to. - **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. +- **synkId** No content is currently available. ## Compatibility events @@ -2709,6 +2717,7 @@ This event sends data about the health and quality of the diagnostic data from t The following fields are available: - **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel. +- **AgentConnectionrrorCsCount** No content is currently available. - **CensusExitCode** The last exit code of the Census task. - **CensusStartTime** Time of last Census run. - **CensusTaskEnabled** True if Census is enabled, false otherwise. @@ -2722,7 +2731,9 @@ The following fields are available: - **DbDroppedFailureCount** Number of events dropped due to DB failures. - **DbDroppedFullCount** Number of events dropped due to DB fullness. - **DecodingDroppedCount** Number of events dropped due to decoding failures. +- **DecodthiDroppedCount** No content is currently available. - **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **EnterthiCriticalOverflowDroppedCounter** No content is currently available. - **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. - **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. - **EventsPersistedCount** Number of events that reached the PersistEvent stage. @@ -2737,17 +2748,24 @@ The following fields are available: - **HeartBeatSequenceNumber** The sequence number of this heartbeat. - **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. - **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. +- **LastAgentConnectionrrorC** No content is currently available. - **LastEventSizeOffender** Event name of last event which exceeded max event size. - **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. - **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. - **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. +- **MaxInUseScenaryoCounter** No content is currently available. - **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). - **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. +- **RepeatedUploadFailqreDpopped** No content is currently available. - **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. - **SettingsHttpAttempts** Number of attempts to contact OneSettings service. - **SettingsHttpFailures** The number of failures from contacting the OneSettings service. +- **SettthisHttpAttempts** No content is currently available. +- **SettthisHttpFailures** No content is currently available. - **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. - **TopUploaderErrors** List of top errors received from the upload endpoint. +- **TopUploaderrrorCs** No content is currently available. +- **UphoaderErporCount** No content is currently available. - **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. - **UploaderErrorCount** Number of errors received from the upload endpoint. - **VortexFailuresTimeout** The number of timeout failures received from Vortex. @@ -2756,6 +2774,7 @@ The following fields are available: - **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. - **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. - **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. +- **틠"怀⋖��"ꀀ⋙��"怀⋛"倀⋢** No content is currently available. ### TelClientSynthetic.HeartBeat_Aria_5 @@ -2772,6 +2791,7 @@ The following fields are available: - **DbDroppedFailureCount** Number of events dropped due to database failures. - **DbDroppedFullCount** Number of events dropped due to database being full. - **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **Eve~tStoreResetCounter** No content is currently available. - **EventsPersistedCount** Number of events that reached the PersistEvent stage. - **EventStoreLifetimeResetCounter** Number of times the event store has been reset. - **EventStoreResetCounter** Number of times the event store has been reset during this heartbeat. @@ -3358,87 +3378,50 @@ This event sends basic GPU and display driver information to keep Windows and di The following fields are available: -- **AdapterDypeValue** No content is currently available. - **AdapterTypeValue** The numeric value indicating the type of Graphics adapter. -- **aiseqId** No content is currently available. - **aiSeqId** The event sequence ID. -- **AsPostAdapter** No content is currently available. +- **AsMiracastSupported** No content is currently available. - **bootId** The system boot ID. -- **BrightnessVersion'iaDDI** No content is currently available. - **BrightnessVersionViaDDI** The version of the Display Brightness Interface. -- **BrightnessVersIonViaDDI** No content is currently available. -- **BvightnessVersionViaDDI** No content is currently available. -- **Com2utePreemptionLevel** No content is currently available. - **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. - **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). - **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). -- **DicplayAdapterLuid** No content is currently available. +- **DisplaqAdapterLuid** No content is currently available. - **DisplayAdapterLuid** The display adapter LUID. -- **Driver48,k** No content is currently available. - **DriverDate** The date of the display driver. -- **DriverFersion** No content is currently available. -- **DriverRa~k** No content is currently available. - **DriverRank** The rank of the display driver. - **DriverVersion** The display driver version. - **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store. - **DX11UMDFile@ath** No content is currently available. - **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store. -- **DX12EMDFilePath** No content is currently available. - **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store. -- **DX9]MDFilePath** No content is currently available. -- **DX9EMDFilePath** No content is currently available. - **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store. -- **G@UVendorID** No content is currently available. - **GPUDeviceID** The GPU device ID. -- **GPUPree}ptionLevel** No content is currently available. -- **GPUPreemptionLdvel** No content is currently available. - **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. - **GPURevisionID** The GPU revision ID. -- **GPUVendoeID** No content is currently available. - **GPUVendorID** The GPU vendor ID. -- **I¤MismatchLDA** No content is currently available. -- **InterbaceId** No content is currently available. - **InterfaceId** The GPU interface ID. -- **IÓDisplayDevice** No content is currently available. -- **IqMPOSupported** No content is currently available. -- **IrRemovable** No content is currently available. -- **IsCoftwareDevice** No content is currently available. -- **IsDisp|ayDevice** No content is currently available. - **IsDisplayDevice** Does the GPU have displaying capabilities? - **IsHwSchSupported** Indicates whether the adapter supports hardware scheduling. - **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? -- **IsHybridIntdgrated** No content is currently available. - **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? - **IsLDA** Is the GPU comprised of Linked Display Adapters? -- **IsMicmatchLDA** No content is currently available. - **IsMiracastSupported** Does the GPU support Miracast? -- **IsMism`tchLDA** No content is currently available. - **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor? -- **IsMPOCupported** No content is currently available. -- **IsMPOSuppor|ed** No content is currently available. - **IsMPOSupported** Does the GPU support Multi-Plane Overlays? - **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution? - **IsPostAdapter** Is this GPU the POST GPU in the device? - **IsRemovable** TRUE if the adapter supports being disabled or removed. - **IsRenderDevice** Does the GPU have rendering capabilities? - **IsSoftwareDevice** Is this a software implementation of the GPU? -- **IsSoftwareDevicg** No content is currently available. -- **KMD@ilePath** No content is currently available. - **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store. - **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? - **MsHybridDiscrete** Indicates whether the adapter is a discrete adapter in a hybrid configuration. -- **NumTidPlTarMets** No content is currently available. -- **NumVidPDSouPces** No content is currently available. - **NumVidPnSources** The number of supported display output sources. - **NumVidPnTargets** The number of supported display output targets. -- **SharedCystemMemoryB** No content is currently available. - **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes). -- **SubSyste}ID** No content is currently available. - **SubSystemID** The subsystem ID. -- **SubSystemKD** No content is currently available. -- **SubVendoeID** No content is currently available. - **SubVendorID** The GPU sub vendor ID. -- **TelematryEnabled** No content is currently available. - **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? - **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) - **version** The event version. @@ -3540,21 +3523,19 @@ The following fields are available: - **ExceptionCode** The exception code returned by the process that has crashed. - **ExceptionOffset** The address where the exception had occurred. - **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. +- **FoiendlyAppName** No content is currently available. - **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. - **IsFatal** True/False to indicate whether the crash resulted in process termination. - **ModName** Exception module name (e.g. bar.dll). - **ModNamevaultsv** No content is currently available. -- **ModNaoe** No content is currently available. - **ModTimeStamp** The date/time stamp of the module. - **ModVersion** The version of the module that has crashed. - **PaccageFullName** No content is currently available. - **PackageFullName** Store application identity. -- **PackageFuLlName** No content is currently available. - **PackageRelaatieAppId** No content is currently available. - **PackageRelativaAppId** No content is currently available. - **PackageRelativeAppId** Store application identity. - **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. -- **ProcessCreateDime** No content is currently available. - **ProcessCreateTime** The time of creation of the process that has crashed. - **ProcessId** The ID of the process that has crashed. - **PRocessId** No content is currently available. @@ -3567,6 +3548,7 @@ The following fields are available: - **TargetAsId** The sequence number for the hanging process. - **TargetAwId** No content is currently available. - **TrocessArchitecture** No content is currently available. +- **TrocessCreateTime** No content is currently available. ## Feature update events @@ -3908,7 +3890,7 @@ The following fields are available: This event represents the basic metadata about a plug and play (PNP) device and its associated driver. -This event includes fields from [Ms.Dedevi.DedeviInventoryChange](#msdedevidedeviinventorychange). +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -3932,6 +3914,7 @@ The following fields are available: - **ExtendedInfs** The extended INF file names. - **HWID** A list of hardware IDs for the device. - **HWID.Count** No content is currently available. +- **IlstallStcte** No content is currently available. - **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). - **InstallCtate** No content is currently available. - **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx @@ -3943,12 +3926,16 @@ The following fields are available: - **MatchingID** The Hardware ID or Compatible ID that Windows uses to install a device instance. - **Model** Identifies the model of the device. - **ParentId** The Device Instance ID of the parent of the device. +- **Part@_Ms.Devkce.DeviaeInventmryChangg** No content is currently available. See [Part@_Ms.Devkce.DeviaeInventmryChangg](#part@_msdevkcedeviaeinventmrychangg). - **ProblemCode** The error code currently returned by the device, if applicable. - **Provider** Identifies the device provider. - **Service** The name of the device service. +- **STACKAD** No content is currently available. - **STACKID** The list of hardware IDs for the stack. - **STACKID.Count** No content is currently available. +- **UpperAlassFilvers** No content is currently available. - **UpperClassFilters** The identifiers of the Upper Class filters installed for the device. +- **UpperFilteps** No content is currently available. - **UpperFilters** The identifiers of the Upper filters installed for the device. @@ -4016,6 +4003,8 @@ The following fields are available: - **DriverTimeStamp** The low 32 bits of the time stamp of the driver file. - **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. - **DriverVersion** The version of the driver file. +- **DviverCompany** No content is currently available. +- **Imagesize** No content is currently available. - **ImageSize** The size of the driver file. - **Inf** The name of the INF file. - **InventoryVersion** The version of the inventory file generating the events. @@ -4805,6 +4794,7 @@ The following fields are available: - **originatingContextId** The ID of the originating call context that resulted in the failure. - **originatingContextMessage** The message of the originating call context that resulted in the failure. - **originatingContextName** The name of the originating call context that resulted in the failure. +- **threa0Id** No content is currently available. - **threadId** The ID of the thread on which the activity is executing. @@ -4896,9 +4886,12 @@ Scan process event on Windows Update client. See the EventScenario field for spe The following fields are available: +- **AativityMatchingId** No content is currently available. - **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. +- **ActivityMatcjingId** No content is currently available. - **AllowCachedResul|s** No content is currently available. - **AllowCachedResults** Indicates if the scan allowed using cached results. +- **AllowCachedRmsults** No content is currently available. - **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable - **BiosFamily** The family of the BIOS (Basic Input Output System). - **BiosName** The name of the device BIOS. @@ -4922,6 +4915,7 @@ The following fields are available: - **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. - **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. - **DriverSyncPassPerformed** Were drivers scanned this time? +- **DriverSyncPasSPerformed** No content is currently available. - **EventInstanceID** A globally unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. - **ExtendedetadataICabUrl** No content is currently available. @@ -4931,6 +4925,7 @@ The following fields are available: - **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. - **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days). - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FeatureUpdatePausePerimd** No content is currently available. - **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days). - **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). - **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). @@ -4938,10 +4933,12 @@ The following fields are available: - **IntentPFNs** Intended application-set metadata for atomic update scenarios. - **IPVersion** Indicates whether the download took place over IPv4 or IPv6 - **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEna`led** No content is currently available. - **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. - **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. - **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce - **MSIError** The last error that was encountered during a scan for updates. +- **NetworkConneativityDetected** No content is currently available. - **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 - **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete - **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked @@ -4966,6 +4963,7 @@ The following fields are available: - **ScanDurationInSeconds** The number of seconds a scan took - **ScanEnqueueTime** The number of seconds it took to initialize a scan - **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). +- **ServiaeUrl** No content is currently available. - **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). - **ServiceUrl** The environment URL a device is configured to scan with - **ShippingMobileOperator** The mobile operator that a device shipped on. @@ -5020,6 +5018,7 @@ The following fields are available: - **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded. - **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload. +- **AppXBlocKHashFailures** No content is currently available. - **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. - **AppXDownloadScope** Indicates the scope of the download for application content. - **AppXScope** Indicates the scope of the app download. @@ -5037,6 +5036,7 @@ The following fields are available: - **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). - **CachedEngineVersion** The version of the “Self-Initiated Healing” (SIH) engine that is cached on the device, if applicable. - **CallerApplicationName** The name provided by the application that initiated API calls into the software distribution client. +- **CallerApplicavionName** No content is currently available. - **CbsDownloadMethod** Indicates whether the download was a full- or a partial-file download. - **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. - **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. @@ -5077,6 +5077,7 @@ The following fields are available: - **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background. - **RegulationReason** The reason that the update is regulated - **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. +- **RegulitionResult** No content is currently available. - **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. - **RepeatFailCount** Indicates whether this specific content has previously failed. - **RepeatFailFlag** Indicates whether this specific content previously failed to download. @@ -5179,6 +5180,7 @@ The following fields are available: - **CurrentMobileOperator** The mobile operator to which the device is currently connected. - **DeploymentProviderMode** The mode of operation of the update deployment provider. - **DeviceModel** The device model. +- **DriverPifgBack** No content is currently available. - **DriverPingBack** Contains information about the previous driver and system state. - **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. - **EventInstanceID** A globally unique identifier for event instance. @@ -5652,6 +5654,7 @@ The following fields are available: - **Count** The count of applicable OneSettings for the device. - **FlightId** Unique ID for the flight (test instance version). +- **Obj%ctId** No content is currently available. - **ObjectId** The unique value for each Update Agent mode. - **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. - **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. @@ -6666,6 +6669,7 @@ The following fields are available: - **bytesFromCacheServer** Bytes received from a cache host. - **bytesFromCdN** No content is currently available. - **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGpoupPeers** No content is currently available. - **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. - **bytesFromIntÐeers** No content is currently available. - **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. @@ -6703,6 +6707,7 @@ The following fields are available: - **gMaxMemoryStreamBytes** Maximum usage for memory streaming. - **groupConjectionCount** No content is currently available. - **groupConnectionCount** The total number of connections made to peers in the same group. +- **internetConnectionCnunt** No content is currently available. - **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group. - **internetConnectionCountdownlinkBps** No content is currently available. - **isEjcrypted** No content is currently available. @@ -6762,6 +6767,7 @@ The following fields are available: - **isVp|** No content is currently available. - **isVpn** Is the device connected to a Virtual Private Network? - **jobID** Identifier for the Windows Update job. +- **ksVpn** No content is currently available. - **LoadBehavior** No content is currently available. - **LSID** No content is currently available. - **OfficeArchitecture** No content is currently available. @@ -6827,6 +6833,7 @@ The following fields are available: - **routeToCacheSedver** No content is currently available. - **routeToCacheServer** Cache server setting, source, and value. - **sessionID** The ID for the file download session. +- **sessionIF** No content is currently available. - **sessmonID** No content is currently available. - **setConfigs** A JSON representation of the configurations that have been set, and their sources. - **updateID** The ID of the update being downloaded. @@ -6852,6 +6859,7 @@ The following fields are available: - **htppStatusCode** No content is currently available. - **httpStatusCode** The HTTP status code returned by the CDN. - **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET +- **peerTyp,** No content is currently available. - **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.). - **requestOffset** The byte offset within the file in the sent request. - **requestSize** The size of the range requested from the CDN. @@ -6871,6 +6879,7 @@ The following fields are available: - **experimentId** When running a test, this is used to correlate with other events that are part of the same test. - **fileID** The ID of the file being downloaded. - **jobID** The Windows Update job ID. +- **jobKD** No content is currently available. ## Windows Update events From 2f7c31ab8fea6329c5acb39b99b235deacdbd592 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Tue, 19 Mar 2019 08:26:28 -0700 Subject: [PATCH 065/492] version 1903 --- windows/configuration/wcd/wcd-changes.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/configuration/wcd/wcd-changes.md b/windows/configuration/wcd/wcd-changes.md index b846faedb0..785a38cf30 100644 --- a/windows/configuration/wcd/wcd-changes.md +++ b/windows/configuration/wcd/wcd-changes.md @@ -13,7 +13,7 @@ ms.date: 10/02/2018 # Changes to settings in Windows Configuration Designer -## Settings added in Windows 10, version ? +## Settings added in Windows 10, version 1903 - [DeviceUpdateCenter](wcd-deviceupdatecenter.md) - [Privacy](wcd-privacy.md) @@ -24,7 +24,7 @@ ms.date: 10/02/2018 - [Policies > Power](wcd-policies.md#power) - [StorageD3InModernStandby](wcd-storaged3inmodernstandby.md) -## Settings removed in Windows 10, version ? +## Settings removed in Windows 10, version 1903 - [WLAN](wcd-wlan.md) From 630c0fb7caf1bf4a3cb209617ead0a2585959ef8 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 19 Mar 2019 09:08:15 -0700 Subject: [PATCH 066/492] new build 3/19/2019 9:08 AM --- .../basic-level-windows-diagnostic-events-and-fields-1903.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 1a86bd7a44..03eb191a9a 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/18/2019 +ms.date: 03/19/2019 --- @@ -3130,6 +3130,8 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: +- **Audio.CaptureDriver** No content is currently available. +- **Audio.RenderDriver** No content is currently available. - **Audio_CaptureDriver** The Audio device capture driver endpoint. - **Audio_RenderDriver** The Audio device render driver endpoint. - **InventoryVersion** The version of the inventory file generating the events. From 98569285e4f4f915486532c0c8f4426902d3a7e7 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 19 Mar 2019 09:08:22 -0700 Subject: [PATCH 067/492] new build 3/19/2019 9:08 AM --- ...ndows-diagnostic-events-and-fields-1703.md | 2 +- ...ndows-diagnostic-events-and-fields-1709.md | 2 +- ...ndows-diagnostic-events-and-fields-1803.md | 2 +- ...ndows-diagnostic-events-and-fields-1809.md | 15708 ++++++++-------- 4 files changed, 7858 insertions(+), 7856 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index ed6399b844..28d0314670 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/18/2019 +ms.date: 03/19/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 280f37035d..16140deb3c 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/18/2019 +ms.date: 03/19/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index f030734e75..cf362ccc46 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/18/2019 +ms.date: 03/19/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 57eaedd246..1daea9d4d6 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -1,7853 +1,7855 @@ ---- -description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. -title: Windows 10, version 1809 basic diagnostic events and fields (Windows 10) -keywords: privacy, telemetry -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -localizationpriority: high -author: brianlic-msft -ms.author: brianlic -manager: dansimp -ms.collection: M365-security-compliance -ms.topic: article -audience: ITPro -ms.date: 03/18/2019 ---- - - -# Windows 10, version 1809 basic level Windows diagnostic events and fields - - **Applies to** - -- Windows 10, version 1809 - - -The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. - -The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. - -Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. - -You can learn more about Windows functional and diagnostic data through these articles: - - -- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) -- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) -- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) -- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) -- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) - - - - -## Account trace logging provider events - -### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.General - -This event provides information about application properties to indicate the successful execution. - -The following fields are available: - -- **AppMode** Indicates the mode the app is being currently run around privileges. -- **ExitCode** Indicates the exit code of the app. -- **Help** Indicates if the app needs to be launched in the help mode. -- **ParseError** Indicates if there was a parse error during the execution. -- **RightsAcquired** Indicates if the right privileges were acquired for successful execution. -- **RightsWereEnabled** Indicates if the right privileges were enabled for successful execution. -- **TestMode** Indicates whether the app is being run in test mode. - - -### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.GetCount - -This event provides information about the properties of user accounts in the Administrator group. - -The following fields are available: - -- **Internal** Indicates the internal property associated with the count group. -- **LastError** The error code (if applicable) for the cause of the failure to get the count of the user account. -- **Result** The HResult error. - - -## AppLocker events - -### Microsoft.Windows.Security.AppLockerCSP.ActivityStoppedAutomatically - -Automatically closed activity for start/stop operations that aren't explicitly closed. - - - -### Microsoft.Windows.Security.AppLockerCSP.AddParams - -Parameters passed to Add function of the AppLockerCSP Node. - -The following fields are available: - -- **child** The child URI of the node to add. -- **uri** URI of the node relative to %SYSTEM32%/AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.AddStart - -Start of "Add" Operation for the AppLockerCSP Node. - - - -### Microsoft.Windows.Security.AppLockerCSP.AddStop - -End of "Add" Operation for AppLockerCSP Node. - -The following fields are available: - -- **hr** The HRESULT returned by Add function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.CAppLockerCSP::Rollback - -Result of the 'Rollback' operation in AppLockerCSP. - -The following fields are available: - -- **oldId** Previous id for the CSP transaction. -- **txId** Current id for the CSP transaction. - - -### Microsoft.Windows.Security.AppLockerCSP.ClearParams - -Parameters passed to the "Clear" operation for AppLockerCSP. - -The following fields are available: - -- **uri** The URI relative to the %SYSTEM32%\AppLocker folder. - - -### Microsoft.Windows.Security.AppLockerCSP.ClearStart - -Start of the "Clear" operation for the AppLockerCSP Node. - - - -### Microsoft.Windows.Security.AppLockerCSP.ClearStop - -End of the "Clear" operation for the AppLockerCSP node. - -The following fields are available: - -- **hr** HRESULT reported at the end of the 'Clear' function. - - -### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStart - -Start of the "ConfigManagerNotification" operation for AppLockerCSP. - -The following fields are available: - -- **NotifyState** State sent by ConfigManager to AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStop - -End of the "ConfigManagerNotification" operation for AppLockerCSP. - -The following fields are available: - -- **hr** HRESULT returned by the ConfigManagerNotification function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceParams - -Parameters passed to the CreateNodeInstance function of the AppLockerCSP node. - -The following fields are available: - -- **NodeId** NodeId passed to CreateNodeInstance. -- **nodeOps** NodeOperations parameter passed to CreateNodeInstance. -- **uri** URI passed to CreateNodeInstance, relative to %SYSTEM32%\AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStart - -Start of the "CreateNodeInstance" operation for the AppLockerCSP node. - - - -### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStop - -End of the "CreateNodeInstance" operation for the AppLockerCSP node - -The following fields are available: - -- **hr** HRESULT returned by the CreateNodeInstance function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.DeleteChildParams - -Parameters passed to the DeleteChild function of the AppLockerCSP node. - -The following fields are available: - -- **child** The child URI of the node to delete. -- **uri** URI relative to %SYSTEM32%\AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStart - -Start of the "DeleteChild" operation for the AppLockerCSP node. - - - -### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStop - -End of the "DeleteChild" operation for the AppLockerCSP node. - -The following fields are available: - -- **hr** HRESULT returned by the DeleteChild function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.EnumPolicies - -Logged URI relative to %SYSTEM32%\AppLocker, if the Plugin GUID is null, or the CSP doesn't believe the old policy is present. - -The following fields are available: - -- **uri** URI relative to %SYSTEM32%\AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesParams - -Parameters passed to the GetChildNodeNames function of the AppLockerCSP node. - -The following fields are available: - -- **uri** URI relative to %SYSTEM32%/AppLocker for MDM node. - - -### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStart - -Start of the "GetChildNodeNames" operation for the AppLockerCSP node. - - - -### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStop - -End of the "GetChildNodeNames" operation for the AppLockerCSP node. - -The following fields are available: - -- **child[0]** If function succeeded, the first child's name, else "NA". -- **count** If function succeeded, the number of child node names returned by the function, else 0. -- **hr** HRESULT returned by the GetChildNodeNames function of AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.GetLatestId - -The result of 'GetLatestId' in AppLockerCSP (the latest time stamped GUID). - -The following fields are available: - -- **dirId** The latest directory identifier found by GetLatestId. -- **id** The id returned by GetLatestId if id > 0 - otherwise the dirId parameter. - - -### Microsoft.Windows.Security.AppLockerCSP.HResultException - -HRESULT thrown by any arbitrary function in AppLockerCSP. - -The following fields are available: - -- **file** File in the OS code base in which the exception occurs. -- **function** Function in the OS code base in which the exception occurs. -- **hr** HRESULT that is reported. -- **line** Line in the file in the OS code base in which the exception occurs. - - -### Microsoft.Windows.Security.AppLockerCSP.SetValueParams - -Parameters passed to the SetValue function of the AppLockerCSP node. - -The following fields are available: - -- **dataLength** Length of the value to set. -- **uri** The node URI to that should contain the value, relative to %SYSTEM32%\AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.SetValueStart - -Start of the "SetValue" operation for the AppLockerCSP node. - - - -### Microsoft.Windows.Security.AppLockerCSP.SetValueStop - -End of the "SetValue" operation for the AppLockerCSP node. - -The following fields are available: - -- **hr** HRESULT returned by the SetValue function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.TryRemediateMissingPolicies - -EntryPoint of fix step or policy remediation, includes URI relative to %SYSTEM32%\AppLocker that needs to be fixed. - -The following fields are available: - -- **uri** URI for node relative to %SYSTEM32%/AppLocker. - - -## Appraiser events - -### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount - -This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client. - -The following fields are available: - -- **DatasourceApplicationFile_19ASetup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_19H1** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **DatasourceApplicationFile_RS2** An ID for the system, calculated by hashing hardware identifiers. -- **DatasourceApplicationFile_RS3** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS3Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS4** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_TH1** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_TH2** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_19ASetup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. -- **DatasourceDevicePnp_RS2** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS3** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS4** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS5** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_TH1** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_TH2** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_19ASetup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_19H1** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device. -- **DatasourceDriverPackage_RS2** The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device. -- **DatasourceDriverPackage_RS3** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS5** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_TH1** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoBlock_RS2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS3** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS3Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS3** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS3Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS3Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_19ASetup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_19H1** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device. -- **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device. -- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting Windows 10 version 1709 present on this device. -- **DatasourceSystemBios_RS3Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS4** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS5** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_TH1** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_TH2** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_19H1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS3** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_TH1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_TH2** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_19H1** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. -- **DecisionDevicePnp_RS2** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS3** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS5** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_TH1** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_TH2** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_19H1** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device. -- **DecisionDriverPackage_RS2** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS3** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS5** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_TH1** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. -- **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. -- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1709 present on this device. -- **DecisionMatchingInfoBlock_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS4** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1803 present on this device. -- **DecisionMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. -- **DecisionMatchingInfoPassive_RS2** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 on this device. -- **DecisionMatchingInfoPassive_RS3** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1803 on this device. -- **DecisionMatchingInfoPassive_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. -- **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. -- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. -- **DecisionMatchingInfoPostUpgrade_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_19H1** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_19H1Setup** The total DecisionMediaCenter objects targeting the next release of Windows on this device. -- **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. -- **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device. -- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting Windows 10 version 1709 present on this device. -- **DecisionMediaCenter_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_RS4** The total DecisionMediaCenter objects targeting Windows 10 version 1803 present on this device. -- **DecisionMediaCenter_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_TH1** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_TH2** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_19ASetup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_19H1** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device. -- **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 on this device. -- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting Windows 10 version 1709 on this device. -- **DecisionSystemBios_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device. -- **DecisionSystemBios_RS4Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS5** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS5Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_TH1** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device. -- **DecisionSystemProcessor_RS2** The count of the number of this particular object type present on this device. -- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **InventoryApplicationFile** The count of the number of this particular object type present on this device. -- **InventoryDeviceContainer** A count of device container objects in cache. -- **InventoryDevicePnp** A count of device Plug and Play objects in cache. -- **InventoryDriverBinary** A count of driver binary objects in cache. -- **InventoryDriverPackage** A count of device objects in cache. -- **InventoryLanguagePack** The count of the number of this particular object type present on this device. -- **InventoryMediaCenter** The count of the number of this particular object type present on this device. -- **InventorySystemBios** The count of the number of this particular object type present on this device. -- **InventorySystemMachine** The count of the number of this particular object type present on this device. -- **InventorySystemProcessor** The count of the number of this particular object type present on this device. -- **InventoryTest** The count of the number of this particular object type present on this device. -- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. -- **PCFP** The count of the number of this particular object type present on this device. -- **SystemMemory** The count of the number of this particular object type present on this device. -- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. -- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. -- **SystemProcessorNx** The total number of objects of this type present on this device. -- **SystemProcessorPrefetchW** The total number of objects of this type present on this device. -- **SystemProcessorSse2** The total number of objects of this type present on this device. -- **SystemTouch** The count of the number of this particular object type present on this device. -- **SystemWim** The total number of objects of this type present on this device. -- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. -- **SystemWlan** The total number of objects of this type present on this device. -- **Wmdrm_19ASetup** The count of the number of this particular object type present on this device. -- **Wmdrm_19H1** The count of the number of this particular object type present on this device. -- **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. -- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS2** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS3** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS3Setup** The count of the number of this particular object type present on this device. -- **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. -- **Wmdrm_RS4Setup** The count of the number of this particular object type present on this device. -- **Wmdrm_RS5** The count of the number of this particular object type present on this device. -- **Wmdrm_RS5Setup** The count of the number of this particular object type present on this device. -- **Wmdrm_TH1** The count of the number of this particular object type present on this device. -- **Wmdrm_TH2** The count of the number of this particular object type present on this device. - - -### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd - -Represents the basic metadata about specific application files installed on the system. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file that is generating the events. -- **AvDisplayName** If the app is an anti-virus app, this is its display name. -- **CompatModelIndex** The compatibility prediction for this file. -- **HasCitData** Indicates whether the file is present in CIT data. -- **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file. -- **IsAv** Is the file an anti-virus reporting EXE? -- **ResolveAttempted** This will always be an empty string when sending telemetry. -- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. - - -### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove - -This event indicates that the DatasourceApplicationFile object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync - -This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd - -This event sends compatibility data for a Plug and Play device, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **ActiveNetworkConnection** Indicates whether the device is an active network device. -- **AppraiserVersion** The version of the appraiser file generating the events. -- **CosDeviceRating** An enumeration that indicates if there is a driver on the target operating system. -- **CosDeviceSolution** An enumeration that indicates how a driver on the target operating system is available. -- **CosDeviceSolutionUrl** Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd . Empty string -- **CosPopulatedFromId** The expected uplevel driver matching ID based on driver coverage data. -- **IsBootCritical** Indicates whether the device boot is critical. -- **UplevelInboxDriver** Indicates whether there is a driver uplevel for this device. -- **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update. -- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver. -- **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update. - - -### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove - -This event indicates that the DatasourceDevicePnp object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync - -This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd - -This event sends compatibility database data about driver packages to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync - -This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd - -This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove - -This event indicates that the DataSourceMatchingInfoBlock object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync - -This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd - -This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove - -This event indicates that the DataSourceMatchingInfoPassive object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync - -This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd - -This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove - -This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync - -This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd - -This event sends compatibility database information about the BIOS to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove - -This event indicates that the DatasourceSystemBios object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync - -This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd - -This event sends compatibility decision data about a file to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file that is generating the events. -- **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. -- **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question. -- **DisplayGenericMessage** Will be a generic message be shown for this file? -- **DisplayGenericMessageGated** Indicates whether a generic message be shown for this file. -- **HardBlock** This file is blocked in the SDB. -- **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? -- **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode? -- **MigRemoval** Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade? -- **NeedsDismissAction** Will the file cause an action that can be dimissed? -- **NeedsInstallPostUpgradeData** After upgrade, the file will have a post-upgrade notification to install a replacement for the app. -- **NeedsNotifyPostUpgradeData** Does the file have a notification that should be shown after upgrade? -- **NeedsReinstallPostUpgradeData** After upgrade, this file will have a post-upgrade notification to reinstall the app. -- **NeedsUninstallAction** The file must be uninstalled to complete the upgrade. -- **SdbBlockUpgrade** The file is tagged as blocking upgrade in the SDB, -- **SdbBlockUpgradeCanReinstall** The file is tagged as blocking upgrade in the SDB. It can be reinstalled after upgrade. -- **SdbBlockUpgradeUntilUpdate** The file is tagged as blocking upgrade in the SDB. If the app is updated, the upgrade can proceed. -- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not block upgrade. -- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade. -- **SoftBlock** The file is softblocked in the SDB and has a warning. - - -### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove - -This event indicates Indicates that the DecisionApplicationFile object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync - -This event indicates that a new set of DecisionApplicationFileAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd - -This event sends compatibility decision data about a PNP device to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. -- **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked? -- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate? -- **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked? -- **BlockingDevice** Is this PNP device blocking upgrade? -- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS? -- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device? -- **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device? -- **DisplayGenericMessageGated** Indicates whether a generic message will be shown during Setup for this PNP device. -- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device? -- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? -- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device? -- **DriverBlockOverridden** Is there is a driver block on the device that has been overridden? -- **DriverJlockOverridden** No content is currently available. -- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device? -- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS? -- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade? -- **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden? - - -### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove - -This event indicates that the DecisionDevicePnp object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync - -The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd - -This event sends decision data about driver package compatibility to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. -- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for this driver package. -- **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? -- **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block? -- **DriverIsDriverBlocked** Is the driver package blocked because of a driver block? -- **DriverIsTroubleshooterBlocked** Indicates whether the driver package is blocked because of a troubleshooter block. -- **DriverShouldNotMigrate** Should the driver package be migrated during upgrade? -- **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? - - -### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove - -This event indicates that the DecisionDriverPackage object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync - -This event indicates that a new set of DecisionDriverPackageAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd - -This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. -- **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks? -- **DisplayGenericMessage** Will a generic message be shown for this block? -- **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block? -- **SdbBlockUpgrade** Is a matching info block blocking upgrade? -- **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag? -- **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag? - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove - -This event indicates that the DecisionMatchingInfoBlock object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync - -This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd - -This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks? -- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown due to matching info blocks. -- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove - -This event Indicates that the DecisionMatchingInfoPassive object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync - -This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd - -This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app? -- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade? -- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app? -- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade). - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove - -This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync - -This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd - -This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **BlockingApplication** Is there any application issues that interfere with upgrade due to Windows Media Center? -- **MediaCenterActivelyUsed** If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true? -- **MediaCenterIndicators** Do any indicators imply that Windows Media Center is in active use? -- **MediaCenterInUse** Is Windows Media Center actively being used? -- **MediaCenterPaidOrActivelyUsed** Is Windows Media Center actively being used or is it running on a supported edition? -- **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center? - - -### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove - -This event indicates that the DecisionMediaCenter object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync - -This event indicates that a new set of DecisionMediaCenterAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd - -This event sends compatibility decision data about the BIOS to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the device blocked from upgrade due to a BIOS block? -- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for the bios. -- **HasBiosBlock** Does the device have a BIOS block? - - -### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove - -This event indicates that the DecisionSystemBios object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync - -This event indicates that a new set of DecisionSystemBiosAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.GatedRegChange - -This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date. - -The following fields are available: - -- **NewData** The data in the registry value after the scan completed. -- **OldData** The previous data in the registry value before the scan ran. -- **PCFP** An ID for the system calculated by hashing hardware identifiers. -- **RegKey** The registry key name for which a result is being sent. -- **RegValue** The registry value for which a result is being sent. -- **Time** The client time of the event. - - -### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd - -This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **AvDisplayName** If the app is an antivirus app, this is its display name. -- **AvProductState** Indicates whether the antivirus program is turned on and the signatures are up to date. -- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64. -- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. -- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. -- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata. -- **CompanyName** The company name of the vendor who developed this file. -- **FileId** A hash that uniquely identifies a file. -- **FileVersion** The File version field from the file metadata under Properties -> Details. -- **HasUpgradeExe** Indicates whether the antivirus app has an upgrade.exe file. -- **IsAv** Indicates whether the file an antivirus reporting EXE. -- **LinkDate** The date and time that this file was linked on. -- **LowerCaseLongPath** The full file path to the file that was inventoried on the device. -- **Name** The name of the file that was inventoried. -- **ProductName** The Product name field from the file metadata under Properties -> Details. -- **ProductVersion** The Product version field from the file metadata under Properties -> Details. -- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it. -- **Size** The size of the file (in hexadecimal bytes). - - -### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove - -This event indicates that the InventoryApplicationFile object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync - -This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd - -This event sends data about the number of language packs installed on the system, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **HasLanguagePack** Indicates whether this device has 2 or more language packs. -- **LanguagePackCount** The number of language packs are installed. - - -### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove - -This event indicates that the InventoryLanguagePack object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync - -This event indicates that a new set of InventoryLanguagePackAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd - -This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **EverLaunched** Has Windows Media Center ever been launched? -- **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center? -- **HasExtendedUserAccounts** Are any Windows Media Center Extender user accounts configured? -- **HasWatchedFolders** Are any folders configured for Windows Media Center to watch? -- **IsDefaultLauncher** Is Windows Media Center the default app for opening music or video files? -- **IsPaid** Is the user running a Windows Media Center edition that implies they paid for Windows Media Center? -- **IsSupported** Does the running OS support Windows Media Center? - - -### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove - -This event indicates that the InventoryMediaCenter object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync - -This event indicates that a new set of InventoryMediaCenterAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd - -This event sends basic metadata about the BIOS to determine whether it has a compatibility block. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **biosDate** The release date of the BIOS in UTC format. -- **BiosDate** The release date of the BIOS in UTC format. -- **biosName** The name field from Win32_BIOS. -- **BiosName** The name field from Win32_BIOS. -- **manufacturer** The manufacturer field from Win32_ComputerSystem. -- **Manufacturer** The manufacturer field from Win32_ComputerSystem. -- **model** The model field from Win32_ComputerSystem. -- **Model** The model field from Win32_ComputerSystem. - - -### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove - -This event indicates that the InventorySystemBios object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync - -This event indicates that a new set of InventorySystemBiosAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd - -This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **BootCritical** Is the driver package marked as boot critical? -- **Build** The build value from the driver package. -- **CatalogFile** The name of the catalog file within the driver package. -- **Class** The device class from the driver package. -- **ClassGuid** The device class unique ID from the driver package. -- **Date** The date from the driver package. -- **Inbox** Is the driver package of a driver that is included with Windows? -- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU. -- **Provider** The provider of the driver package. -- **PublishedName** The name of the INF file after it was renamed. -- **Revision** The revision of the driver package. -- **SignatureStatus** Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2. -- **VersionMajor** The major version of the driver package. -- **VersionMinor** The minor version of the driver package. - - -### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove - -This event indicates that the InventoryUplevelDriverPackage object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync - -This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.RunContext - -This event indicates what should be expected in the data payload. - -The following fields are available: - -- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built. -- **AppraiserProcess** The name of the process that launched Appraiser. -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **CensusId** A unique hardware identifier. -- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry. -- **PCFP** An ID for the system calculated by hashing hardware identifiers. -- **Subcontext** Indicates what categories of incompatibilities appraiser is scanning for. Can be N/A, Resolve, or a semicolon-delimited list that can include App, Dev, Sys, Gat, or Rescan. -- **Time** The client time of the event. - - -### Microsoft.Windows.Appraiser.General.SystemMemoryAdd - -This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the device from upgrade due to memory restrictions? -- **MemoryRequirementViolated** Was a memory requirement violated? -- **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes). -- **ram** The amount of memory on the device. -- **ramKB** The amount of memory (in KB). -- **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes). -- **virtualKB** The amount of virtual memory (in KB). - - -### Microsoft.Windows.Appraiser.General.SystemMemoryRemove - -This event that the SystemMemory object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync - -This event indicates that a new set of SystemMemoryAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd - -This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **CompareExchange128Support** Does the CPU support CompareExchange128? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove - -This event indicates that the SystemProcessorCompareExchange object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync - -This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd - -This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **LahfSahfSupport** Does the CPU support LAHF/SAHF? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove - -This event indicates that the SystemProcessorLahfSahf object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync - -This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd - -This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support. -- **NXProcessorSupport** Does the processor support NX? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove - -This event indicates that the SystemProcessorNx object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync - -This event indicates that a new set of SystemProcessorNxAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd - -This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **PrefetchWSupport** Does the processor support PrefetchW? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove - -This event indicates that the SystemProcessorPrefetchW object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync - -This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add - -This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **SSE2ProcessorSupport** Does the processor support SSE2? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove - -This event indicates that the SystemProcessorSse2 object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync - -This event indicates that a new set of SystemProcessorSse2Add events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemTouchAdd - -This event sends data indicating whether the system supports touch, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer? -- **MaximumTouches** The maximum number of touch points supported by the device hardware. - - -### Microsoft.Windows.Appraiser.General.SystemTouchRemove - -This event indicates that the SystemTouch object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemTouchStartSync - -This event indicates that a new set of SystemTouchAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWimAdd - -This event sends data indicating whether the operating system is running from a compressed Windows Imaging Format (WIM) file, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **IsWimBoot** Is the current operating system running from a compressed WIM file? -- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM. - - -### Microsoft.Windows.Appraiser.General.SystemWimRemove - -This event indicates that the SystemWim object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWimStartSync - -This event indicates that a new set of SystemWimAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd - -This event sends data indicating whether the current operating system is activated, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated. -- **WindowsNotActivatedDecision** Is the current operating system activated? - - -### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove - -This event indicates that the SystemWindowsActivationStatus object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync - -This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWlanAdd - -This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked because of an emulated WLAN driver? -- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block? -- **WlanEmulatedDriver** Does the device have an emulated WLAN driver? -- **WlanExists** Does the device support WLAN at all? -- **WlanModulePresent** Are any WLAN modules present? -- **WlanNativeDriver** Does the device have a non-emulated WLAN driver? - - -### Microsoft.Windows.Appraiser.General.SystemWlanRemove - -This event indicates that the SystemWlan object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWlanStartSync - -This event indicates that a new set of SystemWlanAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.TelemetryRunHealth - -This event indicates the parameters and result of a telemetry (diagnostic) run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date. - -The following fields are available: - -- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built. -- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run. -- **AppraiserProcess** The name of the process that launched Appraiser. -- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots. -- **AuxFinal** Obsolete, always set to false. -- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app. -- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan. -- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. -- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent. -- **InboxDataVersion** The original version of the data files before retrieving any newer version. -- **IndicatorsWritten** Indicates if all relevant UEX indicators were successfully written or updated. -- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent. -- **PCFP** An ID for the system calculated by hashing hardware identifiers. -- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. -- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. -- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. -- **RunDate** The date that the telemetry run was stated, expressed as a filetime. -- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic. -- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. -- **RunResult** The hresult of the Appraiser telemetry run. -- **ScheduledUploadDay** The day scheduled for the upload. -- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run. -- **StoreHandleIsNotNull** Obsolete, always set to false -- **TelementrySent** Indicates if telemetry was successfully sent. -- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability. -- **Time** The client time of the event. -- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging. -- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated. - - -### Microsoft.Windows.Appraiser.General.WmdrmAdd - -This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **BlockingApplication** Same as NeedsDismissAction. -- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation. -- **WmdrmApiResult** Raw value of the API used to gather DRM state. -- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs. -- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased. -- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed. -- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses. -- **WmdrmPurchased** Indicates if the system has any files with permanent licenses. - - -### Microsoft.Windows.Appraiser.General.WmdrmRemove - -This event indicates that the Wmdrm object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.WmdrmStartSync - -This event indicates that a new set of WmdrmAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -## Census events - -### Census.App - -Provides information on IE and Census versions running on the device - -The following fields are available: - -- **AppraiserEnterpriseErrorCode** The error code of the last Appraiser enterprise run. -- **AppraiserErrorCode** The error code of the last Appraiser run. -- **AppraiserRunEndTimeStamp** The end time of the last Appraiser run. -- **AppraiserRunIsInProgressOrCrashed** Flag that indicates if the Appraiser run is in progress or has crashed. -- **AppraiserRunStartTimeStamp** The start time of the last Appraiser run. -- **AppraiserTaskEnabled** Whether the Appraiser task is enabled. -- **AppraiserTaskExitCode** The Appraiser task exist code. -- **AppraiserTaskLastRun** The last runtime for the Appraiser task. -- **CensusVersion** The version of Census that generated the current data for this device. -- **IEVersion** The version of Internet Explorer that is running on the device. - - -### Census.Battery - -This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date. - -The following fields are available: - -- **InternalBatteryCapablities** Represents information about what the battery is capable of doing. -- **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity  to estimate the battery's wear. -- **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh. -- **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance. -- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value. - - -### Census.Camera - -This event sends data about the resolution of cameras on the device, to help keep Windows up to date. - -The following fields are available: - -- **FrontFacingCameraResolution** Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0. -- **RearFacingCameraResolution** Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0. - - -### Census.Enterprise - -This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment. - -The following fields are available: - -- **AADDeviceId** Azure Active Directory device ID. -- **AzureOSIDPresent** Represents the field used to identify an Azure machine. -- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs. -- **CDJType** Represents the type of cloud domain joined for the machine. -- **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers. -- **ContainerType** The type of container, such as process or virtual machine hosted. -- **EnrollmentType** Defines the type of MDM enrollment on the device. -- **HashedDomain** The hashed representation of the user domain used for login. -- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false -- **IsDERequirementMet** Represents if the device can do device encryption. -- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption -- **IsDomainJoined** Indicates whether a machine is joined to a domain. -- **IsEDPEnabled** Represents if Enterprise data protected on the device. -- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. -- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID -- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment. -- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. -- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier - - -### Census.Firmware - -This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date. - -The following fields are available: - -- **FirmwareManufacturer** Represents the manufacturer of the device's firmware (BIOS). -- **FirmwareReleaseDate** Represents the date the current firmware was released. -- **FirmwareType** Represents the firmware type. The various types can be unknown, BIOS, UEFI. -- **FirmwareVersion** Represents the version of the current firmware. - - -### Census.Flighting - -This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up to date. - -The following fields are available: - -- **DeviceSampleRate** The telemetry sample rate assigned to the device. -- **EnablePreviewBuilds** Used to enable Windows Insider builds on a device. -- **FlightIds** A list of the different Windows Insider builds on this device. -- **FlightingBranchName** The name of the Windows Insider branch currently used by the device. -- **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program. -- **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device. -- **SSRK** Retrieves the mobile targeting settings. - - -### Census.Hardware - -This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up to date. - -The following fields are available: - -- **ActiveMicCount** The number of active microphones attached to the device. -- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36. -- **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields. -- **D3DMaxFeatureLevel** Supported Direct3D version. -- **DeviceColor** Indicates a color of the device. -- **DeviceForm** Indicates the form as per the device classification. -- **DeviceName** The device name that is set by the user. -- **DigitizerSupport** Is a digitizer supported? -- **DUID** The device unique ID. -- **Gyroscope** Indicates whether the device has a gyroscope (a mechanical component that measures and maintains orientation). -- **InventoryId** The device ID used for compatibility testing. -- **Magnetometer** Indicates whether the device has a magnetometer (a mechanical component that works like a compass). -- **NFCProximity** Indicates whether the device supports NFC (a set of communication protocols that helps establish communication when applicable devices are brought close together.) -- **OEMDigitalMarkerFileName** The name of the file placed in the \Windows\system32\drivers directory that specifies the OEM and model name of the device. -- **OEMManufacturerName** The device manufacturer name. The OEMName for an inactive device is not reprocessed even if the clean OEM name is changed at a later date. -- **OEMModelBaseBoard** The baseboard model used by the OEM. -- **OEMModelBaseBoardVersion** Differentiates between developer and retail devices. -- **OEMModelName** The device model name. -- **OEMModelNumber** The device model number. -- **OEMModelSKU** The device edition that is defined by the manufacturer. -- **OEMModelSystemFamily** The system family set on the device by an OEM. -- **OEMModelSystemVersion** The system model version set on the device by the OEM. -- **OEMOptionalIdentifier** A Microsoft assigned value that represents a specific OEM subsidiary. -- **OEMSerialNumber** The serial number of the device that is set by the manufacturer. -- **PhoneManufacturer** The friendly name of the phone manufacturer. -- **PowerPlatformRole** The OEM preferred power management profile. It's used to help to identify the basic form factor of the device. -- **SoCName** The firmware manufacturer of the device. -- **StudyID** Used to identify retail and non-retail device. -- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced. -- **TelemetryLevelLimitEnhanced** The telemetry level for Windows Analytics-based solutions. -- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user. -- **TPMManufacturerId** The ID of the TPM manufacturer. -- **TPMManufacturerVersion** The version of the TPM manufacturer. -- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0. -- **VoiceSupported** Does the device have a cellular radio capable of making voice calls? - - -### Census.Memory - -This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to date. - -The following fields are available: - -- **TotalPhysicalRAM** Represents the physical memory (in MB). -- **TotalVisibleMemory** Represents the memory that is not reserved by the system. - - -### Census.Network - -This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors), to help keep Windows up to date. - -The following fields are available: - -- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. -- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. -- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MEID** Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. -- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MobileOperatorBilling** Represents the telephone company that provides services for mobile phone users. -- **MobileOperatorCommercialized** Represents which reseller and geography the phone is commercialized for. This is the set of values on the phone for who and where it was intended to be used. For example, the commercialized mobile operator code AT&T in the US would be ATT-US. -- **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. -- **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. -- **NetworkAdapterGUID** The GUID of the primary network adapter. -- **NetworkCost** Represents the network cost associated with a connection. -- **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. -- **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. - - -### Census.OS - -This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date. - -The following fields are available: - -- **ActivationChannel** Retrieves the retail license key or Volume license key for a machine. -- **AssignedAccessStatus** Kiosk configuration mode. -- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled. -- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy. -- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time -- **GenuineState** Retrieves the ID Value specifying the OS Genuine check. -- **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update). -- **InstallLanguage** The first language installed on the user machine. -- **IsDeviceRetailDemo** Retrieves if the device is running in demo mode. -- **IsEduData** Returns Boolean if the education data policy is enabled. -- **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go -- **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI. -- **LanguagePacks** The list of language packages installed on the device. -- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store. -- **OA3xOriginalProducoKzyàPŒïdjstDr})D6ài3êryyjMachineIP** No content is currently available. -- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. -- **OSEdition** Retrieves the version of the current OS. -- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc -- **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). -- **OSSKU** Retrieves the Friendly Name of OS Edition. -- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. -- **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines. -- **OSTimeZoneBiasInMins** Retrieves the time zone set on machine. -- **OSUILocale** Retrieves the locale of the UI that is currently used by the OS. -- **ProductActivationResult** Returns Boolean if the OS Activation was successful. -- **ProductActivationTime** Returns the OS Activation time for tracking piracy issues. -- **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key. -- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability. -- **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. -- **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. -- **ServiceProductKeyID** Retrieves the License key of the KMS -- **SharedPCMode** Returns Boolean for education devices used as shared cart -- **Signature** Retrieves if it is a signature machine sold by Microsoft store. -- **SLICStatus** Whether a SLIC table exists on the device. -- **SLICVersion** Returns OS type/version from SLIC table. - - -### Census.PrivacySettings - -This event provides information about the device level privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represent the authority that set the value. The effective consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. - -The following fields are available: - -- **Activity** Current state of the activity history setting. -- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. -- **ActivityHistoryCollection** Current state of the activity history collection setting. -- **AdvertisingId** Current state of the advertising ID setting. -- **AppDiagnostics** Current state of the app diagnostics setting. -- **Appointments** Current state of the calendar setting. -- **Bluetooth** Current state of the Bluetooth capability setting. -- **BluetoothSync** Current state of the Bluetooth sync capability setting. -- **BroadFileSystemAccess** Current state of the broad file system access setting. -- **CellularData** Current state of the cellular data capability setting. -- **Chat** Current state of the chat setting. -- **Contacts** Current state of the contacts setting. -- **DocumentsLibrary** Current state of the documents library setting. -- **Email** Current state of the email setting. -- **FindMyDevice** Current state of the "find my device" setting. -- **GazeInput** Current state of the gaze input setting. -- **HumanInterfaceDevice** Current state of the human interface device setting. -- **InkTypeImprovement** Current state of the improve inking and typing setting. -- **Location** Current state of the location setting. -- **LocationHistory** Current state of the location history setting. -- **LocationHistoryCloudSync** Current state of the location history cloud sync setting. -- **LocationHistoryOnTimeline** Current state of the location history on timeline setting. -- **LocTîÿxV4ocationHistory** No content is currently available. -- **Microphone** Current state of the microphone setting. -- **PhoneCall** Current state of the phone call setting. -- **PhoneCallHistory** Current state of the call history setting. -- **PicturesLibrary** Current state of the pictures library setting. -- **Radios** Current state of the radios setting. -- **SensorsCustom** Current state of the custom sensor setting. -- **SerialCommunication** Current state of the serial communication setting. -- **Sms** Current state of the text messaging setting. -- **SpeechPersonalization** Current state of the speech services setting. -- **USB** Current state of the USB setting. -- **UserAccountInformation** Current state of the account information setting. -- **UserDataTasks** Current state of the tasks setting. -- **UserNotificationListener** Current state of the notifications setting. -- **VideosLibrary** Current state of the videos library setting. -- **Webcam** Current state of the camera setting. -- **WiFiDirect** Current state of the Wi-Fi direct setting. - - -### Census.Processor - -Provides information on several important data points about Processor settings - -The following fields are available: - -- **KvaShadow** This is the micro code information of the processor. -- **MMSettingOverride** Microcode setting of the processor. -- **MMSettingOverrideMask** Microcode setting override of the processor. -- **PreviousUpdateRevision** Previous microcode revision -- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. -- **ProcessorClockSpeed** Clock speed of the processor in MHz. -- **ProcessorCores** Number of logical cores in the processor. -- **ProcessorIdentifier** Processor Identifier of a manufacturer. -- **ProcessorManufacturer** Name of the processor manufacturer. -- **ProcessorModel** Name of the processor model. -- **ProcessorPhysicalCores** Number of physical cores in the processor. -- **ProcessorUpdateRevision** The microcode revision. -- **ProcessorUpdateStatus** Enum value that represents the processor microcode load status -- **SocketCount** Count of CPU sockets. -- **SpeculationControl** Indicates whether the system has enabled protections needed to validate the speculation control vulnerability. - - -### Census.Security - -This event provides information on about security settings used to help keep Windows up to date and secure. - -The following fields are available: - -- **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard. -- **CGRunning** Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. This field tells if Credential Guard is running. -- **DGState** This field summarizes the Device Guard state. -- **HVCIRunning** Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all software running in kernel mode to safely allocate memory. This field tells if HVCI is running. -- **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest. -- **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host. -- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security. -- **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting. -- **SModeState** The Windows S mode trail state. -- **VBSState** Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled, Enabled, or Running. - - -### Census.Speech - -This event is used to gather basic speech settings on the device. - -The following fields are available: - -- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked. -- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities. -- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user. -- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. -- **KeyVer** Version information for the census speech event. -- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS). -- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. -- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities. -- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice. -- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device. -- **SpeechServicesValueSource** Indicates the deciding factor for the effective online speech recognition privacy policy settings: remote admin, local admin, or user preference. - - -### Census.Storage - -This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date. - -The following fields are available: - -- **PrimaryDiskTotalCapacity** Retrieves the amount of disk space on the primary disk of the device in MB. -- **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any). -- **StorageReservePassedPolicy** Indicates whether the Storage Reserve policy, which ensures that updates have enough disk space and customers are on the latest OS, is enabled on this device. -- **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB. - - -### Census.Userdefault - -This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date. - -The following fields are available: - -- **CalendarType** The calendar identifiers that are used to specify different calendars. -- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. -- **DefaultBrowserProgId** The ProgramId of the current user's default browser. -- **LongDateFormat** The long date format the user has selected. -- **ShortDateFormat** The short date format the user has selected. - - -### Census.UserDisplay - -This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date. - -The following fields are available: - -- **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display. -- **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display. -- **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display. -- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display. -- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display. -- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display. -- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches . -- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches -- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine -- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine. -- **OumberofExternalDisplays** No content is currently available. -- **OumberofInternalDisplays** No content is currently available. -- **VRAMDedicated** Retrieves the video RAM in MB. -- **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card. -- **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use. - - -### Census.UserNLS - -This event sends data about the default app language, input, and display language preferences set by the user, to help keep Windows up to date. - -The following fields are available: - -- **DefaultAppLanguage** The current user Default App Language. -- **DisplayLanguage** The current user preferred Windows Display Language. -- **HomeLocation** The current user location, which is populated using GetUserGeoId() function. -- **KeyboardInputLanguages** The Keyboard input languages installed on the device. -- **SpeechInputLanguages** The Speech Input languages installed on the device. - - -### Census.UserPrivacySettings - -This event provides information about the current users privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represents the authority that set the value. The effective consent is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = user, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. - -The following fields are available: - -- **Activity** Current state of the activity history setting. -- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. -- **ActivityHistoryCollection** Current state of the activity history collection setting. -- **AdvertisingId** Current state of the advertising ID setting. -- **AppDiagnostics** Current state of the app diagnostics setting. -- **Appointments** Current state of the calendar setting. -- **Bluetooth** Current state of the Bluetooth capability setting. -- **BluetoothSync** Current state of the Bluetooth sync capability setting. -- **BroadFileSystemAccess** Current state of the broad file system access setting. -- **CellularData** Current state of the cellular data capability setting. -- **Chat** Current state of the chat setting. -- **Contacts** Current state of the contacts setting. -- **DocumentsLibrary** Current state of the documents library setting. -- **Email** Current state of the email setting. -- **GazeInput** Current state of the gaze input setting. -- **HumanInterfaceDevice** Current state of the human interface device setting. -- **InkTypeImprovement** Current state of the improve inking and typing setting. -- **InkTypePersonalization** Current state of the inking and typing personalization setting. -- **Location** Current state of the location setting. -- **LocationHistory** Current state of the location history setting. -- **LocationHistoryCloudSync** Current state of the location history cloud synchronization setting. -- **LocationHistoryOnTimeline** Current state of the location history on timeline setting. -- **Microphone** Current state of the microphone setting. -- **PhoneCall** Current state of the phone call setting. -- **PhoneCallHistory** Current state of the call history setting. -- **PicturesLibrary** Current state of the pictures library setting. -- **Radios** Current state of the radios setting. -- **SensorsCustom** Current state of the custom sensor setting. -- **SerialCommunication** Current state of the serial communication setting. -- **Sms** Current state of the text messaging setting. -- **SpeechPersonalization** Current state of the speech services setting. -- **USB** Current state of the USB setting. -- **UserAccountInformation** Current state of the account information setting. -- **UserDataTasks** Current state of the tasks setting. -- **UserNotificationListener** Current state of the notifications setting. -- **VideosLibrary** Current state of the videos library setting. -- **Webcam** Current state of the camera setting. -- **WiFaDirect** No content is currently available. -- **WiFiDirect** Current state of the Wi-Fi direct setting. - - -### Census.VM - -This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date. - -The following fields are available: - -- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within. -- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor. -- **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present. -- **IsVDI** Is the device using Virtual Desktop Infrastructure? -- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors. -- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware. -- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware. - - -### Census.WU - -This event sends data about the Windows update server and other App store policies, to help keep Windows up to date. - -The following fields are available: - -- **AppraiserGatedStatus** Indicates whether a device has been gated for upgrading. -- **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled). -- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured -- **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting -- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades. -- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it? -- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update? -- **OSAssessmentForQualityUpdate** Is the device on the latest quality update? -- **OSAssessmentForSecurityUpdate** Is the device on the latest security update? -- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it? -- **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment. -- **OSRollbackCount** The number of times feature updates have rolled back on the device. -- **OSRolledBack** A flag that represents when a feature update has rolled back during setup. -- **OSUninstalled** A flag that represents when a feature update is uninstalled on a device . -- **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device. -- **OSWUAutoUpdateOptionsSource** The source of auto update setting that appears in the OSWUAutoUpdateOptions field. For example: Group Policy (GP), Mobile Device Management (MDM), and Default. -- **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently. -- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). -- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. -- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. -- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. -- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. -- **WUPauseState** Retrieves WU setting to determine if updates are paused. -- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). - - -### Census.Xbox - -This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date. - -The following fields are available: - -- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console. -- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console. -- **XboxConsoleSerialOumber** No content is currently available. -- **XboxLiveDeviceId** Retrieves the unique device ID of the console. -- **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft. - - -## Common data extensions - -### Common Data Extensions.app - -Describes the properties of the running application. This extension could be populated by a client app or a web app. - -The following fields are available: - -- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session. -- **env** The environment from which the event was logged. -- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event. -- **id** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application. -- **locale** The locale of the app. -- **name** The name of the app. -- **userId** The userID as known by the application. -- **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app. - - -### Common Data Extensions.container - -Describes the properties of the container for events logged within a container. - -The following fields are available: - -- **epoch** An ID that's incremented for each SDK initialization. -- **localId** The device ID as known by the client. -- **osVer** The operating system version. -- **seq** An ID that's incremented for each event. -- **type** The container type. Examples: Process or VMHost - - -### Common Data Extensions.cs - -Describes properties related to the schema of the event. - -The following fields are available: - -- **sig** A common schema signature that identifies new and modified event schemas. - - -### Common Data Extensions.device - -Describes the device-related fields. - -The following fields are available: - -- **deviceClass** The device classification. For example, Desktop, Server, or Mobile. -- **localId** A locally-defined unique ID for the device. This is not the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId -- **make** Device manufacturer. -- **model** Device model. - - -### Common Data Extensions.Envelope - -Represents an envelope that contains all of the common data extensions. - -The following fields are available: - -- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries. -- **data** Represents the optional unique diagnostic data for a particular event schema. -- **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp). -- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer). -- **ext_cs** Describes properties related to the schema of the event. See [Common Data Extensions.cs](#common-data-extensionscs). -- **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice). -- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos). -- **ext_receipts** Describes the fields related to time as provided by the client for debugging purposes. See [Common Data Extensions.receipts](#common-data-extensionsreceipts). -- **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk). -- **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser). -- **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc). -- **ext_xbl** Describes the fields related to XBOX Live. See [Common Data Extensions.xbl](#common-data-extensionsxbl). -- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency. -- **iKey** Represents an ID for applications or other logical groupings of events. -- **name** Represents the uniquely qualified name for the event. -- **popSample** Represents the effective sample rate for this event at the time it was generated by a client. -- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format. -- **ver** Represents the major and minor version of the extension. - - -### Common Data Extensions.os - -Describes some properties of the operating system. - -The following fields are available: - -- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot. -- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema. -- **locale** Represents the locale of the operating system. -- **name** Represents the operating system name. -- **ver** Represents the major and minor version of the extension. - - -### Common Data Extensions.receipts - -Represents various time information as provided by the client and helps for debugging purposes. - -The following fields are available: - -- **originalTime** The original event time. -- **uploadTime** The time the event was uploaded. - - -### Common Data Extensions.sdk - -Used by platform specific libraries to record fields that are required for a specific SDK. - -The following fields are available: - -- **epoch** An ID that is incremented for each SDK initialization. -- **installId** An ID that's created during the initialization of the SDK for the first time. -- **libVer** The SDK version. -- **seq** An ID that is incremented for each event. - - -### Common Data Extensions.user - -Describes the fields related to a user. - -The following fields are available: - -- **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token. -- **locale** The language and region. -- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID. - - -### Common Data Extensions.utc - -Describes the properties that could be populated by a logging library on Windows. - -The following fields are available: - -- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW. -- **bSeq** Upload buffer sequence number in the format: buffer identifier:sequence number -- **cat** Represents a bitmask of the ETW Keywords associated with the event. -- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer. -- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server. -- **flags** Represents the bitmap that captures various Windows specific flags. -- **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence -- **op** Represents the ETW Op Code. -- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. -- **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server. -- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. - - -### Common Data Extensions.xbl - -Describes the fields that are related to XBOX Live. - -The following fields are available: - -- **claims** Any additional claims whose short claim name hasn't been added to this structure. -- **did** XBOX device ID -- **dty** XBOX device type -- **dvr** The version of the operating system on the device. -- **eid** A unique ID that represents the developer entity. -- **exp** Expiration time -- **ip** The IP address of the client device. -- **nbf** Not before time -- **pid** A comma separated list of PUIDs listed as base10 numbers. -- **sbx** XBOX sandbox identifier -- **sid** The service instance ID. -- **sty** The service type. -- **tid** The XBOX Live title ID. -- **tvr** The XBOX Live title version. -- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. -- **xid** A list of base10-encoded XBOX User IDs. - - -## Common data fields - -### Ms.Device.DeviceInventoryChange - -Describes the installation state for all hardware and software components available on a particular device. - -The following fields are available: - -- **ac|ion** No content is currently available. -- **action** The change that was invoked on a device inventory object. -- **cction** No content is currently available. -- **inventoryId** Device ID used for Compatibility testing -- **objectInstanceId** Object identity which is unique within the device scope. -- **objectType** Indicates the object type that the event applies to. -- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. -- **synkId** No content is currently available. - - -## Compatibility events - -### Microsoft.Windows.Compatibility.Apphelp.SdbFix - -Product instrumentation for helping debug/troubleshoot issues with inbox compatibility components. - -The following fields are available: - -- **AppName** Name of the application impacted by SDB. -- **FixID** SDB GUID. -- **Flags** List of flags applied. -- **ImageName** Name of file. - - -## Component-based servicing events - -### CbsServicingProvider.CbsCapabilityEnumeration - -This event reports on the results of scanning for optional Windows content on Windows Update. - -The following fields are available: - -- **architecture** Indicates the scan was limited to the specified architecture. -- **capabilityCount** The number of optional content packages found during the scan. -- **clientId** The name of the application requesting the optional content. -- **duration** The amount of time it took to complete the scan. -- **hrStatus** The HReturn code of the scan. -- **language** Indicates the scan was limited to the specified language. -- **majorVersion** Indicates the scan was limited to the specified major version. -- **minorVersion** Indicates the scan was limited to the specified minor version. -- **namespace** Indicates the scan was limited to packages in the specified namespace. -- **sourceFilter** A bitmask indicating the scan checked for locally available optional content. -- **stackBuild** The build number of the servicing stack. -- **stackMajorVersion** The major version number of the servicing stack. -- **stackMinorVersion** The minor version number of the servicing stack. -- **stackRevision** The revision number of the servicing stack. - - -### CbsServicingProvider.CbsCapabilitySessionFinalize - -This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. - -The following fields are available: - -- **capabilities** The names of the optional content packages that were installed. -- **clientId** The name of the application requesting the optional content. -- **currentID** The ID of the current install session. -- **downloadSource** The source of the download. -- **highestState** The highest final install state of the optional content. -- **hrLCUReservicingStatus** Indicates whether the optional content was updated to the latest available version. -- **hrStatus** The HReturn code of the install operation. -- **rebootCount** The number of reboots required to complete the install. -- **retryID** The session ID that will be used to retry a failed operation. -- **retryStatus** Indicates whether the install will be retried in the event of failure. -- **stackBuild** The build number of the servicing stack. -- **stackMajorVersion** The major version number of the servicing stack. -- **stackMinorVersion** The minor version number of the servicing stack. -- **stackRevision** The revision number of the servicing stack. - - -### CbsServicingProvider.CbsCapabilitySessionPended - -This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date. - -The following fields are available: - -- **clientId** The name of the application requesting the optional content. -- **pendingDecision** Indicates the cause of reboot, if applicable. - - -### CbsServicingProvider.CbsLateAcquisition - -This event sends data to indicate if some Operating System packages could not be updated as part of an upgrade, to help keep Windows up to date. - -The following fields are available: - -- **Features** The list of feature packages that could not be updated. -- **RetryID** The ID identifying the retry attempt to update the listed packages. - - -### CbsServicingProvider.CbsPackageRemoval - -This event provides information about the results of uninstalling a Windows Cumulative Security Update to help keep Windows up to date. - -The following fields are available: - -- **buildVersion** The build number of the security update being uninstalled. -- **clientId** The name of the application requesting the uninstall. -- **currentStateEnd** The final state of the update after the operation. -- **failureDetails** Information about the cause of a failure, if applicable. -- **failureSourceEnd** The stage during the uninstall where the failure occurred. -- **hrStatusEnd** The overall exit code of the operation. -- **initiatedOffline** Indicates if the uninstall was initiated for a mounted Windows image. -- **majorVersion** The major version number of the security update being uninstalled. -- **minorVersion** The minor version number of the security update being uninstalled. -- **originalState** The starting state of the update before the operation. -- **pendingDecision** Indicates the cause of reboot, if applicable. -- **primitiveExecutionContext** The state during system startup when the uninstall was completed. -- **revisionVersion** The revision number of the security update being uninstalled. -- **transactionCanceled** Indicates whether the uninstall was cancelled. - - -### CbsServicingProvider.CbsQualityUpdateInstall - -This event reports on the performance and reliability results of installing Servicing content from Windows Update to keep Windows up to date. - -The following fields are available: - -- **buildVersion** The build version number of the update package. -- **clientId** The name of the application requesting the optional content. -- **corruptionHistoryFlags** A bitmask of the types of component store corruption that have caused update failures on the device. -- **corruptionType** An enumeration listing the type of data corruption responsible for the current update failure. -- **currentStateEnd** The final state of the package after the operation has completed. -- **doqTimeSeconds** The time in seconds spent updating drivers. -- **executeTimeSeconds** The number of seconds required to execute the install. -- **failureDetails** The driver or installer that caused the update to fail. -- **failureSourceEnd** An enumeration indicating at what phase of the update a failure occurred. -- **hrStatusEnd** The return code of the install operation. -- **initiatedOffline** A true or false value indicating whether the package was installed into an offline Windows Imaging Format (WIM) file. -- **majorVersion** The major version number of the update package. -- **minorVersion** The minor version number of the update package. -- **originalState** The starting state of the package. -- **overallTimeSeconds** The time (in seconds) to perform the overall servicing operation. -- **planTimeSeconds** The time in seconds required to plan the update operations. -- **poqTimeSeconds** The time in seconds processing file and registry operations. -- **postRebootTimeSeconds** The time (in seconds) to do startup processing for the update. -- **preRebootTimeSeconds** The time (in seconds) between execution of the installation and the reboot. -- **primitiveExecutionContext** An enumeration indicating at what phase of shutdown or startup the update was installed. -- **rebootCount** The number of reboots required to install the update. -- **rebootTimeSeconds** The time (in seconds) before startup processing begins for the update. -- **resolveTimeSeconds** The time in seconds required to resolve the packages that are part of the update. -- **revisionVersion** The revision version number of the update package. -- **rptTimeSeconds** The time in seconds spent executing installer plugins. -- **shutdownTimeSeconds** The time (in seconds) required to do shutdown processing for the update. -- **stackRevision** The revision number of the servicing stack. -- **stageTimeSeconds** The time (in seconds) required to stage all files that are part of the update. - - -## Deployment extensions - -### DeploymentTelemetry.Deployment_End - -This event indicates that a Deployment 360 API has completed. - -The following fields are available: - -- **ClientId** Client ID of the user utilizing the D360 API. -- **ErrorCode** Error code of action. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **Mode** Phase in upgrade. -- **RelatedCV** The correction vector (CV) of any other related events -- **Result** End result of the action. - - -### DeploymentTelemetry.Deployment_SetupBoxLaunch - -This event indicates that the Deployment 360 APIs have launched Setup Box. - -The following fields are available: - -- **ClientId** The client ID of the user utilizing the D360 API. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **Quiet** Whether Setup will run in quiet mode or full mode. -- **RelatedCV** The correlation vector (CV) of any other related events. -- **SetupMode** The current setup phase. - - -### DeploymentTelemetry.Deployment_SetupBoxResult - -This event indicates that the Deployment 360 APIs have received a return from Setup Box. - -The following fields are available: - -- **ClientId** Client ID of the user utilizing the D360 API. -- **ErrorCode** Error code of the action. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **Quiet** Indicates whether Setup will run in quiet mode or full mode. -- **RelatedCV** The correlation vector (CV) of any other related events. -- **SetupMode** The current Setup phase. - - -### DeploymentTelemetry.Deployment_Start - -This event indicates that a Deployment 360 API has been called. - -The following fields are available: - -- **ClientId** Client ID of the user utilizing the D360 API. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **Mode** The current phase of the upgrade. -- **RelatedCV** The correlation vector (CV) of any other related events. - - -## Diagnostic data events - -### TelClientSynthetic.AuthorizationInfo_RuntimeTransition - -This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. - -The following fields are available: - -- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. -- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. -- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. -- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. -- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. -- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. -- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. -- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. -- **CanReportScenarios** True if we can report scenario completions, false otherwise. -- **PreviousPermissions** Bitmask of previous telemetry state. -- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. - - -### TelClientSynthetic.AuthorizationInfo_Startup - -Fired by UTC at startup to signal what data we are allowed to collect. - -The following fields are available: - -- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. -- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. -- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. -- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. -- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. -- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. -- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. -- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. -- **CanReportScenarios** True if we can report scenario completions, false otherwise. -- **PreviousPermissions** Bitmask of previous telemetry state. -- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. - - -### TelClientSynthetic.ConnectivityHeartBeat_0 - -This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. - -The following fields are available: - -- **CensusExitCode** Returns last execution codes from census client run. -- **CensusStartTime** Returns timestamp corresponding to last successful census run. -- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. -- **LastConnectivityLossTime** Retrieves the last time the device lost free network. -- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. -- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. -- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds. - - -### TelClientSynthetic.HeartBeat_5 - -This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. - -The following fields are available: - -- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel. -- **AgentConnectionrrorCsCount** No content is currently available. -- **CensusExitCode** The last exit code of the Census task. -- **CensusStartTime** Time of last Census run. -- **CensusTaskEnabled** True if Census is enabled, false otherwise. -- **CompressedBytesUploaded** Number of compressed bytes uploaded. -- **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. -- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. -- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling. -- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB. -- **DbCriticalDroppedCount** Total number of dropped critical events in event DB. -- **DbDroppedCount** Number of events dropped due to DB fullness. -- **DbDroppedFailureCount** Number of events dropped due to DB failures. -- **DbDroppedFullCount** Number of events dropped due to DB fullness. -- **DecodingDroppedCount** Number of events dropped due to decoding failures. -- **DecodthiDroppedCount** No content is currently available. -- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. -- **EnterthiCriticalOverflowDroppedCounter** No content is currently available. -- **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. -- **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. -- **EventsPersistedCount** Number of events that reached the PersistEvent stage. -- **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC. -- **EventStoreResetCounter** Number of times event DB was reset. -- **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance. -- **EventSubStoreResetCounter** Number of times event DB was reset. -- **EventSubStoreResetSizeSum** Total size of event DB across all resets reports in this instance. -- **EventsUploaded** Number of events uploaded. -- **Flags** Flags indicating device state such as network state, battery state, and opt-in state. -- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. -- **HeartBeatSequenceNumber** The sequence number of this heartbeat. -- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. -- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. -- **LastAgentConnectionrrorC** No content is currently available. -- **LastEventSizeOffender** Event name of last event which exceeded max event size. -- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. -- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. -- **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. -- **MaxInUseScenaryoCounter** No content is currently available. -- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). -- **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. -- **RepeatedUploadFailqreDpopped** No content is currently available. -- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. -- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. -- **SettingsHttpFailures** The number of failures from contacting the OneSettings service. -- **SettthisHttpAttempts** No content is currently available. -- **SettthisHttpFailures** No content is currently available. -- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. -- **TopUploaderErrors** List of top errors received from the upload endpoint. -- **TopUploaderrrorCs** No content is currently available. -- **UphoaderErporCount** No content is currently available. -- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. -- **UploaderErrorCount** Number of errors received from the upload endpoint. -- **VortexFailuresTimeout** The number of timeout failures received from Vortex. -- **VortexHttpAttempts** Number of attempts to contact Vortex. -- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. -- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. -- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. -- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. -- **틠"怀⋖��"ꀀ⋙��"怀⋛"倀⋢** No content is currently available. - - -### TelClientSynthetic.HeartBeat_Aria_5 - -This event is the telemetry client ARIA heartbeat. - -The following fields are available: - -- **CompressedBytesUploaded** Number of compressed bytes uploaded. -- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. -- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. -- **DbCriticalDroppedCount** Total number of dropped critical events in event database. -- **DbDroppedCount** Number of events dropped at the database layer. -- **DbDroppedFailureCount** Number of events dropped due to database failures. -- **DbDroppedFullCount** Number of events dropped due to database being full. -- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. -- **Eve~tStoreResetCounter** No content is currently available. -- **EventsPersistedCount** Number of events that reached the PersistEvent stage. -- **EventStoreLifetimeResetCounter** Number of times the event store has been reset. -- **EventStoreResetCounter** Number of times the event store has been reset during this heartbeat. -- **EventStoreResetSizeSum** Size of event store reset in bytes. -- **EventsUploaded** Number of events uploaded. -- **HeartBeatSequenceNumber** The sequence number of this heartbeat. -- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. -- **LastEventSizeOffender** Event name of last event which exceeded max event size. -- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. -- **PreviousHeartBeatTime** The FILETIME of the previous heartbeat fire. -- **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. -- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. -- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. -- **SettingsHttpFailures** Number of failures from contacting OneSettings service. -- **TopUploaderErrors** List of top errors received from the upload endpoint. -- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. -- **UploaderErrorCount** Number of errors received from the upload endpoint. -- **VortexFailuresTimeout** Number of time out failures received from Vortex. -- **VortexHttpAttempts** Number of attempts to contact Vortex. -- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. -- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. -- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. -- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. - - -### TelClientSynthetic.HeartBeat_Seville_5 - -This event is sent by the universal telemetry client (UTC) as a heartbeat signal for Sense. - -The following fields are available: - -- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host or agent channel. -- **CompressedBytesUploaded** Number of compressed bytes uploaded. -- **ConsumerDroppedCount** Number of events dropped at consumer layer of the telemetry client. -- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. -- **CriticalDataThrottleDroppedCount** Number of critical data sampled events dropped due to throttling. -- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. -- **DailyUploadQuotaInBytes** Daily upload quota for Sense in bytes (only in in-proc mode). -- **DbCriticalDroppedCount** Total number of dropped critical events in event database. -- **DbDroppedCount** Number of events dropped due to database being full. -- **DbDroppedFailureCount** Number of events dropped due to database failures. -- **DbDroppedFullCount** Number of events dropped due to database being full. -- **DecodingDroppedCount** Number of events dropped due to decoding failures. -- **DiskSizeInBytes** Size of event store for Sense in bytes (only in in-proc mode). -- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. -- **EtwDroppedBufferCount** Number of buffers dropped in the universal telemetry client (UTC) event tracing for Windows (ETW) session. -- **EtwDroppedCount** Number of events dropped at the event tracing for Windows (ETW) layer of telemetry client. -- **EventsPersistedCount** Number of events that reached the PersistEvent stage. -- **EventStoreLifetimeResetCounter** Number of times event the database was reset for the lifetime of the universal telemetry client (UTC). -- **EventStoreResetCounter** Number of times the event database was reset. -- **EventStoreResetSizeSum** Total size of the event database across all resets reports in this instance. -- **EventsUploaded** Number of events uploaded. -- **Flags** Flags indicating device state, such as network state, battery state, and opt-in state. -- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. -- **HeartBeatSequenceNumber** The sequence number of this heartbeat. -- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. -- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. -- **LastEventSizeOffender** Event name of last event which exceeded the maximum event size. -- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. -- **MaxActiveAgentConnectionCount** Maximum number of active agents during this heartbeat timeframe. -- **NormalUploadTimerMillis** Number of milliseconds between each upload of normal events for SENSE (only in in-proc mode). -- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). -- **RepeatedUploadFailureDropped** Number of events lost due to repeated failed uploaded attempts. -- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. -- **SettingsHttpFailures** Number of failures from contacting the OneSettings service. -- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. -- **TopUploaderErrors** Top uploader errors, grouped by endpoint and error type. -- **UploaderDroppedCount** Number of events dropped at the uploader layer of the telemetry client. -- **UploaderErrorCount** Number of input for the TopUploaderErrors mode estimation. -- **VortexFailuresTimeout** Number of time out failures received from Vortex. -- **VortexHttpAttempts** Number of attempts to contact Vortex. -- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. -- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. -- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. -- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. - - -## Direct to update events - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicability - -Event to indicate that the Coordinator CheckApplicability call succeeded. - -The following fields are available: - -- **ApplicabilityResult** Result of CheckApplicability function. -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **IsDeviceAADDomainJoined** Indicates whether the device is logged in to the AAD (Azure Active Directory) domain. -- **IsDeviceADDomainJoined** Indicates whether the device is logged in to the AD (Active Directory) domain. -- **IsDeviceCloverTrail** Indicates whether the device has a Clover Trail system installed. -- **IsDeviceFeatureUpdatingPaused** Indicates whether Feature Update is paused on the device. -- **IsDeviceNetworkMetered** Indicates whether the device is connected to a metered network. -- **IsDeviceOobeBlocked** Indicates whether user approval is required to install updates on the device. -- **IsDeviceRequireUpdateApproval** Indicates whether user approval is required to install updates on the device. -- **IsDeviceSccmManaged** Indicates whether the device is running the Microsoft SCCM (System Center Configuration Manager) to keep the operating system and applications up to date. -- **IsDeviceUninstallActive** Indicates whether the OS (operating system) on the device was recently updated. -- **IsDeviceUpdateNotificationLevel** Indicates whether the device has a set policy to control update notifications. -- **IsDeviceUpdateServiceManaged** Indicates whether the device uses WSUS (Windows Server Update Services). -- **IsDeviceZeroExhaust** Indicates whether the device subscribes to the Zero Exhaust policy to minimize connections from Windows to Microsoft. -- **IsGreaterThanMaxRetry** Indicates whether the DTU (Direct to Update) service has exceeded its maximum retry count. -- **IsVolumeLicensed** Indicates whether a volume license was used to authenticate the operating system or applications on the device. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicabilityGenericFailure - -This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call. - -The following fields are available: - -- **CampaignID** ID of the campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Cleanup call. - -The following fields are available: - -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector -- **hResult** HRESULT of the failure - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupSuccess - -This event indicates that the Coordinator Cleanup call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Commit call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitSuccess - -This event indicates that the Coordinator Commit call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Download call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadIgnoredFailure - -This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Download call that will be ignored. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadSuccess - -This event indicates that the Coordinator Download call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator HandleShutdown call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinate version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownSuccess - -This event indicates that the Coordinator HandleShutdown call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Initialize call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeSuccess - -This event indicates that the Coordinator Initialize call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Install call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallIgnoredFailure - -This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Install call that will be ignored. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallSuccess - -This event indicates that the Coordinator Install call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorProgressCallBack - -This event indicates that the Coordinator's progress callback has been called. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **DeployPhase** Current Deploy Phase. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorSetCommitReadySuccess - -This event indicates that the Coordinator SetCommitReady call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiNotShown - -This event indicates that the Coordinator WaitForRebootUi call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSelection - -This event indicates that the user selected an option on the Reboot UI. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **rebootUiSelection** Selection on the Reboot UI. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSuccess - -This event indicates that the Coordinator WaitForRebootUi call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicabilityInternal call. - -The following fields are available: - -- **CampaignID** ID of the campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalSuccess - -This event indicates that the Handler CheckApplicabilityInternal call succeeded. - -The following fields are available: - -- **ApplicabilityResult** The result of the applicability check. -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilitySuccess - -This event indicates that the Handler CheckApplicability call succeeded. - -The following fields are available: - -- **ApplicabilityResult** The result code indicating whether the update is applicable. -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **CV_new** New correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionSuccess - -This event indicates that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **CheckIfCoordinatorMinApplicableVersionResult** Result of CheckIfCoordinatorMinApplicableVersion function. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Commit call. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **CV_new** New correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitSuccess - -This event indicates that the Handler Commit call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run.run -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **CV_new** New correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabFailure - -This event indicates that the Handler Download and Extract cab call failed. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **DownloadAndExtractCabFunction_failureReason** Reason why the update download and extract process failed. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabSuccess - -This event indicates that the Handler Download and Extract cab call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Download call. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadSuccess - -This event indicates that the Handler Download call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Initialize call. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extract. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeSuccess - -This event indicates that the Handler Initialize call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extraction. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Install call. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallSuccess - -This event indicates that the Coordinator Install call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadySuccess - -This event indicates that the Handler SetCommitReady call succeeded. - -The following fields are available: - -- **CampaignID** ID of the campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler WaitForRebootUi call. - -The following fields are available: - -- **CampaignID** The ID of the campaigning being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** The HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiSuccess - -This event indicates that the Handler WaitForRebootUi call succeeded. - -The following fields are available: - -- **CampaignID** ID of the campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -## DxgKernelTelemetry events - -### DxgKrnlTelemetry.GPUAdapterInventoryV2 - -This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date. - -The following fields are available: - -- **AdapterTypeValue** The numeric value indicating the type of Graphics adapter. -- **aiSeqId** The event sequence ID. -- **AsMiracastSupported** No content is currently available. -- **bootId** The system boot ID. -- **BrightnessVersionViaDDI** The version of the Display Brightness Interface. -- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. -- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). -- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). -- **DisplaqAdapterLuid** No content is currently available. -- **DisplayAdapterLuid** The display adapter LUID. -- **DriverDate** The date of the display driver. -- **DriverRank** The rank of the display driver. -- **DriverVersion** The display driver version. -- **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store. -- **DX11UMDFile@ath** No content is currently available. -- **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store. -- **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store. -- **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store. -- **GPUDeviceID** The GPU device ID. -- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. -- **GPURevisionID** The GPU revision ID. -- **GPUVendorID** The GPU vendor ID. -- **InterfaceId** The GPU interface ID. -- **IsDisplayDevice** Does the GPU have displaying capabilities? -- **IsHwSchSupported** Indicates whether the adapter supports hardware scheduling. -- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? -- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? -- **IsLDA** Is the GPU comprised of Linked Display Adapters? -- **IsMiracastSupported** Does the GPU support Miracast? -- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor? -- **IsMPOSupported** Does the GPU support Multi-Plane Overlays? -- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution? -- **IsPostAdapter** Is this GPU the POST GPU in the device? -- **IsRemovable** TRUE if the adapter supports being disabled or removed. -- **IsRenderDevice** Does the GPU have rendering capabilities? -- **IsSoftwareDevice** Is this a software implementation of the GPU? -- **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store. -- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? -- **MsHybridDiscrete** Indicates whether the adapter is a discrete adapter in a hybrid configuration. -- **NumVidPnSources** The number of supported display output sources. -- **NumVidPnTargets** The number of supported display output targets. -- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes). -- **SubSystemID** The subsystem ID. -- **SubVendorID** The GPU sub vendor ID. -- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? -- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) -- **version** The event version. -- **WDDMVersion** The Windows Display Driver Model version. - - -## Failover Clustering events - -### Microsoft.Windows.Server.FailoverClusteringCritical.ClusterSummary2 - -This event returns information about how many resources and of what type are in the server cluster. This data is collected to keep Windows Server safe, secure, and up to date. The data includes information about whether hardware is configured correctly, if the software is patched correctly, and assists in preventing crashes by attributing issues (like fatal errors) to workloads and system configurations. - -The following fields are available: - -- **autoAssignSite** The cluster parameter: auto site. -- **autoBalancerLevel** The cluster parameter: auto balancer level. -- **autoBalancerMode** The cluster parameter: auto balancer mode. -- **blockCacheSize** The configured size of the block cache. -- **ClusterAdConfiguration** The ad configuration of the cluster. -- **clusterAdType** The cluster parameter: mgmt_point_type. -- **clusterDumpPolicy** The cluster configured dump policy. -- **clusterFunctionalLevel** The current cluster functional level. -- **clusterGuid** The unique identifier for the cluster. -- **clusterWitnessType** The witness type the cluster is configured for. -- **countNodesInSite** The number of nodes in the cluster. -- **crossSiteDelay** The cluster parameter: CrossSiteDelay. -- **crossSiteThreshold** The cluster parameter: CrossSiteThreshold. -- **crossSubnetDelay** The cluster parameter: CrossSubnetDelay. -- **crossSubnetThreshold** The cluster parameter: CrossSubnetThreshold. -- **csvCompatibleFilters** The cluster parameter: ClusterCsvCompatibleFilters. -- **csvIncompatibleFilters** The cluster parameter: ClusterCsvIncompatibleFilters. -- **csvResourceCount** The number of resources in the cluster. -- **currentNodeSite** The name configured for the current site for the cluster. -- **dasModeBusType** The direct storage bus type of the storage spaces. -- **downLevelNodeCount** The number of nodes in the cluster that are running down-level. -- **drainOnShutdown** Specifies whether a node should be drained when it is shut down. -- **dynamicQuorumEnabled** Specifies whether dynamic Quorum has been enabled. -- **enforcedAntiAffinity** The cluster parameter: enforced anti affinity. -- **genAppNames** The win32 service name of a clustered service. -- **genSvcNames** The command line of a clustered genapp. -- **hangRecoveryAction** The cluster parameter: hang recovery action. -- **hangTimeOut** Specifies the “hang time out” parameter for the cluster. -- **isCalabria** Specifies whether storage spaces direct is enabled. -- **isMixedMode** Identifies if the cluster is running with different version of OS for nodes. -- **isRunningDownLevel** Identifies if the current node is running down-level. -- **logLevel** Specifies the granularity that is logged in the cluster log. -- **logSize** Specifies the size of the cluster log. -- **lowerQuorumPriorityNodeId** The cluster parameter: lower quorum priority node ID. -- **minNeverPreempt** The cluster parameter: minimum never preempt. -- **minPreemptor** The cluster parameter: minimum preemptor priority. -- **netftIpsecEnabled** The parameter: netftIpsecEnabled. -- **NodeCount** The number of nodes in the cluster. -- **nodeId** The current node number in the cluster. -- **nodeResourceCounts** Specifies the number of node resources. -- **nodeResourceOnlineCounts** Specifies the number of node resources that are online. -- **numberOfSites** The number of different sites. -- **numNodesInNoSite** The number of nodes not belonging to a site. -- **plumbAllCrossSubnetRoutes** The cluster parameter: plumb all cross subnet routes. -- **preferredSite** The preferred site location. -- **privateCloudWitness** Specifies whether a private cloud witness exists for this cluster. -- **quarantineDuration** The quarantine duration. -- **quarantineThreshold** The quarantine threshold. -- **quorumArbitrationTimeout** In the event of an arbitration event, this specifies the quorum timeout period. -- **resiliencyLevel** Specifies the level of resiliency. -- **resourceCounts** Specifies the number of resources. -- **resourceTypeCounts** Specifies the number of resource types in the cluster. -- **resourceTypes** Data representative of each resource type. -- **resourceTypesPath** Data representative of the DLL path for each resource type. -- **sameSubnetDelay** The cluster parameter: same subnet delay. -- **sameSubnetThreshold** The cluster parameter: same subnet threshold. -- **secondsInMixedMode** The amount of time (in seconds) that the cluster has been in mixed mode (nodes with different operating system versions in the same cluster). -- **securityLevel** The cluster parameter: security level. -- **securityLevelForStorage** The cluster parameter: security level for storage. -- **sharedVolumeBlockCacheSize** Specifies the block cache size for shared for shared volumes. -- **shutdownTimeoutMinutes** Specifies the amount of time it takes to time out when shutting down. -- **upNodeCount** Specifies the number of nodes that are up (online). -- **useClientAccessNetworksForCsv** The cluster parameter: use client access networks for CSV. -- **vmIsolationTime** The cluster parameter: VM isolation time. -- **witnessDatabaseWriteTimeout** Specifies the timeout period for writing to the quorum witness database. - - -## Fault Reporting events - -### Microsoft.Windows.FaultReporting.AppCrashEvent - -This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event. - -The following fields are available: - -- **@ackageRelativeAppId** No content is currently available. -- **AppName** The name of the app that has crashed. -- **AppSeqsionGuid** No content is currently available. -- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. -- **AppTimeStamp** The date/time stamp of the app. -- **AppVersion** The version of the app that has crashed. -- **AptName** No content is currently available. -- **AptSessionGuid** No content is currently available. -- **DargetAppId** No content is currently available. -- **ExceptionCode** The exception code returned by the process that has crashed. -- **ExceptionOffset** The address where the exception had occurred. -- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. -- **FoiendlyAppName** No content is currently available. -- **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. -- **IsFatal** True/False to indicate whether the crash resulted in process termination. -- **ModName** Exception module name (e.g. bar.dll). -- **ModNamevaultsv** No content is currently available. -- **ModTimeStamp** The date/time stamp of the module. -- **ModVersion** The version of the module that has crashed. -- **PaccageFullName** No content is currently available. -- **PackageFullName** Store application identity. -- **PackageRelaatieAppId** No content is currently available. -- **PackageRelativaAppId** No content is currently available. -- **PackageRelativeAppId** Store application identity. -- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. -- **ProcessCreateTime** The time of creation of the process that has crashed. -- **ProcessId** The ID of the process that has crashed. -- **PRocessId** No content is currently available. -- **RepkrtId** No content is currently available. -- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. -- **TargepAppVer** No content is currently available. -- **TargetAppI`** No content is currently available. -- **TargetAppId** The kernel reported AppId of the application being reported. -- **TargetAppVer** The specific version of the application being reported -- **TargetAsId** The sequence number for the hanging process. -- **TargetAwId** No content is currently available. -- **TrocessArchitecture** No content is currently available. -- **TrocessCreateTime** No content is currently available. - - -## Feature update events - -### Microsoft.Windows.Upgrade.Uninstall.UninstallFinalizedAndRebootTriggered - -This event indicates that the uninstall was properly configured and that a system reboot was initiated. - - - -### Microsoft.Windows.Upgrade.Uninstall.UninstallGoBackButtonClicked - -This event sends basic metadata about the starting point of uninstalling a feature update, which helps ensure customers can safely revert to a well-known state if the update caused any problems. - - - -## Hang Reporting events - -### Microsoft.Windows.HangReporting.AppHangEvent - -This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. - -The following fields are available: - -- **AppName** The name of the app that has hung. -- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend. -- **AppVersion** The version of the app that has hung. -- **IsFatal** True/False based on whether the hung application caused the creation of a Fatal Hang Report. -- **PackageFullName** Store application identity. -- **PackageRelativeAppId** Store application identity. -- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. -- **ProcessCreateTime** The time of creation of the process that has hung. -- **ProcessId** The ID of the process that has hung. -- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. -- **TargetAppId** The kernel reported AppId of the application being reported. -- **TargetAppVer** The specific version of the application being reported. -- **TargetAsId** The sequence number for the hanging process. -- **TypeCode** Bitmap describing the hang type. -- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application. -- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting. -- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting. -- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package. - - -## Inventory events - -### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum - -This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. - -The following fields are available: - -- **Device** A count of device objects in cache. -- **DeviceCensus** A count of device census objects in cache. -- **DriverPackageExtended** A count of driverpackageextended objects in cache. -- **File** A count of file objects in cache. -- **FileSigningInfo** A count of file signing objects in cache. -- **Generic** A count of generic objects in cache. -- **HwItem** A count of hwitem objects in cache. -- **InventoryApplication** A count of application objects in cache. -- **InventoryApplicationAppV** A count of application AppV objects in cache. -- **InventoryApplicationDriver** A count of application driver objects in cache -- **InventoryApplicationFile** A count of application file objects in cache. -- **InventoryApplicationFramework** A count of application framework objects in cache -- **InventoryApplicationShortcut** A count of application shortcut objects in cache -- **InventoryDeviceContainer** A count of device container objects in cache. -- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache. -- **InventoryDeviceMediaClass** A count of device media objects in cache. -- **InventoryDevicePnp** A count of device Plug and Play objects in cache. -- **InventoryDeviceUsbHubClass** A count of device usb objects in cache -- **InventoryDriverBinary** A count of driver binary objects in cache. -- **InventoryDriverPackage** A count of device objects in cache. -- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache -- **InventoryMiscellaneousOfficeAddInUsage** A count of office add-in usage objects in cache. -- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache -- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache -- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache -- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache -- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache -- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache -- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache -- **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache -- **InventoryMiscnfo** No content is currently available. -- **Metadata** A count of metadata objects in cache. -- **Orphan** A count of orphan file objects in cache. -- **Programs** A count of program objects in cache. - - -### Microsoft.Windows.Inventory.Core.AmiTelCacheFileInfo - -Diagnostic data about the inventory cache. - -The following fields are available: - -- **CacheFileSize** Size of the cache. -- **InventoryVersion** Inventory version of the cache. -- **TempCacheCount** Number of temp caches created. -- **TempCacheDeletedCount** Number of temp caches deleted. - - -### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions - -This event sends inventory component versions for the Device Inventory data. - -The following fields are available: - -- **aeinv** The version of the App inventory component. -- **devinv** The file version of the Device inventory component. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd - -This event sends basic metadata about an application on the system to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **HiddenArp** Indicates whether a program hides itself from showing up in ARP. -- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). -- **InstallDateArpLastModifi** No content is currently available. -- **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 -- **InstallDateArpLasuModified** No content is currently available. -- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. -- **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array. -- **InventoryVersion** The version of the inventory file generating the events. -- **Language** The language code of the program. -- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. -- **MsiProductCode** A GUID that describe the MSI Product. -- **Name** The name of the application. -- **Order** No content is currently available. -- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. -- **PackageFullName** The package full name for a Store application. -- **PackagmFullName** No content is currently available. -- **ProgramInstanceId** A hash of the file IDs in an app. -- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field. -- **RootDirPath** The path to the root directory where the program was installed. -- **Source** How the program was installed (for example, ARP, MSI, Appx). -- **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp. -- **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen. -- **Value** No content is currently available. -- **Version** The version number of the program. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd - -This event represents what drivers an application installs. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory component. -- **ProgramIds** The unique program identifier the driver is associated with. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync - -The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory component. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd - -This event provides the basic metadata about the frameworks an application may depend on. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **FileId** A hash that uniquely identifies a file. -- **Frameworks** The list of frameworks this file depends on. -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync - -This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove - -This event indicates that a new set of InventoryDevicePnpAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync - -This event indicates that a new set of InventoryApplicationAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd - -This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device) to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Categories** A comma separated list of functional categories in which the container belongs. -- **DiscoveryMethod** The discovery method for the device container. -- **FriendlyName** The name of the device container. -- **InventoryVersion** The version of the inventory file generating the events. -- **IsActive** Is the device connected, or has it been seen in the last 14 days? -- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link. -- **IsMachineContainer** Is the container the root device itself? -- **IsNetworked** Is this a networked device? -- **IsPaired** Does the device container require pairing? -- **Manufacturer** The manufacturer name for the device container. -- **ModelId** A unique model ID. -- **ModelName** The model name. -- **ModelNumber** The model number for the device container. -- **PrimaryCategory** The primary category for the device container. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove - -This event indicates that the InventoryDeviceContainer object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync - -This event indicates that a new set of InventoryDeviceContainerAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd - -This event retrieves information about what sensor interfaces are available on the device. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Accelerometer3D** Indicates if an Accelerator3D sensor is found. -- **ActivityDetection** Indicates if an Activity Detection sensor is found. -- **AmbientLight** Indicates if an Ambient Light sensor is found. -- **Barometer** Indicates if a Barometer sensor is found. -- **Custom** Indicates if a Custom sensor is found. -- **EnergyMeter** Indicates if an Energy sensor is found. -- **FloorElevation** Indicates if a Floor Elevation sensor is found. -- **GeomagneticOrientation** Indicates if a Geo Magnetic Orientation sensor is found. -- **GravityVector** Indicates if a Gravity Detector sensor is found. -- **Gyrometer3D** Indicates if a Gyrometer3D sensor is found. -- **Humidity** Indicates if a Humidity sensor is found. -- **InventoryVersion** The version of the inventory file generating the events. -- **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found. -- **Magnetometer3D** Indicates if a Magnetometer3D sensor is found. -- **Orientation** Indicates if an Orientation sensor is found. -- **Pedometer** Indicates if a Pedometer sensor is found. -- **Proximity** Indicates if a Proximity sensor is found. -- **RelativeOrientation** Indicates if a Relative Orientation sensor is found. -- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found. -- **Temperature** Indicates if a Temperature sensor is found. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync - -This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd - -This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **audio.captureDriver** Audio device capture driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14887.1000:hdaudio\func_01 -- **audio.renderDriver** Audio device render driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14889.1001:hdaudio\func_01 -- **Audio_CaptureDriver** The Audio device capture driver endpoint. -- **Audio_RenderDriver** The Audio device render driver endpoint. -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove - -This event indicates that the InventoryDeviceMediaClassRemove object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync - -This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. - -This event includes fields from [Ms.Device.De~iceInventoryChange](#msdevicede~iceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd - -This event represents the basic metadata about a plug and play (PNP) device and its associated driver. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **basedata** No content is currently available. See [basedata](#basedata). -- **BusReportedDescription** The description of the device reported by the bux. -- **Class** The device setup class of the driver loaded for the device. -- **ClassGuid** The device class unique identifier of the driver package loaded on the device. -- **COMPID** The list of “Compatible IDs” for this device. -- **COMPID.Count** No content is currently available. -- **ContainerId** The system-supplied unique identifier that specifies which group(s) the device(s) installed on the parent (main) device belong to. -- **Description** The description of the device. -- **DeviceInterfaceClasses** The device interfaces that this device implements. -- **DeviceState** Identifies the current state of the parent (main) device. -- **DriverId** The unique identifier for the installed driver. -- **DriverName** The name of the driver image file. -- **DriverP!ckageStrongName** No content is currently available. -- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage. -- **DriverVerDate** The date associated with the driver installed on the device. -- **DriverVerVersion** The version number of the driver installed on the device. -- **Enumerator** Identifies the bus that enumerated the device. -- **ExtendedInfs** The extended INF file names. -- **HWID** A list of hardware IDs for the device. -- **HWID.Count** No content is currently available. -- **IlstallStcte** No content is currently available. -- **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). -- **InstallCtate** No content is currently available. -- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx -- **InventoryVersion** The version number of the inventory process generating the events. -- **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. -- **LowerFilters** The identifiers of the Lower filters installed for the device. -- **Manufacturer** The manufacturer of the device. -- **Manufccturer** No content is currently available. -- **MatchingID** The Hardware ID or Compatible ID that Windows uses to install a device instance. -- **Model** Identifies the model of the device. -- **ParentId** The Device Instance ID of the parent of the device. -- **Part@_Ms.Devkce.DeviaeInventmryChangg** No content is currently available. See [Part@_Ms.Devkce.DeviaeInventmryChangg](#part@_msdevkcedeviaeinventmrychangg). -- **ProblemCode** The error code currently returned by the device, if applicable. -- **Provider** Identifies the device provider. -- **Service** The name of the device service. -- **STACKAD** No content is currently available. -- **STACKID** The list of hardware IDs for the stack. -- **STACKID.Count** No content is currently available. -- **UpperAlassFilvers** No content is currently available. -- **UpperClassFilters** The identifiers of the Upper Class filters installed for the device. -- **UpperFilteps** No content is currently available. -- **UpperFilters** The identifiers of the Upper filters installed for the device. - - -### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove - -This event indicates that the InventoryDevicePnpRemove object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync - -This event indicates that a new set of InventoryDevicePnpAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd - -This event sends basic metadata about the USB hubs on the device. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. -- **TotalUserConnectablePorts** Total number of connectable USB ports. -- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync - -This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent. - -This event includes fields from [Ms.De~ice.DeviceInventoryChange](#msde~icedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd - -This event provides the basic metadata about driver binaries running on the system. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **DriverCheckSum** The checksum of the driver file. -- **DriverCompany** The company name that developed the driver. -- **DriverInBox** Is the driver included with the operating system? -- **DriverIsKernelMode** Is it a kernel mode driver? -- **DriverName** The file name of the driver. -- **DriverPackageStrongName** The strong name of the driver package -- **DriverSigned** The strong name of the driver package -- **DriverTimeStamp** The low 32 bits of the time stamp of the driver file. -- **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. -- **DriverVersion** The version of the driver file. -- **DviverCompany** No content is currently available. -- **Imagesize** No content is currently available. -- **ImageSize** The size of the driver file. -- **Inf** The name of the INF file. -- **InventoryVersion** The version of the inventory file generating the events. -- **Product** The product name that is included in the driver file. -- **ProductVersio~** No content is currently available. -- **ProductVersion** The product version that is included in the driver file. -- **Service** The name of the service that is installed for the device. -- **WdfVersion** The Windows Driver Framework version. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove - -This event indicates that the InventoryDriverBinary object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync - -This event indicates that a new set of InventoryDriverBinaryAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd - -This event sends basic metadata about drive packages installed on the system to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Class** The class name for the device driver. -- **ClassGuid** The class GUID for the device driver. -- **Date** The driver package date. -- **Directory** The path to the driver package. -- **DriverInBox** Is the driver included with the operating system? -- **Inf** The INF name of the driver package. -- **InventoryVersion** The version of the inventory file generating the events. -- **Provider** The provider for the driver package. -- **SubmissionId** The HLK submission ID for the driver package. -- **Version** The version of the driver package. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove - -This event indicates that the InventoryDriverPackageRemove object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync - -This event indicates that a new set of InventoryDriverPackageAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.StartUtcJsonTrace - -This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the beginning of the event download, and that tracing should begin. - - - -### Microsoft.Windows.Inventory.Core.StopUtcJsonTrace - -This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the end of the event download, and that tracing should end. - - - -### Microsoft.Windows.Inventory.General.AppHealthStaticAdd - -This event sends details collected for a specific application on the source device. - -The following fields are available: - -- **AhaVersion** The binary version of the App Health Analyzer tool. -- **ApplicationErrors** The count of application errors from the event log. -- **Bitness** The architecture type of the application (16 Bit or 32 bit or 64 bit). -- **device_level** Various JRE/JAVA versions installed on a particular device. -- **ExtendedProperties** Attribute used for aggregating all other attributes under this event type. -- **Jar** Flag to determine if an app has a Java JAR file dependency. -- **Jre** Flag to determine if an app has JRE framework dependency. -- **Jre_version** JRE versions an app has declared framework dependency for. -- **Name** Name of the application. -- **NonDPIAware** Flag to determine if an app is non-DPI aware. -- **NumBinaries** Count of all binaries (.sys,.dll,.ini) from application install location. -- **RequiresAdmin** Flag to determine if an app requests admin privileges for execution. -- **RequiresAdminv2** Additional flag to determine if an app requests admin privileges for execution. -- **RequiresUIAccess** Flag to determine if an app is based on UI features for accessibility. -- **VB6** Flag to determine if an app is based on VB6 framework. -- **VB6v2** Additional flag to determine if an app is based on VB6 framework. -- **Version** Version of the application. -- **VersionCheck** Flag to determine if an app has a static dependency on OS version. -- **VersionCheckv2** Additional flag to determine if an app has a static dependency on OS version. - - -### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync - -This event indicates the beginning of a series of AppHealthStaticAdd events. - -The following fields are available: - -- **AllowTelemetry** Indicates the presence of the 'allowtelemetry' command line argument. -- **CommandLineArgs** Command line arguments passed when launching the App Health Analyzer executable. -- **Enhanced** Indicates the presence of the 'enhanced' command line argument. -- **StartTime** UTC date and time at which this event was sent. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd - -Provides data on the installed Office Add-ins. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AddinCLSID** The class identifier key for the Microsoft Office add-in. -- **AddInCLSID** The class identifier key for the Microsoft Office add-in. -- **AddInId** The identifier for the Microsoft Office add-in. -- **AddinType** The type of the Microsoft Office add-in. -- **BinFileTimestamp** The timestamp of the Office add-in. -- **BinFileVersion** The version of the Microsoft Office add-in. -- **Description** Description of the Microsoft Office add-in. -- **FileId** The file identifier of the Microsoft Office add-in. -- **FileSize** The file size of the Microsoft Office add-in. -- **FriendlyName** The friendly name for the Microsoft Office add-in. -- **FullPath** The full path to the Microsoft Office add-in. -- **InventoryVersion** The version of the inventory binary generating the events. -- **LoadBehavior** Integer that describes the load behavior. -- **LoadTime** Load time for the Office add-in. -- **OfficeApplication** The Microsoft Office application associated with the add-in. -- **OfficeArchitecture** The architecture of the add-in. -- **OfficeVersion** The Microsoft Office version for this add-in. -- **OutlookCrashingAddin** Indicates whether crashes have been found for this add-in. -- **ProductCompany** The name of the company associated with the Office add-in. -- **ProductName** The product name associated with the Microsoft Office add-in. -- **ProductVersion** The version associated with the Office add-in. -- **ProgramId** The unique program identifier of the Microsoft Office add-in. -- **Provider** Name of the provider for this add-in. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync - -This event indicates that a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd - -Provides data on the Office identifiers. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OAudienceData** Sub-identifier for Microsoft Office release management, identifying the pilot group for a device -- **OAudienceId** Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device -- **OMID** Identifier for the Office SQM Machine -- **OPlatform** Whether the installed Microsoft Office product is 32-bit or 64-bit -- **OTenantId** Unique GUID representing the Microsoft O365 Tenant -- **OVersion** Installed version of Microsoft Office. For example, 16.0.8602.1000 -- **OWowMID** Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft Office on 64-bit Windows) - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd - -Provides data on Office-related Internet Explorer features. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OIeFeatureAddon** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the user or by administrative group policy will also be disabled in applications that enable this feature. -- **OIeMachineLockdown** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on content loaded from the user's local machine, which helps prevent malicious behavior involving local files. -- **OIeMimeHandling** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely. Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) -- **OIeMimeSniffing** Flag indicating which Microsoft Office products have this setting enabled. Determines a file's type by examining its bit signature. Windows Internet Explorer uses this information to determine how to render the file. The FEATURE_MIME_SNIFFING feature, when enabled, allows to be set differently for each security zone by using the URLACTION_FEATURE_MIME_SNIFFING URL action flag -- **OIeNoAxInstall** Flag indicating which Microsoft Office products have this setting enabled. When a webpage attempts to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request. When a webpage tries to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request -- **OIeNoDownload** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_RESTRICT_FILEDOWNLOAD feature blocks file download requests that navigate to a resource, that display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click or key press). Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) -- **OIeObjectCaching** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_OBJECT_CACHING feature prevents webpages from accessing or instantiating ActiveX controls cached from different domains or security contexts -- **OIePasswordDisable** Flag indicating which Microsoft Office products have this setting enabled. After Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2), Internet Explorer no longer allows usernames and passwords to be specified in URLs that use the HTTP or HTTPS protocols. URLs using other protocols, such as FTP, still allow usernames and passwords -- **OIeSafeBind** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SAFE_BINDTOOBJECT feature performs additional safety checks when calling MonikerBindToObject to create and initialize Microsoft ActiveX controls. Specifically, prevent the control from being created if COMPAT_EVIL_DONT_LOAD is in the registry for the control -- **OIeSecurityBand** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled, the Information bar appears when file download or code installation is restricted -- **OIeUncSaveCheck** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_UNC_SAVEDFILECHECK feature enables the Mark of the Web (MOTW) for local files loaded from network locations that have been shared by using the Universal Naming Convention (UNC) -- **OIeValidateUrl** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_VALIDATE_NAVIGATE_URL feature control prevents Windows Internet Explorer from navigating to a badly formed URL -- **OIeWebOcPopup** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_WEBOC_POPUPMANAGEMENT feature allows applications hosting the WebBrowser Control to receive the default Internet Explorer pop-up window management behavior -- **OIeWinRestrict** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_WINDOW_RESTRICTIONS feature adds several restrictions to the size and behavior of popup windows -- **OIeZoneElevate** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_ZONE_ELEVATION feature prevents pages in one zone from navigating to pages in a higher security zone unless the navigation is generated by the user - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd - -This event provides insight data on the installed Office products - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OfficeApplication** The name of the Office application. -- **OfficeArchitecture** The bitness of the Office application. -- **OfficeVersion** The version of the Office application. -- **Value** The insights collected about this entity. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync - -This diagnostic event indicates that a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd - -Describes Office Products installed. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OC2rApps** A GUID the describes the Office Click-To-Run apps -- **OC2rSkus** Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example, Office 2016 ProPlus -- **OMsiApps** Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word -- **OProductCodes** A GUID that describes the Office MSI products - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd - -This event describes various Office settings - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **BrowserFlags** Browser flags for Office-related products -- **ExchangeProviderFlags** Provider policies for Office Exchange -- **InventoryVersion** The version of the inventory binary generating the events. -- **SharedComputerLicensing** Office shared computer licensing policies - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync - -Indicates a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd - -This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Design** Count of files with design issues found. -- **Design_x64** Count of files with 64 bit design issues found. -- **DuplicateVBA** Count of files with duplicate VBA code. -- **HasVBA** Count of files with VBA code. -- **Inaccessible** Count of files that were inaccessible for scanning. -- **InventoryVersion** The version of the inventory binary generating the events. -- **Issues** Count of files with issues detected. -- **Issues_x64** Count of files with 64-bit issues detected. -- **IssuesNone** Count of files with no issues detected. -- **IssuesNone_x64** Count of files with no 64-bit issues detected. -- **Locked** Count of files that were locked, preventing scanning. -- **NoVBA** Count of files with no VBA inside. -- **Protected** Count of files that were password protected, preventing scanning. -- **RemLimited** Count of files that require limited remediation changes. -- **RemLimited_x64** Count of files that require limited remediation changes for 64-bit issues. -- **RemSignificant** Count of files that require significant remediation changes. -- **RemSignificant_x64** Count of files that require significant remediation changes for 64-bit issues. -- **Score** Overall compatibility score calculated for scanned content. -- **Score_x64** Overall 64-bit compatibility score calculated for scanned content. -- **Total** Total number of files scanned. -- **Validation** Count of files that require additional manual validation. -- **Validation_x64** Count of files that require additional manual validation for 64-bit issues. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd - -This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Count** Count of total Microsoft Office VBA rule violations -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync - -This event indicates that a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd - -Provides data on Unified Update Platform (UUP) products and what version they are at. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Identifier** UUP identifier -- **LastActivatedVersion** Last activated version -- **PreviousVersion** Previous version -- **Source** UUP source -- **Version** UUP version - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -### Microsoft.Windows.Inventory.Indicators.Checksum - -This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events. - -The following fields are available: - -- **CensusId** A unique hardware identifier. -- **ChecksumDictionary** A count of each operating system indicator. -- **PCFP** Equivalent to the InventoryId field that is found in other core events. - - -### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd - -These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **IndicatorValue** The indicator value. -- **Value** Describes an operating system indicator that may be relevant for the device upgrade. - - -### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove - -This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync - -This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -## Kernel events - -### IO - -This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon system startup. - -The following fields are available: - -- **BytesRead** The total number of bytes read from or read by the OS upon system startup. -- **BytesWritten** The total number of bytes written to or written by the OS upon system startup. - - -### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch - -OS information collected during Boot, used to evaluate the success of the upgrade process. - -The following fields are available: - -- **BootApplicationId** This field tells us what the OS Loader Application Identifier is. -- **BootAttemptCount** The number of consecutive times the boot manager has attempted to boot into this operating system. -- **BootSequence** The current Boot ID, used to correlate events related to a particular boot session. -- **BootStatusPolicy** Identifies the applicable Boot Status Policy. -- **BootType** Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume"). -- **EventTimestamp** Seconds elapsed since an arbitrary time point. This can be used to identify the time difference in successive boot attempts being made. -- **Firmw!reResetReasonEmbeddedControllerAdditional** No content is currently available. -- **FirmwareResetReasonEmbeddedController** Reason for system reset provided by firmware. -- **FirmwareResetReasonEmbeddedControllerAdditional** Additional information on system reset reason provided by firmware if needed. -- **FirmwareResetReasonPch** Reason for system reset provided by firmware. -- **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed. -- **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware. -- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See [IO](#io). -- **LastBootSucceeded** Flag indicating whether the last boot was successful. -- **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful. -- **MaxAbove4GbFreeRange** This field describes the largest memory range available above 4Gb. -- **MaxBelow4GbFreeRange** This field describes the largest memory range available below 4Gb. -- **MeasuredLaunchPrepared** This field tells us if the OS launch was initiated using Measured/Secure Boot over DRTM (Dynamic Root of Trust for Measurement). -- **MeasuredLaunchResume** This field tells us if Dynamic Root of Trust for Measurement (DRTM) was used when resuming from hibernation. -- **MenuPolicy** Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.). -- **RecoveryEnabled** Indicates whether recovery is enabled. -- **SecureLaunchPrepared** This field indicates if DRTM was prepared during boot. -- **TcbLaunch** Indicates whether the Trusted Computing Base was used during the boot flow. -- **UserInputTime** The amount of time the loader application spent waiting for user input. - - -## Miracast events - -### Microsoft.Windows.Cast.Miracast.MiracastSessionEnd - -This event sends data at the end of a Miracast session that helps determine RTSP related Miracast failures along with some statistics about the session - -The following fields are available: - -- **AudioChannelCount** The number of audio channels. -- **AudioSampleRate** The sample rate of audio in terms of samples per second. -- **AudioSubtype** The unique subtype identifier of the audio codec (encoding method) used for audio encoding. -- **AverageBitrate** The average video bitrate used during the Miracast session, in bits per second. -- **AverageDataRate** The average available bandwidth reported by the WiFi driver during the Miracast session, in bits per second. -- **AveragePacketSendTimeInMs** The average time required for the network to send a sample, in milliseconds. -- **ConnectorType** The type of connector used during the Miracast session. -- **EncodeAverageTimeMS** The average time to encode a frame of video, in milliseconds. -- **EncodeCount** The count of total frames encoded in the session. -- **EncodeMaxTimeMS** The maximum time to encode a frame, in milliseconds. -- **EncodeMinTimeMS** The minimum time to encode a frame, in milliseconds. -- **EncoderCreationTimeInMs** The time required to create the video encoder, in milliseconds. -- **ErrorSource** Identifies the component that encountered an error that caused a disconnect, if applicable. -- **FirstFrameTime** The time (tick count) when the first frame is sent. -- **FirstLatencyMode** The first latency mode. -- **FrameAverageTimeMS** Average time to process an entire frame, in milliseconds. -- **FrameCount** The total number of frames processed. -- **FrameMaxTimeMS** The maximum time required to process an entire frame, in milliseconds. -- **FrameMinTimeMS** The minimum time required to process an entire frame, in milliseconds. -- **Glitches** The number of frames that failed to be delivered on time. -- **HardwareCursorEnabled** Indicates if hardware cursor was enabled when the connection ended. -- **HDCPState** The state of HDCP (High-bandwidth Digital Content Protection) when the connection ended. -- **HighestBitrate** The highest video bitrate used during the Miracast session, in bits per second. -- **HighestDataRate** The highest available bandwidth reported by the WiFi driver, in bits per second. -- **LastLatencyMode** The last reported latency mode. -- **LogTimeReference** The reference time, in tick counts. -- **LowestBitrate** The lowest video bitrate used during the Miracast session, in bits per second. -- **LowestDataRate** The lowest video bitrate used during the Miracast session, in bits per second. -- **MediaErrorCode** The error code reported by the media session, if applicable. -- **MiracastEntry** The time (tick count) when the Miracast driver was first loaded. -- **MiracastM1** The time (tick count) when the M1 request was sent. -- **MiracastM2** The time (tick count) when the M2 request was sent. -- **MiracastM3** The time (tick count) when the M3 request was sent. -- **MiracastM4** The time (tick count) when the M4 request was sent. -- **MiracastM5** The time (tick count) when the M5 request was sent. -- **MiracastM6** The time (tick count) when the M6 request was sent. -- **MiracastM7** The time (tick count) when the M7 request was sent. -- **MiracastSessionState** The state of the Miracast session when the connection ended. -- **MiracastStreaming** The time (tick count) when the Miracast session first started processing frames. -- **ProfileCount** The count of profiles generated from the receiver M4 response. -- **ProfileCountAfterFiltering** The count of profiles after filtering based on available bandwidth and encoder capabilities. -- **RefreshRate** The refresh rate set on the remote display. -- **RotationSupported** Indicates if the Miracast receiver supports display rotation. -- **RTSPSessionId** The unique identifier of the RTSP session. This matches the RTSP session ID for the receiver for the same session. -- **SessionGuid** The unique identifier of to correlate various Miracast events from a session. -- **SinkHadEdid** Indicates if the Miracast receiver reported an EDID. -- **SupportMicrosoftColorSpaceConversion** Indicates whether the Microsoft color space conversion for extra color fidelity is supported by the receiver. -- **SupportsMicrosoftDiagnostics** Indicates whether the Miracast receiver supports the Microsoft Diagnostics Miracast extension. -- **SupportsMicrosoftFormatChange** Indicates whether the Miracast receiver supports the Microsoft Format Change Miracast extension. -- **SupportsMicrosoftLatencyManagement** Indicates whether the Miracast receiver supports the Microsoft Latency Management Miracast extension. -- **SupportsMicrosoftRTCP** Indicates whether the Miracast receiver supports the Microsoft RTCP Miracast extension. -- **SupportsMicrosoftVideoFormats** Indicates whether the Miracast receiver supports Microsoft video format for 3:2 resolution. -- **SupportsWiDi** Indicates whether Miracast receiver supports Intel WiDi extensions. -- **TeardownErrorCode** The error code reason for teardown provided by the receiver, if applicable. -- **TeardownErrorReason** The text string reason for teardown provided by the receiver, if applicable. -- **UIBCEndState** Indicates whether UIBC was enabled when the connection ended. -- **UIBCEverEnabled** Indicates whether UIBC was ever enabled. -- **UIBCStatus** The result code reported by the UIBC setup process. -- **VideoBitrate** The starting bitrate for the video encoder. -- **VideoCodecLevel** The encoding level used for encoding, specific to the video subtype. -- **VideoHeight** The height of encoded video frames. -- **VideoSubtype** The unique subtype identifier of the video codec (encoding method) used for video encoding. -- **VideoWidth** The width of encoded video frames. -- **WFD2Supported** Indicates if the Miracast receiver supports WFD2 protocol. - - -## OneDrive events - -### Microsoft.OneDrive.Sync.Setup.APIOperation - -This event includes basic data about install and uninstall OneDrive API operations. - -The following fields are available: - -- **APIName** The name of the API. -- **Duration** How long the operation took. -- **IsSuccess** Was the operation successful? -- **ResultCode** The result code. -- **ScenarioName** The name of the scenario. - - -### Microsoft.OneDrive.Sync.Setup.EndExperience - -This event includes a success or failure summary of the installation. - -The following fields are available: - -- **APIName** The name of the API. -- **HResult** HResult of the operation -- **IsSuccess** Whether the operation is successful or not -- **ScenarioName** The name of the scenario. - - -### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation - -This event is related to the OS version when the OS is upgraded with OneDrive installed. - -The following fields are available: - -- **CurrentOneDriveVersion** The current version of OneDrive. -- **CurrentOSBuildBranch** The current branch of the operating system. -- **CurrentOSBuildNumber** The current build number of the operating system. -- **CurrentOSVersion** The current version of the operating system. -- **HResult** The HResult of the operation. -- **SourceOSBuildBranch** The source branch of the operating system. -- **SourceOSBuildNumber** The source build number of the operating system. -- **SourceOSVersion** The source version of the operating system. - - -### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation - -This event is related to registering or unregistering the OneDrive update task. - -The following fields are available: - -- **APIName** The name of the API. -- **IsSuccess** Was the operation successful? -- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation. -- **ScenarioName** The name of the scenario. -- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation. - - -### Microsoft.OneDrive.Sync.Updater.ComponentInstallState - -This event includes basic data about the installation state of dependent OneDrive components. - -The following fields are available: - -- **ComponentName** The name of the dependent component. -- **isInstalled** Is the dependent component installed? - - -### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus - -This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken - -The following fields are available: - -- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system. -- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system. - - -### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult - -This event sends information describing the result of the update. - -The following fields are available: - -- **hr** The HResult of the operation. -- **IsLoggingEnabled** Indicates whether logging is enabled for the updater. -- **UpdaterVersion** The version of the updater. - - -### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult - -This event determines the status when downloading the OneDrive update configuration file. - -The following fields are available: - -- **hr** The HResult of the operation. - - -### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus - -This event determines the error code that was returned when verifying Internet connectivity. - -The following fields are available: - -- **winInetError** The HResult of the operation. - - -## Privacy consent logging events - -### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted - -This event is used to determine whether the user successfully completed the privacy consent experience. - -The following fields are available: - -- **presentationVersion** Which display version of the privacy consent experience the user completed -- **privacyConsentState** The current state of the privacy consent experience -- **settingsVersion** Which setting version of the privacy consent experience the user completed -- **userOobeExitReason** The exit reason of the privacy consent experience - - -### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus - -Event tells us effectiveness of new privacy experience. - -The following fields are available: - -- **isAdmin** whether the person who is logging in is an admin -- **isExistingUser** whether the account existed in a downlevel OS -- **isLaunching** Whether or not the privacy consent experience will be launched -- **isSilentElevation** whether the user has most restrictive UAC controls -- **privacyConsentState** whether the user has completed privacy experience -- **userRegionCode** The current user's region setting - - -### wilActivity - -This event provides a Windows Internal Library context used for Product and Service diagnostics. - -The following fields are available: - -- **-149ngContextMessage** No content is currently available. -- **3645entContextName** No content is currently available. -- **379rentContextName** No content is currently available. -- **532rentContextName** No content is currently available. -- **677rentContextName** No content is currently available. -- **8108entContextName** No content is currently available. -- **8251entContextName** No content is currently available. -- **902rentContextName** No content is currently available. -- **9567ngContextMessage** No content is currently available. -- **9717ngContextMessage** No content is currently available. -- **callContext** The function where the failure occurred. -- **currentContextId** The ID of the current call context where the failure occurred. -- **currentContextMessage** The message of the current call context where the failure occurred. -- **currentContextMessaon** No content is currently available. -- **currentContextName** The name of the current call context where the failure occurred. -- **failureCount** The number of failures for this failure ID. -- **failureId** The ID of the failure that occurred. -- **failureType** The type of the failure that occurred. -- **fileName** The file name where the failure occurred. -- **functige** No content is currently available. -- **function** The function where the failure occurred. -- **hresult** The HResult of the overall activity. -- **lineNumber** The line number where the failure occurred. -- **message** The message of the failure that occurred. -- **module** The module where the failure occurred. -- **ori1-0467ngContextMessage** No content is currently available. -- **ori1-1210ngContextMessage** No content is currently available. -- **ori1143-7ngContextMessage** No content is currently available. -- **ori1-1945ngContextMessage** No content is currently available. -- **ori13s090ngContextMessage** No content is currently available. -- **ori1-4671entContextName** No content is currently available. -- **ori1-5108ngContextMessage** No content is currently available. -- **ori1-5686ngContextMessage** No content is currently available. -- **ori1n:667ngContextMessage** No content is currently available. -- **ori1n8488ngContextMessage** No content is currently available. -- **ori1-s4o5ngContextMessage** No content is currently available. -- **ori808467ngContextMessage** No content is currently available. -- **originatingContextId** The ID of the originating call context that resulted in the failure. -- **originatingContextMessage** The message of the originating call context that resulted in the failure. -- **originatingContextName** The name of the originating call context that resulted in the failure. -- **threa0Id** No content is currently available. -- **threadId** The ID of the thread on which the activity is executing. - - -## Sediment events - -### Microsoft.Windows.Sediment.Info.DetailedState - -This event is sent when detailed state information is needed from an update trial run. - -The following fields are available: - -- **Data** Data relevant to the state, such as what percent of disk space the directory takes up. -- **Id** Identifies the trial being run, such as a disk related trial. -- **ReleaseVer** The version of the component. -- **State** The state of the reporting data from the trial, such as the top-level directory analysis. -- **Time** The time the event was fired. - - -### Microsoft.Windows.Sediment.Info.Error - -This event indicates an error in the updater payload. This information assists in keeping Windows up to date. - -The following fields are available: - -- **FailureType** The type of error encountered. -- **FileName** The code file in which the error occurred. -- **HResult** The failure error code. -- **LineNumber** The line number in the code file at which the error occurred. -- **ReleaseVer** The version information for the component in which the error occurred. -- **Time** The system time at which the error occurred. - - -### Microsoft.Windows.Sediment.Info.PhaseChange - -The event indicates progress made by the updater. This information assists in keeping Windows up to date. - -The following fields are available: - -- **NewPhase** The phase of progress made. -- **ReleaseVer** The version information for the component in which the change occurred. -- **Time** The system time at which the phase chance occurred. - - -## Setup events - -### SetupPlatformTel.SetupPlatformTelActivityEvent - -This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date. - -The following fields are available: - -- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. -- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. -- **Value** Value associated with the corresponding event name. For example, time-related events will include the system time - - -### SetupPlatformTel.SetupPlatformTelActivityStarted - -This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. - -The following fields are available: - -- **Name** The name of the dynamic update type. Example: GDR driver - - -### SetupPlatformTel.SetupPlatformTelActivityStopped - -This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. - - - -### SetupPlatformTel.SetupPlatformTelEvent - -This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios. - -The following fields are available: - -- **Falue** No content is currently available. -- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. -- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. -- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. - - -## Software update events - -### SoftwareUpdateClientTelemetry.CheckForUpdates - -Scan process event on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). - -The following fields are available: - -- **AativityMatchingId** No content is currently available. -- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. -- **ActivityMatcjingId** No content is currently available. -- **AllowCachedResul|s** No content is currently available. -- **AllowCachedResults** Indicates if the scan allowed using cached results. -- **AllowCachedRmsults** No content is currently available. -- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable -- **BiosFamily** The family of the BIOS (Basic Input Output System). -- **BiosName** The name of the device BIOS. -- **BiosReleaseDate** The release date of the device BIOS. -- **BiosSKUNumber** The sku number of the device BIOS. -- **BIOSVendor** The vendor of the BIOS. -- **BiosVersion** The version of the BIOS. -- **BranchReadinessLevel** The servicing branch configured on the device. -- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated. -- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. -- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. -- **ClientVersion** The version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0. -- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown -- **CurrentMobileOperator** The mobile operator the device is currently connected to. -- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). -- **DeferredUpdates** Update IDs which are currently being deferred until a later time -- **DeviceModel** What is the device model. -- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. -- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. -- **DriverSyncPassPerformed** Were drivers scanned this time? -- **DriverSyncPasSPerformed** No content is currently available. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. -- **ExtendedetadataICabUrl** No content is currently available. -- **ExtendedMetadataCabUrl** Hostname that is used to download an update. -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. -- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. -- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. -- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days). -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FeatureUpdatePausePerimd** No content is currently available. -- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days). -- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). -- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). -- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **IPVersion** Indicates whether the download took place over IPv4 or IPv6 -- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEna`led** No content is currently available. -- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. -- **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. -- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce -- **MSIError** The last error that was encountered during a scan for updates. -- **NetworkConneativityDetected** No content is currently available. -- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 -- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete -- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked -- **NumberOfLoop** The number of round trips the scan required -- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan -- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan -- **NumFailedetadataISignatures** No content is currently available. -- **NumFailedMetadatabignatures** No content is currently available. -- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. -- **Online** Indicates if this was an online scan. -- **PausedUpdates** A list of UpdateIds which that currently being paused. -- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window. -- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window. -- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window. -- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window. -- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced. -- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. -- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days). -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days). -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **ScanDurationInSeconds** The number of seconds a scan took -- **ScanEnqueueTime** The number of seconds it took to initialize a scan -- **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). -- **ServiaeUrl** No content is currently available. -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). -- **ServiceUrl** The environment URL a device is configured to scan with -- **ShippingMobileOperator** The mobile operator that a device shipped on. -- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). -- **SyncType** Describes the type of scan the event was -- **SystemBIOSMajorRelease** Major version of the BIOS. -- **SystemBIOSMinorRelease** Minor version of the BIOS. -- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. -- **TotalNumetadataISignatures** No content is currently available. -- **TotalNumMetadatabignatures** No content is currently available. -- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. -- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - - -### SoftwareUpdateClientTelemetry.Commit - -This event tracks the commit process post the update installation when software update client is trying to update the device. - -The following fields are available: - -- **BiosFamily** Device family as defined in the system BIOS -- **BiosName** Name of the system BIOS -- **BiosReleaseDate** Release date of the system BIOS -- **BiosSKUNumber** Device SKU as defined in the system BIOS -- **BIOSVendor** Vendor of the system BIOS -- **BiosVersion** Version of the system BIOS -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRevisionNumber** Identifies the revision number of the content bundle -- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client -- **ClientVersion** Version number of the software distribution client -- **DeploymentProviderMode** The mode of operation of the update deployment provider. -- **DeviceModel** Device model as defined in the system bios -- **EventInstanceID** A globally unique identifier for event instance -- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. -- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver". -- **FlightId** The specific id of the flight the device is getting -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) -- **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). -- **SystemBIOSMajorRelease** Major release version of the system bios -- **SystemBIOSMinorRelease** Minor release version of the system bios -- **UpdateId** Identifier associated with the specific piece of content -- **WUDeviceID** Unique device id controlled by the software distribution client - - -### SoftwareUpdateClientTelemetry.Download - -Download process event for target update on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). - -The following fields are available: - -- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded. -- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload. -- **AppXBlocKHashFailures** No content is currently available. -- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. -- **AppXDownloadScope** Indicates the scope of the download for application content. -- **AppXScope** Indicates the scope of the app download. -- **BiosFamily** The family of the BIOS (Basic Input Output System). -- **BiosName** The name of the device BIOS. -- **BiosReleaseDate** The release date of the device BIOS. -- **BiosSKUNumber** The sku number of the device BIOS. -- **BIOSVendor** The vendor of the BIOS. -- **BiosVersion** The version of the BIOS. -- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. -- **BundleId** Identifier associated with the specific content bundle. -- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. -- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). -- **CachedEngineVersion** The version of the “Self-Initiated Healing” (SIH) engine that is cached on the device, if applicable. -- **CallerApplicationName** The name provided by the application that initiated API calls into the software distribution client. -- **CallerApplicavionName** No content is currently available. -- **CbsDownloadMethod** Indicates whether the download was a full- or a partial-file download. -- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. -- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. -- **CDNId** ID which defines which CDN the software distribution client downloaded the content from. -- **ClientVersion** The version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. -- **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. -- **CurrentMobileOperator** The mobile operator the device is currently connected to. -- **DeviceModel** The model of the device. -- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. -- **DownloadProps** Information about the download operation properties in the form of a bitmask. -- **DownloadType** Differentiates the download type of “Self-Initiated Healing” (SIH) downloads between Metadata and Payload downloads. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed. -- **EventType** Identifies the type of the event (Child, Bundle, or Driver). -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). -- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. -- **FlightId** The specific ID of the flight (pre-release build) the device is getting. -- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). -- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). -- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. -- **HostName** The hostname URL the content is downloading from. -- **IPVersion** Indicates whether the download took place over IPv4 or IPv6. -- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update -- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. -- **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. -- **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) -- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." -- **PackageFullName** The package name of the content. -- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. -- **PostDnldTime** Time (in seconds) taken to signal download completion after the last job completed downloading the payload. -- **ProcessName** The process name of the application that initiated API calls, in the event where CallerApplicationName was not provided. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background. -- **RegulationReason** The reason that the update is regulated -- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. -- **RegulitionResult** No content is currently available. -- **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. -- **RepeatFailCount** Indicates whether this specific content has previously failed. -- **RepeatFailFlag** Indicates whether this specific content previously failed to download. -- **RevisionNumber** The revision number of the specified piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). -- **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. -- **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. -- **SizeCalcTime** Time (in seconds) taken to calculate the total download size of the payload. -- **SonnectTime** No content is currently available. -- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). -- **SystemBIOSMajorRelease** Major version of the BIOS. -- **SystemBIOSMinorRelease** Minor version of the BIOS. -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **TargetMetadataVersion** The version of the currently downloading (or most recently downloaded) package. -- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet. -- **TimeToEstablishConnection** Time (in milliseconds) it took to establish the connection prior to beginning downloaded. -- **TotalExpectedBytes** The total size (in Bytes) expected to be downloaded. -- **UpdateId** An identifier associated with the specific piece of content. -- **UpdateID** An identifier associated with the specific piece of content. -- **UpdateImportance** Indicates whether the content was marked as Important, Recommended, or Optional. -- **UsedDO** Indicates whether the download used the Delivery Optimization (DO) service. -- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive. -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - - -### SoftwareUpdateClientTelemetry.DownloadCheckpoint - -This event provides a checkpoint between each of the Windows Update download phases for UUP content - -The following fields are available: - -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client -- **ClientVersion** The version number of the software distribution client -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed -- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver" -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough -- **FileId** A hash that uniquely identifies a file -- **FileName** Name of the downloaded file -- **FlightId** The unique identifier for each flight -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **RevisionNumber** Unique revision number of Update -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.) -- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult) -- **UpdateId** Unique Update ID -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue - - -### SoftwareUpdateClientTelemetry.DownloadHeartbeat - -This event allows tracking of ongoing downloads and contains data to explain the current state of the download - -The following fields are available: - -- **BytesTotal** Total bytes to transfer for this content -- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat -- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client -- **ClientVersion** The version number of the software distribution client -- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat -- **CurrentError** Last (transient) error encountered by the active download -- **DownloadFlags** Flags indicating if power state is ignored -- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing) -- **EventType** Possible values are "Child", "Bundle", or "Driver" -- **FlightId** The unique identifier for each flight -- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered" -- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any -- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any -- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) -- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one -- **ResumeCount** Number of times this active download has resumed from a suspended state -- **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) -- **SuspendCount** Number of times this active download has entered a suspended state -- **SuspendReason** Last reason for why this active download entered a suspended state -- **UpdateId** Identifier associated with the specific piece of content -- **WUDeviceID** Unique device id controlled by the software distribution client - - -### SoftwareUpdateClientTelemetry.Install - -This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date. - -The following fields are available: - -- **BiosFamily** The family of the BIOS (Basic Input Output System). -- **BiosName** The name of the device BIOS. -- **BiosReleaseDate** The release date of the device BIOS. -- **BiosSKUNumber** The sku number of the device BIOS. -- **BIOSVendor** The vendor of the BIOS. -- **BiosVersion** The version of the BIOS. -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. -- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to install. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **ClientVersion** The version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0. -- **CSIErrorType** The stage of CBS installation where it failed. -- **CurrentMobileOperator** The mobile operator to which the device is currently connected. -- **DeploymentProviderMode** The mode of operation of the update deployment provider. -- **DeviceModel** The device model. -- **DriverPifgBack** No content is currently available. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. -- **EventType** Possible values are Child, Bundle, or Driver. -- **ExtendedErrorCode** The extended error code. -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBranch** The branch that a device is on if participating in the Windows Insider Program. -- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **FlightRing** The ring that a device is on if participating in the Windows Insider Program. -- **HandlerType** Indicates what kind of content is being installed (for example, app, driver, Windows update). -- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. -- **InstallProps** A bitmask for future flags associated with the install operation. No value is currently reported in this field. Expected value for this field is 0. -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **IsDependentSet** Indicates whether the driver is part of a larger System Hardware/Firmware update. -- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. -- **IsFirmware** Indicates whether this update is a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. -- **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. -- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. -- **MsiAction** The stage of MSI installation where it failed. -- **MsiProductCode** The unique identifier of the MSI installer. -- **PackageFullName** The package name of the content being installed. -- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced. -- **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. -- **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. -- **RevisionNumber** The revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). -- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. -- **ShippingMobileOperator** The mobile operator that a device shipped on. -- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). -- **SystemBIOSMajorRelease** Major version of the BIOS. -- **SystemBIOSMinorRelease** Minor version of the BIOS. -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **TransactionCode** The ID that represents a given MSI installation. -- **UpdateId** Unique update ID. -- **UpdateID** An identifier associated with the specific piece of content. -- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. -- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive. -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - - -### SoftwareUpdateClientTelemetry.Revert - -Revert event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). - -The following fields are available: - -- **BundleId** Identifier associated with the specific content bundle. Should not be all zeros if the BundleId was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **CSIErrorType** Stage of CBS installation that failed. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). -- **EventType** Event type (Child, Bundle, Release, or Driver). -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of the flight. -- **FlightId** The specific ID of the flight the device is getting. -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). -- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. -- **IsFirmware** Indicates whether an update was a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. -- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **UpdateId** The identifier associated with the specific piece of content. -- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). -- **UsedSystemVolume** Indicates whether the device's main system storage drive or an alternate storage drive was used. -- **WUDeviceID** Unique device ID controlled by the software distribution client. - - -### SoftwareUpdateClientTelemetry.TaskRun - -Start event for Server Initiated Healing client. See EventScenario field for specifics (for example, started/completed). - -The following fields are available: - -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClientVersion** Version number of the software distribution client. -- **CmdLineArgs** Command line arguments passed in by the caller. -- **EventInstanceID** A globally unique identifier for the event instance. -- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **WUDeviceID** Unique device ID controlled by the software distribution client. - - -### SoftwareUpdateClientTelemetry.Uninstall - -Uninstall event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). - -The following fields are available: - -- **BundleId** The identifier associated with the specific content bundle. This should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** Name of the application making the Windows Update request. Used to identify context of request. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers when a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of the event (a scan started, succeded, failed, etc.). -- **EventType** Indicates the event type. Possible values are "Child", "Bundle", "Release" or "Driver". -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of the flight. -- **FlightId** The specific ID of the flight the device is getting. -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). -- **HardwareId** If the download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. -- **IsFirmware** Indicates whether an update was a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. -- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific piece of content previously failed. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **UpdateId** Identifier associated with the specific piece of content. -- **UpdateImportance** Indicates the importance of a driver and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). -- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. -- **WUDeviceID** Unique device ID controlled by the software distribution client. - - -### SoftwareUpdateClientTelemetry.UpdateDetected - -This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates. - -The following fields are available: - -- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable. -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **RelntedCV** No content is currently available. -- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). -- **umberOfApplicableUpdates** No content is currently available. -- **WUDeviceID** The unique device ID controlled by the software distribution client. -- **xHDeviceID** No content is currently available. - - -### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity - -Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. - -The following fields are available: - -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **CallerLoglicationName** No content is currently available. -- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments. -- **EventSbenario** No content is currently available. -- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed. -- **ExtendedStatusCode** The secondary status code of the event. -- **ExtendefStatusCode** No content is currently available. -- **imeZoScenario** No content is currently available. -- **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed. -- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. -- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce -- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID). -- **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable. -- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. -- **RcwMode** No content is currently available. -- **RevisionId** The revision ID for a specific piece of content. -- **RevisionNumber** The revision number for a specific piece of content. -- **SedviceGuid** No content is currently available. -- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store -- **ServiceGuidEndpointUrl** No content is currently available. -- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. -- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. -- **SHA256OfTimestampToken** An encoded string of the timestamp token. -- **SignatureAlgorithm** The hash algorithm for the metadata signature. -- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast -- **StatusCode** The status code of the event. -- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token. -- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed. -- **UpdateId** The update ID for a specific piece of content. -- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. - - -## System Resource Usage Monitor events - -### Microsoft.Windows.Srum.Sdp.CpuUsage - -This event provides information on CPU usage. - -The following fields are available: - -- **UsageMax** The maximum of hourly average CPU usage. -- **UsageMean** The mean of hourly average CPU usage. -- **UsageMedian** The median of hourly average CPU usage. -- **UsageTwoHourMaxMean** The mean of the maximum of every two hour of hourly average CPU usage. -- **UsageTwoHourMedianMean** The mean of the median of every two hour of hourly average CPU usage. - - -### Microsoft.Windows.Srum.Sdp.NetworkUsage - -This event provides information on network usage. - -The following fields are available: - -- **AdapterGuid** The unique ID of the adapter. -- **BytesTotalMax** The maximum of the hourly average bytes total. -- **BytesTotalMean** The mean of the hourly average bytes total. -- **BytesTotalMedian** The median of the hourly average bytes total. -- **BytesTotalTwoHourMaxMean** The mean of the maximum of every two hours of hourly average bytes total. -- **BytesTotalTwoHourMedianMean** The mean of the median of every two hour of hourly average bytes total. -- **LinkSpeed** The adapter link speed. - - -## Update events - -### Update360Telemetry.Revert - -This event sends data relating to the Revert phase of updating Windows. - -The following fields are available: - -- **ErrorCode** The error code returned for the Revert phase. -- **FlightId** Unique ID for the flight (test instance version). -- **ObjectId** The unique value for each Update Agent mode. -- **RebootRequired** Indicates reboot is required. -- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. -- **Result** The HResult of the event. -- **RevertResult** The result code returned for the Revert operation. -- **ScenarioId** The ID of the update scenario. -- **SessionId** The ID of the update attempt. -- **UpdateId** The ID of the update. - - -### Update360Telemetry.UpdateAgentCommit - -This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **ErrorCode** The error code returned for the current install phase. -- **FlightId** Unique ID for each flight. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** Outcome of the install phase of the update. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentDownloadRequest - -This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. - -The following fields are available: - -- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted. -- **DownloadRequests** Number of times a download was retried. -- **ErrorCode** The error code returned for the current download request phase. -- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. -- **FlightId** Unique ID for each flight. -- **InternalFailureResult** Indicates a non-fatal error from a plugin. -- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). -- **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable. -- **PackageCountOptional** Number of optional packages requested. -- **PackageCountRequired** Number of required packages requested. -- **PackageCountTotal** Total number of packages needed. -- **PackageCountTotalCanonical** Total number of canonical packages. -- **PackageCountTotalDiff** Total number of diff packages. -- **PackageCountTotalExpress** Total number of express packages. -- **PackageCountTotalPSFX** The total number of PSFX packages. -- **PackageExpressType** Type of express package. -- **PackageSizeCanonical** Size of canonical packages in bytes. -- **PackageSizeDiff** Size of diff packages in bytes. -- **PackageSizeExpress** Size of express packages in bytes. -- **PackageSizePSFX** The size of PSFX packages, in bytes. -- **RangeRequestState** Indicates the range request type used. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** Outcome of the download request phase of update. -- **SandboxTaggedForReserves** The sandbox for reserves. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases). -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentExpand - -This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **ElapsedTickCount** Time taken for expand phase. -- **EndFreeSpace** Free space after expand phase. -- **EndSandboxSize** Sandbox size after expand phase. -- **ErrorCode** The error code returned for the current install phase. -- **FlightId** Unique ID for each flight. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **StartFreeSpace** Free space before expand phase. -- **StartSandboxSize** Sandbox size after expand phase. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentFellBackToCanonical - -This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **FlightId** Unique ID for each flight. -- **ObjectId** Unique value for each Update Agent mode. -- **PackageCount** Number of packages that feel back to canonical. -- **PackageList** PackageIds which fell back to canonical. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentInitialize - -This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. - -The following fields are available: - -- **ErrorCode** The error code returned for the current install phase. -- **essionData** No content is currently available. -- **FlightId** Unique ID for each flight. -- **FlightMetadata** Contains the FlightId and the build being flighted. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** Outcome of the install phase of the update. -- **ScenarioId** Indicates the update scenario. -- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios). -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentInstall - -This event sends data for the install phase of updating Windows. - -The following fields are available: - -- **ErrorCode** The error code returned for the current install phase. -- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. -- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). -- **InternalFailureResult** Indicates a non-fatal error from a plugin. -- **ObjectId** Correlation vector value generated from the latest USO scan. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** The result for the current install phase. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentMerge - -The UpdateAgentMerge event sends data on the merge phase when updating Windows. - -The following fields are available: - -- **ErrorCode** The error code returned for the current merge phase. -- **FlightId** Unique ID for each flight. -- **MergeId** The unique ID to join two update sessions being merged. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Related correlation vector value. -- **Result** Outcome of the merge phase of the update. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentMitigationResult - -This event sends data indicating the result of each update agent mitigation. - -The following fields are available: - -- **Applicable** Indicates whether the mitigation is applicable for the current update. -- **CommandCount** The number of command operations in the mitigation entry. -- **CustomCount** The number of custom operations in the mitigation entry. -- **FileCount** The number of file operations in the mitigation entry. -- **FlightId** Unique identifier for each flight. -- **Index** The mitigation index of this particular mitigation. -- **MitigationScenario** The update scenario in which the mitigation was executed. -- **Name** The friendly name of the mitigation. -- **ObjectId** Unique value for each Update Agent mode. -- **OperationIndex** The mitigation operation index (in the event of a failure). -- **OperationName** The friendly name of the mitigation operation (in the event of failure). -- **RegistryCount** The number of registry operations in the mitigation entry. -- **RelatedCV** The correlation vector value generated from the latest USO scan. -- **Result** The HResult of this operation. -- **ScenarioId** The update agent scenario ID. -- **SessionId** Unique value for each update attempt. -- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). -- **UpdateId** Unique ID for each Update. - - -### Update360Telemetry.UpdateAgentMitigationSummary - -This event sends a summary of all the update agent mitigations available for an this update. - -The following fields are available: - -- **Applicable** The count of mitigations that were applicable to the system and scenario. -- **Failed** The count of mitigations that failed. -- **FlightId** Unique identifier for each flight. -- **Friled** No content is currently available. -- **MitigationScenario** The update scenario in which the mitigations were attempted. -- **ObjectId** The unique value for each Update Agent mode. -- **RelatedCV** The correlation vector value generated from the latest USO scan. -- **Result** The HResult of this operation. -- **ScenarioId** The update agent scenario ID. -- **SessionId** Unique value for each update attempt. -- **TimeDiff** The amount of time spent performing all mitigations (in 100-nanosecond increments). -- **Total** Total number of mitigations that were available. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentModeStart - -This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. - -The following fields are available: - -- **FlightId** Unique ID for each flight. -- **Mode** Indicates the mode that has started. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. -- **Version** Version of update - - -### Update360Telemetry.UpdateAgentOneSettings - -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **Count** The count of applicable OneSettings for the device. -- **FlightId** Unique ID for the flight (test instance version). -- **Obj%ctId** No content is currently available. -- **ObjectId** The unique value for each Update Agent mode. -- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. -- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. -- **Result** The HResult of the event. -- **ScenarioId** The ID of the update scenario. -- **SessionId** The ID of the update attempt. -- **UpdateId** The ID of the update. -- **Values** The values sent back to the device, if applicable. - - -### Update360Telemetry.UpdateAgentPostRebootResult - -This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. - -The following fields are available: - -- **ErrorCode** The error code returned for the current post reboot phase. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **ObjectId** Unique value for each Update Agent mode. -- **PostRebootResult** Indicates the Hresult. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentReboot - -This event sends information indicating that a request has been sent to suspend an update. - -The following fields are available: - -- **ErrorCode** The error code returned for the current reboot. -- **FlightId** Unique ID for the flight (test instance version). -- **ObjectId** The unique value for each Update Agent mode. -- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. -- **Result** The HResult of the event. -- **ScenarioId** The ID of the update scenario. -- **SessionId** The ID of the update attempt. -- **UpdateId** The ID of the update. - - -### Update360Telemetry.UpdateAgentSetupBoxLaunch - -The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. - -The following fields are available: - -- **ContainsExpressPackage** Indicates whether the download package is express. -- **FlightId** Unique ID for each flight. -- **FreeSpace** Free space on OS partition. -- **InstallCount** Number of install attempts using the same sandbox. -- **ObjectId** Unique value for each Update Agent mode. -- **Quiet** Indicates whether setup is running in quiet mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **SandboxSize** Size of the sandbox. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **SetupMode** Mode of setup to be launched. -- **UpdateId** Unique ID for each Update. -- **UserSession** Indicates whether install was invoked by user actions. - - -## Update notification events - -### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat - -This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat. - -The following fields are available: - -- **CampaignConfigVersion** Configuration version for the current campaign. -- **CampaignID** Currently campaign that is running on Update Notification Pipeline (UNP). -- **ConfigCatalogVersion** Current catalog version of UNP. -- **ContentVersion** Content version for the current campaign on UNP. -- **CV** Correlation vector. -- **DetectorVersion** Most recently run detector version for the current campaign on UNP. -- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user. -- **PackageVersion** Current UNP package version. - - -## Upgrade events - -### FacilitatorTelemetry.DCATDownload - -This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **DownloadSize** Download size of payload. -- **ElapsedTime** Time taken to download payload. -- **MediaFallbackUsed** Used to determine if we used Media CompDBs to figure out package requirements for the upgrade. -- **ResultCode** Result returned by the Facilitator DCAT call. -- **Scenario** Dynamic update scenario (Image DU, or Setup DU). -- **Type** Type of package that was downloaded. -- **UpdateId** The ID of the update that was downloaded. - - -### FacilitatorTelemetry.DUDownload - -This event returns data about the download of supplemental packages critical to upgrading a device to the next version of Windows. - -The following fields are available: - -- **DownloadRequestAttributes** The attributes sent for download. -- **PackageCategoriesFailed** Lists the categories of packages that failed to download. -- **PackageCategoriesSkipped** Lists the categories of package downloads that were skipped. -- **ResultCode** The result of the event execution. -- **Scenario** Identifies the active Download scenario. -- **Url** The URL the download request was sent to. -- **Version** Identifies the version of Facilitator used. - - -### FacilitatorTelemetry.InitializeDU - -This event determines whether devices received additional or critical supplemental content during an OS upgrade. - -The following fields are available: - -- **DCATUrl** The Delivery Catalog (DCAT) URL we send the request to. -- **DownloadRequestAttributes** The attributes we send to DCAT. -- **ResultCode** The result returned from the initiation of Facilitator with the URL/attributes. -- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). -- **Url** The Delivery Catalog (DCAT) URL we send the request to. -- **Version** Version of Facilitator. - - -### Setup360Telemetry.Downlevel - -This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the downlevel OS. -- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** More detailed information about phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback). -- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors). -- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT). -- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). -- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** An ID that uniquely identifies a group of events. -- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId. - - -### Setup360Telemetry.Finalize - -This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe -- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** More detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** ID that uniquely identifies a group of events. -- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. - - -### Setup360Telemetry.OsUninstall - -This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall. - -The following fields are available: - -- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** ID that uniquely identifies a group of events. -- **WuId** Windows Update client ID. - - -### Setup360Telemetry.PostRebootInstall - -This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help keep Windows up-to-date. - -The following fields are available: - -- **ClientId** With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback -- **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled -- **TestId** A string to uniquely identify a group of events. -- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId. - - -### Setup360Telemetry.PreDownloadQuiet - -This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help keep Windows up to date. - -The following fields are available: - -- **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. -- **TestId** ID that uniquely identifies a group of events. -- **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId. - - -### Setup360Telemetry.PreDownloadUX - -This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS, to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion of the update process. - -The following fields are available: - -- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **HostOSBuildNumber** The build number of the previous operating system. -- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). -- **InstanceId** Unique GUID that identifies each instance of setuphost.exe. -- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). -- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** ID that uniquely identifies a group of events. -- **WuId** Windows Update client ID. - - -### Setup360Telemetry.PreInstallQuiet - -This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up-to-date. - -The following fields are available: - -- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe -- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. -- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT). -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** A string to uniquely identify a group of events. -- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. - - -### Setup360Telemetry.PreInstallUX - -This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process. - -The following fields are available: - -- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** A string to uniquely identify a group of events. -- **WuId** Windows Update client ID. - - -### Setup360Telemetry.Setup360 - -This event sends data about OS deployment scenarios, to help keep Windows up-to-date. - -The following fields are available: - -- **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FieldName** Retrieves the data point. -- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. -- **InstanãeId** No content is currently available. -- **InstanceId** Retrieves a unique identifier for each instance of a setup session. -- **ReportId** Retrieves the report ID. -- **ScenarioId** Retrieves the deployment scenario. -- **value** No content is currently available. -- **Value** Retrieves the value associated with the corresponding FieldName. - - -### Setup360Telemetry.Setup360DynamicUpdate - -This event helps determine whether the device received supplemental content during an operating system upgrade, to help keep Windows up-to-date. - -The following fields are available: - -- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. -- **InstanceId** Retrieves a unique identifier for each instance of a setup session. -- **Operation** Facilitator’s last known operation (scan, download, etc.). -- **ReportId** ID for tying together events stream side. -- **ResultCode** Result returned for the entire setup operation. -- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). -- **ScenarioId** Identifies the update scenario. -- **TargetBranch** Branch of the target OS. -- **TargetBuild** Build of the target OS. - - -### Setup360Telemetry.Setup360MitigationResult - -This event sends data indicating the result of each setup mitigation. - -The following fields are available: - -- **Applicable** TRUE if the mitigation is applicable for the current update. -- **ClientId** In the Windows Update scenario, this is the client ID passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **CommandCount** The number of command operations in the mitigation entry. -- **CustomCount** The number of custom operations in the mitigation entry. -- **FileCount** The number of file operations in the mitigation entry. -- **FlightData** The unique identifier for each flight (test release). -- **Index** The mitigation index of this particular mitigation. -- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. -- **MitigationScenario** The update scenario in which the mitigation was executed. -- **Name** The friendly (descriptive) name of the mitigation. -- **OperationIndex** The mitigation operation index (in the event of a failure). -- **OperationName** The friendly (descriptive) name of the mitigation operation (in the event of failure). -- **RegistryCount** The number of registry operations in the mitigation entry. -- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. -- **Result** HResult of this operation. -- **ScenarioId** Setup360 flow type. -- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). - - -### Setup360Telemetry.Setup360MitigationSummary - -This event sends a summary of all the setup mitigations available for this update. - -The following fields are available: - -- **Applicable** The count of mitigations that were applicable to the system and scenario. -- **ClientId** The Windows Update client ID passed to Setup. -- **Failed** The count of mitigations that failed. -- **FlightData** The unique identifier for each flight (test release). -- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. -- **MitigationScenario** The update scenario in which the mitigations were attempted. -- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. -- **Result** HResult of this operation. -- **ScenarioId** Setup360 flow type. -- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). -- **Total** The total number of mitigations that were available. - - -### Setup360Telemetry.Setup360OneSettings - -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **ClientId** The Windows Update client ID passed to Setup. -- **Count** The count of applicable OneSettings for the device. -- **FlightData** The ID for the flight (test instance version). -- **InstanceId** The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe. -- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. -- **ReportId** The Update ID passed to Setup. -- **Result** The HResult of the event error. -- **ScenarioId** The update scenario ID. -- **Values** Values sent back to the device, if applicable. - - -### Setup360Telemetry.UnexpectedEvent - -This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date. - -The following fields are available: - -- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe -- **o-Ste** No content is currently available. -- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** A string to uniquely identify a group of events. -- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. - - -## Windows as a Service diagnostic events - -### Microsoft.Windows.WaaSMedic.SummaryEvent - -Result of the WaaSMedic operation. - -The following fields are available: - -- **callerApplication** The name of the calling application. -- **capsuleCount** The number of Sediment Pack capsules. -- **capsuleFailureCount** The number of capsule failures. -- **detectionSummary** Result of each applicable detection that was run. -- **featureAssessmentImpact** WaaS Assessment impact for feature updates. -- **hrEngineBlockReason** Indicates the reason for stopping WaaSMedic. -- **hrEngineResult** Error code from the engine operation. -- **hrLastSandboxError** The last error sent by the WaaSMedic sandbox. -- **initSummary** Summary data of the initialization method. -- **insufficientSessions** Device not eligible for diagnostics. -- **isInteractiveMode** The user started a run of WaaSMedic. -- **isManaged** Device is managed for updates. -- **isWUConnected** Device is connected to Windows Update. -- **noMoreActions** No more applicable diagnostics. -- **pluginFailureCount** The number of plugins that have failed. -- **pluginsCount** The number of plugins. -- **qualityAssessmentImpact** WaaS Assessment impact for quality updates. -- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on. -- **usingBackupFeatureAssessment** Relying on backup feature assessment. -- **usingBackupQualityAssessment** Relying on backup quality assessment. -- **usingCachedFeatureAssessment** WaaS Medic run did not get OS build age from the network on the previous run. -- **usingCachedQualityAssessment** WaaS Medic run did not get OS revision age from the network on the previous run. -- **versionString** Version of the WaaSMedic engine. -- **waasMedicRunMode** Indicates whether this was a background regular run of the medic or whether it was triggered by a user launching Windows Update Troubleshooter. - - -## Windows Error Reporting events - -### Microsoft.Windows.WERVertical.OSCrash - -This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. - -The following fields are available: - -- **BootId** Uint32 identifying the boot number for this device. -- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check. -- **BugCheckPar%meter2** No content is currently available. -- **BugCheckParameter1** Uint64 parameter providing additional information. -- **BugCheckParameter2** Uint64 parameter providing additional information. -- **BugCheckParameter3** Uint64 parameter providing additional information. -- **BugCheckParameter4** Uint64 parameter providing additional information. -- **DumpFileAttributes** Codes that identify the type of data contained in the dump file -- **DumpFileSize** Size of the dump file -- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise -- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). - - -## Windows Error Reporting MTT events - -### Microsoft.Windows.WER.MTT.Denominator - -This event provides a denominator to calculate MTTF (mean-time-to-failure) for crashes and other errors, to help keep Windows up to date. - -The following fields are available: - -- **DPRange** Maximum mean value range. -- **DPValue** Randomized bit value (0 or 1) that can be reconstituted over a large population to estimate the mean. -- **Value** Standard UTC emitted DP value structure See [Value](#value). - - -### Value - -This event returns data about Mean Time to Failure (MTTF) for Windows devices. It is the primary means of estimating reliability problems in Basic Diagnostic reporting with very strong privacy guarantees. Since Basic Diagnostic reporting does not include system up-time, and since that information is important to ensuring the safe and stable operation of Windows, the data provided by this event provides that data in a manner which does not threaten a user’s privacy. - -The following fields are available: - -- **Algorithm** The algorithm used to preserve privacy. -- **DPRange** The upper bound of the range being measured. -- **DPValue** The randomized response returned by the client. -- **Epsilon** The level of privacy to be applied. -- **HistType** The histogram type if the algorithm is a histogram algorithm. -- **PertProb** The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”. - - -## Windows Store events - -### Microsoft.Windows.Store.StoreActivating - -This event sends tracking data about when the Store app activation via protocol URI is in progress, to help keep Windows up to date. - - - -### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation - -This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AggregatedPackageFullNcmes** No content is currently available. -- **AttemptNumber** Number of retry attempts before it was canceled. -- **BundleId** The Item Bundle ID. -- **Bundlele** No content is currently available. -- **CategoryId** The Item Category ID. -- **Categoryle** No content is currently available. -- **ClientAppId** The identity of the app that initiated this operation. -- **ClientApple** No content is currently available. -- **HResult** The result code of the last action performed before this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Was this requested by a user? -- **IsMandatory** Was this a mandatory update? -- **IsRemediation** Was this a remediation install? -- **IsRestore** Is this automatically restoring a previously acquired product? -- **IsUpdate** Flag indicating if this is an update. -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **ParentBundlele** No content is currently available. -- **PFN** The product family name of the product being installed. -- **Producele** No content is currently available. -- **ProductId** The identity of the package or packages being installed. -- **S{stemAttemptNumber** No content is currently available. -- **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled. -- **UserAttemptNumber** The total number of user attempts at installation before it was canceled. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds - -This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure. - - - -### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare - -This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure. - - - -### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation - -This event is sent when an app update or installation is canceled while in interactive mode. This can be canceled by the user or the system. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed. -- **AttemptNumber** Total number of installation attempts. -- **BundleId** The identity of the Windows Insider build that is associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Was this requested by a user? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this an automatic restore of a previously acquired product? -- **IsUpdate** Is this a product update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of all packages to be downloaded and installed. -- **PreviousHResult** The previous HResult code. -- **PreviousInstallState** Previous installation state before it was canceled. -- **ProductId** The name of the package or packages requested for installation. -- **RelatedCV** Correlation Vector of a previous performed action on this product. -- **SystemAttemptNumber** Total number of automatic attempts to install before it was canceled. -- **UserAttemptNumber** Total number of user attempts to install before it was canceled. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest - -This event is sent at the end of app installations or updates to help keep Windows up-to-date and secure. - -The following fields are available: - -- **CatalogId** The Store Product ID of the app being installed. -- **HResult** HResult code of the action being performed. -- **IsBundle** Is this a bundle? -- **PackageFamilyName** The name of the package being installed. -- **ProductId** The Store Product ID of the product being installed. -- **SkuId** Specific edition of the item being installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense - -This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNaies** No content is currently available. -- **AggregatedpackageFullNames** No content is currently available. -- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set. -- **AttemptNumber** The total number of attempts to acquire this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** HResult code to show the result of the operation (success/failure). -- **IsBundle** Is this a bundle? -- **IsInteractive** Did the user initiate the installation? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this happening after a device restore? -- **IsUp`ate** No content is currently available. -- **IsUpdate** Is this an update? -- **ParentBuneleId** No content is currently available. -- **PFN** Product Family Name of the product being installed. -- **Produc|Id** No content is currently available. -- **productId** No content is currently available. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNueber** No content is currently available. -- **SystemAttemptNumber** The number of attempts by the system to acquire this product. -- **UserAttemptNumber** The number of attempts by the user to acquire this product -- **UserCttemptNumber** No content is currently available. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndDownload - -This event is sent after an app is downloaded to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullLames** No content is currently available. -- **AggregatedPackageFullNaðes** No content is currently available. -- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. -- **AttemptNumber** Number of retry attempts before it was canceled. -- **BundleId** The identity of the Windows Insider build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **CategoryIf** No content is currently available. -- **ClientAppId** The identity of the app that initiated this operation. -- **DownloadSize** The total size of the download. -- **ExtendedHResult** Any extended HResult error codes. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this initiated by the user? -- **IsMandatory** Is this a mandatory installation? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this a restore of a previously acquired product? -- **IsUpdate** Is this an update? -- **ParentBundleId** The parent bundle ID (if it's part of a bundle). -- **PFN** The Product Family Name of the app being download. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The number of attempts by the system to download. -- **UserAttemptNum`er** No content is currently available. -- **UserAttemptNumber** The number of attempts by the user to download. -- **UserCttemptNumber** No content is currently available. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate - -This event is sent when an app update requires an updated Framework package and the process starts to download it. It is used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **HResult** The result code of the last action performed before this operation. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds - -This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **HResult** The result code of the last action performed before this operation. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndInstall - -This event is sent after a product has been installed to help keep Windows up-to-date and secure. - -The following fields are available: - -- **__TlgCÖ__** No content is currently available. -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **ExtendedHResult** The extended HResult error code. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this an interactive installation? -- **IsInteragtive** No content is currently available. -- **IsMandatory** Is this a mandatory installation? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this automatically restoring a previously acquired product? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** Product Family Name of the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates - -This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed. -- **IsApplicability** Is this request to only check if there are any applicable packages to install? -- **IsInteractive** Is this user requested? -- **IsOnline** Is the request doing an online check? - - -### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages - -This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The total number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of the package or packages requested for install. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData - -This event is sent after restoring user data (if any) that needs to be restored following a product install. It is used to keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. -- **AttemptNumber** The total number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of the package or packages requested for install. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of system attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare - -This event is sent after a scan for available app updates to help keep Windows up-to-date and secure. - -The following fields are available: - -- **HResult** The result code of the last action performed. - - -### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete - -This event is sent at the end of an app install or update to help keep Windows up-to-date and secure. - -The following fields are available: - -- **CatalogId** The name of the product catalog from which this app was chosen. -- **CatanogId** No content is currently available. -- **CatdlogId** No content is currently available. -- **FailedRetry** Indicates whether the installation or update retry was successful. -- **HResult** The HResult code of the operation. -- **JResult** No content is currently available. -- **PFN** The Package Family Name of the app that is being installed or updated. -- **Producele** No content is currently available. -- **ProductId** The product ID of the app that is being updated or installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate - -This event is sent at the beginning of an app install or update to help keep Windows up-to-date and secure. - -The following fields are available: - -- **CatalogId** The name of the product catalog from which this app was chosen. -- **FulfillmentPluginId** The ID of the plugin needed to install the package type of the product. -- **PFN** The Package Family Name of the app that is being installed or updated. -- **PluginTelemetryData** Diagnostic information specific to the package-type plug-in. -- **ProductId** The product ID of the app that is being updated or installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest - -This event is sent when a product install or update is initiated, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **BundleId** The identity of the build associated with this product. -- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SkuId** Specific edition ID being installed. -- **VolumePath** The disk path of the installation. - - -### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation - -This event is sent when a product install or update is paused (either by a user or the system), to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The total number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The Product Full Name. -- **PreviousHResult** The result code of the last action performed before this operation. -- **PreviousInstallState** Previous state before the installation or update was paused. -- **ProductId** The Store Product ID for the product being installed. -- **RelatedCV** Correlation Vector of a previous performed action on this product. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation - -This event is sent when a product install or update is resumed (either by a user or the system), to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **categoryId** No content is currently available. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed before this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **IsUserRetry** Did the user initiate the retry? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of the package or packages requested for install. -- **PreviousHResult** The previous HResult error code. -- **PreviousInstallState** Previous state before the installation was paused. -- **ProductId** The Store Product ID for the product being installed. -- **RelatedCV** Correlation Vector for the original install before it was resumed. -- **ResumeClientId** The ID of the app that initiated the resume operation. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest - -This event is sent when a product install or update is resumed by a user or on installation retries, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **ProductId** The Store Product ID for the product being installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest - -This event is sent when searching for update packages to install, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **CatalogId** The Store Catalog ID for the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SkuId** Specfic edition of the app being updated. - - -### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest - -This event occurs when an update is requested for an app, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **PFamN** The name of the app that is requested for update. - - -## Windows System Kit events - -### Microsoft.Windows.Kits.WSK.WskImageCreate - -This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures. - -The following fields are available: - -- **Phase** The image creation phase. Values are “Start” or “End”. -- **WskVersion** The version of the Windows System Kit being used. - - -### Microsoft.Windows.Kits.WSK.WskImageCustomization - -This event sends simple Product and Service usage data when a user is using the Windows System Kit to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures. - -The following fields are available: - -- **CustomizationMode** Indicates the mode of the customization (new or updating). -- **CustomizationType** Indicates the type of customization (drivers or apps). -- **Mode** The mode of update to image configuration files. Values are “New” or “Update”. -- **Phase** The image creation phase. Values are “Start” or “End”. -- **Type** The type of update to image configuration files. Values are “Apps” or “Drivers”. -- **WskVersion** The version of the Windows System Kit being used. - - -### Microsoft.Windows.Kits.WSK.WskWorkspaceCreate - -This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new workspace for generating OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate workspace creation failures. - -The following fields are available: - -- **Architecture** The OS architecture that the workspace will target. Values are one of: “AMD64”, “ARM64”, “x86”, or “ARM”. -- **OsEdition** The Operating System Edition that the workspace will target. -- **Phase** The image creation phase. Values are “Start” or “End”. -- **WorkspaceArchitecture** The operating system architecture that the workspace will target. -- **WorkspaceOsEdition** The operating system edition that the workspace will target. -- **WskVersion** The version of the Windows System Kit being used. - - -## Windows Update Delivery Optimization events - -### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled - -This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **background** Is the download being done in the background? -- **bytesFromCacheServer** Bytes received from a cache host. -- **bytesFromCDN** The number of bytes received from a CDN source. -- **bytesFromGroupPeers** The number of bytes received from a peer in the same group. -- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group. -- **bytesFromLinkLocalPeers** The number of bytes received from local peers. -- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. -- **bytesFromPeers** The number of bytes received from a peer in the same LAN. -- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. -- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. -- **cdnIp** The IP Address of the source CDN (Content Delivery Network). -- **cdnUrl** The URL of the source CDN (Content Delivery Network). -- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. -- **errorCode** The error code that was returned. -- **experimentId** When running a test, this is used to correlate events that are part of the same test. -- **fileID** The ID of the file being downloaded. -- **gCurMemoryStreamBytes** Current usage for memory streaming. -- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. -- **isVpn** Indicates whether the device is connected to a VPN (Virtual Private Network). -- **jobID** Identifier for the Windows Update job. -- **predefinedCallerName** The name of the API Caller. -- **reasonCode** Reason the action or event occurred. -- **routeToCacheServer** The cache server setting, source, and value. -- **sessionID** The ID of the file download session. -- **updateID** The ID of the update being downloaded. -- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. - - -### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted - -This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **#dnErrorCounts** No content is currently available. -- **__TlgCVß_** No content is currently available. -- **|anConnectionCount** No content is currently available. -- **}plinkUsageBps** No content is currently available. -- **0redefinedCallerName** No content is currently available. -- **b6nConnectionCount** No content is currently available. -- **b6nErrorCodes** No content is currently available. -- **b6nErrorCounts** No content is currently available. -- **b6nIp** No content is currently available. -- **b6nUrl** No content is currently available. -- **background** Is the download a background download? -- **bytesFrkmIntPeers** No content is currently available. -- **bytesFromCacheSedver** No content is currently available. -- **bytesFromCacheServer** Bytes received from a cache host. -- **bytesFromCdN** No content is currently available. -- **bytesFromCDN** The number of bytes received from a CDN source. -- **bytesFromGpoupPeers** No content is currently available. -- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. -- **bytesFromIntÐeers** No content is currently available. -- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. -- **bytesFromLinkLocalPeers** The number of bytes received from local peers. -- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. -- **bytesFromPeers** The number of bytes received from a peer in the same LAN. -- **bytesRequested** The total number of bytes requested for download. -- **cacheSarverConnectionCount** No content is currently available. -- **cacheSedverConnectionCount** No content is currently available. -- **cacheServerConndctionCount** No content is currently available. -- **cacheServerConnectionCoujt** No content is currently available. -- **cacheServerConnectionCount** Number of connections made to cache hosts. -- **cdnConnectionCount** The total number of connections made to the CDN. -- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. -- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. -- **cdnIp** The IP address of the source CDN. -- **cdnSonnectionCount** No content is currently available. -- **cdnUrl** Url of the source Content Distribution Network (CDN). -- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. -- **dkwnloadModeSrc** No content is currently available. -- **doErrorCode** The Delivery Optimization error code that was returned. -- **dowflinkBps** No content is currently available. -- **downlinkBps** The maximum measured available download bandwidth (in bytes per second). -- **downlinkUsageBps** The download speed (in bytes per second). -- **downloadMode** The download mode used for this file download session. -- **doWnloadMode** No content is currently available. -- **downloadModeReason** Reason for the download. -- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). -- **downloadMofeSrc** No content is currently available. -- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **expiresAt** The time when the content will expire from the Delivery Optimization Cache. -- **fileID** The ID of the file being downloaded. -- **fileSize** The size of the file being downloaded. -- **gCurMemoryStreamBytes** Current usage for memory streaming. -- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. -- **groupConjectionCount** No content is currently available. -- **groupConnectionCount** The total number of connections made to peers in the same group. -- **internetConnectionCnunt** No content is currently available. -- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group. -- **internetConnectionCountdownlinkBps** No content is currently available. -- **isEjcrypted** No content is currently available. -- **isEncryptdd** No content is currently available. -- **isEncrypted** TRUE if the file is encrypted and will be decrypted after download. -- **isVpn** Is the device connected to a Virtual Private Network? -- **jobID** Identifier for the Windows Update job. -- **lanConnectionCo}nt** No content is currently available. -- **lanConnectionCount** The total number of connections made to peers in the same LAN. -- **linkLocalConnectionCount** The number of connections made to peers in the same Link-local network. -- **numPeers** The total number of peers used for this download. -- **numPeersLocal** The total number of local peers used for this download. -- **predefi.edCallerName** No content is currently available. -- **predefinedCallerName** The name of the API Caller. -- **predefinedCalleRName** No content is currently available. -- **rcdnIp** No content is currently available. -- **restrictedUpload** Is the upload restricted? -- **romteToCacheServer** No content is currently available. -- **roupeToCacheServer** No content is currently available. -- **routeTnCacheServer** No content is currently available. -- **routeToCacheSedver** No content is currently available. -- **routeToCacheServer** The cache server setting, source, and value. -- **sessionID** The ID of the download session. -- **totalTimeMs** Duration of the download (in seconds). -- **updateID** The ID of the update being downloaded. -- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). -- **uplinkUsageBps** The upload speed (in bytes per second). -- **uplinkUsegeBps** No content is currently available. -- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. - - -### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused - -This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **AddinType** No content is currently available. -- **backgground** No content is currently available. -- **backgro}nd** No content is currently available. -- **backgrou|d** No content is currently available. -- **background** Is the download a background download? -- **BinFileTimestamp** No content is currently available. -- **BinFileVersion** No content is currently available. -- **c`nUrl** No content is currently available. -- **cdnUrl** The URL of the source CDN (Content Delivery Network). -- **errorBode** No content is currently available. -- **errorCode** The error code that was returned. -- **expebimentId** No content is currently available. -- **expebimentIderrorCode** No content is currently available. -- **experiientId** No content is currently available. -- **experimenpId** No content is currently available. -- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **fileID** The ID of the file being paused. -- **FileId** No content is currently available. -- **FileSize** No content is currently available. -- **isVp|** No content is currently available. -- **isVpn** Is the device connected to a Virtual Private Network? -- **jobID** Identifier for the Windows Update job. -- **ksVpn** No content is currently available. -- **LoadBehavior** No content is currently available. -- **LSID** No content is currently available. -- **OfficeArchitecture** No content is currently available. -- **OutlookCrashingAddin** No content is currently available. -- **predefinedCallerName** The name of the API Caller object. -- **ProductCompany** No content is currently available. -- **ProductName** No content is currently available. -- **ProductVersion** No content is currently available. -- **ProgramId** No content is currently available. -- **Provider** No content is currently available. -- **reasonCod%** No content is currently available. -- **reasonCode** The reason for pausing the download. -- **recsonCodesessiolID** No content is currently available. -- **routeToCacheSedver** No content is currently available. -- **routeToCacheServer** The cache server setting, source, and value. -- **sessionID** The ID of the download session. -- **updateID** The ID of the update being paused. -- **updateMD** No content is currently available. - - -### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted - -This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **b6nUrl** No content is currently available. -- **background** Indicates whether the download is happening in the background. -- **bacoground** No content is currently available. -- **bileSizeCaller** No content is currently available. -- **bytesRequested** Number of bytes requested for the download. -- **cdnUrl** The URL of the source Content Distribution Network (CDN). -- **costFlags** A set of flags representing network cost. -- **costFlaos** No content is currently available. -- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). -- **diceRoll** Random number used for determining if a client will use peering. -- **doClientVersion** The version of the Delivery Optimization client. -- **doErrorC/de** No content is currently available. -- **doErrorCode** The Delivery Optimization error code that was returned. -- **doErrorCoee** No content is currently available. -- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). -- **downloadModeReason** Reason for the download. -- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). -- **errorCode** The error code that was returned. -- **experimejtId** No content is currently available. -- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing. -- **faleID** No content is currently available. -- **fiheID** No content is currently available. -- **fileID** The ID of the file being downloaded. -- **filePat(** No content is currently available. -- **filePath** The path to where the downloaded file will be written. -- **fileSize** Total file size of the file that was downloaded. -- **fileSizeCaller** Value for total file size provided by our caller. -- **groqpID** No content is currently available. -- **groupID** ID for the group. -- **isEncrypted** Indicates whether the download is encrypted. -- **isFpn** No content is currently available. -- **isVpn** Indicates whether the device is connected to a Virtual Private Network. -- **jobID** The ID of the Windows Update job. -- **peerID** The ID for this delivery optimization client. -- **predefinedCallerName** Name of the API caller. -- **rimentId** No content is currently available. -- **routeToCacheSedver** No content is currently available. -- **routeToCacheServer** Cache server setting, source, and value. -- **sessionID** The ID for the file download session. -- **sessionIF** No content is currently available. -- **sessmonID** No content is currently available. -- **setConfigs** A JSON representation of the configurations that have been set, and their sources. -- **updateID** The ID of the update being downloaded. -- **updateYD** No content is currently available. -- **usedMemoryStream** Indicates whether the download used memory streaming. - - -### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication - -This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **cdnHeaders** The HTTP headers returned by the CDN. -- **cdnIp** The IP address of the CDN. -- **cdnUrl** The URL of the CDN. -- **eErrorCode** No content is currently available. -- **eErrorCunt** No content is currently available. -- **errorCode** The error code that was returned. -- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered. -- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **fileID** The ID of the file being downloaded. -- **htppStatusCode** No content is currently available. -- **httpStatusCode** The HTTP status code returned by the CDN. -- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET -- **peerTyp,** No content is currently available. -- **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.). -- **requestOffset** The byte offset within the file in the sent request. -- **requestSize** The size of the range requested from the CDN. -- **responseSize** The size of the range response received from the CDN. -- **sessionID** The ID of the download session. - - -### Microsoft.OSG.DU.DeliveryOptClient.JobError - -This event represents a Windows Update job error. It allows for investigation of top errors. - -The following fields are available: - -- **cdnIp** The IP Address of the source CDN (Content Delivery Network). -- **doErrorCode** Error code returned for delivery optimization. -- **errorCode** The error code returned. -- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **fileID** The ID of the file being downloaded. -- **jobID** The Windows Update job ID. -- **jobKD** No content is currently available. - - -## Windows Update events - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary - -This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **activated** Whether the entire device manifest update is considered activated and in use. -- **analysisErrorCount** The number of driver packages that could not be analyzed because errors occurred during analysis. -- **flightId** Unique ID for each flight. -- **missingDriverCount** The number of driver packages delivered by the device manifest that are missing from the system. -- **missingUpdateCount** The number of updates in the device manifest that are missing from the system. -- **objectId** Unique value for each diagnostics session. -- **publishedCount** The number of drivers packages delivered by the device manifest that are published and available to be used on devices. -- **relatedCV** Correlation vector value generated from the latest USO scan. -- **scenarioId** Indicates the update scenario. -- **sessionId** Unique value for each update session. -- **summary** A summary string that contains basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match. -- **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string. -- **truncatedDeviceCount** The number of devices missing from the summary string because there is not enough room in the string. -- **truncatedDriverCount** The number of driver packages missing from the summary string because there is not enough room in the string. -- **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices. -- **updateId** The unique ID for each update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit - -This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **errorCode** The error code returned for the current session initialization. -- **flightId** The unique identifier for each flight. -- **objectId** The unique GUID for each diagnostics session. -- **relatedCV** A correlation vector value generated from the latest USO scan. -- **result** Outcome of the initialization of the session. -- **scenarioId** Identifies the Update scenario. -- **sessionId** The unique value for each update session. -- **updateId** The unique identifier for each Update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest - -This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted. -- **errorCode** The error code returned for the current session initialization. -- **flightId** The unique identifier for each flight. -- **objectId** Unique value for each Update Agent mode. -- **packageCountOptional** Number of optional packages requested. -- **packageCountRequired** Number of required packages requested. -- **packageCountTotal** Total number of packages needed. -- **packageCountTotalCanonical** Total number of canonical packages. -- **packageCountTotalDiff** Total number of diff packages. -- **packageCountTotalExpress** Total number of express packages. -- **packageSizeCanonical** Size of canonical packages in bytes. -- **packageSizeDiff** Size of diff packages in bytes. -- **packageSizeExpress** Size of express packages in bytes. -- **rangeRequestState** Represents the state of the download range request. -- **relatedCV** Correlation vector value generated from the latest USO scan. -- **result** Result of the download request phase of update. -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. -- **sessionId** Unique value for each Update Agent mode attempt. -- **updateId** Unique ID for each update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize - -This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **errorCode** The error code returned for the current session initialization. -- **flightId** The unique identifier for each flight. -- **flightMetadata** Contains the FlightId and the build being flighted. -- **objectId** Unique value for each Update Agent mode. -- **relatedCV** Correlation vector value generated from the latest USO scan. -- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled. -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. -- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios). -- **sessionId** Unique value for each Update Agent mode attempt. -- **updateId** Unique ID for each update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall - -This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **errorCode** The error code returned for the current install phase. -- **flightId** The unique identifier for each flight (pre-release builds). -- **objectId** The unique identifier for each diagnostics session. -- **relatedCV** Correlation vector value generated from the latest scan. -- **result** Outcome of the install phase of the update. -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate -- **sessionId** The unique identifier for each update session. -- **updateId** The unique identifier for each Update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart - -This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **flightId** The unique identifier for each flight (pre-release builds). -- **mode** Indicates the active Update Agent mode. -- **objectId** Unique value for each diagnostics session. -- **relatedCV** Correlation vector value generated from the latest scan. -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. -- **sessionId** The unique identifier for each update session. -- **updateId** The unique identifier for each Update. - - -### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed - -This event indicates that a notification dialog box is about to be displayed to user. - -The following fields are available: - -- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. -- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before the RebootFailed dialog box is shown. -- **DaysSinceRebootRequired** Number of days since restart was required. -- **DeviceLocalTime** The local time on the device sending the event. -- **EngagedModeLimit** The number of days to switch between DTE dialog boxes. -- **EnterAutoModeLimit** The maximum number of days for a device to enter Auto Reboot mode. -- **ETag** OneSettings versioning value. -- **IsForcedEnabled** Indicates whether Forced Reboot mode is enabled for this device. -- **IsUltimateForcedEnabled** Indicates whether Ultimate Forced Reboot mode is enabled for this device. -- **NotificationUxState** Indicates which dialog box is shown. -- **NotificationUxStateString** Indicates which dialog box is shown. -- **RebootUxState** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). -- **RebootUxStateString** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). -- **RebootVersion** Version of DTE. -- **SkipToAutoModeLimit** The minimum length of time to pass in restart pending before a device can be put into auto mode. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UtcTime** The time the dialog box notification will be displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootAcceptAutoDialog - -This event indicates that the Enhanced Engaged restart "accept automatically" dialog box was displayed. - -The following fields are available: - -- **DeviceLocalTime** The local time on the device sending the event. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the dialog box. -- **RebootVersion** Version of DTE. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that user chose on this dialog box. -- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootFirstReminderDialog - -This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed.. - -The following fields are available: - -- **DeviceLocalTime** The local time on the device sending the event. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the dialog box. -- **RebootVersion** Version of DTE. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that user chose in this dialog box. -- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog - -This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed. - -The following fields are available: - -- **DeviceLocalTime** The local time of the device sending the event. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the dialog box. -- **RebootVersion** Version of DTE. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that the user chose in this dialog box. -- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog - -This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed. - -The following fields are available: - -- **DeviceLocalTime** Time the dialog box was shown on the local device. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the dialog box. -- **RebootVersion** Version of DTE. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that user chose in this dialog box. -- **UtcTime** The time that dialog box was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderDialog - -This event returns information relating to the Enhanced Engaged reboot reminder dialog that was displayed. - -The following fields are available: - -- **DeviceLocalTime** The time at which the reboot reminder dialog was shown (based on the local device time settings). -- **ETag** The OneSettings versioning value. -- **ExitCode** Indicates how users exited the reboot reminder dialog box. -- **RebootVersion** The version of the DTE (Direct-to-Engaged). -- **UpdateId** The ID of the update that is waiting for reboot to finish installation. -- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. -- **UserResponseString** The option chosen by the user on the reboot dialog box. -- **UtcTime** The time at which the reboot reminder dialog was shown (in UTC). - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderToast - -This event indicates that the Enhanced Engaged restart reminder pop-up banner was displayed. - -The following fields are available: - -- **DeviceLocalTime** The local time on the device sending the event. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the pop-up banner. -- **RebootVersion** The version of the reboot logic. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that the user chose in the pop-up banner. -- **UtcTime** The time that the pop-up banner was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.RebootScheduled - -Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update. - -The following fields are available: - -- **activeHoursApplicable** Indicates whether an Active Hours policy is present on the device. -- **IsEnhancedEngagedReboot** Indicates whether this is an Enhanced Engaged reboot. -- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. -- **rebootOutsideOfActiveHours** Indicates whether a restart is scheduled outside of active hours. -- **rebootScheduledByUser** Indicates whether the restart was scheduled by user (if not, it was scheduled automatically). -- **rebootState** The current state of the restart. -- **rebootUsingSmartScheduler** Indicates whether the reboot is scheduled by smart scheduler. -- **revisionNumber** Revision number of the update that is getting installed with this restart. -- **scheduledRebootTime** Time of the scheduled restart. -- **scheduledRebootTimeInUTC** Time of the scheduled restart in Coordinated Universal Time. -- **updateId** ID of the update that is getting installed with this restart. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy - -This event indicates a policy is present that may restrict update activity to outside of active hours. - -The following fields are available: - -- **activeHoursEnd** The end of the active hours window. -- **activeHoursStart** The start of the active hours window. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours - -This event indicates that update activity was blocked because it is within the active hours window. - -The following fields are available: - -- **activeHoursEnd** The end of the active hours window. -- **activeHoursStart** The start of the active hours window. -- **updatePhase** The current state of the update process. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.BlockedByBatteryLevel - -This event indicates that Windows Update activity was blocked due to low battery level. - -The following fields are available: - -- **batteryLevel** The current battery charge capacity. -- **batteryLevelThreshold** The battery capacity threshold to stop update activity. -- **updatePhase** The current state of the update process. -- **wuDeviceid** Device ID. - - -### Microsoft.Windows.Update.Orchestrator.DeferRestart - -This event indicates that a restart required for installing updates was postponed. - -The following fields are available: - -- **displayNeededReason** List of reasons for needing display. -- **eventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). -- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery). -- **gameModeReason** Name of the executable that caused the game mode state check to start. -- **ignoredReason** List of reasons that were intentionally ignored. -- **IgnoreReasonsForRestart** List of reasons why restart was deferred. -- **revisionNumber** Update ID revision number. -- **systemNeededReason** List of reasons why system is needed. -- **updateId** Update ID. -- **updateScenarioType** Update session type. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.Detection - -This event indicates that a scan for a Windows Update occurred. - -The following fields are available: - -- **deferReason** The reason why the device could not check for updates. -- **detectionBlockingPolicy** The Policy that blocked detection. -- **detectionBlockreason** The reason detection did not complete. -- **detectionRetryMode** Indicates whether we will try to scan again. -- **errorCode** The error code returned for the current process. -- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. -- **flightID** The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable. -- **interactive** Indicates whether the user initiated the session. -- **networkStatus** Indicates if the device is connected to the internet. -- **revisionNumber** The Update revision number. -- **scanTriggerSource** The source of the triggered scan. -- **updateId** The unique identifier of the Update. -- **updateScenarioType** Identifies the type of update session being performed. -- **wuDeviceid** The unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.DisplayNeeded - -This event indicates the reboot was postponed due to needing a display. - -The following fields are available: - -- **displayNeededReason** Reason the display is needed. -- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. -- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. -- **revisionNumber** Revision number of the update. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. -- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue - - -### Microsoft.Windows.Update.Orchestrator.Download - -This event sends launch data for a Windows Update download to help keep Windows up to date. - -The following fields are available: - -- **deferReason** Reason for download not completing. -- **e:4|SScenario** No content is currently available. -- **errorCode** An error code represented as a hexadecimal value. -- **eventScenario** End-to-end update session ID. -- **flightID** The specific ID of the Windows Insider build the device is getting. -- **interactive** Indicates whether the session is user initiated. -- **interactiveelatedCVerrorCode** No content is currently available. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **updateScenariotate** No content is currently available. -- **updateScenarioType** The update session type. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.DTUCompletedWhenWuFlightPendingCommit - -This event indicates that DTU completed installation of the electronic software delivery (ESD), when Windows Update was already in Pending Commit phase of the feature update. - -The following fields are available: - -- **wuDeviceid** Device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.DTUEnabled - -This event indicates that Inbox DTU functionality was enabled. - -The following fields are available: - -- **wuDeviceid** Device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.DTUInitiated - -This event indicates that Inbox DTU functionality was intiated. - -The following fields are available: - -- **dtuErrorCode** Return code from creating the DTU Com Server. -- **isDtuApplicable** Determination of whether DTU is applicable to the machine it is running on. -- **wuDeviceid** Device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.EscalationRiskLevels - -This event is sent during update scan, download, or install, and indicates that the device is at risk of being out-of-date. - -The following fields are available: - -- **configVersion** The escalation configuration version on the device. -- **downloadElapsedTime** Indicates how long since the download is required on device. -- **downloadRiskLevel** At-risk level of download phase. -- **installElapsedTime** Indicates how long since the install is required on device. -- **installRiskLevel** The at-risk level of install phase. -- **isSediment** Assessment of whether is device is at risk. -- **scanElapsedTime** Indicates how long since the scan is required on device. -- **scanRiskLevel** At-risk level of the scan phase. -- **wuDeviceid** Device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.FailedToAddTimeTriggerToScanTask - -This event indicated that USO failed to add a trigger time to a task. - -The following fields are available: - -- **errorCode** The Windows Update error code. -- **wuDeviceid** The Windows Update device ID. - - -### Microsoft.Windows.Update.Orchestrator.FlightInapplicable - -This event indicates that the update is no longer applicable to this device. - -The following fields are available: - -- **EventPublishedTime** Time when this event was generated. -- **flightID** The specific ID of the Windows Insider build. -- **inapplicableReason** The reason why the update is inapplicable. -- **revisionNumber** Update revision number. -- **updateId** Unique Windows Update ID. -- **updateScenarioType** Update session type. -- **UpdateStatus** Last status of update. -- **UUPFallBackConfigured** Indicates whether UUP fallback is configured. -- **wuDeviceid** Unique Device ID. - - -### Microsoft.Windows.Update.Orchestrator.InitiatingReboot - -This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date. - -The following fields are available: - -- **EventPublishedTime** Time of the event. -- **flightID** Unique update ID -- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. -- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. -- **revisionNumber** Revision number of the update. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.Install - -This event sends launch data for a Windows Update install to help keep Windows up to date. - -The following fields are available: - -- **batteryLevel** Current battery capacity in mWh or percentage left. -- **defeec-9-0S** No content is currently available. -- **deferReason** Reason for install not completing. -- **errorCode** The error code reppresented by a hexadecimal value. -- **eventScenario** End-to-end update session ID. -- **flightID** The ID of the Windows Insider build the device is getting. -- **flightUpdate** Indicates whether the update is a Windows Insider build. -- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates. -- **Ignorec-9-0SsFoec-start** No content is currently available. -- **IgnoreReasonsForRestart** The reason(s) a Postpone Restart command was ignored. -- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress. -- **installRebootinitiatetime** The time it took for a reboot to be attempted. -- **interactive** Identifies if session is user initiated. -- **minutesToCommit** The time it took to install updates. -- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **updateMd** No content is currently available. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.LowUptimes - -This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure. - -The following fields are available: - -- **availableHistoryMinutes** The number of minutes available from the local machine activity history. -- **isLowUptimeMachine** Is the machine considered low uptime or not. -- **lowUptimeMinHours** Current setting for the minimum number of hours needed to not be considered low uptime. -- **lowUptimeQueryDays** Current setting for the number of recent days to check for uptime. -- **uptimeMinutes** Number of minutes of uptime measured. -- **wuDeviceid** Unique device ID for Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection - -This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date. - -The following fields are available: - -- **externalOneshotupdate** The last time a task-triggered scan was completed. -- **interactiveOneshotupdate** The last time an interactive scan was completed. -- **oldlastscanOneshotupdate** The last time a scan completed successfully. -- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID). - - -### Microsoft.Windows.Update.Orchestrator.PreShutdownStart - -This event is generated before the shutdown and commit operations. - -The following fields are available: - -- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - - -### Microsoft.Windows.Update.Orchestrator.RebootFailed - -This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date. - -The following fields are available: - -- **batteryLevel** Current battery capacity in mWh or percentage left. -- **deferReason** Reason for install not completing. -- **EventPublishedTime** The time that the reboot failure occurred. -- **flightID** Unique update ID. -- **rebootOutsideOfActiveHours** Indicates whether a reboot was scheduled outside of active hours. -- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.RefreshSettings - -This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date. - -The following fields are available: - -- **errorCode** Hex code for the error message, to allow lookup of the specific error. -- **settingsDownloadTime** Timestamp of the last attempt to acquire settings. -- **settingsETag** Version identifier for the settings. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask - -This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date. - -The following fields are available: - -- **RebootTaskMissedTimeUTC** The time when the reboot task was scheduled to run, but did not. -- **RebootTaskNextTimeUTC** The time when the reboot task was rescheduled for. -- **RebootTaskRestoredTime** Time at which this reboot task was restored. -- **wuDeviceid** Device ID for the device on which the reboot is restored. - - -### Microsoft.Windows.Update.Orchestrator.ScanTriggered - -This event indicates that Update Orchestrator has started a scan operation. - -The following fields are available: - -- **errorCode** The error code returned for the current scan operation. -- **eventScenario** Indicates the purpose of sending this event. -- **interactive** Indicates whether the scan is interactive. -- **isDTUEnabled** Indicates whether DTU (internal abbreviation for Direct Feature Update) channel is enabled on the client system. -- **isScanPastSla** Indicates whether the SLA has elapsed for scanning. -- **isScanPastTriggerSla** Indicates whether the SLA has elapsed for triggering a scan. -- **minutesOverScanSla** Indicates how many minutes the scan exceeded the scan SLA. -- **minutesOverScanTriggerSla** Indicates how many minutes the scan exceeded the scan trigger SLA. -- **scanTriggerSource** Indicates what caused the scan. -- **updateScenarioType** The update session type. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.StickUpdate - -This event is sent when the update service orchestrator (USO) indicates the update cannot be superseded by a newer update. - -The following fields are available: - -- **updateAd** No content is currently available. -- **updateId** Identifier associated with the specific piece of content. -- **wuDeviceid** Unique device ID controlled by the software distribution client. - - -### Microsoft.Windows.Update.Orchestrator.SystemNeeded - -This event sends data about why a device is unable to reboot, to help keep Windows up to date. - -The following fields are available: - -- **eventScenario** End-to-end update session ID. -- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. -- **revisionNumber** Update revision number. -- **systemNeededReason** List of apps or tasks that are preventing the system from restarting. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.TerminatedByActiveHours - -This event indicates that update activity was stopped due to active hours starting. - -The following fields are available: - -- **activeHoursEnd** The end of the active hours window. -- **activeHoursStart** The start of the active hours window. -- **updatePhase** The current state of the update process. -- **wuDeviceid** The device identifier. - - -### Microsoft.Windows.Update.Orchestrator.TerminatedByBatteryLevel - -This event is sent when update activity was stopped due to a low battery level. - -The following fields are available: - -- **batteryLevel** The current battery charge capacity. -- **batteryLevelThreshold** The battery capacity threshold to stop update activity. -- **updatePhase** The current state of the update process. -- **wuDeviceid** The device identifier. - - -### Microsoft.Windows.Update.Orchestrator.UnstickUpdate - -This event is sent when the update service orchestrator (USO) indicates that the update can be superseded by a newer update. - -The following fields are available: - -- **updateId** Identifier associated with the specific piece of content. -- **wuDeviceid** Unique device ID controlled by the software distribution client. - - -### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh - -This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date. - -The following fields are available: - -- **configuredPoliciescount** Number of policies on the device. -- **policiesNamevaluesource** Policy name and source of policy (group policy, MDM or flight). -- **policyCacherefreshtime** Time when policy cache was refreshed. -- **updateInstalluxsetting** Indicates whether a user has set policies via a user experience option. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired - -This event sends data about whether an update required a reboot to help keep Windows up to date. - -The following fields are available: - -- **flightID** The specific ID of the Windows Insider build the device is getting. -- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed - -This event sends information about an update that encountered problems and was not able to complete. - -The following fields are available: - -- **errorCode** The error code encountered. -- **wuDeviceid** The ID of the device in which the error occurred. - - -### Microsoft.Windows.Update.Orchestrator.UsoSession - -This event represents the state of the USO service at start and completion. - -The following fields are available: - -- **activeSessionid** A unique session GUID. -- **eventScenario** The state of the update action. -- **interactive** Is the USO session interactive? -- **lastErrorcode** The last error that was encountered. -- **lastErrorstate** The state of the update when the last error was encountered. -- **sessionType** A GUID that refers to the update session type. -- **updateScenarioType** A descriptive update session type. -- **wuDeviceid** The Windows Update device GUID. - - -### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState - -This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. - -The following fields are available: - -- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. -- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown. -- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed. -- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs. -- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode. -- **ETag** The Entity Tag that represents the OneSettings version. -- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device. -- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device. -- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending. -- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced. -- **RebootVersion** The version of the DTE (Direct-to-Engaged). -- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode. -- **UpdateId** The ID of the update that is waiting for reboot to finish installation. -- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. - - -### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded - -This event is sent when a security update has successfully completed. - -The following fields are available: - -- **UtcTime** The Coordinated Universal Time that the restart was no longer needed. - - -### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled - -This event sends basic information about scheduling an update-related reboot, to get security updates and to help keep Windows up-to-date. - -The following fields are available: - -- **activeHoursApplicable** Indicates whether Active Hours applies on this device. -- **IsEnhancedEngagedReboot** Indicates whether Enhanced reboot was enabled. -- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. -- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise. -- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically. -- **rebootState** Current state of the reboot. -- **rebootUsingSmartScheduler** Indicates that the reboot is scheduled by SmartScheduler. -- **revisionNumber** Revision number of the OS. -- **scheduledRebootTime** Time scheduled for the reboot. -- **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC. -- **updateId** Identifies which update is being scheduled. -- **wuDeviceid** The unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerScheduledTask - -This event is sent when MUSE broker schedules a task. - -The following fields are available: - -- **TaskArgument** The arguments with which the task is scheduled. -- **TaskName** Name of the task. - - -### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled - -This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date. - -The following fields are available: - -- **activeHoursApplicable** Is the restart respecting Active Hours? -- **IsEnhancedEngagedReboot** TRUE if the reboot path is Enhanced Engaged. Otherwise, FALSE. -- **rebootArgument** The arguments that are passed to the OS for the restarted. -- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours? -- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device. -- **rebootState** The state of the restart. -- **rebootUsingSmartScheduler** TRUE if the reboot should be performed by the Smart Scheduler. Otherwise, FALSE. -- **revisionNumber** The revision number of the OS being updated. -- **scheduledRebootTime** Time of the scheduled reboot -- **scheduledRebootTimeInUTC** Time of the scheduled restart, in Coordinated Universal Time. -- **updateId** The Windows Update device GUID. -- **wuDeviceid** The Windows Update device GUID. - - -## Windows Update mitigation events - -### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages - -This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates. - -The following fields are available: - -- **ClientId** The client ID used by Windows Update. -- **FlightId** The ID of each Windows Insider build the device received. -- **InstanceId** A unique device ID that identifies each update instance. -- **MitigationScenario** The update scenario in which the mitigation was executed. -- **MountedImageCount** The number of mounted images. -- **MountedImageMatches** The number of mounted image matches. -- **MountedImagesFailed** The number of mounted images that could not be removed. -- **MountedImagesRemoved** The number of mounted images that were successfully removed. -- **MountedImagesSkipped** The number of mounted images that were not found. -- **RelatedCV** The correlation vector value generated from the latest USO scan. -- **Result** HResult of this operation. -- **ScenarioId** ID indicating the mitigation scenario. -- **ScenarioSupported** Indicates whether the scenario was supported. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each Windows Update. -- **WuId** Unique ID for the Windows Update client. - - -### Mitigation360Telemetry.MitigationCustom.FixAppXReparsePoints - -This event sends data specific to the FixAppXReparsePoints mitigation used for OS updates. - -The following fields are available: - -- **ClientId** Unique identifier for each flight. -- **FlightId** Unique GUID that identifies each instances of setuphost.exe. -- **InstanceId** The update scenario in which the mitigation was executed. -- **MitigationScenario** Correlation vector value generated from the latest USO scan. -- **RelatedCV** Number of reparse points that are corrupted but we failed to fix them. -- **ReparsePointsFailed** Number of reparse points that were corrupted and were fixed by this mitigation. -- **ReparsePointsFixed** Number of reparse points that are not corrupted and no action is required. -- **ReparsePointsSkipped** HResult of this operation. -- **Result** ID indicating the mitigation scenario. -- **ScenarioId** Indicates whether the scenario was supported. -- **ScenarioSupported** Unique value for each update attempt. -- **SessionId** Unique ID for each Update. -- **UpdateId** Unique ID for the Windows Update client. -- **WuId** Unique ID for the Windows Update client. - - -### Mitigation360Telemetry.MitigationCustom.FixupEditionId - -This event sends data specific to the FixupEditionId mitigation used for OS updates. - -The following fields are available: - -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **EditionIdUpdated** Determine whether EditionId was changed. -- **FlightId** Unique identifier for each flight. -- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. -- **MitigationScenario** The update scenario in which the mitigation was executed. -- **ProductEditionId** Expected EditionId value based on GetProductInfo. -- **ProductType** Value returned by GetProductInfo. -- **RegistryEditionId** EditionId value in the registry. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** HResult of this operation. -- **ScenarioId** ID indicating the mitigation scenario. -- **ScenarioSupported** Indicates whether the scenario was supported. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. -- **WuId** Unique ID for the Windows Update client. - - -## Windows Update Reserve Manager events - -### Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment - -This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending. - -The following fields are available: - -- **FinalAdjustment** Final adjustment for the hard reserve following the addition or removal of optional content. -- **InitialAdjustment** Initial intended adjustment for the hard reserve following the addition/removal of optional content. - - -### Microsoft.Windows.UpdateReserveManager.FunctionReturnedError - -This event is sent when the Update Reserve Manager returns an error from one of its internal functions. - -The following fields are available: - -- **FailedExpression** The failed expression that was returned. -- **FailedFile** The binary file that contained the failed function. -- **FailedFunction** The name of the function that originated the failure. -- **FailedLine** The line number of the failure. -- **ReturnCode** The return code of the function. - - -### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager - -This event returns data about the Update Reserve Manager, including whether it’s been initialized. - -The following fields are available: - -- **ClientId** The ID of the caller application. -- **Flags** The enumerated flags used to initialize the manager. -- **FlightId** The flight ID of the content the calling client is currently operating with. -- **Offline** Indicates whether or the reserve manager is called during offline operations. -- **PolicyPassed** Indicates whether the machine is able to use reserves. -- **ReturnCode** Return code of the operation. -- **Version** The version of the Update Reserve Manager. - - -### Microsoft.Windows.UpdateReserveManager.PrepareTIForReserveInitialization - -This event is sent when the Update Reserve Manager prepares the Trusted Installer to initialize reserves on the next boot. - -The following fields are available: - -- **Flags** The flags that are passed to the function to prepare the Trusted Installer for reserve initialization. - - -### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment - -This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment. - - - -### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment - -This event is sent when the Update Reserve Manager needs to adjust the size of the hard reserve after the option content is installed. - -The following fields are available: - -- **ChangeSize** The change in the hard reserve size based on the addition or removal of optional content. -- **Disposition** The parameter for the hard reserve adjustment function. -- **Flags** The flags passed to the hard reserve adjustment function. -- **PendingHardReserveAdjustment** The final change to the hard reserve size. -- **UpdateType** Indicates whether the change is an increase or decrease in the size of the hard reserve. - - -## Winlogon events - -### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon - -This event signals the completion of the setup process. It happens only once during the first logon. - - - -## XBOX events - -### Microsoft.Xbox.XamTelemetry.AppActivationError - -This event indicates whether the system detected an activation error in the app. - -The following fields are available: - -- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app. -- **AppId** The Xbox LIVE Title ID. -- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate. -- **Result** The HResult error. -- **UserId** The Xbox LIVE User ID (XUID). - - -### Microsoft.Xbox.XamTelemetry.AppActivity - -This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. - -The following fields are available: - -- **AppActionId** The ID of the application action. -- **AppCurrentVisibilityState** The ID of the current application visibility state. -- **AppId** The Xbox LIVE Title ID of the app. -- **AppPackageFullName** The full name of the application package. -- **AppPreviousVisibilityState** The ID of the previous application visibility state. -- **AppSessionId** The application session ID. -- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). -- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. -- **DurationMs** The amount of time (in milliseconds) since the last application state transition. -- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. -- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). -- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. -- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. -- **UserId** The XUID (Xbox User ID) of the current user. - - - +--- +description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. +title: Windows 10, version 1809 basic diagnostic events and fields (Windows 10) +keywords: privacy, telemetry +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +ms.author: brianlic +manager: dansimp +ms.collection: M365-security-compliance +ms.topic: article +audience: ITPro +ms.date: 03/19/2019 +--- + + +# Windows 10, version 1809 basic level Windows diagnostic events and fields + + **Applies to** + +- Windows 10, version 1809 + + +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. + +The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. + +Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. + +You can learn more about Windows functional and diagnostic data through these articles: + + +- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) +- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) +- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) +- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) +- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) + + + + +## Account trace logging provider events + +### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.General + +This event provides information about application properties to indicate the successful execution. + +The following fields are available: + +- **AppMode** Indicates the mode the app is being currently run around privileges. +- **ExitCode** Indicates the exit code of the app. +- **Help** Indicates if the app needs to be launched in the help mode. +- **ParseError** Indicates if there was a parse error during the execution. +- **RightsAcquired** Indicates if the right privileges were acquired for successful execution. +- **RightsWereEnabled** Indicates if the right privileges were enabled for successful execution. +- **TestMode** Indicates whether the app is being run in test mode. + + +### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.GetCount + +This event provides information about the properties of user accounts in the Administrator group. + +The following fields are available: + +- **Internal** Indicates the internal property associated with the count group. +- **LastError** The error code (if applicable) for the cause of the failure to get the count of the user account. +- **Result** The HResult error. + + +## AppLocker events + +### Microsoft.Windows.Security.AppLockerCSP.ActivityStoppedAutomatically + +Automatically closed activity for start/stop operations that aren't explicitly closed. + + + +### Microsoft.Windows.Security.AppLockerCSP.AddParams + +Parameters passed to Add function of the AppLockerCSP Node. + +The following fields are available: + +- **child** The child URI of the node to add. +- **uri** URI of the node relative to %SYSTEM32%/AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.AddStart + +Start of "Add" Operation for the AppLockerCSP Node. + + + +### Microsoft.Windows.Security.AppLockerCSP.AddStop + +End of "Add" Operation for AppLockerCSP Node. + +The following fields are available: + +- **hr** The HRESULT returned by Add function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.CAppLockerCSP::Rollback + +Result of the 'Rollback' operation in AppLockerCSP. + +The following fields are available: + +- **oldId** Previous id for the CSP transaction. +- **txId** Current id for the CSP transaction. + + +### Microsoft.Windows.Security.AppLockerCSP.ClearParams + +Parameters passed to the "Clear" operation for AppLockerCSP. + +The following fields are available: + +- **uri** The URI relative to the %SYSTEM32%\AppLocker folder. + + +### Microsoft.Windows.Security.AppLockerCSP.ClearStart + +Start of the "Clear" operation for the AppLockerCSP Node. + + + +### Microsoft.Windows.Security.AppLockerCSP.ClearStop + +End of the "Clear" operation for the AppLockerCSP node. + +The following fields are available: + +- **hr** HRESULT reported at the end of the 'Clear' function. + + +### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStart + +Start of the "ConfigManagerNotification" operation for AppLockerCSP. + +The following fields are available: + +- **NotifyState** State sent by ConfigManager to AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStop + +End of the "ConfigManagerNotification" operation for AppLockerCSP. + +The following fields are available: + +- **hr** HRESULT returned by the ConfigManagerNotification function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceParams + +Parameters passed to the CreateNodeInstance function of the AppLockerCSP node. + +The following fields are available: + +- **NodeId** NodeId passed to CreateNodeInstance. +- **nodeOps** NodeOperations parameter passed to CreateNodeInstance. +- **uri** URI passed to CreateNodeInstance, relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStart + +Start of the "CreateNodeInstance" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStop + +End of the "CreateNodeInstance" operation for the AppLockerCSP node + +The following fields are available: + +- **hr** HRESULT returned by the CreateNodeInstance function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.DeleteChildParams + +Parameters passed to the DeleteChild function of the AppLockerCSP node. + +The following fields are available: + +- **child** The child URI of the node to delete. +- **uri** URI relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStart + +Start of the "DeleteChild" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStop + +End of the "DeleteChild" operation for the AppLockerCSP node. + +The following fields are available: + +- **hr** HRESULT returned by the DeleteChild function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.EnumPolicies + +Logged URI relative to %SYSTEM32%\AppLocker, if the Plugin GUID is null, or the CSP doesn't believe the old policy is present. + +The following fields are available: + +- **uri** URI relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesParams + +Parameters passed to the GetChildNodeNames function of the AppLockerCSP node. + +The following fields are available: + +- **uri** URI relative to %SYSTEM32%/AppLocker for MDM node. + + +### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStart + +Start of the "GetChildNodeNames" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStop + +End of the "GetChildNodeNames" operation for the AppLockerCSP node. + +The following fields are available: + +- **child[0]** If function succeeded, the first child's name, else "NA". +- **count** If function succeeded, the number of child node names returned by the function, else 0. +- **hr** HRESULT returned by the GetChildNodeNames function of AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.GetLatestId + +The result of 'GetLatestId' in AppLockerCSP (the latest time stamped GUID). + +The following fields are available: + +- **dirId** The latest directory identifier found by GetLatestId. +- **id** The id returned by GetLatestId if id > 0 - otherwise the dirId parameter. + + +### Microsoft.Windows.Security.AppLockerCSP.HResultException + +HRESULT thrown by any arbitrary function in AppLockerCSP. + +The following fields are available: + +- **file** File in the OS code base in which the exception occurs. +- **function** Function in the OS code base in which the exception occurs. +- **hr** HRESULT that is reported. +- **line** Line in the file in the OS code base in which the exception occurs. + + +### Microsoft.Windows.Security.AppLockerCSP.SetValueParams + +Parameters passed to the SetValue function of the AppLockerCSP node. + +The following fields are available: + +- **dataLength** Length of the value to set. +- **uri** The node URI to that should contain the value, relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.SetValueStart + +Start of the "SetValue" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.SetValueStop + +End of the "SetValue" operation for the AppLockerCSP node. + +The following fields are available: + +- **hr** HRESULT returned by the SetValue function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.TryRemediateMissingPolicies + +EntryPoint of fix step or policy remediation, includes URI relative to %SYSTEM32%\AppLocker that needs to be fixed. + +The following fields are available: + +- **uri** URI for node relative to %SYSTEM32%/AppLocker. + + +## Appraiser events + +### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount + +This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client. + +The following fields are available: + +- **DatasourceApplicationFile_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_19H1** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **DatasourceApplicationFile_RS2** An ID for the system, calculated by hashing hardware identifiers. +- **DatasourceApplicationFile_RS3** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS3Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS4** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_TH1** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_TH2** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. +- **DatasourceDevicePnp_RS2** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS3** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS4** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS5** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_TH1** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_TH2** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19H1** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device. +- **DatasourceDriverPackage_RS2** The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device. +- **DatasourceDriverPackage_RS3** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS5** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_TH1** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoBlock_RS2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS3** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS3Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS3** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS3Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. +- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. +- **DataSourceMatchingInfoPostUpgrade_RS3Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19H1** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device. +- **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device. +- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting Windows 10 version 1709 present on this device. +- **DatasourceSystemBios_RS3Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS4** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS5** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_TH1** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_TH2** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19H1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS3** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_TH1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_TH2** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19H1** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. +- **DecisionDevicePnp_RS2** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS3** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS5** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_TH1** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_TH2** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19H1** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device. +- **DecisionDriverPackage_RS2** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS3** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS5** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_TH1** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. +- **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. +- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1709 present on this device. +- **DecisionMatchingInfoBlock_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS4** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1803 present on this device. +- **DecisionMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. +- **DecisionMatchingInfoPassive_RS2** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 on this device. +- **DecisionMatchingInfoPassive_RS3** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1803 on this device. +- **DecisionMatchingInfoPassive_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. +- **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. +- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. +- **DecisionMatchingInfoPostUpgrade_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19H1** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19H1Setup** The total DecisionMediaCenter objects targeting the next release of Windows on this device. +- **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. +- **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device. +- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting Windows 10 version 1709 present on this device. +- **DecisionMediaCenter_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS4** The total DecisionMediaCenter objects targeting Windows 10 version 1803 present on this device. +- **DecisionMediaCenter_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_TH1** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_TH2** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_19ASetup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_19H1** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device. +- **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 on this device. +- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting Windows 10 version 1709 on this device. +- **DecisionSystemBios_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device. +- **DecisionSystemBios_RS4Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS5** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS5Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_TH1** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device. +- **DecisionSystemProcessor_RS2** The count of the number of this particular object type present on this device. +- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **InventoryApplicationFile** The count of the number of this particular object type present on this device. +- **InventoryDeviceContainer** A count of device container objects in cache. +- **InventoryDevicePnp** A count of device Plug and Play objects in cache. +- **InventoryDriverBinary** A count of driver binary objects in cache. +- **InventoryDriverPackage** A count of device objects in cache. +- **InventoryLanguagePack** The count of the number of this particular object type present on this device. +- **InventoryMediaCenter** The count of the number of this particular object type present on this device. +- **InventorySystemBios** The count of the number of this particular object type present on this device. +- **InventorySystemMachine** The count of the number of this particular object type present on this device. +- **InventorySystemProcessor** The count of the number of this particular object type present on this device. +- **InventoryTest** The count of the number of this particular object type present on this device. +- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. +- **PCFP** The count of the number of this particular object type present on this device. +- **SystemMemory** The count of the number of this particular object type present on this device. +- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. +- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. +- **SystemProcessorNx** The total number of objects of this type present on this device. +- **SystemProcessorPrefetchW** The total number of objects of this type present on this device. +- **SystemProcessorSse2** The total number of objects of this type present on this device. +- **SystemTouch** The count of the number of this particular object type present on this device. +- **SystemWim** The total number of objects of this type present on this device. +- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. +- **SystemWlan** The total number of objects of this type present on this device. +- **Wmdrm_19ASetup** The count of the number of this particular object type present on this device. +- **Wmdrm_19H1** The count of the number of this particular object type present on this device. +- **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. +- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **Wmdrm_RS2** An ID for the system, calculated by hashing hardware identifiers. +- **Wmdrm_RS3** An ID for the system, calculated by hashing hardware identifiers. +- **Wmdrm_RS3Setup** The count of the number of this particular object type present on this device. +- **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. +- **Wmdrm_RS4Setup** The count of the number of this particular object type present on this device. +- **Wmdrm_RS5** The count of the number of this particular object type present on this device. +- **Wmdrm_RS5Setup** The count of the number of this particular object type present on this device. +- **Wmdrm_TH1** The count of the number of this particular object type present on this device. +- **Wmdrm_TH2** The count of the number of this particular object type present on this device. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd + +Represents the basic metadata about specific application files installed on the system. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file that is generating the events. +- **AvDisplayName** If the app is an anti-virus app, this is its display name. +- **CompatModelIndex** The compatibility prediction for this file. +- **HasCitData** Indicates whether the file is present in CIT data. +- **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file. +- **IsAv** Is the file an anti-virus reporting EXE? +- **ResolveAttempted** This will always be an empty string when sending telemetry. +- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove + +This event indicates that the DatasourceApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync + +This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd + +This event sends compatibility data for a Plug and Play device, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **ActiveNetworkConnection** Indicates whether the device is an active network device. +- **AppraiserVersion** The version of the appraiser file generating the events. +- **CosDeviceRating** An enumeration that indicates if there is a driver on the target operating system. +- **CosDeviceSolution** An enumeration that indicates how a driver on the target operating system is available. +- **CosDeviceSolutionUrl** Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd . Empty string +- **CosPopulatedFromId** The expected uplevel driver matching ID based on driver coverage data. +- **IsBootCritical** Indicates whether the device boot is critical. +- **UplevelInboxDriver** Indicates whether there is a driver uplevel for this device. +- **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update. +- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver. +- **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove + +This event indicates that the DatasourceDevicePnp object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync + +This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd + +This event sends compatibility database data about driver packages to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync + +This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd + +This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove + +This event indicates that the DataSourceMatchingInfoBlock object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync + +This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd + +This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove + +This event indicates that the DataSourceMatchingInfoPassive object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync + +This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd + +This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove + +This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync + +This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd + +This event sends compatibility database information about the BIOS to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove + +This event indicates that the DatasourceSystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync + +This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd + +This event sends compatibility decision data about a file to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file that is generating the events. +- **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. +- **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question. +- **DisplayGenericMessage** Will be a generic message be shown for this file? +- **DisplayGenericMessageGated** Indicates whether a generic message be shown for this file. +- **HardBlock** This file is blocked in the SDB. +- **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? +- **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode? +- **MigRemoval** Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade? +- **NeedsDismissAction** Will the file cause an action that can be dimissed? +- **NeedsInstallPostUpgradeData** After upgrade, the file will have a post-upgrade notification to install a replacement for the app. +- **NeedsNotifyPostUpgradeData** Does the file have a notification that should be shown after upgrade? +- **NeedsReinstallPostUpgradeData** After upgrade, this file will have a post-upgrade notification to reinstall the app. +- **NeedsUninstallAction** The file must be uninstalled to complete the upgrade. +- **SdbBlockUpgrade** The file is tagged as blocking upgrade in the SDB, +- **SdbBlockUpgradeCanReinstall** The file is tagged as blocking upgrade in the SDB. It can be reinstalled after upgrade. +- **SdbBlockUpgradeUntilUpdate** The file is tagged as blocking upgrade in the SDB. If the app is updated, the upgrade can proceed. +- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not block upgrade. +- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade. +- **SoftBlock** The file is softblocked in the SDB and has a warning. + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove + +This event indicates Indicates that the DecisionApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync + +This event indicates that a new set of DecisionApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd + +This event sends compatibility decision data about a PNP device to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked? +- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate? +- **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked? +- **BlockingDevice** Is this PNP device blocking upgrade? +- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS? +- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device? +- **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device? +- **DisplayGenericMessageGated** Indicates whether a generic message will be shown during Setup for this PNP device. +- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device? +- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? +- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device? +- **DriverBlockOverridden** Is there is a driver block on the device that has been overridden? +- **DriverJlockOverridden** No content is currently available. +- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device? +- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS? +- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade? +- **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden? + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove + +This event indicates that the DecisionDevicePnp object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync + +The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd + +This event sends decision data about driver package compatibility to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for this driver package. +- **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? +- **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block? +- **DriverIsDriverBlocked** Is the driver package blocked because of a driver block? +- **DriverIsTroubleshooterBlocked** Indicates whether the driver package is blocked because of a troubleshooter block. +- **DriverShouldNotMigrate** Should the driver package be migrated during upgrade? +- **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove + +This event indicates that the DecisionDriverPackage object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync + +This event indicates that a new set of DecisionDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd + +This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks? +- **DisplayGenericMessage** Will a generic message be shown for this block? +- **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block? +- **SdbBlockUpgrade** Is a matching info block blocking upgrade? +- **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag? +- **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag? + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove + +This event indicates that the DecisionMatchingInfoBlock object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync + +This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd + +This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks? +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown due to matching info blocks. +- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove + +This event Indicates that the DecisionMatchingInfoPassive object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync + +This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd + +This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app? +- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade? +- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app? +- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade). + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove + +This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync + +This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd + +This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **BlockingApplication** Is there any application issues that interfere with upgrade due to Windows Media Center? +- **MediaCenterActivelyUsed** If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true? +- **MediaCenterIndicators** Do any indicators imply that Windows Media Center is in active use? +- **MediaCenterInUse** Is Windows Media Center actively being used? +- **MediaCenterPaidOrActivelyUsed** Is Windows Media Center actively being used or is it running on a supported edition? +- **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center? + + +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove + +This event indicates that the DecisionMediaCenter object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync + +This event indicates that a new set of DecisionMediaCenterAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd + +This event sends compatibility decision data about the BIOS to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the device blocked from upgrade due to a BIOS block? +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for the bios. +- **HasBiosBlock** Does the device have a BIOS block? + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove + +This event indicates that the DecisionSystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync + +This event indicates that a new set of DecisionSystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.GatedRegChange + +This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date. + +The following fields are available: + +- **NewData** The data in the registry value after the scan completed. +- **OldData** The previous data in the registry value before the scan ran. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **RegKey** The registry key name for which a result is being sent. +- **RegValue** The registry value for which a result is being sent. +- **Time** The client time of the event. + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd + +This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **AvDisplayName** If the app is an antivirus app, this is its display name. +- **AvProductState** Indicates whether the antivirus program is turned on and the signatures are up to date. +- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64. +- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. +- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. +- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata. +- **CompanyName** The company name of the vendor who developed this file. +- **FileId** A hash that uniquely identifies a file. +- **FileVersion** The File version field from the file metadata under Properties -> Details. +- **HasUpgradeExe** Indicates whether the antivirus app has an upgrade.exe file. +- **IsAv** Indicates whether the file an antivirus reporting EXE. +- **LinkDate** The date and time that this file was linked on. +- **LowerCaseLongPath** The full file path to the file that was inventoried on the device. +- **Name** The name of the file that was inventoried. +- **ProductName** The Product name field from the file metadata under Properties -> Details. +- **ProductVersion** The Product version field from the file metadata under Properties -> Details. +- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it. +- **Size** The size of the file (in hexadecimal bytes). + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove + +This event indicates that the InventoryApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync + +This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd + +This event sends data about the number of language packs installed on the system, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **HasLanguagePack** Indicates whether this device has 2 or more language packs. +- **LanguagePackCount** The number of language packs are installed. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove + +This event indicates that the InventoryLanguagePack object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync + +This event indicates that a new set of InventoryLanguagePackAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd + +This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **EverLaunched** Has Windows Media Center ever been launched? +- **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center? +- **HasExtendedUserAccounts** Are any Windows Media Center Extender user accounts configured? +- **HasWatchedFolders** Are any folders configured for Windows Media Center to watch? +- **IsDefaultLauncher** Is Windows Media Center the default app for opening music or video files? +- **IsPaid** Is the user running a Windows Media Center edition that implies they paid for Windows Media Center? +- **IsSupported** Does the running OS support Windows Media Center? + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove + +This event indicates that the InventoryMediaCenter object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync + +This event indicates that a new set of InventoryMediaCenterAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd + +This event sends basic metadata about the BIOS to determine whether it has a compatibility block. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **biosDate** The release date of the BIOS in UTC format. +- **BiosDate** The release date of the BIOS in UTC format. +- **biosName** The name field from Win32_BIOS. +- **BiosName** The name field from Win32_BIOS. +- **manufacturer** The manufacturer field from Win32_ComputerSystem. +- **Manufacturer** The manufacturer field from Win32_ComputerSystem. +- **model** The model field from Win32_ComputerSystem. +- **Model** The model field from Win32_ComputerSystem. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove + +This event indicates that the InventorySystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync + +This event indicates that a new set of InventorySystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd + +This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BootCritical** Is the driver package marked as boot critical? +- **Build** The build value from the driver package. +- **CatalogFile** The name of the catalog file within the driver package. +- **Class** The device class from the driver package. +- **ClassGuid** The device class unique ID from the driver package. +- **Date** The date from the driver package. +- **Inbox** Is the driver package of a driver that is included with Windows? +- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU. +- **Provider** The provider of the driver package. +- **PublishedName** The name of the INF file after it was renamed. +- **Revision** The revision of the driver package. +- **SignatureStatus** Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2. +- **VersionMajor** The major version of the driver package. +- **VersionMinor** The minor version of the driver package. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove + +This event indicates that the InventoryUplevelDriverPackage object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync + +This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.RunContext + +This event indicates what should be expected in the data payload. + +The following fields are available: + +- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built. +- **AppraiserProcess** The name of the process that launched Appraiser. +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **CensusId** A unique hardware identifier. +- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **Subcontext** Indicates what categories of incompatibilities appraiser is scanning for. Can be N/A, Resolve, or a semicolon-delimited list that can include App, Dev, Sys, Gat, or Rescan. +- **Time** The client time of the event. + + +### Microsoft.Windows.Appraiser.General.SystemMemoryAdd + +This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the device from upgrade due to memory restrictions? +- **MemoryRequirementViolated** Was a memory requirement violated? +- **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes). +- **ram** The amount of memory on the device. +- **ramKB** The amount of memory (in KB). +- **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes). +- **virtualKB** The amount of virtual memory (in KB). + + +### Microsoft.Windows.Appraiser.General.SystemMemoryRemove + +This event that the SystemMemory object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync + +This event indicates that a new set of SystemMemoryAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd + +This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **CompareExchange128Support** Does the CPU support CompareExchange128? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove + +This event indicates that the SystemProcessorCompareExchange object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync + +This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd + +This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **LahfSahfSupport** Does the CPU support LAHF/SAHF? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove + +This event indicates that the SystemProcessorLahfSahf object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync + +This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd + +This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support. +- **NXProcessorSupport** Does the processor support NX? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove + +This event indicates that the SystemProcessorNx object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync + +This event indicates that a new set of SystemProcessorNxAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd + +This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **PrefetchWSupport** Does the processor support PrefetchW? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove + +This event indicates that the SystemProcessorPrefetchW object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync + +This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add + +This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **SSE2ProcessorSupport** Does the processor support SSE2? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove + +This event indicates that the SystemProcessorSse2 object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync + +This event indicates that a new set of SystemProcessorSse2Add events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemTouchAdd + +This event sends data indicating whether the system supports touch, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer? +- **MaximumTouches** The maximum number of touch points supported by the device hardware. + + +### Microsoft.Windows.Appraiser.General.SystemTouchRemove + +This event indicates that the SystemTouch object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemTouchStartSync + +This event indicates that a new set of SystemTouchAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWimAdd + +This event sends data indicating whether the operating system is running from a compressed Windows Imaging Format (WIM) file, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **IsWimBoot** Is the current operating system running from a compressed WIM file? +- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM. + + +### Microsoft.Windows.Appraiser.General.SystemWimRemove + +This event indicates that the SystemWim object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWimStartSync + +This event indicates that a new set of SystemWimAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd + +This event sends data indicating whether the current operating system is activated, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated. +- **WindowsNotActivatedDecision** Is the current operating system activated? + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove + +This event indicates that the SystemWindowsActivationStatus object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync + +This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWlanAdd + +This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked because of an emulated WLAN driver? +- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block? +- **WlanEmulatedDriver** Does the device have an emulated WLAN driver? +- **WlanExists** Does the device support WLAN at all? +- **WlanModulePresent** Are any WLAN modules present? +- **WlanNativeDriver** Does the device have a non-emulated WLAN driver? + + +### Microsoft.Windows.Appraiser.General.SystemWlanRemove + +This event indicates that the SystemWlan object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWlanStartSync + +This event indicates that a new set of SystemWlanAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.TelemetryRunHealth + +This event indicates the parameters and result of a telemetry (diagnostic) run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date. + +The following fields are available: + +- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built. +- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run. +- **AppraiserProcess** The name of the process that launched Appraiser. +- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots. +- **AuxFinal** Obsolete, always set to false. +- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app. +- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan. +- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. +- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent. +- **InboxDataVersion** The original version of the data files before retrieving any newer version. +- **IndicatorsWritten** Indicates if all relevant UEX indicators were successfully written or updated. +- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. +- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. +- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. +- **RunDate** The date that the telemetry run was stated, expressed as a filetime. +- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic. +- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. +- **RunResult** The hresult of the Appraiser telemetry run. +- **ScheduledUploadDay** The day scheduled for the upload. +- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run. +- **StoreHandleIsNotNull** Obsolete, always set to false +- **TelementrySent** Indicates if telemetry was successfully sent. +- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability. +- **Time** The client time of the event. +- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging. +- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated. + + +### Microsoft.Windows.Appraiser.General.WmdrmAdd + +This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BlockingApplication** Same as NeedsDismissAction. +- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation. +- **WmdrmApiResult** Raw value of the API used to gather DRM state. +- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs. +- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased. +- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed. +- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses. +- **WmdrmPurchased** Indicates if the system has any files with permanent licenses. + + +### Microsoft.Windows.Appraiser.General.WmdrmRemove + +This event indicates that the Wmdrm object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.WmdrmStartSync + +This event indicates that a new set of WmdrmAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +## Census events + +### Census.App + +Provides information on IE and Census versions running on the device + +The following fields are available: + +- **AppraiserEnterpriseErrorCode** The error code of the last Appraiser enterprise run. +- **AppraiserErrorCode** The error code of the last Appraiser run. +- **AppraiserRunEndTimeStamp** The end time of the last Appraiser run. +- **AppraiserRunIsInProgressOrCrashed** Flag that indicates if the Appraiser run is in progress or has crashed. +- **AppraiserRunStartTimeStamp** The start time of the last Appraiser run. +- **AppraiserTaskEnabled** Whether the Appraiser task is enabled. +- **AppraiserTaskExitCode** The Appraiser task exist code. +- **AppraiserTaskLastRun** The last runtime for the Appraiser task. +- **CensusVersion** The version of Census that generated the current data for this device. +- **IEVersion** The version of Internet Explorer that is running on the device. + + +### Census.Battery + +This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date. + +The following fields are available: + +- **InternalBatteryCapablities** Represents information about what the battery is capable of doing. +- **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity  to estimate the battery's wear. +- **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh. +- **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance. +- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value. + + +### Census.Camera + +This event sends data about the resolution of cameras on the device, to help keep Windows up to date. + +The following fields are available: + +- **FrontFacingCameraResolution** Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0. +- **RearFacingCameraResolution** Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0. + + +### Census.Enterprise + +This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment. + +The following fields are available: + +- **AADDeviceId** Azure Active Directory device ID. +- **AzureOSIDPresent** Represents the field used to identify an Azure machine. +- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs. +- **CDJType** Represents the type of cloud domain joined for the machine. +- **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers. +- **ContainerType** The type of container, such as process or virtual machine hosted. +- **EnrollmentType** Defines the type of MDM enrollment on the device. +- **HashedDomain** The hashed representation of the user domain used for login. +- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false +- **IsDERequirementMet** Represents if the device can do device encryption. +- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption +- **IsDomainJoined** Indicates whether a machine is joined to a domain. +- **IsEDPEnabled** Represents if Enterprise data protected on the device. +- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. +- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment. +- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. +- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier + + +### Census.Firmware + +This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date. + +The following fields are available: + +- **FirmwareManufacturer** Represents the manufacturer of the device's firmware (BIOS). +- **FirmwareReleaseDate** Represents the date the current firmware was released. +- **FirmwareType** Represents the firmware type. The various types can be unknown, BIOS, UEFI. +- **FirmwareVersion** Represents the version of the current firmware. + + +### Census.Flighting + +This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up to date. + +The following fields are available: + +- **DeviceSampleRate** The telemetry sample rate assigned to the device. +- **EnablePreviewBuilds** Used to enable Windows Insider builds on a device. +- **FlightIds** A list of the different Windows Insider builds on this device. +- **FlightingBranchName** The name of the Windows Insider branch currently used by the device. +- **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program. +- **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device. +- **SSRK** Retrieves the mobile targeting settings. + + +### Census.Hardware + +This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up to date. + +The following fields are available: + +- **ActiveMicCount** The number of active microphones attached to the device. +- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36. +- **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields. +- **D3DMaxFeatureLevel** Supported Direct3D version. +- **DeviceColor** Indicates a color of the device. +- **DeviceForm** Indicates the form as per the device classification. +- **DeviceName** The device name that is set by the user. +- **DigitizerSupport** Is a digitizer supported? +- **DUID** The device unique ID. +- **Gyroscope** Indicates whether the device has a gyroscope (a mechanical component that measures and maintains orientation). +- **InventoryId** The device ID used for compatibility testing. +- **Magnetometer** Indicates whether the device has a magnetometer (a mechanical component that works like a compass). +- **NFCProximity** Indicates whether the device supports NFC (a set of communication protocols that helps establish communication when applicable devices are brought close together.) +- **OEMDigitalMarkerFileName** The name of the file placed in the \Windows\system32\drivers directory that specifies the OEM and model name of the device. +- **OEMManufacturerName** The device manufacturer name. The OEMName for an inactive device is not reprocessed even if the clean OEM name is changed at a later date. +- **OEMModelBaseBoard** The baseboard model used by the OEM. +- **OEMModelBaseBoardVersion** Differentiates between developer and retail devices. +- **OEMModelName** The device model name. +- **OEMModelNumber** The device model number. +- **OEMModelSKU** The device edition that is defined by the manufacturer. +- **OEMModelSystemFamily** The system family set on the device by an OEM. +- **OEMModelSystemVersion** The system model version set on the device by the OEM. +- **OEMOptionalIdentifier** A Microsoft assigned value that represents a specific OEM subsidiary. +- **OEMSerialNumber** The serial number of the device that is set by the manufacturer. +- **PhoneManufacturer** The friendly name of the phone manufacturer. +- **PowerPlatformRole** The OEM preferred power management profile. It's used to help to identify the basic form factor of the device. +- **SoCName** The firmware manufacturer of the device. +- **StudyID** Used to identify retail and non-retail device. +- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced. +- **TelemetryLevelLimitEnhanced** The telemetry level for Windows Analytics-based solutions. +- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user. +- **TPMManufacturerId** The ID of the TPM manufacturer. +- **TPMManufacturerVersion** The version of the TPM manufacturer. +- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0. +- **VoiceSupported** Does the device have a cellular radio capable of making voice calls? + + +### Census.Memory + +This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to date. + +The following fields are available: + +- **TotalPhysicalRAM** Represents the physical memory (in MB). +- **TotalVisibleMemory** Represents the memory that is not reserved by the system. + + +### Census.Network + +This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors), to help keep Windows up to date. + +The following fields are available: + +- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. +- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. +- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MEID** Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. +- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MobileOperatorBilling** Represents the telephone company that provides services for mobile phone users. +- **MobileOperatorCommercialized** Represents which reseller and geography the phone is commercialized for. This is the set of values on the phone for who and where it was intended to be used. For example, the commercialized mobile operator code AT&T in the US would be ATT-US. +- **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. +- **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. +- **NetworkAdapterGUID** The GUID of the primary network adapter. +- **NetworkCost** Represents the network cost associated with a connection. +- **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. +- **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. + + +### Census.OS + +This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date. + +The following fields are available: + +- **ActivationChannel** Retrieves the retail license key or Volume license key for a machine. +- **AssignedAccessStatus** Kiosk configuration mode. +- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled. +- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy. +- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time +- **GenuineState** Retrieves the ID Value specifying the OS Genuine check. +- **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update). +- **InstallLanguage** The first language installed on the user machine. +- **IsDeviceRetailDemo** Retrieves if the device is running in demo mode. +- **IsEduData** Returns Boolean if the education data policy is enabled. +- **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go +- **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI. +- **LanguagePacks** The list of language packages installed on the device. +- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store. +- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. +- **OSEdition** Retrieves the version of the current OS. +- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc +- **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). +- **OSSKU** Retrieves the Friendly Name of OS Edition. +- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. +- **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines. +- **OSTimeZoneBiasInMins** Retrieves the time zone set on machine. +- **OSUILocale** Retrieves the locale of the UI that is currently used by the OS. +- **ProductActivationResult** Returns Boolean if the OS Activation was successful. +- **ProductActivationTime** Returns the OS Activation time for tracking piracy issues. +- **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key. +- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability. +- **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. +- **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. +- **ServiceProductKeyID** Retrieves the License key of the KMS +- **SharedPCMode** Returns Boolean for education devices used as shared cart +- **Signature** Retrieves if it is a signature machine sold by Microsoft store. +- **SLICStatus** Whether a SLIC table exists on the device. +- **SLICVersion** Returns OS type/version from SLIC table. + + +### Census.PrivacySettings + +This event provides information about the device level privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represent the authority that set the value. The effective consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. + +The following fields are available: + +- **Activity** Current state of the activity history setting. +- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. +- **ActivityHistoryCollection** Current state of the activity history collection setting. +- **AdvertisingId** Current state of the advertising ID setting. +- **AppDiagnostics** Current state of the app diagnostics setting. +- **Appointments** Current state of the calendar setting. +- **Bluetooth** Current state of the Bluetooth capability setting. +- **BluetoothSync** Current state of the Bluetooth sync capability setting. +- **BroadFileSystemAccess** Current state of the broad file system access setting. +- **CellularData** Current state of the cellular data capability setting. +- **Chat** Current state of the chat setting. +- **Contacts** Current state of the contacts setting. +- **DocumentsLibrary** Current state of the documents library setting. +- **Email** Current state of the email setting. +- **FindMyDevice** Current state of the "find my device" setting. +- **GazeInput** Current state of the gaze input setting. +- **HumanInterfaceDevice** Current state of the human interface device setting. +- **InkTypeImprovement** Current state of the improve inking and typing setting. +- **Location** Current state of the location setting. +- **LocationHistory** Current state of the location history setting. +- **LocationHistoryCloudSync** Current state of the location history cloud sync setting. +- **LocationHistoryOnTimeline** Current state of the location history on timeline setting. +- **LocTîÿxV4ocationHistory** No content is currently available. +- **Microphone** Current state of the microphone setting. +- **PhoneCall** Current state of the phone call setting. +- **PhoneCallHistory** Current state of the call history setting. +- **PicturesLibrary** Current state of the pictures library setting. +- **Radios** Current state of the radios setting. +- **SensorsCustom** Current state of the custom sensor setting. +- **SerialCommunication** Current state of the serial communication setting. +- **Sms** Current state of the text messaging setting. +- **SpeechPersonalization** Current state of the speech services setting. +- **USB** Current state of the USB setting. +- **UserAccountInformation** Current state of the account information setting. +- **UserDataTasks** Current state of the tasks setting. +- **UserNotificationListener** Current state of the notifications setting. +- **VideosLibrary** Current state of the videos library setting. +- **Webcam** Current state of the camera setting. +- **WiFiDirect** Current state of the Wi-Fi direct setting. + + +### Census.Processor + +Provides information on several important data points about Processor settings + +The following fields are available: + +- **KvaShadow** This is the micro code information of the processor. +- **MMSettingOverride** Microcode setting of the processor. +- **MMSettingOverrideMask** Microcode setting override of the processor. +- **PreviousUpdateRevision** Previous microcode revision +- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. +- **ProcessorClockSpeed** Clock speed of the processor in MHz. +- **ProcessorCores** Number of logical cores in the processor. +- **ProcessorIdentifier** Processor Identifier of a manufacturer. +- **ProcessorManufacturer** Name of the processor manufacturer. +- **ProcessorModel** Name of the processor model. +- **ProcessorPhysicalCores** Number of physical cores in the processor. +- **ProcessorUpdateRevision** The microcode revision. +- **ProcessorUpdateStatus** Enum value that represents the processor microcode load status +- **SocketCount** Count of CPU sockets. +- **SpeculationControl** Indicates whether the system has enabled protections needed to validate the speculation control vulnerability. + + +### Census.Security + +This event provides information on about security settings used to help keep Windows up to date and secure. + +The following fields are available: + +- **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard. +- **CGRunning** Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. This field tells if Credential Guard is running. +- **DGState** This field summarizes the Device Guard state. +- **HVCIRunning** Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all software running in kernel mode to safely allocate memory. This field tells if HVCI is running. +- **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest. +- **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host. +- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security. +- **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting. +- **SModeState** The Windows S mode trail state. +- **VBSState** Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled, Enabled, or Running. + + +### Census.Speech + +This event is used to gather basic speech settings on the device. + +The following fields are available: + +- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked. +- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities. +- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user. +- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. +- **KeyVer** Version information for the census speech event. +- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS). +- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. +- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities. +- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice. +- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device. +- **SpeechServicesValueSource** Indicates the deciding factor for the effective online speech recognition privacy policy settings: remote admin, local admin, or user preference. + + +### Census.Storage + +This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date. + +The following fields are available: + +- **PrimaryDiskTotalCapacity** Retrieves the amount of disk space on the primary disk of the device in MB. +- **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any). +- **StorageReservePassedPolicy** Indicates whether the Storage Reserve policy, which ensures that updates have enough disk space and customers are on the latest OS, is enabled on this device. +- **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB. + + +### Census.Userdefault + +This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date. + +The following fields are available: + +- **CalendarType** The calendar identifiers that are used to specify different calendars. +- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. +- **DefaultBrowserProgId** The ProgramId of the current user's default browser. +- **LongDateFormat** The long date format the user has selected. +- **ShortDateFormat** The short date format the user has selected. + + +### Census.UserDisplay + +This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date. + +The following fields are available: + +- **ÉnternalPrimaryDisplayLogicalDPIY** No content is currently available. +- **IîternalPrimaryDisplayResolutionVertical** No content is currently available. +- **InterjalPrimaryDisplayResolutionHorizontal** No content is currently available. +- **InternalPrimaðyDisplayPhysicalDPIX** No content is currently available. +- **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display. +- **InternalPrimaryDisplayLogicálDPIX** No content is currently available. +- **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display. +- **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display. +- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display. +- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display. +- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display. +- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches . +- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches +- **InternalPrimaryDiwplayPhysicalDPIY** No content is currently available. +- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine +- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine. +- **OumberofExternalDisplays** No content is currently available. +- **OumberofInternalDisplays** No content is currently available. +- **VRAMDedicated** Retrieves the video RAM in MB. +- **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card. +- **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use. + + +### Census.UserNLS + +This event sends data about the default app language, input, and display language preferences set by the user, to help keep Windows up to date. + +The following fields are available: + +- **DefaultAppLanguage** The current user Default App Language. +- **DisplayLanguage** The current user preferred Windows Display Language. +- **HomeLocation** The current user location, which is populated using GetUserGeoId() function. +- **KeyboardInputLanguages** The Keyboard input languages installed on the device. +- **SpeechInputLanguages** The Speech Input languages installed on the device. + + +### Census.UserPrivacySettings + +This event provides information about the current users privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represents the authority that set the value. The effective consent is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = user, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. + +The following fields are available: + +- **Activity** Current state of the activity history setting. +- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. +- **ActivityHistoryCollection** Current state of the activity history collection setting. +- **AdvertisingId** Current state of the advertising ID setting. +- **AppDiagnostics** Current state of the app diagnostics setting. +- **Appointments** Current state of the calendar setting. +- **Bluetooth** Current state of the Bluetooth capability setting. +- **BluetoothSync** Current state of the Bluetooth sync capability setting. +- **BroadFileSystemAccess** Current state of the broad file system access setting. +- **CellularData** Current state of the cellular data capability setting. +- **Chat** Current state of the chat setting. +- **Contacts** Current state of the contacts setting. +- **DocumentsLibrary** Current state of the documents library setting. +- **Email** Current state of the email setting. +- **GazeInput** Current state of the gaze input setting. +- **HumanInterfaceDevice** Current state of the human interface device setting. +- **InkTypeImprovement** Current state of the improve inking and typing setting. +- **InkTypePersonalization** Current state of the inking and typing personalization setting. +- **Location** Current state of the location setting. +- **LocationHistory** Current state of the location history setting. +- **LocationHistoryCloudSync** Current state of the location history cloud synchronization setting. +- **LocationHistoryOnTimeline** Current state of the location history on timeline setting. +- **Microphone** Current state of the microphone setting. +- **PhoneCall** Current state of the phone call setting. +- **PhoneCallHistory** Current state of the call history setting. +- **PicturesLibrary** Current state of the pictures library setting. +- **Radios** Current state of the radios setting. +- **SensorsCustom** Current state of the custom sensor setting. +- **SerialCommunication** Current state of the serial communication setting. +- **Sms** Current state of the text messaging setting. +- **SpeechPersonalization** Current state of the speech services setting. +- **USB** Current state of the USB setting. +- **UserAccountInformation** Current state of the account information setting. +- **UserDataTasks** Current state of the tasks setting. +- **UserNotificationListener** Current state of the notifications setting. +- **VideosLibrary** Current state of the videos library setting. +- **Webcam** Current state of the camera setting. +- **WiFiDirect** Current state of the Wi-Fi direct setting. + + +### Census.VM + +This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date. + +The following fields are available: + +- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within. +- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor. +- **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present. +- **IsVDI** Is the device using Virtual Desktop Infrastructure? +- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors. +- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware. +- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware. + + +### Census.WU + +This event sends data about the Windows update server and other App store policies, to help keep Windows up to date. + +The following fields are available: + +- **AppraiserGatedStatus** Indicates whether a device has been gated for upgrading. +- **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled). +- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured +- **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting +- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades. +- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it? +- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update? +- **OSAssessmentForQualityUpdate** Is the device on the latest quality update? +- **OSAssessmentForSecurityUpdate** Is the device on the latest security update? +- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it? +- **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment. +- **OSRollbackCount** The number of times feature updates have rolled back on the device. +- **OSRolledBack** A flag that represents when a feature update has rolled back during setup. +- **OSUninstalled** A flag that represents when a feature update is uninstalled on a device . +- **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device. +- **OSWUAutoUpdateOptionsSource** The source of auto update setting that appears in the OSWUAutoUpdateOptions field. For example: Group Policy (GP), Mobile Device Management (MDM), and Default. +- **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently. +- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). +- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. +- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. +- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. +- **WUPauseState** Retrieves WU setting to determine if updates are paused. +- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). + + +### Census.Xbox + +This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date. + +The following fields are available: + +- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console. +- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console. +- **XboxConsoleSerialOumber** No content is currently available. +- **XboxLiveDeviceId** Retrieves the unique device ID of the console. +- **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft. + + +## Common data extensions + +### Common Data Extensions.app + +Describes the properties of the running application. This extension could be populated by a client app or a web app. + +The following fields are available: + +- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session. +- **env** The environment from which the event was logged. +- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event. +- **id** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application. +- **locale** The locale of the app. +- **name** The name of the app. +- **userId** The userID as known by the application. +- **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app. + + +### Common Data Extensions.container + +Describes the properties of the container for events logged within a container. + +The following fields are available: + +- **epoch** An ID that's incremented for each SDK initialization. +- **localId** The device ID as known by the client. +- **osVer** The operating system version. +- **seq** An ID that's incremented for each event. +- **type** The container type. Examples: Process or VMHost + + +### Common Data Extensions.cs + +Describes properties related to the schema of the event. + +The following fields are available: + +- **sig** A common schema signature that identifies new and modified event schemas. + + +### Common Data Extensions.device + +Describes the device-related fields. + +The following fields are available: + +- **deviceClass** The device classification. For example, Desktop, Server, or Mobile. +- **localId** A locally-defined unique ID for the device. This is not the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId +- **make** Device manufacturer. +- **model** Device model. + + +### Common Data Extensions.Envelope + +Represents an envelope that contains all of the common data extensions. + +The following fields are available: + +- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries. +- **data** Represents the optional unique diagnostic data for a particular event schema. +- **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp). +- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer). +- **ext_cs** Describes properties related to the schema of the event. See [Common Data Extensions.cs](#common-data-extensionscs). +- **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice). +- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos). +- **ext_receipts** Describes the fields related to time as provided by the client for debugging purposes. See [Common Data Extensions.receipts](#common-data-extensionsreceipts). +- **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk). +- **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser). +- **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc). +- **ext_xbl** Describes the fields related to XBOX Live. See [Common Data Extensions.xbl](#common-data-extensionsxbl). +- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency. +- **iKey** Represents an ID for applications or other logical groupings of events. +- **name** Represents the uniquely qualified name for the event. +- **popSample** Represents the effective sample rate for this event at the time it was generated by a client. +- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format. +- **ver** Represents the major and minor version of the extension. + + +### Common Data Extensions.os + +Describes some properties of the operating system. + +The following fields are available: + +- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot. +- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema. +- **locale** Represents the locale of the operating system. +- **name** Represents the operating system name. +- **ver** Represents the major and minor version of the extension. + + +### Common Data Extensions.receipts + +Represents various time information as provided by the client and helps for debugging purposes. + +The following fields are available: + +- **originalTime** The original event time. +- **uploadTime** The time the event was uploaded. + + +### Common Data Extensions.sdk + +Used by platform specific libraries to record fields that are required for a specific SDK. + +The following fields are available: + +- **epoch** An ID that is incremented for each SDK initialization. +- **installId** An ID that's created during the initialization of the SDK for the first time. +- **libVer** The SDK version. +- **seq** An ID that is incremented for each event. + + +### Common Data Extensions.user + +Describes the fields related to a user. + +The following fields are available: + +- **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token. +- **locale** The language and region. +- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID. + + +### Common Data Extensions.utc + +Describes the properties that could be populated by a logging library on Windows. + +The following fields are available: + +- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW. +- **bSeq** Upload buffer sequence number in the format: buffer identifier:sequence number +- **cat** Represents a bitmask of the ETW Keywords associated with the event. +- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer. +- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server. +- **flags** Represents the bitmap that captures various Windows specific flags. +- **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence +- **op** Represents the ETW Op Code. +- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. +- **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server. +- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. + + +### Common Data Extensions.xbl + +Describes the fields that are related to XBOX Live. + +The following fields are available: + +- **claims** Any additional claims whose short claim name hasn't been added to this structure. +- **did** XBOX device ID +- **dty** XBOX device type +- **dvr** The version of the operating system on the device. +- **eid** A unique ID that represents the developer entity. +- **exp** Expiration time +- **ip** The IP address of the client device. +- **nbf** Not before time +- **pid** A comma separated list of PUIDs listed as base10 numbers. +- **sbx** XBOX sandbox identifier +- **sid** The service instance ID. +- **sty** The service type. +- **tid** The XBOX Live title ID. +- **tvr** The XBOX Live title version. +- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. +- **xid** A list of base10-encoded XBOX User IDs. + + +## Common data fields + +### Ms.Device.DeviceInventoryChange + +Describes the installation state for all hardware and software components available on a particular device. + +The following fields are available: + +- **action** The change that was invoked on a device inventory object. +- **inventoryId** Device ID used for Compatibility testing +- **objectInstanceId** Object identity which is unique within the device scope. +- **objectType** Indicates the object type that the event applies to. +- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. + + +## Compatibility events + +### Microsoft.Windows.Compatibility.Apphelp.SdbFix + +Product instrumentation for helping debug/troubleshoot issues with inbox compatibility components. + +The following fields are available: + +- **AppName** Name of the application impacted by SDB. +- **FixID** SDB GUID. +- **Flags** List of flags applied. +- **ImageName** Name of file. + + +## Component-based servicing events + +### CbsServicingProvider.CbsCapabilityEnumeration + +This event reports on the results of scanning for optional Windows content on Windows Update. + +The following fields are available: + +- **architecture** Indicates the scan was limited to the specified architecture. +- **capabilityCount** The number of optional content packages found during the scan. +- **clientId** The name of the application requesting the optional content. +- **duration** The amount of time it took to complete the scan. +- **hrStatus** The HReturn code of the scan. +- **language** Indicates the scan was limited to the specified language. +- **majorVersion** Indicates the scan was limited to the specified major version. +- **minorVersion** Indicates the scan was limited to the specified minor version. +- **namespace** Indicates the scan was limited to packages in the specified namespace. +- **sourceFilter** A bitmask indicating the scan checked for locally available optional content. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionFinalize + +This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. + +The following fields are available: + +- **capabilities** The names of the optional content packages that were installed. +- **clientId** The name of the application requesting the optional content. +- **currentID** The ID of the current install session. +- **downloadSource** The source of the download. +- **highestState** The highest final install state of the optional content. +- **hrLCUReservicingStatus** Indicates whether the optional content was updated to the latest available version. +- **hrStatus** The HReturn code of the install operation. +- **rebootCount** The number of reboots required to complete the install. +- **retryID** The session ID that will be used to retry a failed operation. +- **retryStatus** Indicates whether the install will be retried in the event of failure. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionPended + +This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date. + +The following fields are available: + +- **clientId** The name of the application requesting the optional content. +- **pendingDecision** Indicates the cause of reboot, if applicable. + + +### CbsServicingProvider.CbsLateAcquisition + +This event sends data to indicate if some Operating System packages could not be updated as part of an upgrade, to help keep Windows up to date. + +The following fields are available: + +- **Features** The list of feature packages that could not be updated. +- **RetryID** The ID identifying the retry attempt to update the listed packages. + + +### CbsServicingProvider.CbsPackageRemoval + +This event provides information about the results of uninstalling a Windows Cumulative Security Update to help keep Windows up to date. + +The following fields are available: + +- **buildVersion** The build number of the security update being uninstalled. +- **clientId** The name of the application requesting the uninstall. +- **currentStateEnd** The final state of the update after the operation. +- **failureDetails** Information about the cause of a failure, if applicable. +- **failureSourceEnd** The stage during the uninstall where the failure occurred. +- **hrStatusEnd** The overall exit code of the operation. +- **initiatedOffline** Indicates if the uninstall was initiated for a mounted Windows image. +- **majorVersion** The major version number of the security update being uninstalled. +- **minorVersion** The minor version number of the security update being uninstalled. +- **originalState** The starting state of the update before the operation. +- **pendingDecision** Indicates the cause of reboot, if applicable. +- **primitiveExecutionContext** The state during system startup when the uninstall was completed. +- **revisionVersion** The revision number of the security update being uninstalled. +- **transactionCanceled** Indicates whether the uninstall was cancelled. + + +### CbsServicingProvider.CbsQualityUpdateInstall + +This event reports on the performance and reliability results of installing Servicing content from Windows Update to keep Windows up to date. + +The following fields are available: + +- **buildVersion** The build version number of the update package. +- **clientId** The name of the application requesting the optional content. +- **corruptionHistoryFlags** A bitmask of the types of component store corruption that have caused update failures on the device. +- **corruptionType** An enumeration listing the type of data corruption responsible for the current update failure. +- **currentStateEnd** The final state of the package after the operation has completed. +- **doqTimeSeconds** The time in seconds spent updating drivers. +- **executeTimeSeconds** The number of seconds required to execute the install. +- **failureDetails** The driver or installer that caused the update to fail. +- **failureSourceEnd** An enumeration indicating at what phase of the update a failure occurred. +- **hrStatusEnd** The return code of the install operation. +- **initiatedOffline** A true or false value indicating whether the package was installed into an offline Windows Imaging Format (WIM) file. +- **majorVersion** The major version number of the update package. +- **minorVersion** The minor version number of the update package. +- **originalState** The starting state of the package. +- **overallTimeSeconds** The time (in seconds) to perform the overall servicing operation. +- **planTimeSeconds** The time in seconds required to plan the update operations. +- **poqTimeSeconds** The time in seconds processing file and registry operations. +- **postRebootTimeSeconds** The time (in seconds) to do startup processing for the update. +- **preRebootTimeSeconds** The time (in seconds) between execution of the installation and the reboot. +- **primitiveExecutionContext** An enumeration indicating at what phase of shutdown or startup the update was installed. +- **rebootCount** The number of reboots required to install the update. +- **rebootTimeSeconds** The time (in seconds) before startup processing begins for the update. +- **resolveTimeSeconds** The time in seconds required to resolve the packages that are part of the update. +- **revisionVersion** The revision version number of the update package. +- **rptTimeSeconds** The time in seconds spent executing installer plugins. +- **shutdownTimeSeconds** The time (in seconds) required to do shutdown processing for the update. +- **stackRevision** The revision number of the servicing stack. +- **stageTimeSeconds** The time (in seconds) required to stage all files that are part of the update. + + +## Deployment extensions + +### DeploymentTelemetry.Deployment_End + +This event indicates that a Deployment 360 API has completed. + +The following fields are available: + +- **ClientId** Client ID of the user utilizing the D360 API. +- **ErrorCode** Error code of action. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Mode** Phase in upgrade. +- **RelatedCV** The correction vector (CV) of any other related events +- **Result** End result of the action. + + +### DeploymentTelemetry.Deployment_SetupBoxLaunch + +This event indicates that the Deployment 360 APIs have launched Setup Box. + +The following fields are available: + +- **ClientId** The client ID of the user utilizing the D360 API. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Quiet** Whether Setup will run in quiet mode or full mode. +- **RelatedCV** The correlation vector (CV) of any other related events. +- **SetupMode** The current setup phase. + + +### DeploymentTelemetry.Deployment_SetupBoxResult + +This event indicates that the Deployment 360 APIs have received a return from Setup Box. + +The following fields are available: + +- **ClientId** Client ID of the user utilizing the D360 API. +- **ErrorCode** Error code of the action. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Quiet** Indicates whether Setup will run in quiet mode or full mode. +- **RelatedCV** The correlation vector (CV) of any other related events. +- **SetupMode** The current Setup phase. + + +### DeploymentTelemetry.Deployment_Start + +This event indicates that a Deployment 360 API has been called. + +The following fields are available: + +- **ClientId** Client ID of the user utilizing the D360 API. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Mode** The current phase of the upgrade. +- **RelatedCV** The correlation vector (CV) of any other related events. + + +## Diagnostic data events + +### TelClientSynthetic.AuthorizationInfo_RuntimeTransition + +This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. + +The following fields are available: + +- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. +- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. +- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. +- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. +- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. +- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. +- **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **PreviousPermissions** Bitmask of previous telemetry state. +- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. + + +### TelClientSynthetic.AuthorizationInfo_Startup + +Fired by UTC at startup to signal what data we are allowed to collect. + +The following fields are available: + +- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. +- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. +- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. +- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. +- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. +- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. +- **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **PreviousPermissions** Bitmask of previous telemetry state. +- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. + + +### TelClientSynthetic.ConnectivityHeartBeat_0 + +This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. + +The following fields are available: + +- **CensusExitCode** Returns last execution codes from census client run. +- **CensusStartTime** Returns timestamp corresponding to last successful census run. +- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. +- **LastConnectivityLossTime** Retrieves the last time the device lost free network. +- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. +- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. +- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds. + + +### TelClientSynthetic.HeartBeat_5 + +This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. + +The following fields are available: + +- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel. +- **AgentConnectionrrorCsCount** No content is currently available. +- **CensusExitCode** The last exit code of the Census task. +- **CensusStartTime** Time of last Census run. +- **CensusTaskEnabled** True if Census is enabled, false otherwise. +- **CompressedBytesUploaded** Number of compressed bytes uploaded. +- **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. +- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. +- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling. +- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB. +- **DbCriticalDroppedCount** Total number of dropped critical events in event DB. +- **DbDroppedCount** Number of events dropped due to DB fullness. +- **DbDroppedFailureCount** Number of events dropped due to DB failures. +- **DbDroppedFullCount** Number of events dropped due to DB fullness. +- **DecodingDroppedCount** Number of events dropped due to decoding failures. +- **DecodthiDroppedCount** No content is currently available. +- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **EnterthiCriticalOverflowDroppedCounter** No content is currently available. +- **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. +- **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. +- **EventsPersistedCount** Number of events that reached the PersistEvent stage. +- **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC. +- **EventStoreResetCounter** Number of times event DB was reset. +- **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance. +- **EventSubStoreResetCounter** Number of times event DB was reset. +- **EventSubStoreResetSizeSum** Total size of event DB across all resets reports in this instance. +- **EventsUploaded** Number of events uploaded. +- **Flags** Flags indicating device state such as network state, battery state, and opt-in state. +- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. +- **HeartBeatSequenceNumber** The sequence number of this heartbeat. +- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. +- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. +- **LastAgentConnectionrrorC** No content is currently available. +- **LastEventSizeOffender** Event name of last event which exceeded max event size. +- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. +- **Max8ctiveAgentConnectionCount** No content is currently available. +- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. +- **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. +- **MaxInUseScenaryoCounter** No content is currently available. +- **omporessedBytesUploaded** No content is currently available. +- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). +- **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. +- **RepeatedUploadFailqreDpopped** No content is currently available. +- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. +- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. +- **SettingsHttpFailures** The number of failures from contacting the OneSettings service. +- **SettthisHttpAttempts** No content is currently available. +- **SettthisHttpFailures** No content is currently available. +- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. +- **TopUploaderErrors** List of top errors received from the upload endpoint. +- **TopUploaderrrorCs** No content is currently available. +- **UphoaderErporCount** No content is currently available. +- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. +- **UploaderErrorCount** Number of errors received from the upload endpoint. +- **VortexFailuresTimeout** The number of timeout failures received from Vortex. +- **VortexHttpAttempts** Number of attempts to contact Vortex. +- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. +- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. +- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. +- **VortexHttpResponsesWirhDroppedEvents** No content is currently available. +- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. + + +### TelClientSynthetic.HeartBeat_Aria_5 + +This event is the telemetry client ARIA heartbeat. + +The following fields are available: + +- **CompressedBytesUploaded** Number of compressed bytes uploaded. +- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. +- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. +- **DbCriticalDroppedCount** Total number of dropped critical events in event database. +- **DbDroppedCount** Number of events dropped at the database layer. +- **DbDroppedFailureCount** Number of events dropped due to database failures. +- **DbDroppedFullCount** Number of events dropped due to database being full. +- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **Eve~tStoreResetCounter** No content is currently available. +- **EventsPersistedCount** Number of events that reached the PersistEvent stage. +- **EventStoreLifetimeResetCounter** Number of times the event store has been reset. +- **EventStoreResetCounter** Number of times the event store has been reset during this heartbeat. +- **EventStoreResetSizeSum** Size of event store reset in bytes. +- **EventsUploaded** Number of events uploaded. +- **HeartBeatSequenceNumber** The sequence number of this heartbeat. +- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. +- **LastEventSizeOffender** Event name of last event which exceeded max event size. +- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. +- **PreviousHeartBeatTime** The FILETIME of the previous heartbeat fire. +- **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. +- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. +- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. +- **SettingsHttpFailures** Number of failures from contacting OneSettings service. +- **TopUploaderErrors** List of top errors received from the upload endpoint. +- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. +- **UploaderErrorCount** Number of errors received from the upload endpoint. +- **VortexFailuresTimeout** Number of time out failures received from Vortex. +- **VortexHttpAttempts** Number of attempts to contact Vortex. +- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. +- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. +- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. +- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. + + +### TelClientSynthetic.HeartBeat_Seville_5 + +This event is sent by the universal telemetry client (UTC) as a heartbeat signal for Sense. + +The following fields are available: + +- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host or agent channel. +- **CompressedBytesUploaded** Number of compressed bytes uploaded. +- **ConsumerDroppedCount** Number of events dropped at consumer layer of the telemetry client. +- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. +- **CriticalDataThrottleDroppedCount** Number of critical data sampled events dropped due to throttling. +- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. +- **DailyUploadQuotaInBytes** Daily upload quota for Sense in bytes (only in in-proc mode). +- **DbCriticalDroppedCount** Total number of dropped critical events in event database. +- **DbDroppedCount** Number of events dropped due to database being full. +- **DbDroppedFailureCount** Number of events dropped due to database failures. +- **DbDroppedFullCount** Number of events dropped due to database being full. +- **DecodingDroppedCount** Number of events dropped due to decoding failures. +- **DiskSizeInBytes** Size of event store for Sense in bytes (only in in-proc mode). +- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **EtwDroppedBufferCount** Number of buffers dropped in the universal telemetry client (UTC) event tracing for Windows (ETW) session. +- **EtwDroppedCount** Number of events dropped at the event tracing for Windows (ETW) layer of telemetry client. +- **EventsPersistedCount** Number of events that reached the PersistEvent stage. +- **EventStoreLifetimeResetCounter** Number of times event the database was reset for the lifetime of the universal telemetry client (UTC). +- **EventStoreResetCounter** Number of times the event database was reset. +- **EventStoreResetSizeSum** Total size of the event database across all resets reports in this instance. +- **EventsUploaded** Number of events uploaded. +- **Flags** Flags indicating device state, such as network state, battery state, and opt-in state. +- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. +- **HeartBeatSequenceNumber** The sequence number of this heartbeat. +- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. +- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. +- **LastEventSizeOffender** Event name of last event which exceeded the maximum event size. +- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. +- **MaxActiveAgentConnectionCount** Maximum number of active agents during this heartbeat timeframe. +- **NormalUploadTimerMillis** Number of milliseconds between each upload of normal events for SENSE (only in in-proc mode). +- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). +- **RepeatedUploadFailureDropped** Number of events lost due to repeated failed uploaded attempts. +- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. +- **SettingsHttpFailures** Number of failures from contacting the OneSettings service. +- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. +- **TopUploaderErrors** Top uploader errors, grouped by endpoint and error type. +- **UploaderDroppedCount** Number of events dropped at the uploader layer of the telemetry client. +- **UploaderErrorCount** Number of input for the TopUploaderErrors mode estimation. +- **VortexFailuresTimeout** Number of time out failures received from Vortex. +- **VortexHttpAttempts** Number of attempts to contact Vortex. +- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. +- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. +- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. +- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. + + +## Direct to update events + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicability + +Event to indicate that the Coordinator CheckApplicability call succeeded. + +The following fields are available: + +- **ApplicabilityResult** Result of CheckApplicability function. +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **IsDeviceAADDomainJoined** Indicates whether the device is logged in to the AAD (Azure Active Directory) domain. +- **IsDeviceADDomainJoined** Indicates whether the device is logged in to the AD (Active Directory) domain. +- **IsDeviceCloverTrail** Indicates whether the device has a Clover Trail system installed. +- **IsDeviceFeatureUpdatingPaused** Indicates whether Feature Update is paused on the device. +- **IsDeviceNetworkMetered** Indicates whether the device is connected to a metered network. +- **IsDeviceOobeBlocked** Indicates whether user approval is required to install updates on the device. +- **IsDeviceRequireUpdateApproval** Indicates whether user approval is required to install updates on the device. +- **IsDeviceSccmManaged** Indicates whether the device is running the Microsoft SCCM (System Center Configuration Manager) to keep the operating system and applications up to date. +- **IsDeviceUninstallActive** Indicates whether the OS (operating system) on the device was recently updated. +- **IsDeviceUpdateNotificationLevel** Indicates whether the device has a set policy to control update notifications. +- **IsDeviceUpdateServiceManaged** Indicates whether the device uses WSUS (Windows Server Update Services). +- **IsDeviceZeroExhaust** Indicates whether the device subscribes to the Zero Exhaust policy to minimize connections from Windows to Microsoft. +- **IsGreaterThanMaxRetry** Indicates whether the DTU (Direct to Update) service has exceeded its maximum retry count. +- **IsVolumeLicensed** Indicates whether a volume license was used to authenticate the operating system or applications on the device. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicabilityGenericFailure + +This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Cleanup call. + +The following fields are available: + +- **CampaignID** Campaign ID being run +- **ClientID** Client ID being run +- **CoordinatorVersion** Coordinator version of DTU +- **CV** Correlation vector +- **hResult** HRESULT of the failure + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupSuccess + +This event indicates that the Coordinator Cleanup call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run +- **ClientID** Client ID being run +- **CoordinatorVersion** Coordinator version of DTU +- **CV** Correlation vector + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Commit call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitSuccess + +This event indicates that the Coordinator Commit call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Download call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadIgnoredFailure + +This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Download call that will be ignored. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadSuccess + +This event indicates that the Coordinator Download call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator HandleShutdown call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinate version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownSuccess + +This event indicates that the Coordinator HandleShutdown call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Initialize call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeSuccess + +This event indicates that the Coordinator Initialize call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Install call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallIgnoredFailure + +This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Install call that will be ignored. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallSuccess + +This event indicates that the Coordinator Install call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorProgressCallBack + +This event indicates that the Coordinator's progress callback has been called. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **DeployPhase** Current Deploy Phase. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorSetCommitReadySuccess + +This event indicates that the Coordinator SetCommitReady call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiNotShown + +This event indicates that the Coordinator WaitForRebootUi call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSelection + +This event indicates that the user selected an option on the Reboot UI. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **rebootUiSelection** Selection on the Reboot UI. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSuccess + +This event indicates that the Coordinator WaitForRebootUi call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicabilityInternal call. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalSuccess + +This event indicates that the Handler CheckApplicabilityInternal call succeeded. + +The following fields are available: + +- **ApplicabilityResult** The result of the applicability check. +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilitySuccess + +This event indicates that the Handler CheckApplicability call succeeded. + +The following fields are available: + +- **ApplicabilityResult** The result code indicating whether the update is applicable. +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionSuccess + +This event indicates that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **CheckIfCoordinatorMinApplicableVersionResult** Result of CheckIfCoordinatorMinApplicableVersion function. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Commit call. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitSuccess + +This event indicates that the Handler Commit call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run.run +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabFailure + +This event indicates that the Handler Download and Extract cab call failed. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_failureReason** Reason why the update download and extract process failed. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabSuccess + +This event indicates that the Handler Download and Extract cab call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Download call. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadSuccess + +This event indicates that the Handler Download call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Initialize call. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extract. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeSuccess + +This event indicates that the Handler Initialize call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extraction. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Install call. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallSuccess + +This event indicates that the Coordinator Install call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadySuccess + +This event indicates that the Handler SetCommitReady call succeeded. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler WaitForRebootUi call. + +The following fields are available: + +- **CampaignID** The ID of the campaigning being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** The HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiSuccess + +This event indicates that the Handler WaitForRebootUi call succeeded. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +## DxgKernelTelemetry events + +### DxgKrnlTelemetry.GPUAdapterInventoryV2 + +This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date. + +The following fields are available: + +- **AdapterTypeValue** The numeric value indicating the type of Graphics adapter. +- **aiSeqId** The event sequence ID. +- **bootId** The system boot ID. +- **BrightnessVersionViaDDI** The version of the Display Brightness Interface. +- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. +- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). +- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). +- **DedicatedVkdeoMemoryB** No content is currently available. +- **DisplayAdapterLuid** The display adapter LUID. +- **DriverDate** The date of the display driver. +- **DriverRank** The rank of the display driver. +- **DriverVersion** The display driver version. +- **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store. +- **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store. +- **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store. +- **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store. +- **GPUDeviceID** The GPU device ID. +- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. +- **GPURevisionID** The GPU revision ID. +- **GPUVendorID** The GPU vendor ID. +- **GPUVgndorID** No content is currently available. +- **InterfaceId** The GPU interface ID. +- **IsDisplayDevice** Does the GPU have displaying capabilities? +- **IsHwSchSupported** Indicates whether the adapter supports hardware scheduling. +- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? +- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? +- **IsLDA** Is the GPU comprised of Linked Display Adapters? +- **IsMiracastSupported** Does the GPU support Miracast? +- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor? +- **IsMPOSupported** Does the GPU support Multi-Plane Overlays? +- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution? +- **IsPostAdapter** Is this GPU the POST GPU in the device? +- **IsRemovable** TRUE if the adapter supports being disabled or removed. +- **IsRenderDevice** Does the GPU have rendering capabilities? +- **IsSoftwareDevice** Is this a software implementation of the GPU? +- **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store. +- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? +- **MsHybridDiscrete** Indicates whether the adapter is a discrete adapter in a hybrid configuration. +- **N}mVidPnSources** No content is currently available. +- **NumVidPnSources** The number of supported display output sources. +- **NumVidPnTargets** The number of supported display output targets. +- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes). +- **SubSystemID** The subsystem ID. +- **SubVendopID** No content is currently available. +- **SubVendorID** The GPU sub vendor ID. +- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? +- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) +- **TenemetryEnabled** No content is currently available. +- **TenInvEvntTrigger** No content is currently available. +- **version** The event version. +- **WDDMVersion** The Windows Display Driver Model version. + + +## Failover Clustering events + +### Microsoft.Windows.Server.FailoverClusteringCritical.ClusterSummary2 + +This event returns information about how many resources and of what type are in the server cluster. This data is collected to keep Windows Server safe, secure, and up to date. The data includes information about whether hardware is configured correctly, if the software is patched correctly, and assists in preventing crashes by attributing issues (like fatal errors) to workloads and system configurations. + +The following fields are available: + +- **autoAssignSite** The cluster parameter: auto site. +- **autoBalancerLevel** The cluster parameter: auto balancer level. +- **autoBalancerMode** The cluster parameter: auto balancer mode. +- **blockCacheSize** The configured size of the block cache. +- **ClusterAdConfiguration** The ad configuration of the cluster. +- **clusterAdType** The cluster parameter: mgmt_point_type. +- **clusterDumpPolicy** The cluster configured dump policy. +- **clusterFunctionalLevel** The current cluster functional level. +- **clusterGuid** The unique identifier for the cluster. +- **clusterWitnessType** The witness type the cluster is configured for. +- **countNodesInSite** The number of nodes in the cluster. +- **crossSiteDelay** The cluster parameter: CrossSiteDelay. +- **crossSiteThreshold** The cluster parameter: CrossSiteThreshold. +- **crossSubnetDelay** The cluster parameter: CrossSubnetDelay. +- **crossSubnetThreshold** The cluster parameter: CrossSubnetThreshold. +- **csvCompatibleFilters** The cluster parameter: ClusterCsvCompatibleFilters. +- **csvIncompatibleFilters** The cluster parameter: ClusterCsvIncompatibleFilters. +- **csvResourceCount** The number of resources in the cluster. +- **currentNodeSite** The name configured for the current site for the cluster. +- **dasModeBusType** The direct storage bus type of the storage spaces. +- **downLevelNodeCount** The number of nodes in the cluster that are running down-level. +- **drainOnShutdown** Specifies whether a node should be drained when it is shut down. +- **dynamicQuorumEnabled** Specifies whether dynamic Quorum has been enabled. +- **enforcedAntiAffinity** The cluster parameter: enforced anti affinity. +- **genAppNames** The win32 service name of a clustered service. +- **genSvcNames** The command line of a clustered genapp. +- **hangRecoveryAction** The cluster parameter: hang recovery action. +- **hangTimeOut** Specifies the “hang time out” parameter for the cluster. +- **isCalabria** Specifies whether storage spaces direct is enabled. +- **isMixedMode** Identifies if the cluster is running with different version of OS for nodes. +- **isRunningDownLevel** Identifies if the current node is running down-level. +- **logLevel** Specifies the granularity that is logged in the cluster log. +- **logSize** Specifies the size of the cluster log. +- **lowerQuorumPriorityNodeId** The cluster parameter: lower quorum priority node ID. +- **minNeverPreempt** The cluster parameter: minimum never preempt. +- **minPreemptor** The cluster parameter: minimum preemptor priority. +- **netftIpsecEnabled** The parameter: netftIpsecEnabled. +- **NodeCount** The number of nodes in the cluster. +- **nodeId** The current node number in the cluster. +- **nodeResourceCounts** Specifies the number of node resources. +- **nodeResourceOnlineCounts** Specifies the number of node resources that are online. +- **numberOfSites** The number of different sites. +- **numNodesInNoSite** The number of nodes not belonging to a site. +- **plumbAllCrossSubnetRoutes** The cluster parameter: plumb all cross subnet routes. +- **preferredSite** The preferred site location. +- **privateCloudWitness** Specifies whether a private cloud witness exists for this cluster. +- **quarantineDuration** The quarantine duration. +- **quarantineThreshold** The quarantine threshold. +- **quorumArbitrationTimeout** In the event of an arbitration event, this specifies the quorum timeout period. +- **resiliencyLevel** Specifies the level of resiliency. +- **resourceCounts** Specifies the number of resources. +- **resourceTypeCounts** Specifies the number of resource types in the cluster. +- **resourceTypes** Data representative of each resource type. +- **resourceTypesPath** Data representative of the DLL path for each resource type. +- **sameSubnetDelay** The cluster parameter: same subnet delay. +- **sameSubnetThreshold** The cluster parameter: same subnet threshold. +- **secondsInMixedMode** The amount of time (in seconds) that the cluster has been in mixed mode (nodes with different operating system versions in the same cluster). +- **securityLevel** The cluster parameter: security level. +- **securityLevelForStorage** The cluster parameter: security level for storage. +- **sharedVolumeBlockCacheSize** Specifies the block cache size for shared for shared volumes. +- **shutdownTimeoutMinutes** Specifies the amount of time it takes to time out when shutting down. +- **upNodeCount** Specifies the number of nodes that are up (online). +- **useClientAccessNetworksForCsv** The cluster parameter: use client access networks for CSV. +- **vmIsolationTime** The cluster parameter: VM isolation time. +- **witnessDatabaseWriteTimeout** Specifies the timeout period for writing to the quorum witness database. + + +## Fault Reporting events + +### Microsoft.Windows.FaultReporting.AppCrashEvent + +This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event. + +The following fields are available: + +- **AppName** The name of the app that has crashed. +- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. +- **AppTimeStamp** The date/time stamp of the app. +- **AppVersion** The version of the app that has crashed. +- **ExceptionCode** The exception code returned by the process that has crashed. +- **ExceptionOffset** The address where the exception had occurred. +- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. +- **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. +- **IsFatal** True/False to indicate whether the crash resulted in process termination. +- **ModName** Exception module name (e.g. bar.dll). +- **ModTimeStamp** The date/time stamp of the module. +- **ModVersion** The version of the module that has crashed. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has crashed. +- **ProcessId** The ID of the process that has crashed. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported +- **TargetAsId** The sequence number for the hanging process. + + +## Feature update events + +### Microsoft.Windows.Upgrade.Uninstall.UninstallFinalizedAndRebootTriggered + +This event indicates that the uninstall was properly configured and that a system reboot was initiated. + + + +### Microsoft.Windows.Upgrade.Uninstall.UninstallGoBackButtonClicked + +This event sends basic metadata about the starting point of uninstalling a feature update, which helps ensure customers can safely revert to a well-known state if the update caused any problems. + + + +## Hang Reporting events + +### Microsoft.Windows.HangReporting.AppHangEvent + +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. + +The following fields are available: + +- **AppName** The name of the app that has hung. +- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend. +- **AppVersion** The version of the app that has hung. +- **IsFatal** True/False based on whether the hung application caused the creation of a Fatal Hang Report. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has hung. +- **ProcessId** The ID of the process that has hung. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported. +- **TargetAsId** The sequence number for the hanging process. +- **TypeCode** Bitmap describing the hang type. +- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application. +- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting. +- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting. +- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package. + + +## Inventory events + +### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum + +This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. + +The following fields are available: + +- **Device** A count of device objects in cache. +- **DeviceCensus** A count of device census objects in cache. +- **DriverPackageExtended** A count of driverpackageextended objects in cache. +- **File** A count of file objects in cache. +- **FileSigningInfo** A count of file signing objects in cache. +- **Generic** A count of generic objects in cache. +- **HwItem** A count of hwitem objects in cache. +- **InventoryApplication** A count of application objects in cache. +- **InventoryApplicationAppV** A count of application AppV objects in cache. +- **InventoryApplicationDriver** A count of application driver objects in cache +- **InventoryApplicationFile** A count of application file objects in cache. +- **InventoryApplicationFramework** A count of application framework objects in cache +- **InventoryApplicationShortcut** A count of application shortcut objects in cache +- **InventoryDeviceContainer** A count of device container objects in cache. +- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache. +- **InventoryDeviceMediaClass** A count of device media objects in cache. +- **InventoryDevicePnp** A count of device Plug and Play objects in cache. +- **InventoryDeviceUsbHubClass** A count of device usb objects in cache +- **InventoryDriverBinary** A count of driver binary objects in cache. +- **InventoryDriverPackage** A count of device objects in cache. +- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache +- **InventoryMiscellaneousOfficeAddInUsage** A count of office add-in usage objects in cache. +- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache +- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache +- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache +- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache +- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache +- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache +- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache +- **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache +- **InventoryMiscnfo** No content is currently available. +- **Metadata** A count of metadata objects in cache. +- **Orphan** A count of orphan file objects in cache. +- **Programs** A count of program objects in cache. + + +### Microsoft.Windows.Inventory.Core.AmiTelCacheFileInfo + +Diagnostic data about the inventory cache. + +The following fields are available: + +- **CacheFileSize** Size of the cache. +- **InventoryVersion** Inventory version of the cache. +- **TempCacheCount** Number of temp caches created. +- **TempCacheDeletedCount** Number of temp caches deleted. + + +### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions + +This event sends inventory component versions for the Device Inventory data. + +The following fields are available: + +- **aeinv** The version of the App inventory component. +- **devinv** The file version of the Device inventory component. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd + +This event sends basic metadata about an application on the system to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **HiddenArp** Indicates whether a program hides itself from showing up in ARP. +- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). +- **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 +- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. +- **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array. +- **InventoryVersion** The version of the inventory file generating the events. +- **Language** The language code of the program. +- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. +- **MsiProductCode** A GUID that describe the MSI Product. +- **Name** The name of the application. +- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. +- **PackageFullName** The package full name for a Store application. +- **ProgramInstanceId** A hash of the file IDs in an app. +- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field. +- **RootDirPath** The path to the root directory where the program was installed. +- **Source** How the program was installed (for example, ARP, MSI, Appx). +- **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp. +- **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen. +- **Version** The version number of the program. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd + +This event represents what drivers an application installs. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory component. +- **ProgramIds** The unique program identifier the driver is associated with. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync + +The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory component. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd + +This event provides the basic metadata about the frameworks an application may depend on. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **FileId** A hash that uniquely identifies a file. +- **Frameworks** The list of frameworks this file depends on. +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync + +This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove + +This event indicates that a new set of InventoryDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync + +This event indicates that a new set of InventoryApplicationAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd + +This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device) to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Categories** A comma separated list of functional categories in which the container belongs. +- **DiscoveryMethod** The discovery method for the device container. +- **FriendlyName** The name of the device container. +- **InventoryVersion** The version of the inventory file generating the events. +- **IsActive** Is the device connected, or has it been seen in the last 14 days? +- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link. +- **IsMachineContainer** Is the container the root device itself? +- **IsMAchineContainer** No content is currently available. +- **IsNetworked** Is this a networked device? +- **IsPaired** Does the device container require pairing? +- **Manufacturer** The manufacturer name for the device container. +- **ModelId** A unique model ID. +- **ModelName** The model name. +- **ModelNumber** The model number for the device container. +- **PrimaryCategory** The primary category for the device container. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove + +This event indicates that the InventoryDeviceContainer object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync + +This event indicates that a new set of InventoryDeviceContainerAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd + +This event retrieves information about what sensor interfaces are available on the device. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Accelerometer3D** Indicates if an Accelerator3D sensor is found. +- **ActivityDetection** Indicates if an Activity Detection sensor is found. +- **AmbientLight** Indicates if an Ambient Light sensor is found. +- **Barometer** Indicates if a Barometer sensor is found. +- **Custom** Indicates if a Custom sensor is found. +- **EnergyMeter** Indicates if an Energy sensor is found. +- **FloorElevation** Indicates if a Floor Elevation sensor is found. +- **GeomagneticOrientation** Indicates if a Geo Magnetic Orientation sensor is found. +- **GravityVector** Indicates if a Gravity Detector sensor is found. +- **Gyrometer3D** Indicates if a Gyrometer3D sensor is found. +- **Humidity** Indicates if a Humidity sensor is found. +- **InventoryVersion** The version of the inventory file generating the events. +- **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found. +- **Magnetometer3D** Indicates if a Magnetometer3D sensor is found. +- **Orientation** Indicates if an Orientation sensor is found. +- **Pedometer** Indicates if a Pedometer sensor is found. +- **Proximity** Indicates if a Proximity sensor is found. +- **RelativeOrientation** Indicates if a Relative Orientation sensor is found. +- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found. +- **Temperature** Indicates if a Temperature sensor is found. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync + +This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd + +This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **audio.captureDriver** Audio device capture driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14887.1000:hdaudio\func_01 +- **audio.renderDriver** Audio device render driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14889.1001:hdaudio\func_01 +- **Audio_CaptureDriver** The Audio device capture driver endpoint. +- **Audio_RenderDriver** The Audio device render driver endpoint. +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove + +This event indicates that the InventoryDeviceMediaClassRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync + +This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. + +This event includes fields from [Ms.Device.De~iceInventoryChange](#msdevicede~iceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd + +This event represents the basic metadata about a plug and play (PNP) device and its associated driver. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **basedata** No content is currently available. See [basedata](#basedata). +- **BusReportedDescription** The description of the device reported by the bux. +- **Class** The device setup class of the driver loaded for the device. +- **ClassGuid** The device class unique identifier of the driver package loaded on the device. +- **COMPID** The list of “Compatible IDs” for this device. +- **ContainerId** The system-supplied unique identifier that specifies which group(s) the device(s) installed on the parent (main) device belong to. +- **Description** The description of the device. +- **DeviceInterfaceClasses** The device interfaces that this device implements. +- **DeviceState** Identifies the current state of the parent (main) device. +- **DriverId** The unique identifier for the installed driver. +- **DriverName** The name of the driver image file. +- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage. +- **DriveRPackageStrongNaMe** No content is currently available. +- **DriverVerDate** The date associated with the driver installed on the device. +- **DriverVerVersion** The version number of the driver installed on the device. +- **Enumerator** Identifies the bus that enumerated the device. +- **ExtendedInfs** The extended INF file names. +- **HWID** A list of hardware IDs for the device. +- **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). +- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx +- **InventoryVersion** The version number of the inventory process generating the events. +- **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. +- **LowerFilters** The identifiers of the Lower filters installed for the device. +- **Manufacturer** The manufacturer of the device. +- **MatchingID** The Hardware ID or Compatible ID that Windows uses to install a device instance. +- **Model** Identifies the model of the device. +- **ParentId** The Device Instance ID of the parent of the device. +- **ProblemCode** The error code currently returned by the device, if applicable. +- **Provider** Identifies the device provider. +- **Service** The name of the device service. +- **STACKID** The list of hardware IDs for the stack. +- **UpperClassFilters** The identifiers of the Upper Class filters installed for the device. +- **UpperFilters** The identifiers of the Upper filters installed for the device. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove + +This event indicates that the InventoryDevicePnpRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync + +This event indicates that a new set of InventoryDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd + +This event sends basic metadata about the USB hubs on the device. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. +- **TotalUserConnectablePorts** Total number of connectable USB ports. +- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync + +This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent. + +This event includes fields from [Ms.De~ice.DeviceInventoryChange](#msde~icedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd + +This event provides the basic metadata about driver binaries running on the system. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Dri6erCompany** No content is currently available. +- **Driv%rPackageStrongName** No content is currently available. +- **Drive2Name** No content is currently available. +- **DriverCheckSum** The checksum of the driver file. +- **DriverCompa.y** No content is currently available. +- **DriverCompany** The company name that developed the driver. +- **DriverInBox** Is the driver included with the operating system? +- **DriverIsKernelMode** Is it a kernel mode driver? +- **DriverName** The file name of the driver. +- **DriverPackageStrongName** The strong name of the driver package +- **DriverSign%d** No content is currently available. +- **DriverSigned** The strong name of the driver package +- **DriverTimeStamp** The low 32 bits of the time stamp of the driver file. +- **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. +- **DriverVersion** The version of the driver file. +- **DviverCompany** No content is currently available. +- **I.f** No content is currently available. +- **Imagesize** No content is currently available. +- **ImageSize** The size of the driver file. +- **Inf** The name of the INF file. +- **Invento2yVersion** No content is currently available. +- **InventoryVersion** The version of the inventory file generating the events. +- **Product** The product name that is included in the driver file. +- **ProductVersio~** No content is currently available. +- **ProductVersion** The product version that is included in the driver file. +- **Service** The name of the service that is installed for the device. +- **WdfVersion** The Windows Driver Framework version. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove + +This event indicates that the InventoryDriverBinary object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync + +This event indicates that a new set of InventoryDriverBinaryAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd + +This event sends basic metadata about drive packages installed on the system to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Class** The class name for the device driver. +- **ClassGuid** The class GUID for the device driver. +- **Date** The driver package date. +- **Directory** The path to the driver package. +- **DriverInBox** Is the driver included with the operating system? +- **Inf** The INF name of the driver package. +- **InventoryVersion** The version of the inventory file generating the events. +- **Provider** The provider for the driver package. +- **SubmissionId** The HLK submission ID for the driver package. +- **Version** The version of the driver package. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove + +This event indicates that the InventoryDriverPackageRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync + +This event indicates that a new set of InventoryDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.StartUtcJsonTrace + +This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the beginning of the event download, and that tracing should begin. + + + +### Microsoft.Windows.Inventory.Core.StopUtcJsonTrace + +This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the end of the event download, and that tracing should end. + + + +### Microsoft.Windows.Inventory.General.AppHealthStaticAdd + +This event sends details collected for a specific application on the source device. + +The following fields are available: + +- **AhaVersion** The binary version of the App Health Analyzer tool. +- **ApplicationErrors** The count of application errors from the event log. +- **Bitness** The architecture type of the application (16 Bit or 32 bit or 64 bit). +- **device_level** Various JRE/JAVA versions installed on a particular device. +- **ExtendedProperties** Attribute used for aggregating all other attributes under this event type. +- **Jar** Flag to determine if an app has a Java JAR file dependency. +- **Jre** Flag to determine if an app has JRE framework dependency. +- **Jre_version** JRE versions an app has declared framework dependency for. +- **Name** Name of the application. +- **NonDPIAware** Flag to determine if an app is non-DPI aware. +- **NumBinaries** Count of all binaries (.sys,.dll,.ini) from application install location. +- **RequiresAdmin** Flag to determine if an app requests admin privileges for execution. +- **RequiresAdminv2** Additional flag to determine if an app requests admin privileges for execution. +- **RequiresUIAccess** Flag to determine if an app is based on UI features for accessibility. +- **VB6** Flag to determine if an app is based on VB6 framework. +- **VB6v2** Additional flag to determine if an app is based on VB6 framework. +- **Version** Version of the application. +- **VersionCheck** Flag to determine if an app has a static dependency on OS version. +- **VersionCheckv2** Additional flag to determine if an app has a static dependency on OS version. + + +### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync + +This event indicates the beginning of a series of AppHealthStaticAdd events. + +The following fields are available: + +- **AllowTelemetry** Indicates the presence of the 'allowtelemetry' command line argument. +- **CommandLineArgs** Command line arguments passed when launching the App Health Analyzer executable. +- **Enhanced** Indicates the presence of the 'enhanced' command line argument. +- **StartTime** UTC date and time at which this event was sent. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd + +Provides data on the installed Office Add-ins. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AddinCLSID** The class identifier key for the Microsoft Office add-in. +- **AddInCLSID** The class identifier key for the Microsoft Office add-in. +- **AddInId** The identifier for the Microsoft Office add-in. +- **AddinType** The type of the Microsoft Office add-in. +- **BinFileTimestamp** The timestamp of the Office add-in. +- **BinFileVersion** The version of the Microsoft Office add-in. +- **Description** Description of the Microsoft Office add-in. +- **FileId** The file identifier of the Microsoft Office add-in. +- **FileSize** The file size of the Microsoft Office add-in. +- **FriendlyName** The friendly name for the Microsoft Office add-in. +- **FullPath** The full path to the Microsoft Office add-in. +- **InventoryVersion** The version of the inventory binary generating the events. +- **LoadBehavior** Integer that describes the load behavior. +- **LoadTime** Load time for the Office add-in. +- **OfficeApplication** The Microsoft Office application associated with the add-in. +- **OfficeArchitecture** The architecture of the add-in. +- **OfficeVersion** The Microsoft Office version for this add-in. +- **OutlookCrashingAddin** Indicates whether crashes have been found for this add-in. +- **ProductCompany** The name of the company associated with the Office add-in. +- **ProductName** The product name associated with the Microsoft Office add-in. +- **ProductVersion** The version associated with the Office add-in. +- **ProgramId** The unique program identifier of the Microsoft Office add-in. +- **Provider** Name of the provider for this add-in. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync + +This event indicates that a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd + +Provides data on the Office identifiers. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OAudienceData** Sub-identifier for Microsoft Office release management, identifying the pilot group for a device +- **OAudienceId** Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device +- **OMID** Identifier for the Office SQM Machine +- **OPlatform** Whether the installed Microsoft Office product is 32-bit or 64-bit +- **OTenantId** Unique GUID representing the Microsoft O365 Tenant +- **OVersion** Installed version of Microsoft Office. For example, 16.0.8602.1000 +- **OWowMID** Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft Office on 64-bit Windows) + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd + +Provides data on Office-related Internet Explorer features. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OIeFeatureAddon** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the user or by administrative group policy will also be disabled in applications that enable this feature. +- **OIeMachineLockdown** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on content loaded from the user's local machine, which helps prevent malicious behavior involving local files. +- **OIeMimeHandling** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely. Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) +- **OIeMimeSniffing** Flag indicating which Microsoft Office products have this setting enabled. Determines a file's type by examining its bit signature. Windows Internet Explorer uses this information to determine how to render the file. The FEATURE_MIME_SNIFFING feature, when enabled, allows to be set differently for each security zone by using the URLACTION_FEATURE_MIME_SNIFFING URL action flag +- **OIeNoAxInstall** Flag indicating which Microsoft Office products have this setting enabled. When a webpage attempts to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request. When a webpage tries to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request +- **OIeNoDownload** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_RESTRICT_FILEDOWNLOAD feature blocks file download requests that navigate to a resource, that display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click or key press). Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) +- **OIeObjectCaching** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_OBJECT_CACHING feature prevents webpages from accessing or instantiating ActiveX controls cached from different domains or security contexts +- **OIePasswordDisable** Flag indicating which Microsoft Office products have this setting enabled. After Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2), Internet Explorer no longer allows usernames and passwords to be specified in URLs that use the HTTP or HTTPS protocols. URLs using other protocols, such as FTP, still allow usernames and passwords +- **OIeSafeBind** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SAFE_BINDTOOBJECT feature performs additional safety checks when calling MonikerBindToObject to create and initialize Microsoft ActiveX controls. Specifically, prevent the control from being created if COMPAT_EVIL_DONT_LOAD is in the registry for the control +- **OIeSecurityBand** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled, the Information bar appears when file download or code installation is restricted +- **OIeUncSaveCheck** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_UNC_SAVEDFILECHECK feature enables the Mark of the Web (MOTW) for local files loaded from network locations that have been shared by using the Universal Naming Convention (UNC) +- **OIeValidateUrl** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_VALIDATE_NAVIGATE_URL feature control prevents Windows Internet Explorer from navigating to a badly formed URL +- **OIeWebOcPopup** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_WEBOC_POPUPMANAGEMENT feature allows applications hosting the WebBrowser Control to receive the default Internet Explorer pop-up window management behavior +- **OIeWinRestrict** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_WINDOW_RESTRICTIONS feature adds several restrictions to the size and behavior of popup windows +- **OIeZoneElevate** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_ZONE_ELEVATION feature prevents pages in one zone from navigating to pages in a higher security zone unless the navigation is generated by the user + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd + +This event provides insight data on the installed Office products + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OfficeApplication** The name of the Office application. +- **OfficeArchitecture** The bitness of the Office application. +- **OfficeVersion** The version of the Office application. +- **Value** The insights collected about this entity. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync + +This diagnostic event indicates that a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd + +Describes Office Products installed. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OC2rApps** A GUID the describes the Office Click-To-Run apps +- **OC2rSkus** Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example, Office 2016 ProPlus +- **OMsiApps** Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word +- **OProductCodes** A GUID that describes the Office MSI products + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd + +This event describes various Office settings + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **BrowserFlags** Browser flags for Office-related products +- **ExchangeProviderFlags** Provider policies for Office Exchange +- **InventoryVersion** The version of the inventory binary generating the events. +- **SharedComputerLicensing** Office shared computer licensing policies + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync + +Indicates a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd + +This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Design** Count of files with design issues found. +- **Design_x64** Count of files with 64 bit design issues found. +- **DuplicateVBA** Count of files with duplicate VBA code. +- **HasVBA** Count of files with VBA code. +- **Inaccessible** Count of files that were inaccessible for scanning. +- **InventoryVersion** The version of the inventory binary generating the events. +- **Issues** Count of files with issues detected. +- **Issues_x64** Count of files with 64-bit issues detected. +- **IssuesNone** Count of files with no issues detected. +- **IssuesNone_x64** Count of files with no 64-bit issues detected. +- **Locked** Count of files that were locked, preventing scanning. +- **NoVBA** Count of files with no VBA inside. +- **Protected** Count of files that were password protected, preventing scanning. +- **RemLimited** Count of files that require limited remediation changes. +- **RemLimited_x64** Count of files that require limited remediation changes for 64-bit issues. +- **RemSignificant** Count of files that require significant remediation changes. +- **RemSignificant_x64** Count of files that require significant remediation changes for 64-bit issues. +- **Score** Overall compatibility score calculated for scanned content. +- **Score_x64** Overall 64-bit compatibility score calculated for scanned content. +- **Total** Total number of files scanned. +- **Validation** Count of files that require additional manual validation. +- **Validation_x64** Count of files that require additional manual validation for 64-bit issues. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd + +This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Count** Count of total Microsoft Office VBA rule violations +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync + +This event indicates that a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd + +Provides data on Unified Update Platform (UUP) products and what version they are at. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Identifier** UUP identifier +- **LastActivatedVersion** Last activated version +- **PreviousVersion** Previous version +- **Source** UUP source +- **Version** UUP version + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.Indicators.Checksum + +This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events. + +The following fields are available: + +- **CensusId** A unique hardware identifier. +- **ChecksumDictionary** A count of each operating system indicator. +- **PCFP** Equivalent to the InventoryId field that is found in other core events. + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd + +These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **IndicatorValue** The indicator value. +- **Value** Describes an operating system indicator that may be relevant for the device upgrade. + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove + +This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync + +This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +## Kernel events + +### IO + +This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon system startup. + +The following fields are available: + +- **BytesRead** The total number of bytes read from or read by the OS upon system startup. +- **BytesWritten** The total number of bytes written to or written by the OS upon system startup. + + +### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch + +OS information collected during Boot, used to evaluate the success of the upgrade process. + +The following fields are available: + +- **BootApplicationId** This field tells us what the OS Loader Application Identifier is. +- **BootAttemptCount** The number of consecutive times the boot manager has attempted to boot into this operating system. +- **BootSequence** The current Boot ID, used to correlate events related to a particular boot session. +- **BootStatusPolicy** Identifies the applicable Boot Status Policy. +- **BootType** Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume"). +- **EventTimestamp** Seconds elapsed since an arbitrary time point. This can be used to identify the time difference in successive boot attempts being made. +- **Firmw!reResetReasonEmbeddedControllerAdditional** No content is currently available. +- **FirmwareResetReasonEmbeddedController** Reason for system reset provided by firmware. +- **FirmwareResetReasonEmbeddedControllerAdditional** Additional information on system reset reason provided by firmware if needed. +- **FirmwareResetReasonPch** Reason for system reset provided by firmware. +- **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed. +- **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware. +- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See [IO](#io). +- **LastBootSucceeded** Flag indicating whether the last boot was successful. +- **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful. +- **MaxAbove4GbFreeRange** This field describes the largest memory range available above 4Gb. +- **MaxBelow4GbFreeRange** This field describes the largest memory range available below 4Gb. +- **MeasuredLaunchPrepared** This field tells us if the OS launch was initiated using Measured/Secure Boot over DRTM (Dynamic Root of Trust for Measurement). +- **MeasuredLaunchResume** This field tells us if Dynamic Root of Trust for Measurement (DRTM) was used when resuming from hibernation. +- **MenuPolicy** Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.). +- **RecoveryEnabled** Indicates whether recovery is enabled. +- **SecureLaunchPrepared** This field indicates if DRTM was prepared during boot. +- **TcbLaunch** Indicates whether the Trusted Computing Base was used during the boot flow. +- **UserInputTime** The amount of time the loader application spent waiting for user input. + + +## Miracast events + +### Microsoft.Windows.Cast.Miracast.MiracastSessionEnd + +This event sends data at the end of a Miracast session that helps determine RTSP related Miracast failures along with some statistics about the session + +The following fields are available: + +- **AudioChannelCount** The number of audio channels. +- **AudioSampleRate** The sample rate of audio in terms of samples per second. +- **AudioSubtype** The unique subtype identifier of the audio codec (encoding method) used for audio encoding. +- **AverageBitrate** The average video bitrate used during the Miracast session, in bits per second. +- **AverageDataRate** The average available bandwidth reported by the WiFi driver during the Miracast session, in bits per second. +- **AveragePacketSendTimeInMs** The average time required for the network to send a sample, in milliseconds. +- **ConnectorType** The type of connector used during the Miracast session. +- **EncodeAverageTimeMS** The average time to encode a frame of video, in milliseconds. +- **EncodeCount** The count of total frames encoded in the session. +- **EncodeMaxTimeMS** The maximum time to encode a frame, in milliseconds. +- **EncodeMinTimeMS** The minimum time to encode a frame, in milliseconds. +- **EncoderCreationTimeInMs** The time required to create the video encoder, in milliseconds. +- **ErrorSource** Identifies the component that encountered an error that caused a disconnect, if applicable. +- **FirstFrameTime** The time (tick count) when the first frame is sent. +- **FirstLatencyMode** The first latency mode. +- **FrameAverageTimeMS** Average time to process an entire frame, in milliseconds. +- **FrameCount** The total number of frames processed. +- **FrameMaxTimeMS** The maximum time required to process an entire frame, in milliseconds. +- **FrameMinTimeMS** The minimum time required to process an entire frame, in milliseconds. +- **Glitches** The number of frames that failed to be delivered on time. +- **HardwareCursorEnabled** Indicates if hardware cursor was enabled when the connection ended. +- **HDCPState** The state of HDCP (High-bandwidth Digital Content Protection) when the connection ended. +- **HighestBitrate** The highest video bitrate used during the Miracast session, in bits per second. +- **HighestDataRate** The highest available bandwidth reported by the WiFi driver, in bits per second. +- **LastLatencyMode** The last reported latency mode. +- **LogTimeReference** The reference time, in tick counts. +- **LowestBitrate** The lowest video bitrate used during the Miracast session, in bits per second. +- **LowestDataRate** The lowest video bitrate used during the Miracast session, in bits per second. +- **MediaErrorCode** The error code reported by the media session, if applicable. +- **MiracastEntry** The time (tick count) when the Miracast driver was first loaded. +- **MiracastM1** The time (tick count) when the M1 request was sent. +- **MiracastM2** The time (tick count) when the M2 request was sent. +- **MiracastM3** The time (tick count) when the M3 request was sent. +- **MiracastM4** The time (tick count) when the M4 request was sent. +- **MiracastM5** The time (tick count) when the M5 request was sent. +- **MiracastM6** The time (tick count) when the M6 request was sent. +- **MiracastM7** The time (tick count) when the M7 request was sent. +- **MiracastSessionState** The state of the Miracast session when the connection ended. +- **MiracastStreaming** The time (tick count) when the Miracast session first started processing frames. +- **ProfileCount** The count of profiles generated from the receiver M4 response. +- **ProfileCountAfterFiltering** The count of profiles after filtering based on available bandwidth and encoder capabilities. +- **RefreshRate** The refresh rate set on the remote display. +- **RotationSupported** Indicates if the Miracast receiver supports display rotation. +- **RTSPSessionId** The unique identifier of the RTSP session. This matches the RTSP session ID for the receiver for the same session. +- **SessionGuid** The unique identifier of to correlate various Miracast events from a session. +- **SinkHadEdid** Indicates if the Miracast receiver reported an EDID. +- **SupportMicrosoftColorSpaceConversion** Indicates whether the Microsoft color space conversion for extra color fidelity is supported by the receiver. +- **SupportsMicrosoftDiagnostics** Indicates whether the Miracast receiver supports the Microsoft Diagnostics Miracast extension. +- **SupportsMicrosoftFormatChange** Indicates whether the Miracast receiver supports the Microsoft Format Change Miracast extension. +- **SupportsMicrosoftLatencyManagement** Indicates whether the Miracast receiver supports the Microsoft Latency Management Miracast extension. +- **SupportsMicrosoftRTCP** Indicates whether the Miracast receiver supports the Microsoft RTCP Miracast extension. +- **SupportsMicrosoftVideoFormats** Indicates whether the Miracast receiver supports Microsoft video format for 3:2 resolution. +- **SupportsWiDi** Indicates whether Miracast receiver supports Intel WiDi extensions. +- **TeardownErrorCode** The error code reason for teardown provided by the receiver, if applicable. +- **TeardownErrorReason** The text string reason for teardown provided by the receiver, if applicable. +- **UIBCEndState** Indicates whether UIBC was enabled when the connection ended. +- **UIBCEverEnabled** Indicates whether UIBC was ever enabled. +- **UIBCStatus** The result code reported by the UIBC setup process. +- **VideoBitrate** The starting bitrate for the video encoder. +- **VideoCodecLevel** The encoding level used for encoding, specific to the video subtype. +- **VideoHeight** The height of encoded video frames. +- **VideoSubtype** The unique subtype identifier of the video codec (encoding method) used for video encoding. +- **VideoWidth** The width of encoded video frames. +- **WFD2Supported** Indicates if the Miracast receiver supports WFD2 protocol. + + +## OneDrive events + +### Microsoft.OneDrive.Sync.Setup.APIOperation + +This event includes basic data about install and uninstall OneDrive API operations. + +The following fields are available: + +- **APIName** The name of the API. +- **Duration** How long the operation took. +- **IsSuccess** Was the operation successful? +- **ResultCode** The result code. +- **ScenarioName** The name of the scenario. + + +### Microsoft.OneDrive.Sync.Setup.EndExperience + +This event includes a success or failure summary of the installation. + +The following fields are available: + +- **APIName** The name of the API. +- **HResult** HResult of the operation +- **IsSuccess** Whether the operation is successful or not +- **ScenarioName** The name of the scenario. + + +### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation + +This event is related to the OS version when the OS is upgraded with OneDrive installed. + +The following fields are available: + +- **CurrentOneDriveVersion** The current version of OneDrive. +- **CurrentOSBuildBranch** The current branch of the operating system. +- **CurrentOSBuildNumber** The current build number of the operating system. +- **CurrentOSVersion** The current version of the operating system. +- **HResult** The HResult of the operation. +- **SourceOSBuildBranch** The source branch of the operating system. +- **SourceOSBuildNumber** The source build number of the operating system. +- **SourceOSVersion** The source version of the operating system. + + +### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation + +This event is related to registering or unregistering the OneDrive update task. + +The following fields are available: + +- **APIName** The name of the API. +- **IsSuccess** Was the operation successful? +- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation. +- **ScenarioName** The name of the scenario. +- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation. + + +### Microsoft.OneDrive.Sync.Updater.ComponentInstallState + +This event includes basic data about the installation state of dependent OneDrive components. + +The following fields are available: + +- **ComponentName** The name of the dependent component. +- **isInstalled** Is the dependent component installed? + + +### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus + +This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken + +The following fields are available: + +- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system. +- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system. + + +### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult + +This event sends information describing the result of the update. + +The following fields are available: + +- **hr** The HResult of the operation. +- **IsLoggingEnabled** Indicates whether logging is enabled for the updater. +- **UpdaterVersion** The version of the updater. + + +### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult + +This event determines the status when downloading the OneDrive update configuration file. + +The following fields are available: + +- **hr** The HResult of the operation. + + +### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus + +This event determines the error code that was returned when verifying Internet connectivity. + +The following fields are available: + +- **winInetError** The HResult of the operation. + + +## Privacy consent logging events + +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted + +This event is used to determine whether the user successfully completed the privacy consent experience. + +The following fields are available: + +- **presentationVersion** Which display version of the privacy consent experience the user completed +- **privacyConsentState** The current state of the privacy consent experience +- **settingsVersion** Which setting version of the privacy consent experience the user completed +- **userOobeExitReason** The exit reason of the privacy consent experience + + +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus + +Event tells us effectiveness of new privacy experience. + +The following fields are available: + +- **isAdmin** whether the person who is logging in is an admin +- **isExistingUser** whether the account existed in a downlevel OS +- **isLaunching** Whether or not the privacy consent experience will be launched +- **isSilentElevation** whether the user has most restrictive UAC controls +- **privacyConsentState** whether the user has completed privacy experience +- **userRegionCode** The current user's region setting + + +### wilActivity + +This event provides a Windows Internal Library context used for Product and Service diagnostics. + +The following fields are available: + +- **-149ngContextMessage** No content is currently available. +- **3645entContextName** No content is currently available. +- **379rentContextName** No content is currently available. +- **532rentContextName** No content is currently available. +- **677rentContextName** No content is currently available. +- **8108entContextName** No content is currently available. +- **8251entContextName** No content is currently available. +- **902rentContextName** No content is currently available. +- **9567ngContextMessage** No content is currently available. +- **9717ngContextMessage** No content is currently available. +- **callContext** The function where the failure occurred. +- **currentContextId** The ID of the current call context where the failure occurred. +- **currentContextMessage** The message of the current call context where the failure occurred. +- **currentContextMessaon** No content is currently available. +- **currentContextName** The name of the current call context where the failure occurred. +- **failureCount** The number of failures for this failure ID. +- **failureId** The ID of the failure that occurred. +- **failureType** The type of the failure that occurred. +- **fileName** The file name where the failure occurred. +- **functige** No content is currently available. +- **function** The function where the failure occurred. +- **hresult** The HResult of the overall activity. +- **lineNumber** The line number where the failure occurred. +- **message** The message of the failure that occurred. +- **module** The module where the failure occurred. +- **ori1-0467ngContextMessage** No content is currently available. +- **ori1-1210ngContextMessage** No content is currently available. +- **ori1143-7ngContextMessage** No content is currently available. +- **ori1-1945ngContextMessage** No content is currently available. +- **ori13s090ngContextMessage** No content is currently available. +- **ori1-4671entContextName** No content is currently available. +- **ori1-5108ngContextMessage** No content is currently available. +- **ori1-5686ngContextMessage** No content is currently available. +- **ori1n:667ngContextMessage** No content is currently available. +- **ori1n8488ngContextMessage** No content is currently available. +- **ori1-s4o5ngContextMessage** No content is currently available. +- **ori808467ngContextMessage** No content is currently available. +- **originatingContextId** The ID of the originating call context that resulted in the failure. +- **originatingContextMessage** The message of the originating call context that resulted in the failure. +- **originatingContextName** The name of the originating call context that resulted in the failure. +- **threa0Id** No content is currently available. +- **threadId** The ID of the thread on which the activity is executing. + + +## Sediment events + +### Microsoft.Windows.Sediment.Info.DetailedState + +This event is sent when detailed state information is needed from an update trial run. + +The following fields are available: + +- **Data** Data relevant to the state, such as what percent of disk space the directory takes up. +- **Id** Identifies the trial being run, such as a disk related trial. +- **ReleaseVer** The version of the component. +- **State** The state of the reporting data from the trial, such as the top-level directory analysis. +- **Time** The time the event was fired. + + +### Microsoft.Windows.Sediment.Info.Error + +This event indicates an error in the updater payload. This information assists in keeping Windows up to date. + +The following fields are available: + +- **FailureType** The type of error encountered. +- **FileName** The code file in which the error occurred. +- **HResult** The failure error code. +- **LineNumber** The line number in the code file at which the error occurred. +- **ReleaseVer** The version information for the component in which the error occurred. +- **Time** The system time at which the error occurred. + + +### Microsoft.Windows.Sediment.Info.PhaseChange + +The event indicates progress made by the updater. This information assists in keeping Windows up to date. + +The following fields are available: + +- **NewPhase** The phase of progress made. +- **ReleaseVer** The version information for the component in which the change occurred. +- **Time** The system time at which the phase chance occurred. + + +## Setup events + +### SetupPlatformTel.SetupPlatformTelActivityEvent + +This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date. + +The following fields are available: + +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **Value** Value associated with the corresponding event name. For example, time-related events will include the system time + + +### SetupPlatformTel.SetupPlatformTelActivityStarted + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + +The following fields are available: + +- **Name** The name of the dynamic update type. Example: GDR driver + + +### SetupPlatformTel.SetupPlatformTelActivityStopped + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + + + +### SetupPlatformTel.SetupPlatformTelEvent + +This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios. + +The following fields are available: + +- **Falue** No content is currently available. +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. + + +## Software update events + +### SoftwareUpdateClientTelemetry.CheckForUpdates + +Scan process event on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). + +The following fields are available: + +- **AativityMatchingId** No content is currently available. +- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. +- **ActivityMatcjingId** No content is currently available. +- **AllowCachedResul|s** No content is currently available. +- **AllowCachedResults** Indicates if the scan allowed using cached results. +- **AllowCachedRmsults** No content is currently available. +- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. +- **BranchReadinessLevel** The servicing branch configured on the device. +- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated. +- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. +- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0. +- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown +- **CurrentMobileOperator** The mobile operator the device is currently connected to. +- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). +- **DeferredUpdates** Update IDs which are currently being deferred until a later time +- **DeviceModel** What is the device model. +- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. +- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. +- **DriverSyncPassPerformed** Were drivers scanned this time? +- **DriverSyncPasSPerformed** No content is currently available. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **ExtendedetadataICabUrl** No content is currently available. +- **ExtendedMetadataCabUrl** Hostname that is used to download an update. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. +- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. +- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. +- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days). +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FeatureUpdatePausePerimd** No content is currently available. +- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days). +- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). +- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IPVersion** Indicates whether the download took place over IPv4 or IPv6 +- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEna`led** No content is currently available. +- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. +- **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. +- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce +- **MSIError** The last error that was encountered during a scan for updates. +- **NetworkConneativityDetected** No content is currently available. +- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 +- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete +- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked +- **NumberOfLoop** The number of round trips the scan required +- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan +- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan +- **NumFailedetadataISignatures** No content is currently available. +- **NumFailedMetadatabignatures** No content is currently available. +- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. +- **Online** Indicates if this was an online scan. +- **PausedUpdates** A list of UpdateIds which that currently being paused. +- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window. +- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window. +- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window. +- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window. +- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced. +- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. +- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days). +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days). +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **ScanDurationInSeconds** The number of seconds a scan took +- **ScanEnqueueTime** The number of seconds it took to initialize a scan +- **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). +- **ServiaeUrl** No content is currently available. +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). +- **ServiceUrl** The environment URL a device is configured to scan with +- **ShippingMobileOperator** The mobile operator that a device shipped on. +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). +- **SyncType** Describes the type of scan the event was +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. +- **TotalNumetadataISignatures** No content is currently available. +- **TotalNumMetadatabignatures** No content is currently available. +- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. +- **VelatedCV** No content is currently available. +- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### SoftwareUpdateClientTelemetry.Commit + +This event tracks the commit process post the update installation when software update client is trying to update the device. + +The following fields are available: + +- **BiosFamily** Device family as defined in the system BIOS +- **BiosName** Name of the system BIOS +- **BiosReleaseDate** Release date of the system BIOS +- **BiosSKUNumber** Device SKU as defined in the system BIOS +- **BIOSVendor** Vendor of the system BIOS +- **BiosVersion** Version of the system BIOS +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRevisionNumber** Identifies the revision number of the content bundle +- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** Version number of the software distribution client +- **DeploymentProviderMode** The mode of operation of the update deployment provider. +- **DeviceModel** Device model as defined in the system bios +- **EventInstanceID** A globally unique identifier for event instance +- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver". +- **FlightId** The specific id of the flight the device is getting +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) +- **RevisionNumber** Identifies the revision number of this specific piece of content +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). +- **SystemBIOSMajorRelease** Major release version of the system bios +- **SystemBIOSMinorRelease** Minor release version of the system bios +- **UpdateId** Identifier associated with the specific piece of content +- **WUDeviceID** Unique device id controlled by the software distribution client + + +### SoftwareUpdateClientTelemetry.Download + +Download process event for target update on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). + +The following fields are available: + +- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded. +- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload. +- **AppXBlocKHashFailures** No content is currently available. +- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. +- **AppXDownloadScope** Indicates the scope of the download for application content. +- **AppXScope** Indicates the scope of the app download. +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. +- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. +- **BundleId** Identifier associated with the specific content bundle. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **BundleRevisionumber** No content is currently available. +- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). +- **CachedEngineVersion** The version of the “Self-Initiated Healing” (SIH) engine that is cached on the device, if applicable. +- **CallerApplicationName** The name provided by the application that initiated API calls into the software distribution client. +- **CallerApplicavionName** No content is currently available. +- **CbsDownloadMethod** Indicates whether the download was a full- or a partial-file download. +- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. +- **CDNCoun|ryCode** No content is currently available. +- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. +- **CDNId** ID which defines which CDN the software distribution client downloaded the content from. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. +- **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. +- **CurrentMobileOperator** The mobile operator the device is currently connected to. +- **DeviceModel** The model of the device. +- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. +- **DownloadProps** Information about the download operation properties in the form of a bitmask. +- **DownloadType** Differentiates the download type of “Self-Initiated Healing” (SIH) downloads between Metadata and Payload downloads. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed. +- **EventType** Identifies the type of the event (Child, Bundle, or Driver). +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FFightBuildNumber** No content is currently available. +- **FFightId** No content is currently available. +- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). +- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. +- **FlightId** The specific ID of the flight (pre-release build) the device is getting. +- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). +- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. +- **HostName** The hostname URL the content is downloading from. +- **IPVersion** Indicates whether the download took place over IPv4 or IPv6. +- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update +- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. +- **IsWUfBEnaBled** No content is currently available. +- **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. +- **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) +- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." +- **PackageFullName** The package name of the content. +- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. +- **PostDnldTime** Time (in seconds) taken to signal download completion after the last job completed downloading the payload. +- **ProcessName** The process name of the application that initiated API calls, in the event where CallerApplicationName was not provided. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background. +- **RegulationReason** The reason that the update is regulated +- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. +- **RegulitionResult** No content is currently available. +- **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. +- **RepeatFailCount** Indicates whether this specific content has previously failed. +- **RepeatFailFlag** Indicates whether this specific content previously failed to download. +- **RevisionNumber** The revision number of the specified piece of content. +- **RevisionNUmber** No content is currently available. +- **Revisionumber** No content is currently available. +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). +- **ServiceGUid** No content is currently available. +- **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. +- **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. +- **SizeCalcTime** Time (in seconds) taken to calculate the total download size of the payload. +- **SonnectTime** No content is currently available. +- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **TargetMetadataVersion** The version of the currently downloading (or most recently downloaded) package. +- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet. +- **TimeToEstablishConnection** Time (in milliseconds) it took to establish the connection prior to beginning downloaded. +- **TotalExpectedBytes** The total size (in Bytes) expected to be downloaded. +- **UpdateId** An identifier associated with the specific piece of content. +- **UpdateID** An identifier associated with the specific piece of content. +- **UpdateImportance** Indicates whether the content was marked as Important, Recommended, or Optional. +- **UsedDO** Indicates whether the download used the Delivery Optimization (DO) service. +- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### SoftwareUpdateClientTelemetry.DownloadCheckpoint + +This event provides a checkpoint between each of the Windows Update download phases for UUP content + +The following fields are available: + +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** The version number of the software distribution client +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver" +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough +- **FileId** A hash that uniquely identifies a file +- **FileName** Name of the downloaded file +- **FlightId** The unique identifier for each flight +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RevisionNumber** Unique revision number of Update +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.) +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult) +- **UpdateId** Unique Update ID +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue + + +### SoftwareUpdateClientTelemetry.DownloadHeartbeat + +This event allows tracking of ongoing downloads and contains data to explain the current state of the download + +The following fields are available: + +- **BytesTotal** Total bytes to transfer for this content +- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat +- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** The version number of the software distribution client +- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat +- **CurrentError** Last (transient) error encountered by the active download +- **DownloadFlags** Flags indicating if power state is ignored +- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing) +- **EventType** Possible values are "Child", "Bundle", or "Driver" +- **FlightId** The unique identifier for each flight +- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered" +- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any +- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any +- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one +- **ResumeCount** Number of times this active download has resumed from a suspended state +- **RevisionNumber** Identifies the revision number of this specific piece of content +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) +- **SuspendCount** Number of times this active download has entered a suspended state +- **SuspendReason** Last reason for why this active download entered a suspended state +- **UpdateId** Identifier associated with the specific piece of content +- **WUDeviceID** Unique device id controlled by the software distribution client + + +### SoftwareUpdateClientTelemetry.Install + +This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date. + +The following fields are available: + +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to install. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0. +- **CSIErrorType** The stage of CBS installation where it failed. +- **CurrentMobileOperator** The mobile operator to which the device is currently connected. +- **DeploymentProviderMode** The mode of operation of the update deployment provider. +- **DeviceModel** The device model. +- **DriverPifgBack** No content is currently available. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. +- **EventType** Possible values are Child, Bundle, or Driver. +- **ExtendedErrorCode** The extended error code. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBranch** The branch that a device is on if participating in the Windows Insider Program. +- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **FlightRing** The ring that a device is on if participating in the Windows Insider Program. +- **HandlerType** Indicates what kind of content is being installed (for example, app, driver, Windows update). +- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. +- **InstallProps** A bitmask for future flags associated with the install operation. No value is currently reported in this field. Expected value for this field is 0. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IsDependentSet** Indicates whether the driver is part of a larger System Hardware/Firmware update. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether this update is a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. +- **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. +- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. +- **MsiAction** The stage of MSI installation where it failed. +- **MsiProductCode** The unique identifier of the MSI installer. +- **PackageFullName** The package name of the content being installed. +- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced. +- **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. +- **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. +- **RevisionNumber** The revision number of this specific piece of content. +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). +- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. +- **ShippingMobileOperator** The mobile operator that a device shipped on. +- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **TransactionCode** The ID that represents a given MSI installation. +- **UpdateId** Unique update ID. +- **UpdateID** An identifier associated with the specific piece of content. +- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. +- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### SoftwareUpdateClientTelemetry.Revert + +Revert event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). + +The following fields are available: + +- **BundleId** Identifier associated with the specific content bundle. Should not be all zeros if the BundleId was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **CSIErrorType** Stage of CBS installation that failed. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **EventType** Event type (Child, Bundle, Release, or Driver). +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of the flight. +- **FlightId** The specific ID of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **UpdateId** The identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device's main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.TaskRun + +Start event for Server Initiated Healing client. See EventScenario field for specifics (for example, started/completed). + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CmdLineArgs** Command line arguments passed in by the caller. +- **EventInstanceID** A globally unique identifier for the event instance. +- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.Uninstall + +Uninstall event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). + +The following fields are available: + +- **BundleId** The identifier associated with the specific content bundle. This should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of the application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers when a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of the event (a scan started, succeded, failed, etc.). +- **EventType** Indicates the event type. Possible values are "Child", "Bundle", "Release" or "Driver". +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of the flight. +- **FlightId** The specific ID of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If the download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **UpdateId** Identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.UpdateDetected + +This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates. + +The following fields are available: + +- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. +- **RelntedCV** No content is currently available. +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). +- **umberOfApplicableUpdates** No content is currently available. +- **WUDeviceID** The unique device ID controlled by the software distribution client. +- **xHDeviceID** No content is currently available. + + +### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity + +Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **CallerLoglicationName** No content is currently available. +- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments. +- **EventSbenario** No content is currently available. +- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **ExtendefStatusCode** No content is currently available. +- **imeZoScenario** No content is currently available. +- **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed. +- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. +- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce +- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID). +- **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable. +- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. +- **RcwMode** No content is currently available. +- **RevisionId** The revision ID for a specific piece of content. +- **RevisionNumber** The revision number for a specific piece of content. +- **SedviceGuid** No content is currently available. +- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store +- **ServiceGuidEndpointUrl** No content is currently available. +- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. +- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. +- **SHA256OfTimestampToken** An encoded string of the timestamp token. +- **SignatureAlgorithm** The hash algorithm for the metadata signature. +- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast". +- **StatusCode** Result code of the event (success, cancellation, failure code HResult) +- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token. +- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed. +- **UpdateId** The update ID for a specific piece of content. +- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. + + +## System Resource Usage Monitor events + +### Microsoft.Windows.Srum.Sdp.CpuUsage + +This event provides information on CPU usage. + +The following fields are available: + +- **UsageMax** The maximum of hourly average CPU usage. +- **UsageMean** The mean of hourly average CPU usage. +- **UsageMedian** The median of hourly average CPU usage. +- **UsageTwoHourMaxMean** The mean of the maximum of every two hour of hourly average CPU usage. +- **UsageTwoHourMedianMean** The mean of the median of every two hour of hourly average CPU usage. + + +### Microsoft.Windows.Srum.Sdp.NetworkUsage + +This event provides information on network usage. + +The following fields are available: + +- **AdapterGuid** The unique ID of the adapter. +- **BytesTotalMax** The maximum of the hourly average bytes total. +- **BytesTotalMean** The mean of the hourly average bytes total. +- **BytesTotalMedian** The median of the hourly average bytes total. +- **BytesTotalTwoHourMaxMean** The mean of the maximum of every two hours of hourly average bytes total. +- **BytesTotalTwoHourMedianMean** The mean of the median of every two hour of hourly average bytes total. +- **LinkSpeed** The adapter link speed. + + +## Update events + +### Update360Telemetry.Revert + +This event sends data relating to the Revert phase of updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the Revert phase. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **RebootRequired** Indicates reboot is required. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **RevertResult** The result code returned for the Revert operation. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. + + +### Update360Telemetry.UpdateAgentCommit + +This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the install phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentDownloadRequest + +This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. + +The following fields are available: + +- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted. +- **DownloadRequests** Number of times a download was retried. +- **ErrorCode** The error code returned for the current download request phase. +- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. +- **FlightId** Unique ID for each flight. +- **InternalFailureResult** Indicates a non-fatal error from a plugin. +- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable. +- **PackageCountOptional** Number of optional packages requested. +- **PackageCountRequired** Number of required packages requested. +- **PackageCountTotal** Total number of packages needed. +- **PackageCountTotalCanonical** Total number of canonical packages. +- **PackageCountTotalDiff** Total number of diff packages. +- **PackageCountTotalExpress** Total number of express packages. +- **PackageCountTotalPSFX** The total number of PSFX packages. +- **PackageExpressType** Type of express package. +- **PackageSizeCanonical** Size of canonical packages in bytes. +- **PackageSizeDiff** Size of diff packages in bytes. +- **PackageSizeExpress** Size of express packages in bytes. +- **PackageSizePSFX** The size of PSFX packages, in bytes. +- **RangeRequestState** Indicates the range request type used. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the download request phase of update. +- **SandboxTaggedForReserves** The sandbox for reserves. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases). +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentExpand + +This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **ElapsedTickCount** Time taken for expand phase. +- **EndFreeSpace** Free space after expand phase. +- **EndSandboxSize** Sandbox size after expand phase. +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **StartFreeSpace** Free space before expand phase. +- **StartSandboxSize** Sandbox size after expand phase. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentFellBackToCanonical + +This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **PackageCount** Number of packages that feel back to canonical. +- **PackageList** PackageIds which fell back to canonical. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentInitialize + +This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **essionData** No content is currently available. +- **FlightId** Unique ID for each flight. +- **FlightMetadata** Contains the FlightId and the build being flighted. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the install phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios). +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentInstall + +This event sends data for the install phase of updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. +- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **InternalFailureResult** Indicates a non-fatal error from a plugin. +- **ObjectId** Correlation vector value generated from the latest USO scan. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** The result for the current install phase. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentMerge + +The UpdateAgentMerge event sends data on the merge phase when updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the current merge phase. +- **FlightId** Unique ID for each flight. +- **MergeId** The unique ID to join two update sessions being merged. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Related correlation vector value. +- **Result** Outcome of the merge phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentMitigationResult + +This event sends data indicating the result of each update agent mitigation. + +The following fields are available: + +- **Applicable** Indicates whether the mitigation is applicable for the current update. +- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightId** Unique identifier for each flight. +- **Index** The mitigation index of this particular mitigation. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **Name** The friendly name of the mitigation. +- **ObjectId** Unique value for each Update Agent mode. +- **OperationIndex** The mitigation operation index (in the event of a failure). +- **OperationName** The friendly name of the mitigation operation (in the event of failure). +- **RegistryCount** The number of registry operations in the mitigation entry. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). +- **UpdateId** Unique ID for each Update. + + +### Update360Telemetry.UpdateAgentMitigationSummary + +This event sends a summary of all the update agent mitigations available for an this update. + +The following fields are available: + +- **Applicable** The count of mitigations that were applicable to the system and scenario. +- **Failed** The count of mitigations that failed. +- **FlightId** Unique identifier for each flight. +- **Friled** No content is currently available. +- **MitigationScenario** The update scenario in which the mitigations were attempted. +- **ObjectId** The unique value for each Update Agent mode. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. +- **TimeDiff** The amount of time spent performing all mitigations (in 100-nanosecond increments). +- **Total** Total number of mitigations that were available. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentModeStart + +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. + +The following fields are available: + +- **FlightId** Unique ID for each flight. +- **Mode** Indicates the mode that has started. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. +- **Version** Version of update + + +### Update360Telemetry.UpdateAgentOneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **Count** The count of applicable OneSettings for the device. +- **FlightId** Unique ID for the flight (test instance version). +- **Obj%ctId** No content is currently available. +- **ObjectId** The unique value for each Update Agent mode. +- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. +- **Values** The values sent back to the device, if applicable. + + +### Update360Telemetry.UpdateAgentPostRebootResult + +This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. + +The following fields are available: + +- **ErrorCode** The error code returned for the current post reboot phase. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **ObjectId** Unique value for each Update Agent mode. +- **PostRebootResult** Indicates the Hresult. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentReboot + +This event sends information indicating that a request has been sent to suspend an update. + +The following fields are available: + +- **ErrorCode** The error code returned for the current reboot. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. + + +### Update360Telemetry.UpdateAgentSetupBoxLaunch + +The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. + +The following fields are available: + +- **ContainsExpressPackage** Indicates whether the download package is express. +- **FlightId** Unique ID for each flight. +- **FreeSpace** Free space on OS partition. +- **InstallCount** Number of install attempts using the same sandbox. +- **ObjectId** Unique value for each Update Agent mode. +- **Quiet** Indicates whether setup is running in quiet mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **SandboxSize** Size of the sandbox. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **SetupMode** Mode of setup to be launched. +- **UpdateId** Unique ID for each Update. +- **UserSession** Indicates whether install was invoked by user actions. + + +## Update notification events + +### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat + +This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat. + +The following fields are available: + +- **CampaignConfigVersion** Configuration version for the current campaign. +- **CampaignID** Currently campaign that is running on Update Notification Pipeline (UNP). +- **ConfigCatalogVersion** Current catalog version of UNP. +- **ContentVersion** Content version for the current campaign on UNP. +- **CV** Correlation vector. +- **DetectorVersion** Most recently run detector version for the current campaign on UNP. +- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user. +- **PackageVersion** Current UNP package version. + + +## Upgrade events + +### FacilitatorTelemetry.DCATDownload + +This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **DownloadSize** Download size of payload. +- **ElapsedTime** Time taken to download payload. +- **MediaFallbackUsed** Used to determine if we used Media CompDBs to figure out package requirements for the upgrade. +- **ResultCode** Result returned by the Facilitator DCAT call. +- **Scenario** Dynamic update scenario (Image DU, or Setup DU). +- **Type** Type of package that was downloaded. +- **UpdateId** The ID of the update that was downloaded. + + +### FacilitatorTelemetry.DUDownload + +This event returns data about the download of supplemental packages critical to upgrading a device to the next version of Windows. + +The following fields are available: + +- **DownloadRequestAttributes** The attributes sent for download. +- **PackageCategoriesFailed** Lists the categories of packages that failed to download. +- **PackageCategoriesSkipped** Lists the categories of package downloads that were skipped. +- **ResultCode** The result of the event execution. +- **Scenario** Identifies the active Download scenario. +- **Url** The URL the download request was sent to. +- **Version** Identifies the version of Facilitator used. + + +### FacilitatorTelemetry.InitializeDU + +This event determines whether devices received additional or critical supplemental content during an OS upgrade. + +The following fields are available: + +- **DCATUrl** The Delivery Catalog (DCAT) URL we send the request to. +- **DownloadRequestAttributes** The attributes we send to DCAT. +- **ResultCode** The result returned from the initiation of Facilitator with the URL/attributes. +- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **Url** The Delivery Catalog (DCAT) URL we send the request to. +- **Version** Version of Facilitator. + + +### Setup360Telemetry.Downlevel + +This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the downlevel OS. +- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** More detailed information about phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback). +- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors). +- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT). +- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). +- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** An ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId. + + +### Setup360Telemetry.Finalize + +This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** More detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.OsUninstall + +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.PostRebootInstall + +This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback +- **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId. + + +### Setup360Telemetry.PreDownloadQuiet + +This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help keep Windows up to date. + +The following fields are available: + +- **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.PreDownloadUX + +This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS, to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion of the update process. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **HostOSBuildNumber** The build number of the previous operating system. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). +- **InstanceId** Unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). +- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.PreInstallQuiet + +This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT). +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.PreInstallUX + +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.Setup360 + +This event sends data about OS deployment scenarios, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FieldName** Retrieves the data point. +- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. +- **InstanãeId** No content is currently available. +- **InstanceId** Retrieves a unique identifier for each instance of a setup session. +- **ReportId** Retrieves the report ID. +- **ScenarioId** Retrieves the deployment scenario. +- **value** No content is currently available. +- **Value** Retrieves the value associated with the corresponding FieldName. + + +### Setup360Telemetry.Setup360DynamicUpdate + +This event helps determine whether the device received supplemental content during an operating system upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. +- **InstanceId** Retrieves a unique identifier for each instance of a setup session. +- **Operation** Facilitator’s last known operation (scan, download, etc.). +- **ReportId** ID for tying together events stream side. +- **ResultCode** Result returned for the entire setup operation. +- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **ScenarioId** Identifies the update scenario. +- **TargetBranch** Branch of the target OS. +- **TargetBuild** Build of the target OS. + + +### Setup360Telemetry.Setup360MitigationResult + +This event sends data indicating the result of each setup mitigation. + +The following fields are available: + +- **Applicable** TRUE if the mitigation is applicable for the current update. +- **ClientId** In the Windows Update scenario, this is the client ID passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightData** The unique identifier for each flight (test release). +- **Index** The mitigation index of this particular mitigation. +- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **Name** The friendly (descriptive) name of the mitigation. +- **OperationIndex** The mitigation operation index (in the event of a failure). +- **OperationName** The friendly (descriptive) name of the mitigation operation (in the event of failure). +- **RegistryCount** The number of registry operations in the mitigation entry. +- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. +- **Result** HResult of this operation. +- **ScenarioId** Setup360 flow type. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). + + +### Setup360Telemetry.Setup360MitigationSummary + +This event sends a summary of all the setup mitigations available for this update. + +The following fields are available: + +- **Applicable** The count of mitigations that were applicable to the system and scenario. +- **ClientId** The Windows Update client ID passed to Setup. +- **Failed** The count of mitigations that failed. +- **FlightData** The unique identifier for each flight (test release). +- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. +- **MitigationScenario** The update scenario in which the mitigations were attempted. +- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. +- **Result** HResult of this operation. +- **ScenarioId** Setup360 flow type. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). +- **Total** The total number of mitigations that were available. + + +### Setup360Telemetry.Setup360OneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **ClientId** The Windows Update client ID passed to Setup. +- **Count** The count of applicable OneSettings for the device. +- **FlightData** The ID for the flight (test instance version). +- **InstanceId** The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe. +- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. +- **ReportId** The Update ID passed to Setup. +- **Result** The HResult of the event error. +- **ScenarioId** The update scenario ID. +- **Values** Values sent back to the device, if applicable. + + +### Setup360Telemetry.UnexpectedEvent + +This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **o-Ste** No content is currently available. +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +## Windows as a Service diagnostic events + +### Microsoft.Windows.WaaSMedic.SummaryEvent + +Result of the WaaSMedic operation. + +The following fields are available: + +- **callerApplication** The name of the calling application. +- **capsuleCount** The number of Sediment Pack capsules. +- **capsuleFailureCount** The number of capsule failures. +- **detectionSummary** Result of each applicable detection that was run. +- **featureAssessmentImpact** WaaS Assessment impact for feature updates. +- **hrEngineBlockReason** Indicates the reason for stopping WaaSMedic. +- **hrEngineResult** Error code from the engine operation. +- **hrLastSandboxError** The last error sent by the WaaSMedic sandbox. +- **initSummary** Summary data of the initialization method. +- **insufficientSessions** Device not eligible for diagnostics. +- **isInteractiveMode** The user started a run of WaaSMedic. +- **isManaged** Device is managed for updates. +- **isWUConnected** Device is connected to Windows Update. +- **noMoreActions** No more applicable diagnostics. +- **pluginFailureCount** The number of plugins that have failed. +- **pluginsCount** The number of plugins. +- **qualityAssessmentImpact** WaaS Assessment impact for quality updates. +- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on. +- **usingBackupFeatureAssessment** Relying on backup feature assessment. +- **usingBackupQualityAssessment** Relying on backup quality assessment. +- **usingCachedFeatureAssessment** WaaS Medic run did not get OS build age from the network on the previous run. +- **usingCachedQualityAssessment** WaaS Medic run did not get OS revision age from the network on the previous run. +- **versionbtring** No content is currently available. +- **versionString** Version of the WaaSMedic engine. +- **waasMedicRunMode** Indicates whether this was a background regular run of the medic or whether it was triggered by a user launching Windows Update Troubleshooter. + + +## Windows Error Reporting events + +### Microsoft.Windows.WERVertical.OSCrash + +This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. + +The following fields are available: + +- **BootId** Uint32 identifying the boot number for this device. +- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check. +- **BugCheckPar%meter2** No content is currently available. +- **BugCheckParameter1** Uint64 parameter providing additional information. +- **BugCheckParameter2** Uint64 parameter providing additional information. +- **BugCheckParameter3** Uint64 parameter providing additional information. +- **BugCheckParameter4** Uint64 parameter providing additional information. +- **DumpFileAttributes** Codes that identify the type of data contained in the dump file +- **DumpFileSize** Size of the dump file +- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise +- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). + + +## Windows Error Reporting MTT events + +### Microsoft.Windows.WER.MTT.Denominator + +This event provides a denominator to calculate MTTF (mean-time-to-failure) for crashes and other errors, to help keep Windows up to date. + +The following fields are available: + +- **DPRange** Maximum mean value range. +- **DPValue** Randomized bit value (0 or 1) that can be reconstituted over a large population to estimate the mean. +- **Value** Standard UTC emitted DP value structure See [Value](#value). + + +### Value + +This event returns data about Mean Time to Failure (MTTF) for Windows devices. It is the primary means of estimating reliability problems in Basic Diagnostic reporting with very strong privacy guarantees. Since Basic Diagnostic reporting does not include system up-time, and since that information is important to ensuring the safe and stable operation of Windows, the data provided by this event provides that data in a manner which does not threaten a user’s privacy. + +The following fields are available: + +- **Algorithm** The algorithm used to preserve privacy. +- **DPRange** The upper bound of the range being measured. +- **DPValue** The randomized response returned by the client. +- **Epsilon** The level of privacy to be applied. +- **HistType** The histogram type if the algorithm is a histogram algorithm. +- **PertProb** The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”. + + +## Windows Store events + +### Microsoft.Windows.Store.StoreActivating + +This event sends tracking data about when the Store app activation via protocol URI is in progress, to help keep Windows up to date. + + + +### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation + +This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AggregatedPackageFullNcmes** No content is currently available. +- **AttemptNumber** Number of retry attempts before it was canceled. +- **BundleId** The Item Bundle ID. +- **Bundlele** No content is currently available. +- **CategoryId** The Item Category ID. +- **Categoryle** No content is currently available. +- **ClientAppId** The identity of the app that initiated this operation. +- **ClientApple** No content is currently available. +- **HResult** The result code of the last action performed before this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Was this requested by a user? +- **IsMandatory** Was this a mandatory update? +- **IsRemediation** Was this a remediation install? +- **IsRestore** Is this automatically restoring a previously acquired product? +- **IsUpdate** Flag indicating if this is an update. +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **ParentBundlele** No content is currently available. +- **PFN** The product family name of the product being installed. +- **Producele** No content is currently available. +- **ProductId** The identity of the package or packages being installed. +- **S{stemAttemptNumber** No content is currently available. +- **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled. +- **UserAttemptNumber** The total number of user attempts at installation before it was canceled. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds + +This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure. + + + +### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare + +This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure. + + + +### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation + +This event is sent when an app update or installation is canceled while in interactive mode. This can be canceled by the user or the system. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed. +- **AttemptNumber** Total number of installation attempts. +- **BundleId** The identity of the Windows Insider build that is associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Was this requested by a user? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this an automatic restore of a previously acquired product? +- **IsUpdate** Is this a product update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of all packages to be downloaded and installed. +- **PreviousHResult** The previous HResult code. +- **PreviousInstallState** Previous installation state before it was canceled. +- **ProductId** The name of the package or packages requested for installation. +- **RelatedCV** Correlation Vector of a previous performed action on this product. +- **SystemAttemptNumber** Total number of automatic attempts to install before it was canceled. +- **UserAttemptNumber** Total number of user attempts to install before it was canceled. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest + +This event is sent at the end of app installations or updates to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The Store Product ID of the app being installed. +- **HResult** HResult code of the action being performed. +- **IsBundle** Is this a bundle? +- **PackageFamilyName** The name of the package being installed. +- **ProductId** The Store Product ID of the product being installed. +- **SkuId** Specific edition of the item being installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense + +This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNaies** No content is currently available. +- **AggregatedpackageFullNames** No content is currently available. +- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set. +- **AttemptNumber** The total number of attempts to acquire this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** HResult code to show the result of the operation (success/failure). +- **IsBundle** Is this a bundle? +- **IsInteractive** Did the user initiate the installation? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this happening after a device restore? +- **IsUp`ate** No content is currently available. +- **IsUpdate** Is this an update? +- **ParentBuneleId** No content is currently available. +- **PFN** Product Family Name of the product being installed. +- **Produc|Id** No content is currently available. +- **productId** No content is currently available. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNueber** No content is currently available. +- **SystemAttemptNumber** The number of attempts by the system to acquire this product. +- **UserAttemptNumber** The number of attempts by the user to acquire this product +- **UserCttemptNumber** No content is currently available. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndDownload + +This event is sent after an app is downloaded to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullLames** No content is currently available. +- **AggregatedPackageFullNaðes** No content is currently available. +- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. +- **AsUpdate** No content is currently available. +- **AttemptNumber** Number of retry attempts before it was canceled. +- **BundleId** The identity of the Windows Insider build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **CategoryIf** No content is currently available. +- **ClientAppId** The identity of the app that initiated this operation. +- **DownloadSize** The total size of the download. +- **ExtendedHResult** Any extended HResult error codes. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this initiated by the user? +- **IsMandatory** Is this a mandatory installation? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this a restore of a previously acquired product? +- **IsUpdate** Is this an update? +- **ParentBundleId** The parent bundle ID (if it's part of a bundle). +- **PFN** The Product Family Name of the app being download. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The number of attempts by the system to download. +- **UserAttemptNum`er** No content is currently available. +- **UserAttemptNumber** The number of attempts by the user to download. +- **UserCttemptNumber** No content is currently available. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate + +This event is sent when an app update requires an updated Framework package and the process starts to download it. It is used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed before this operation. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds + +This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed before this operation. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndInstall + +This event is sent after a product has been installed to help keep Windows up-to-date and secure. + +The following fields are available: + +- **__TlgCÖ__** No content is currently available. +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **ExtendedHResult** The extended HResult error code. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this an interactive installation? +- **IsInteragtive** No content is currently available. +- **IsMandatory** Is this a mandatory installation? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this automatically restoring a previously acquired product? +- **IsRestorg** No content is currently available. +- **IsUpdate** Is this an update? +- **KsBundle** No content is currently available. +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** Product Family Name of the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates + +This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsApplicability** Is this request to only check if there are any applicable packages to install? +- **IsInteractive** Is this user requested? +- **IsOnline** Is the request doing an online check? + + +### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages + +This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData + +This event is sent after restoring user data (if any) that needs to be restored following a product install. It is used to keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of system attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare + +This event is sent after a scan for available app updates to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed. + + +### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete + +This event is sent at the end of an app install or update to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The name of the product catalog from which this app was chosen. +- **CatanogId** No content is currently available. +- **CatdlogId** No content is currently available. +- **FailedRetry** Indicates whether the installation or update retry was successful. +- **HResult** The HResult code of the operation. +- **JResult** No content is currently available. +- **PFN** The Package Family Name of the app that is being installed or updated. +- **Producele** No content is currently available. +- **ProductId** The product ID of the app that is being updated or installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate + +This event is sent at the beginning of an app install or update to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The name of the product catalog from which this app was chosen. +- **FulfillmentPluginId** The ID of the plugin needed to install the package type of the product. +- **PFN** The Package Family Name of the app that is being installed or updated. +- **PluginTelemetryData** Diagnostic information specific to the package-type plug-in. +- **ProductId** The product ID of the app that is being updated or installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest + +This event is sent when a product install or update is initiated, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **BundleId** The identity of the build associated with this product. +- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SkuId** Specific edition ID being installed. +- **VolumePath** The disk path of the installation. + + +### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation + +This event is sent when a product install or update is paused (either by a user or the system), to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The Product Full Name. +- **PreviousHResult** The result code of the last action performed before this operation. +- **PreviousInstallState** Previous state before the installation or update was paused. +- **ProductId** The Store Product ID for the product being installed. +- **RelatedCV** Correlation Vector of a previous performed action on this product. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation + +This event is sent when a product install or update is resumed (either by a user or the system), to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **categoryId** No content is currently available. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed before this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **IsUserRetry** Did the user initiate the retry? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **PreviousHResult** The previous HResult error code. +- **PreviousInstallState** Previous state before the installation was paused. +- **ProductId** The Store Product ID for the product being installed. +- **RelatedCV** Correlation Vector for the original install before it was resumed. +- **ResumeClientId** The ID of the app that initiated the resume operation. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest + +This event is sent when a product install or update is resumed by a user or on installation retries, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ProductId** The Store Product ID for the product being installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest + +This event is sent when searching for update packages to install, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The Store Catalog ID for the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SkuId** Specfic edition of the app being updated. + + +### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest + +This event occurs when an update is requested for an app, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **PFamN** The name of the app that is requested for update. + + +## Windows System Kit events + +### Microsoft.Windows.Kits.WSK.WskImageCreate + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures. + +The following fields are available: + +- **Phase** The image creation phase. Values are “Start” or “End”. +- **WskVersion** The version of the Windows System Kit being used. + + +### Microsoft.Windows.Kits.WSK.WskImageCustomization + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures. + +The following fields are available: + +- **CustomizationMode** Indicates the mode of the customization (new or updating). +- **CustomizationType** Indicates the type of customization (drivers or apps). +- **Mode** The mode of update to image configuration files. Values are “New” or “Update”. +- **Phase** The image creation phase. Values are “Start” or “End”. +- **Type** The type of update to image configuration files. Values are “Apps” or “Drivers”. +- **WskVersion** The version of the Windows System Kit being used. + + +### Microsoft.Windows.Kits.WSK.WskWorkspaceCreate + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new workspace for generating OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate workspace creation failures. + +The following fields are available: + +- **Architecture** The OS architecture that the workspace will target. Values are one of: “AMD64”, “ARM64”, “x86”, or “ARM”. +- **OsEdition** The Operating System Edition that the workspace will target. +- **Phase** The image creation phase. Values are “Start” or “End”. +- **WorkspaceArchitecture** The operating system architecture that the workspace will target. +- **WorkspaceOsEdition** The operating system edition that the workspace will target. +- **WskVersion** The version of the Windows System Kit being used. + + +## Windows Update Delivery Optimization events + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled + +This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download being done in the background? +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same group. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group. +- **bytesFromLinkLocalPeers** The number of bytes received from local peers. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **cdnIp** The IP Address of the source CDN (Content Delivery Network). +- **cdnUrl** The URL of the source CDN (Content Delivery Network). +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **errorCode** The error code that was returned. +- **experimentId** When running a test, this is used to correlate events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. +- **isVpn** Indicates whether the device is connected to a VPN (Virtual Private Network). +- **jobID** Identifier for the Windows Update job. +- **predefinedCallerName** The name of the API Caller. +- **reasonCode** Reason the action or event occurred. +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the file download session. +- **updateID** The ID of the update being downloaded. +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted + +This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **#dnErrorCounts** No content is currently available. +- **__TlgCVß_** No content is currently available. +- **|anConnectionCount** No content is currently available. +- **}plinkUsageBps** No content is currently available. +- **0redefinedCallerName** No content is currently available. +- **b6nConnectionCount** No content is currently available. +- **b6nErrorCodes** No content is currently available. +- **b6nErrorCounts** No content is currently available. +- **b6nIp** No content is currently available. +- **b6nUrl** No content is currently available. +- **b9tesFromPeers** No content is currently available. +- **background** Is the download a background download? +- **bytesFrkmIntPeers** No content is currently available. +- **bytesFromCacheSedver** No content is currently available. +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCdN** No content is currently available. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGpoupPeers** No content is currently available. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. +- **bytesFromIntÐeers** No content is currently available. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. +- **byTesFromIntPeers** No content is currently available. +- **bytesFromLinkLocalPeers** The number of bytes received from local peers. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **bytesRequested** The total number of bytes requested for download. +- **cacheSarverConnectionCount** No content is currently available. +- **cacheSedverConnectionCount** No content is currently available. +- **cacheServerConndctionCount** No content is currently available. +- **cacheServerConnectionCoujt** No content is currently available. +- **cacheServerConnectionCount** Number of connections made to cache hosts. +- **cdnConnectionCount** The total number of connections made to the CDN. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **cdnIp** The IP address of the source CDN. +- **cdnSonnectionCount** No content is currently available. +- **cdnUrl** Url of the source Content Distribution Network (CDN). +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **dkwnloadModeSrc** No content is currently available. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **dowflinkBps** No content is currently available. +- **downlinkBps** The maximum measured available download bandwidth (in bytes per second). +- **downlinkUsageBps** The download speed (in bytes per second). +- **downloadMode** The download mode used for this file download session. +- **doWnloadMode** No content is currently available. +- **downloadModeReason** Reason for the download. +- **downloadModeS2c** No content is currently available. +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **downloadMofeSrc** No content is currently available. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **expiresAt** The time when the content will expire from the Delivery Optimization Cache. +- **fileID** The ID of the file being downloaded. +- **fileSize** The size of the file being downloaded. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. +- **groupConjectionCount** No content is currently available. +- **groupConnectionCount** The total number of connections made to peers in the same group. +- **in4ernetConnectionCount** No content is currently available. +- **internetConnectionCnunt** No content is currently available. +- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group. +- **internetConnectionCountdownlinkBps** No content is currently available. +- **isEjcrypted** No content is currently available. +- **isEncryptdd** No content is currently available. +- **isEncrypted** TRUE if the file is encrypted and will be decrypted after download. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **lanConnectionCo}nt** No content is currently available. +- **lanConnectionCount** The total number of connections made to peers in the same LAN. +- **linkLocalConnectionCount** The number of connections made to peers in the same Link-local network. +- **numPeers** The total number of peers used for this download. +- **numPeersLocal** The total number of local peers used for this download. +- **predefi.edCallerName** No content is currently available. +- **predefinedCallerName** The name of the API Caller. +- **predefinedCalleRName** No content is currently available. +- **rcdnIp** No content is currently available. +- **restrictedUpload** Is the upload restricted? +- **romteToCacheServer** No content is currently available. +- **roupeToCacheServer** No content is currently available. +- **routeTnCacheServer** No content is currently available. +- **routeToCacheSedver** No content is currently available. +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the download session. +- **totalTimeMs** Duration of the download (in seconds). +- **updateID** The ID of the update being downloaded. +- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). +- **uplinkUsageBps** The upload speed (in bytes per second). +- **uplinkUsegeBps** No content is currently available. +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused + +This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **AddinType** No content is currently available. +- **backgground** No content is currently available. +- **backgro}nd** No content is currently available. +- **backgrou|d** No content is currently available. +- **background** Is the download a background download? +- **BinFileTimestamp** No content is currently available. +- **BinFileVersion** No content is currently available. +- **c`nUrl** No content is currently available. +- **cdnUrl** The URL of the source CDN (Content Delivery Network). +- **errorBode** No content is currently available. +- **errorCode** The error code that was returned. +- **expebimentId** No content is currently available. +- **expebimentIderrorCode** No content is currently available. +- **experiientId** No content is currently available. +- **experimenpId** No content is currently available. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being paused. +- **FileId** No content is currently available. +- **FileSize** No content is currently available. +- **isVp|** No content is currently available. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **ksVpn** No content is currently available. +- **LoadBehavior** No content is currently available. +- **LSID** No content is currently available. +- **OfficeArchitecture** No content is currently available. +- **OutlookCrashingAddin** No content is currently available. +- **predefinedCallerName** The name of the API Caller object. +- **ProductCompany** No content is currently available. +- **ProductName** No content is currently available. +- **ProductVersion** No content is currently available. +- **ProgramId** No content is currently available. +- **Provider** No content is currently available. +- **reasonCod%** No content is currently available. +- **reasonCode** The reason for pausing the download. +- **recsonCodesessiolID** No content is currently available. +- **routeToCacheSedver** No content is currently available. +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the download session. +- **updateID** The ID of the update being paused. +- **updateMD** No content is currently available. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted + +This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **b6nUrl** No content is currently available. +- **background** Indicates whether the download is happening in the background. +- **bacoground** No content is currently available. +- **bileSizeCaller** No content is currently available. +- **bytesRequested** Number of bytes requested for the download. +- **cdnUrl** The URL of the source Content Distribution Network (CDN). +- **costFlags** A set of flags representing network cost. +- **costFlaos** No content is currently available. +- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). +- **diceRoll** Random number used for determining if a client will use peering. +- **doClientVersion** The version of the Delivery Optimization client. +- **doErrorC/de** No content is currently available. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **doErrorCoee** No content is currently available. +- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). +- **downloadModeReason** Reason for the download. +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **errorCode** The error code that was returned. +- **experimejtId** No content is currently available. +- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing. +- **expeZone** No content is currently available. +- **faleID** No content is currently available. +- **fiheID** No content is currently available. +- **fileID** The ID of the file being downloaded. +- **filePat(** No content is currently available. +- **filePath** The path to where the downloaded file will be written. +- **fileSize** Total file size of the file that was downloaded. +- **fileSizeCaller** Value for total file size provided by our caller. +- **groqpID** No content is currently available. +- **groupID** ID for the group. +- **isEncrypted** Indicates whether the download is encrypted. +- **isFpn** No content is currently available. +- **isVpn** Indicates whether the device is connected to a Virtual Private Network. +- **jobID** The ID of the Windows Update job. +- **peerID** The ID for this delivery optimization client. +- **predefinedCall%rName** No content is currently available. +- **predefinedCallerName** Name of the API caller. +- **rimentId** No content is currently available. +- **routeToCacheSedver** No content is currently available. +- **routeToCacheServer** Cache server setting, source, and value. +- **sessionID** The ID for the file download session. +- **sessionIF** No content is currently available. +- **sessmonID** No content is currently available. +- **setConfigs** A JSON representation of the configurations that have been set, and their sources. +- **updateID** The ID of the update being downloaded. +- **updateYD** No content is currently available. +- **usedMemoryStream** Indicates whether the download used memory streaming. + + +### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication + +This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **cdnHeaders** The HTTP headers returned by the CDN. +- **cdnIp** The IP address of the CDN. +- **cdnUrl** The URL of the CDN. +- **eErrorCode** No content is currently available. +- **eErrorCunt** No content is currently available. +- **errorCode** The error code that was returned. +- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **htppStatusCode** No content is currently available. +- **httpStatusCode** The HTTP status code returned by the CDN. +- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET +- **peerTyp,** No content is currently available. +- **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.). +- **requestOffset** The byte offset within the file in the sent request. +- **requestSize** The size of the range requested from the CDN. +- **responseSize** The size of the range response received from the CDN. +- **sessionID** The ID of the download session. + + +### Microsoft.OSG.DU.DeliveryOptClient.JobError + +This event represents a Windows Update job error. It allows for investigation of top errors. + +The following fields are available: + +- **cdnIp** The IP Address of the source CDN (Content Delivery Network). +- **doErrorCode** Error code returned for delivery optimization. +- **errorCode** The error code returned. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **jobID** The Windows Update job ID. +- **jobKD** No content is currently available. + + +## Windows Update events + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary + +This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **activated** Whether the entire device manifest update is considered activated and in use. +- **analysisErrorCount** The number of driver packages that could not be analyzed because errors occurred during analysis. +- **flightId** Unique ID for each flight. +- **missingDriverCount** The number of driver packages delivered by the device manifest that are missing from the system. +- **missingUpdateCount** The number of updates in the device manifest that are missing from the system. +- **objectId** Unique value for each diagnostics session. +- **publishedCount** The number of drivers packages delivered by the device manifest that are published and available to be used on devices. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **scenarioId** Indicates the update scenario. +- **sessionId** Unique value for each update session. +- **summary** A summary string that contains basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match. +- **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string. +- **truncatedDeviceCount** The number of devices missing from the summary string because there is not enough room in the string. +- **truncatedDriverCount** The number of driver packages missing from the summary string because there is not enough room in the string. +- **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices. +- **updateId** The unique ID for each update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit + +This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **objectId** The unique GUID for each diagnostics session. +- **relatedCV** A correlation vector value generated from the latest USO scan. +- **result** Outcome of the initialization of the session. +- **scenarioId** Identifies the Update scenario. +- **sessionId** The unique value for each update session. +- **updateId** The unique identifier for each Update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest + +This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted. +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **objectId** Unique value for each Update Agent mode. +- **packageCountOptional** Number of optional packages requested. +- **packageCountRequired** Number of required packages requested. +- **packageCountTotal** Total number of packages needed. +- **packageCountTotalCanonical** Total number of canonical packages. +- **packageCountTotalDiff** Total number of diff packages. +- **packageCountTotalExpress** Total number of express packages. +- **packageSizeCanonical** Size of canonical packages in bytes. +- **packageSizeDiff** Size of diff packages in bytes. +- **packageSizeExpress** Size of express packages in bytes. +- **rangeRequestState** Represents the state of the download range request. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **result** Result of the download request phase of update. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionId** Unique value for each Update Agent mode attempt. +- **updateId** Unique ID for each update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize + +This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **flightMetadata** Contains the FlightId and the build being flighted. +- **objectId** Unique value for each Update Agent mode. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios). +- **sessionId** Unique value for each Update Agent mode attempt. +- **updateId** Unique ID for each update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall + +This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **errorCode** The error code returned for the current install phase. +- **flightId** The unique identifier for each flight (pre-release builds). +- **objectId** The unique identifier for each diagnostics session. +- **relatedCV** Correlation vector value generated from the latest scan. +- **result** Outcome of the install phase of the update. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate +- **sessionId** The unique identifier for each update session. +- **updateId** The unique identifier for each Update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart + +This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **flightId** The unique identifier for each flight (pre-release builds). +- **mode** Indicates the active Update Agent mode. +- **objectId** Unique value for each diagnostics session. +- **relatedCV** Correlation vector value generated from the latest scan. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionId** The unique identifier for each update session. +- **updateId** The unique identifier for each Update. + + +### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed + +This event indicates that a notification dialog box is about to be displayed to user. + +The following fields are available: + +- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. +- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before the RebootFailed dialog box is shown. +- **DaysSinceRebootRequired** Number of days since restart was required. +- **DeviceLocalTime** The local time on the device sending the event. +- **EngagedModeLimit** The number of days to switch between DTE dialog boxes. +- **EnterAutoModeLimit** The maximum number of days for a device to enter Auto Reboot mode. +- **ETag** OneSettings versioning value. +- **IsForcedEnabled** Indicates whether Forced Reboot mode is enabled for this device. +- **IsUltimateForcedEnabled** Indicates whether Ultimate Forced Reboot mode is enabled for this device. +- **NotificationUxState** Indicates which dialog box is shown. +- **NotificationUxStateString** Indicates which dialog box is shown. +- **RebootUxState** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). +- **RebootUxStateString** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). +- **RebootVersion** Version of DTE. +- **SkipToAutoModeLimit** The minimum length of time to pass in restart pending before a device can be put into auto mode. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UtcTime** The time the dialog box notification will be displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootAcceptAutoDialog + +This event indicates that the Enhanced Engaged restart "accept automatically" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose on this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootFirstReminderDialog + +This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed.. + +The following fields are available: + +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose in this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog + +This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** The local time of the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog + +This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** Time the dialog box was shown on the local device. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose in this dialog box. +- **UtcTime** The time that dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderDialog + +This event returns information relating to the Enhanced Engaged reboot reminder dialog that was displayed. + +The following fields are available: + +- **DeviceLocalTime** The time at which the reboot reminder dialog was shown (based on the local device time settings). +- **ETag** The OneSettings versioning value. +- **ExitCode** Indicates how users exited the reboot reminder dialog box. +- **RebootVersion** The version of the DTE (Direct-to-Engaged). +- **UpdateId** The ID of the update that is waiting for reboot to finish installation. +- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. +- **UserResponseString** The option chosen by the user on the reboot dialog box. +- **UtcTime** The time at which the reboot reminder dialog was shown (in UTC). + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderToast + +This event indicates that the Enhanced Engaged restart reminder pop-up banner was displayed. + +The following fields are available: + +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the pop-up banner. +- **RebootVersion** The version of the reboot logic. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in the pop-up banner. +- **UtcTime** The time that the pop-up banner was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.RebootScheduled + +Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update. + +The following fields are available: + +- **activeHoursApplicable** Indicates whether an Active Hours policy is present on the device. +- **IsEnhancedEngagedReboot** Indicates whether this is an Enhanced Engaged reboot. +- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. +- **rebootOutsideOfActiveHours** Indicates whether a restart is scheduled outside of active hours. +- **rebootScheduledByUser** Indicates whether the restart was scheduled by user (if not, it was scheduled automatically). +- **rebootState** The current state of the restart. +- **rebootUsingSmartScheduler** Indicates whether the reboot is scheduled by smart scheduler. +- **revisionNumber** Revision number of the update that is getting installed with this restart. +- **scheduledRebootTime** Time of the scheduled restart. +- **scheduledRebootTimeInUTC** Time of the scheduled restart in Coordinated Universal Time. +- **updateId** ID of the update that is getting installed with this restart. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy + +This event indicates a policy is present that may restrict update activity to outside of active hours. + +The following fields are available: + +- **activeHoursEnd** The end of the active hours window. +- **activeHoursStart** The start of the active hours window. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours + +This event indicates that update activity was blocked because it is within the active hours window. + +The following fields are available: + +- **activeHoursEnd** The end of the active hours window. +- **activeHoursStart** The start of the active hours window. +- **updatePhase** The current state of the update process. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.BlockedByBatteryLevel + +This event indicates that Windows Update activity was blocked due to low battery level. + +The following fields are available: + +- **batteryLevel** The current battery charge capacity. +- **batteryLevelThreshold** The battery capacity threshold to stop update activity. +- **updatePhase** The current state of the update process. +- **wuDeviceid** Device ID. + + +### Microsoft.Windows.Update.Orchestrator.DeferRestart + +This event indicates that a restart required for installing updates was postponed. + +The following fields are available: + +- **displayNeededReason** List of reasons for needing display. +- **eventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery). +- **gameModeReason** Name of the executable that caused the game mode state check to start. +- **ignoredReason** List of reasons that were intentionally ignored. +- **IgnoreReasonsForRestart** List of reasons why restart was deferred. +- **revisionNumber** Update ID revision number. +- **systemNeededReason** List of reasons why system is needed. +- **updateId** Update ID. +- **updateScenarioType** Update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.Detection + +This event indicates that a scan for a Windows Update occurred. + +The following fields are available: + +- **deferReason** The reason why the device could not check for updates. +- **detectionBlockingPolicy** The Policy that blocked detection. +- **detectionBlockreason** The reason detection did not complete. +- **detectionRetryMode** Indicates whether we will try to scan again. +- **errorCode** The error code returned for the current process. +- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. +- **flightID** The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable. +- **interactive** Indicates whether the user initiated the session. +- **networkStatus** Indicates if the device is connected to the internet. +- **revisionNumber** The Update revision number. +- **scanTriggerSource** The source of the triggered scan. +- **updateId** The unique identifier of the Update. +- **updateScenarioType** Identifies the type of update session being performed. +- **wuDeviceid** The unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.DisplayNeeded + +This event indicates the reboot was postponed due to needing a display. + +The following fields are available: + +- **displayNeededReason** Reason the display is needed. +- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. +- **revisionNumber** Revision number of the update. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. +- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue + + +### Microsoft.Windows.Update.Orchestrator.Download + +This event sends launch data for a Windows Update download to help keep Windows up to date. + +The following fields are available: + +- **deferReason** Reason for download not completing. +- **e:4|SScenario** No content is currently available. +- **errorCode** An error code represented as a hexadecimal value. +- **eventScenario** End-to-end update session ID. +- **fdightID** No content is currently available. +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the session is user initiated. +- **interactiveelatedCVerrorCode** No content is currently available. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenariotate** No content is currently available. +- **updateScenarioType** The update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.DTUCompletedWhenWuFlightPendingCommit + +This event indicates that DTU completed installation of the electronic software delivery (ESD), when Windows Update was already in Pending Commit phase of the feature update. + +The following fields are available: + +- **wuDeviceid** Device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.DTUEnabled + +This event indicates that Inbox DTU functionality was enabled. + +The following fields are available: + +- **wuDeviceid** Device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.DTUInitiated + +This event indicates that Inbox DTU functionality was intiated. + +The following fields are available: + +- **dtuErrorCode** Return code from creating the DTU Com Server. +- **isDtuApplicable** Determination of whether DTU is applicable to the machine it is running on. +- **wuDeviceid** Device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.EscalationRiskLevels + +This event is sent during update scan, download, or install, and indicates that the device is at risk of being out-of-date. + +The following fields are available: + +- **configVersion** The escalation configuration version on the device. +- **downloadElapsedTime** Indicates how long since the download is required on device. +- **downloadRiskLevel** At-risk level of download phase. +- **installElapsedTime** Indicates how long since the install is required on device. +- **installRiskLevel** The at-risk level of install phase. +- **isSediment** Assessment of whether is device is at risk. +- **scanElapsedTime** Indicates how long since the scan is required on device. +- **scanRiskLevel** At-risk level of the scan phase. +- **wuDeviceid** Device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.FailedToAddTimeTriggerToScanTask + +This event indicated that USO failed to add a trigger time to a task. + +The following fields are available: + +- **errorCode** The Windows Update error code. +- **wuDeviceid** The Windows Update device ID. + + +### Microsoft.Windows.Update.Orchestrator.FlightInapplicable + +This event indicates that the update is no longer applicable to this device. + +The following fields are available: + +- **EventPublishedTime** Time when this event was generated. +- **flightID** The specific ID of the Windows Insider build. +- **inapplicableReason** The reason why the update is inapplicable. +- **revisionNumber** Update revision number. +- **updateId** Unique Windows Update ID. +- **updateScenarioType** Update session type. +- **UpdateStatus** Last status of update. +- **UUPFallBackConfigured** Indicates whether UUP fallback is configured. +- **wuDeviceid** Unique Device ID. + + +### Microsoft.Windows.Update.Orchestrator.InitiatingReboot + +This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date. + +The following fields are available: + +- **EventPublishedTime** Time of the event. +- **flightID** Unique update ID +- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. +- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. +- **revisionNumber** Revision number of the update. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.Install + +This event sends launch data for a Windows Update install to help keep Windows up to date. + +The following fields are available: + +- **batteryLevel** Current battery capacity in mWh or percentage left. +- **defeec-9-0S** No content is currently available. +- **deferReason** Reason for install not completing. +- **errorCode** The error code reppresented by a hexadecimal value. +- **eventScenario** End-to-end update session ID. +- **flightID** The ID of the Windows Insider build the device is getting. +- **flightUpdate** Indicates whether the update is a Windows Insider build. +- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates. +- **Ignorec-9-0SsFoec-start** No content is currently available. +- **IgnoreReasonsForRestart** The reason(s) a Postpone Restart command was ignored. +- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress. +- **installRebootinitiatetime** The time it took for a reboot to be attempted. +- **interactive** Identifies if session is user initiated. +- **minutesToCommit** The time it took to install updates. +- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateMd** No content is currently available. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.LowUptimes + +This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure. + +The following fields are available: + +- **availableHistoryMinutes** The number of minutes available from the local machine activity history. +- **isLowUptimeMachine** Is the machine considered low uptime or not. +- **lowUptimeMinHours** Current setting for the minimum number of hours needed to not be considered low uptime. +- **lowUptimeQueryDays** Current setting for the number of recent days to check for uptime. +- **uptimeMinutes** Number of minutes of uptime measured. +- **wuDeviceid** Unique device ID for Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection + +This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date. + +The following fields are available: + +- **externalOneshotupdate** The last time a task-triggered scan was completed. +- **interactiveOneshotupdate** The last time an interactive scan was completed. +- **oldlastscanOneshotupdate** The last time a scan completed successfully. +- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID). + + +### Microsoft.Windows.Update.Orchestrator.PreShutdownStart + +This event is generated before the shutdown and commit operations. + +The following fields are available: + +- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### Microsoft.Windows.Update.Orchestrator.RebootFailed + +This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date. + +The following fields are available: + +- **batteryLevel** Current battery capacity in mWh or percentage left. +- **deferReason** Reason for install not completing. +- **EventPublishedTime** The time that the reboot failure occurred. +- **flightID** Unique update ID. +- **rebootOutsideOfActiveHours** Indicates whether a reboot was scheduled outside of active hours. +- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.RefreshSettings + +This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date. + +The following fields are available: + +- **errorCode** Hex code for the error message, to allow lookup of the specific error. +- **settingsDownloadTime** Timestamp of the last attempt to acquire settings. +- **settingsETag** Version identifier for the settings. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask + +This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date. + +The following fields are available: + +- **RebootTaskMissedTimeUTC** The time when the reboot task was scheduled to run, but did not. +- **RebootTaskNextTimeUTC** The time when the reboot task was rescheduled for. +- **RebootTaskRestoredTime** Time at which this reboot task was restored. +- **wuDeviceid** Device ID for the device on which the reboot is restored. + + +### Microsoft.Windows.Update.Orchestrator.ScanTriggered + +This event indicates that Update Orchestrator has started a scan operation. + +The following fields are available: + +- **errorCode** The error code returned for the current scan operation. +- **eventScenario** Indicates the purpose of sending this event. +- **interactive** Indicates whether the scan is interactive. +- **isDTUEnabled** Indicates whether DTU (internal abbreviation for Direct Feature Update) channel is enabled on the client system. +- **isScanPastSla** Indicates whether the SLA has elapsed for scanning. +- **isScanPastTriggerSla** Indicates whether the SLA has elapsed for triggering a scan. +- **minutesOverScanSla** Indicates how many minutes the scan exceeded the scan SLA. +- **minutesOverScanTriggerSla** Indicates how many minutes the scan exceeded the scan trigger SLA. +- **scanTriggerSource** Indicates what caused the scan. +- **updateScenarioType** The update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.StickUpdate + +This event is sent when the update service orchestrator (USO) indicates the update cannot be superseded by a newer update. + +The following fields are available: + +- **updateAd** No content is currently available. +- **updateId** Identifier associated with the specific piece of content. +- **wuDeviceid** Unique device ID controlled by the software distribution client. + + +### Microsoft.Windows.Update.Orchestrator.SystemNeeded + +This event sends data about why a device is unable to reboot, to help keep Windows up to date. + +The following fields are available: + +- **eventScenario** End-to-end update session ID. +- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. +- **revisionNumber** Update revision number. +- **systemNeededReason** List of apps or tasks that are preventing the system from restarting. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.TerminatedByActiveHours + +This event indicates that update activity was stopped due to active hours starting. + +The following fields are available: + +- **activeHoursEnd** The end of the active hours window. +- **activeHoursStart** The start of the active hours window. +- **updatePhase** The current state of the update process. +- **wuDeviceid** The device identifier. + + +### Microsoft.Windows.Update.Orchestrator.TerminatedByBatteryLevel + +This event is sent when update activity was stopped due to a low battery level. + +The following fields are available: + +- **batteryLevel** The current battery charge capacity. +- **batteryLevelThreshold** The battery capacity threshold to stop update activity. +- **updatePhase** The current state of the update process. +- **wuDeviceid** The device identifier. + + +### Microsoft.Windows.Update.Orchestrator.UnstickUpdate + +This event is sent when the update service orchestrator (USO) indicates that the update can be superseded by a newer update. + +The following fields are available: + +- **updateId** Identifier associated with the specific piece of content. +- **wuDeviceid** Unique device ID controlled by the software distribution client. + + +### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh + +This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date. + +The following fields are available: + +- **configuredPoliciescount** Number of policies on the device. +- **policiesNamevaluesource** Policy name and source of policy (group policy, MDM or flight). +- **policyCacherefreshtime** Time when policy cache was refreshed. +- **updateInstalluxsetting** Indicates whether a user has set policies via a user experience option. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired + +This event sends data about whether an update required a reboot to help keep Windows up to date. + +The following fields are available: + +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed + +This event sends information about an update that encountered problems and was not able to complete. + +The following fields are available: + +- **errorCode** The error code encountered. +- **wuDeviceid** The ID of the device in which the error occurred. + + +### Microsoft.Windows.Update.Orchestrator.UsoSession + +This event represents the state of the USO service at start and completion. + +The following fields are available: + +- **activeSessionid** A unique session GUID. +- **eventScenario** The state of the update action. +- **interactive** Is the USO session interactive? +- **lastErrorcode** The last error that was encountered. +- **lastErrorstate** The state of the update when the last error was encountered. +- **sessionType** A GUID that refers to the update session type. +- **updateScenarioType** A descriptive update session type. +- **wuDeviceid** The Windows Update device GUID. + + +### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState + +This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. + +The following fields are available: + +- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. +- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown. +- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed. +- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs. +- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode. +- **ETag** The Entity Tag that represents the OneSettings version. +- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device. +- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device. +- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending. +- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced. +- **RebootVersion** The version of the DTE (Direct-to-Engaged). +- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode. +- **UpdateId** The ID of the update that is waiting for reboot to finish installation. +- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. + + +### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded + +This event is sent when a security update has successfully completed. + +The following fields are available: + +- **UtcTime** The Coordinated Universal Time that the restart was no longer needed. + + +### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled + +This event sends basic information about scheduling an update-related reboot, to get security updates and to help keep Windows up-to-date. + +The following fields are available: + +- **activeHoursApplicable** Indicates whether Active Hours applies on this device. +- **IsEnhancedEngagedReboot** Indicates whether Enhanced reboot was enabled. +- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. +- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise. +- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically. +- **rebootState** Current state of the reboot. +- **rebootUsingSmartScheduler** Indicates that the reboot is scheduled by SmartScheduler. +- **revisionNumber** Revision number of the OS. +- **scheduledRebootTime** Time scheduled for the reboot. +- **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC. +- **updateId** Identifies which update is being scheduled. +- **wuDeviceid** The unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerScheduledTask + +This event is sent when MUSE broker schedules a task. + +The following fields are available: + +- **TaskArgument** The arguments with which the task is scheduled. +- **TaskName** Name of the task. + + +### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled + +This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date. + +The following fields are available: + +- **activeHoursApplicable** Is the restart respecting Active Hours? +- **IsEnhancedEngagedReboot** TRUE if the reboot path is Enhanced Engaged. Otherwise, FALSE. +- **rebootArgument** The arguments that are passed to the OS for the restarted. +- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours? +- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device. +- **rebootState** The state of the restart. +- **rebootUsingSmartScheduler** TRUE if the reboot should be performed by the Smart Scheduler. Otherwise, FALSE. +- **revisionNumber** The revision number of the OS being updated. +- **scheduledRebootTime** Time of the scheduled reboot +- **scheduledRebootTimeInUTC** Time of the scheduled restart, in Coordinated Universal Time. +- **updateId** The Windows Update device GUID. +- **wuDeviceid** The Windows Update device GUID. + + +## Windows Update mitigation events + +### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages + +This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates. + +The following fields are available: + +- **ClientId** The client ID used by Windows Update. +- **FlightId** The ID of each Windows Insider build the device received. +- **InstanceId** A unique device ID that identifies each update instance. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **MountedImageCount** The number of mounted images. +- **MountedImageMatches** The number of mounted image matches. +- **MountedImagesFailed** The number of mounted images that could not be removed. +- **MountedImagesRemoved** The number of mounted images that were successfully removed. +- **MountedImagesSkipped** The number of mounted images that were not found. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each Windows Update. +- **WuId** Unique ID for the Windows Update client. + + +### Mitigation360Telemetry.MitigationCustom.FixAppXReparsePoints + +This event sends data specific to the FixAppXReparsePoints mitigation used for OS updates. + +The following fields are available: + +- **ClientId** Unique identifier for each flight. +- **FlightId** Unique GUID that identifies each instances of setuphost.exe. +- **InstanceId** The update scenario in which the mitigation was executed. +- **MitigationScenario** Correlation vector value generated from the latest USO scan. +- **RelatedCV** Number of reparse points that are corrupted but we failed to fix them. +- **ReparsePointsFailed** Number of reparse points that were corrupted and were fixed by this mitigation. +- **ReparsePointsFixed** Number of reparse points that are not corrupted and no action is required. +- **ReparsePointsSkipped** HResult of this operation. +- **Result** ID indicating the mitigation scenario. +- **ScenarioId** Indicates whether the scenario was supported. +- **ScenarioSupported** Unique value for each update attempt. +- **SessionId** Unique ID for each Update. +- **UpdateId** Unique ID for the Windows Update client. +- **WuId** Unique ID for the Windows Update client. + + +### Mitigation360Telemetry.MitigationCustom.FixupEditionId + +This event sends data specific to the FixupEditionId mitigation used for OS updates. + +The following fields are available: + +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **EditionIdUpdated** Determine whether EditionId was changed. +- **FlightId** Unique identifier for each flight. +- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **ProductEditionId** Expected EditionId value based on GetProductInfo. +- **ProductType** Value returned by GetProductInfo. +- **RegistryEditionId** EditionId value in the registry. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. +- **WuId** Unique ID for the Windows Update client. + + +## Windows Update Reserve Manager events + +### Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment + +This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending. + +The following fields are available: + +- **FinalAdjustment** Final adjustment for the hard reserve following the addition or removal of optional content. +- **InitialAdjustment** Initial intended adjustment for the hard reserve following the addition/removal of optional content. + + +### Microsoft.Windows.UpdateReserveManager.FunctionReturnedError + +This event is sent when the Update Reserve Manager returns an error from one of its internal functions. + +The following fields are available: + +- **FailedExpression** The failed expression that was returned. +- **FailedFile** The binary file that contained the failed function. +- **FailedFunction** The name of the function that originated the failure. +- **FailedLine** The line number of the failure. +- **ReturnCode** The return code of the function. + + +### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager + +This event returns data about the Update Reserve Manager, including whether it’s been initialized. + +The following fields are available: + +- **ClientId** The ID of the caller application. +- **Flags** The enumerated flags used to initialize the manager. +- **FlightId** The flight ID of the content the calling client is currently operating with. +- **Offline** Indicates whether or the reserve manager is called during offline operations. +- **PolicyPassed** Indicates whether the machine is able to use reserves. +- **ReturnCode** Return code of the operation. +- **Version** The version of the Update Reserve Manager. + + +### Microsoft.Windows.UpdateReserveManager.PrepareTIForReserveInitialization + +This event is sent when the Update Reserve Manager prepares the Trusted Installer to initialize reserves on the next boot. + +The following fields are available: + +- **Flags** The flags that are passed to the function to prepare the Trusted Installer for reserve initialization. + + +### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment + +This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment. + + + +### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment + +This event is sent when the Update Reserve Manager needs to adjust the size of the hard reserve after the option content is installed. + +The following fields are available: + +- **ChangeSize** The change in the hard reserve size based on the addition or removal of optional content. +- **Disposition** The parameter for the hard reserve adjustment function. +- **Flags** The flags passed to the hard reserve adjustment function. +- **PendingHardReserveAdjustment** The final change to the hard reserve size. +- **UpdateType** Indicates whether the change is an increase or decrease in the size of the hard reserve. + + +## Winlogon events + +### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon + +This event signals the completion of the setup process. It happens only once during the first logon. + + + +## XBOX events + +### Microsoft.Xbox.XamTelemetry.AppActivationError + +This event indicates whether the system detected an activation error in the app. + +The following fields are available: + +- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app. +- **AppId** The Xbox LIVE Title ID. +- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate. +- **Result** The HResult error. +- **UserId** The Xbox LIVE User ID (XUID). + + +### Microsoft.Xbox.XamTelemetry.AppActivity + +This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. + +The following fields are available: + +- **AppActionId** The ID of the application action. +- **AppCurrentVisibilityState** The ID of the current application visibility state. +- **AppId** The Xbox LIVE Title ID of the app. +- **AppPackageFullName** The full name of the application package. +- **AppPreviousVisibilityState** The ID of the previous application visibility state. +- **AppSessionId** The application session ID. +- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). +- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. +- **DurationMs** The amount of time (in milliseconds) since the last application state transition. +- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. +- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). +- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. +- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. +- **UserId** The XUID (Xbox User ID) of the current user. + + + From b5c7241367bd26ec26531fd4b4ef12db09406e20 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 20 Mar 2019 13:28:09 -0700 Subject: [PATCH 068/492] new build 3/20/2019 1:28 PM --- .../basic-level-windows-diagnostic-events-and-fields-1903.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 03eb191a9a..4d3aa705fe 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/19/2019 +ms.date: 03/20/2019 --- From 13be4cc9c4be4531a6c87a10d60c03d49bd7fcd4 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 20 Mar 2019 13:28:16 -0700 Subject: [PATCH 069/492] new build 3/20/2019 1:28 PM --- ...ndows-diagnostic-events-and-fields-1703.md | 2 +- ...ndows-diagnostic-events-and-fields-1709.md | 2 +- ...ndows-diagnostic-events-and-fields-1803.md | 125 ++++++++++++++- ...ndows-diagnostic-events-and-fields-1809.md | 145 +++++++----------- 4 files changed, 184 insertions(+), 90 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 28d0314670..0f32a74a67 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/19/2019 +ms.date: 03/20/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 16140deb3c..e7b0b0b20f 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/19/2019 +ms.date: 03/20/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index cf362ccc46..c3150d4aeb 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/19/2019 +ms.date: 03/20/2019 --- @@ -1582,6 +1582,50 @@ The following fields are available: - **SLICVersion** Returns OS type/version from SLIC table. +### Census.PrivacySettings + +This event provides information about the device level privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represent the authority that set the value. The effective consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. + +The following fields are available: + +- **Activity** Current state of the activity history setting. +- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. +- **ActivityHistoryCollection** Current state of the activity history collection setting. +- **AdvertisingId** Current state of the advertising ID setting. +- **AppDiagnostics** Current state of the app diagnostics setting. +- **Appointments** Current state of the calendar setting. +- **Bluetooth** Current state of the Bluetooth capability setting. +- **BluetoothSync** Current state of the Bluetooth sync capability setting. +- **BroadFileSystemAccess** Current state of the broad file system access setting. +- **CellularData** Current state of the cellular data capability setting. +- **Chat** Current state of the chat setting. +- **Contacts** Current state of the contacts setting. +- **DocumentsLibrary** Current state of the documents library setting. +- **Email** Current state of the email setting. +- **FindMyDevice** Current state of the "find my device" setting. +- **GazeInput** Current state of the gaze input setting. +- **HumanInterfaceDevice** Current state of the human interface device setting. +- **InkTypeImprovement** Current state of the improve inking and typing setting. +- **Location** Current state of the location setting. +- **LocationHistory** Current state of the location history setting. +- **Microphone** Current state of the microphone setting. +- **PhoneCall** Current state of the phone call setting. +- **PhoneCallHistory** Current state of the call history setting. +- **PicturesLibrary** Current state of the pictures library setting. +- **Radios** Current state of the radios setting. +- **SensorsCustom** Current state of the custom sensor setting. +- **SerialCommunication** Current state of the serial communication setting. +- **Sms** Current state of the text messaging setting. +- **SpeechPersonalization** Current state of the speech services setting. +- **USB** Current state of the USB setting. +- **UserAccountInformation** Current state of the account information setting. +- **UserDataTasks** Current state of the tasks setting. +- **UserNotificationListener** Current state of the notifications setting. +- **VideosLibrary** Current state of the videos library setting. +- **Webcam** Current state of the camera setting. +- **WiFiDirect** Current state of the Wi-Fi direct setting. + + ### Census.Processor Provides information on several important data points about Processor settings. @@ -1695,6 +1739,50 @@ The following fields are available: - **SpeechInputLanguages** The Speech Input languages installed on the device. +### Census.UserPrivacySettings + +This event provides information about the current users privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represents the authority that set the value. The effective consent is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = user, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. + +The following fields are available: + +- **Activity** Current state of the activity history setting. +- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. +- **ActivityHistoryCollection** Current state of the activity history collection setting. +- **AdvertisingId** Current state of the advertising ID setting. +- **AppDiagnostics** Current state of the app diagnostics setting. +- **Appointments** Current state of the calendar setting. +- **Bluetooth** Current state of the Bluetooth capability setting. +- **BluetoothSync** Current state of the Bluetooth sync capability setting. +- **BroadFileSystemAccess** Current state of the broad file system access setting. +- **CellularData** Current state of the cellular data capability setting. +- **Chat** Current state of the chat setting. +- **Contacts** Current state of the contacts setting. +- **DocumentsLibrary** Current state of the documents library setting. +- **Email** Current state of the email setting. +- **GazeInput** Current state of the gaze input setting. +- **HumanInterfaceDevice** Current state of the human interface device setting. +- **InkTypeImprovement** Current state of the improve inking and typing setting. +- **InkTypePersonalization** Current state of the inking and typing personalization setting. +- **Location** Current state of the location setting. +- **LocationHistory** Current state of the location history setting. +- **Microphone** Current state of the microphone setting. +- **PhoneCall** Current state of the phone call setting. +- **PhoneCallHistory** Current state of the call history setting. +- **PicturesLibrary** Current state of the pictures library setting. +- **Radios** Current state of the radios setting. +- **SensorsCustom** Current state of the custom sensor setting. +- **SerialCommunication** Current state of the serial communication setting. +- **Sms** Current state of the text messaging setting. +- **SpeechPersonalization** Current state of the speech services setting. +- **USB** Current state of the USB setting. +- **UserAccountInformation** Current state of the account information setting. +- **UserDataTasks** Current state of the tasks setting. +- **UserNotificationListener** Current state of the notifications setting. +- **VideosLibrary** Current state of the videos library setting. +- **Webcam** Current state of the camera setting. +- **WiFiDirect** Current state of the Wi-Fi direct setting. + + ### Census.VM This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date. @@ -2027,6 +2115,41 @@ The following fields are available: - **transactionCanceled** Indicates whether the uninstall was cancelled. +### CbsServicingProvider.CbsSelectableUpdateChangeV2 + +This event reports the results of enabling or disabling optional Windows Content to keep Windows up to date. + +The following fields are available: + +- **applicableUpdateState** Indicates the highest applicable state of the optional content. +- **buildVersion** The build version of the package being installed. +- **clientId** The name of the application requesting the optional content change. +- **downloadSource** Indicates if optional content was obtained from Windows Update or a locally accessible file. +- **downloadtimeInSeconds** Indicates if optional content was obtained from Windows Update or a locally accessible file. +- **executionID** A unique ID used to identify events associated with a single servicing operation and not reused for future operations. +- **executionSequence** A counter that tracks the number of servicing operations attempted on the device. +- **firstMergedExecutionSequence** The value of a pervious executionSequence counter that is being merged with the current operation, if applicable. +- **firstMergedID** A unique ID of a pervious servicing operation that is being merged with this operation, if applicable. +- **hrDownloadResult** The return code of the download operation. +- **hrStatusUpdate** The return code of the servicing operation. +- **identityHash** A pseudonymized (hashed) identifier for the Windows Package that is being installed or uninstalled. +- **initiatedOffline** Indicates whether the operation was performed against an offline Windows image file or a running instance of Windows. +- **majorVersion** The major version of the package being installed. +- **minorVersion** The minor version of the package being installed. +- **packageArchitecture** The architecture of the package being installed. +- **packageLanguage** The language of the package being installed. +- **packageName** The name of the package being installed. +- **rebootRequired** Indicates whether a reboot is required to complete the operation. +- **revisionVersion** The revision number of the package being installed. +- **stackBuild** The build number of the servicing stack binary performing the installation. +- **stackMajorVersion** The major version number of the servicing stack binary performing the installation. +- **stackMinorVersion** The minor version number of the servicing stack binary performing the installation. +- **stackRevision** The revision number of the servicing stack binary performing the installation. +- **updateName** The name of the optional Windows Operation System feature being enabled or disabled. +- **updateStartState** A value indicating the state of the optional content before the operation started. +- **updateTargetState** A value indicating the desired state of the optional content. + + ## Deployment extensions ### DeploymentTelemetry.Deployment_End diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 1daea9d4d6..680f731738 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/19/2019 +ms.date: 03/20/2019 --- @@ -502,6 +502,7 @@ The following fields are available: - **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device. - **DecisionSystemProcessor_RS2** The count of the number of this particular object type present on this device. - **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **I4BD-B1CFi2vuW9de87ed73cb92d3ca4.amd64fre.rs5_2eu5umeZone** No content is currently available. - **InventoryApplicationFile** The count of the number of this particular object type present on this device. - **InventoryDeviceContainer** A count of device container objects in cache. - **InventoryDevicePnp** A count of device Plug and Play objects in cache. @@ -850,7 +851,6 @@ The following fields are available: - **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? - **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device? - **DriverBlockOverridden** Is there is a driver block on the device that has been overridden? -- **DriverJlockOverridden** No content is currently available. - **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device? - **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS? - **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade? @@ -2029,7 +2029,6 @@ The following fields are available: - **LocationHistory** Current state of the location history setting. - **LocationHistoryCloudSync** Current state of the location history cloud sync setting. - **LocationHistoryOnTimeline** Current state of the location history on timeline setting. -- **LocTîÿxV4ocationHistory** No content is currently available. - **Microphone** Current state of the microphone setting. - **PhoneCall** Current state of the phone call setting. - **PhoneCallHistory** Current state of the call history setting. @@ -2139,12 +2138,7 @@ This event sends data about the logical/physical display size, resolution and nu The following fields are available: -- **ÉnternalPrimaryDisplayLogicalDPIY** No content is currently available. -- **IîternalPrimaryDisplayResolutionVertical** No content is currently available. -- **InterjalPrimaryDisplayResolutionHorizontal** No content is currently available. -- **InternalPrimaðyDisplayPhysicalDPIX** No content is currently available. - **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display. -- **InternalPrimaryDisplayLogicálDPIX** No content is currently available. - **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display. - **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display. - **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display. @@ -2152,11 +2146,8 @@ The following fields are available: - **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display. - **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches . - **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches -- **InternalPrimaryDiwplayPhysicalDPIY** No content is currently available. - **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine - **NumberofInternalDisplays** Retrieves the number of internal displays in a machine. -- **OumberofExternalDisplays** No content is currently available. -- **OumberofInternalDisplays** No content is currently available. - **VRAMDedicated** Retrieves the video RAM in MB. - **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card. - **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use. @@ -2276,7 +2267,6 @@ The following fields are available: - **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console. - **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console. -- **XboxConsoleSerialOumber** No content is currently available. - **XboxLiveDeviceId** Retrieves the unique device ID of the console. - **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft. @@ -2460,6 +2450,7 @@ The following fields are available: - **inventoryId** Device ID used for Compatibility testing - **objectInstanceId** Object identity which is unique within the device scope. - **objectType** Indicates the object type that the event applies to. +- **objectType(objectInstanceId** No content is currently available. - **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. @@ -2601,6 +2592,41 @@ The following fields are available: - **stageTimeSeconds** The time (in seconds) required to stage all files that are part of the update. +### CbsServicingProvider.CbsSelectableUpdateChangeV2 + +This event reports the results of enabling or disabling optional Windows Content to keep Windows up to date. + +The following fields are available: + +- **applicableUpdateState** Indicates the highest applicable state of the optional content. +- **buildVersion** The build version of the package being installed. +- **clientId** The name of the application requesting the optional content change. +- **downloadSource** Indicates if optional content was obtained from Windows Update or a locally accessible file. +- **downloadtimeInSeconds** The number of seconds required to complete the optional content download. +- **executionID** A unique ID used to identify events associated with a single servicing operation and not reused for future operations. +- **executionSequence** A counter that tracks the number of servicing operations attempted on the device. +- **firstMergedExecutionSequence** The value of a pervious executionSequence counter that is being merged with the current operation, if applicable. +- **firstMergedID** A unique ID of a pervious servicing operation that is being merged with this operation, if applicable. +- **hrDownloadResult** The return code of the download operation. +- **hrStatusUpdate** The return code of the servicing operation. +- **identityHash** A pseudonymized (hashed) identifier for the Windows Package that is being installed or uninstalled. +- **initiatedOffline** Indicates whether the operation was performed against an offline Windows image file or a running instance of Windows. +- **majorVersion** The major version of the package being installed. +- **minorVersion** The minor version of the package being installed. +- **packageArchitecture** The architecture of the package being installed. +- **packageLanguage** The language of the package being installed. +- **packageName** The name of the package being installed. +- **rebootRequired** Indicates whether a reboot is required to complete the operation. +- **revisionVersion** The revision number of the package being installed. +- **stackBuild** The build number of the servicing stack binary performing the installation. +- **stackMajorVersion** The major version number of the servicing stack binary performing the installation. +- **stackMinorVersion** The minor version number of the servicing stack binary performing the installation. +- **stackRevision** The revision number of the servicing stack binary performing the installation. +- **updateName** The name of the optional Windows Operation System feature being enabled or disabled. +- **updateStartState** A value indicating the state of the optional content before the operation started. +- **updateTargetState** A value indicating the desired state of the optional content. + + ## Deployment extensions ### DeploymentTelemetry.Deployment_End @@ -2683,12 +2709,14 @@ Fired by UTC at startup to signal what data we are allowed to collect. The following fields are available: +- **CanAddMsaToMsTelemetby** No content is currently available. - **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. - **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. - **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. - **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. - **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. - **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. +- **CanCollectWintowsAnalyticsEvents** No content is currently available. - **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. - **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. - **CanReportScenarios** True if we can report scenario completions, false otherwise. @@ -2718,7 +2746,6 @@ This event sends data about the health and quality of the diagnostic data from t The following fields are available: - **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel. -- **AgentConnectionrrorCsCount** No content is currently available. - **CensusExitCode** The last exit code of the Census task. - **CensusStartTime** Time of last Census run. - **CensusTaskEnabled** True if Census is enabled, false otherwise. @@ -2732,9 +2759,7 @@ The following fields are available: - **DbDroppedFailureCount** Number of events dropped due to DB failures. - **DbDroppedFullCount** Number of events dropped due to DB fullness. - **DecodingDroppedCount** Number of events dropped due to decoding failures. -- **DecodthiDroppedCount** No content is currently available. - **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. -- **EnterthiCriticalOverflowDroppedCounter** No content is currently available. - **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. - **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. - **EventsPersistedCount** Number of events that reached the PersistEvent stage. @@ -2749,26 +2774,17 @@ The following fields are available: - **HeartBeatSequenceNumber** The sequence number of this heartbeat. - **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. - **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. -- **LastAgentConnectionrrorC** No content is currently available. - **LastEventSizeOffender** Event name of last event which exceeded max event size. - **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. -- **Max8ctiveAgentConnectionCount** No content is currently available. - **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. - **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. -- **MaxInUseScenaryoCounter** No content is currently available. -- **omporessedBytesUploaded** No content is currently available. - **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). - **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. -- **RepeatedUploadFailqreDpopped** No content is currently available. - **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. - **SettingsHttpAttempts** Number of attempts to contact OneSettings service. - **SettingsHttpFailures** The number of failures from contacting the OneSettings service. -- **SettthisHttpAttempts** No content is currently available. -- **SettthisHttpFailures** No content is currently available. - **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. - **TopUploaderErrors** List of top errors received from the upload endpoint. -- **TopUploaderrrorCs** No content is currently available. -- **UphoaderErporCount** No content is currently available. - **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. - **UploaderErrorCount** Number of errors received from the upload endpoint. - **VortexFailuresTimeout** The number of timeout failures received from Vortex. @@ -2776,7 +2792,6 @@ The following fields are available: - **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. - **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. - **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. -- **VortexHttpResponsesWirhDroppedEvents** No content is currently available. - **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. @@ -2794,7 +2809,6 @@ The following fields are available: - **DbDroppedFailureCount** Number of events dropped due to database failures. - **DbDroppedFullCount** Number of events dropped due to database being full. - **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. -- **Eve~tStoreResetCounter** No content is currently available. - **EventsPersistedCount** Number of events that reached the PersistEvent stage. - **EventStoreLifetimeResetCounter** Number of times the event store has been reset. - **EventStoreResetCounter** Number of times the event store has been reset during this heartbeat. @@ -3385,23 +3399,24 @@ The following fields are available: - **aiSeqId** The event sequence ID. - **bootId** The system boot ID. - **BrightnessVersionViaDDI** The version of the Display Brightness Interface. +- **BrightngssVersionViaDDI** No content is currently available. - **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. - **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). - **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). -- **DedicatedVkdeoMemoryB** No content is currently available. - **DisplayAdapterLuid** The display adapter LUID. - **DriverDate** The date of the display driver. - **DriverRank** The rank of the display driver. - **DriverVersion** The display driver version. +- **DriverVgrsion** No content is currently available. - **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store. - **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store. - **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store. +- **DX9UMDFilePatè** No content is currently available. - **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store. - **GPUDeviceID** The GPU device ID. - **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. - **GPURevisionID** The GPU revision ID. - **GPUVendorID** The GPU vendor ID. -- **GPUVgndorID** No content is currently available. - **InterfaceId** The GPU interface ID. - **IsDisplayDevice** Does the GPU have displaying capabilities? - **IsHwSchSupported** Indicates whether the adapter supports hardware scheduling. @@ -3415,22 +3430,23 @@ The following fields are available: - **IsPostAdapter** Is this GPU the POST GPU in the device? - **IsRemovable** TRUE if the adapter supports being disabled or removed. - **IsRenderDevice** Does the GPU have rendering capabilities? +- **IsRendgrDevice** No content is currently available. - **IsSoftwareDevice** Is this a software implementation of the GPU? - **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store. - **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? +- **MeasurgEnabled** No content is currently available. - **MsHybridDiscrete** Indicates whether the adapter is a discrete adapter in a hybrid configuration. -- **N}mVidPnSources** No content is currently available. - **NumVidPnSources** The number of supported display output sources. - **NumVidPnTargets** The number of supported display output targets. +- **NumVidPnTattets** No content is currently available. - **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes). - **SubSystemID** The subsystem ID. -- **SubVendopID** No content is currently available. - **SubVendorID** The GPU sub vendor ID. +- **TelemetpyEnabled** No content is currently available. - **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? - **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) -- **TenemetryEnabled** No content is currently available. -- **TenInvEvntTrigger** No content is currently available. - **version** The event version. +- **verskon** No content is currently available. - **WDDMVersion** The Windows Display Driver Model version. @@ -3521,14 +3537,17 @@ The following fields are available: - **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. - **AppTimeStamp** The date/time stamp of the app. - **AppVersion** The version of the app that has crashed. +- **DargetAsId** No content is currently available. - **ExceptionCode** The exception code returned by the process that has crashed. - **ExceptionOffset** The address where the exception had occurred. - **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. - **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. - **IsFatal** True/False to indicate whether the crash resulted in process termination. +- **ModNa-e** No content is currently available. - **ModName** Exception module name (e.g. bar.dll). - **ModTimeStamp** The date/time stamp of the module. - **ModVersion** The version of the module that has crashed. +- **OodTimeStamp** No content is currently available. - **PackageFullName** Store application identity. - **PackageRelativeAppId** Store application identity. - **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. @@ -3620,7 +3639,6 @@ The following fields are available: - **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache - **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache - **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache -- **InventoryMiscnfo** No content is currently available. - **Metadata** A count of metadata objects in cache. - **Orphan** A count of orphan file objects in cache. - **Programs** A count of program objects in cache. @@ -3659,6 +3677,7 @@ The following fields are available: - **HiddenArp** Indicates whether a program hides itself from showing up in ARP. - **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). - **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 +- **InstallDateFromLbnkFile** No content is currently available. - **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. - **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array. - **InventoryVersion** The version of the inventory file generating the events. @@ -3761,7 +3780,6 @@ The following fields are available: - **IsActive** Is the device connected, or has it been seen in the last 14 days? - **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link. - **IsMachineContainer** Is the container the root device itself? -- **IsMAchineContainer** No content is currently available. - **IsNetworked** Is this a networked device? - **IsPaired** Does the device container require pairing? - **Manufacturer** The manufacturer name for the device container. @@ -3888,10 +3906,10 @@ The following fields are available: - **Description** The description of the device. - **DeviceInterfaceClasses** The device interfaces that this device implements. - **DeviceState** Identifies the current state of the parent (main) device. +- **DevicmState** No content is currently available. - **DriverId** The unique identifier for the installed driver. - **DriverName** The name of the driver image file. - **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage. -- **DriveRPackageStrongNaMe** No content is currently available. - **DriverVerDate** The date associated with the driver installed on the device. - **DriverVerVersion** The version number of the driver installed on the device. - **Enumerator** Identifies the bus that enumerated the device. @@ -3911,6 +3929,7 @@ The following fields are available: - **Service** The name of the device service. - **STACKID** The list of hardware IDs for the stack. - **UpperClassFilters** The identifiers of the Upper Class filters installed for the device. +- **UpperFilers** No content is currently available. - **UpperFilters** The identifiers of the Upper filters installed for the device. @@ -3968,30 +3987,20 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: -- **Dri6erCompany** No content is currently available. -- **Driv%rPackageStrongName** No content is currently available. -- **Drive2Name** No content is currently available. - **DriverCheckSum** The checksum of the driver file. -- **DriverCompa.y** No content is currently available. - **DriverCompany** The company name that developed the driver. - **DriverInBox** Is the driver included with the operating system? - **DriverIsKernelMode** Is it a kernel mode driver? - **DriverName** The file name of the driver. - **DriverPackageStrongName** The strong name of the driver package -- **DriverSign%d** No content is currently available. - **DriverSigned** The strong name of the driver package - **DriverTimeStamp** The low 32 bits of the time stamp of the driver file. - **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. - **DriverVersion** The version of the driver file. -- **DviverCompany** No content is currently available. -- **I.f** No content is currently available. -- **Imagesize** No content is currently available. - **ImageSize** The size of the driver file. - **Inf** The name of the INF file. -- **Invento2yVersion** No content is currently available. - **InventoryVersion** The version of the inventory file generating the events. - **Product** The product name that is included in the driver file. -- **ProductVersio~** No content is currently available. - **ProductVersion** The product version that is included in the driver file. - **Service** The name of the service that is installed for the device. - **WdfVersion** The Windows Driver Framework version. @@ -4503,7 +4512,6 @@ The following fields are available: - **BootStatusPolicy** Identifies the applicable Boot Status Policy. - **BootType** Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume"). - **EventTimestamp** Seconds elapsed since an arbitrary time point. This can be used to identify the time difference in successive boot attempts being made. -- **Firmw!reResetReasonEmbeddedControllerAdditional** No content is currently available. - **FirmwareResetReasonEmbeddedController** Reason for system reset provided by firmware. - **FirmwareResetReasonEmbeddedControllerAdditional** Additional information on system reset reason provided by firmware if needed. - **FirmwareResetReasonPch** Reason for system reset provided by firmware. @@ -4736,47 +4744,22 @@ This event provides a Windows Internal Library context used for Product and Serv The following fields are available: -- **-149ngContextMessage** No content is currently available. -- **3645entContextName** No content is currently available. -- **379rentContextName** No content is currently available. -- **532rentContextName** No content is currently available. -- **677rentContextName** No content is currently available. -- **8108entContextName** No content is currently available. -- **8251entContextName** No content is currently available. -- **902rentContextName** No content is currently available. -- **9567ngContextMessage** No content is currently available. -- **9717ngContextMessage** No content is currently available. - **callContext** The function where the failure occurred. - **currentContextId** The ID of the current call context where the failure occurred. - **currentContextMessage** The message of the current call context where the failure occurred. -- **currentContextMessaon** No content is currently available. - **currentContextName** The name of the current call context where the failure occurred. - **failureCount** The number of failures for this failure ID. - **failureId** The ID of the failure that occurred. - **failureType** The type of the failure that occurred. - **fileName** The file name where the failure occurred. -- **functige** No content is currently available. - **function** The function where the failure occurred. - **hresult** The HResult of the overall activity. - **lineNumber** The line number where the failure occurred. - **message** The message of the failure that occurred. - **module** The module where the failure occurred. -- **ori1-0467ngContextMessage** No content is currently available. -- **ori1-1210ngContextMessage** No content is currently available. -- **ori1143-7ngContextMessage** No content is currently available. -- **ori1-1945ngContextMessage** No content is currently available. -- **ori13s090ngContextMessage** No content is currently available. -- **ori1-4671entContextName** No content is currently available. -- **ori1-5108ngContextMessage** No content is currently available. -- **ori1-5686ngContextMessage** No content is currently available. -- **ori1n:667ngContextMessage** No content is currently available. -- **ori1n8488ngContextMessage** No content is currently available. -- **ori1-s4o5ngContextMessage** No content is currently available. -- **ori808467ngContextMessage** No content is currently available. - **originatingContextId** The ID of the originating call context that resulted in the failure. - **originatingContextMessage** The message of the originating call context that resulted in the failure. - **originatingContextName** The name of the originating call context that resulted in the failure. -- **threa0Id** No content is currently available. - **threadId** The ID of the thread on which the activity is executing. @@ -4854,7 +4837,6 @@ This service retrieves events generated by SetupPlatform, the engine that drives The following fields are available: -- **Falue** No content is currently available. - **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. - **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. - **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. @@ -4868,12 +4850,8 @@ Scan process event on Windows Update client. See the EventScenario field for spe The following fields are available: -- **AativityMatchingId** No content is currently available. - **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. -- **ActivityMatcjingId** No content is currently available. -- **AllowCachedResul|s** No content is currently available. - **AllowCachedResults** Indicates if the scan allowed using cached results. -- **AllowCachedRmsults** No content is currently available. - **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable - **BiosFamily** The family of the BIOS (Basic Input Output System). - **BiosName** The name of the device BIOS. @@ -4897,17 +4875,14 @@ The following fields are available: - **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. - **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. - **DriverSyncPassPerformed** Were drivers scanned this time? -- **DriverSyncPasSPerformed** No content is currently available. - **EventInstanceID** A globally unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. -- **ExtendedetadataICabUrl** No content is currently available. - **ExtendedMetadataCabUrl** Hostname that is used to download an update. - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. - **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. - **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. - **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days). - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FeatureUpdatePausePerimd** No content is currently available. - **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days). - **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). - **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). @@ -4915,20 +4890,16 @@ The following fields are available: - **IntentPFNs** Intended application-set metadata for atomic update scenarios. - **IPVersion** Indicates whether the download took place over IPv4 or IPv6 - **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEna`led** No content is currently available. - **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. - **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. - **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce - **MSIError** The last error that was encountered during a scan for updates. -- **NetworkConneativityDetected** No content is currently available. - **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 - **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete - **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked - **NumberOfLoop** The number of round trips the scan required - **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan - **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan -- **NumFailedetadataISignatures** No content is currently available. -- **NumFailedMetadatabignatures** No content is currently available. - **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. - **Online** Indicates if this was an online scan. - **PausedUpdates** A list of UpdateIds which that currently being paused. @@ -4945,19 +4916,16 @@ The following fields are available: - **ScanDurationInSeconds** The number of seconds a scan took - **ScanEnqueueTime** The number of seconds it took to initialize a scan - **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). -- **ServiaeUrl** No content is currently available. - **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). - **ServiceUrl** The environment URL a device is configured to scan with - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). +- **SyncTyp%** No content is currently available. - **SyncType** Describes the type of scan the event was - **SystemBIOSMajorRelease** Major version of the BIOS. - **SystemBIOSMinorRelease** Minor version of the BIOS. - **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. -- **TotalNumetadataISignatures** No content is currently available. -- **TotalNumMetadatabignatures** No content is currently available. - **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. -- **VelatedCV** No content is currently available. - **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. @@ -5202,6 +5170,7 @@ The following fields are available: - **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced. - **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **rApcessFailurePostReboot** No content is currently available. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **RepeatFailCount** Indicates whether this specific piece of content has previously failed. - **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. @@ -6661,6 +6630,7 @@ The following fields are available: - **b9tesFromPeers** No content is currently available. - **background** Is the download a background download? - **bytesFrkmIntPeers** No content is currently available. +- **bytesFroeIntPeers** No content is currently available. - **bytesFromCacheSedver** No content is currently available. - **bytesFromCacheServer** Bytes received from a cache host. - **bytesFromCdN** No content is currently available. @@ -6704,6 +6674,7 @@ The following fields are available: - **gCurMemoryStreamBytes** Current usage for memory streaming. - **gMaxMemoryStreamBytes** Maximum usage for memory streaming. - **groupConjectionCount** No content is currently available. +- **groupConnectaonCount** No content is currently available. - **groupConnectionCount** The total number of connections made to peers in the same group. - **in4ernetConnectionCount** No content is currently available. - **internetConnectionCnunt** No content is currently available. From 422a14b801f78e8ac4c3c49794b36685f0d4cc91 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 21 Mar 2019 08:18:42 -0700 Subject: [PATCH 070/492] new build 3/21/2019 8:18 AM --- .../basic-level-windows-diagnostic-events-and-fields-1903.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 4d3aa705fe..9e412991e5 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/20/2019 +ms.date: 03/21/2019 --- From 9f185a1abed0ba5e92b919925c6c5124b3eff260 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 21 Mar 2019 08:18:49 -0700 Subject: [PATCH 071/492] new build 3/21/2019 8:18 AM --- ...ndows-diagnostic-events-and-fields-1703.md | 2 +- ...ndows-diagnostic-events-and-fields-1709.md | 2 +- ...ndows-diagnostic-events-and-fields-1803.md | 2 +- ...ndows-diagnostic-events-and-fields-1809.md | 69 +------------------ 4 files changed, 4 insertions(+), 71 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 0f32a74a67..8bd5d541d3 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/20/2019 +ms.date: 03/21/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index e7b0b0b20f..d36fddc9a7 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/20/2019 +ms.date: 03/21/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index c3150d4aeb..cdb533230d 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/20/2019 +ms.date: 03/21/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 680f731738..3f57313fe0 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/20/2019 +ms.date: 03/21/2019 --- @@ -4969,7 +4969,6 @@ The following fields are available: - **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded. - **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload. -- **AppXBlocKHashFailures** No content is currently available. - **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. - **AppXDownloadScope** Indicates the scope of the download for application content. - **AppXScope** Indicates the scope of the app download. @@ -4984,14 +4983,11 @@ The following fields are available: - **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. - **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download. - **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **BundleRevisionumber** No content is currently available. - **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). - **CachedEngineVersion** The version of the “Self-Initiated Healing” (SIH) engine that is cached on the device, if applicable. - **CallerApplicationName** The name provided by the application that initiated API calls into the software distribution client. -- **CallerApplicavionName** No content is currently available. - **CbsDownloadMethod** Indicates whether the download was a full- or a partial-file download. - **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. -- **CDNCoun|ryCode** No content is currently available. - **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. - **CDNId** ID which defines which CDN the software distribution client downloaded the content from. - **ClientVersion** The version number of the software distribution client. @@ -5007,8 +5003,6 @@ The following fields are available: - **EventType** Identifies the type of the event (Child, Bundle, or Driver). - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FFightBuildNumber** No content is currently available. -- **FFightId** No content is currently available. - **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). - **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. - **FlightId** The specific ID of the flight (pre-release build) the device is getting. @@ -5021,7 +5015,6 @@ The following fields are available: - **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update - **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. - **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. -- **IsWUfBEnaBled** No content is currently available. - **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. - **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) - **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." @@ -5033,19 +5026,14 @@ The following fields are available: - **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background. - **RegulationReason** The reason that the update is regulated - **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. -- **RegulitionResult** No content is currently available. - **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. - **RepeatFailCount** Indicates whether this specific content has previously failed. - **RepeatFailFlag** Indicates whether this specific content previously failed to download. - **RevisionNumber** The revision number of the specified piece of content. -- **RevisionNUmber** No content is currently available. -- **Revisionumber** No content is currently available. - **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). -- **ServiceGUid** No content is currently available. - **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. - **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. - **SizeCalcTime** Time (in seconds) taken to calculate the total download size of the payload. -- **SonnectTime** No content is currently available. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). - **SystemBIOSMajorRelease** Major version of the BIOS. - **SystemBIOSMinorRelease** Minor version of the BIOS. @@ -5139,7 +5127,6 @@ The following fields are available: - **CurrentMobileOperator** The mobile operator to which the device is currently connected. - **DeploymentProviderMode** The mode of operation of the update deployment provider. - **DeviceModel** The device model. -- **DriverPifgBack** No content is currently available. - **DriverPingBack** Contains information about the previous driver and system state. - **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. - **EventInstanceID** A globally unique identifier for event instance. @@ -5170,7 +5157,6 @@ The following fields are available: - **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced. - **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **rApcessFailurePostReboot** No content is currently available. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **RepeatFailCount** Indicates whether this specific piece of content has previously failed. - **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. @@ -5307,11 +5293,8 @@ The following fields are available: - **IntentPFNs** Intended application-set metadata for atomic update scenarios. - **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **RelntedCV** No content is currently available. - **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). -- **umberOfApplicableUpdates** No content is currently available. - **WUDeviceID** The unique device ID controlled by the software distribution client. -- **xHDeviceID** No content is currently available. ### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity @@ -5321,25 +5304,18 @@ Ensures Windows Updates are secure and complete. Event helps to identify whether The following fields are available: - **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **CallerLoglicationName** No content is currently available. - **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments. -- **EventSbenario** No content is currently available. - **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. - **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. -- **ExtendefStatusCode** No content is currently available. -- **imeZoScenario** No content is currently available. - **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed. - **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. - **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce - **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID). - **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable. - **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. -- **RcwMode** No content is currently available. - **RevisionId** The revision ID for a specific piece of content. - **RevisionNumber** The revision number for a specific piece of content. -- **SedviceGuid** No content is currently available. - **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store -- **ServiceGuidEndpointUrl** No content is currently available. - **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. - **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. - **SHA256OfTimestampToken** An encoded string of the timestamp token. @@ -5496,7 +5472,6 @@ This event sends data for the initialize phase of updating Windows via the new U The following fields are available: - **ErrorCode** The error code returned for the current install phase. -- **essionData** No content is currently available. - **FlightId** Unique ID for each flight. - **FlightMetadata** Contains the FlightId and the build being flighted. - **ObjectId** Unique value for each Update Agent mode. @@ -5578,7 +5553,6 @@ The following fields are available: - **Applicable** The count of mitigations that were applicable to the system and scenario. - **Failed** The count of mitigations that failed. - **FlightId** Unique identifier for each flight. -- **Friled** No content is currently available. - **MitigationScenario** The update scenario in which the mitigations were attempted. - **ObjectId** The unique value for each Update Agent mode. - **RelatedCV** The correlation vector value generated from the latest USO scan. @@ -5614,7 +5588,6 @@ The following fields are available: - **Count** The count of applicable OneSettings for the device. - **FlightId** Unique ID for the flight (test instance version). -- **Obj%ctId** No content is currently available. - **ObjectId** The unique value for each Update Agent mode. - **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. - **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. @@ -5927,11 +5900,9 @@ The following fields are available: - **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FieldName** Retrieves the data point. - **FlightData** Specifies a unique identifier for each group of Windows Insider builds. -- **InstanãeId** No content is currently available. - **InstanceId** Retrieves a unique identifier for each instance of a setup session. - **ReportId** Retrieves the report ID. - **ScenarioId** Retrieves the deployment scenario. -- **value** No content is currently available. - **Value** Retrieves the value associated with the corresponding FieldName. @@ -6024,7 +5995,6 @@ The following fields are available: - **HostOSBuildNumber** The build number of the previous OS. - **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). - **InstanceId** A unique GUID that identifies each instance of setuphost.exe -- **o-Ste** No content is currently available. - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. - **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. @@ -6066,7 +6036,6 @@ The following fields are available: - **usingBackupQualityAssessment** Relying on backup quality assessment. - **usingCachedFeatureAssessment** WaaS Medic run did not get OS build age from the network on the previous run. - **usingCachedQualityAssessment** WaaS Medic run did not get OS revision age from the network on the previous run. -- **versionbtring** No content is currently available. - **versionString** Version of the WaaSMedic engine. - **waasMedicRunMode** Indicates whether this was a background regular run of the medic or whether it was triggered by a user launching Windows Update Troubleshooter. @@ -6081,7 +6050,6 @@ The following fields are available: - **BootId** Uint32 identifying the boot number for this device. - **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check. -- **BugCheckPar%meter2** No content is currently available. - **BugCheckParameter1** Uint64 parameter providing additional information. - **BugCheckParameter2** Uint64 parameter providing additional information. - **BugCheckParameter3** Uint64 parameter providing additional information. @@ -6134,14 +6102,10 @@ This event is sent when an installation or update is canceled by a user or the s The following fields are available: - **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AggregatedPackageFullNcmes** No content is currently available. - **AttemptNumber** Number of retry attempts before it was canceled. - **BundleId** The Item Bundle ID. -- **Bundlele** No content is currently available. - **CategoryId** The Item Category ID. -- **Categoryle** No content is currently available. - **ClientAppId** The identity of the app that initiated this operation. -- **ClientApple** No content is currently available. - **HResult** The result code of the last action performed before this operation. - **IsBundle** Is this a bundle? - **IsInteractive** Was this requested by a user? @@ -6150,11 +6114,8 @@ The following fields are available: - **IsRestore** Is this automatically restoring a previously acquired product? - **IsUpdate** Flag indicating if this is an update. - **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **ParentBundlele** No content is currently available. - **PFN** The product family name of the product being installed. -- **Producele** No content is currently available. - **ProductId** The identity of the package or packages being installed. -- **S{stemAttemptNumber** No content is currently available. - **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled. - **UserAttemptNumber** The total number of user attempts at installation before it was canceled. - **WUContentId** The Windows Update content ID. @@ -6220,8 +6181,6 @@ This event is sent after the license is acquired when a product is being install The following fields are available: -- **AggregatedPackageFullNaies** No content is currently available. -- **AggregatedpackageFullNames** No content is currently available. - **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set. - **AttemptNumber** The total number of attempts to acquire this product. - **CategoryId** The identity of the package or packages being installed. @@ -6232,17 +6191,11 @@ The following fields are available: - **IsMandatory** Is this a mandatory update? - **IsRemediation** Is this repairing a previous installation? - **IsRestore** Is this happening after a device restore? -- **IsUp`ate** No content is currently available. - **IsUpdate** Is this an update? -- **ParentBuneleId** No content is currently available. - **PFN** Product Family Name of the product being installed. -- **Produc|Id** No content is currently available. -- **productId** No content is currently available. - **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNueber** No content is currently available. - **SystemAttemptNumber** The number of attempts by the system to acquire this product. - **UserAttemptNumber** The number of attempts by the user to acquire this product -- **UserCttemptNumber** No content is currently available. - **WUContentId** The Windows Update content ID. @@ -6252,14 +6205,10 @@ This event is sent after an app is downloaded to help keep Windows up-to-date an The following fields are available: -- **AggregatedPackageFullLames** No content is currently available. -- **AggregatedPackageFullNaðes** No content is currently available. - **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. -- **AsUpdate** No content is currently available. - **AttemptNumber** Number of retry attempts before it was canceled. - **BundleId** The identity of the Windows Insider build associated with this product. - **CategoryId** The identity of the package or packages being installed. -- **CategoryIf** No content is currently available. - **ClientAppId** The identity of the app that initiated this operation. - **DownloadSize** The total size of the download. - **ExtendedHResult** Any extended HResult error codes. @@ -6274,9 +6223,7 @@ The following fields are available: - **PFN** The Product Family Name of the app being download. - **ProductId** The Store Product ID for the product being installed. - **SystemAttemptNumber** The number of attempts by the system to download. -- **UserAttemptNum`er** No content is currently available. - **UserAttemptNumber** The number of attempts by the user to download. -- **UserCttemptNumber** No content is currently available. - **WUContentId** The Windows Update content ID. @@ -6304,7 +6251,6 @@ This event is sent after a product has been installed to help keep Windows up-to The following fields are available: -- **__TlgCÖ__** No content is currently available. - **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. - **AttemptNumber** The number of retry attempts before it was canceled. - **BundleId** The identity of the build associated with this product. @@ -6314,13 +6260,10 @@ The following fields are available: - **HResult** The result code of the last action performed. - **IsBundle** Is this a bundle? - **IsInteractive** Is this an interactive installation? -- **IsInteragtive** No content is currently available. - **IsMandatory** Is this a mandatory installation? - **IsRemediation** Is this repairing a previous installation? - **IsRestore** Is this automatically restoring a previously acquired product? -- **IsRestorg** No content is currently available. - **IsUpdate** Is this an update? -- **KsBundle** No content is currently available. - **ParentBundleId** The product ID of the parent (if this product is part of a bundle). - **PFN** Product Family Name of the product being installed. - **ProductId** The Store Product ID for the product being installed. @@ -6410,13 +6353,9 @@ This event is sent at the end of an app install or update to help keep Windows u The following fields are available: - **CatalogId** The name of the product catalog from which this app was chosen. -- **CatanogId** No content is currently available. -- **CatdlogId** No content is currently available. - **FailedRetry** Indicates whether the installation or update retry was successful. - **HResult** The HResult code of the operation. -- **JResult** No content is currently available. - **PFN** The Package Family Name of the app that is being installed or updated. -- **Producele** No content is currently available. - **ProductId** The product ID of the app that is being updated or installed. @@ -6483,7 +6422,6 @@ The following fields are available: - **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. - **AttemptNumber** The number of retry attempts before it was canceled. - **BundleId** The identity of the build associated with this product. -- **categoryId** No content is currently available. - **CategoryId** The identity of the package or packages being installed. - **ClientAppId** The identity of the app that initiated this operation. - **HResult** The result code of the last action performed before this operation. @@ -6627,10 +6565,8 @@ The following fields are available: - **b6nErrorCounts** No content is currently available. - **b6nIp** No content is currently available. - **b6nUrl** No content is currently available. -- **b9tesFromPeers** No content is currently available. - **background** Is the download a background download? - **bytesFrkmIntPeers** No content is currently available. -- **bytesFroeIntPeers** No content is currently available. - **bytesFromCacheSedver** No content is currently available. - **bytesFromCacheServer** Bytes received from a cache host. - **bytesFromCdN** No content is currently available. @@ -6639,7 +6575,6 @@ The following fields are available: - **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. - **bytesFromIntÐeers** No content is currently available. - **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. -- **byTesFromIntPeers** No content is currently available. - **bytesFromLinkLocalPeers** The number of bytes received from local peers. - **bytesFromLocalCache** Bytes copied over from local (on disk) cache. - **bytesFromPeers** The number of bytes received from a peer in the same LAN. @@ -6664,7 +6599,6 @@ The following fields are available: - **downloadMode** The download mode used for this file download session. - **doWnloadMode** No content is currently available. - **downloadModeReason** Reason for the download. -- **downloadModeS2c** No content is currently available. - **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). - **downloadMofeSrc** No content is currently available. - **experimentId** When running a test, this is used to correlate with other events that are part of the same test. @@ -6674,7 +6608,6 @@ The following fields are available: - **gCurMemoryStreamBytes** Current usage for memory streaming. - **gMaxMemoryStreamBytes** Maximum usage for memory streaming. - **groupConjectionCount** No content is currently available. -- **groupConnectaonCount** No content is currently available. - **groupConnectionCount** The total number of connections made to peers in the same group. - **in4ernetConnectionCount** No content is currently available. - **internetConnectionCnunt** No content is currently available. From ad191329006ff8e6fd1c5a568c4de32170994864 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 21 Mar 2019 14:41:16 -0700 Subject: [PATCH 072/492] added IME support --- .../faq-wd-app-guard.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md index 0fe3b780be..92683a153d 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -6,9 +6,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha +author: qrscharmed ms.author: justinha -ms.date: 11/07/2017 +ms.date: 03/21/2019 --- # Frequently asked questions - Windows Defender Application Guard @@ -58,6 +58,12 @@ Answering frequently asked questions about Windows Defender Application Guard (A |**A:** |WDAG requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as “192.168.1.4:81” can be annotated as “itproxy:81” or using a record such as “P19216810010” for a proxy with an IP address of 192.168.100.10. This applies to Windows 10 Enterprise edition, 1709 or higher.|
+| | | +|---|----------------------------| +|**Q:** |Which input Method Editors (IME) in 19H1 are not supported?| +|**A:** |The following Input Method Editors (IME) that are introduced in the Windows 10 May 2019 Update are currently not supported in WDAG.
Vietnam Telex keyboard
Vietnam number key-based keyboard
Hindi phonetic keyboard
Bangla phonetic keyboard
Marathi phonetic keyboard
Telugu phonetic keyboard
Tamil phonetic keyboard
Kannada phonetic keyboard
Malayalam phonetic keyboard
Gujarati phonetic keyboard
Odia phonetic keyboard
Punjabi phonetic keyboard| +
+ | | | |---|----------------------------| |**Q:** |I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?| From 1108b06dd4838f30b595649fe8181b4ef13325a3 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 21 Mar 2019 14:41:29 -0700 Subject: [PATCH 073/492] added IME support --- .../windows-defender-application-guard/faq-wd-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md index 92683a153d..402f197bcd 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -60,7 +60,7 @@ Answering frequently asked questions about Windows Defender Application Guard (A | | | |---|----------------------------| -|**Q:** |Which input Method Editors (IME) in 19H1 are not supported?| +|**Q:** |Which Input Method Editors (IME) in 19H1 are not supported?| |**A:** |The following Input Method Editors (IME) that are introduced in the Windows 10 May 2019 Update are currently not supported in WDAG.
Vietnam Telex keyboard
Vietnam number key-based keyboard
Hindi phonetic keyboard
Bangla phonetic keyboard
Marathi phonetic keyboard
Telugu phonetic keyboard
Tamil phonetic keyboard
Kannada phonetic keyboard
Malayalam phonetic keyboard
Gujarati phonetic keyboard
Odia phonetic keyboard
Punjabi phonetic keyboard|
From 591d48f5786610a44662272cbabc1770fc444e74 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 21 Mar 2019 14:42:09 -0700 Subject: [PATCH 074/492] edits --- .../windows-defender-application-guard/faq-wd-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md index 402f197bcd..875de5e08e 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -61,7 +61,7 @@ Answering frequently asked questions about Windows Defender Application Guard (A | | | |---|----------------------------| |**Q:** |Which Input Method Editors (IME) in 19H1 are not supported?| -|**A:** |The following Input Method Editors (IME) that are introduced in the Windows 10 May 2019 Update are currently not supported in WDAG.
Vietnam Telex keyboard
Vietnam number key-based keyboard
Hindi phonetic keyboard
Bangla phonetic keyboard
Marathi phonetic keyboard
Telugu phonetic keyboard
Tamil phonetic keyboard
Kannada phonetic keyboard
Malayalam phonetic keyboard
Gujarati phonetic keyboard
Odia phonetic keyboard
Punjabi phonetic keyboard| +|**A:** |The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in WDAG.
Vietnam Telex keyboard
Vietnam number key-based keyboard
Hindi phonetic keyboard
Bangla phonetic keyboard
Marathi phonetic keyboard
Telugu phonetic keyboard
Tamil phonetic keyboard
Kannada phonetic keyboard
Malayalam phonetic keyboard
Gujarati phonetic keyboard
Odia phonetic keyboard
Punjabi phonetic keyboard|
| | | From 5c3f4f8881106b8565a0a047e0f87be09eea16bc Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Mon, 25 Mar 2019 07:49:34 -0700 Subject: [PATCH 075/492] add ms.date --- windows/configuration/wcd/wcd-cellular.md | 2 +- windows/configuration/wcd/wcd-changes.md | 2 +- windows/configuration/wcd/wcd-deviceupdatecenter.md | 2 +- windows/configuration/wcd/wcd-oobe.md | 2 +- windows/configuration/wcd/wcd-policies.md | 2 +- windows/configuration/wcd/wcd-privacy.md | 2 +- windows/configuration/wcd/wcd-time.md | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/configuration/wcd/wcd-cellular.md b/windows/configuration/wcd/wcd-cellular.md index 1019d87dd8..9c292c9e3d 100644 --- a/windows/configuration/wcd/wcd-cellular.md +++ b/windows/configuration/wcd/wcd-cellular.md @@ -8,7 +8,7 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 10/02/2018 +ms.date: 05/21/2019 --- # Cellular (Windows Configuration Designer reference) diff --git a/windows/configuration/wcd/wcd-changes.md b/windows/configuration/wcd/wcd-changes.md index 785a38cf30..571f137000 100644 --- a/windows/configuration/wcd/wcd-changes.md +++ b/windows/configuration/wcd/wcd-changes.md @@ -8,7 +8,7 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 10/02/2018 +ms.date: 05/21/2019 --- # Changes to settings in Windows Configuration Designer diff --git a/windows/configuration/wcd/wcd-deviceupdatecenter.md b/windows/configuration/wcd/wcd-deviceupdatecenter.md index 7417a12104..09f2af4d12 100644 --- a/windows/configuration/wcd/wcd-deviceupdatecenter.md +++ b/windows/configuration/wcd/wcd-deviceupdatecenter.md @@ -8,7 +8,7 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 09/06/2017 +ms.date: 05/21/2019 --- # DeviceUpdateCenter (Windows Configuration Designer reference) diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md index 6bf1ca1d44..31af250386 100644 --- a/windows/configuration/wcd/wcd-oobe.md +++ b/windows/configuration/wcd/wcd-oobe.md @@ -8,7 +8,7 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 09/06/2017 +ms.date: 05/21/2019 --- # OOBE (Windows Configuration Designer reference) diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md index 19bc04a0f5..a2098f93b8 100644 --- a/windows/configuration/wcd/wcd-policies.md +++ b/windows/configuration/wcd/wcd-policies.md @@ -8,7 +8,7 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 10/02/2018 +ms.date: 05/21/2019 --- # Policies (Windows Configuration Designer reference) diff --git a/windows/configuration/wcd/wcd-privacy.md b/windows/configuration/wcd/wcd-privacy.md index 1451f639d8..ad2a699688 100644 --- a/windows/configuration/wcd/wcd-privacy.md +++ b/windows/configuration/wcd/wcd-privacy.md @@ -8,7 +8,7 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 09/06/2017 +ms.date: 05/21/2019 --- # Privacy (Windows Configuration Designer reference) diff --git a/windows/configuration/wcd/wcd-time.md b/windows/configuration/wcd/wcd-time.md index 57086da3c3..b81a6d8f1c 100644 --- a/windows/configuration/wcd/wcd-time.md +++ b/windows/configuration/wcd/wcd-time.md @@ -8,7 +8,7 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 09/06/2017 +ms.date: 05/21/2019 --- # Time From 970f6486da29a20e6e29ee6da832bf36d7e7a744 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 26 Mar 2019 09:02:03 -0700 Subject: [PATCH 076/492] new build 3/26/2019 9:02 AM --- .../basic-level-windows-diagnostic-events-and-fields-1903.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 9e412991e5..a7a06f32ec 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/21/2019 +ms.date: 03/26/2019 --- From 3e550647faf490d4c9490766f145808fea01430b Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 26 Mar 2019 09:02:11 -0700 Subject: [PATCH 077/492] new build 3/26/2019 9:02 AM --- ...ndows-diagnostic-events-and-fields-1703.md | 2 +- ...ndows-diagnostic-events-and-fields-1709.md | 37 +- ...ndows-diagnostic-events-and-fields-1803.md | 2 +- ...ndows-diagnostic-events-and-fields-1809.md | 15670 ++++++++-------- 4 files changed, 7949 insertions(+), 7762 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 8bd5d541d3..ae09444cb1 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/21/2019 +ms.date: 03/26/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index d36fddc9a7..494bb5b1d5 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/21/2019 +ms.date: 03/26/2019 --- @@ -1912,6 +1912,41 @@ The following fields are available: - **pendingDecision** Indicates the cause of reboot, if applicable. +### CbsServicingProvider.CbsSelectableUpdateChangeV2 + +This event reports the results of enabling or disabling optional Windows Content to keep Windows up to date. + +The following fields are available: + +- **applicableUpdateState** Indicates the highest applicable state of the optional content. +- **buildVersion** The build version of the package being installed. +- **clientId** The name of the application requesting the optional content change. +- **downloadSource** Indicates if optional content was obtained from Windows Update or a locally accessible file. +- **downloadtimeInSeconds** Indicates if optional content was obtained from Windows Update or a locally accessible file. +- **executionID** A unique ID used to identify events associated with a single servicing operation and not reused for future operations. +- **executionSequence** A counter that tracks the number of servicing operations attempted on the device. +- **firstMergedExecutionSequence** The value of a pervious executionSequence counter that is being merged with the current operation, if applicable. +- **firstMergedID** A unique ID of a pervious servicing operation that is being merged with this operation, if applicable. +- **hrDownloadResult** The return code of the download operation. +- **hrStatusUpdate** The return code of the servicing operation. +- **identityHash** A pseudonymized (hashed) identifier for the Windows Package that is being installed or uninstalled. +- **initiatedOffline** Indicates whether the operation was performed against an offline Windows image file or a running instance of Windows. +- **majorVersion** The major version of the package being installed. +- **minorVersion** The minor version of the package being installed. +- **packageArchitecture** The architecture of the package being installed. +- **packageLanguage** The language of the package being installed. +- **packageName** The name of the package being installed. +- **rebootRequired** Indicates whether a reboot is required to complete the operation. +- **revisionVersion** The revision number of the package being installed. +- **stackBuild** The build number of the servicing stack binary performing the installation. +- **stackMajorVersion** The major version number of the servicing stack binary performing the installation. +- **stackMinorVersion** The minor version number of the servicing stack binary performing the installation. +- **stackRevision** The revision number of the servicing stack binary performing the installation. +- **updateName** The name of the optional Windows Operation System feature being enabled or disabled. +- **updateStartState** A value indicating the state of the optional content before the operation started. +- **updateTargetState** A value indicating the desired state of the optional content. + + ## Diagnostic data events ### TelClientSynthetic.AuthorizationInfo_RuntimeTransition diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index cdb533230d..38b1e69785 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/21/2019 +ms.date: 03/26/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 3f57313fe0..1fdf4dd009 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -1,7759 +1,7911 @@ ---- -description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. -title: Windows 10, version 1809 basic diagnostic events and fields (Windows 10) -keywords: privacy, telemetry -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -localizationpriority: high -author: brianlic-msft -ms.author: brianlic -manager: dansimp -ms.collection: M365-security-compliance -ms.topic: article -audience: ITPro -ms.date: 03/21/2019 ---- - - -# Windows 10, version 1809 basic level Windows diagnostic events and fields - - **Applies to** - -- Windows 10, version 1809 - - -The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. - -The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. - -Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. - -You can learn more about Windows functional and diagnostic data through these articles: - - -- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) -- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) -- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) -- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) -- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) - - - - -## Account trace logging provider events - -### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.General - -This event provides information about application properties to indicate the successful execution. - -The following fields are available: - -- **AppMode** Indicates the mode the app is being currently run around privileges. -- **ExitCode** Indicates the exit code of the app. -- **Help** Indicates if the app needs to be launched in the help mode. -- **ParseError** Indicates if there was a parse error during the execution. -- **RightsAcquired** Indicates if the right privileges were acquired for successful execution. -- **RightsWereEnabled** Indicates if the right privileges were enabled for successful execution. -- **TestMode** Indicates whether the app is being run in test mode. - - -### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.GetCount - -This event provides information about the properties of user accounts in the Administrator group. - -The following fields are available: - -- **Internal** Indicates the internal property associated with the count group. -- **LastError** The error code (if applicable) for the cause of the failure to get the count of the user account. -- **Result** The HResult error. - - -## AppLocker events - -### Microsoft.Windows.Security.AppLockerCSP.ActivityStoppedAutomatically - -Automatically closed activity for start/stop operations that aren't explicitly closed. - - - -### Microsoft.Windows.Security.AppLockerCSP.AddParams - -Parameters passed to Add function of the AppLockerCSP Node. - -The following fields are available: - -- **child** The child URI of the node to add. -- **uri** URI of the node relative to %SYSTEM32%/AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.AddStart - -Start of "Add" Operation for the AppLockerCSP Node. - - - -### Microsoft.Windows.Security.AppLockerCSP.AddStop - -End of "Add" Operation for AppLockerCSP Node. - -The following fields are available: - -- **hr** The HRESULT returned by Add function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.CAppLockerCSP::Rollback - -Result of the 'Rollback' operation in AppLockerCSP. - -The following fields are available: - -- **oldId** Previous id for the CSP transaction. -- **txId** Current id for the CSP transaction. - - -### Microsoft.Windows.Security.AppLockerCSP.ClearParams - -Parameters passed to the "Clear" operation for AppLockerCSP. - -The following fields are available: - -- **uri** The URI relative to the %SYSTEM32%\AppLocker folder. - - -### Microsoft.Windows.Security.AppLockerCSP.ClearStart - -Start of the "Clear" operation for the AppLockerCSP Node. - - - -### Microsoft.Windows.Security.AppLockerCSP.ClearStop - -End of the "Clear" operation for the AppLockerCSP node. - -The following fields are available: - -- **hr** HRESULT reported at the end of the 'Clear' function. - - -### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStart - -Start of the "ConfigManagerNotification" operation for AppLockerCSP. - -The following fields are available: - -- **NotifyState** State sent by ConfigManager to AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStop - -End of the "ConfigManagerNotification" operation for AppLockerCSP. - -The following fields are available: - -- **hr** HRESULT returned by the ConfigManagerNotification function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceParams - -Parameters passed to the CreateNodeInstance function of the AppLockerCSP node. - -The following fields are available: - -- **NodeId** NodeId passed to CreateNodeInstance. -- **nodeOps** NodeOperations parameter passed to CreateNodeInstance. -- **uri** URI passed to CreateNodeInstance, relative to %SYSTEM32%\AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStart - -Start of the "CreateNodeInstance" operation for the AppLockerCSP node. - - - -### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStop - -End of the "CreateNodeInstance" operation for the AppLockerCSP node - -The following fields are available: - -- **hr** HRESULT returned by the CreateNodeInstance function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.DeleteChildParams - -Parameters passed to the DeleteChild function of the AppLockerCSP node. - -The following fields are available: - -- **child** The child URI of the node to delete. -- **uri** URI relative to %SYSTEM32%\AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStart - -Start of the "DeleteChild" operation for the AppLockerCSP node. - - - -### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStop - -End of the "DeleteChild" operation for the AppLockerCSP node. - -The following fields are available: - -- **hr** HRESULT returned by the DeleteChild function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.EnumPolicies - -Logged URI relative to %SYSTEM32%\AppLocker, if the Plugin GUID is null, or the CSP doesn't believe the old policy is present. - -The following fields are available: - -- **uri** URI relative to %SYSTEM32%\AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesParams - -Parameters passed to the GetChildNodeNames function of the AppLockerCSP node. - -The following fields are available: - -- **uri** URI relative to %SYSTEM32%/AppLocker for MDM node. - - -### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStart - -Start of the "GetChildNodeNames" operation for the AppLockerCSP node. - - - -### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStop - -End of the "GetChildNodeNames" operation for the AppLockerCSP node. - -The following fields are available: - -- **child[0]** If function succeeded, the first child's name, else "NA". -- **count** If function succeeded, the number of child node names returned by the function, else 0. -- **hr** HRESULT returned by the GetChildNodeNames function of AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.GetLatestId - -The result of 'GetLatestId' in AppLockerCSP (the latest time stamped GUID). - -The following fields are available: - -- **dirId** The latest directory identifier found by GetLatestId. -- **id** The id returned by GetLatestId if id > 0 - otherwise the dirId parameter. - - -### Microsoft.Windows.Security.AppLockerCSP.HResultException - -HRESULT thrown by any arbitrary function in AppLockerCSP. - -The following fields are available: - -- **file** File in the OS code base in which the exception occurs. -- **function** Function in the OS code base in which the exception occurs. -- **hr** HRESULT that is reported. -- **line** Line in the file in the OS code base in which the exception occurs. - - -### Microsoft.Windows.Security.AppLockerCSP.SetValueParams - -Parameters passed to the SetValue function of the AppLockerCSP node. - -The following fields are available: - -- **dataLength** Length of the value to set. -- **uri** The node URI to that should contain the value, relative to %SYSTEM32%\AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.SetValueStart - -Start of the "SetValue" operation for the AppLockerCSP node. - - - -### Microsoft.Windows.Security.AppLockerCSP.SetValueStop - -End of the "SetValue" operation for the AppLockerCSP node. - -The following fields are available: - -- **hr** HRESULT returned by the SetValue function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.TryRemediateMissingPolicies - -EntryPoint of fix step or policy remediation, includes URI relative to %SYSTEM32%\AppLocker that needs to be fixed. - -The following fields are available: - -- **uri** URI for node relative to %SYSTEM32%/AppLocker. - - -## Appraiser events - -### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount - -This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client. - -The following fields are available: - -- **DatasourceApplicationFile_19ASetup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_19H1** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **DatasourceApplicationFile_RS2** An ID for the system, calculated by hashing hardware identifiers. -- **DatasourceApplicationFile_RS3** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS3Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS4** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_TH1** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_TH2** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_19ASetup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. -- **DatasourceDevicePnp_RS2** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS3** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS4** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS5** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_TH1** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_TH2** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_19ASetup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_19H1** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device. -- **DatasourceDriverPackage_RS2** The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device. -- **DatasourceDriverPackage_RS3** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS5** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_TH1** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoBlock_RS2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS3** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS3Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS3** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS3Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS3Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_19ASetup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_19H1** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device. -- **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device. -- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting Windows 10 version 1709 present on this device. -- **DatasourceSystemBios_RS3Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS4** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS5** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_TH1** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_TH2** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_19H1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS3** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_TH1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_TH2** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_19H1** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. -- **DecisionDevicePnp_RS2** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS3** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS5** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_TH1** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_TH2** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_19H1** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device. -- **DecisionDriverPackage_RS2** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS3** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS5** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_TH1** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. -- **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. -- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1709 present on this device. -- **DecisionMatchingInfoBlock_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS4** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1803 present on this device. -- **DecisionMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. -- **DecisionMatchingInfoPassive_RS2** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 on this device. -- **DecisionMatchingInfoPassive_RS3** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1803 on this device. -- **DecisionMatchingInfoPassive_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. -- **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. -- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. -- **DecisionMatchingInfoPostUpgrade_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_19H1** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_19H1Setup** The total DecisionMediaCenter objects targeting the next release of Windows on this device. -- **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. -- **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device. -- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting Windows 10 version 1709 present on this device. -- **DecisionMediaCenter_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_RS4** The total DecisionMediaCenter objects targeting Windows 10 version 1803 present on this device. -- **DecisionMediaCenter_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_TH1** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_TH2** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_19ASetup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_19H1** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device. -- **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 on this device. -- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting Windows 10 version 1709 on this device. -- **DecisionSystemBios_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device. -- **DecisionSystemBios_RS4Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS5** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS5Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_TH1** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device. -- **DecisionSystemProcessor_RS2** The count of the number of this particular object type present on this device. -- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **I4BD-B1CFi2vuW9de87ed73cb92d3ca4.amd64fre.rs5_2eu5umeZone** No content is currently available. -- **InventoryApplicationFile** The count of the number of this particular object type present on this device. -- **InventoryDeviceContainer** A count of device container objects in cache. -- **InventoryDevicePnp** A count of device Plug and Play objects in cache. -- **InventoryDriverBinary** A count of driver binary objects in cache. -- **InventoryDriverPackage** A count of device objects in cache. -- **InventoryLanguagePack** The count of the number of this particular object type present on this device. -- **InventoryMediaCenter** The count of the number of this particular object type present on this device. -- **InventorySystemBios** The count of the number of this particular object type present on this device. -- **InventorySystemMachine** The count of the number of this particular object type present on this device. -- **InventorySystemProcessor** The count of the number of this particular object type present on this device. -- **InventoryTest** The count of the number of this particular object type present on this device. -- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. -- **PCFP** The count of the number of this particular object type present on this device. -- **SystemMemory** The count of the number of this particular object type present on this device. -- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. -- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. -- **SystemProcessorNx** The total number of objects of this type present on this device. -- **SystemProcessorPrefetchW** The total number of objects of this type present on this device. -- **SystemProcessorSse2** The total number of objects of this type present on this device. -- **SystemTouch** The count of the number of this particular object type present on this device. -- **SystemWim** The total number of objects of this type present on this device. -- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. -- **SystemWlan** The total number of objects of this type present on this device. -- **Wmdrm_19ASetup** The count of the number of this particular object type present on this device. -- **Wmdrm_19H1** The count of the number of this particular object type present on this device. -- **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. -- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS2** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS3** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS3Setup** The count of the number of this particular object type present on this device. -- **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. -- **Wmdrm_RS4Setup** The count of the number of this particular object type present on this device. -- **Wmdrm_RS5** The count of the number of this particular object type present on this device. -- **Wmdrm_RS5Setup** The count of the number of this particular object type present on this device. -- **Wmdrm_TH1** The count of the number of this particular object type present on this device. -- **Wmdrm_TH2** The count of the number of this particular object type present on this device. - - -### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd - -Represents the basic metadata about specific application files installed on the system. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file that is generating the events. -- **AvDisplayName** If the app is an anti-virus app, this is its display name. -- **CompatModelIndex** The compatibility prediction for this file. -- **HasCitData** Indicates whether the file is present in CIT data. -- **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file. -- **IsAv** Is the file an anti-virus reporting EXE? -- **ResolveAttempted** This will always be an empty string when sending telemetry. -- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. - - -### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove - -This event indicates that the DatasourceApplicationFile object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync - -This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd - -This event sends compatibility data for a Plug and Play device, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **ActiveNetworkConnection** Indicates whether the device is an active network device. -- **AppraiserVersion** The version of the appraiser file generating the events. -- **CosDeviceRating** An enumeration that indicates if there is a driver on the target operating system. -- **CosDeviceSolution** An enumeration that indicates how a driver on the target operating system is available. -- **CosDeviceSolutionUrl** Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd . Empty string -- **CosPopulatedFromId** The expected uplevel driver matching ID based on driver coverage data. -- **IsBootCritical** Indicates whether the device boot is critical. -- **UplevelInboxDriver** Indicates whether there is a driver uplevel for this device. -- **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update. -- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver. -- **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update. - - -### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove - -This event indicates that the DatasourceDevicePnp object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync - -This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd - -This event sends compatibility database data about driver packages to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync - -This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd - -This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove - -This event indicates that the DataSourceMatchingInfoBlock object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync - -This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd - -This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove - -This event indicates that the DataSourceMatchingInfoPassive object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync - -This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd - -This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove - -This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync - -This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd - -This event sends compatibility database information about the BIOS to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove - -This event indicates that the DatasourceSystemBios object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync - -This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd - -This event sends compatibility decision data about a file to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file that is generating the events. -- **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. -- **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question. -- **DisplayGenericMessage** Will be a generic message be shown for this file? -- **DisplayGenericMessageGated** Indicates whether a generic message be shown for this file. -- **HardBlock** This file is blocked in the SDB. -- **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? -- **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode? -- **MigRemoval** Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade? -- **NeedsDismissAction** Will the file cause an action that can be dimissed? -- **NeedsInstallPostUpgradeData** After upgrade, the file will have a post-upgrade notification to install a replacement for the app. -- **NeedsNotifyPostUpgradeData** Does the file have a notification that should be shown after upgrade? -- **NeedsReinstallPostUpgradeData** After upgrade, this file will have a post-upgrade notification to reinstall the app. -- **NeedsUninstallAction** The file must be uninstalled to complete the upgrade. -- **SdbBlockUpgrade** The file is tagged as blocking upgrade in the SDB, -- **SdbBlockUpgradeCanReinstall** The file is tagged as blocking upgrade in the SDB. It can be reinstalled after upgrade. -- **SdbBlockUpgradeUntilUpdate** The file is tagged as blocking upgrade in the SDB. If the app is updated, the upgrade can proceed. -- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not block upgrade. -- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade. -- **SoftBlock** The file is softblocked in the SDB and has a warning. - - -### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove - -This event indicates Indicates that the DecisionApplicationFile object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync - -This event indicates that a new set of DecisionApplicationFileAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd - -This event sends compatibility decision data about a PNP device to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. -- **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked? -- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate? -- **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked? -- **BlockingDevice** Is this PNP device blocking upgrade? -- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS? -- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device? -- **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device? -- **DisplayGenericMessageGated** Indicates whether a generic message will be shown during Setup for this PNP device. -- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device? -- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? -- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device? -- **DriverBlockOverridden** Is there is a driver block on the device that has been overridden? -- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device? -- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS? -- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade? -- **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden? - - -### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove - -This event indicates that the DecisionDevicePnp object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync - -The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd - -This event sends decision data about driver package compatibility to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. -- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for this driver package. -- **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? -- **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block? -- **DriverIsDriverBlocked** Is the driver package blocked because of a driver block? -- **DriverIsTroubleshooterBlocked** Indicates whether the driver package is blocked because of a troubleshooter block. -- **DriverShouldNotMigrate** Should the driver package be migrated during upgrade? -- **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? - - -### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove - -This event indicates that the DecisionDriverPackage object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync - -This event indicates that a new set of DecisionDriverPackageAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd - -This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. -- **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks? -- **DisplayGenericMessage** Will a generic message be shown for this block? -- **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block? -- **SdbBlockUpgrade** Is a matching info block blocking upgrade? -- **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag? -- **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag? - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove - -This event indicates that the DecisionMatchingInfoBlock object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync - -This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd - -This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks? -- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown due to matching info blocks. -- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove - -This event Indicates that the DecisionMatchingInfoPassive object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync - -This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd - -This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app? -- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade? -- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app? -- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade). - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove - -This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync - -This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd - -This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **BlockingApplication** Is there any application issues that interfere with upgrade due to Windows Media Center? -- **MediaCenterActivelyUsed** If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true? -- **MediaCenterIndicators** Do any indicators imply that Windows Media Center is in active use? -- **MediaCenterInUse** Is Windows Media Center actively being used? -- **MediaCenterPaidOrActivelyUsed** Is Windows Media Center actively being used or is it running on a supported edition? -- **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center? - - -### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove - -This event indicates that the DecisionMediaCenter object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync - -This event indicates that a new set of DecisionMediaCenterAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd - -This event sends compatibility decision data about the BIOS to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the device blocked from upgrade due to a BIOS block? -- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for the bios. -- **HasBiosBlock** Does the device have a BIOS block? - - -### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove - -This event indicates that the DecisionSystemBios object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync - -This event indicates that a new set of DecisionSystemBiosAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.GatedRegChange - -This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date. - -The following fields are available: - -- **NewData** The data in the registry value after the scan completed. -- **OldData** The previous data in the registry value before the scan ran. -- **PCFP** An ID for the system calculated by hashing hardware identifiers. -- **RegKey** The registry key name for which a result is being sent. -- **RegValue** The registry value for which a result is being sent. -- **Time** The client time of the event. - - -### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd - -This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **AvDisplayName** If the app is an antivirus app, this is its display name. -- **AvProductState** Indicates whether the antivirus program is turned on and the signatures are up to date. -- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64. -- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. -- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. -- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata. -- **CompanyName** The company name of the vendor who developed this file. -- **FileId** A hash that uniquely identifies a file. -- **FileVersion** The File version field from the file metadata under Properties -> Details. -- **HasUpgradeExe** Indicates whether the antivirus app has an upgrade.exe file. -- **IsAv** Indicates whether the file an antivirus reporting EXE. -- **LinkDate** The date and time that this file was linked on. -- **LowerCaseLongPath** The full file path to the file that was inventoried on the device. -- **Name** The name of the file that was inventoried. -- **ProductName** The Product name field from the file metadata under Properties -> Details. -- **ProductVersion** The Product version field from the file metadata under Properties -> Details. -- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it. -- **Size** The size of the file (in hexadecimal bytes). - - -### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove - -This event indicates that the InventoryApplicationFile object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync - -This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd - -This event sends data about the number of language packs installed on the system, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **HasLanguagePack** Indicates whether this device has 2 or more language packs. -- **LanguagePackCount** The number of language packs are installed. - - -### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove - -This event indicates that the InventoryLanguagePack object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync - -This event indicates that a new set of InventoryLanguagePackAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd - -This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **EverLaunched** Has Windows Media Center ever been launched? -- **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center? -- **HasExtendedUserAccounts** Are any Windows Media Center Extender user accounts configured? -- **HasWatchedFolders** Are any folders configured for Windows Media Center to watch? -- **IsDefaultLauncher** Is Windows Media Center the default app for opening music or video files? -- **IsPaid** Is the user running a Windows Media Center edition that implies they paid for Windows Media Center? -- **IsSupported** Does the running OS support Windows Media Center? - - -### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove - -This event indicates that the InventoryMediaCenter object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync - -This event indicates that a new set of InventoryMediaCenterAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd - -This event sends basic metadata about the BIOS to determine whether it has a compatibility block. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **biosDate** The release date of the BIOS in UTC format. -- **BiosDate** The release date of the BIOS in UTC format. -- **biosName** The name field from Win32_BIOS. -- **BiosName** The name field from Win32_BIOS. -- **manufacturer** The manufacturer field from Win32_ComputerSystem. -- **Manufacturer** The manufacturer field from Win32_ComputerSystem. -- **model** The model field from Win32_ComputerSystem. -- **Model** The model field from Win32_ComputerSystem. - - -### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove - -This event indicates that the InventorySystemBios object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync - -This event indicates that a new set of InventorySystemBiosAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd - -This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **BootCritical** Is the driver package marked as boot critical? -- **Build** The build value from the driver package. -- **CatalogFile** The name of the catalog file within the driver package. -- **Class** The device class from the driver package. -- **ClassGuid** The device class unique ID from the driver package. -- **Date** The date from the driver package. -- **Inbox** Is the driver package of a driver that is included with Windows? -- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU. -- **Provider** The provider of the driver package. -- **PublishedName** The name of the INF file after it was renamed. -- **Revision** The revision of the driver package. -- **SignatureStatus** Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2. -- **VersionMajor** The major version of the driver package. -- **VersionMinor** The minor version of the driver package. - - -### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove - -This event indicates that the InventoryUplevelDriverPackage object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync - -This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.RunContext - -This event indicates what should be expected in the data payload. - -The following fields are available: - -- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built. -- **AppraiserProcess** The name of the process that launched Appraiser. -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **CensusId** A unique hardware identifier. -- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry. -- **PCFP** An ID for the system calculated by hashing hardware identifiers. -- **Subcontext** Indicates what categories of incompatibilities appraiser is scanning for. Can be N/A, Resolve, or a semicolon-delimited list that can include App, Dev, Sys, Gat, or Rescan. -- **Time** The client time of the event. - - -### Microsoft.Windows.Appraiser.General.SystemMemoryAdd - -This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the device from upgrade due to memory restrictions? -- **MemoryRequirementViolated** Was a memory requirement violated? -- **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes). -- **ram** The amount of memory on the device. -- **ramKB** The amount of memory (in KB). -- **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes). -- **virtualKB** The amount of virtual memory (in KB). - - -### Microsoft.Windows.Appraiser.General.SystemMemoryRemove - -This event that the SystemMemory object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync - -This event indicates that a new set of SystemMemoryAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd - -This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **CompareExchange128Support** Does the CPU support CompareExchange128? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove - -This event indicates that the SystemProcessorCompareExchange object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync - -This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd - -This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **LahfSahfSupport** Does the CPU support LAHF/SAHF? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove - -This event indicates that the SystemProcessorLahfSahf object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync - -This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd - -This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support. -- **NXProcessorSupport** Does the processor support NX? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove - -This event indicates that the SystemProcessorNx object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync - -This event indicates that a new set of SystemProcessorNxAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd - -This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **PrefetchWSupport** Does the processor support PrefetchW? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove - -This event indicates that the SystemProcessorPrefetchW object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync - -This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add - -This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **SSE2ProcessorSupport** Does the processor support SSE2? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove - -This event indicates that the SystemProcessorSse2 object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync - -This event indicates that a new set of SystemProcessorSse2Add events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemTouchAdd - -This event sends data indicating whether the system supports touch, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer? -- **MaximumTouches** The maximum number of touch points supported by the device hardware. - - -### Microsoft.Windows.Appraiser.General.SystemTouchRemove - -This event indicates that the SystemTouch object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemTouchStartSync - -This event indicates that a new set of SystemTouchAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWimAdd - -This event sends data indicating whether the operating system is running from a compressed Windows Imaging Format (WIM) file, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **IsWimBoot** Is the current operating system running from a compressed WIM file? -- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM. - - -### Microsoft.Windows.Appraiser.General.SystemWimRemove - -This event indicates that the SystemWim object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWimStartSync - -This event indicates that a new set of SystemWimAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd - -This event sends data indicating whether the current operating system is activated, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated. -- **WindowsNotActivatedDecision** Is the current operating system activated? - - -### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove - -This event indicates that the SystemWindowsActivationStatus object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync - -This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWlanAdd - -This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked because of an emulated WLAN driver? -- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block? -- **WlanEmulatedDriver** Does the device have an emulated WLAN driver? -- **WlanExists** Does the device support WLAN at all? -- **WlanModulePresent** Are any WLAN modules present? -- **WlanNativeDriver** Does the device have a non-emulated WLAN driver? - - -### Microsoft.Windows.Appraiser.General.SystemWlanRemove - -This event indicates that the SystemWlan object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWlanStartSync - -This event indicates that a new set of SystemWlanAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.TelemetryRunHealth - -This event indicates the parameters and result of a telemetry (diagnostic) run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date. - -The following fields are available: - -- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built. -- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run. -- **AppraiserProcess** The name of the process that launched Appraiser. -- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots. -- **AuxFinal** Obsolete, always set to false. -- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app. -- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan. -- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. -- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent. -- **InboxDataVersion** The original version of the data files before retrieving any newer version. -- **IndicatorsWritten** Indicates if all relevant UEX indicators were successfully written or updated. -- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent. -- **PCFP** An ID for the system calculated by hashing hardware identifiers. -- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. -- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. -- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. -- **RunDate** The date that the telemetry run was stated, expressed as a filetime. -- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic. -- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. -- **RunResult** The hresult of the Appraiser telemetry run. -- **ScheduledUploadDay** The day scheduled for the upload. -- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run. -- **StoreHandleIsNotNull** Obsolete, always set to false -- **TelementrySent** Indicates if telemetry was successfully sent. -- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability. -- **Time** The client time of the event. -- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging. -- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated. - - -### Microsoft.Windows.Appraiser.General.WmdrmAdd - -This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **BlockingApplication** Same as NeedsDismissAction. -- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation. -- **WmdrmApiResult** Raw value of the API used to gather DRM state. -- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs. -- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased. -- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed. -- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses. -- **WmdrmPurchased** Indicates if the system has any files with permanent licenses. - - -### Microsoft.Windows.Appraiser.General.WmdrmRemove - -This event indicates that the Wmdrm object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.WmdrmStartSync - -This event indicates that a new set of WmdrmAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -## Census events - -### Census.App - -Provides information on IE and Census versions running on the device - -The following fields are available: - -- **AppraiserEnterpriseErrorCode** The error code of the last Appraiser enterprise run. -- **AppraiserErrorCode** The error code of the last Appraiser run. -- **AppraiserRunEndTimeStamp** The end time of the last Appraiser run. -- **AppraiserRunIsInProgressOrCrashed** Flag that indicates if the Appraiser run is in progress or has crashed. -- **AppraiserRunStartTimeStamp** The start time of the last Appraiser run. -- **AppraiserTaskEnabled** Whether the Appraiser task is enabled. -- **AppraiserTaskExitCode** The Appraiser task exist code. -- **AppraiserTaskLastRun** The last runtime for the Appraiser task. -- **CensusVersion** The version of Census that generated the current data for this device. -- **IEVersion** The version of Internet Explorer that is running on the device. - - -### Census.Battery - -This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date. - -The following fields are available: - -- **InternalBatteryCapablities** Represents information about what the battery is capable of doing. -- **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity  to estimate the battery's wear. -- **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh. -- **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance. -- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value. - - -### Census.Camera - -This event sends data about the resolution of cameras on the device, to help keep Windows up to date. - -The following fields are available: - -- **FrontFacingCameraResolution** Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0. -- **RearFacingCameraResolution** Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0. - - -### Census.Enterprise - -This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment. - -The following fields are available: - -- **AADDeviceId** Azure Active Directory device ID. -- **AzureOSIDPresent** Represents the field used to identify an Azure machine. -- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs. -- **CDJType** Represents the type of cloud domain joined for the machine. -- **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers. -- **ContainerType** The type of container, such as process or virtual machine hosted. -- **EnrollmentType** Defines the type of MDM enrollment on the device. -- **HashedDomain** The hashed representation of the user domain used for login. -- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false -- **IsDERequirementMet** Represents if the device can do device encryption. -- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption -- **IsDomainJoined** Indicates whether a machine is joined to a domain. -- **IsEDPEnabled** Represents if Enterprise data protected on the device. -- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. -- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID -- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment. -- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. -- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier - - -### Census.Firmware - -This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date. - -The following fields are available: - -- **FirmwareManufacturer** Represents the manufacturer of the device's firmware (BIOS). -- **FirmwareReleaseDate** Represents the date the current firmware was released. -- **FirmwareType** Represents the firmware type. The various types can be unknown, BIOS, UEFI. -- **FirmwareVersion** Represents the version of the current firmware. - - -### Census.Flighting - -This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up to date. - -The following fields are available: - -- **DeviceSampleRate** The telemetry sample rate assigned to the device. -- **EnablePreviewBuilds** Used to enable Windows Insider builds on a device. -- **FlightIds** A list of the different Windows Insider builds on this device. -- **FlightingBranchName** The name of the Windows Insider branch currently used by the device. -- **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program. -- **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device. -- **SSRK** Retrieves the mobile targeting settings. - - -### Census.Hardware - -This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up to date. - -The following fields are available: - -- **ActiveMicCount** The number of active microphones attached to the device. -- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36. -- **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields. -- **D3DMaxFeatureLevel** Supported Direct3D version. -- **DeviceColor** Indicates a color of the device. -- **DeviceForm** Indicates the form as per the device classification. -- **DeviceName** The device name that is set by the user. -- **DigitizerSupport** Is a digitizer supported? -- **DUID** The device unique ID. -- **Gyroscope** Indicates whether the device has a gyroscope (a mechanical component that measures and maintains orientation). -- **InventoryId** The device ID used for compatibility testing. -- **Magnetometer** Indicates whether the device has a magnetometer (a mechanical component that works like a compass). -- **NFCProximity** Indicates whether the device supports NFC (a set of communication protocols that helps establish communication when applicable devices are brought close together.) -- **OEMDigitalMarkerFileName** The name of the file placed in the \Windows\system32\drivers directory that specifies the OEM and model name of the device. -- **OEMManufacturerName** The device manufacturer name. The OEMName for an inactive device is not reprocessed even if the clean OEM name is changed at a later date. -- **OEMModelBaseBoard** The baseboard model used by the OEM. -- **OEMModelBaseBoardVersion** Differentiates between developer and retail devices. -- **OEMModelName** The device model name. -- **OEMModelNumber** The device model number. -- **OEMModelSKU** The device edition that is defined by the manufacturer. -- **OEMModelSystemFamily** The system family set on the device by an OEM. -- **OEMModelSystemVersion** The system model version set on the device by the OEM. -- **OEMOptionalIdentifier** A Microsoft assigned value that represents a specific OEM subsidiary. -- **OEMSerialNumber** The serial number of the device that is set by the manufacturer. -- **PhoneManufacturer** The friendly name of the phone manufacturer. -- **PowerPlatformRole** The OEM preferred power management profile. It's used to help to identify the basic form factor of the device. -- **SoCName** The firmware manufacturer of the device. -- **StudyID** Used to identify retail and non-retail device. -- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced. -- **TelemetryLevelLimitEnhanced** The telemetry level for Windows Analytics-based solutions. -- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user. -- **TPMManufacturerId** The ID of the TPM manufacturer. -- **TPMManufacturerVersion** The version of the TPM manufacturer. -- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0. -- **VoiceSupported** Does the device have a cellular radio capable of making voice calls? - - -### Census.Memory - -This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to date. - -The following fields are available: - -- **TotalPhysicalRAM** Represents the physical memory (in MB). -- **TotalVisibleMemory** Represents the memory that is not reserved by the system. - - -### Census.Network - -This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors), to help keep Windows up to date. - -The following fields are available: - -- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. -- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. -- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MEID** Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. -- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MobileOperatorBilling** Represents the telephone company that provides services for mobile phone users. -- **MobileOperatorCommercialized** Represents which reseller and geography the phone is commercialized for. This is the set of values on the phone for who and where it was intended to be used. For example, the commercialized mobile operator code AT&T in the US would be ATT-US. -- **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. -- **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. -- **NetworkAdapterGUID** The GUID of the primary network adapter. -- **NetworkCost** Represents the network cost associated with a connection. -- **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. -- **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. - - -### Census.OS - -This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date. - -The following fields are available: - -- **ActivationChannel** Retrieves the retail license key or Volume license key for a machine. -- **AssignedAccessStatus** Kiosk configuration mode. -- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled. -- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy. -- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time -- **GenuineState** Retrieves the ID Value specifying the OS Genuine check. -- **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update). -- **InstallLanguage** The first language installed on the user machine. -- **IsDeviceRetailDemo** Retrieves if the device is running in demo mode. -- **IsEduData** Returns Boolean if the education data policy is enabled. -- **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go -- **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI. -- **LanguagePacks** The list of language packages installed on the device. -- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store. -- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. -- **OSEdition** Retrieves the version of the current OS. -- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc -- **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). -- **OSSKU** Retrieves the Friendly Name of OS Edition. -- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. -- **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines. -- **OSTimeZoneBiasInMins** Retrieves the time zone set on machine. -- **OSUILocale** Retrieves the locale of the UI that is currently used by the OS. -- **ProductActivationResult** Returns Boolean if the OS Activation was successful. -- **ProductActivationTime** Returns the OS Activation time for tracking piracy issues. -- **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key. -- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability. -- **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. -- **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. -- **ServiceProductKeyID** Retrieves the License key of the KMS -- **SharedPCMode** Returns Boolean for education devices used as shared cart -- **Signature** Retrieves if it is a signature machine sold by Microsoft store. -- **SLICStatus** Whether a SLIC table exists on the device. -- **SLICVersion** Returns OS type/version from SLIC table. - - -### Census.PrivacySettings - -This event provides information about the device level privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represent the authority that set the value. The effective consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. - -The following fields are available: - -- **Activity** Current state of the activity history setting. -- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. -- **ActivityHistoryCollection** Current state of the activity history collection setting. -- **AdvertisingId** Current state of the advertising ID setting. -- **AppDiagnostics** Current state of the app diagnostics setting. -- **Appointments** Current state of the calendar setting. -- **Bluetooth** Current state of the Bluetooth capability setting. -- **BluetoothSync** Current state of the Bluetooth sync capability setting. -- **BroadFileSystemAccess** Current state of the broad file system access setting. -- **CellularData** Current state of the cellular data capability setting. -- **Chat** Current state of the chat setting. -- **Contacts** Current state of the contacts setting. -- **DocumentsLibrary** Current state of the documents library setting. -- **Email** Current state of the email setting. -- **FindMyDevice** Current state of the "find my device" setting. -- **GazeInput** Current state of the gaze input setting. -- **HumanInterfaceDevice** Current state of the human interface device setting. -- **InkTypeImprovement** Current state of the improve inking and typing setting. -- **Location** Current state of the location setting. -- **LocationHistory** Current state of the location history setting. -- **LocationHistoryCloudSync** Current state of the location history cloud sync setting. -- **LocationHistoryOnTimeline** Current state of the location history on timeline setting. -- **Microphone** Current state of the microphone setting. -- **PhoneCall** Current state of the phone call setting. -- **PhoneCallHistory** Current state of the call history setting. -- **PicturesLibrary** Current state of the pictures library setting. -- **Radios** Current state of the radios setting. -- **SensorsCustom** Current state of the custom sensor setting. -- **SerialCommunication** Current state of the serial communication setting. -- **Sms** Current state of the text messaging setting. -- **SpeechPersonalization** Current state of the speech services setting. -- **USB** Current state of the USB setting. -- **UserAccountInformation** Current state of the account information setting. -- **UserDataTasks** Current state of the tasks setting. -- **UserNotificationListener** Current state of the notifications setting. -- **VideosLibrary** Current state of the videos library setting. -- **Webcam** Current state of the camera setting. -- **WiFiDirect** Current state of the Wi-Fi direct setting. - - -### Census.Processor - -Provides information on several important data points about Processor settings - -The following fields are available: - -- **KvaShadow** This is the micro code information of the processor. -- **MMSettingOverride** Microcode setting of the processor. -- **MMSettingOverrideMask** Microcode setting override of the processor. -- **PreviousUpdateRevision** Previous microcode revision -- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. -- **ProcessorClockSpeed** Clock speed of the processor in MHz. -- **ProcessorCores** Number of logical cores in the processor. -- **ProcessorIdentifier** Processor Identifier of a manufacturer. -- **ProcessorManufacturer** Name of the processor manufacturer. -- **ProcessorModel** Name of the processor model. -- **ProcessorPhysicalCores** Number of physical cores in the processor. -- **ProcessorUpdateRevision** The microcode revision. -- **ProcessorUpdateStatus** Enum value that represents the processor microcode load status -- **SocketCount** Count of CPU sockets. -- **SpeculationControl** Indicates whether the system has enabled protections needed to validate the speculation control vulnerability. - - -### Census.Security - -This event provides information on about security settings used to help keep Windows up to date and secure. - -The following fields are available: - -- **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard. -- **CGRunning** Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. This field tells if Credential Guard is running. -- **DGState** This field summarizes the Device Guard state. -- **HVCIRunning** Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all software running in kernel mode to safely allocate memory. This field tells if HVCI is running. -- **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest. -- **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host. -- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security. -- **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting. -- **SModeState** The Windows S mode trail state. -- **VBSState** Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled, Enabled, or Running. - - -### Census.Speech - -This event is used to gather basic speech settings on the device. - -The following fields are available: - -- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked. -- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities. -- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user. -- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. -- **KeyVer** Version information for the census speech event. -- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS). -- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. -- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities. -- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice. -- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device. -- **SpeechServicesValueSource** Indicates the deciding factor for the effective online speech recognition privacy policy settings: remote admin, local admin, or user preference. - - -### Census.Storage - -This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date. - -The following fields are available: - -- **PrimaryDiskTotalCapacity** Retrieves the amount of disk space on the primary disk of the device in MB. -- **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any). -- **StorageReservePassedPolicy** Indicates whether the Storage Reserve policy, which ensures that updates have enough disk space and customers are on the latest OS, is enabled on this device. -- **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB. - - -### Census.Userdefault - -This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date. - -The following fields are available: - -- **CalendarType** The calendar identifiers that are used to specify different calendars. -- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. -- **DefaultBrowserProgId** The ProgramId of the current user's default browser. -- **LongDateFormat** The long date format the user has selected. -- **ShortDateFormat** The short date format the user has selected. - - -### Census.UserDisplay - -This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date. - -The following fields are available: - -- **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display. -- **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display. -- **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display. -- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display. -- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display. -- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display. -- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches . -- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches -- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine -- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine. -- **VRAMDedicated** Retrieves the video RAM in MB. -- **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card. -- **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use. - - -### Census.UserNLS - -This event sends data about the default app language, input, and display language preferences set by the user, to help keep Windows up to date. - -The following fields are available: - -- **DefaultAppLanguage** The current user Default App Language. -- **DisplayLanguage** The current user preferred Windows Display Language. -- **HomeLocation** The current user location, which is populated using GetUserGeoId() function. -- **KeyboardInputLanguages** The Keyboard input languages installed on the device. -- **SpeechInputLanguages** The Speech Input languages installed on the device. - - -### Census.UserPrivacySettings - -This event provides information about the current users privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represents the authority that set the value. The effective consent is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = user, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. - -The following fields are available: - -- **Activity** Current state of the activity history setting. -- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. -- **ActivityHistoryCollection** Current state of the activity history collection setting. -- **AdvertisingId** Current state of the advertising ID setting. -- **AppDiagnostics** Current state of the app diagnostics setting. -- **Appointments** Current state of the calendar setting. -- **Bluetooth** Current state of the Bluetooth capability setting. -- **BluetoothSync** Current state of the Bluetooth sync capability setting. -- **BroadFileSystemAccess** Current state of the broad file system access setting. -- **CellularData** Current state of the cellular data capability setting. -- **Chat** Current state of the chat setting. -- **Contacts** Current state of the contacts setting. -- **DocumentsLibrary** Current state of the documents library setting. -- **Email** Current state of the email setting. -- **GazeInput** Current state of the gaze input setting. -- **HumanInterfaceDevice** Current state of the human interface device setting. -- **InkTypeImprovement** Current state of the improve inking and typing setting. -- **InkTypePersonalization** Current state of the inking and typing personalization setting. -- **Location** Current state of the location setting. -- **LocationHistory** Current state of the location history setting. -- **LocationHistoryCloudSync** Current state of the location history cloud synchronization setting. -- **LocationHistoryOnTimeline** Current state of the location history on timeline setting. -- **Microphone** Current state of the microphone setting. -- **PhoneCall** Current state of the phone call setting. -- **PhoneCallHistory** Current state of the call history setting. -- **PicturesLibrary** Current state of the pictures library setting. -- **Radios** Current state of the radios setting. -- **SensorsCustom** Current state of the custom sensor setting. -- **SerialCommunication** Current state of the serial communication setting. -- **Sms** Current state of the text messaging setting. -- **SpeechPersonalization** Current state of the speech services setting. -- **USB** Current state of the USB setting. -- **UserAccountInformation** Current state of the account information setting. -- **UserDataTasks** Current state of the tasks setting. -- **UserNotificationListener** Current state of the notifications setting. -- **VideosLibrary** Current state of the videos library setting. -- **Webcam** Current state of the camera setting. -- **WiFiDirect** Current state of the Wi-Fi direct setting. - - -### Census.VM - -This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date. - -The following fields are available: - -- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within. -- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor. -- **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present. -- **IsVDI** Is the device using Virtual Desktop Infrastructure? -- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors. -- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware. -- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware. - - -### Census.WU - -This event sends data about the Windows update server and other App store policies, to help keep Windows up to date. - -The following fields are available: - -- **AppraiserGatedStatus** Indicates whether a device has been gated for upgrading. -- **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled). -- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured -- **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting -- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades. -- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it? -- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update? -- **OSAssessmentForQualityUpdate** Is the device on the latest quality update? -- **OSAssessmentForSecurityUpdate** Is the device on the latest security update? -- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it? -- **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment. -- **OSRollbackCount** The number of times feature updates have rolled back on the device. -- **OSRolledBack** A flag that represents when a feature update has rolled back during setup. -- **OSUninstalled** A flag that represents when a feature update is uninstalled on a device . -- **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device. -- **OSWUAutoUpdateOptionsSource** The source of auto update setting that appears in the OSWUAutoUpdateOptions field. For example: Group Policy (GP), Mobile Device Management (MDM), and Default. -- **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently. -- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). -- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. -- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. -- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. -- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. -- **WUPauseState** Retrieves WU setting to determine if updates are paused. -- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). - - -### Census.Xbox - -This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date. - -The following fields are available: - -- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console. -- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console. -- **XboxLiveDeviceId** Retrieves the unique device ID of the console. -- **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft. - - -## Common data extensions - -### Common Data Extensions.app - -Describes the properties of the running application. This extension could be populated by a client app or a web app. - -The following fields are available: - -- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session. -- **env** The environment from which the event was logged. -- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event. -- **id** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application. -- **locale** The locale of the app. -- **name** The name of the app. -- **userId** The userID as known by the application. -- **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app. - - -### Common Data Extensions.container - -Describes the properties of the container for events logged within a container. - -The following fields are available: - -- **epoch** An ID that's incremented for each SDK initialization. -- **localId** The device ID as known by the client. -- **osVer** The operating system version. -- **seq** An ID that's incremented for each event. -- **type** The container type. Examples: Process or VMHost - - -### Common Data Extensions.cs - -Describes properties related to the schema of the event. - -The following fields are available: - -- **sig** A common schema signature that identifies new and modified event schemas. - - -### Common Data Extensions.device - -Describes the device-related fields. - -The following fields are available: - -- **deviceClass** The device classification. For example, Desktop, Server, or Mobile. -- **localId** A locally-defined unique ID for the device. This is not the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId -- **make** Device manufacturer. -- **model** Device model. - - -### Common Data Extensions.Envelope - -Represents an envelope that contains all of the common data extensions. - -The following fields are available: - -- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries. -- **data** Represents the optional unique diagnostic data for a particular event schema. -- **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp). -- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer). -- **ext_cs** Describes properties related to the schema of the event. See [Common Data Extensions.cs](#common-data-extensionscs). -- **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice). -- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos). -- **ext_receipts** Describes the fields related to time as provided by the client for debugging purposes. See [Common Data Extensions.receipts](#common-data-extensionsreceipts). -- **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk). -- **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser). -- **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc). -- **ext_xbl** Describes the fields related to XBOX Live. See [Common Data Extensions.xbl](#common-data-extensionsxbl). -- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency. -- **iKey** Represents an ID for applications or other logical groupings of events. -- **name** Represents the uniquely qualified name for the event. -- **popSample** Represents the effective sample rate for this event at the time it was generated by a client. -- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format. -- **ver** Represents the major and minor version of the extension. - - -### Common Data Extensions.os - -Describes some properties of the operating system. - -The following fields are available: - -- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot. -- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema. -- **locale** Represents the locale of the operating system. -- **name** Represents the operating system name. -- **ver** Represents the major and minor version of the extension. - - -### Common Data Extensions.receipts - -Represents various time information as provided by the client and helps for debugging purposes. - -The following fields are available: - -- **originalTime** The original event time. -- **uploadTime** The time the event was uploaded. - - -### Common Data Extensions.sdk - -Used by platform specific libraries to record fields that are required for a specific SDK. - -The following fields are available: - -- **epoch** An ID that is incremented for each SDK initialization. -- **installId** An ID that's created during the initialization of the SDK for the first time. -- **libVer** The SDK version. -- **seq** An ID that is incremented for each event. - - -### Common Data Extensions.user - -Describes the fields related to a user. - -The following fields are available: - -- **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token. -- **locale** The language and region. -- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID. - - -### Common Data Extensions.utc - -Describes the properties that could be populated by a logging library on Windows. - -The following fields are available: - -- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW. -- **bSeq** Upload buffer sequence number in the format: buffer identifier:sequence number -- **cat** Represents a bitmask of the ETW Keywords associated with the event. -- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer. -- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server. -- **flags** Represents the bitmap that captures various Windows specific flags. -- **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence -- **op** Represents the ETW Op Code. -- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. -- **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server. -- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. - - -### Common Data Extensions.xbl - -Describes the fields that are related to XBOX Live. - -The following fields are available: - -- **claims** Any additional claims whose short claim name hasn't been added to this structure. -- **did** XBOX device ID -- **dty** XBOX device type -- **dvr** The version of the operating system on the device. -- **eid** A unique ID that represents the developer entity. -- **exp** Expiration time -- **ip** The IP address of the client device. -- **nbf** Not before time -- **pid** A comma separated list of PUIDs listed as base10 numbers. -- **sbx** XBOX sandbox identifier -- **sid** The service instance ID. -- **sty** The service type. -- **tid** The XBOX Live title ID. -- **tvr** The XBOX Live title version. -- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. -- **xid** A list of base10-encoded XBOX User IDs. - - -## Common data fields - -### Ms.Device.DeviceInventoryChange - -Describes the installation state for all hardware and software components available on a particular device. - -The following fields are available: - -- **action** The change that was invoked on a device inventory object. -- **inventoryId** Device ID used for Compatibility testing -- **objectInstanceId** Object identity which is unique within the device scope. -- **objectType** Indicates the object type that the event applies to. -- **objectType(objectInstanceId** No content is currently available. -- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. - - -## Compatibility events - -### Microsoft.Windows.Compatibility.Apphelp.SdbFix - -Product instrumentation for helping debug/troubleshoot issues with inbox compatibility components. - -The following fields are available: - -- **AppName** Name of the application impacted by SDB. -- **FixID** SDB GUID. -- **Flags** List of flags applied. -- **ImageName** Name of file. - - -## Component-based servicing events - -### CbsServicingProvider.CbsCapabilityEnumeration - -This event reports on the results of scanning for optional Windows content on Windows Update. - -The following fields are available: - -- **architecture** Indicates the scan was limited to the specified architecture. -- **capabilityCount** The number of optional content packages found during the scan. -- **clientId** The name of the application requesting the optional content. -- **duration** The amount of time it took to complete the scan. -- **hrStatus** The HReturn code of the scan. -- **language** Indicates the scan was limited to the specified language. -- **majorVersion** Indicates the scan was limited to the specified major version. -- **minorVersion** Indicates the scan was limited to the specified minor version. -- **namespace** Indicates the scan was limited to packages in the specified namespace. -- **sourceFilter** A bitmask indicating the scan checked for locally available optional content. -- **stackBuild** The build number of the servicing stack. -- **stackMajorVersion** The major version number of the servicing stack. -- **stackMinorVersion** The minor version number of the servicing stack. -- **stackRevision** The revision number of the servicing stack. - - -### CbsServicingProvider.CbsCapabilitySessionFinalize - -This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. - -The following fields are available: - -- **capabilities** The names of the optional content packages that were installed. -- **clientId** The name of the application requesting the optional content. -- **currentID** The ID of the current install session. -- **downloadSource** The source of the download. -- **highestState** The highest final install state of the optional content. -- **hrLCUReservicingStatus** Indicates whether the optional content was updated to the latest available version. -- **hrStatus** The HReturn code of the install operation. -- **rebootCount** The number of reboots required to complete the install. -- **retryID** The session ID that will be used to retry a failed operation. -- **retryStatus** Indicates whether the install will be retried in the event of failure. -- **stackBuild** The build number of the servicing stack. -- **stackMajorVersion** The major version number of the servicing stack. -- **stackMinorVersion** The minor version number of the servicing stack. -- **stackRevision** The revision number of the servicing stack. - - -### CbsServicingProvider.CbsCapabilitySessionPended - -This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date. - -The following fields are available: - -- **clientId** The name of the application requesting the optional content. -- **pendingDecision** Indicates the cause of reboot, if applicable. - - -### CbsServicingProvider.CbsLateAcquisition - -This event sends data to indicate if some Operating System packages could not be updated as part of an upgrade, to help keep Windows up to date. - -The following fields are available: - -- **Features** The list of feature packages that could not be updated. -- **RetryID** The ID identifying the retry attempt to update the listed packages. - - -### CbsServicingProvider.CbsPackageRemoval - -This event provides information about the results of uninstalling a Windows Cumulative Security Update to help keep Windows up to date. - -The following fields are available: - -- **buildVersion** The build number of the security update being uninstalled. -- **clientId** The name of the application requesting the uninstall. -- **currentStateEnd** The final state of the update after the operation. -- **failureDetails** Information about the cause of a failure, if applicable. -- **failureSourceEnd** The stage during the uninstall where the failure occurred. -- **hrStatusEnd** The overall exit code of the operation. -- **initiatedOffline** Indicates if the uninstall was initiated for a mounted Windows image. -- **majorVersion** The major version number of the security update being uninstalled. -- **minorVersion** The minor version number of the security update being uninstalled. -- **originalState** The starting state of the update before the operation. -- **pendingDecision** Indicates the cause of reboot, if applicable. -- **primitiveExecutionContext** The state during system startup when the uninstall was completed. -- **revisionVersion** The revision number of the security update being uninstalled. -- **transactionCanceled** Indicates whether the uninstall was cancelled. - - -### CbsServicingProvider.CbsQualityUpdateInstall - -This event reports on the performance and reliability results of installing Servicing content from Windows Update to keep Windows up to date. - -The following fields are available: - -- **buildVersion** The build version number of the update package. -- **clientId** The name of the application requesting the optional content. -- **corruptionHistoryFlags** A bitmask of the types of component store corruption that have caused update failures on the device. -- **corruptionType** An enumeration listing the type of data corruption responsible for the current update failure. -- **currentStateEnd** The final state of the package after the operation has completed. -- **doqTimeSeconds** The time in seconds spent updating drivers. -- **executeTimeSeconds** The number of seconds required to execute the install. -- **failureDetails** The driver or installer that caused the update to fail. -- **failureSourceEnd** An enumeration indicating at what phase of the update a failure occurred. -- **hrStatusEnd** The return code of the install operation. -- **initiatedOffline** A true or false value indicating whether the package was installed into an offline Windows Imaging Format (WIM) file. -- **majorVersion** The major version number of the update package. -- **minorVersion** The minor version number of the update package. -- **originalState** The starting state of the package. -- **overallTimeSeconds** The time (in seconds) to perform the overall servicing operation. -- **planTimeSeconds** The time in seconds required to plan the update operations. -- **poqTimeSeconds** The time in seconds processing file and registry operations. -- **postRebootTimeSeconds** The time (in seconds) to do startup processing for the update. -- **preRebootTimeSeconds** The time (in seconds) between execution of the installation and the reboot. -- **primitiveExecutionContext** An enumeration indicating at what phase of shutdown or startup the update was installed. -- **rebootCount** The number of reboots required to install the update. -- **rebootTimeSeconds** The time (in seconds) before startup processing begins for the update. -- **resolveTimeSeconds** The time in seconds required to resolve the packages that are part of the update. -- **revisionVersion** The revision version number of the update package. -- **rptTimeSeconds** The time in seconds spent executing installer plugins. -- **shutdownTimeSeconds** The time (in seconds) required to do shutdown processing for the update. -- **stackRevision** The revision number of the servicing stack. -- **stageTimeSeconds** The time (in seconds) required to stage all files that are part of the update. - - -### CbsServicingProvider.CbsSelectableUpdateChangeV2 - -This event reports the results of enabling or disabling optional Windows Content to keep Windows up to date. - -The following fields are available: - -- **applicableUpdateState** Indicates the highest applicable state of the optional content. -- **buildVersion** The build version of the package being installed. -- **clientId** The name of the application requesting the optional content change. -- **downloadSource** Indicates if optional content was obtained from Windows Update or a locally accessible file. -- **downloadtimeInSeconds** The number of seconds required to complete the optional content download. -- **executionID** A unique ID used to identify events associated with a single servicing operation and not reused for future operations. -- **executionSequence** A counter that tracks the number of servicing operations attempted on the device. -- **firstMergedExecutionSequence** The value of a pervious executionSequence counter that is being merged with the current operation, if applicable. -- **firstMergedID** A unique ID of a pervious servicing operation that is being merged with this operation, if applicable. -- **hrDownloadResult** The return code of the download operation. -- **hrStatusUpdate** The return code of the servicing operation. -- **identityHash** A pseudonymized (hashed) identifier for the Windows Package that is being installed or uninstalled. -- **initiatedOffline** Indicates whether the operation was performed against an offline Windows image file or a running instance of Windows. -- **majorVersion** The major version of the package being installed. -- **minorVersion** The minor version of the package being installed. -- **packageArchitecture** The architecture of the package being installed. -- **packageLanguage** The language of the package being installed. -- **packageName** The name of the package being installed. -- **rebootRequired** Indicates whether a reboot is required to complete the operation. -- **revisionVersion** The revision number of the package being installed. -- **stackBuild** The build number of the servicing stack binary performing the installation. -- **stackMajorVersion** The major version number of the servicing stack binary performing the installation. -- **stackMinorVersion** The minor version number of the servicing stack binary performing the installation. -- **stackRevision** The revision number of the servicing stack binary performing the installation. -- **updateName** The name of the optional Windows Operation System feature being enabled or disabled. -- **updateStartState** A value indicating the state of the optional content before the operation started. -- **updateTargetState** A value indicating the desired state of the optional content. - - -## Deployment extensions - -### DeploymentTelemetry.Deployment_End - -This event indicates that a Deployment 360 API has completed. - -The following fields are available: - -- **ClientId** Client ID of the user utilizing the D360 API. -- **ErrorCode** Error code of action. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **Mode** Phase in upgrade. -- **RelatedCV** The correction vector (CV) of any other related events -- **Result** End result of the action. - - -### DeploymentTelemetry.Deployment_SetupBoxLaunch - -This event indicates that the Deployment 360 APIs have launched Setup Box. - -The following fields are available: - -- **ClientId** The client ID of the user utilizing the D360 API. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **Quiet** Whether Setup will run in quiet mode or full mode. -- **RelatedCV** The correlation vector (CV) of any other related events. -- **SetupMode** The current setup phase. - - -### DeploymentTelemetry.Deployment_SetupBoxResult - -This event indicates that the Deployment 360 APIs have received a return from Setup Box. - -The following fields are available: - -- **ClientId** Client ID of the user utilizing the D360 API. -- **ErrorCode** Error code of the action. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **Quiet** Indicates whether Setup will run in quiet mode or full mode. -- **RelatedCV** The correlation vector (CV) of any other related events. -- **SetupMode** The current Setup phase. - - -### DeploymentTelemetry.Deployment_Start - -This event indicates that a Deployment 360 API has been called. - -The following fields are available: - -- **ClientId** Client ID of the user utilizing the D360 API. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **Mode** The current phase of the upgrade. -- **RelatedCV** The correlation vector (CV) of any other related events. - - -## Diagnostic data events - -### TelClientSynthetic.AuthorizationInfo_RuntimeTransition - -This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. - -The following fields are available: - -- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. -- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. -- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. -- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. -- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. -- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. -- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. -- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. -- **CanReportScenarios** True if we can report scenario completions, false otherwise. -- **PreviousPermissions** Bitmask of previous telemetry state. -- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. - - -### TelClientSynthetic.AuthorizationInfo_Startup - -Fired by UTC at startup to signal what data we are allowed to collect. - -The following fields are available: - -- **CanAddMsaToMsTelemetby** No content is currently available. -- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. -- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. -- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. -- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. -- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. -- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. -- **CanCollectWintowsAnalyticsEvents** No content is currently available. -- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. -- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. -- **CanReportScenarios** True if we can report scenario completions, false otherwise. -- **PreviousPermissions** Bitmask of previous telemetry state. -- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. - - -### TelClientSynthetic.ConnectivityHeartBeat_0 - -This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. - -The following fields are available: - -- **CensusExitCode** Returns last execution codes from census client run. -- **CensusStartTime** Returns timestamp corresponding to last successful census run. -- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. -- **LastConnectivityLossTime** Retrieves the last time the device lost free network. -- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. -- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. -- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds. - - -### TelClientSynthetic.HeartBeat_5 - -This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. - -The following fields are available: - -- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel. -- **CensusExitCode** The last exit code of the Census task. -- **CensusStartTime** Time of last Census run. -- **CensusTaskEnabled** True if Census is enabled, false otherwise. -- **CompressedBytesUploaded** Number of compressed bytes uploaded. -- **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. -- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. -- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling. -- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB. -- **DbCriticalDroppedCount** Total number of dropped critical events in event DB. -- **DbDroppedCount** Number of events dropped due to DB fullness. -- **DbDroppedFailureCount** Number of events dropped due to DB failures. -- **DbDroppedFullCount** Number of events dropped due to DB fullness. -- **DecodingDroppedCount** Number of events dropped due to decoding failures. -- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. -- **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. -- **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. -- **EventsPersistedCount** Number of events that reached the PersistEvent stage. -- **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC. -- **EventStoreResetCounter** Number of times event DB was reset. -- **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance. -- **EventSubStoreResetCounter** Number of times event DB was reset. -- **EventSubStoreResetSizeSum** Total size of event DB across all resets reports in this instance. -- **EventsUploaded** Number of events uploaded. -- **Flags** Flags indicating device state such as network state, battery state, and opt-in state. -- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. -- **HeartBeatSequenceNumber** The sequence number of this heartbeat. -- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. -- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. -- **LastEventSizeOffender** Event name of last event which exceeded max event size. -- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. -- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. -- **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. -- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). -- **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. -- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. -- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. -- **SettingsHttpFailures** The number of failures from contacting the OneSettings service. -- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. -- **TopUploaderErrors** List of top errors received from the upload endpoint. -- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. -- **UploaderErrorCount** Number of errors received from the upload endpoint. -- **VortexFailuresTimeout** The number of timeout failures received from Vortex. -- **VortexHttpAttempts** Number of attempts to contact Vortex. -- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. -- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. -- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. -- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. - - -### TelClientSynthetic.HeartBeat_Aria_5 - -This event is the telemetry client ARIA heartbeat. - -The following fields are available: - -- **CompressedBytesUploaded** Number of compressed bytes uploaded. -- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. -- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. -- **DbCriticalDroppedCount** Total number of dropped critical events in event database. -- **DbDroppedCount** Number of events dropped at the database layer. -- **DbDroppedFailureCount** Number of events dropped due to database failures. -- **DbDroppedFullCount** Number of events dropped due to database being full. -- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. -- **EventsPersistedCount** Number of events that reached the PersistEvent stage. -- **EventStoreLifetimeResetCounter** Number of times the event store has been reset. -- **EventStoreResetCounter** Number of times the event store has been reset during this heartbeat. -- **EventStoreResetSizeSum** Size of event store reset in bytes. -- **EventsUploaded** Number of events uploaded. -- **HeartBeatSequenceNumber** The sequence number of this heartbeat. -- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. -- **LastEventSizeOffender** Event name of last event which exceeded max event size. -- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. -- **PreviousHeartBeatTime** The FILETIME of the previous heartbeat fire. -- **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. -- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. -- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. -- **SettingsHttpFailures** Number of failures from contacting OneSettings service. -- **TopUploaderErrors** List of top errors received from the upload endpoint. -- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. -- **UploaderErrorCount** Number of errors received from the upload endpoint. -- **VortexFailuresTimeout** Number of time out failures received from Vortex. -- **VortexHttpAttempts** Number of attempts to contact Vortex. -- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. -- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. -- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. -- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. - - -### TelClientSynthetic.HeartBeat_Seville_5 - -This event is sent by the universal telemetry client (UTC) as a heartbeat signal for Sense. - -The following fields are available: - -- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host or agent channel. -- **CompressedBytesUploaded** Number of compressed bytes uploaded. -- **ConsumerDroppedCount** Number of events dropped at consumer layer of the telemetry client. -- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. -- **CriticalDataThrottleDroppedCount** Number of critical data sampled events dropped due to throttling. -- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. -- **DailyUploadQuotaInBytes** Daily upload quota for Sense in bytes (only in in-proc mode). -- **DbCriticalDroppedCount** Total number of dropped critical events in event database. -- **DbDroppedCount** Number of events dropped due to database being full. -- **DbDroppedFailureCount** Number of events dropped due to database failures. -- **DbDroppedFullCount** Number of events dropped due to database being full. -- **DecodingDroppedCount** Number of events dropped due to decoding failures. -- **DiskSizeInBytes** Size of event store for Sense in bytes (only in in-proc mode). -- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. -- **EtwDroppedBufferCount** Number of buffers dropped in the universal telemetry client (UTC) event tracing for Windows (ETW) session. -- **EtwDroppedCount** Number of events dropped at the event tracing for Windows (ETW) layer of telemetry client. -- **EventsPersistedCount** Number of events that reached the PersistEvent stage. -- **EventStoreLifetimeResetCounter** Number of times event the database was reset for the lifetime of the universal telemetry client (UTC). -- **EventStoreResetCounter** Number of times the event database was reset. -- **EventStoreResetSizeSum** Total size of the event database across all resets reports in this instance. -- **EventsUploaded** Number of events uploaded. -- **Flags** Flags indicating device state, such as network state, battery state, and opt-in state. -- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. -- **HeartBeatSequenceNumber** The sequence number of this heartbeat. -- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. -- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. -- **LastEventSizeOffender** Event name of last event which exceeded the maximum event size. -- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. -- **MaxActiveAgentConnectionCount** Maximum number of active agents during this heartbeat timeframe. -- **NormalUploadTimerMillis** Number of milliseconds between each upload of normal events for SENSE (only in in-proc mode). -- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). -- **RepeatedUploadFailureDropped** Number of events lost due to repeated failed uploaded attempts. -- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. -- **SettingsHttpFailures** Number of failures from contacting the OneSettings service. -- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. -- **TopUploaderErrors** Top uploader errors, grouped by endpoint and error type. -- **UploaderDroppedCount** Number of events dropped at the uploader layer of the telemetry client. -- **UploaderErrorCount** Number of input for the TopUploaderErrors mode estimation. -- **VortexFailuresTimeout** Number of time out failures received from Vortex. -- **VortexHttpAttempts** Number of attempts to contact Vortex. -- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. -- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. -- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. -- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. - - -## Direct to update events - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicability - -Event to indicate that the Coordinator CheckApplicability call succeeded. - -The following fields are available: - -- **ApplicabilityResult** Result of CheckApplicability function. -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **IsDeviceAADDomainJoined** Indicates whether the device is logged in to the AAD (Azure Active Directory) domain. -- **IsDeviceADDomainJoined** Indicates whether the device is logged in to the AD (Active Directory) domain. -- **IsDeviceCloverTrail** Indicates whether the device has a Clover Trail system installed. -- **IsDeviceFeatureUpdatingPaused** Indicates whether Feature Update is paused on the device. -- **IsDeviceNetworkMetered** Indicates whether the device is connected to a metered network. -- **IsDeviceOobeBlocked** Indicates whether user approval is required to install updates on the device. -- **IsDeviceRequireUpdateApproval** Indicates whether user approval is required to install updates on the device. -- **IsDeviceSccmManaged** Indicates whether the device is running the Microsoft SCCM (System Center Configuration Manager) to keep the operating system and applications up to date. -- **IsDeviceUninstallActive** Indicates whether the OS (operating system) on the device was recently updated. -- **IsDeviceUpdateNotificationLevel** Indicates whether the device has a set policy to control update notifications. -- **IsDeviceUpdateServiceManaged** Indicates whether the device uses WSUS (Windows Server Update Services). -- **IsDeviceZeroExhaust** Indicates whether the device subscribes to the Zero Exhaust policy to minimize connections from Windows to Microsoft. -- **IsGreaterThanMaxRetry** Indicates whether the DTU (Direct to Update) service has exceeded its maximum retry count. -- **IsVolumeLicensed** Indicates whether a volume license was used to authenticate the operating system or applications on the device. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicabilityGenericFailure - -This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call. - -The following fields are available: - -- **CampaignID** ID of the campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Cleanup call. - -The following fields are available: - -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector -- **hResult** HRESULT of the failure - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupSuccess - -This event indicates that the Coordinator Cleanup call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Commit call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitSuccess - -This event indicates that the Coordinator Commit call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Download call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadIgnoredFailure - -This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Download call that will be ignored. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadSuccess - -This event indicates that the Coordinator Download call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator HandleShutdown call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinate version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownSuccess - -This event indicates that the Coordinator HandleShutdown call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Initialize call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeSuccess - -This event indicates that the Coordinator Initialize call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Install call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallIgnoredFailure - -This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Install call that will be ignored. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallSuccess - -This event indicates that the Coordinator Install call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorProgressCallBack - -This event indicates that the Coordinator's progress callback has been called. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **DeployPhase** Current Deploy Phase. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorSetCommitReadySuccess - -This event indicates that the Coordinator SetCommitReady call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiNotShown - -This event indicates that the Coordinator WaitForRebootUi call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSelection - -This event indicates that the user selected an option on the Reboot UI. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **rebootUiSelection** Selection on the Reboot UI. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSuccess - -This event indicates that the Coordinator WaitForRebootUi call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicabilityInternal call. - -The following fields are available: - -- **CampaignID** ID of the campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalSuccess - -This event indicates that the Handler CheckApplicabilityInternal call succeeded. - -The following fields are available: - -- **ApplicabilityResult** The result of the applicability check. -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilitySuccess - -This event indicates that the Handler CheckApplicability call succeeded. - -The following fields are available: - -- **ApplicabilityResult** The result code indicating whether the update is applicable. -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **CV_new** New correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionSuccess - -This event indicates that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **CheckIfCoordinatorMinApplicableVersionResult** Result of CheckIfCoordinatorMinApplicableVersion function. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Commit call. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **CV_new** New correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitSuccess - -This event indicates that the Handler Commit call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run.run -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **CV_new** New correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabFailure - -This event indicates that the Handler Download and Extract cab call failed. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **DownloadAndExtractCabFunction_failureReason** Reason why the update download and extract process failed. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabSuccess - -This event indicates that the Handler Download and Extract cab call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Download call. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadSuccess - -This event indicates that the Handler Download call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Initialize call. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extract. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeSuccess - -This event indicates that the Handler Initialize call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extraction. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Install call. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallSuccess - -This event indicates that the Coordinator Install call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadySuccess - -This event indicates that the Handler SetCommitReady call succeeded. - -The following fields are available: - -- **CampaignID** ID of the campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler WaitForRebootUi call. - -The following fields are available: - -- **CampaignID** The ID of the campaigning being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** The HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiSuccess - -This event indicates that the Handler WaitForRebootUi call succeeded. - -The following fields are available: - -- **CampaignID** ID of the campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -## DxgKernelTelemetry events - -### DxgKrnlTelemetry.GPUAdapterInventoryV2 - -This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date. - -The following fields are available: - -- **AdapterTypeValue** The numeric value indicating the type of Graphics adapter. -- **aiSeqId** The event sequence ID. -- **bootId** The system boot ID. -- **BrightnessVersionViaDDI** The version of the Display Brightness Interface. -- **BrightngssVersionViaDDI** No content is currently available. -- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. -- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). -- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). -- **DisplayAdapterLuid** The display adapter LUID. -- **DriverDate** The date of the display driver. -- **DriverRank** The rank of the display driver. -- **DriverVersion** The display driver version. -- **DriverVgrsion** No content is currently available. -- **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store. -- **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store. -- **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store. -- **DX9UMDFilePatè** No content is currently available. -- **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store. -- **GPUDeviceID** The GPU device ID. -- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. -- **GPURevisionID** The GPU revision ID. -- **GPUVendorID** The GPU vendor ID. -- **InterfaceId** The GPU interface ID. -- **IsDisplayDevice** Does the GPU have displaying capabilities? -- **IsHwSchSupported** Indicates whether the adapter supports hardware scheduling. -- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? -- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? -- **IsLDA** Is the GPU comprised of Linked Display Adapters? -- **IsMiracastSupported** Does the GPU support Miracast? -- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor? -- **IsMPOSupported** Does the GPU support Multi-Plane Overlays? -- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution? -- **IsPostAdapter** Is this GPU the POST GPU in the device? -- **IsRemovable** TRUE if the adapter supports being disabled or removed. -- **IsRenderDevice** Does the GPU have rendering capabilities? -- **IsRendgrDevice** No content is currently available. -- **IsSoftwareDevice** Is this a software implementation of the GPU? -- **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store. -- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? -- **MeasurgEnabled** No content is currently available. -- **MsHybridDiscrete** Indicates whether the adapter is a discrete adapter in a hybrid configuration. -- **NumVidPnSources** The number of supported display output sources. -- **NumVidPnTargets** The number of supported display output targets. -- **NumVidPnTattets** No content is currently available. -- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes). -- **SubSystemID** The subsystem ID. -- **SubVendorID** The GPU sub vendor ID. -- **TelemetpyEnabled** No content is currently available. -- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? -- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) -- **version** The event version. -- **verskon** No content is currently available. -- **WDDMVersion** The Windows Display Driver Model version. - - -## Failover Clustering events - -### Microsoft.Windows.Server.FailoverClusteringCritical.ClusterSummary2 - -This event returns information about how many resources and of what type are in the server cluster. This data is collected to keep Windows Server safe, secure, and up to date. The data includes information about whether hardware is configured correctly, if the software is patched correctly, and assists in preventing crashes by attributing issues (like fatal errors) to workloads and system configurations. - -The following fields are available: - -- **autoAssignSite** The cluster parameter: auto site. -- **autoBalancerLevel** The cluster parameter: auto balancer level. -- **autoBalancerMode** The cluster parameter: auto balancer mode. -- **blockCacheSize** The configured size of the block cache. -- **ClusterAdConfiguration** The ad configuration of the cluster. -- **clusterAdType** The cluster parameter: mgmt_point_type. -- **clusterDumpPolicy** The cluster configured dump policy. -- **clusterFunctionalLevel** The current cluster functional level. -- **clusterGuid** The unique identifier for the cluster. -- **clusterWitnessType** The witness type the cluster is configured for. -- **countNodesInSite** The number of nodes in the cluster. -- **crossSiteDelay** The cluster parameter: CrossSiteDelay. -- **crossSiteThreshold** The cluster parameter: CrossSiteThreshold. -- **crossSubnetDelay** The cluster parameter: CrossSubnetDelay. -- **crossSubnetThreshold** The cluster parameter: CrossSubnetThreshold. -- **csvCompatibleFilters** The cluster parameter: ClusterCsvCompatibleFilters. -- **csvIncompatibleFilters** The cluster parameter: ClusterCsvIncompatibleFilters. -- **csvResourceCount** The number of resources in the cluster. -- **currentNodeSite** The name configured for the current site for the cluster. -- **dasModeBusType** The direct storage bus type of the storage spaces. -- **downLevelNodeCount** The number of nodes in the cluster that are running down-level. -- **drainOnShutdown** Specifies whether a node should be drained when it is shut down. -- **dynamicQuorumEnabled** Specifies whether dynamic Quorum has been enabled. -- **enforcedAntiAffinity** The cluster parameter: enforced anti affinity. -- **genAppNames** The win32 service name of a clustered service. -- **genSvcNames** The command line of a clustered genapp. -- **hangRecoveryAction** The cluster parameter: hang recovery action. -- **hangTimeOut** Specifies the “hang time out” parameter for the cluster. -- **isCalabria** Specifies whether storage spaces direct is enabled. -- **isMixedMode** Identifies if the cluster is running with different version of OS for nodes. -- **isRunningDownLevel** Identifies if the current node is running down-level. -- **logLevel** Specifies the granularity that is logged in the cluster log. -- **logSize** Specifies the size of the cluster log. -- **lowerQuorumPriorityNodeId** The cluster parameter: lower quorum priority node ID. -- **minNeverPreempt** The cluster parameter: minimum never preempt. -- **minPreemptor** The cluster parameter: minimum preemptor priority. -- **netftIpsecEnabled** The parameter: netftIpsecEnabled. -- **NodeCount** The number of nodes in the cluster. -- **nodeId** The current node number in the cluster. -- **nodeResourceCounts** Specifies the number of node resources. -- **nodeResourceOnlineCounts** Specifies the number of node resources that are online. -- **numberOfSites** The number of different sites. -- **numNodesInNoSite** The number of nodes not belonging to a site. -- **plumbAllCrossSubnetRoutes** The cluster parameter: plumb all cross subnet routes. -- **preferredSite** The preferred site location. -- **privateCloudWitness** Specifies whether a private cloud witness exists for this cluster. -- **quarantineDuration** The quarantine duration. -- **quarantineThreshold** The quarantine threshold. -- **quorumArbitrationTimeout** In the event of an arbitration event, this specifies the quorum timeout period. -- **resiliencyLevel** Specifies the level of resiliency. -- **resourceCounts** Specifies the number of resources. -- **resourceTypeCounts** Specifies the number of resource types in the cluster. -- **resourceTypes** Data representative of each resource type. -- **resourceTypesPath** Data representative of the DLL path for each resource type. -- **sameSubnetDelay** The cluster parameter: same subnet delay. -- **sameSubnetThreshold** The cluster parameter: same subnet threshold. -- **secondsInMixedMode** The amount of time (in seconds) that the cluster has been in mixed mode (nodes with different operating system versions in the same cluster). -- **securityLevel** The cluster parameter: security level. -- **securityLevelForStorage** The cluster parameter: security level for storage. -- **sharedVolumeBlockCacheSize** Specifies the block cache size for shared for shared volumes. -- **shutdownTimeoutMinutes** Specifies the amount of time it takes to time out when shutting down. -- **upNodeCount** Specifies the number of nodes that are up (online). -- **useClientAccessNetworksForCsv** The cluster parameter: use client access networks for CSV. -- **vmIsolationTime** The cluster parameter: VM isolation time. -- **witnessDatabaseWriteTimeout** Specifies the timeout period for writing to the quorum witness database. - - -## Fault Reporting events - -### Microsoft.Windows.FaultReporting.AppCrashEvent - -This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event. - -The following fields are available: - -- **AppName** The name of the app that has crashed. -- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. -- **AppTimeStamp** The date/time stamp of the app. -- **AppVersion** The version of the app that has crashed. -- **DargetAsId** No content is currently available. -- **ExceptionCode** The exception code returned by the process that has crashed. -- **ExceptionOffset** The address where the exception had occurred. -- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. -- **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. -- **IsFatal** True/False to indicate whether the crash resulted in process termination. -- **ModNa-e** No content is currently available. -- **ModName** Exception module name (e.g. bar.dll). -- **ModTimeStamp** The date/time stamp of the module. -- **ModVersion** The version of the module that has crashed. -- **OodTimeStamp** No content is currently available. -- **PackageFullName** Store application identity. -- **PackageRelativeAppId** Store application identity. -- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. -- **ProcessCreateTime** The time of creation of the process that has crashed. -- **ProcessId** The ID of the process that has crashed. -- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. -- **TargetAppId** The kernel reported AppId of the application being reported. -- **TargetAppVer** The specific version of the application being reported -- **TargetAsId** The sequence number for the hanging process. - - -## Feature update events - -### Microsoft.Windows.Upgrade.Uninstall.UninstallFinalizedAndRebootTriggered - -This event indicates that the uninstall was properly configured and that a system reboot was initiated. - - - -### Microsoft.Windows.Upgrade.Uninstall.UninstallGoBackButtonClicked - -This event sends basic metadata about the starting point of uninstalling a feature update, which helps ensure customers can safely revert to a well-known state if the update caused any problems. - - - -## Hang Reporting events - -### Microsoft.Windows.HangReporting.AppHangEvent - -This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. - -The following fields are available: - -- **AppName** The name of the app that has hung. -- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend. -- **AppVersion** The version of the app that has hung. -- **IsFatal** True/False based on whether the hung application caused the creation of a Fatal Hang Report. -- **PackageFullName** Store application identity. -- **PackageRelativeAppId** Store application identity. -- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. -- **ProcessCreateTime** The time of creation of the process that has hung. -- **ProcessId** The ID of the process that has hung. -- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. -- **TargetAppId** The kernel reported AppId of the application being reported. -- **TargetAppVer** The specific version of the application being reported. -- **TargetAsId** The sequence number for the hanging process. -- **TypeCode** Bitmap describing the hang type. -- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application. -- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting. -- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting. -- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package. - - -## Inventory events - -### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum - -This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. - -The following fields are available: - -- **Device** A count of device objects in cache. -- **DeviceCensus** A count of device census objects in cache. -- **DriverPackageExtended** A count of driverpackageextended objects in cache. -- **File** A count of file objects in cache. -- **FileSigningInfo** A count of file signing objects in cache. -- **Generic** A count of generic objects in cache. -- **HwItem** A count of hwitem objects in cache. -- **InventoryApplication** A count of application objects in cache. -- **InventoryApplicationAppV** A count of application AppV objects in cache. -- **InventoryApplicationDriver** A count of application driver objects in cache -- **InventoryApplicationFile** A count of application file objects in cache. -- **InventoryApplicationFramework** A count of application framework objects in cache -- **InventoryApplicationShortcut** A count of application shortcut objects in cache -- **InventoryDeviceContainer** A count of device container objects in cache. -- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache. -- **InventoryDeviceMediaClass** A count of device media objects in cache. -- **InventoryDevicePnp** A count of device Plug and Play objects in cache. -- **InventoryDeviceUsbHubClass** A count of device usb objects in cache -- **InventoryDriverBinary** A count of driver binary objects in cache. -- **InventoryDriverPackage** A count of device objects in cache. -- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache -- **InventoryMiscellaneousOfficeAddInUsage** A count of office add-in usage objects in cache. -- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache -- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache -- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache -- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache -- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache -- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache -- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache -- **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache -- **Metadata** A count of metadata objects in cache. -- **Orphan** A count of orphan file objects in cache. -- **Programs** A count of program objects in cache. - - -### Microsoft.Windows.Inventory.Core.AmiTelCacheFileInfo - -Diagnostic data about the inventory cache. - -The following fields are available: - -- **CacheFileSize** Size of the cache. -- **InventoryVersion** Inventory version of the cache. -- **TempCacheCount** Number of temp caches created. -- **TempCacheDeletedCount** Number of temp caches deleted. - - -### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions - -This event sends inventory component versions for the Device Inventory data. - -The following fields are available: - -- **aeinv** The version of the App inventory component. -- **devinv** The file version of the Device inventory component. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd - -This event sends basic metadata about an application on the system to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **HiddenArp** Indicates whether a program hides itself from showing up in ARP. -- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). -- **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 -- **InstallDateFromLbnkFile** No content is currently available. -- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. -- **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array. -- **InventoryVersion** The version of the inventory file generating the events. -- **Language** The language code of the program. -- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. -- **MsiProductCode** A GUID that describe the MSI Product. -- **Name** The name of the application. -- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. -- **PackageFullName** The package full name for a Store application. -- **ProgramInstanceId** A hash of the file IDs in an app. -- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field. -- **RootDirPath** The path to the root directory where the program was installed. -- **Source** How the program was installed (for example, ARP, MSI, Appx). -- **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp. -- **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen. -- **Version** The version number of the program. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd - -This event represents what drivers an application installs. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory component. -- **ProgramIds** The unique program identifier the driver is associated with. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync - -The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory component. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd - -This event provides the basic metadata about the frameworks an application may depend on. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **FileId** A hash that uniquely identifies a file. -- **Frameworks** The list of frameworks this file depends on. -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync - -This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove - -This event indicates that a new set of InventoryDevicePnpAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync - -This event indicates that a new set of InventoryApplicationAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd - -This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device) to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Categories** A comma separated list of functional categories in which the container belongs. -- **DiscoveryMethod** The discovery method for the device container. -- **FriendlyName** The name of the device container. -- **InventoryVersion** The version of the inventory file generating the events. -- **IsActive** Is the device connected, or has it been seen in the last 14 days? -- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link. -- **IsMachineContainer** Is the container the root device itself? -- **IsNetworked** Is this a networked device? -- **IsPaired** Does the device container require pairing? -- **Manufacturer** The manufacturer name for the device container. -- **ModelId** A unique model ID. -- **ModelName** The model name. -- **ModelNumber** The model number for the device container. -- **PrimaryCategory** The primary category for the device container. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove - -This event indicates that the InventoryDeviceContainer object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync - -This event indicates that a new set of InventoryDeviceContainerAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd - -This event retrieves information about what sensor interfaces are available on the device. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Accelerometer3D** Indicates if an Accelerator3D sensor is found. -- **ActivityDetection** Indicates if an Activity Detection sensor is found. -- **AmbientLight** Indicates if an Ambient Light sensor is found. -- **Barometer** Indicates if a Barometer sensor is found. -- **Custom** Indicates if a Custom sensor is found. -- **EnergyMeter** Indicates if an Energy sensor is found. -- **FloorElevation** Indicates if a Floor Elevation sensor is found. -- **GeomagneticOrientation** Indicates if a Geo Magnetic Orientation sensor is found. -- **GravityVector** Indicates if a Gravity Detector sensor is found. -- **Gyrometer3D** Indicates if a Gyrometer3D sensor is found. -- **Humidity** Indicates if a Humidity sensor is found. -- **InventoryVersion** The version of the inventory file generating the events. -- **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found. -- **Magnetometer3D** Indicates if a Magnetometer3D sensor is found. -- **Orientation** Indicates if an Orientation sensor is found. -- **Pedometer** Indicates if a Pedometer sensor is found. -- **Proximity** Indicates if a Proximity sensor is found. -- **RelativeOrientation** Indicates if a Relative Orientation sensor is found. -- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found. -- **Temperature** Indicates if a Temperature sensor is found. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync - -This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd - -This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **audio.captureDriver** Audio device capture driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14887.1000:hdaudio\func_01 -- **audio.renderDriver** Audio device render driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14889.1001:hdaudio\func_01 -- **Audio_CaptureDriver** The Audio device capture driver endpoint. -- **Audio_RenderDriver** The Audio device render driver endpoint. -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove - -This event indicates that the InventoryDeviceMediaClassRemove object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync - -This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. - -This event includes fields from [Ms.Device.De~iceInventoryChange](#msdevicede~iceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd - -This event represents the basic metadata about a plug and play (PNP) device and its associated driver. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **basedata** No content is currently available. See [basedata](#basedata). -- **BusReportedDescription** The description of the device reported by the bux. -- **Class** The device setup class of the driver loaded for the device. -- **ClassGuid** The device class unique identifier of the driver package loaded on the device. -- **COMPID** The list of “Compatible IDs” for this device. -- **ContainerId** The system-supplied unique identifier that specifies which group(s) the device(s) installed on the parent (main) device belong to. -- **Description** The description of the device. -- **DeviceInterfaceClasses** The device interfaces that this device implements. -- **DeviceState** Identifies the current state of the parent (main) device. -- **DevicmState** No content is currently available. -- **DriverId** The unique identifier for the installed driver. -- **DriverName** The name of the driver image file. -- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage. -- **DriverVerDate** The date associated with the driver installed on the device. -- **DriverVerVersion** The version number of the driver installed on the device. -- **Enumerator** Identifies the bus that enumerated the device. -- **ExtendedInfs** The extended INF file names. -- **HWID** A list of hardware IDs for the device. -- **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). -- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx -- **InventoryVersion** The version number of the inventory process generating the events. -- **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. -- **LowerFilters** The identifiers of the Lower filters installed for the device. -- **Manufacturer** The manufacturer of the device. -- **MatchingID** The Hardware ID or Compatible ID that Windows uses to install a device instance. -- **Model** Identifies the model of the device. -- **ParentId** The Device Instance ID of the parent of the device. -- **ProblemCode** The error code currently returned by the device, if applicable. -- **Provider** Identifies the device provider. -- **Service** The name of the device service. -- **STACKID** The list of hardware IDs for the stack. -- **UpperClassFilters** The identifiers of the Upper Class filters installed for the device. -- **UpperFilers** No content is currently available. -- **UpperFilters** The identifiers of the Upper filters installed for the device. - - -### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove - -This event indicates that the InventoryDevicePnpRemove object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync - -This event indicates that a new set of InventoryDevicePnpAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd - -This event sends basic metadata about the USB hubs on the device. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. -- **TotalUserConnectablePorts** Total number of connectable USB ports. -- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync - -This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent. - -This event includes fields from [Ms.De~ice.DeviceInventoryChange](#msde~icedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd - -This event provides the basic metadata about driver binaries running on the system. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **DriverCheckSum** The checksum of the driver file. -- **DriverCompany** The company name that developed the driver. -- **DriverInBox** Is the driver included with the operating system? -- **DriverIsKernelMode** Is it a kernel mode driver? -- **DriverName** The file name of the driver. -- **DriverPackageStrongName** The strong name of the driver package -- **DriverSigned** The strong name of the driver package -- **DriverTimeStamp** The low 32 bits of the time stamp of the driver file. -- **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. -- **DriverVersion** The version of the driver file. -- **ImageSize** The size of the driver file. -- **Inf** The name of the INF file. -- **InventoryVersion** The version of the inventory file generating the events. -- **Product** The product name that is included in the driver file. -- **ProductVersion** The product version that is included in the driver file. -- **Service** The name of the service that is installed for the device. -- **WdfVersion** The Windows Driver Framework version. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove - -This event indicates that the InventoryDriverBinary object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync - -This event indicates that a new set of InventoryDriverBinaryAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd - -This event sends basic metadata about drive packages installed on the system to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Class** The class name for the device driver. -- **ClassGuid** The class GUID for the device driver. -- **Date** The driver package date. -- **Directory** The path to the driver package. -- **DriverInBox** Is the driver included with the operating system? -- **Inf** The INF name of the driver package. -- **InventoryVersion** The version of the inventory file generating the events. -- **Provider** The provider for the driver package. -- **SubmissionId** The HLK submission ID for the driver package. -- **Version** The version of the driver package. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove - -This event indicates that the InventoryDriverPackageRemove object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync - -This event indicates that a new set of InventoryDriverPackageAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.StartUtcJsonTrace - -This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the beginning of the event download, and that tracing should begin. - - - -### Microsoft.Windows.Inventory.Core.StopUtcJsonTrace - -This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the end of the event download, and that tracing should end. - - - -### Microsoft.Windows.Inventory.General.AppHealthStaticAdd - -This event sends details collected for a specific application on the source device. - -The following fields are available: - -- **AhaVersion** The binary version of the App Health Analyzer tool. -- **ApplicationErrors** The count of application errors from the event log. -- **Bitness** The architecture type of the application (16 Bit or 32 bit or 64 bit). -- **device_level** Various JRE/JAVA versions installed on a particular device. -- **ExtendedProperties** Attribute used for aggregating all other attributes under this event type. -- **Jar** Flag to determine if an app has a Java JAR file dependency. -- **Jre** Flag to determine if an app has JRE framework dependency. -- **Jre_version** JRE versions an app has declared framework dependency for. -- **Name** Name of the application. -- **NonDPIAware** Flag to determine if an app is non-DPI aware. -- **NumBinaries** Count of all binaries (.sys,.dll,.ini) from application install location. -- **RequiresAdmin** Flag to determine if an app requests admin privileges for execution. -- **RequiresAdminv2** Additional flag to determine if an app requests admin privileges for execution. -- **RequiresUIAccess** Flag to determine if an app is based on UI features for accessibility. -- **VB6** Flag to determine if an app is based on VB6 framework. -- **VB6v2** Additional flag to determine if an app is based on VB6 framework. -- **Version** Version of the application. -- **VersionCheck** Flag to determine if an app has a static dependency on OS version. -- **VersionCheckv2** Additional flag to determine if an app has a static dependency on OS version. - - -### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync - -This event indicates the beginning of a series of AppHealthStaticAdd events. - -The following fields are available: - -- **AllowTelemetry** Indicates the presence of the 'allowtelemetry' command line argument. -- **CommandLineArgs** Command line arguments passed when launching the App Health Analyzer executable. -- **Enhanced** Indicates the presence of the 'enhanced' command line argument. -- **StartTime** UTC date and time at which this event was sent. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd - -Provides data on the installed Office Add-ins. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AddinCLSID** The class identifier key for the Microsoft Office add-in. -- **AddInCLSID** The class identifier key for the Microsoft Office add-in. -- **AddInId** The identifier for the Microsoft Office add-in. -- **AddinType** The type of the Microsoft Office add-in. -- **BinFileTimestamp** The timestamp of the Office add-in. -- **BinFileVersion** The version of the Microsoft Office add-in. -- **Description** Description of the Microsoft Office add-in. -- **FileId** The file identifier of the Microsoft Office add-in. -- **FileSize** The file size of the Microsoft Office add-in. -- **FriendlyName** The friendly name for the Microsoft Office add-in. -- **FullPath** The full path to the Microsoft Office add-in. -- **InventoryVersion** The version of the inventory binary generating the events. -- **LoadBehavior** Integer that describes the load behavior. -- **LoadTime** Load time for the Office add-in. -- **OfficeApplication** The Microsoft Office application associated with the add-in. -- **OfficeArchitecture** The architecture of the add-in. -- **OfficeVersion** The Microsoft Office version for this add-in. -- **OutlookCrashingAddin** Indicates whether crashes have been found for this add-in. -- **ProductCompany** The name of the company associated with the Office add-in. -- **ProductName** The product name associated with the Microsoft Office add-in. -- **ProductVersion** The version associated with the Office add-in. -- **ProgramId** The unique program identifier of the Microsoft Office add-in. -- **Provider** Name of the provider for this add-in. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync - -This event indicates that a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd - -Provides data on the Office identifiers. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OAudienceData** Sub-identifier for Microsoft Office release management, identifying the pilot group for a device -- **OAudienceId** Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device -- **OMID** Identifier for the Office SQM Machine -- **OPlatform** Whether the installed Microsoft Office product is 32-bit or 64-bit -- **OTenantId** Unique GUID representing the Microsoft O365 Tenant -- **OVersion** Installed version of Microsoft Office. For example, 16.0.8602.1000 -- **OWowMID** Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft Office on 64-bit Windows) - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd - -Provides data on Office-related Internet Explorer features. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OIeFeatureAddon** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the user or by administrative group policy will also be disabled in applications that enable this feature. -- **OIeMachineLockdown** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on content loaded from the user's local machine, which helps prevent malicious behavior involving local files. -- **OIeMimeHandling** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely. Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) -- **OIeMimeSniffing** Flag indicating which Microsoft Office products have this setting enabled. Determines a file's type by examining its bit signature. Windows Internet Explorer uses this information to determine how to render the file. The FEATURE_MIME_SNIFFING feature, when enabled, allows to be set differently for each security zone by using the URLACTION_FEATURE_MIME_SNIFFING URL action flag -- **OIeNoAxInstall** Flag indicating which Microsoft Office products have this setting enabled. When a webpage attempts to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request. When a webpage tries to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request -- **OIeNoDownload** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_RESTRICT_FILEDOWNLOAD feature blocks file download requests that navigate to a resource, that display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click or key press). Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) -- **OIeObjectCaching** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_OBJECT_CACHING feature prevents webpages from accessing or instantiating ActiveX controls cached from different domains or security contexts -- **OIePasswordDisable** Flag indicating which Microsoft Office products have this setting enabled. After Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2), Internet Explorer no longer allows usernames and passwords to be specified in URLs that use the HTTP or HTTPS protocols. URLs using other protocols, such as FTP, still allow usernames and passwords -- **OIeSafeBind** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SAFE_BINDTOOBJECT feature performs additional safety checks when calling MonikerBindToObject to create and initialize Microsoft ActiveX controls. Specifically, prevent the control from being created if COMPAT_EVIL_DONT_LOAD is in the registry for the control -- **OIeSecurityBand** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled, the Information bar appears when file download or code installation is restricted -- **OIeUncSaveCheck** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_UNC_SAVEDFILECHECK feature enables the Mark of the Web (MOTW) for local files loaded from network locations that have been shared by using the Universal Naming Convention (UNC) -- **OIeValidateUrl** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_VALIDATE_NAVIGATE_URL feature control prevents Windows Internet Explorer from navigating to a badly formed URL -- **OIeWebOcPopup** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_WEBOC_POPUPMANAGEMENT feature allows applications hosting the WebBrowser Control to receive the default Internet Explorer pop-up window management behavior -- **OIeWinRestrict** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_WINDOW_RESTRICTIONS feature adds several restrictions to the size and behavior of popup windows -- **OIeZoneElevate** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_ZONE_ELEVATION feature prevents pages in one zone from navigating to pages in a higher security zone unless the navigation is generated by the user - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd - -This event provides insight data on the installed Office products - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OfficeApplication** The name of the Office application. -- **OfficeArchitecture** The bitness of the Office application. -- **OfficeVersion** The version of the Office application. -- **Value** The insights collected about this entity. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync - -This diagnostic event indicates that a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd - -Describes Office Products installed. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OC2rApps** A GUID the describes the Office Click-To-Run apps -- **OC2rSkus** Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example, Office 2016 ProPlus -- **OMsiApps** Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word -- **OProductCodes** A GUID that describes the Office MSI products - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd - -This event describes various Office settings - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **BrowserFlags** Browser flags for Office-related products -- **ExchangeProviderFlags** Provider policies for Office Exchange -- **InventoryVersion** The version of the inventory binary generating the events. -- **SharedComputerLicensing** Office shared computer licensing policies - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync - -Indicates a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd - -This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Design** Count of files with design issues found. -- **Design_x64** Count of files with 64 bit design issues found. -- **DuplicateVBA** Count of files with duplicate VBA code. -- **HasVBA** Count of files with VBA code. -- **Inaccessible** Count of files that were inaccessible for scanning. -- **InventoryVersion** The version of the inventory binary generating the events. -- **Issues** Count of files with issues detected. -- **Issues_x64** Count of files with 64-bit issues detected. -- **IssuesNone** Count of files with no issues detected. -- **IssuesNone_x64** Count of files with no 64-bit issues detected. -- **Locked** Count of files that were locked, preventing scanning. -- **NoVBA** Count of files with no VBA inside. -- **Protected** Count of files that were password protected, preventing scanning. -- **RemLimited** Count of files that require limited remediation changes. -- **RemLimited_x64** Count of files that require limited remediation changes for 64-bit issues. -- **RemSignificant** Count of files that require significant remediation changes. -- **RemSignificant_x64** Count of files that require significant remediation changes for 64-bit issues. -- **Score** Overall compatibility score calculated for scanned content. -- **Score_x64** Overall 64-bit compatibility score calculated for scanned content. -- **Total** Total number of files scanned. -- **Validation** Count of files that require additional manual validation. -- **Validation_x64** Count of files that require additional manual validation for 64-bit issues. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd - -This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Count** Count of total Microsoft Office VBA rule violations -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync - -This event indicates that a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd - -Provides data on Unified Update Platform (UUP) products and what version they are at. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Identifier** UUP identifier -- **LastActivatedVersion** Last activated version -- **PreviousVersion** Previous version -- **Source** UUP source -- **Version** UUP version - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -### Microsoft.Windows.Inventory.Indicators.Checksum - -This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events. - -The following fields are available: - -- **CensusId** A unique hardware identifier. -- **ChecksumDictionary** A count of each operating system indicator. -- **PCFP** Equivalent to the InventoryId field that is found in other core events. - - -### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd - -These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **IndicatorValue** The indicator value. -- **Value** Describes an operating system indicator that may be relevant for the device upgrade. - - -### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove - -This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync - -This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -## Kernel events - -### IO - -This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon system startup. - -The following fields are available: - -- **BytesRead** The total number of bytes read from or read by the OS upon system startup. -- **BytesWritten** The total number of bytes written to or written by the OS upon system startup. - - -### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch - -OS information collected during Boot, used to evaluate the success of the upgrade process. - -The following fields are available: - -- **BootApplicationId** This field tells us what the OS Loader Application Identifier is. -- **BootAttemptCount** The number of consecutive times the boot manager has attempted to boot into this operating system. -- **BootSequence** The current Boot ID, used to correlate events related to a particular boot session. -- **BootStatusPolicy** Identifies the applicable Boot Status Policy. -- **BootType** Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume"). -- **EventTimestamp** Seconds elapsed since an arbitrary time point. This can be used to identify the time difference in successive boot attempts being made. -- **FirmwareResetReasonEmbeddedController** Reason for system reset provided by firmware. -- **FirmwareResetReasonEmbeddedControllerAdditional** Additional information on system reset reason provided by firmware if needed. -- **FirmwareResetReasonPch** Reason for system reset provided by firmware. -- **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed. -- **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware. -- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See [IO](#io). -- **LastBootSucceeded** Flag indicating whether the last boot was successful. -- **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful. -- **MaxAbove4GbFreeRange** This field describes the largest memory range available above 4Gb. -- **MaxBelow4GbFreeRange** This field describes the largest memory range available below 4Gb. -- **MeasuredLaunchPrepared** This field tells us if the OS launch was initiated using Measured/Secure Boot over DRTM (Dynamic Root of Trust for Measurement). -- **MeasuredLaunchResume** This field tells us if Dynamic Root of Trust for Measurement (DRTM) was used when resuming from hibernation. -- **MenuPolicy** Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.). -- **RecoveryEnabled** Indicates whether recovery is enabled. -- **SecureLaunchPrepared** This field indicates if DRTM was prepared during boot. -- **TcbLaunch** Indicates whether the Trusted Computing Base was used during the boot flow. -- **UserInputTime** The amount of time the loader application spent waiting for user input. - - -## Miracast events - -### Microsoft.Windows.Cast.Miracast.MiracastSessionEnd - -This event sends data at the end of a Miracast session that helps determine RTSP related Miracast failures along with some statistics about the session - -The following fields are available: - -- **AudioChannelCount** The number of audio channels. -- **AudioSampleRate** The sample rate of audio in terms of samples per second. -- **AudioSubtype** The unique subtype identifier of the audio codec (encoding method) used for audio encoding. -- **AverageBitrate** The average video bitrate used during the Miracast session, in bits per second. -- **AverageDataRate** The average available bandwidth reported by the WiFi driver during the Miracast session, in bits per second. -- **AveragePacketSendTimeInMs** The average time required for the network to send a sample, in milliseconds. -- **ConnectorType** The type of connector used during the Miracast session. -- **EncodeAverageTimeMS** The average time to encode a frame of video, in milliseconds. -- **EncodeCount** The count of total frames encoded in the session. -- **EncodeMaxTimeMS** The maximum time to encode a frame, in milliseconds. -- **EncodeMinTimeMS** The minimum time to encode a frame, in milliseconds. -- **EncoderCreationTimeInMs** The time required to create the video encoder, in milliseconds. -- **ErrorSource** Identifies the component that encountered an error that caused a disconnect, if applicable. -- **FirstFrameTime** The time (tick count) when the first frame is sent. -- **FirstLatencyMode** The first latency mode. -- **FrameAverageTimeMS** Average time to process an entire frame, in milliseconds. -- **FrameCount** The total number of frames processed. -- **FrameMaxTimeMS** The maximum time required to process an entire frame, in milliseconds. -- **FrameMinTimeMS** The minimum time required to process an entire frame, in milliseconds. -- **Glitches** The number of frames that failed to be delivered on time. -- **HardwareCursorEnabled** Indicates if hardware cursor was enabled when the connection ended. -- **HDCPState** The state of HDCP (High-bandwidth Digital Content Protection) when the connection ended. -- **HighestBitrate** The highest video bitrate used during the Miracast session, in bits per second. -- **HighestDataRate** The highest available bandwidth reported by the WiFi driver, in bits per second. -- **LastLatencyMode** The last reported latency mode. -- **LogTimeReference** The reference time, in tick counts. -- **LowestBitrate** The lowest video bitrate used during the Miracast session, in bits per second. -- **LowestDataRate** The lowest video bitrate used during the Miracast session, in bits per second. -- **MediaErrorCode** The error code reported by the media session, if applicable. -- **MiracastEntry** The time (tick count) when the Miracast driver was first loaded. -- **MiracastM1** The time (tick count) when the M1 request was sent. -- **MiracastM2** The time (tick count) when the M2 request was sent. -- **MiracastM3** The time (tick count) when the M3 request was sent. -- **MiracastM4** The time (tick count) when the M4 request was sent. -- **MiracastM5** The time (tick count) when the M5 request was sent. -- **MiracastM6** The time (tick count) when the M6 request was sent. -- **MiracastM7** The time (tick count) when the M7 request was sent. -- **MiracastSessionState** The state of the Miracast session when the connection ended. -- **MiracastStreaming** The time (tick count) when the Miracast session first started processing frames. -- **ProfileCount** The count of profiles generated from the receiver M4 response. -- **ProfileCountAfterFiltering** The count of profiles after filtering based on available bandwidth and encoder capabilities. -- **RefreshRate** The refresh rate set on the remote display. -- **RotationSupported** Indicates if the Miracast receiver supports display rotation. -- **RTSPSessionId** The unique identifier of the RTSP session. This matches the RTSP session ID for the receiver for the same session. -- **SessionGuid** The unique identifier of to correlate various Miracast events from a session. -- **SinkHadEdid** Indicates if the Miracast receiver reported an EDID. -- **SupportMicrosoftColorSpaceConversion** Indicates whether the Microsoft color space conversion for extra color fidelity is supported by the receiver. -- **SupportsMicrosoftDiagnostics** Indicates whether the Miracast receiver supports the Microsoft Diagnostics Miracast extension. -- **SupportsMicrosoftFormatChange** Indicates whether the Miracast receiver supports the Microsoft Format Change Miracast extension. -- **SupportsMicrosoftLatencyManagement** Indicates whether the Miracast receiver supports the Microsoft Latency Management Miracast extension. -- **SupportsMicrosoftRTCP** Indicates whether the Miracast receiver supports the Microsoft RTCP Miracast extension. -- **SupportsMicrosoftVideoFormats** Indicates whether the Miracast receiver supports Microsoft video format for 3:2 resolution. -- **SupportsWiDi** Indicates whether Miracast receiver supports Intel WiDi extensions. -- **TeardownErrorCode** The error code reason for teardown provided by the receiver, if applicable. -- **TeardownErrorReason** The text string reason for teardown provided by the receiver, if applicable. -- **UIBCEndState** Indicates whether UIBC was enabled when the connection ended. -- **UIBCEverEnabled** Indicates whether UIBC was ever enabled. -- **UIBCStatus** The result code reported by the UIBC setup process. -- **VideoBitrate** The starting bitrate for the video encoder. -- **VideoCodecLevel** The encoding level used for encoding, specific to the video subtype. -- **VideoHeight** The height of encoded video frames. -- **VideoSubtype** The unique subtype identifier of the video codec (encoding method) used for video encoding. -- **VideoWidth** The width of encoded video frames. -- **WFD2Supported** Indicates if the Miracast receiver supports WFD2 protocol. - - -## OneDrive events - -### Microsoft.OneDrive.Sync.Setup.APIOperation - -This event includes basic data about install and uninstall OneDrive API operations. - -The following fields are available: - -- **APIName** The name of the API. -- **Duration** How long the operation took. -- **IsSuccess** Was the operation successful? -- **ResultCode** The result code. -- **ScenarioName** The name of the scenario. - - -### Microsoft.OneDrive.Sync.Setup.EndExperience - -This event includes a success or failure summary of the installation. - -The following fields are available: - -- **APIName** The name of the API. -- **HResult** HResult of the operation -- **IsSuccess** Whether the operation is successful or not -- **ScenarioName** The name of the scenario. - - -### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation - -This event is related to the OS version when the OS is upgraded with OneDrive installed. - -The following fields are available: - -- **CurrentOneDriveVersion** The current version of OneDrive. -- **CurrentOSBuildBranch** The current branch of the operating system. -- **CurrentOSBuildNumber** The current build number of the operating system. -- **CurrentOSVersion** The current version of the operating system. -- **HResult** The HResult of the operation. -- **SourceOSBuildBranch** The source branch of the operating system. -- **SourceOSBuildNumber** The source build number of the operating system. -- **SourceOSVersion** The source version of the operating system. - - -### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation - -This event is related to registering or unregistering the OneDrive update task. - -The following fields are available: - -- **APIName** The name of the API. -- **IsSuccess** Was the operation successful? -- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation. -- **ScenarioName** The name of the scenario. -- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation. - - -### Microsoft.OneDrive.Sync.Updater.ComponentInstallState - -This event includes basic data about the installation state of dependent OneDrive components. - -The following fields are available: - -- **ComponentName** The name of the dependent component. -- **isInstalled** Is the dependent component installed? - - -### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus - -This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken - -The following fields are available: - -- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system. -- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system. - - -### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult - -This event sends information describing the result of the update. - -The following fields are available: - -- **hr** The HResult of the operation. -- **IsLoggingEnabled** Indicates whether logging is enabled for the updater. -- **UpdaterVersion** The version of the updater. - - -### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult - -This event determines the status when downloading the OneDrive update configuration file. - -The following fields are available: - -- **hr** The HResult of the operation. - - -### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus - -This event determines the error code that was returned when verifying Internet connectivity. - -The following fields are available: - -- **winInetError** The HResult of the operation. - - -## Privacy consent logging events - -### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted - -This event is used to determine whether the user successfully completed the privacy consent experience. - -The following fields are available: - -- **presentationVersion** Which display version of the privacy consent experience the user completed -- **privacyConsentState** The current state of the privacy consent experience -- **settingsVersion** Which setting version of the privacy consent experience the user completed -- **userOobeExitReason** The exit reason of the privacy consent experience - - -### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus - -Event tells us effectiveness of new privacy experience. - -The following fields are available: - -- **isAdmin** whether the person who is logging in is an admin -- **isExistingUser** whether the account existed in a downlevel OS -- **isLaunching** Whether or not the privacy consent experience will be launched -- **isSilentElevation** whether the user has most restrictive UAC controls -- **privacyConsentState** whether the user has completed privacy experience -- **userRegionCode** The current user's region setting - - -### wilActivity - -This event provides a Windows Internal Library context used for Product and Service diagnostics. - -The following fields are available: - -- **callContext** The function where the failure occurred. -- **currentContextId** The ID of the current call context where the failure occurred. -- **currentContextMessage** The message of the current call context where the failure occurred. -- **currentContextName** The name of the current call context where the failure occurred. -- **failureCount** The number of failures for this failure ID. -- **failureId** The ID of the failure that occurred. -- **failureType** The type of the failure that occurred. -- **fileName** The file name where the failure occurred. -- **function** The function where the failure occurred. -- **hresult** The HResult of the overall activity. -- **lineNumber** The line number where the failure occurred. -- **message** The message of the failure that occurred. -- **module** The module where the failure occurred. -- **originatingContextId** The ID of the originating call context that resulted in the failure. -- **originatingContextMessage** The message of the originating call context that resulted in the failure. -- **originatingContextName** The name of the originating call context that resulted in the failure. -- **threadId** The ID of the thread on which the activity is executing. - - -## Sediment events - -### Microsoft.Windows.Sediment.Info.DetailedState - -This event is sent when detailed state information is needed from an update trial run. - -The following fields are available: - -- **Data** Data relevant to the state, such as what percent of disk space the directory takes up. -- **Id** Identifies the trial being run, such as a disk related trial. -- **ReleaseVer** The version of the component. -- **State** The state of the reporting data from the trial, such as the top-level directory analysis. -- **Time** The time the event was fired. - - -### Microsoft.Windows.Sediment.Info.Error - -This event indicates an error in the updater payload. This information assists in keeping Windows up to date. - -The following fields are available: - -- **FailureType** The type of error encountered. -- **FileName** The code file in which the error occurred. -- **HResult** The failure error code. -- **LineNumber** The line number in the code file at which the error occurred. -- **ReleaseVer** The version information for the component in which the error occurred. -- **Time** The system time at which the error occurred. - - -### Microsoft.Windows.Sediment.Info.PhaseChange - -The event indicates progress made by the updater. This information assists in keeping Windows up to date. - -The following fields are available: - -- **NewPhase** The phase of progress made. -- **ReleaseVer** The version information for the component in which the change occurred. -- **Time** The system time at which the phase chance occurred. - - -## Setup events - -### SetupPlatformTel.SetupPlatformTelActivityEvent - -This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date. - -The following fields are available: - -- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. -- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. -- **Value** Value associated with the corresponding event name. For example, time-related events will include the system time - - -### SetupPlatformTel.SetupPlatformTelActivityStarted - -This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. - -The following fields are available: - -- **Name** The name of the dynamic update type. Example: GDR driver - - -### SetupPlatformTel.SetupPlatformTelActivityStopped - -This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. - - - -### SetupPlatformTel.SetupPlatformTelEvent - -This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios. - -The following fields are available: - -- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. -- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. -- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. - - -## Software update events - -### SoftwareUpdateClientTelemetry.CheckForUpdates - -Scan process event on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). - -The following fields are available: - -- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. -- **AllowCachedResults** Indicates if the scan allowed using cached results. -- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable -- **BiosFamily** The family of the BIOS (Basic Input Output System). -- **BiosName** The name of the device BIOS. -- **BiosReleaseDate** The release date of the device BIOS. -- **BiosSKUNumber** The sku number of the device BIOS. -- **BIOSVendor** The vendor of the BIOS. -- **BiosVersion** The version of the BIOS. -- **BranchReadinessLevel** The servicing branch configured on the device. -- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated. -- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. -- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. -- **ClientVersion** The version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0. -- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown -- **CurrentMobileOperator** The mobile operator the device is currently connected to. -- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). -- **DeferredUpdates** Update IDs which are currently being deferred until a later time -- **DeviceModel** What is the device model. -- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. -- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. -- **DriverSyncPassPerformed** Were drivers scanned this time? -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. -- **ExtendedMetadataCabUrl** Hostname that is used to download an update. -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. -- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. -- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. -- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days). -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days). -- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). -- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). -- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **IPVersion** Indicates whether the download took place over IPv4 or IPv6 -- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. -- **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. -- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce -- **MSIError** The last error that was encountered during a scan for updates. -- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 -- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete -- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked -- **NumberOfLoop** The number of round trips the scan required -- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan -- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan -- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. -- **Online** Indicates if this was an online scan. -- **PausedUpdates** A list of UpdateIds which that currently being paused. -- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window. -- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window. -- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window. -- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window. -- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced. -- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. -- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days). -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days). -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **ScanDurationInSeconds** The number of seconds a scan took -- **ScanEnqueueTime** The number of seconds it took to initialize a scan -- **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). -- **ServiceUrl** The environment URL a device is configured to scan with -- **ShippingMobileOperator** The mobile operator that a device shipped on. -- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). -- **SyncTyp%** No content is currently available. -- **SyncType** Describes the type of scan the event was -- **SystemBIOSMajorRelease** Major version of the BIOS. -- **SystemBIOSMinorRelease** Minor version of the BIOS. -- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. -- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. -- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - - -### SoftwareUpdateClientTelemetry.Commit - -This event tracks the commit process post the update installation when software update client is trying to update the device. - -The following fields are available: - -- **BiosFamily** Device family as defined in the system BIOS -- **BiosName** Name of the system BIOS -- **BiosReleaseDate** Release date of the system BIOS -- **BiosSKUNumber** Device SKU as defined in the system BIOS -- **BIOSVendor** Vendor of the system BIOS -- **BiosVersion** Version of the system BIOS -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRevisionNumber** Identifies the revision number of the content bundle -- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client -- **ClientVersion** Version number of the software distribution client -- **DeploymentProviderMode** The mode of operation of the update deployment provider. -- **DeviceModel** Device model as defined in the system bios -- **EventInstanceID** A globally unique identifier for event instance -- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. -- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver". -- **FlightId** The specific id of the flight the device is getting -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) -- **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). -- **SystemBIOSMajorRelease** Major release version of the system bios -- **SystemBIOSMinorRelease** Minor release version of the system bios -- **UpdateId** Identifier associated with the specific piece of content -- **WUDeviceID** Unique device id controlled by the software distribution client - - -### SoftwareUpdateClientTelemetry.Download - -Download process event for target update on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). - -The following fields are available: - -- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded. -- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload. -- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. -- **AppXDownloadScope** Indicates the scope of the download for application content. -- **AppXScope** Indicates the scope of the app download. -- **BiosFamily** The family of the BIOS (Basic Input Output System). -- **BiosName** The name of the device BIOS. -- **BiosReleaseDate** The release date of the device BIOS. -- **BiosSKUNumber** The sku number of the device BIOS. -- **BIOSVendor** The vendor of the BIOS. -- **BiosVersion** The version of the BIOS. -- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. -- **BundleId** Identifier associated with the specific content bundle. -- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. -- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). -- **CachedEngineVersion** The version of the “Self-Initiated Healing” (SIH) engine that is cached on the device, if applicable. -- **CallerApplicationName** The name provided by the application that initiated API calls into the software distribution client. -- **CbsDownloadMethod** Indicates whether the download was a full- or a partial-file download. -- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. -- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. -- **CDNId** ID which defines which CDN the software distribution client downloaded the content from. -- **ClientVersion** The version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. -- **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. -- **CurrentMobileOperator** The mobile operator the device is currently connected to. -- **DeviceModel** The model of the device. -- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. -- **DownloadProps** Information about the download operation properties in the form of a bitmask. -- **DownloadType** Differentiates the download type of “Self-Initiated Healing” (SIH) downloads between Metadata and Payload downloads. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed. -- **EventType** Identifies the type of the event (Child, Bundle, or Driver). -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). -- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. -- **FlightId** The specific ID of the flight (pre-release build) the device is getting. -- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). -- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). -- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. -- **HostName** The hostname URL the content is downloading from. -- **IPVersion** Indicates whether the download took place over IPv4 or IPv6. -- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update -- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. -- **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. -- **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) -- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." -- **PackageFullName** The package name of the content. -- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. -- **PostDnldTime** Time (in seconds) taken to signal download completion after the last job completed downloading the payload. -- **ProcessName** The process name of the application that initiated API calls, in the event where CallerApplicationName was not provided. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background. -- **RegulationReason** The reason that the update is regulated -- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. -- **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. -- **RepeatFailCount** Indicates whether this specific content has previously failed. -- **RepeatFailFlag** Indicates whether this specific content previously failed to download. -- **RevisionNumber** The revision number of the specified piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). -- **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. -- **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. -- **SizeCalcTime** Time (in seconds) taken to calculate the total download size of the payload. -- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). -- **SystemBIOSMajorRelease** Major version of the BIOS. -- **SystemBIOSMinorRelease** Minor version of the BIOS. -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **TargetMetadataVersion** The version of the currently downloading (or most recently downloaded) package. -- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet. -- **TimeToEstablishConnection** Time (in milliseconds) it took to establish the connection prior to beginning downloaded. -- **TotalExpectedBytes** The total size (in Bytes) expected to be downloaded. -- **UpdateId** An identifier associated with the specific piece of content. -- **UpdateID** An identifier associated with the specific piece of content. -- **UpdateImportance** Indicates whether the content was marked as Important, Recommended, or Optional. -- **UsedDO** Indicates whether the download used the Delivery Optimization (DO) service. -- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive. -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - - -### SoftwareUpdateClientTelemetry.DownloadCheckpoint - -This event provides a checkpoint between each of the Windows Update download phases for UUP content - -The following fields are available: - -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client -- **ClientVersion** The version number of the software distribution client -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed -- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver" -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough -- **FileId** A hash that uniquely identifies a file -- **FileName** Name of the downloaded file -- **FlightId** The unique identifier for each flight -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **RevisionNumber** Unique revision number of Update -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.) -- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult) -- **UpdateId** Unique Update ID -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue - - -### SoftwareUpdateClientTelemetry.DownloadHeartbeat - -This event allows tracking of ongoing downloads and contains data to explain the current state of the download - -The following fields are available: - -- **BytesTotal** Total bytes to transfer for this content -- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat -- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client -- **ClientVersion** The version number of the software distribution client -- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat -- **CurrentError** Last (transient) error encountered by the active download -- **DownloadFlags** Flags indicating if power state is ignored -- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing) -- **EventType** Possible values are "Child", "Bundle", or "Driver" -- **FlightId** The unique identifier for each flight -- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered" -- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any -- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any -- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) -- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one -- **ResumeCount** Number of times this active download has resumed from a suspended state -- **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) -- **SuspendCount** Number of times this active download has entered a suspended state -- **SuspendReason** Last reason for why this active download entered a suspended state -- **UpdateId** Identifier associated with the specific piece of content -- **WUDeviceID** Unique device id controlled by the software distribution client - - -### SoftwareUpdateClientTelemetry.Install - -This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date. - -The following fields are available: - -- **BiosFamily** The family of the BIOS (Basic Input Output System). -- **BiosName** The name of the device BIOS. -- **BiosReleaseDate** The release date of the device BIOS. -- **BiosSKUNumber** The sku number of the device BIOS. -- **BIOSVendor** The vendor of the BIOS. -- **BiosVersion** The version of the BIOS. -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. -- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to install. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **ClientVersion** The version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0. -- **CSIErrorType** The stage of CBS installation where it failed. -- **CurrentMobileOperator** The mobile operator to which the device is currently connected. -- **DeploymentProviderMode** The mode of operation of the update deployment provider. -- **DeviceModel** The device model. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. -- **EventType** Possible values are Child, Bundle, or Driver. -- **ExtendedErrorCode** The extended error code. -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBranch** The branch that a device is on if participating in the Windows Insider Program. -- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **FlightRing** The ring that a device is on if participating in the Windows Insider Program. -- **HandlerType** Indicates what kind of content is being installed (for example, app, driver, Windows update). -- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. -- **InstallProps** A bitmask for future flags associated with the install operation. No value is currently reported in this field. Expected value for this field is 0. -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **IsDependentSet** Indicates whether the driver is part of a larger System Hardware/Firmware update. -- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. -- **IsFirmware** Indicates whether this update is a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. -- **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. -- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. -- **MsiAction** The stage of MSI installation where it failed. -- **MsiProductCode** The unique identifier of the MSI installer. -- **PackageFullName** The package name of the content being installed. -- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced. -- **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. -- **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. -- **RevisionNumber** The revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). -- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. -- **ShippingMobileOperator** The mobile operator that a device shipped on. -- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). -- **SystemBIOSMajorRelease** Major version of the BIOS. -- **SystemBIOSMinorRelease** Minor version of the BIOS. -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **TransactionCode** The ID that represents a given MSI installation. -- **UpdateId** Unique update ID. -- **UpdateID** An identifier associated with the specific piece of content. -- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. -- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive. -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - - -### SoftwareUpdateClientTelemetry.Revert - -Revert event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). - -The following fields are available: - -- **BundleId** Identifier associated with the specific content bundle. Should not be all zeros if the BundleId was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **CSIErrorType** Stage of CBS installation that failed. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). -- **EventType** Event type (Child, Bundle, Release, or Driver). -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of the flight. -- **FlightId** The specific ID of the flight the device is getting. -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). -- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. -- **IsFirmware** Indicates whether an update was a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. -- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **UpdateId** The identifier associated with the specific piece of content. -- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). -- **UsedSystemVolume** Indicates whether the device's main system storage drive or an alternate storage drive was used. -- **WUDeviceID** Unique device ID controlled by the software distribution client. - - -### SoftwareUpdateClientTelemetry.TaskRun - -Start event for Server Initiated Healing client. See EventScenario field for specifics (for example, started/completed). - -The following fields are available: - -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClientVersion** Version number of the software distribution client. -- **CmdLineArgs** Command line arguments passed in by the caller. -- **EventInstanceID** A globally unique identifier for the event instance. -- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **WUDeviceID** Unique device ID controlled by the software distribution client. - - -### SoftwareUpdateClientTelemetry.Uninstall - -Uninstall event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). - -The following fields are available: - -- **BundleId** The identifier associated with the specific content bundle. This should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** Name of the application making the Windows Update request. Used to identify context of request. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers when a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of the event (a scan started, succeded, failed, etc.). -- **EventType** Indicates the event type. Possible values are "Child", "Bundle", "Release" or "Driver". -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of the flight. -- **FlightId** The specific ID of the flight the device is getting. -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). -- **HardwareId** If the download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. -- **IsFirmware** Indicates whether an update was a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. -- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific piece of content previously failed. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **UpdateId** Identifier associated with the specific piece of content. -- **UpdateImportance** Indicates the importance of a driver and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). -- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. -- **WUDeviceID** Unique device ID controlled by the software distribution client. - - -### SoftwareUpdateClientTelemetry.UpdateDetected - -This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates. - -The following fields are available: - -- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable. -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). -- **WUDeviceID** The unique device ID controlled by the software distribution client. - - -### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity - -Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. - -The following fields are available: - -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments. -- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. -- **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed. -- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. -- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce -- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID). -- **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable. -- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. -- **RevisionId** The revision ID for a specific piece of content. -- **RevisionNumber** The revision number for a specific piece of content. -- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store -- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. -- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. -- **SHA256OfTimestampToken** An encoded string of the timestamp token. -- **SignatureAlgorithm** The hash algorithm for the metadata signature. -- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast". -- **StatusCode** Result code of the event (success, cancellation, failure code HResult) -- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token. -- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed. -- **UpdateId** The update ID for a specific piece of content. -- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. - - -## System Resource Usage Monitor events - -### Microsoft.Windows.Srum.Sdp.CpuUsage - -This event provides information on CPU usage. - -The following fields are available: - -- **UsageMax** The maximum of hourly average CPU usage. -- **UsageMean** The mean of hourly average CPU usage. -- **UsageMedian** The median of hourly average CPU usage. -- **UsageTwoHourMaxMean** The mean of the maximum of every two hour of hourly average CPU usage. -- **UsageTwoHourMedianMean** The mean of the median of every two hour of hourly average CPU usage. - - -### Microsoft.Windows.Srum.Sdp.NetworkUsage - -This event provides information on network usage. - -The following fields are available: - -- **AdapterGuid** The unique ID of the adapter. -- **BytesTotalMax** The maximum of the hourly average bytes total. -- **BytesTotalMean** The mean of the hourly average bytes total. -- **BytesTotalMedian** The median of the hourly average bytes total. -- **BytesTotalTwoHourMaxMean** The mean of the maximum of every two hours of hourly average bytes total. -- **BytesTotalTwoHourMedianMean** The mean of the median of every two hour of hourly average bytes total. -- **LinkSpeed** The adapter link speed. - - -## Update events - -### Update360Telemetry.Revert - -This event sends data relating to the Revert phase of updating Windows. - -The following fields are available: - -- **ErrorCode** The error code returned for the Revert phase. -- **FlightId** Unique ID for the flight (test instance version). -- **ObjectId** The unique value for each Update Agent mode. -- **RebootRequired** Indicates reboot is required. -- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. -- **Result** The HResult of the event. -- **RevertResult** The result code returned for the Revert operation. -- **ScenarioId** The ID of the update scenario. -- **SessionId** The ID of the update attempt. -- **UpdateId** The ID of the update. - - -### Update360Telemetry.UpdateAgentCommit - -This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **ErrorCode** The error code returned for the current install phase. -- **FlightId** Unique ID for each flight. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** Outcome of the install phase of the update. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentDownloadRequest - -This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. - -The following fields are available: - -- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted. -- **DownloadRequests** Number of times a download was retried. -- **ErrorCode** The error code returned for the current download request phase. -- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. -- **FlightId** Unique ID for each flight. -- **InternalFailureResult** Indicates a non-fatal error from a plugin. -- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). -- **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable. -- **PackageCountOptional** Number of optional packages requested. -- **PackageCountRequired** Number of required packages requested. -- **PackageCountTotal** Total number of packages needed. -- **PackageCountTotalCanonical** Total number of canonical packages. -- **PackageCountTotalDiff** Total number of diff packages. -- **PackageCountTotalExpress** Total number of express packages. -- **PackageCountTotalPSFX** The total number of PSFX packages. -- **PackageExpressType** Type of express package. -- **PackageSizeCanonical** Size of canonical packages in bytes. -- **PackageSizeDiff** Size of diff packages in bytes. -- **PackageSizeExpress** Size of express packages in bytes. -- **PackageSizePSFX** The size of PSFX packages, in bytes. -- **RangeRequestState** Indicates the range request type used. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** Outcome of the download request phase of update. -- **SandboxTaggedForReserves** The sandbox for reserves. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases). -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentExpand - -This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **ElapsedTickCount** Time taken for expand phase. -- **EndFreeSpace** Free space after expand phase. -- **EndSandboxSize** Sandbox size after expand phase. -- **ErrorCode** The error code returned for the current install phase. -- **FlightId** Unique ID for each flight. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **StartFreeSpace** Free space before expand phase. -- **StartSandboxSize** Sandbox size after expand phase. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentFellBackToCanonical - -This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **FlightId** Unique ID for each flight. -- **ObjectId** Unique value for each Update Agent mode. -- **PackageCount** Number of packages that feel back to canonical. -- **PackageList** PackageIds which fell back to canonical. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentInitialize - -This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. - -The following fields are available: - -- **ErrorCode** The error code returned for the current install phase. -- **FlightId** Unique ID for each flight. -- **FlightMetadata** Contains the FlightId and the build being flighted. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** Outcome of the install phase of the update. -- **ScenarioId** Indicates the update scenario. -- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios). -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentInstall - -This event sends data for the install phase of updating Windows. - -The following fields are available: - -- **ErrorCode** The error code returned for the current install phase. -- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. -- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). -- **InternalFailureResult** Indicates a non-fatal error from a plugin. -- **ObjectId** Correlation vector value generated from the latest USO scan. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** The result for the current install phase. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentMerge - -The UpdateAgentMerge event sends data on the merge phase when updating Windows. - -The following fields are available: - -- **ErrorCode** The error code returned for the current merge phase. -- **FlightId** Unique ID for each flight. -- **MergeId** The unique ID to join two update sessions being merged. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Related correlation vector value. -- **Result** Outcome of the merge phase of the update. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentMitigationResult - -This event sends data indicating the result of each update agent mitigation. - -The following fields are available: - -- **Applicable** Indicates whether the mitigation is applicable for the current update. -- **CommandCount** The number of command operations in the mitigation entry. -- **CustomCount** The number of custom operations in the mitigation entry. -- **FileCount** The number of file operations in the mitigation entry. -- **FlightId** Unique identifier for each flight. -- **Index** The mitigation index of this particular mitigation. -- **MitigationScenario** The update scenario in which the mitigation was executed. -- **Name** The friendly name of the mitigation. -- **ObjectId** Unique value for each Update Agent mode. -- **OperationIndex** The mitigation operation index (in the event of a failure). -- **OperationName** The friendly name of the mitigation operation (in the event of failure). -- **RegistryCount** The number of registry operations in the mitigation entry. -- **RelatedCV** The correlation vector value generated from the latest USO scan. -- **Result** The HResult of this operation. -- **ScenarioId** The update agent scenario ID. -- **SessionId** Unique value for each update attempt. -- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). -- **UpdateId** Unique ID for each Update. - - -### Update360Telemetry.UpdateAgentMitigationSummary - -This event sends a summary of all the update agent mitigations available for an this update. - -The following fields are available: - -- **Applicable** The count of mitigations that were applicable to the system and scenario. -- **Failed** The count of mitigations that failed. -- **FlightId** Unique identifier for each flight. -- **MitigationScenario** The update scenario in which the mitigations were attempted. -- **ObjectId** The unique value for each Update Agent mode. -- **RelatedCV** The correlation vector value generated from the latest USO scan. -- **Result** The HResult of this operation. -- **ScenarioId** The update agent scenario ID. -- **SessionId** Unique value for each update attempt. -- **TimeDiff** The amount of time spent performing all mitigations (in 100-nanosecond increments). -- **Total** Total number of mitigations that were available. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentModeStart - -This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. - -The following fields are available: - -- **FlightId** Unique ID for each flight. -- **Mode** Indicates the mode that has started. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. -- **Version** Version of update - - -### Update360Telemetry.UpdateAgentOneSettings - -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **Count** The count of applicable OneSettings for the device. -- **FlightId** Unique ID for the flight (test instance version). -- **ObjectId** The unique value for each Update Agent mode. -- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. -- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. -- **Result** The HResult of the event. -- **ScenarioId** The ID of the update scenario. -- **SessionId** The ID of the update attempt. -- **UpdateId** The ID of the update. -- **Values** The values sent back to the device, if applicable. - - -### Update360Telemetry.UpdateAgentPostRebootResult - -This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. - -The following fields are available: - -- **ErrorCode** The error code returned for the current post reboot phase. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **ObjectId** Unique value for each Update Agent mode. -- **PostRebootResult** Indicates the Hresult. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentReboot - -This event sends information indicating that a request has been sent to suspend an update. - -The following fields are available: - -- **ErrorCode** The error code returned for the current reboot. -- **FlightId** Unique ID for the flight (test instance version). -- **ObjectId** The unique value for each Update Agent mode. -- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. -- **Result** The HResult of the event. -- **ScenarioId** The ID of the update scenario. -- **SessionId** The ID of the update attempt. -- **UpdateId** The ID of the update. - - -### Update360Telemetry.UpdateAgentSetupBoxLaunch - -The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. - -The following fields are available: - -- **ContainsExpressPackage** Indicates whether the download package is express. -- **FlightId** Unique ID for each flight. -- **FreeSpace** Free space on OS partition. -- **InstallCount** Number of install attempts using the same sandbox. -- **ObjectId** Unique value for each Update Agent mode. -- **Quiet** Indicates whether setup is running in quiet mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **SandboxSize** Size of the sandbox. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **SetupMode** Mode of setup to be launched. -- **UpdateId** Unique ID for each Update. -- **UserSession** Indicates whether install was invoked by user actions. - - -## Update notification events - -### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat - -This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat. - -The following fields are available: - -- **CampaignConfigVersion** Configuration version for the current campaign. -- **CampaignID** Currently campaign that is running on Update Notification Pipeline (UNP). -- **ConfigCatalogVersion** Current catalog version of UNP. -- **ContentVersion** Content version for the current campaign on UNP. -- **CV** Correlation vector. -- **DetectorVersion** Most recently run detector version for the current campaign on UNP. -- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user. -- **PackageVersion** Current UNP package version. - - -## Upgrade events - -### FacilitatorTelemetry.DCATDownload - -This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **DownloadSize** Download size of payload. -- **ElapsedTime** Time taken to download payload. -- **MediaFallbackUsed** Used to determine if we used Media CompDBs to figure out package requirements for the upgrade. -- **ResultCode** Result returned by the Facilitator DCAT call. -- **Scenario** Dynamic update scenario (Image DU, or Setup DU). -- **Type** Type of package that was downloaded. -- **UpdateId** The ID of the update that was downloaded. - - -### FacilitatorTelemetry.DUDownload - -This event returns data about the download of supplemental packages critical to upgrading a device to the next version of Windows. - -The following fields are available: - -- **DownloadRequestAttributes** The attributes sent for download. -- **PackageCategoriesFailed** Lists the categories of packages that failed to download. -- **PackageCategoriesSkipped** Lists the categories of package downloads that were skipped. -- **ResultCode** The result of the event execution. -- **Scenario** Identifies the active Download scenario. -- **Url** The URL the download request was sent to. -- **Version** Identifies the version of Facilitator used. - - -### FacilitatorTelemetry.InitializeDU - -This event determines whether devices received additional or critical supplemental content during an OS upgrade. - -The following fields are available: - -- **DCATUrl** The Delivery Catalog (DCAT) URL we send the request to. -- **DownloadRequestAttributes** The attributes we send to DCAT. -- **ResultCode** The result returned from the initiation of Facilitator with the URL/attributes. -- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). -- **Url** The Delivery Catalog (DCAT) URL we send the request to. -- **Version** Version of Facilitator. - - -### Setup360Telemetry.Downlevel - -This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the downlevel OS. -- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** More detailed information about phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback). -- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors). -- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT). -- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). -- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** An ID that uniquely identifies a group of events. -- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId. - - -### Setup360Telemetry.Finalize - -This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe -- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** More detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** ID that uniquely identifies a group of events. -- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. - - -### Setup360Telemetry.OsUninstall - -This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall. - -The following fields are available: - -- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** ID that uniquely identifies a group of events. -- **WuId** Windows Update client ID. - - -### Setup360Telemetry.PostRebootInstall - -This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help keep Windows up-to-date. - -The following fields are available: - -- **ClientId** With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback -- **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled -- **TestId** A string to uniquely identify a group of events. -- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId. - - -### Setup360Telemetry.PreDownloadQuiet - -This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help keep Windows up to date. - -The following fields are available: - -- **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. -- **TestId** ID that uniquely identifies a group of events. -- **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId. - - -### Setup360Telemetry.PreDownloadUX - -This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS, to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion of the update process. - -The following fields are available: - -- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **HostOSBuildNumber** The build number of the previous operating system. -- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). -- **InstanceId** Unique GUID that identifies each instance of setuphost.exe. -- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). -- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** ID that uniquely identifies a group of events. -- **WuId** Windows Update client ID. - - -### Setup360Telemetry.PreInstallQuiet - -This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up-to-date. - -The following fields are available: - -- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe -- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. -- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT). -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** A string to uniquely identify a group of events. -- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. - - -### Setup360Telemetry.PreInstallUX - -This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process. - -The following fields are available: - -- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** A string to uniquely identify a group of events. -- **WuId** Windows Update client ID. - - -### Setup360Telemetry.Setup360 - -This event sends data about OS deployment scenarios, to help keep Windows up-to-date. - -The following fields are available: - -- **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FieldName** Retrieves the data point. -- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. -- **InstanceId** Retrieves a unique identifier for each instance of a setup session. -- **ReportId** Retrieves the report ID. -- **ScenarioId** Retrieves the deployment scenario. -- **Value** Retrieves the value associated with the corresponding FieldName. - - -### Setup360Telemetry.Setup360DynamicUpdate - -This event helps determine whether the device received supplemental content during an operating system upgrade, to help keep Windows up-to-date. - -The following fields are available: - -- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. -- **InstanceId** Retrieves a unique identifier for each instance of a setup session. -- **Operation** Facilitator’s last known operation (scan, download, etc.). -- **ReportId** ID for tying together events stream side. -- **ResultCode** Result returned for the entire setup operation. -- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). -- **ScenarioId** Identifies the update scenario. -- **TargetBranch** Branch of the target OS. -- **TargetBuild** Build of the target OS. - - -### Setup360Telemetry.Setup360MitigationResult - -This event sends data indicating the result of each setup mitigation. - -The following fields are available: - -- **Applicable** TRUE if the mitigation is applicable for the current update. -- **ClientId** In the Windows Update scenario, this is the client ID passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **CommandCount** The number of command operations in the mitigation entry. -- **CustomCount** The number of custom operations in the mitigation entry. -- **FileCount** The number of file operations in the mitigation entry. -- **FlightData** The unique identifier for each flight (test release). -- **Index** The mitigation index of this particular mitigation. -- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. -- **MitigationScenario** The update scenario in which the mitigation was executed. -- **Name** The friendly (descriptive) name of the mitigation. -- **OperationIndex** The mitigation operation index (in the event of a failure). -- **OperationName** The friendly (descriptive) name of the mitigation operation (in the event of failure). -- **RegistryCount** The number of registry operations in the mitigation entry. -- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. -- **Result** HResult of this operation. -- **ScenarioId** Setup360 flow type. -- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). - - -### Setup360Telemetry.Setup360MitigationSummary - -This event sends a summary of all the setup mitigations available for this update. - -The following fields are available: - -- **Applicable** The count of mitigations that were applicable to the system and scenario. -- **ClientId** The Windows Update client ID passed to Setup. -- **Failed** The count of mitigations that failed. -- **FlightData** The unique identifier for each flight (test release). -- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. -- **MitigationScenario** The update scenario in which the mitigations were attempted. -- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. -- **Result** HResult of this operation. -- **ScenarioId** Setup360 flow type. -- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). -- **Total** The total number of mitigations that were available. - - -### Setup360Telemetry.Setup360OneSettings - -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **ClientId** The Windows Update client ID passed to Setup. -- **Count** The count of applicable OneSettings for the device. -- **FlightData** The ID for the flight (test instance version). -- **InstanceId** The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe. -- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. -- **ReportId** The Update ID passed to Setup. -- **Result** The HResult of the event error. -- **ScenarioId** The update scenario ID. -- **Values** Values sent back to the device, if applicable. - - -### Setup360Telemetry.UnexpectedEvent - -This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date. - -The following fields are available: - -- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe -- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** A string to uniquely identify a group of events. -- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. - - -## Windows as a Service diagnostic events - -### Microsoft.Windows.WaaSMedic.SummaryEvent - -Result of the WaaSMedic operation. - -The following fields are available: - -- **callerApplication** The name of the calling application. -- **capsuleCount** The number of Sediment Pack capsules. -- **capsuleFailureCount** The number of capsule failures. -- **detectionSummary** Result of each applicable detection that was run. -- **featureAssessmentImpact** WaaS Assessment impact for feature updates. -- **hrEngineBlockReason** Indicates the reason for stopping WaaSMedic. -- **hrEngineResult** Error code from the engine operation. -- **hrLastSandboxError** The last error sent by the WaaSMedic sandbox. -- **initSummary** Summary data of the initialization method. -- **insufficientSessions** Device not eligible for diagnostics. -- **isInteractiveMode** The user started a run of WaaSMedic. -- **isManaged** Device is managed for updates. -- **isWUConnected** Device is connected to Windows Update. -- **noMoreActions** No more applicable diagnostics. -- **pluginFailureCount** The number of plugins that have failed. -- **pluginsCount** The number of plugins. -- **qualityAssessmentImpact** WaaS Assessment impact for quality updates. -- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on. -- **usingBackupFeatureAssessment** Relying on backup feature assessment. -- **usingBackupQualityAssessment** Relying on backup quality assessment. -- **usingCachedFeatureAssessment** WaaS Medic run did not get OS build age from the network on the previous run. -- **usingCachedQualityAssessment** WaaS Medic run did not get OS revision age from the network on the previous run. -- **versionString** Version of the WaaSMedic engine. -- **waasMedicRunMode** Indicates whether this was a background regular run of the medic or whether it was triggered by a user launching Windows Update Troubleshooter. - - -## Windows Error Reporting events - -### Microsoft.Windows.WERVertical.OSCrash - -This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. - -The following fields are available: - -- **BootId** Uint32 identifying the boot number for this device. -- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check. -- **BugCheckParameter1** Uint64 parameter providing additional information. -- **BugCheckParameter2** Uint64 parameter providing additional information. -- **BugCheckParameter3** Uint64 parameter providing additional information. -- **BugCheckParameter4** Uint64 parameter providing additional information. -- **DumpFileAttributes** Codes that identify the type of data contained in the dump file -- **DumpFileSize** Size of the dump file -- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise -- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). - - -## Windows Error Reporting MTT events - -### Microsoft.Windows.WER.MTT.Denominator - -This event provides a denominator to calculate MTTF (mean-time-to-failure) for crashes and other errors, to help keep Windows up to date. - -The following fields are available: - -- **DPRange** Maximum mean value range. -- **DPValue** Randomized bit value (0 or 1) that can be reconstituted over a large population to estimate the mean. -- **Value** Standard UTC emitted DP value structure See [Value](#value). - - -### Value - -This event returns data about Mean Time to Failure (MTTF) for Windows devices. It is the primary means of estimating reliability problems in Basic Diagnostic reporting with very strong privacy guarantees. Since Basic Diagnostic reporting does not include system up-time, and since that information is important to ensuring the safe and stable operation of Windows, the data provided by this event provides that data in a manner which does not threaten a user’s privacy. - -The following fields are available: - -- **Algorithm** The algorithm used to preserve privacy. -- **DPRange** The upper bound of the range being measured. -- **DPValue** The randomized response returned by the client. -- **Epsilon** The level of privacy to be applied. -- **HistType** The histogram type if the algorithm is a histogram algorithm. -- **PertProb** The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”. - - -## Windows Store events - -### Microsoft.Windows.Store.StoreActivating - -This event sends tracking data about when the Store app activation via protocol URI is in progress, to help keep Windows up to date. - - - -### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation - -This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** Number of retry attempts before it was canceled. -- **BundleId** The Item Bundle ID. -- **CategoryId** The Item Category ID. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed before this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Was this requested by a user? -- **IsMandatory** Was this a mandatory update? -- **IsRemediation** Was this a remediation install? -- **IsRestore** Is this automatically restoring a previously acquired product? -- **IsUpdate** Flag indicating if this is an update. -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The product family name of the product being installed. -- **ProductId** The identity of the package or packages being installed. -- **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled. -- **UserAttemptNumber** The total number of user attempts at installation before it was canceled. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds - -This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure. - - - -### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare - -This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure. - - - -### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation - -This event is sent when an app update or installation is canceled while in interactive mode. This can be canceled by the user or the system. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed. -- **AttemptNumber** Total number of installation attempts. -- **BundleId** The identity of the Windows Insider build that is associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Was this requested by a user? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this an automatic restore of a previously acquired product? -- **IsUpdate** Is this a product update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of all packages to be downloaded and installed. -- **PreviousHResult** The previous HResult code. -- **PreviousInstallState** Previous installation state before it was canceled. -- **ProductId** The name of the package or packages requested for installation. -- **RelatedCV** Correlation Vector of a previous performed action on this product. -- **SystemAttemptNumber** Total number of automatic attempts to install before it was canceled. -- **UserAttemptNumber** Total number of user attempts to install before it was canceled. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest - -This event is sent at the end of app installations or updates to help keep Windows up-to-date and secure. - -The following fields are available: - -- **CatalogId** The Store Product ID of the app being installed. -- **HResult** HResult code of the action being performed. -- **IsBundle** Is this a bundle? -- **PackageFamilyName** The name of the package being installed. -- **ProductId** The Store Product ID of the product being installed. -- **SkuId** Specific edition of the item being installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense - -This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set. -- **AttemptNumber** The total number of attempts to acquire this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** HResult code to show the result of the operation (success/failure). -- **IsBundle** Is this a bundle? -- **IsInteractive** Did the user initiate the installation? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this happening after a device restore? -- **IsUpdate** Is this an update? -- **PFN** Product Family Name of the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The number of attempts by the system to acquire this product. -- **UserAttemptNumber** The number of attempts by the user to acquire this product -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndDownload - -This event is sent after an app is downloaded to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. -- **AttemptNumber** Number of retry attempts before it was canceled. -- **BundleId** The identity of the Windows Insider build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **DownloadSize** The total size of the download. -- **ExtendedHResult** Any extended HResult error codes. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this initiated by the user? -- **IsMandatory** Is this a mandatory installation? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this a restore of a previously acquired product? -- **IsUpdate** Is this an update? -- **ParentBundleId** The parent bundle ID (if it's part of a bundle). -- **PFN** The Product Family Name of the app being download. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The number of attempts by the system to download. -- **UserAttemptNumber** The number of attempts by the user to download. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate - -This event is sent when an app update requires an updated Framework package and the process starts to download it. It is used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **HResult** The result code of the last action performed before this operation. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds - -This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **HResult** The result code of the last action performed before this operation. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndInstall - -This event is sent after a product has been installed to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **ExtendedHResult** The extended HResult error code. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this an interactive installation? -- **IsMandatory** Is this a mandatory installation? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this automatically restoring a previously acquired product? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** Product Family Name of the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates - -This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed. -- **IsApplicability** Is this request to only check if there are any applicable packages to install? -- **IsInteractive** Is this user requested? -- **IsOnline** Is the request doing an online check? - - -### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages - -This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The total number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of the package or packages requested for install. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData - -This event is sent after restoring user data (if any) that needs to be restored following a product install. It is used to keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. -- **AttemptNumber** The total number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of the package or packages requested for install. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of system attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare - -This event is sent after a scan for available app updates to help keep Windows up-to-date and secure. - -The following fields are available: - -- **HResult** The result code of the last action performed. - - -### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete - -This event is sent at the end of an app install or update to help keep Windows up-to-date and secure. - -The following fields are available: - -- **CatalogId** The name of the product catalog from which this app was chosen. -- **FailedRetry** Indicates whether the installation or update retry was successful. -- **HResult** The HResult code of the operation. -- **PFN** The Package Family Name of the app that is being installed or updated. -- **ProductId** The product ID of the app that is being updated or installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate - -This event is sent at the beginning of an app install or update to help keep Windows up-to-date and secure. - -The following fields are available: - -- **CatalogId** The name of the product catalog from which this app was chosen. -- **FulfillmentPluginId** The ID of the plugin needed to install the package type of the product. -- **PFN** The Package Family Name of the app that is being installed or updated. -- **PluginTelemetryData** Diagnostic information specific to the package-type plug-in. -- **ProductId** The product ID of the app that is being updated or installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest - -This event is sent when a product install or update is initiated, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **BundleId** The identity of the build associated with this product. -- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SkuId** Specific edition ID being installed. -- **VolumePath** The disk path of the installation. - - -### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation - -This event is sent when a product install or update is paused (either by a user or the system), to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The total number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The Product Full Name. -- **PreviousHResult** The result code of the last action performed before this operation. -- **PreviousInstallState** Previous state before the installation or update was paused. -- **ProductId** The Store Product ID for the product being installed. -- **RelatedCV** Correlation Vector of a previous performed action on this product. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation - -This event is sent when a product install or update is resumed (either by a user or the system), to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed before this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **IsUserRetry** Did the user initiate the retry? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of the package or packages requested for install. -- **PreviousHResult** The previous HResult error code. -- **PreviousInstallState** Previous state before the installation was paused. -- **ProductId** The Store Product ID for the product being installed. -- **RelatedCV** Correlation Vector for the original install before it was resumed. -- **ResumeClientId** The ID of the app that initiated the resume operation. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest - -This event is sent when a product install or update is resumed by a user or on installation retries, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **ProductId** The Store Product ID for the product being installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest - -This event is sent when searching for update packages to install, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **CatalogId** The Store Catalog ID for the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SkuId** Specfic edition of the app being updated. - - -### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest - -This event occurs when an update is requested for an app, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **PFamN** The name of the app that is requested for update. - - -## Windows System Kit events - -### Microsoft.Windows.Kits.WSK.WskImageCreate - -This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures. - -The following fields are available: - -- **Phase** The image creation phase. Values are “Start” or “End”. -- **WskVersion** The version of the Windows System Kit being used. - - -### Microsoft.Windows.Kits.WSK.WskImageCustomization - -This event sends simple Product and Service usage data when a user is using the Windows System Kit to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures. - -The following fields are available: - -- **CustomizationMode** Indicates the mode of the customization (new or updating). -- **CustomizationType** Indicates the type of customization (drivers or apps). -- **Mode** The mode of update to image configuration files. Values are “New” or “Update”. -- **Phase** The image creation phase. Values are “Start” or “End”. -- **Type** The type of update to image configuration files. Values are “Apps” or “Drivers”. -- **WskVersion** The version of the Windows System Kit being used. - - -### Microsoft.Windows.Kits.WSK.WskWorkspaceCreate - -This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new workspace for generating OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate workspace creation failures. - -The following fields are available: - -- **Architecture** The OS architecture that the workspace will target. Values are one of: “AMD64”, “ARM64”, “x86”, or “ARM”. -- **OsEdition** The Operating System Edition that the workspace will target. -- **Phase** The image creation phase. Values are “Start” or “End”. -- **WorkspaceArchitecture** The operating system architecture that the workspace will target. -- **WorkspaceOsEdition** The operating system edition that the workspace will target. -- **WskVersion** The version of the Windows System Kit being used. - - -## Windows Update Delivery Optimization events - -### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled - -This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **background** Is the download being done in the background? -- **bytesFromCacheServer** Bytes received from a cache host. -- **bytesFromCDN** The number of bytes received from a CDN source. -- **bytesFromGroupPeers** The number of bytes received from a peer in the same group. -- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group. -- **bytesFromLinkLocalPeers** The number of bytes received from local peers. -- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. -- **bytesFromPeers** The number of bytes received from a peer in the same LAN. -- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. -- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. -- **cdnIp** The IP Address of the source CDN (Content Delivery Network). -- **cdnUrl** The URL of the source CDN (Content Delivery Network). -- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. -- **errorCode** The error code that was returned. -- **experimentId** When running a test, this is used to correlate events that are part of the same test. -- **fileID** The ID of the file being downloaded. -- **gCurMemoryStreamBytes** Current usage for memory streaming. -- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. -- **isVpn** Indicates whether the device is connected to a VPN (Virtual Private Network). -- **jobID** Identifier for the Windows Update job. -- **predefinedCallerName** The name of the API Caller. -- **reasonCode** Reason the action or event occurred. -- **routeToCacheServer** The cache server setting, source, and value. -- **sessionID** The ID of the file download session. -- **updateID** The ID of the update being downloaded. -- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. - - -### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted - -This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **#dnErrorCounts** No content is currently available. -- **__TlgCVß_** No content is currently available. -- **|anConnectionCount** No content is currently available. -- **}plinkUsageBps** No content is currently available. -- **0redefinedCallerName** No content is currently available. -- **b6nConnectionCount** No content is currently available. -- **b6nErrorCodes** No content is currently available. -- **b6nErrorCounts** No content is currently available. -- **b6nIp** No content is currently available. -- **b6nUrl** No content is currently available. -- **background** Is the download a background download? -- **bytesFrkmIntPeers** No content is currently available. -- **bytesFromCacheSedver** No content is currently available. -- **bytesFromCacheServer** Bytes received from a cache host. -- **bytesFromCdN** No content is currently available. -- **bytesFromCDN** The number of bytes received from a CDN source. -- **bytesFromGpoupPeers** No content is currently available. -- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. -- **bytesFromIntÐeers** No content is currently available. -- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. -- **bytesFromLinkLocalPeers** The number of bytes received from local peers. -- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. -- **bytesFromPeers** The number of bytes received from a peer in the same LAN. -- **bytesRequested** The total number of bytes requested for download. -- **cacheSarverConnectionCount** No content is currently available. -- **cacheSedverConnectionCount** No content is currently available. -- **cacheServerConndctionCount** No content is currently available. -- **cacheServerConnectionCoujt** No content is currently available. -- **cacheServerConnectionCount** Number of connections made to cache hosts. -- **cdnConnectionCount** The total number of connections made to the CDN. -- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. -- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. -- **cdnIp** The IP address of the source CDN. -- **cdnSonnectionCount** No content is currently available. -- **cdnUrl** Url of the source Content Distribution Network (CDN). -- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. -- **dkwnloadModeSrc** No content is currently available. -- **doErrorCode** The Delivery Optimization error code that was returned. -- **dowflinkBps** No content is currently available. -- **downlinkBps** The maximum measured available download bandwidth (in bytes per second). -- **downlinkUsageBps** The download speed (in bytes per second). -- **downloadMode** The download mode used for this file download session. -- **doWnloadMode** No content is currently available. -- **downloadModeReason** Reason for the download. -- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). -- **downloadMofeSrc** No content is currently available. -- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **expiresAt** The time when the content will expire from the Delivery Optimization Cache. -- **fileID** The ID of the file being downloaded. -- **fileSize** The size of the file being downloaded. -- **gCurMemoryStreamBytes** Current usage for memory streaming. -- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. -- **groupConjectionCount** No content is currently available. -- **groupConnectionCount** The total number of connections made to peers in the same group. -- **in4ernetConnectionCount** No content is currently available. -- **internetConnectionCnunt** No content is currently available. -- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group. -- **internetConnectionCountdownlinkBps** No content is currently available. -- **isEjcrypted** No content is currently available. -- **isEncryptdd** No content is currently available. -- **isEncrypted** TRUE if the file is encrypted and will be decrypted after download. -- **isVpn** Is the device connected to a Virtual Private Network? -- **jobID** Identifier for the Windows Update job. -- **lanConnectionCo}nt** No content is currently available. -- **lanConnectionCount** The total number of connections made to peers in the same LAN. -- **linkLocalConnectionCount** The number of connections made to peers in the same Link-local network. -- **numPeers** The total number of peers used for this download. -- **numPeersLocal** The total number of local peers used for this download. -- **predefi.edCallerName** No content is currently available. -- **predefinedCallerName** The name of the API Caller. -- **predefinedCalleRName** No content is currently available. -- **rcdnIp** No content is currently available. -- **restrictedUpload** Is the upload restricted? -- **romteToCacheServer** No content is currently available. -- **roupeToCacheServer** No content is currently available. -- **routeTnCacheServer** No content is currently available. -- **routeToCacheSedver** No content is currently available. -- **routeToCacheServer** The cache server setting, source, and value. -- **sessionID** The ID of the download session. -- **totalTimeMs** Duration of the download (in seconds). -- **updateID** The ID of the update being downloaded. -- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). -- **uplinkUsageBps** The upload speed (in bytes per second). -- **uplinkUsegeBps** No content is currently available. -- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. - - -### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused - -This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **AddinType** No content is currently available. -- **backgground** No content is currently available. -- **backgro}nd** No content is currently available. -- **backgrou|d** No content is currently available. -- **background** Is the download a background download? -- **BinFileTimestamp** No content is currently available. -- **BinFileVersion** No content is currently available. -- **c`nUrl** No content is currently available. -- **cdnUrl** The URL of the source CDN (Content Delivery Network). -- **errorBode** No content is currently available. -- **errorCode** The error code that was returned. -- **expebimentId** No content is currently available. -- **expebimentIderrorCode** No content is currently available. -- **experiientId** No content is currently available. -- **experimenpId** No content is currently available. -- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **fileID** The ID of the file being paused. -- **FileId** No content is currently available. -- **FileSize** No content is currently available. -- **isVp|** No content is currently available. -- **isVpn** Is the device connected to a Virtual Private Network? -- **jobID** Identifier for the Windows Update job. -- **ksVpn** No content is currently available. -- **LoadBehavior** No content is currently available. -- **LSID** No content is currently available. -- **OfficeArchitecture** No content is currently available. -- **OutlookCrashingAddin** No content is currently available. -- **predefinedCallerName** The name of the API Caller object. -- **ProductCompany** No content is currently available. -- **ProductName** No content is currently available. -- **ProductVersion** No content is currently available. -- **ProgramId** No content is currently available. -- **Provider** No content is currently available. -- **reasonCod%** No content is currently available. -- **reasonCode** The reason for pausing the download. -- **recsonCodesessiolID** No content is currently available. -- **routeToCacheSedver** No content is currently available. -- **routeToCacheServer** The cache server setting, source, and value. -- **sessionID** The ID of the download session. -- **updateID** The ID of the update being paused. -- **updateMD** No content is currently available. - - -### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted - -This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **b6nUrl** No content is currently available. -- **background** Indicates whether the download is happening in the background. -- **bacoground** No content is currently available. -- **bileSizeCaller** No content is currently available. -- **bytesRequested** Number of bytes requested for the download. -- **cdnUrl** The URL of the source Content Distribution Network (CDN). -- **costFlags** A set of flags representing network cost. -- **costFlaos** No content is currently available. -- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). -- **diceRoll** Random number used for determining if a client will use peering. -- **doClientVersion** The version of the Delivery Optimization client. -- **doErrorC/de** No content is currently available. -- **doErrorCode** The Delivery Optimization error code that was returned. -- **doErrorCoee** No content is currently available. -- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). -- **downloadModeReason** Reason for the download. -- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). -- **errorCode** The error code that was returned. -- **experimejtId** No content is currently available. -- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing. -- **expeZone** No content is currently available. -- **faleID** No content is currently available. -- **fiheID** No content is currently available. -- **fileID** The ID of the file being downloaded. -- **filePat(** No content is currently available. -- **filePath** The path to where the downloaded file will be written. -- **fileSize** Total file size of the file that was downloaded. -- **fileSizeCaller** Value for total file size provided by our caller. -- **groqpID** No content is currently available. -- **groupID** ID for the group. -- **isEncrypted** Indicates whether the download is encrypted. -- **isFpn** No content is currently available. -- **isVpn** Indicates whether the device is connected to a Virtual Private Network. -- **jobID** The ID of the Windows Update job. -- **peerID** The ID for this delivery optimization client. -- **predefinedCall%rName** No content is currently available. -- **predefinedCallerName** Name of the API caller. -- **rimentId** No content is currently available. -- **routeToCacheSedver** No content is currently available. -- **routeToCacheServer** Cache server setting, source, and value. -- **sessionID** The ID for the file download session. -- **sessionIF** No content is currently available. -- **sessmonID** No content is currently available. -- **setConfigs** A JSON representation of the configurations that have been set, and their sources. -- **updateID** The ID of the update being downloaded. -- **updateYD** No content is currently available. -- **usedMemoryStream** Indicates whether the download used memory streaming. - - -### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication - -This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **cdnHeaders** The HTTP headers returned by the CDN. -- **cdnIp** The IP address of the CDN. -- **cdnUrl** The URL of the CDN. -- **eErrorCode** No content is currently available. -- **eErrorCunt** No content is currently available. -- **errorCode** The error code that was returned. -- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered. -- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **fileID** The ID of the file being downloaded. -- **htppStatusCode** No content is currently available. -- **httpStatusCode** The HTTP status code returned by the CDN. -- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET -- **peerTyp,** No content is currently available. -- **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.). -- **requestOffset** The byte offset within the file in the sent request. -- **requestSize** The size of the range requested from the CDN. -- **responseSize** The size of the range response received from the CDN. -- **sessionID** The ID of the download session. - - -### Microsoft.OSG.DU.DeliveryOptClient.JobError - -This event represents a Windows Update job error. It allows for investigation of top errors. - -The following fields are available: - -- **cdnIp** The IP Address of the source CDN (Content Delivery Network). -- **doErrorCode** Error code returned for delivery optimization. -- **errorCode** The error code returned. -- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **fileID** The ID of the file being downloaded. -- **jobID** The Windows Update job ID. -- **jobKD** No content is currently available. - - -## Windows Update events - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary - -This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **activated** Whether the entire device manifest update is considered activated and in use. -- **analysisErrorCount** The number of driver packages that could not be analyzed because errors occurred during analysis. -- **flightId** Unique ID for each flight. -- **missingDriverCount** The number of driver packages delivered by the device manifest that are missing from the system. -- **missingUpdateCount** The number of updates in the device manifest that are missing from the system. -- **objectId** Unique value for each diagnostics session. -- **publishedCount** The number of drivers packages delivered by the device manifest that are published and available to be used on devices. -- **relatedCV** Correlation vector value generated from the latest USO scan. -- **scenarioId** Indicates the update scenario. -- **sessionId** Unique value for each update session. -- **summary** A summary string that contains basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match. -- **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string. -- **truncatedDeviceCount** The number of devices missing from the summary string because there is not enough room in the string. -- **truncatedDriverCount** The number of driver packages missing from the summary string because there is not enough room in the string. -- **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices. -- **updateId** The unique ID for each update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit - -This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **errorCode** The error code returned for the current session initialization. -- **flightId** The unique identifier for each flight. -- **objectId** The unique GUID for each diagnostics session. -- **relatedCV** A correlation vector value generated from the latest USO scan. -- **result** Outcome of the initialization of the session. -- **scenarioId** Identifies the Update scenario. -- **sessionId** The unique value for each update session. -- **updateId** The unique identifier for each Update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest - -This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted. -- **errorCode** The error code returned for the current session initialization. -- **flightId** The unique identifier for each flight. -- **objectId** Unique value for each Update Agent mode. -- **packageCountOptional** Number of optional packages requested. -- **packageCountRequired** Number of required packages requested. -- **packageCountTotal** Total number of packages needed. -- **packageCountTotalCanonical** Total number of canonical packages. -- **packageCountTotalDiff** Total number of diff packages. -- **packageCountTotalExpress** Total number of express packages. -- **packageSizeCanonical** Size of canonical packages in bytes. -- **packageSizeDiff** Size of diff packages in bytes. -- **packageSizeExpress** Size of express packages in bytes. -- **rangeRequestState** Represents the state of the download range request. -- **relatedCV** Correlation vector value generated from the latest USO scan. -- **result** Result of the download request phase of update. -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. -- **sessionId** Unique value for each Update Agent mode attempt. -- **updateId** Unique ID for each update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize - -This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **errorCode** The error code returned for the current session initialization. -- **flightId** The unique identifier for each flight. -- **flightMetadata** Contains the FlightId and the build being flighted. -- **objectId** Unique value for each Update Agent mode. -- **relatedCV** Correlation vector value generated from the latest USO scan. -- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled. -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. -- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios). -- **sessionId** Unique value for each Update Agent mode attempt. -- **updateId** Unique ID for each update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall - -This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **errorCode** The error code returned for the current install phase. -- **flightId** The unique identifier for each flight (pre-release builds). -- **objectId** The unique identifier for each diagnostics session. -- **relatedCV** Correlation vector value generated from the latest scan. -- **result** Outcome of the install phase of the update. -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate -- **sessionId** The unique identifier for each update session. -- **updateId** The unique identifier for each Update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart - -This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **flightId** The unique identifier for each flight (pre-release builds). -- **mode** Indicates the active Update Agent mode. -- **objectId** Unique value for each diagnostics session. -- **relatedCV** Correlation vector value generated from the latest scan. -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. -- **sessionId** The unique identifier for each update session. -- **updateId** The unique identifier for each Update. - - -### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed - -This event indicates that a notification dialog box is about to be displayed to user. - -The following fields are available: - -- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. -- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before the RebootFailed dialog box is shown. -- **DaysSinceRebootRequired** Number of days since restart was required. -- **DeviceLocalTime** The local time on the device sending the event. -- **EngagedModeLimit** The number of days to switch between DTE dialog boxes. -- **EnterAutoModeLimit** The maximum number of days for a device to enter Auto Reboot mode. -- **ETag** OneSettings versioning value. -- **IsForcedEnabled** Indicates whether Forced Reboot mode is enabled for this device. -- **IsUltimateForcedEnabled** Indicates whether Ultimate Forced Reboot mode is enabled for this device. -- **NotificationUxState** Indicates which dialog box is shown. -- **NotificationUxStateString** Indicates which dialog box is shown. -- **RebootUxState** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). -- **RebootUxStateString** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). -- **RebootVersion** Version of DTE. -- **SkipToAutoModeLimit** The minimum length of time to pass in restart pending before a device can be put into auto mode. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UtcTime** The time the dialog box notification will be displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootAcceptAutoDialog - -This event indicates that the Enhanced Engaged restart "accept automatically" dialog box was displayed. - -The following fields are available: - -- **DeviceLocalTime** The local time on the device sending the event. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the dialog box. -- **RebootVersion** Version of DTE. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that user chose on this dialog box. -- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootFirstReminderDialog - -This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed.. - -The following fields are available: - -- **DeviceLocalTime** The local time on the device sending the event. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the dialog box. -- **RebootVersion** Version of DTE. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that user chose in this dialog box. -- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog - -This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed. - -The following fields are available: - -- **DeviceLocalTime** The local time of the device sending the event. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the dialog box. -- **RebootVersion** Version of DTE. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that the user chose in this dialog box. -- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog - -This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed. - -The following fields are available: - -- **DeviceLocalTime** Time the dialog box was shown on the local device. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the dialog box. -- **RebootVersion** Version of DTE. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that user chose in this dialog box. -- **UtcTime** The time that dialog box was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderDialog - -This event returns information relating to the Enhanced Engaged reboot reminder dialog that was displayed. - -The following fields are available: - -- **DeviceLocalTime** The time at which the reboot reminder dialog was shown (based on the local device time settings). -- **ETag** The OneSettings versioning value. -- **ExitCode** Indicates how users exited the reboot reminder dialog box. -- **RebootVersion** The version of the DTE (Direct-to-Engaged). -- **UpdateId** The ID of the update that is waiting for reboot to finish installation. -- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. -- **UserResponseString** The option chosen by the user on the reboot dialog box. -- **UtcTime** The time at which the reboot reminder dialog was shown (in UTC). - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderToast - -This event indicates that the Enhanced Engaged restart reminder pop-up banner was displayed. - -The following fields are available: - -- **DeviceLocalTime** The local time on the device sending the event. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the pop-up banner. -- **RebootVersion** The version of the reboot logic. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that the user chose in the pop-up banner. -- **UtcTime** The time that the pop-up banner was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.RebootScheduled - -Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update. - -The following fields are available: - -- **activeHoursApplicable** Indicates whether an Active Hours policy is present on the device. -- **IsEnhancedEngagedReboot** Indicates whether this is an Enhanced Engaged reboot. -- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. -- **rebootOutsideOfActiveHours** Indicates whether a restart is scheduled outside of active hours. -- **rebootScheduledByUser** Indicates whether the restart was scheduled by user (if not, it was scheduled automatically). -- **rebootState** The current state of the restart. -- **rebootUsingSmartScheduler** Indicates whether the reboot is scheduled by smart scheduler. -- **revisionNumber** Revision number of the update that is getting installed with this restart. -- **scheduledRebootTime** Time of the scheduled restart. -- **scheduledRebootTimeInUTC** Time of the scheduled restart in Coordinated Universal Time. -- **updateId** ID of the update that is getting installed with this restart. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy - -This event indicates a policy is present that may restrict update activity to outside of active hours. - -The following fields are available: - -- **activeHoursEnd** The end of the active hours window. -- **activeHoursStart** The start of the active hours window. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours - -This event indicates that update activity was blocked because it is within the active hours window. - -The following fields are available: - -- **activeHoursEnd** The end of the active hours window. -- **activeHoursStart** The start of the active hours window. -- **updatePhase** The current state of the update process. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.BlockedByBatteryLevel - -This event indicates that Windows Update activity was blocked due to low battery level. - -The following fields are available: - -- **batteryLevel** The current battery charge capacity. -- **batteryLevelThreshold** The battery capacity threshold to stop update activity. -- **updatePhase** The current state of the update process. -- **wuDeviceid** Device ID. - - -### Microsoft.Windows.Update.Orchestrator.DeferRestart - -This event indicates that a restart required for installing updates was postponed. - -The following fields are available: - -- **displayNeededReason** List of reasons for needing display. -- **eventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). -- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery). -- **gameModeReason** Name of the executable that caused the game mode state check to start. -- **ignoredReason** List of reasons that were intentionally ignored. -- **IgnoreReasonsForRestart** List of reasons why restart was deferred. -- **revisionNumber** Update ID revision number. -- **systemNeededReason** List of reasons why system is needed. -- **updateId** Update ID. -- **updateScenarioType** Update session type. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.Detection - -This event indicates that a scan for a Windows Update occurred. - -The following fields are available: - -- **deferReason** The reason why the device could not check for updates. -- **detectionBlockingPolicy** The Policy that blocked detection. -- **detectionBlockreason** The reason detection did not complete. -- **detectionRetryMode** Indicates whether we will try to scan again. -- **errorCode** The error code returned for the current process. -- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. -- **flightID** The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable. -- **interactive** Indicates whether the user initiated the session. -- **networkStatus** Indicates if the device is connected to the internet. -- **revisionNumber** The Update revision number. -- **scanTriggerSource** The source of the triggered scan. -- **updateId** The unique identifier of the Update. -- **updateScenarioType** Identifies the type of update session being performed. -- **wuDeviceid** The unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.DisplayNeeded - -This event indicates the reboot was postponed due to needing a display. - -The following fields are available: - -- **displayNeededReason** Reason the display is needed. -- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. -- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. -- **revisionNumber** Revision number of the update. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. -- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue - - -### Microsoft.Windows.Update.Orchestrator.Download - -This event sends launch data for a Windows Update download to help keep Windows up to date. - -The following fields are available: - -- **deferReason** Reason for download not completing. -- **e:4|SScenario** No content is currently available. -- **errorCode** An error code represented as a hexadecimal value. -- **eventScenario** End-to-end update session ID. -- **fdightID** No content is currently available. -- **flightID** The specific ID of the Windows Insider build the device is getting. -- **interactive** Indicates whether the session is user initiated. -- **interactiveelatedCVerrorCode** No content is currently available. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **updateScenariotate** No content is currently available. -- **updateScenarioType** The update session type. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.DTUCompletedWhenWuFlightPendingCommit - -This event indicates that DTU completed installation of the electronic software delivery (ESD), when Windows Update was already in Pending Commit phase of the feature update. - -The following fields are available: - -- **wuDeviceid** Device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.DTUEnabled - -This event indicates that Inbox DTU functionality was enabled. - -The following fields are available: - -- **wuDeviceid** Device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.DTUInitiated - -This event indicates that Inbox DTU functionality was intiated. - -The following fields are available: - -- **dtuErrorCode** Return code from creating the DTU Com Server. -- **isDtuApplicable** Determination of whether DTU is applicable to the machine it is running on. -- **wuDeviceid** Device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.EscalationRiskLevels - -This event is sent during update scan, download, or install, and indicates that the device is at risk of being out-of-date. - -The following fields are available: - -- **configVersion** The escalation configuration version on the device. -- **downloadElapsedTime** Indicates how long since the download is required on device. -- **downloadRiskLevel** At-risk level of download phase. -- **installElapsedTime** Indicates how long since the install is required on device. -- **installRiskLevel** The at-risk level of install phase. -- **isSediment** Assessment of whether is device is at risk. -- **scanElapsedTime** Indicates how long since the scan is required on device. -- **scanRiskLevel** At-risk level of the scan phase. -- **wuDeviceid** Device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.FailedToAddTimeTriggerToScanTask - -This event indicated that USO failed to add a trigger time to a task. - -The following fields are available: - -- **errorCode** The Windows Update error code. -- **wuDeviceid** The Windows Update device ID. - - -### Microsoft.Windows.Update.Orchestrator.FlightInapplicable - -This event indicates that the update is no longer applicable to this device. - -The following fields are available: - -- **EventPublishedTime** Time when this event was generated. -- **flightID** The specific ID of the Windows Insider build. -- **inapplicableReason** The reason why the update is inapplicable. -- **revisionNumber** Update revision number. -- **updateId** Unique Windows Update ID. -- **updateScenarioType** Update session type. -- **UpdateStatus** Last status of update. -- **UUPFallBackConfigured** Indicates whether UUP fallback is configured. -- **wuDeviceid** Unique Device ID. - - -### Microsoft.Windows.Update.Orchestrator.InitiatingReboot - -This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date. - -The following fields are available: - -- **EventPublishedTime** Time of the event. -- **flightID** Unique update ID -- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. -- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. -- **revisionNumber** Revision number of the update. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.Install - -This event sends launch data for a Windows Update install to help keep Windows up to date. - -The following fields are available: - -- **batteryLevel** Current battery capacity in mWh or percentage left. -- **defeec-9-0S** No content is currently available. -- **deferReason** Reason for install not completing. -- **errorCode** The error code reppresented by a hexadecimal value. -- **eventScenario** End-to-end update session ID. -- **flightID** The ID of the Windows Insider build the device is getting. -- **flightUpdate** Indicates whether the update is a Windows Insider build. -- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates. -- **Ignorec-9-0SsFoec-start** No content is currently available. -- **IgnoreReasonsForRestart** The reason(s) a Postpone Restart command was ignored. -- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress. -- **installRebootinitiatetime** The time it took for a reboot to be attempted. -- **interactive** Identifies if session is user initiated. -- **minutesToCommit** The time it took to install updates. -- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **updateMd** No content is currently available. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.LowUptimes - -This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure. - -The following fields are available: - -- **availableHistoryMinutes** The number of minutes available from the local machine activity history. -- **isLowUptimeMachine** Is the machine considered low uptime or not. -- **lowUptimeMinHours** Current setting for the minimum number of hours needed to not be considered low uptime. -- **lowUptimeQueryDays** Current setting for the number of recent days to check for uptime. -- **uptimeMinutes** Number of minutes of uptime measured. -- **wuDeviceid** Unique device ID for Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection - -This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date. - -The following fields are available: - -- **externalOneshotupdate** The last time a task-triggered scan was completed. -- **interactiveOneshotupdate** The last time an interactive scan was completed. -- **oldlastscanOneshotupdate** The last time a scan completed successfully. -- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID). - - -### Microsoft.Windows.Update.Orchestrator.PreShutdownStart - -This event is generated before the shutdown and commit operations. - -The following fields are available: - -- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - - -### Microsoft.Windows.Update.Orchestrator.RebootFailed - -This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date. - -The following fields are available: - -- **batteryLevel** Current battery capacity in mWh or percentage left. -- **deferReason** Reason for install not completing. -- **EventPublishedTime** The time that the reboot failure occurred. -- **flightID** Unique update ID. -- **rebootOutsideOfActiveHours** Indicates whether a reboot was scheduled outside of active hours. -- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.RefreshSettings - -This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date. - -The following fields are available: - -- **errorCode** Hex code for the error message, to allow lookup of the specific error. -- **settingsDownloadTime** Timestamp of the last attempt to acquire settings. -- **settingsETag** Version identifier for the settings. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask - -This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date. - -The following fields are available: - -- **RebootTaskMissedTimeUTC** The time when the reboot task was scheduled to run, but did not. -- **RebootTaskNextTimeUTC** The time when the reboot task was rescheduled for. -- **RebootTaskRestoredTime** Time at which this reboot task was restored. -- **wuDeviceid** Device ID for the device on which the reboot is restored. - - -### Microsoft.Windows.Update.Orchestrator.ScanTriggered - -This event indicates that Update Orchestrator has started a scan operation. - -The following fields are available: - -- **errorCode** The error code returned for the current scan operation. -- **eventScenario** Indicates the purpose of sending this event. -- **interactive** Indicates whether the scan is interactive. -- **isDTUEnabled** Indicates whether DTU (internal abbreviation for Direct Feature Update) channel is enabled on the client system. -- **isScanPastSla** Indicates whether the SLA has elapsed for scanning. -- **isScanPastTriggerSla** Indicates whether the SLA has elapsed for triggering a scan. -- **minutesOverScanSla** Indicates how many minutes the scan exceeded the scan SLA. -- **minutesOverScanTriggerSla** Indicates how many minutes the scan exceeded the scan trigger SLA. -- **scanTriggerSource** Indicates what caused the scan. -- **updateScenarioType** The update session type. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.StickUpdate - -This event is sent when the update service orchestrator (USO) indicates the update cannot be superseded by a newer update. - -The following fields are available: - -- **updateAd** No content is currently available. -- **updateId** Identifier associated with the specific piece of content. -- **wuDeviceid** Unique device ID controlled by the software distribution client. - - -### Microsoft.Windows.Update.Orchestrator.SystemNeeded - -This event sends data about why a device is unable to reboot, to help keep Windows up to date. - -The following fields are available: - -- **eventScenario** End-to-end update session ID. -- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. -- **revisionNumber** Update revision number. -- **systemNeededReason** List of apps or tasks that are preventing the system from restarting. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.TerminatedByActiveHours - -This event indicates that update activity was stopped due to active hours starting. - -The following fields are available: - -- **activeHoursEnd** The end of the active hours window. -- **activeHoursStart** The start of the active hours window. -- **updatePhase** The current state of the update process. -- **wuDeviceid** The device identifier. - - -### Microsoft.Windows.Update.Orchestrator.TerminatedByBatteryLevel - -This event is sent when update activity was stopped due to a low battery level. - -The following fields are available: - -- **batteryLevel** The current battery charge capacity. -- **batteryLevelThreshold** The battery capacity threshold to stop update activity. -- **updatePhase** The current state of the update process. -- **wuDeviceid** The device identifier. - - -### Microsoft.Windows.Update.Orchestrator.UnstickUpdate - -This event is sent when the update service orchestrator (USO) indicates that the update can be superseded by a newer update. - -The following fields are available: - -- **updateId** Identifier associated with the specific piece of content. -- **wuDeviceid** Unique device ID controlled by the software distribution client. - - -### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh - -This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date. - -The following fields are available: - -- **configuredPoliciescount** Number of policies on the device. -- **policiesNamevaluesource** Policy name and source of policy (group policy, MDM or flight). -- **policyCacherefreshtime** Time when policy cache was refreshed. -- **updateInstalluxsetting** Indicates whether a user has set policies via a user experience option. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired - -This event sends data about whether an update required a reboot to help keep Windows up to date. - -The following fields are available: - -- **flightID** The specific ID of the Windows Insider build the device is getting. -- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed - -This event sends information about an update that encountered problems and was not able to complete. - -The following fields are available: - -- **errorCode** The error code encountered. -- **wuDeviceid** The ID of the device in which the error occurred. - - -### Microsoft.Windows.Update.Orchestrator.UsoSession - -This event represents the state of the USO service at start and completion. - -The following fields are available: - -- **activeSessionid** A unique session GUID. -- **eventScenario** The state of the update action. -- **interactive** Is the USO session interactive? -- **lastErrorcode** The last error that was encountered. -- **lastErrorstate** The state of the update when the last error was encountered. -- **sessionType** A GUID that refers to the update session type. -- **updateScenarioType** A descriptive update session type. -- **wuDeviceid** The Windows Update device GUID. - - -### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState - -This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. - -The following fields are available: - -- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. -- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown. -- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed. -- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs. -- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode. -- **ETag** The Entity Tag that represents the OneSettings version. -- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device. -- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device. -- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending. -- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced. -- **RebootVersion** The version of the DTE (Direct-to-Engaged). -- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode. -- **UpdateId** The ID of the update that is waiting for reboot to finish installation. -- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. - - -### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded - -This event is sent when a security update has successfully completed. - -The following fields are available: - -- **UtcTime** The Coordinated Universal Time that the restart was no longer needed. - - -### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled - -This event sends basic information about scheduling an update-related reboot, to get security updates and to help keep Windows up-to-date. - -The following fields are available: - -- **activeHoursApplicable** Indicates whether Active Hours applies on this device. -- **IsEnhancedEngagedReboot** Indicates whether Enhanced reboot was enabled. -- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. -- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise. -- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically. -- **rebootState** Current state of the reboot. -- **rebootUsingSmartScheduler** Indicates that the reboot is scheduled by SmartScheduler. -- **revisionNumber** Revision number of the OS. -- **scheduledRebootTime** Time scheduled for the reboot. -- **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC. -- **updateId** Identifies which update is being scheduled. -- **wuDeviceid** The unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerScheduledTask - -This event is sent when MUSE broker schedules a task. - -The following fields are available: - -- **TaskArgument** The arguments with which the task is scheduled. -- **TaskName** Name of the task. - - -### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled - -This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date. - -The following fields are available: - -- **activeHoursApplicable** Is the restart respecting Active Hours? -- **IsEnhancedEngagedReboot** TRUE if the reboot path is Enhanced Engaged. Otherwise, FALSE. -- **rebootArgument** The arguments that are passed to the OS for the restarted. -- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours? -- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device. -- **rebootState** The state of the restart. -- **rebootUsingSmartScheduler** TRUE if the reboot should be performed by the Smart Scheduler. Otherwise, FALSE. -- **revisionNumber** The revision number of the OS being updated. -- **scheduledRebootTime** Time of the scheduled reboot -- **scheduledRebootTimeInUTC** Time of the scheduled restart, in Coordinated Universal Time. -- **updateId** The Windows Update device GUID. -- **wuDeviceid** The Windows Update device GUID. - - -## Windows Update mitigation events - -### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages - -This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates. - -The following fields are available: - -- **ClientId** The client ID used by Windows Update. -- **FlightId** The ID of each Windows Insider build the device received. -- **InstanceId** A unique device ID that identifies each update instance. -- **MitigationScenario** The update scenario in which the mitigation was executed. -- **MountedImageCount** The number of mounted images. -- **MountedImageMatches** The number of mounted image matches. -- **MountedImagesFailed** The number of mounted images that could not be removed. -- **MountedImagesRemoved** The number of mounted images that were successfully removed. -- **MountedImagesSkipped** The number of mounted images that were not found. -- **RelatedCV** The correlation vector value generated from the latest USO scan. -- **Result** HResult of this operation. -- **ScenarioId** ID indicating the mitigation scenario. -- **ScenarioSupported** Indicates whether the scenario was supported. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each Windows Update. -- **WuId** Unique ID for the Windows Update client. - - -### Mitigation360Telemetry.MitigationCustom.FixAppXReparsePoints - -This event sends data specific to the FixAppXReparsePoints mitigation used for OS updates. - -The following fields are available: - -- **ClientId** Unique identifier for each flight. -- **FlightId** Unique GUID that identifies each instances of setuphost.exe. -- **InstanceId** The update scenario in which the mitigation was executed. -- **MitigationScenario** Correlation vector value generated from the latest USO scan. -- **RelatedCV** Number of reparse points that are corrupted but we failed to fix them. -- **ReparsePointsFailed** Number of reparse points that were corrupted and were fixed by this mitigation. -- **ReparsePointsFixed** Number of reparse points that are not corrupted and no action is required. -- **ReparsePointsSkipped** HResult of this operation. -- **Result** ID indicating the mitigation scenario. -- **ScenarioId** Indicates whether the scenario was supported. -- **ScenarioSupported** Unique value for each update attempt. -- **SessionId** Unique ID for each Update. -- **UpdateId** Unique ID for the Windows Update client. -- **WuId** Unique ID for the Windows Update client. - - -### Mitigation360Telemetry.MitigationCustom.FixupEditionId - -This event sends data specific to the FixupEditionId mitigation used for OS updates. - -The following fields are available: - -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **EditionIdUpdated** Determine whether EditionId was changed. -- **FlightId** Unique identifier for each flight. -- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. -- **MitigationScenario** The update scenario in which the mitigation was executed. -- **ProductEditionId** Expected EditionId value based on GetProductInfo. -- **ProductType** Value returned by GetProductInfo. -- **RegistryEditionId** EditionId value in the registry. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** HResult of this operation. -- **ScenarioId** ID indicating the mitigation scenario. -- **ScenarioSupported** Indicates whether the scenario was supported. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. -- **WuId** Unique ID for the Windows Update client. - - -## Windows Update Reserve Manager events - -### Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment - -This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending. - -The following fields are available: - -- **FinalAdjustment** Final adjustment for the hard reserve following the addition or removal of optional content. -- **InitialAdjustment** Initial intended adjustment for the hard reserve following the addition/removal of optional content. - - -### Microsoft.Windows.UpdateReserveManager.FunctionReturnedError - -This event is sent when the Update Reserve Manager returns an error from one of its internal functions. - -The following fields are available: - -- **FailedExpression** The failed expression that was returned. -- **FailedFile** The binary file that contained the failed function. -- **FailedFunction** The name of the function that originated the failure. -- **FailedLine** The line number of the failure. -- **ReturnCode** The return code of the function. - - -### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager - -This event returns data about the Update Reserve Manager, including whether it’s been initialized. - -The following fields are available: - -- **ClientId** The ID of the caller application. -- **Flags** The enumerated flags used to initialize the manager. -- **FlightId** The flight ID of the content the calling client is currently operating with. -- **Offline** Indicates whether or the reserve manager is called during offline operations. -- **PolicyPassed** Indicates whether the machine is able to use reserves. -- **ReturnCode** Return code of the operation. -- **Version** The version of the Update Reserve Manager. - - -### Microsoft.Windows.UpdateReserveManager.PrepareTIForReserveInitialization - -This event is sent when the Update Reserve Manager prepares the Trusted Installer to initialize reserves on the next boot. - -The following fields are available: - -- **Flags** The flags that are passed to the function to prepare the Trusted Installer for reserve initialization. - - -### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment - -This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment. - - - -### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment - -This event is sent when the Update Reserve Manager needs to adjust the size of the hard reserve after the option content is installed. - -The following fields are available: - -- **ChangeSize** The change in the hard reserve size based on the addition or removal of optional content. -- **Disposition** The parameter for the hard reserve adjustment function. -- **Flags** The flags passed to the hard reserve adjustment function. -- **PendingHardReserveAdjustment** The final change to the hard reserve size. -- **UpdateType** Indicates whether the change is an increase or decrease in the size of the hard reserve. - - -## Winlogon events - -### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon - -This event signals the completion of the setup process. It happens only once during the first logon. - - - -## XBOX events - -### Microsoft.Xbox.XamTelemetry.AppActivationError - -This event indicates whether the system detected an activation error in the app. - -The following fields are available: - -- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app. -- **AppId** The Xbox LIVE Title ID. -- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate. -- **Result** The HResult error. -- **UserId** The Xbox LIVE User ID (XUID). - - -### Microsoft.Xbox.XamTelemetry.AppActivity - -This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. - -The following fields are available: - -- **AppActionId** The ID of the application action. -- **AppCurrentVisibilityState** The ID of the current application visibility state. -- **AppId** The Xbox LIVE Title ID of the app. -- **AppPackageFullName** The full name of the application package. -- **AppPreviousVisibilityState** The ID of the previous application visibility state. -- **AppSessionId** The application session ID. -- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). -- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. -- **DurationMs** The amount of time (in milliseconds) since the last application state transition. -- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. -- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). -- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. -- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. -- **UserId** The XUID (Xbox User ID) of the current user. - - - +--- +description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. +title: Windows 10, version 1809 basic diagnostic events and fields (Windows 10) +keywords: privacy, telemetry +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +ms.author: brianlic +manager: dansimp +ms.collection: M365-security-compliance +ms.topic: article +audience: ITPro +ms.date: 03/26/2019 +--- + + +# Windows 10, version 1809 basic level Windows diagnostic events and fields + + **Applies to** + +- Windows 10, version 1809 + + +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. + +The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. + +Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. + +You can learn more about Windows functional and diagnostic data through these articles: + + +- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) +- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) +- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) +- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) +- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) + + + + +## Account trace logging provider events + +### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.General + +This event provides information about application properties to indicate the successful execution. + +The following fields are available: + +- **AppMode** Indicates the mode the app is being currently run around privileges. +- **ExitCode** Indicates the exit code of the app. +- **Help** Indicates if the app needs to be launched in the help mode. +- **ParseError** Indicates if there was a parse error during the execution. +- **RightsAcquired** Indicates if the right privileges were acquired for successful execution. +- **RightsWereEnabled** Indicates if the right privileges were enabled for successful execution. +- **TestMode** Indicates whether the app is being run in test mode. + + +### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.GetCount + +This event provides information about the properties of user accounts in the Administrator group. + +The following fields are available: + +- **Internal** Indicates the internal property associated with the count group. +- **LastError** The error code (if applicable) for the cause of the failure to get the count of the user account. +- **Result** The HResult error. + + +## AppLocker events + +### Microsoft.Windows.Security.AppLockerCSP.ActivityStoppedAutomatically + +Automatically closed activity for start/stop operations that aren't explicitly closed. + + + +### Microsoft.Windows.Security.AppLockerCSP.AddParams + +Parameters passed to Add function of the AppLockerCSP Node. + +The following fields are available: + +- **child** The child URI of the node to add. +- **uri** URI of the node relative to %SYSTEM32%/AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.AddStart + +Start of "Add" Operation for the AppLockerCSP Node. + + + +### Microsoft.Windows.Security.AppLockerCSP.AddStop + +End of "Add" Operation for AppLockerCSP Node. + +The following fields are available: + +- **hr** The HRESULT returned by Add function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.CAppLockerCSP::Rollback + +Result of the 'Rollback' operation in AppLockerCSP. + +The following fields are available: + +- **oldId** Previous id for the CSP transaction. +- **txId** Current id for the CSP transaction. + + +### Microsoft.Windows.Security.AppLockerCSP.ClearParams + +Parameters passed to the "Clear" operation for AppLockerCSP. + +The following fields are available: + +- **uri** The URI relative to the %SYSTEM32%\AppLocker folder. + + +### Microsoft.Windows.Security.AppLockerCSP.ClearStart + +Start of the "Clear" operation for the AppLockerCSP Node. + + + +### Microsoft.Windows.Security.AppLockerCSP.ClearStop + +End of the "Clear" operation for the AppLockerCSP node. + +The following fields are available: + +- **hr** HRESULT reported at the end of the 'Clear' function. + + +### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStart + +Start of the "ConfigManagerNotification" operation for AppLockerCSP. + +The following fields are available: + +- **NotifyState** State sent by ConfigManager to AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStop + +End of the "ConfigManagerNotification" operation for AppLockerCSP. + +The following fields are available: + +- **hr** HRESULT returned by the ConfigManagerNotification function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceParams + +Parameters passed to the CreateNodeInstance function of the AppLockerCSP node. + +The following fields are available: + +- **NodeId** NodeId passed to CreateNodeInstance. +- **nodeOps** NodeOperations parameter passed to CreateNodeInstance. +- **uri** URI passed to CreateNodeInstance, relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStart + +Start of the "CreateNodeInstance" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStop + +End of the "CreateNodeInstance" operation for the AppLockerCSP node + +The following fields are available: + +- **hr** HRESULT returned by the CreateNodeInstance function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.DeleteChildParams + +Parameters passed to the DeleteChild function of the AppLockerCSP node. + +The following fields are available: + +- **child** The child URI of the node to delete. +- **uri** URI relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStart + +Start of the "DeleteChild" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStop + +End of the "DeleteChild" operation for the AppLockerCSP node. + +The following fields are available: + +- **hr** HRESULT returned by the DeleteChild function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.EnumPolicies + +Logged URI relative to %SYSTEM32%\AppLocker, if the Plugin GUID is null, or the CSP doesn't believe the old policy is present. + +The following fields are available: + +- **uri** URI relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesParams + +Parameters passed to the GetChildNodeNames function of the AppLockerCSP node. + +The following fields are available: + +- **uri** URI relative to %SYSTEM32%/AppLocker for MDM node. + + +### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStart + +Start of the "GetChildNodeNames" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStop + +End of the "GetChildNodeNames" operation for the AppLockerCSP node. + +The following fields are available: + +- **child[0]** If function succeeded, the first child's name, else "NA". +- **count** If function succeeded, the number of child node names returned by the function, else 0. +- **hr** HRESULT returned by the GetChildNodeNames function of AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.GetLatestId + +The result of 'GetLatestId' in AppLockerCSP (the latest time stamped GUID). + +The following fields are available: + +- **dirId** The latest directory identifier found by GetLatestId. +- **id** The id returned by GetLatestId if id > 0 - otherwise the dirId parameter. + + +### Microsoft.Windows.Security.AppLockerCSP.HResultException + +HRESULT thrown by any arbitrary function in AppLockerCSP. + +The following fields are available: + +- **file** File in the OS code base in which the exception occurs. +- **function** Function in the OS code base in which the exception occurs. +- **hr** HRESULT that is reported. +- **line** Line in the file in the OS code base in which the exception occurs. + + +### Microsoft.Windows.Security.AppLockerCSP.SetValueParams + +Parameters passed to the SetValue function of the AppLockerCSP node. + +The following fields are available: + +- **dataLength** Length of the value to set. +- **uri** The node URI to that should contain the value, relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.SetValueStart + +Start of the "SetValue" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.SetValueStop + +End of the "SetValue" operation for the AppLockerCSP node. + +The following fields are available: + +- **hr** HRESULT returned by the SetValue function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.TryRemediateMissingPolicies + +EntryPoint of fix step or policy remediation, includes URI relative to %SYSTEM32%\AppLocker that needs to be fixed. + +The following fields are available: + +- **uri** URI for node relative to %SYSTEM32%/AppLocker. + + +## Appraiser events + +### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount + +This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client. + +The following fields are available: + +- **DatasourceApplicationFile_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_19H1** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **DatasourceApplicationFile_RS2** An ID for the system, calculated by hashing hardware identifiers. +- **DatasourceApplicationFile_RS3** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS3Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS4** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_TH1** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_TH2** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. +- **DatasourceDevicePnp_RS2** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS3** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS4** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS5** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_TH1** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_TH2** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19H1** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device. +- **DatasourceDriverPackage_RS2** The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device. +- **DatasourceDriverPackage_RS3** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS5** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_TH1** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoBlock_RS2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS3** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS3Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS3** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS3Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. +- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. +- **DataSourceMatchingInfoPostUpgrade_RS3Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19H1** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device. +- **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device. +- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting Windows 10 version 1709 present on this device. +- **DatasourceSystemBios_RS3Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS4** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS5** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_TH1** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_TH2** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19H1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS3** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_TH1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_TH2** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19H1** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. +- **DecisionDevicePnp_RS2** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS3** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS5** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_TH1** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_TH2** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19H1** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device. +- **DecisionDriverPackage_RS2** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS3** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS5** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_TH1** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. +- **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. +- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1709 present on this device. +- **DecisionMatchingInfoBlock_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS4** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1803 present on this device. +- **DecisionMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. +- **DecisionMatchingInfoPassive_RS2** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 on this device. +- **DecisionMatchingInfoPassive_RS3** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1803 on this device. +- **DecisionMatchingInfoPassive_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. +- **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. +- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. +- **DecisionMatchingInfoPostUpgrade_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19H1** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19H1Setup** The total DecisionMediaCenter objects targeting the next release of Windows on this device. +- **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. +- **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device. +- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting Windows 10 version 1709 present on this device. +- **DecisionMediaCenter_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS4** The total DecisionMediaCenter objects targeting Windows 10 version 1803 present on this device. +- **DecisionMediaCenter_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_TH1** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_TH2** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_19ASetup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_19H1** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device. +- **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 on this device. +- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting Windows 10 version 1709 on this device. +- **DecisionSystemBios_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device. +- **DecisionSystemBios_RS4Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS5** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS5Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_TH1** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device. +- **DecisionSystemProcessor_RS2** The count of the number of this particular object type present on this device. +- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **InventoryApplicationFile** The count of the number of this particular object type present on this device. +- **InventoryDeviceContainer** A count of device container objects in cache. +- **InventoryDevicePnp** A count of device Plug and Play objects in cache. +- **InventoryDriverBinary** A count of driver binary objects in cache. +- **InventoryDriverPackage** A count of device objects in cache. +- **InventoryLanguagePack** The count of the number of this particular object type present on this device. +- **InventoryMediaCenter** The count of the number of this particular object type present on this device. +- **InventorySystemBios** The count of the number of this particular object type present on this device. +- **InventorySystemMachine** The count of the number of this particular object type present on this device. +- **InventorySystemProcessor** The count of the number of this particular object type present on this device. +- **InventoryTest** The count of the number of this particular object type present on this device. +- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. +- **PCFP** The count of the number of this particular object type present on this device. +- **SystemMemory** The count of the number of this particular object type present on this device. +- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. +- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. +- **SystemProcessorNx** The total number of objects of this type present on this device. +- **SystemProcessorPrefetchW** The total number of objects of this type present on this device. +- **SystemProcessorSse2** The total number of objects of this type present on this device. +- **SystemTouch** The count of the number of this particular object type present on this device. +- **SystemWim** The total number of objects of this type present on this device. +- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. +- **SystemWlan** The total number of objects of this type present on this device. +- **Wmdrm_19ASetup** The count of the number of this particular object type present on this device. +- **Wmdrm_19H1** The count of the number of this particular object type present on this device. +- **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. +- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **Wmdrm_RS2** An ID for the system, calculated by hashing hardware identifiers. +- **Wmdrm_RS3** An ID for the system, calculated by hashing hardware identifiers. +- **Wmdrm_RS3Setup** The count of the number of this particular object type present on this device. +- **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. +- **Wmdrm_RS4Setup** The count of the number of this particular object type present on this device. +- **Wmdrm_RS5** The count of the number of this particular object type present on this device. +- **Wmdrm_RS5Setup** The count of the number of this particular object type present on this device. +- **Wmdrm_TH1** The count of the number of this particular object type present on this device. +- **Wmdrm_TH2** The count of the number of this particular object type present on this device. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd + +Represents the basic metadata about specific application files installed on the system. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file that is generating the events. +- **AvDisplayName** If the app is an anti-virus app, this is its display name. +- **CompatModelIndex** The compatibility prediction for this file. +- **HasCitData** Indicates whether the file is present in CIT data. +- **HasCitDcta** No content is currently available. +- **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file. +- **IsAv** Is the file an anti-virus reporting EXE? +- **ResolveAttempted** This will always be an empty string when sending telemetry. +- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove + +This event indicates that the DatasourceApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync + +This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd + +This event sends compatibility data for a Plug and Play device, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **ActiveNetworkConnection** Indicates whether the device is an active network device. +- **ActivóNetworkConnection** No content is currently available. +- **AppraiserVersion** The version of the appraiser file generating the events. +- **CosDeviceRating** An enumeration that indicates if there is a driver on the target operating system. +- **CosDeviceSolution** An enumeration that indicates how a driver on the target operating system is available. +- **CosDeviceSolutionUrl** Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd . Empty string +- **CosPopulatedFromId** The expected uplevel driver matching ID based on driver coverage data. +- **IsBootCritical** Indicates whether the device boot is critical. +- **UplevelInboxDriver** Indicates whether there is a driver uplevel for this device. +- **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update. +- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver. +- **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove + +This event indicates that the DatasourceDevicePnp object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync + +This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd + +This event sends compatibility database data about driver packages to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove + +This event indicates that the DatasourceDriverPackage object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync + +This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd + +This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove + +This event indicates that the DataSourceMatchingInfoBlock object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync + +This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd + +This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove + +This event indicates that the DataSourceMatchingInfoPassive object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync + +This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd + +This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove + +This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync + +This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd + +This event sends compatibility database information about the BIOS to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove + +This event indicates that the DatasourceSystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync + +This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd + +This event sends compatibility decision data about a file to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file that is generating the events. +- **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. +- **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question. +- **DisplayGenericMessage** Will be a generic message be shown for this file? +- **DisplayGenericMessageGated** Indicates whether a generic message be shown for this file. +- **HardBlock** This file is blocked in the SDB. +- **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? +- **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode? +- **MigRemoval** Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade? +- **NeedsDismissAction** Will the file cause an action that can be dimissed? +- **NeedsInstallPostUpgradeData** After upgrade, the file will have a post-upgrade notification to install a replacement for the app. +- **NeedsNotifyPostUpgradeData** Does the file have a notification that should be shown after upgrade? +- **NeedsReinstallPostUpgradeData** After upgrade, this file will have a post-upgrade notification to reinstall the app. +- **NeedsUninstallAction** The file must be uninstalled to complete the upgrade. +- **SdbBlockUpgrade** The file is tagged as blocking upgrade in the SDB, +- **SdbBlockUpgradeCanReinstall** The file is tagged as blocking upgrade in the SDB. It can be reinstalled after upgrade. +- **SdbBlockUpgradeUntilUpdate** The file is tagged as blocking upgrade in the SDB. If the app is updated, the upgrade can proceed. +- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not block upgrade. +- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade. +- **SoftBlock** The file is softblocked in the SDB and has a warning. + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove + +This event indicates Indicates that the DecisionApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync + +This event indicates that a new set of DecisionApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd + +This event sends compatibility decision data about a PNP device to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked? +- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate? +- **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked? +- **BlockingDevice** Is this PNP device blocking upgrade? +- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS? +- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device? +- **CssociatedDriverIsBlocked** No content is currently available. +- **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device? +- **DisplayGenericMessageGated** Indicates whether a generic message will be shown during Setup for this PNP device. +- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device? +- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? +- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device? +- **DriverBlockOverridden** Is there is a driver block on the device that has been overridden? +- **DviverAvailableInbox** No content is currently available. +- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device? +- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS? +- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade? +- **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden? + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove + +This event indicates that the DecisionDevicePnp object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync + +The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd + +This event sends decision data about driver package compatibility to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for this driver package. +- **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? +- **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block? +- **DriverIsDriverBlocked** Is the driver package blocked because of a driver block? +- **DriverIsTroubleshooterBlocked** Indicates whether the driver package is blocked because of a troubleshooter block. +- **DriverShouldNotMigrate** Should the driver package be migrated during upgrade? +- **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove + +This event indicates that the DecisionDriverPackage object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync + +This event indicates that a new set of DecisionDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd + +This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks? +- **DisplayGenericMessage** Will a generic message be shown for this block? +- **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block? +- **SdbBlockUpgrade** Is a matching info block blocking upgrade? +- **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag? +- **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag? + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove + +This event indicates that the DecisionMatchingInfoBlock object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync + +This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd + +This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks? +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown due to matching info blocks. +- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove + +This event Indicates that the DecisionMatchingInfoPassive object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync + +This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd + +This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app? +- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade? +- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app? +- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade). + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove + +This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync + +This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd + +This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **BlockingApplication** Is there any application issues that interfere with upgrade due to Windows Media Center? +- **MediaCenterActivelyUsed** If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true? +- **MediaCenterIndicators** Do any indicators imply that Windows Media Center is in active use? +- **MediaCenterInUse** Is Windows Media Center actively being used? +- **MediaCenterPaidOrActivelyUsed** Is Windows Media Center actively being used or is it running on a supported edition? +- **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center? + + +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove + +This event indicates that the DecisionMediaCenter object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync + +This event indicates that a new set of DecisionMediaCenterAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd + +This event sends compatibility decision data about the BIOS to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the device blocked from upgrade due to a BIOS block? +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for the bios. +- **HasBiosBlock** Does the device have a BIOS block? + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove + +This event indicates that the DecisionSystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync + +This event indicates that a new set of DecisionSystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.GatedRegChange + +This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date. + +The following fields are available: + +- **NewData** The data in the registry value after the scan completed. +- **OldData** The previous data in the registry value before the scan ran. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **RegKey** The registry key name for which a result is being sent. +- **RegValue** The registry value for which a result is being sent. +- **Time** The client time of the event. + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd + +This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **AvDisplayName** If the app is an antivirus app, this is its display name. +- **AvProductState** Indicates whether the antivirus program is turned on and the signatures are up to date. +- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64. +- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. +- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. +- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata. +- **CompanyName** The company name of the vendor who developed this file. +- **FileId** A hash that uniquely identifies a file. +- **FileVersion** The File version field from the file metadata under Properties -> Details. +- **HasUpgradeExe** Indicates whether the antivirus app has an upgrade.exe file. +- **IsAv** Indicates whether the file an antivirus reporting EXE. +- **LinkDate** The date and time that this file was linked on. +- **LowerCaseLongPath** The full file path to the file that was inventoried on the device. +- **Name** The name of the file that was inventoried. +- **ProductName** The Product name field from the file metadata under Properties -> Details. +- **ProductVersion** The Product version field from the file metadata under Properties -> Details. +- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it. +- **Size** The size of the file (in hexadecimal bytes). + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove + +This event indicates that the InventoryApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync + +This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd + +This event sends data about the number of language packs installed on the system, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **HasLanguagePack** Indicates whether this device has 2 or more language packs. +- **LanguagePackCount** The number of language packs are installed. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove + +This event indicates that the InventoryLanguagePack object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync + +This event indicates that a new set of InventoryLanguagePackAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd + +This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **EverLaunched** Has Windows Media Center ever been launched? +- **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center? +- **HasExtendedUserAccounts** Are any Windows Media Center Extender user accounts configured? +- **HasWatchedFolders** Are any folders configured for Windows Media Center to watch? +- **IsDefaultLauncher** Is Windows Media Center the default app for opening music or video files? +- **IsPaid** Is the user running a Windows Media Center edition that implies they paid for Windows Media Center? +- **IsSupported** Does the running OS support Windows Media Center? + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove + +This event indicates that the InventoryMediaCenter object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync + +This event indicates that a new set of InventoryMediaCenterAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd + +This event sends basic metadata about the BIOS to determine whether it has a compatibility block. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **biosDate** The release date of the BIOS in UTC format. +- **BiosDate** The release date of the BIOS in UTC format. +- **biosName** The name field from Win32_BIOS. +- **BiosName** The name field from Win32_BIOS. +- **manufacturer** The manufacturer field from Win32_ComputerSystem. +- **Manufacturer** The manufacturer field from Win32_ComputerSystem. +- **model** The model field from Win32_ComputerSystem. +- **Model** The model field from Win32_ComputerSystem. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove + +This event indicates that the InventorySystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync + +This event indicates that a new set of InventorySystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd + +This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BootCritical** Is the driver package marked as boot critical? +- **Build** The build value from the driver package. +- **CatalogFile** The name of the catalog file within the driver package. +- **Class** The device class from the driver package. +- **ClassGuid** The device class unique ID from the driver package. +- **Date** The date from the driver package. +- **Inbox** Is the driver package of a driver that is included with Windows? +- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU. +- **Provider** The provider of the driver package. +- **PublishedName** The name of the INF file after it was renamed. +- **Revision** The revision of the driver package. +- **SignatureStatus** Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2. +- **VersionMajor** The major version of the driver package. +- **VersionMinor** The minor version of the driver package. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove + +This event indicates that the InventoryUplevelDriverPackage object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync + +This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.RunContext + +This event indicates what should be expected in the data payload. + +The following fields are available: + +- **__TlgCV_** No content is currently available. +- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built. +- **AppraiserProcess** The name of the process that launched Appraiser. +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **CensusId** A unique hardware identifier. +- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **Subcontext** Indicates what categories of incompatibilities appraiser is scanning for. Can be N/A, Resolve, or a semicolon-delimited list that can include App, Dev, Sys, Gat, or Rescan. +- **Time** The client time of the event. + + +### Microsoft.Windows.Appraiser.General.SystemMemoryAdd + +This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the device from upgrade due to memory restrictions? +- **MemoryRequirementViolated** Was a memory requirement violated? +- **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes). +- **ram** The amount of memory on the device. +- **ramKB** The amount of memory (in KB). +- **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes). +- **virtualKB** The amount of virtual memory (in KB). + + +### Microsoft.Windows.Appraiser.General.SystemMemoryRemove + +This event that the SystemMemory object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync + +This event indicates that a new set of SystemMemoryAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd + +This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **CompareExchange128Support** Does the CPU support CompareExchange128? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove + +This event indicates that the SystemProcessorCompareExchange object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync + +This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd + +This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **LahfSahfSupport** Does the CPU support LAHF/SAHF? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove + +This event indicates that the SystemProcessorLahfSahf object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync + +This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd + +This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support. +- **NXProcessorSupport** Does the processor support NX? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove + +This event indicates that the SystemProcessorNx object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync + +This event indicates that a new set of SystemProcessorNxAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd + +This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **PrefetchWSupport** Does the processor support PrefetchW? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove + +This event indicates that the SystemProcessorPrefetchW object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync + +This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add + +This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **SSE2ProcessorSupport** Does the processor support SSE2? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove + +This event indicates that the SystemProcessorSse2 object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync + +This event indicates that a new set of SystemProcessorSse2Add events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemTouchAdd + +This event sends data indicating whether the system supports touch, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer? +- **MaximumTouches** The maximum number of touch points supported by the device hardware. + + +### Microsoft.Windows.Appraiser.General.SystemTouchRemove + +This event indicates that the SystemTouch object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemTouchStartSync + +This event indicates that a new set of SystemTouchAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWimAdd + +This event sends data indicating whether the operating system is running from a compressed Windows Imaging Format (WIM) file, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **IsWimBoot** Is the current operating system running from a compressed WIM file? +- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM. + + +### Microsoft.Windows.Appraiser.General.SystemWimRemove + +This event indicates that the SystemWim object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWimStartSync + +This event indicates that a new set of SystemWimAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd + +This event sends data indicating whether the current operating system is activated, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated. +- **WindowsNotActivatedDecision** Is the current operating system activated? + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove + +This event indicates that the SystemWindowsActivationStatus object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync + +This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWlanAdd + +This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked because of an emulated WLAN driver? +- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block? +- **WlanEmulatedDriver** Does the device have an emulated WLAN driver? +- **WlanExists** Does the device support WLAN at all? +- **WlanModulePresent** Are any WLAN modules present? +- **WlanNativeDriver** Does the device have a non-emulated WLAN driver? + + +### Microsoft.Windows.Appraiser.General.SystemWlanRemove + +This event indicates that the SystemWlan object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWlanStartSync + +This event indicates that a new set of SystemWlanAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.TelemetryRunHealth + +This event indicates the parameters and result of a telemetry (diagnostic) run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date. + +The following fields are available: + +- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built. +- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run. +- **AppraiserProcess** The name of the process that launched Appraiser. +- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots. +- **AuxFinal** Obsolete, always set to false. +- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app. +- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan. +- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. +- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent. +- **InboxDataVersion** The original version of the data files before retrieving any newer version. +- **IndicatorsWritten** Indicates if all relevant UEX indicators were successfully written or updated. +- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. +- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. +- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. +- **RunDate** The date that the telemetry run was stated, expressed as a filetime. +- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic. +- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. +- **RunResult** The hresult of the Appraiser telemetry run. +- **ScheduledUploadDay** The day scheduled for the upload. +- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run. +- **StoreHandleIsNotNull** Obsolete, always set to false +- **TelementrySent** Indicates if telemetry was successfully sent. +- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability. +- **Time** The client time of the event. +- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging. +- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated. + + +### Microsoft.Windows.Appraiser.General.WmdrmAdd + +This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BlockingApplication** Same as NeedsDismissAction. +- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation. +- **WmdrmApiResult** Raw value of the API used to gather DRM state. +- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs. +- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased. +- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed. +- **WmdrmNonPårmanent** No content is currently available. +- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses. +- **WmdrmPurchased** Indicates if the system has any files with permanent licenses. + + +### Microsoft.Windows.Appraiser.General.WmdrmRemove + +This event indicates that the Wmdrm object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.WmdrmStartSync + +This event indicates that a new set of WmdrmAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +## Census events + +### Census.App + +Provides information on IE and Census versions running on the device + +The following fields are available: + +- **AppraiserEnterpriseErrorCode** The error code of the last Appraiser enterprise run. +- **AppraiserErrorCode** The error code of the last Appraiser run. +- **AppraiserRunEndTimeStamp** The end time of the last Appraiser run. +- **AppraiserRunIsInProgressOrCrashed** Flag that indicates if the Appraiser run is in progress or has crashed. +- **AppraiserRunStartTimeStamp** The start time of the last Appraiser run. +- **AppraiserTaskEnabled** Whether the Appraiser task is enabled. +- **AppraiserTaskExitCode** The Appraiser task exist code. +- **AppraiserTaskLastRun** The last runtime for the Appraiser task. +- **CensusVersion** The version of Census that generated the current data for this device. +- **IEVersion** The version of Internet Explorer that is running on the device. + + +### Census.Battery + +This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date. + +The following fields are available: + +- **InternalBatteryCapablities** Represents information about what the battery is capable of doing. +- **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity  to estimate the battery's wear. +- **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh. +- **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance. +- **IsAlwaysOnAlwaysConn0ctedCapable** No content is currently available. +- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value. + + +### Census.Camera + +This event sends data about the resolution of cameras on the device, to help keep Windows up to date. + +The following fields are available: + +- **FrontFacingCameraResolution** Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0. +- **RearFacingCameraResolution** Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0. + + +### Census.Enterprise + +This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment. + +The following fields are available: + +- **AADDeviceId** Azure Active Directory device ID. +- **AzureOSIDPresent** Represents the field used to identify an Azure machine. +- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs. +- **CDJType** Represents the type of cloud domain joined for the machine. +- **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers. +- **ContainerType** The type of container, such as process or virtual machine hosted. +- **EnrollmentType** Defines the type of MDM enrollment on the device. +- **HashedDomain** The hashed representation of the user domain used for login. +- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false +- **IsDERequirementMet** Represents if the device can do device encryption. +- **IsDeviceProt0cted** No content is currently available. +- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption +- **IsDomainJoined** Indicates whether a machine is joined to a domain. +- **IsEDPEnabled** Represents if Enterprise data protected on the device. +- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. +- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment. +- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. +- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier + + +### Census.Firmware + +This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date. + +The following fields are available: + +- **FirmwareManufacturer** Represents the manufacturer of the device's firmware (BIOS). +- **FirmwareReleaseD4te** No content is currently available. +- **FirmwareReleaseDate** Represents the date the current firmware was released. +- **FirmwareType** Represents the firmware type. The various types can be unknown, BIOS, UEFI. +- **FirmwareVersion** Represents the version of the current firmware. + + +### Census.Flighting + +This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up to date. + +The following fields are available: + +- **DeviceSampleRate** The telemetry sample rate assigned to the device. +- **EnablePreviewBuilds** Used to enable Windows Insider builds on a device. +- **FlightIds** A list of the different Windows Insider builds on this device. +- **FlightingBranchName** The name of the Windows Insider branch currently used by the device. +- **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program. +- **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device. +- **SSRK** Retrieves the mobile targeting settings. + + +### Census.Hardware + +This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up to date. + +The following fields are available: + +- **ActiveMicCount** The number of active microphones attached to the device. +- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36. +- **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields. +- **D3DMaxFeatureLevel** Supported Direct3D version. +- **DeviceColor** Indicates a color of the device. +- **DeviceForm** Indicates the form as per the device classification. +- **DeviceName** The device name that is set by the user. +- **DigitizerSupport** Is a digitizer supported? +- **DUID** The device unique ID. +- **Gyroscope** Indicates whether the device has a gyroscope (a mechanical component that measures and maintains orientation). +- **InventoryId** The device ID used for compatibility testing. +- **Magnetometer** Indicates whether the device has a magnetometer (a mechanical component that works like a compass). +- **NFCProximity** Indicates whether the device supports NFC (a set of communication protocols that helps establish communication when applicable devices are brought close together.) +- **OEMDigitalMarkerFileName** The name of the file placed in the \Windows\system32\drivers directory that specifies the OEM and model name of the device. +- **OEMManufacturerName** The device manufacturer name. The OEMName for an inactive device is not reprocessed even if the clean OEM name is changed at a later date. +- **OEMModelBaseBoard** The baseboard model used by the OEM. +- **OEMModelBaseBoardVersion** Differentiates between developer and retail devices. +- **OEMModelName** The device model name. +- **OEMModelNumber** The device model number. +- **OEMModelSKU** The device edition that is defined by the manufacturer. +- **OEMModelSystemFamily** The system family set on the device by an OEM. +- **OEMModelSystemVersion** The system model version set on the device by the OEM. +- **OEMOptionalIdentifier** A Microsoft assigned value that represents a specific OEM subsidiary. +- **OEMSerialNumber** The serial number of the device that is set by the manufacturer. +- **PhoneManufacturer** The friendly name of the phone manufacturer. +- **PowerPlatformRole** The OEM preferred power management profile. It's used to help to identify the basic form factor of the device. +- **SoCName** The firmware manufacturer of the device. +- **StudyID** Used to identify retail and non-retail device. +- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced. +- **TelemetryLevelLimitEnhanced** The telemetry level for Windows Analytics-based solutions. +- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user. +- **TPMManufacturerId** The ID of the TPM manufacturer. +- **TPMManufacturerVersion** The version of the TPM manufacturer. +- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0. +- **VoiceSupported** Does the device have a cellular radio capable of making voice calls? + + +### Census.Memory + +This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to date. + +The following fields are available: + +- **TotalPhysicalRAM** Represents the physical memory (in MB). +- **TotalVisibleMemory** Represents the memory that is not reserved by the system. + + +### Census.Network + +This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors), to help keep Windows up to date. + +The following fields are available: + +- **AMEI0** No content is currently available. +- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. +- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. +- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MEID** Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. +- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MobileOperatorBilling** Represents the telephone company that provides services for mobile phone users. +- **MobileOperatorCommercialized** Represents which reseller and geography the phone is commercialized for. This is the set of values on the phone for who and where it was intended to be used. For example, the commercialized mobile operator code AT&T in the US would be ATT-US. +- **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. +- **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. +- **NetworkAdapterGUID** The GUID of the primary network adapter. +- **NetworkCost** Represents the network cost associated with a connection. +- **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. +- **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. + + +### Census.OS + +This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date. + +The following fields are available: + +- **ActivationChannel** Retrieves the retail license key or Volume license key for a machine. +- **AssignedAccessStatus** Kiosk configuration mode. +- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled. +- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy. +- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time +- **GenuineState** Retrieves the ID Value specifying the OS Genuine check. +- **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update). +- **InstallLanguage** The first language installed on the user machine. +- **IsDeviceRetailDemo** Retrieves if the device is running in demo mode. +- **IsEduData** Returns Boolean if the education data policy is enabled. +- **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go +- **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI. +- **LanguagePacks** The list of language packages installed on the device. +- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store. +- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. +- **OSEdition** Retrieves the version of the current OS. +- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc +- **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). +- **OSSKU** Retrieves the Friendly Name of OS Edition. +- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. +- **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines. +- **OSTimeZoneBiasInMins** Retrieves the time zone set on machine. +- **OSUILocale** Retrieves the locale of the UI that is currently used by the OS. +- **ProductActivationResult** Returns Boolean if the OS Activation was successful. +- **ProductActivationTime** Returns the OS Activation time for tracking piracy issues. +- **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key. +- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability. +- **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. +- **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. +- **ServiceProductKeyID** Retrieves the License key of the KMS +- **SharedPCMode** Returns Boolean for education devices used as shared cart +- **Signature** Retrieves if it is a signature machine sold by Microsoft store. +- **SLICStatus** Whether a SLIC table exists on the device. +- **SLICVersion** Returns OS type/version from SLIC table. + + +### Census.PrivacySettings + +This event provides information about the device level privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represent the authority that set the value. The effective consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. + +The following fields are available: + +- **__TlggV__** No content is currently available. +- **Activity** Current state of the activity history setting. +- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. +- **ActivityHistoryCollection** Current state of the activity history collection setting. +- **AdvertisingId** Current state of the advertising ID setting. +- **AppDiagnostics** Current state of the app diagnostics setting. +- **Appointments** Current state of the calendar setting. +- **BluetooÕh** No content is currently available. +- **Bluetooth** Current state of the Bluetooth capability setting. +- **BluetoothSync** Current state of the Bluetooth sync capability setting. +- **BroadFileSystemAccess** Current state of the broad file system access setting. +- **CellularData** Current state of the cellular data capability setting. +- **Chat** Current state of the chat setting. +- **Contacts** Current state of the contacts setting. +- **DocumentsLibrary** Current state of the documents library setting. +- **Email** Current state of the email setting. +- **FindMyDevice** Current state of the "find my device" setting. +- **GazeInput** Current state of the gaze input setting. +- **HumanInterfaceDevice** Current state of the human interface device setting. +- **InkTypeImprovement** Current state of the improve inking and typing setting. +- **Location** Current state of the location setting. +- **LocationHistory** Current state of the location history setting. +- **LocationHistoryCloudSync** Current state of the location history cloud sync setting. +- **LocationHistoryOnTimeline** Current state of the location history on timeline setting. +- **Microphone** Current state of the microphone setting. +- **PhoneCall** Current state of the phone call setting. +- **PhoneCallHissory** No content is currently available. +- **PhoneCallHistory** Current state of the call history setting. +- **PicturesLibrary** Current state of the pictures library setting. +- **Radios** Current state of the radios setting. +- **SensorsCustom** Current state of the custom sensor setting. +- **SerialCommunication** Current state of the serial communication setting. +- **Sms** Current state of the text messaging setting. +- **SpeechPersonalization** Current state of the speech services setting. +- **USB** Current state of the USB setting. +- **UserAccountInformation** Current state of the account information setting. +- **UserDataTasks** Current state of the tasks setting. +- **UserNotificationListener** Current state of the notifications setting. +- **VideosLibrary** Current state of the videos library setting. +- **Webcam** Current state of the camera setting. +- **WiFiDirect** Current state of the Wi-Fi direct setting. + + +### Census.Processor + +Provides information on several important data points about Processor settings + +The following fields are available: + +- **KvaShadow** This is the micro code information of the processor. +- **MMSettingOverride** Microcode setting of the processor. +- **MMSettingOverrideMask** Microcode setting override of the processor. +- **PreviousUpdateRevisikn** No content is currently available. +- **PreviousUpdateRevision** Previous microcode revision +- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. +- **ProcessorClockSpeed** Clock speed of the processor in MHz. +- **ProcessorCores** Number of logical cores in the processor. +- **ProcessorIdentifier** Processor Identifier of a manufacturer. +- **ProcessorManufacturer** Name of the processor manufacturer. +- **ProcessorModel** Name of the processor model. +- **ProcessorPhysicalCores** Number of physical cores in the processor. +- **ProcessorUpdateRevision** The microcode revision. +- **ProcessorUpdateStatus** Enum value that represents the processor microcode load status +- **SocketCount** Count of CPU sockets. +- **SpeculationControl** Indicates whether the system has enabled protections needed to validate the speculation control vulnerability. + + +### Census.Security + +This event provides information on about security settings used to help keep Windows up to date and secure. + +The following fields are available: + +- **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard. +- **CGRunning** Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. This field tells if Credential Guard is running. +- **DGState** This field summarizes the Device Guard state. +- **HVCIRunning** Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all software running in kernel mode to safely allocate memory. This field tells if HVCI is running. +- **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest. +- **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host. +- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security. +- **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting. +- **SModeState** The Windows S mode trail state. +- **VBSState** Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled, Enabled, or Running. + + +### Census.Speech + +This event is used to gather basic speech settings on the device. + +The following fields are available: + +- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked. +- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities. +- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user. +- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. +- **KeyVer** Version information for the census speech event. +- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS). +- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. +- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities. +- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice. +- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device. +- **SpeechServicesValueSource** Indicates the deciding factor for the effective online speech recognition privacy policy settings: remote admin, local admin, or user preference. + + +### Census.Storage + +This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date. + +The following fields are available: + +- **PrimaryDiskTotalCapacity** Retrieves the amount of disk space on the primary disk of the device in MB. +- **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any). +- **StorageReservePassedPolicy** Indicates whether the Storage Reserve policy, which ensures that updates have enough disk space and customers are on the latest OS, is enabled on this device. +- **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB. + + +### Census.Userdefault + +This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date. + +The following fields are available: + +- **CalendarTrpe** No content is currently available. +- **CalendarType** The calendar identifiers that are used to specify different calendars. +- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. +- **DefaultBrowserProgId** The ProgramId of the current user's default browser. +- **LongDateFormat** The long date format the user has selected. +- **ShortDateFormat** The short date format the user has selected. + + +### Census.UserDisplay + +This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date. + +The following fields are available: + +- **InternalPrimaryDisp|aySizePhysicalY** No content is currently available. +- **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display. +- **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display. +- **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display. +- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display. +- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display. +- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display. +- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches . +- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches +- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine +- **NumberofInternalDisp** No content is currently available. +- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine. +- **VRAMDedicated** Retrieves the video RAM in MB. +- **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card. +- **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use. + + +### Census.UserNLS + +This event sends data about the default app language, input, and display language preferences set by the user, to help keep Windows up to date. + +The following fields are available: + +- **DefaultAppLanguage** The current user Default App Language. +- **DisplayLanguage** The current user preferred Windows Display Language. +- **HomeLocation** The current user location, which is populated using GetUserGeoId() function. +- **KeyboardInputLaîguages** No content is currently available. +- **KeyboardInputLanguages** The Keyboard input languages installed on the device. +- **SpeechInputLalguages** No content is currently available. +- **SpeechInputLanguages** The Speech Input languages installed on the device. + + +### Census.UserPrivacySettings + +This event provides information about the current users privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represents the authority that set the value. The effective consent is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = user, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. + +The following fields are available: + +- **Activity** Current state of the activity history setting. +- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. +- **ActivityHistoryCollection** Current state of the activity history collection setting. +- **AdvertisingId** Current state of the advertising ID setting. +- **AppDiagnostacs** No content is currently available. +- **AppDiagnostics** Current state of the app diagnostics setting. +- **Appiagnostics** No content is currently available. +- **Appointments** Current state of the calendar setting. +- **Bluetooth** Current state of the Bluetooth capability setting. +- **BluetoothSync** Current state of the Bluetooth sync capability setting. +- **BroadFileSystemAccess** Current state of the broad file system access setting. +- **CellularData** Current state of the cellular data capability setting. +- **Chat** Current state of the chat setting. +- **Contacts** Current state of the contacts setting. +- **DocumentsLibrary** Current state of the documents library setting. +- **Email** Current state of the email setting. +- **GazeInput** Current state of the gaze input setting. +- **HumanInterfaceDevice** Current state of the human interface device setting. +- **InkT9peImprovement** No content is currently available. +- **InkT9pePersonalization** No content is currently available. +- **InkTypeImprovement** Current state of the improve inking and typing setting. +- **InkTypePersonalization** Current state of the inking and typing personalization setting. +- **Location** Current state of the location setting. +- **LocationHistory** Current state of the location history setting. +- **LocationHistoryCloudSync** Current state of the location history cloud synchronization setting. +- **LocationHistoryOnTimeline** Current state of the location history on timeline setting. +- **Microphona** No content is currently available. +- **Microphone** Current state of the microphone setting. +- **PhoneCall** Current state of the phone call setting. +- **PhoneCallHistory** Current state of the call history setting. +- **PicturesLibrary** Current state of the pictures library setting. +- **Radios** Current state of the radios setting. +- **SensorsÃustom** No content is currently available. +- **SensorsCustom** Current state of the custom sensor setting. +- **SerialCommunication** Current state of the serial communication setting. +- **Sms** Current state of the text messaging setting. +- **SpeechPersonalization** Current state of the speech services setting. +- **UqerDataTasks** No content is currently available. +- **USB** Current state of the USB setting. +- **UserAccountInformation** Current state of the account information setting. +- **UserDataTasks** Current state of the tasks setting. +- **UserNotificationListener** Current state of the notifications setting. +- **VideosLibrary** Current state of the videos library setting. +- **Webcam** Current state of the camera setting. +- **WiFiDirect** Current state of the Wi-Fi direct setting. + + +### Census.VM + +This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date. + +The following fields are available: + +- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within. +- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor. +- **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present. +- **IsVDI** Is the device using Virtual Desktop Infrastructure? +- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors. +- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware. +- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware. + + +### Census.WU + +This event sends data about the Windows update server and other App store policies, to help keep Windows up to date. + +The following fields are available: + +- **AppraiserGatedStatus** Indicates whether a device has been gated for upgrading. +- **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled). +- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured +- **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting +- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades. +- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it? +- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update? +- **OSAssessmentForQualityUpdate** Is the device on the latest quality update? +- **OSAssessmentForSecurityUpdate** Is the device on the latest security update? +- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it? +- **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment. +- **OSRollbackCount** The number of times feature updates have rolled back on the device. +- **OSRolledBack** A flag that represents when a feature update has rolled back during setup. +- **OSUninstalled** A flag that represents when a feature update is uninstalled on a device . +- **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device. +- **OSWUAutoUpdateOptionsSource** The source of auto update setting that appears in the OSWUAutoUpdateOptions field. For example: Group Policy (GP), Mobile Device Management (MDM), and Default. +- **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently. +- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). +- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. +- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. +- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. +- **WUPauseState** Retrieves WU setting to determine if updates are paused. +- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). + + +### Census.Xbox + +This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date. + +The following fields are available: + +- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console. +- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console. +- **XboxLiveDeviceId** Retrieves the unique device ID of the console. +- **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft. + + +## Common data extensions + +### Common Data Extensions.app + +Describes the properties of the running application. This extension could be populated by a client app or a web app. + +The following fields are available: + +- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session. +- **env** The environment from which the event was logged. +- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event. +- **id** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application. +- **locale** The locale of the app. +- **name** The name of the app. +- **userId** The userID as known by the application. +- **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app. + + +### Common Data Extensions.container + +Describes the properties of the container for events logged within a container. + +The following fields are available: + +- **epoch** An ID that's incremented for each SDK initialization. +- **localId** The device ID as known by the client. +- **osVer** The operating system version. +- **seq** An ID that's incremented for each event. +- **type** The container type. Examples: Process or VMHost + + +### Common Data Extensions.cs + +Describes properties related to the schema of the event. + +The following fields are available: + +- **sig** A common schema signature that identifies new and modified event schemas. + + +### Common Data Extensions.device + +Describes the device-related fields. + +The following fields are available: + +- **deviceClass** The device classification. For example, Desktop, Server, or Mobile. +- **localId** A locally-defined unique ID for the device. This is not the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId +- **make** Device manufacturer. +- **model** Device model. + + +### Common Data Extensions.Envelope + +Represents an envelope that contains all of the common data extensions. + +The following fields are available: + +- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries. +- **data** Represents the optional unique diagnostic data for a particular event schema. +- **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp). +- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer). +- **ext_cs** Describes properties related to the schema of the event. See [Common Data Extensions.cs](#common-data-extensionscs). +- **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice). +- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos). +- **ext_receipts** Describes the fields related to time as provided by the client for debugging purposes. See [Common Data Extensions.receipts](#common-data-extensionsreceipts). +- **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk). +- **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser). +- **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc). +- **ext_xbl** Describes the fields related to XBOX Live. See [Common Data Extensions.xbl](#common-data-extensionsxbl). +- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency. +- **iKey** Represents an ID for applications or other logical groupings of events. +- **name** Represents the uniquely qualified name for the event. +- **popSample** Represents the effective sample rate for this event at the time it was generated by a client. +- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format. +- **ver** Represents the major and minor version of the extension. + + +### Common Data Extensions.os + +Describes some properties of the operating system. + +The following fields are available: + +- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot. +- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema. +- **locale** Represents the locale of the operating system. +- **name** Represents the operating system name. +- **ver** Represents the major and minor version of the extension. + + +### Common Data Extensions.receipts + +Represents various time information as provided by the client and helps for debugging purposes. + +The following fields are available: + +- **originalTime** The original event time. +- **uploadTime** The time the event was uploaded. + + +### Common Data Extensions.sdk + +Used by platform specific libraries to record fields that are required for a specific SDK. + +The following fields are available: + +- **epoch** An ID that is incremented for each SDK initialization. +- **installId** An ID that's created during the initialization of the SDK for the first time. +- **libVer** The SDK version. +- **seq** An ID that is incremented for each event. + + +### Common Data Extensions.user + +Describes the fields related to a user. + +The following fields are available: + +- **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token. +- **locale** The language and region. +- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID. + + +### Common Data Extensions.utc + +Describes the properties that could be populated by a logging library on Windows. + +The following fields are available: + +- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW. +- **bSeq** Upload buffer sequence number in the format: buffer identifier:sequence number +- **cat** Represents a bitmask of the ETW Keywords associated with the event. +- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer. +- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server. +- **flags** Represents the bitmap that captures various Windows specific flags. +- **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence +- **op** Represents the ETW Op Code. +- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. +- **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server. +- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. + + +### Common Data Extensions.xbl + +Describes the fields that are related to XBOX Live. + +The following fields are available: + +- **claims** Any additional claims whose short claim name hasn't been added to this structure. +- **did** XBOX device ID +- **dty** XBOX device type +- **dvr** The version of the operating system on the device. +- **eid** A unique ID that represents the developer entity. +- **exp** Expiration time +- **ip** The IP address of the client device. +- **nbf** Not before time +- **pid** A comma separated list of PUIDs listed as base10 numbers. +- **sbx** XBOX sandbox identifier +- **sid** The service instance ID. +- **sty** The service type. +- **tid** The XBOX Live title ID. +- **tvr** The XBOX Live title version. +- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. +- **xid** A list of base10-encoded XBOX User IDs. + + +## Common data fields + +### Ms.Device.DeviceInventoryChange + +Describes the installation state for all hardware and software components available on a particular device. + +The following fields are available: + +- **action** The change that was invoked on a device inventory object. +- **invent¹ryId** No content is currently available. +- **inventoryId** Device ID used for Compatibility testing +- **objectInstanceId** Object identity which is unique within the device scope. +- **objectType** Indicates the object type that the event applies to. +- **objmctType** No content is currently available. +- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. + + +## Compatibility events + +### Microsoft.Windows.Compatibility.Apphelp.SdbFix + +Product instrumentation for helping debug/troubleshoot issues with inbox compatibility components. + +The following fields are available: + +- **AppName** Name of the application impacted by SDB. +- **FixID** SDB GUID. +- **Flags** List of flags applied. +- **ImageName** Name of file. + + +## Component-based servicing events + +### CbsServicingProvider.CbsCapabilityEnumeration + +This event reports on the results of scanning for optional Windows content on Windows Update. + +The following fields are available: + +- **architecture** Indicates the scan was limited to the specified architecture. +- **capabilityCount** The number of optional content packages found during the scan. +- **clientId** The name of the application requesting the optional content. +- **duration** The amount of time it took to complete the scan. +- **hrStatus** The HReturn code of the scan. +- **language** Indicates the scan was limited to the specified language. +- **majorVersion** Indicates the scan was limited to the specified major version. +- **minorVersion** Indicates the scan was limited to the specified minor version. +- **namespace** Indicates the scan was limited to packages in the specified namespace. +- **sourceFilter** A bitmask indicating the scan checked for locally available optional content. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionFinalize + +This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. + +The following fields are available: + +- **capabilities** The names of the optional content packages that were installed. +- **clientId** The name of the application requesting the optional content. +- **currentID** The ID of the current install session. +- **downloadSource** The source of the download. +- **highestState** The highest final install state of the optional content. +- **hrLCUReservicingStatus** Indicates whether the optional content was updated to the latest available version. +- **hrStatus** The HReturn code of the install operation. +- **rebootCount** The number of reboots required to complete the install. +- **retryID** The session ID that will be used to retry a failed operation. +- **retryStatus** Indicates whether the install will be retried in the event of failure. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionPended + +This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date. + +The following fields are available: + +- **clientId** The name of the application requesting the optional content. +- **pendingDecision** Indicates the cause of reboot, if applicable. + + +### CbsServicingProvider.CbsLateAcquisition + +This event sends data to indicate if some Operating System packages could not be updated as part of an upgrade, to help keep Windows up to date. + +The following fields are available: + +- **Features** The list of feature packages that could not be updated. +- **RetryID** The ID identifying the retry attempt to update the listed packages. + + +### CbsServicingProvider.CbsPackageRemoval + +This event provides information about the results of uninstalling a Windows Cumulative Security Update to help keep Windows up to date. + +The following fields are available: + +- **buildVersion** The build number of the security update being uninstalled. +- **clientId** The name of the application requesting the uninstall. +- **currentStateEnd** The final state of the update after the operation. +- **failureDetails** Information about the cause of a failure, if applicable. +- **failureSourceEnd** The stage during the uninstall where the failure occurred. +- **hrStatusEnd** The overall exit code of the operation. +- **initiatedOffline** Indicates if the uninstall was initiated for a mounted Windows image. +- **majorVersion** The major version number of the security update being uninstalled. +- **minorVersion** The minor version number of the security update being uninstalled. +- **originalState** The starting state of the update before the operation. +- **pendingDecision** Indicates the cause of reboot, if applicable. +- **primitiveExecutionContext** The state during system startup when the uninstall was completed. +- **revisionVersion** The revision number of the security update being uninstalled. +- **transactionCanceled** Indicates whether the uninstall was cancelled. + + +### CbsServicingProvider.CbsQualityUpdateInstall + +This event reports on the performance and reliability results of installing Servicing content from Windows Update to keep Windows up to date. + +The following fields are available: + +- **buildVersion** The build version number of the update package. +- **clientId** The name of the application requesting the optional content. +- **corruptionHistoryFlags** A bitmask of the types of component store corruption that have caused update failures on the device. +- **corruptionType** An enumeration listing the type of data corruption responsible for the current update failure. +- **currentStateEnd** The final state of the package after the operation has completed. +- **doqTimeSeconds** The time in seconds spent updating drivers. +- **executeTimeSeconds** The number of seconds required to execute the install. +- **failureDetails** The driver or installer that caused the update to fail. +- **failureSourceEnd** An enumeration indicating at what phase of the update a failure occurred. +- **hrStatusEnd** The return code of the install operation. +- **initiatedOffline** A true or false value indicating whether the package was installed into an offline Windows Imaging Format (WIM) file. +- **majorVersion** The major version number of the update package. +- **minorVersion** The minor version number of the update package. +- **originalState** The starting state of the package. +- **overallTimeSeconds** The time (in seconds) to perform the overall servicing operation. +- **planTimeSeconds** The time in seconds required to plan the update operations. +- **poqTimeSeconds** The time in seconds processing file and registry operations. +- **postRebootTimeSeconds** The time (in seconds) to do startup processing for the update. +- **preRebootTimeSeconds** The time (in seconds) between execution of the installation and the reboot. +- **primitiveExecutionContext** An enumeration indicating at what phase of shutdown or startup the update was installed. +- **rebootCount** The number of reboots required to install the update. +- **rebootTimeSeconds** The time (in seconds) before startup processing begins for the update. +- **resolveTimeSeconds** The time in seconds required to resolve the packages that are part of the update. +- **revisionVersion** The revision version number of the update package. +- **rptTimeSeconds** The time in seconds spent executing installer plugins. +- **shutdownTimeSeconds** The time (in seconds) required to do shutdown processing for the update. +- **stackRevision** The revision number of the servicing stack. +- **stageTimeSeconds** The time (in seconds) required to stage all files that are part of the update. + + +### CbsServicingProvider.CbsSelectableUpdateChangeV2 + +This event reports the results of enabling or disabling optional Windows Content to keep Windows up to date. + +The following fields are available: + +- **applicableUpdateState** Indicates the highest applicable state of the optional content. +- **buildVersion** The build version of the package being installed. +- **clientId** The name of the application requesting the optional content change. +- **downloadSource** Indicates if optional content was obtained from Windows Update or a locally accessible file. +- **downloadtimeInSeconds** The number of seconds required to complete the optional content download. +- **executionID** A unique ID used to identify events associated with a single servicing operation and not reused for future operations. +- **executionSequence** A counter that tracks the number of servicing operations attempted on the device. +- **firstMergedExecutionSequence** The value of a pervious executionSequence counter that is being merged with the current operation, if applicable. +- **firstMergedID** A unique ID of a pervious servicing operation that is being merged with this operation, if applicable. +- **hrDownloadResult** The return code of the download operation. +- **hrStatusUpdate** The return code of the servicing operation. +- **identityHash** A pseudonymized (hashed) identifier for the Windows Package that is being installed or uninstalled. +- **initiatedOffline** Indicates whether the operation was performed against an offline Windows image file or a running instance of Windows. +- **majorVersion** The major version of the package being installed. +- **minorVersion** The minor version of the package being installed. +- **packageArchitecture** The architecture of the package being installed. +- **packageLanguage** The language of the package being installed. +- **packageName** The name of the package being installed. +- **rebootRequired** Indicates whether a reboot is required to complete the operation. +- **revisionVersion** The revision number of the package being installed. +- **stackBuild** The build number of the servicing stack binary performing the installation. +- **stackMajorVersion** The major version number of the servicing stack binary performing the installation. +- **stackMinorVersion** The minor version number of the servicing stack binary performing the installation. +- **stackRevision** The revision number of the servicing stack binary performing the installation. +- **updateName** The name of the optional Windows Operation System feature being enabled or disabled. +- **updateStartState** A value indicating the state of the optional content before the operation started. +- **updateTargetState** A value indicating the desired state of the optional content. + + +## Deployment extensions + +### DeploymentTelemetry.Deployment_End + +This event indicates that a Deployment 360 API has completed. + +The following fields are available: + +- **ClientId** Client ID of the user utilizing the D360 API. +- **ErrorCode** Error code of action. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Mode** Phase in upgrade. +- **RelatedCV** The correction vector (CV) of any other related events +- **Result** End result of the action. + + +### DeploymentTelemetry.Deployment_SetupBoxLaunch + +This event indicates that the Deployment 360 APIs have launched Setup Box. + +The following fields are available: + +- **ClientId** The client ID of the user utilizing the D360 API. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Quiet** Whether Setup will run in quiet mode or full mode. +- **RelatedCV** The correlation vector (CV) of any other related events. +- **SetupMode** The current setup phase. + + +### DeploymentTelemetry.Deployment_SetupBoxResult + +This event indicates that the Deployment 360 APIs have received a return from Setup Box. + +The following fields are available: + +- **ClientId** Client ID of the user utilizing the D360 API. +- **ErrorCode** Error code of the action. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Quiet** Indicates whether Setup will run in quiet mode or full mode. +- **RelatedCV** The correlation vector (CV) of any other related events. +- **SetupMode** The current Setup phase. + + +### DeploymentTelemetry.Deployment_Start + +This event indicates that a Deployment 360 API has been called. + +The following fields are available: + +- **ClientId** Client ID of the user utilizing the D360 API. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Mode** The current phase of the upgrade. +- **RelatedCV** The correlation vector (CV) of any other related events. + + +## Diagnostic data events + +### TelClientSynthetic.AuthorizationInfo_RuntimeTransition + +This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. + +The following fields are available: + +- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. +- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. +- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. +- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. +- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. +- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. +- **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **PreviousPermissions** Bitmask of previous telemetry state. +- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. + + +### TelClientSynthetic.AuthorizationInfo_Startup + +Fired by UTC at startup to signal what data we are allowed to collect. + +The following fields are available: + +- **CanAdd** No content is currently available. +- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. +- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. +- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. +- **CanCollectHe.Debeats** No content is currently available. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. +- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. +- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. +- **CanPerformDiagnosticEscalationc** No content is currently available. +- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. +- **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **PreviousPermicsions** No content is currently available. +- **PreviousPermissions** Bitmask of previous telemetry state. +- **TransitionFromEveryt`ingOff** No content is currently available. +- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. + + +### TelClientSynthetic.ConnectivityHeartBeat_0 + +This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. + +The following fields are available: + +- **CensusExitCode** Returns last execution codes from census client run. +- **CensusStartTime** Returns timestamp corresponding to last successful census run. +- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. +- **LastConnectivityLossTime** Retrieves the last time the device lost free network. +- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. +- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. +- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds. +- **捔祦⽌䱩⽪昫橷瘴場漸䤫〫洯硈㍈㡮⽯** No content is currently available. +- **⽫甸㑪摭橷捔橗⭪晙晅晣穹椸樷** No content is currently available. +- **䉪䌯䱏杄䬷㝐灌䩚㠯⽉䝲伹㡈㕉佤** No content is currently available. + + +### TelClientSynthetic.HeartBeat_5 + +This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. + +The following fields are available: + +- **** No content is currently available. +- **艍ጋⰎჄ↶췸̎耀艊ጀ‏艋ጃᰌი↶** No content is currently available. +- **@쯵￿耀蝉ᄀ〉‭ᢤ↱p** No content is currently available. +- **⬰げㅶ漴䬸穕婒㘳㕡䙤乯欸㉂夷** No content is currently available. +- **㉕睐灆㝎剓畷⽧⽶扙全ぐ⽒灥湐湌䈶灦晋砰っ礯䈱㕪** No content is currently available. +- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel. +- **AgentCoNnectionErrorsCount** No content is currently available. +- **āकĒࠨ婆Pက喬↵갸ژāक** No content is currently available. +- **āकĒࠨ婦Tက** No content is currently available. +- **āकĒࠨ媦\က** No content is currently available. +- **āकĒࠨ宆xက僸↵곌׌** No content is currently available. +- **āकĒࠨ汆 嬨↵꼔** No content is currently available. +- **CensusExitCode** The last exit code of the Census task. +- **CensusStartTime** Time of last Census run. +- **CensusTaskEnabled** True if Census is enabled, false otherwise. +- **CompressedBytesUploaded** Number of compressed bytes uploaded. +- **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. +- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. +- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling. +- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB. +- **CriticalOvErflowEntersCounter** No content is currently available. +- **DbCriticalDroppedCount** Total number of dropped critical events in event DB. +- **DbDroppedCount** Number of events dropped due to DB fullness. +- **DbDroppedFailureCount** Number of events dropped due to DB failures. +- **DbDroppedFullCount** Number of events dropped due to DB fullness. +- **DecndingDroppedCount** No content is currently available. +- **DecodingDroppedCount** Number of events dropped due to decoding failures. +- **Ēࠨ⳥ࠥ䃀첤↵쁸拠** No content is currently available. +- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. +- **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. +- **EventsPersistedCount** Number of events that reached the PersistEvent stage. +- **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC. +- **EventStoreResetCounter** Number of times event DB was reset. +- **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance. +- **EventSubStoreResetCounter** Number of times event DB was reset. +- **EventSubStoreResetSizeSum** Total size of event DB across all resets reports in this instance. +- **EventsUploaded** Number of events uploaded. +- **Flags** Flags indicating device state such as network state, battery state, and opt-in state. +- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. +- **FullTrigwerBufferDroppedCount** No content is currently available. +- **HeartBeatSequenceNumber** The sequence number of this heartbeat. +- **InvalidH4BFCodeCount** No content is currently available. +- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. +- **ȋ耀耭⬀‧早诉耮⬄怛昡设耯⬈** No content is currently available. +- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. +- **LastEventSizeOffender** Event name of last event which exceeded max event size. +- **LastInvalidH4BFCode** No content is currently available. +- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. +- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. +- **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. +- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). +- **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. +- **ⓅЀ쬐↵삔托ā** No content is currently available. +- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. +- **SettingsH4BFAttempts** No content is currently available. +- **SettingsH4BFFailures** No content is currently available. +- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. +- **SettingsHttpFailures** The number of failures from contacting the OneSettings service. +- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. +- **TopUploaderErrors** List of top errors received from the upload endpoint. +- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. +- **UploaderErrorCount** Number of errors received from the upload endpoint. +- **VortexFailuresTimeout** The number of timeout failures received from Vortex. +- **VortexH4BFAttempts** No content is currently available. +- **VortexH4BFFailures4xx** No content is currently available. +- **VortexH4BFFailures5xx** No content is currently available. +- **VortexH4BFResponseFailures** No content is currently available. +- **VortexH4BFResponsesWithDroppedEvents** No content is currently available. +- **VortexHttpAttempts** Number of attempts to contact Vortex. +- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. +- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. +- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. +- **VortexHttpResponsesWi|hDroppedEvents** No content is currently available. +- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. +- **V聯rtexHttpFailures5xx** No content is currently available. +- **अĒࠨⴅ!₀俨↵겈Ѹ** No content is currently available. +- **ြ갌暠聇⭜搽갌暜聈⭠밾갌** No content is currently available. +- **ေ괔暜耼⬰뀲궄暠耽⬴吳괄暜** No content is currently available. +- **̎耀艊ጀ‏艋ጃᰌი↶** No content is currently available. +- **권擘耩⬔ఫ권擔耪⬘〬권擘耫⬜ﰭ권擔耬⬠�� 擝诚** No content is currently available. +- **곔暜聄⭐к괤暠聅⭔퐻갔暜** No content is currently available. +- **갌暜聘⮠偎갌暠聙⮤鑏갌暜聚** No content is currently available. +- **꺨徠耋** No content is currently available. +- **껨徤而⬬퐱길徠耍⬰耲기徤耎⬴㐳** No content is currently available. +- **꼄ቌāकĒࠨ** No content is currently available. +- **쐴궤暠耿⬼찵곴暜** No content is currently available. +- **乭睱祒ㅡ坘牦晩塴唯㥺扱氫㝬㜸⭗偑圶㍡䈲䔯略儹祘㝈圳㡆晪煥瘰䱫琯汗朸⽦ㅵ歶** No content is currently available. +- **佗䱺䑁⽱橒失猶畓湳硖䭏煲愴呌眹卲愹癦慂㝘㡔䰰⭗偡穭䌹㍧偙** No content is currently available. +- **佱塪癒噲歋㤶癉乴煙瑬睷婇睶杭剓摁乄** No content is currently available. +- **倰煹穑䅣䍏楍桧㥡䙪畴䑕橲䕋甯朱㝗硐⭨渶㕶㈯杖䤸穗䡈㥂㥭㑱㝙** No content is currently available. +- **偊〫祰汓汨兄男捇䉧潗塶睥唴㕺瑰煲焰㕸卩兢㉮** No content is currently available. +- **典止歂㔴ぎ䕅穔䜫㥹地䵭ㅔ煘乓假穑䙭䕱㈰晃卉敳祎煙捺灘橙癭䵈伹ぴ硱** No content is currently available. +- **典㙪獬牵汑ㅘ灢㕌㝶湌㑣㙌捯㑷㈳潏祓㥪戳㉺** No content is currently available. +- **剼↵겤״āकĒࠨ婦T** No content is currently available. +- **匈↵걼بāकĒࠨ媦\က咈↵ڐ** No content is currently available. +- **匷硬䭦兔楰㑔汬㑶儷䱈乥猴㕘晱歈瑘游剏㡸㝩倵** No content is currently available. +- **呅穹敖兌橤㈵汴洲䨶潈乺⭎⭕栫** No content is currently available. +- **呣礲晉坩穑〹ひ䝰ぷ噢晘堳刳噒䩈丵畏兑䩨琳⬹佫搱噈** No content is currently available. +- **啧癃獷奆䕤穱啧晬呈䅌琴䴫桗獍噲瘶㕨橰啪楗佧** No content is currently available. +- **噪兙䑯楓㍈奬慰㝋坣睵潕婤瑚䱊昹伵朱敕杰爸睶** No content is currently available. +- **噶甴う歶㍔䈹㝘潳䍈煆⼹挴⬯㝷祄䈯㝃⼯** No content is currently available. +- **坪䙵失慒獗攱猱塘⽰桪⬲摫倶摘塂䄰䰶⽵歐浪瀷** No content is currently available. +- **堿갌暜聊⭨ⱀ갌暠聋⭬** No content is currently available. +- **塩猯䡦癐㝔祤偪捲浖焷㍁浲祹䕡橆橨瑈坰獕教** No content is currently available. +- **失椷䡔㠱呯⽅䕴慴乊匵戱洱番偓㡤䘳㡪奨楈** No content is currently available. +- **夵楲䑣癳摌六䔴㍍⬶獖晘⽅䅅祸㙖橸佣坂㉵ㅚ慇** No content is currently available. +- **慦㥣㥘硸癒䕎䩪㤰䠯祔う敚⬹户䨳啢䩖䡦䘱桎癆** No content is currently available. +- **扊㍩坒潅㝤児堷䩤㉫硩䠶橗杤橚慃杇橙㉡摔娳** No content is currently available. +- **捔祦⽌䱩⽪昫橷瘴場漸䤫〫洯硈㍈㡮⽯** No content is currently available. +- **敬䉶癷潘場㡌䱥⭬䙐⽹楈堵硪牣㑸䵸䥴㝄噣瑒䠸ㅪ** No content is currently available. +- **昡讱⮮耀耰⬀‧晩讛耱⬄怛暥讐耲⬈** No content is currently available. +- **暜耸⬠蠮궴暠耹⬤뀯괤暜耺⬨氰긔暠** No content is currently available. +- **暜职⭰䱂갌暠聍⭴籃갌暜聎⭸聄** No content is currently available. +- **暜聒⮈챈갌暠聓⮌둉갌暜联** No content is currently available. +- **暠耳⬌ﰩ굔暜耴⬐瀪귤暠耵⬔瀫굄暜耶⬘쐬긔暠耷⬜** No content is currently available. +- **暠聏⭼㑅갌暜聐⮀ᑆ갌暠聑⮄** No content is currently available. +- **术硂瑲⽑㥴䱡偭橏䬷礫癪硷㡲⽰䑇游临㙐橪㑯倴⽓剂** No content is currently available. +- **樲㙘䡌㡘坯歎楈⽹ご㥹湭歆㡨婨⬵啊䍶桊塌吶㥈敍汍㕪刲慄** No content is currently available. +- **毆€ 娠↵꺈࿐** No content is currently available. +- **泆  嚔↵곴बā** No content is currently available. +- **湹䩳⭑晹礰婶啊灋䱸晒㉉㑬ひ⭄㑉慙㝲䡦** No content is currently available. +- **潭晰橷睧䌵** No content is currently available. +- **瀯㉪䡏ㅏ⭕楆摡倶㙑愰佚䍪䤳煃奄硭摍嘯煗㍓唸卆** No content is currently available. +- **灋瘸乏煆䬳桱㕙瘸㑘䙸橧㥶䔵橲㕙楗佧吸⭚獏桗** No content is currently available. +- **獇牅歘䉡汸㉂夸乶坁浂偕㤲塅䩸桑と牚穒癲浕** No content is currently available. +- **獭䭏啪漲睌穩⬫入䨱䈸⽁䑇敉儴慣㙹么䥶晋湋朶剹慷** No content is currently available. +- **瑖穒㍤摧癵摆䑧⭧䍏杭䵫敘煰橲煤橲煤橲煤橲煤橲煤橲煤橲煤橲武** No content is currently available. +- **⽫甸㑪摭橷捔橗⭪晙晅晣穹椸樷** No content is currently available. +- **穇圹塑⽈潘䉘䉒头㡕湲㠵汪圸夸䑬潕杪䙔戴䑌** No content is currently available. +- **穬⼱䍯昫㤹卲儫⬯牎奦㡈㙸ㄯ時㍊佘䱳伵㠫栱䥦⭦慊祘⽂浶** No content is currently available. +- **ࠣ耀耤⬀‧撡豒耥⬄怛擝豇耦⬈귄擘耧⬌鐩** No content is currently available. +- **̎耀艊ጀ‏艋ጃᰌი↶艌錇萍ƒ** No content is currently available. +- **̎耀艊ጀ‏艋ጃᰌი↶艌錇萍ƒ჌↶ 艍ጋⰎ** No content is currently available. +- **耏⬸찴기徤耐⬼됵기** No content is currently available. +- **耑⭀萶기徤耒⭄࠷기徠耓** No content is currently available. +- **耝⬐�� 拱費Ԗ耀耞** No content is currently available. +- **艋ጃᰌი↶艌錇萍ƒ჌↶ 艍ጋⰎჄ↶** No content is currently available. +- **萍ƒ჌↶ 艍ጋⰎჄ↶᝞耀老⬀‧彵** No content is currently available. +- **萍ƒ჌↶ 艍ጋⰎჄ↶큰̎耀艊** No content is currently available. +- **葊갌暠聕⮔ࡋ갌暜聖⮘豌갌暠聗** No content is currently available. +- **㐰愱啬瑬癏䝒乘慲椰㉑眫䱄晶獶䝅䙗䕫㉡** No content is currently available. +- **䄸䵒䝰ㅹ灌癳噚䥍祫䬵礷楗光摹䑑䡢ㅑ䭱獎伱噺獃䕑济浱桱** No content is currently available. +- **䉪䌯䱏杄䬷㝐灌䩚㠯⽉䝲伹㡈㕉佤** No content is currently available. +- **䍭㐰䕩坶㥆慉塲夶煁椫㝖瀱栲硪爯畉乂㑒㝥昷䕺乍併娴橲䭎改睗畃睯** No content is currently available. +- **䍸欳昷偔坊問扨婔䨷㥗桴塲㍄䵹橥癉嘷䵊噲湥** No content is currently available. +- **䠷坸⽦䄯⽣晵ㄳ卂楖づ睧䤵椹穴䝊潩硍䩢䵎橫㍸牨** No content is currently available. +- **䨵浤汗位㑗䕶㝸䥮敡潱倱偑煥塪晢** No content is currently available. +- **䰶굔暠聁⭄砷곤暜聂⭈8궄暠** No content is currently available. +- **䱥⭫䙐晹楈䠵硨牣㑷噏挶䍈伹桪湣㑸呵㠴乘攸浌䡥穆䱶㕧瑘捷㉌伶穆䡦㕩橶捸砳甴㑚堸** No content is currently available. +- **䱲㝏危㡨呥卐䩯⭒祐汮潧䩑ㅷ歈偤㉱灕⬲穏公** No content is currently available. +- **䴶㑊啥䕪乶汊摉㥐焲楂䜹洳敡⬫灍⭒佦呮敮婪〷朵癹呧煡㙤䤫浨瘹** No content is currently available. + + +### TelClientSynthetic.HeartBeat_Aria_5 + +This event is the telemetry client ARIA heartbeat. + +The following fields are available: + +- **CompressedBytesUploaded** Number of compressed bytes uploaded. +- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. +- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. +- **DbCriticalDroppedCount** Total number of dropped critical events in event database. +- **DbDroppedCount** Number of events dropped at the database layer. +- **DbDroppedFailureCount** Number of events dropped due to database failures. +- **DbDroppedFullCount** Number of events dropped due to database being full. +- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **EventsPersistedCount** Number of events that reached the PersistEvent stage. +- **EventStoreLifetimeResetCounter** Number of times the event store has been reset. +- **EventStoreResetCounter** Number of times the event store has been reset during this heartbeat. +- **EventStoreResetSizeSum** Size of event store reset in bytes. +- **EventsUploaded** Number of events uploaded. +- **HeartBeatSequenceNumber** The sequence number of this heartbeat. +- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. +- **LastEventSizeOffender** Event name of last event which exceeded max event size. +- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. +- **PreviousHeartBeatTime** The FILETIME of the previous heartbeat fire. +- **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. +- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. +- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. +- **SettingsHttpFailures** Number of failures from contacting OneSettings service. +- **TopUploaderErrors** List of top errors received from the upload endpoint. +- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. +- **UploaderErrorCount** Number of errors received from the upload endpoint. +- **VortexFailuresTimeout** Number of time out failures received from Vortex. +- **VortexHttpAttempts** Number of attempts to contact Vortex. +- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. +- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. +- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. +- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. + + +### TelClientSynthetic.HeartBeat_Seville_5 + +This event is sent by the universal telemetry client (UTC) as a heartbeat signal for Sense. + +The following fields are available: + +- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host or agent channel. +- **CompressedBytesUploaded** Number of compressed bytes uploaded. +- **ConsumerDroppedCount** Number of events dropped at consumer layer of the telemetry client. +- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. +- **CriticalDataThrottleDroppedCount** Number of critical data sampled events dropped due to throttling. +- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. +- **DailyUploadQuotaInBytes** Daily upload quota for Sense in bytes (only in in-proc mode). +- **DbCriticalDroppedCount** Total number of dropped critical events in event database. +- **DbDroppedCount** Number of events dropped due to database being full. +- **DbDroppedFailureCount** Number of events dropped due to database failures. +- **DbDroppedFullCount** Number of events dropped due to database being full. +- **DecodingDroppedCount** Number of events dropped due to decoding failures. +- **DiskSizeInBytes** Size of event store for Sense in bytes (only in in-proc mode). +- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **EtwDroppedBufferCount** Number of buffers dropped in the universal telemetry client (UTC) event tracing for Windows (ETW) session. +- **EtwDroppedCount** Number of events dropped at the event tracing for Windows (ETW) layer of telemetry client. +- **EventsPersistedCount** Number of events that reached the PersistEvent stage. +- **EventStoreLifetimeResetCounter** Number of times event the database was reset for the lifetime of the universal telemetry client (UTC). +- **EventStoreResetCounter** Number of times the event database was reset. +- **EventStoreResetSizeSum** Total size of the event database across all resets reports in this instance. +- **EventsUploaded** Number of events uploaded. +- **Flags** Flags indicating device state, such as network state, battery state, and opt-in state. +- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. +- **HeartBeatSequenceNumber** The sequence number of this heartbeat. +- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. +- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. +- **LastEventSizeOffender** Event name of last event which exceeded the maximum event size. +- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. +- **MaxActiveAgentConnectionCount** Maximum number of active agents during this heartbeat timeframe. +- **NormalUploadTimerMillis** Number of milliseconds between each upload of normal events for SENSE (only in in-proc mode). +- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). +- **RepeatedUploadFailureDropped** Number of events lost due to repeated failed uploaded attempts. +- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. +- **SettingsHttpFailures** Number of failures from contacting the OneSettings service. +- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. +- **TopUploaderErrors** Top uploader errors, grouped by endpoint and error type. +- **UploaderDroppedCount** Number of events dropped at the uploader layer of the telemetry client. +- **UploaderErrorCount** Number of input for the TopUploaderErrors mode estimation. +- **VortexFailuresTimeout** Number of time out failures received from Vortex. +- **VortexHttpAttempts** Number of attempts to contact Vortex. +- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. +- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. +- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. +- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. + + +## Direct to update events + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicability + +Event to indicate that the Coordinator CheckApplicability call succeeded. + +The following fields are available: + +- **ApplicabilityResult** Result of CheckApplicability function. +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **IsDeviceAADDomainJoined** Indicates whether the device is logged in to the AAD (Azure Active Directory) domain. +- **IsDeviceADDomainJoined** Indicates whether the device is logged in to the AD (Active Directory) domain. +- **IsDeviceCloverTrail** Indicates whether the device has a Clover Trail system installed. +- **IsDeviceFeatureUpdatingPaused** Indicates whether Feature Update is paused on the device. +- **IsDeviceNetworkMetered** Indicates whether the device is connected to a metered network. +- **IsDeviceOobeBlocked** Indicates whether user approval is required to install updates on the device. +- **IsDeviceRequireUpdateApproval** Indicates whether user approval is required to install updates on the device. +- **IsDeviceSccmManaged** Indicates whether the device is running the Microsoft SCCM (System Center Configuration Manager) to keep the operating system and applications up to date. +- **IsDeviceUninstallActive** Indicates whether the OS (operating system) on the device was recently updated. +- **IsDeviceUpdateNotificationLevel** Indicates whether the device has a set policy to control update notifications. +- **IsDeviceUpdateServiceManaged** Indicates whether the device uses WSUS (Windows Server Update Services). +- **IsDeviceZeroExhaust** Indicates whether the device subscribes to the Zero Exhaust policy to minimize connections from Windows to Microsoft. +- **IsGreaterThanMaxRetry** Indicates whether the DTU (Direct to Update) service has exceeded its maximum retry count. +- **IsVolumeLicensed** Indicates whether a volume license was used to authenticate the operating system or applications on the device. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicabilityGenericFailure + +This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Cleanup call. + +The following fields are available: + +- **CampaignID** Campaign ID being run +- **ClientID** Client ID being run +- **CoordinatorVersion** Coordinator version of DTU +- **CV** Correlation vector +- **hResult** HRESULT of the failure + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupSuccess + +This event indicates that the Coordinator Cleanup call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run +- **ClientID** Client ID being run +- **CoordinatorVersion** Coordinator version of DTU +- **CV** Correlation vector + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Commit call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitSuccess + +This event indicates that the Coordinator Commit call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Download call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadIgnoredFailure + +This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Download call that will be ignored. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadSuccess + +This event indicates that the Coordinator Download call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator HandleShutdown call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinate version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownSuccess + +This event indicates that the Coordinator HandleShutdown call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Initialize call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeSuccess + +This event indicates that the Coordinator Initialize call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Install call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallIgnoredFailure + +This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Install call that will be ignored. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallSuccess + +This event indicates that the Coordinator Install call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorProgressCallBack + +This event indicates that the Coordinator's progress callback has been called. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **DeployPhase** Current Deploy Phase. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorSetCommitReadySuccess + +This event indicates that the Coordinator SetCommitReady call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiNotShown + +This event indicates that the Coordinator WaitForRebootUi call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSelection + +This event indicates that the user selected an option on the Reboot UI. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **rebootUiSelection** Selection on the Reboot UI. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSuccess + +This event indicates that the Coordinator WaitForRebootUi call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicabilityInternal call. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalSuccess + +This event indicates that the Handler CheckApplicabilityInternal call succeeded. + +The following fields are available: + +- **ApplicabilityResult** The result of the applicability check. +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilitySuccess + +This event indicates that the Handler CheckApplicability call succeeded. + +The following fields are available: + +- **ApplicabilityResult** The result code indicating whether the update is applicable. +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionSuccess + +This event indicates that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **CheckIfCoordinatorMinApplicableVersionResult** Result of CheckIfCoordinatorMinApplicableVersion function. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Commit call. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitSuccess + +This event indicates that the Handler Commit call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run.run +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabFailure + +This event indicates that the Handler Download and Extract cab call failed. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_failureReason** Reason why the update download and extract process failed. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabSuccess + +This event indicates that the Handler Download and Extract cab call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Download call. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadSuccess + +This event indicates that the Handler Download call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Initialize call. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extract. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeSuccess + +This event indicates that the Handler Initialize call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extraction. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Install call. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallSuccess + +This event indicates that the Coordinator Install call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadySuccess + +This event indicates that the Handler SetCommitReady call succeeded. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler WaitForRebootUi call. + +The following fields are available: + +- **CampaignID** The ID of the campaigning being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** The HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiSuccess + +This event indicates that the Handler WaitForRebootUi call succeeded. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +## DxgKernelTelemetry events + +### DxgKrnlTelemetry.GPUAdapterInventoryV2 + +This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date. + +The following fields are available: + +- **AdapterT}peValue** No content is currently available. +- **AdapterTypeValue** The numeric value indicating the type of Graphics adapter. +- **AdapterTyreValue** No content is currently available. +- **aiSeqId** The event sequence ID. +- **bootId** The system boot ID. +- **BrightnessVersionViaDDI** The version of the Display Brightness Interface. +- **ComputePreelptionLevel** No content is currently available. +- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. +- **DedicatedSy{temMemoryB** No content is currently available. +- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). +- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). +- **DisplayAdap|erLuid** No content is currently available. +- **DisplayAdapderLuid** No content is currently available. +- **DisplayAdapterLuid** The display adapter LUID. +- **Driver^ersion** No content is currently available. +- **DriverDat** No content is currently available. +- **DriverDate** The date of the display driver. +- **DriverRank** The rank of the display driver. +- **DriverVersion** The display driver version. +- **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store. +- **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store. +- **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store. +- **DX1rUMDFilePath** No content is currently available. +- **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store. +- **DX9UMDFileXath** No content is currently available. +- **GPUDeviceID** The GPU device ID. +- **GPUDexiceID** No content is currently available. +- **GPUPreelptionLevel** No content is currently available. +- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. +- **GPUPzeemptionLevel** No content is currently available. +- **GPURevisionID** The GPU revision ID. +- **GPURexisionID** No content is currently available. +- **GPUVendorID** The GPU vendor ID. +- **InterfaceId** The GPU interface ID. +- **IsDisplayDevice** Does the GPU have displaying capabilities? +- **IsDisplayDexice** No content is currently available. +- **IsHwSchSupported** Indicates whether the adapter supports hardware scheduling. +- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? +- **IsHybridDiwcrete** No content is currently available. +- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? +- **IsLDA** Is the GPU comprised of Linked Display Adapters? +- **IsMiiacastSupported** No content is currently available. +- **IsMiracastSupported** Does the GPU support Miracast? +- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor? +- **IsMPOSupport%d** No content is currently available. +- **IsMPOSupported** Does the GPU support Multi-Plane Overlays? +- **IsMsMiiacastSupported** No content is currently available. +- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution? +- **IsPostAdapter** Is this GPU the POST GPU in the device? +- **IsRemovable** TRUE if the adapter supports being disabled or removed. +- **IsRemovableǑBrightnessVersionViaDDIǩ WDDMVersionॠȠDisplayAdapterLuidǷDisplayAdapterLuidȄGPUPreempti** No content is currently available. +- **IsRenderDevice** Does the GPU have rendering capabilities? +- **IsRenderDexice** No content is currently available. +- **IsSoftwareDevace** No content is currently available. +- **IsSoftwareDevice** Is this a software implementation of the GPU? +- **IsSoftwareDexice** No content is currently available. +- **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store. +- **Meas}reEnabled** No content is currently available. +- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? +- **MnterfaceId** No content is currently available. +- **MsHybridDiscrete** Indicates whether the adapter is a discrete adapter in a hybrid configuration. +- **NumVidPnSou** No content is currently available. +- **NumVidPnSources** The number of supported display output sources. +- **NumVidPnTargets** The number of supported display output targets. +- **SharedSystemMemory@** No content is currently available. +- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes). +- **SubSystemID** The subsystem ID. +- **SubVendorID** The GPU sub vendor ID. +- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? +- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) +- **TelnveEvntTrigger** No content is currently available. +- **version** The event version. +- **verwion** No content is currently available. +- **WDDMVersion** The Windows Display Driver Model version. + + +## Failover Clustering events + +### Microsoft.Windows.Server.FailoverClusteringCritical.ClusterSummary2 + +This event returns information about how many resources and of what type are in the server cluster. This data is collected to keep Windows Server safe, secure, and up to date. The data includes information about whether hardware is configured correctly, if the software is patched correctly, and assists in preventing crashes by attributing issues (like fatal errors) to workloads and system configurations. + +The following fields are available: + +- **autoAssignSite** The cluster parameter: auto site. +- **autoBalancerLevel** The cluster parameter: auto balancer level. +- **autoBalancerMode** The cluster parameter: auto balancer mode. +- **blockCacheSize** The configured size of the block cache. +- **ClusterAdConfiguration** The ad configuration of the cluster. +- **clusterAdType** The cluster parameter: mgmt_point_type. +- **clusterDumpPolicy** The cluster configured dump policy. +- **clusterFunctionalLevel** The current cluster functional level. +- **clusterGuid** The unique identifier for the cluster. +- **clusterWitnessType** The witness type the cluster is configured for. +- **countNodesInSite** The number of nodes in the cluster. +- **crossSiteDelay** The cluster parameter: CrossSiteDelay. +- **crossSiteThreshold** The cluster parameter: CrossSiteThreshold. +- **crossSubnetDelay** The cluster parameter: CrossSubnetDelay. +- **crossSubnetThreshold** The cluster parameter: CrossSubnetThreshold. +- **csvCompatibleFilters** The cluster parameter: ClusterCsvCompatibleFilters. +- **csvIncompatibleFilters** The cluster parameter: ClusterCsvIncompatibleFilters. +- **csvResourceCount** The number of resources in the cluster. +- **currentNodeSite** The name configured for the current site for the cluster. +- **dasModeBusType** The direct storage bus type of the storage spaces. +- **downLevelNodeCount** The number of nodes in the cluster that are running down-level. +- **drainOnShutdown** Specifies whether a node should be drained when it is shut down. +- **dynamicQuorumEnabled** Specifies whether dynamic Quorum has been enabled. +- **enforcedAntiAffinity** The cluster parameter: enforced anti affinity. +- **genAppNames** The win32 service name of a clustered service. +- **genSvcNames** The command line of a clustered genapp. +- **hangRecoveryAction** The cluster parameter: hang recovery action. +- **hangTimeOut** Specifies the “hang time out” parameter for the cluster. +- **isCalabria** Specifies whether storage spaces direct is enabled. +- **isMixedMode** Identifies if the cluster is running with different version of OS for nodes. +- **isRunningDownLevel** Identifies if the current node is running down-level. +- **logLevel** Specifies the granularity that is logged in the cluster log. +- **logSize** Specifies the size of the cluster log. +- **lowerQuorumPriorityNodeId** The cluster parameter: lower quorum priority node ID. +- **minNeverPreempt** The cluster parameter: minimum never preempt. +- **minPreemptor** The cluster parameter: minimum preemptor priority. +- **netftIpsecEnabled** The parameter: netftIpsecEnabled. +- **NodeCount** The number of nodes in the cluster. +- **nodeId** The current node number in the cluster. +- **nodeResourceCounts** Specifies the number of node resources. +- **nodeResourceOnlineCounts** Specifies the number of node resources that are online. +- **numberOfSites** The number of different sites. +- **numNodesInNoSite** The number of nodes not belonging to a site. +- **plumbAllCrossSubnetRoutes** The cluster parameter: plumb all cross subnet routes. +- **preferredSite** The preferred site location. +- **privateCloudWitness** Specifies whether a private cloud witness exists for this cluster. +- **quarantineDuration** The quarantine duration. +- **quarantineThreshold** The quarantine threshold. +- **quorumArbitrationTimeout** In the event of an arbitration event, this specifies the quorum timeout period. +- **resiliencyLevel** Specifies the level of resiliency. +- **resourceCounts** Specifies the number of resources. +- **resourceTypeCounts** Specifies the number of resource types in the cluster. +- **resourceTypes** Data representative of each resource type. +- **resourceTypesPath** Data representative of the DLL path for each resource type. +- **sameSubnetDelay** The cluster parameter: same subnet delay. +- **sameSubnetThreshold** The cluster parameter: same subnet threshold. +- **secondsInMixedMode** The amount of time (in seconds) that the cluster has been in mixed mode (nodes with different operating system versions in the same cluster). +- **securityLevel** The cluster parameter: security level. +- **securityLevelForStorage** The cluster parameter: security level for storage. +- **sharedVolumeBlockCacheSize** Specifies the block cache size for shared for shared volumes. +- **shutdownTimeoutMinutes** Specifies the amount of time it takes to time out when shutting down. +- **upNodeCount** Specifies the number of nodes that are up (online). +- **useClientAccessNetworksForCsv** The cluster parameter: use client access networks for CSV. +- **vmIsolationTime** The cluster parameter: VM isolation time. +- **witnessDatabaseWriteTimeout** Specifies the timeout period for writing to the quorum witness database. + + +## Fault Reporting events + +### Microsoft.Windows.FaultReporting.AppCrashEvent + +This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event. + +The following fields are available: + +- **AppName** The name of the app that has crashed. +- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. +- **AppTimeStamp** The date/time stamp of the app. +- **AppVersion** The version of the app that has crashed. +- **AsFatal** No content is currently available. +- **Exceptio** No content is currently available. +- **ExceptionCode** The exception code returned by the process that has crashed. +- **ExceptionOffset** The address where the exception had occurred. +- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. +- **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. +- **IsFatal** True/False to indicate whether the crash resulted in process termination. +- **ModName** Exception module name (e.g. bar.dll). +- **ModTimestamp** No content is currently available. +- **ModTimeStamp** The date/time stamp of the module. +- **ModVersion** The version of the module that has crashed. +- **ode** No content is currently available. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has crashed. +- **ProcessId** The ID of the process that has crashed. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **targetAppVer** No content is currently available. +- **TargetAppVer** The specific version of the application being reported +- **TargetAsId** The sequence number for the hanging process. + + +## Feature update events + +### Microsoft.Windows.Upgrade.Uninstall.UninstallFinalizedAndRebootTriggered + +This event indicates that the uninstall was properly configured and that a system reboot was initiated. + + + +### Microsoft.Windows.Upgrade.Uninstall.UninstallGoBackButtonClicked + +This event sends basic metadata about the starting point of uninstalling a feature update, which helps ensure customers can safely revert to a well-known state if the update caused any problems. + + + +## Hang Reporting events + +### Microsoft.Windows.HangReporting.AppHangEvent + +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. + +The following fields are available: + +- **AppName** The name of the app that has hung. +- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend. +- **AppVersion** The version of the app that has hung. +- **IsFatal** True/False based on whether the hung application caused the creation of a Fatal Hang Report. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has hung. +- **ProcessId** The ID of the process that has hung. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported. +- **TargetAsId** The sequence number for the hanging process. +- **TypeCode** Bitmap describing the hang type. +- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application. +- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting. +- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting. +- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package. + + +## Inventory events + +### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum + +This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. + +The following fields are available: + +- **Device** A count of device objects in cache. +- **DeviceCensus** A count of device census objects in cache. +- **DriverPackageExtended** A count of driverpackageextended objects in cache. +- **File** A count of file objects in cache. +- **FileSigningInfo** A count of file signing objects in cache. +- **Generic** A count of generic objects in cache. +- **HwItem** A count of hwitem objects in cache. +- **IentoryMiscellaneousOfficeAddIn** No content is currently available. +- **InventoryApplication** A count of application objects in cache. +- **InventoryApplicationAppV** A count of application AppV objects in cache. +- **InventoryApplicationDriver** A count of application driver objects in cache +- **InventoryApplicationFile** A count of application file objects in cache. +- **InventoryApplicationFramework** A count of application framework objects in cache +- **InventoryApplicationShortcut** A count of application shortcut objects in cache +- **InventoryDeviceContainer** A count of device container objects in cache. +- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache. +- **InventoryDeviceMediaClass** A count of device media objects in cache. +- **InventoryDevicePnp** A count of device Plug and Play objects in cache. +- **InventoryDeviceUsbHubClass** A count of device usb objects in cache +- **InventoryDriverBinary** A count of driver binary objects in cache. +- **InventoryDriverPackage** A count of device objects in cache. +- **InventoryMiscellaneiscellaneousOfficeInsights** No content is currently available. +- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache +- **InventoryMiscellaneousOfficeAddInUsage** A count of office add-in usage objects in cache. +- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache +- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache +- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache +- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache +- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache +- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache +- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache +- **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache +- **Metadata** A count of metadata objects in cache. +- **Orphan** A count of orphan file objects in cache. +- **Programs** A count of program objects in cache. + + +### Microsoft.Windows.Inventory.Core.AmiTelCacheFileInfo + +Diagnostic data about the inventory cache. + +The following fields are available: + +- **CacheFileSize** Size of the cache. +- **InventoryVersion** Inventory version of the cache. +- **TempCacheCount** Number of temp caches created. +- **TempCacheDeletedCount** Number of temp caches deleted. + + +### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions + +This event sends inventory component versions for the Device Inventory data. + +The following fields are available: + +- **aeinv** The version of the App inventory component. +- **devinv** The file version of the Device inventory component. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd + +This event sends basic metadata about an application on the system to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **HiddenArp** Indicates whether a program hides itself from showing up in ARP. +- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). +- **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 +- **InstallDateFromLincFile** No content is currently available. +- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. +- **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array. +- **InventoryVersion** The version of the inventory file generating the events. +- **Language** The language code of the program. +- **MsipackageCode** No content is currently available. +- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. +- **MsiProductCode** A GUID that describe the MSI Product. +- **Name** The name of the application. +- **OSversionAtInstallTime** No content is currently available. +- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. +- **PackageFullName** The package full name for a Store application. +- **ProgramInstanceId** A hash of the file IDs in an app. +- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field. +- **RootDirPath** The path to the root directory where the program was installed. +- **Source** How the program was installed (for example, ARP, MSI, Appx). +- **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp. +- **type** No content is currently available. +- **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen. +- **Version** The version number of the program. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd + +This event represents what drivers an application installs. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory component. +- **ProgramIds** The unique program identifier the driver is associated with. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync + +The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory component. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd + +This event provides the basic metadata about the frameworks an application may depend on. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **FileId** A hash that uniquely identifies a file. +- **Frameworks** The list of frameworks this file depends on. +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync + +This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove + +This event indicates that a new set of InventoryDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync + +This event indicates that a new set of InventoryApplicationAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd + +This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device) to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Categories** A comma separated list of functional categories in which the container belongs. +- **DiscoveryMethod** The discovery method for the device container. +- **FriendlyName** The name of the device container. +- **InventoryVersion** The version of the inventory file generating the events. +- **IsActive** Is the device connected, or has it been seen in the last 14 days? +- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link. +- **IsMachineContainer** Is the container the root device itself? +- **IsNetworked** Is this a networked device? +- **IsPaired** Does the device container require pairing? +- **Manufacturer** The manufacturer name for the device container. +- **ModelId** A unique model ID. +- **ModelName** The model name. +- **ModelNumber** The model number for the device container. +- **PrimaryCategory** The primary category for the device container. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove + +This event indicates that the InventoryDeviceContainer object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync + +This event indicates that a new set of InventoryDeviceContainerAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd + +This event retrieves information about what sensor interfaces are available on the device. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Accelerometer3D** Indicates if an Accelerator3D sensor is found. +- **ActivityDetection** Indicates if an Activity Detection sensor is found. +- **AmbientLight** Indicates if an Ambient Light sensor is found. +- **Barometer** Indicates if a Barometer sensor is found. +- **Custom** Indicates if a Custom sensor is found. +- **EnergyMeter** Indicates if an Energy sensor is found. +- **FloorElevation** Indicates if a Floor Elevation sensor is found. +- **GeomagneticOrientation** Indicates if a Geo Magnetic Orientation sensor is found. +- **GravityVector** Indicates if a Gravity Detector sensor is found. +- **Gyrometer3D** Indicates if a Gyrometer3D sensor is found. +- **Humidity** Indicates if a Humidity sensor is found. +- **InventoryVersion** The version of the inventory file generating the events. +- **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found. +- **Magnetometer3D** Indicates if a Magnetometer3D sensor is found. +- **Orientation** Indicates if an Orientation sensor is found. +- **Pedometer** Indicates if a Pedometer sensor is found. +- **Proximity** Indicates if a Proximity sensor is found. +- **RelativeOrientation** Indicates if a Relative Orientation sensor is found. +- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found. +- **Temperature** Indicates if a Temperature sensor is found. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync + +This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd + +This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **audio.captureDriver** Audio device capture driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14887.1000:hdaudio\func_01 +- **audio.renderDriver** Audio device render driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14889.1001:hdaudio\func_01 +- **Audio_CaptureDriver** The Audio device capture driver endpoint. +- **Audio_RenderDriver** The Audio device render driver endpoint. +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove + +This event indicates that the InventoryDeviceMediaClassRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync + +This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. + +This event includes fields from [Ms.Device.De~iceInventoryChange](#msdevicede~iceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd + +This event represents the basic metadata about a plug and play (PNP) device and its associated driver. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **]pperClassFilters** No content is currently available. +- **basedata** No content is currently available. See [basedata](#basedata). +- **BusReportedDescraption** No content is currently available. +- **BusReportedDescription** The description of the device reported by the bux. +- **BusReptrtedDescription** No content is currently available. +- **Clas{Guid** No content is currently available. +- **Class** The device setup class of the driver loaded for the device. +- **ClassGuid** The device class unique identifier of the driver package loaded on the device. +- **COMPID** The list of “Compatible IDs” for this device. +- **Con|ainerId** No content is currently available. +- **ContainerId** The system-supplied unique identifier that specifies which group(s) the device(s) installed on the parent (main) device belong to. +- **Descriptaon** No content is currently available. +- **Description** The description of the device. +- **DeviceDriverFlightId** No content is currently available. +- **DeviceExtDriversFlightIds** No content is currently available. +- **DeviceInterfaceClasses** The device interfaces that this device implements. +- **DeviceState** Identifies the current state of the parent (main) device. +- **DriverAd** No content is currently available. +- **DriverId** The unique identifier for the installed driver. +- **DriverName** The name of the driver image file. +- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage. +- **DriverVer^ersion** No content is currently available. +- **DriverVerDate** The date associated with the driver installed on the device. +- **DriverVerVersion** The version number of the driver installed on the device. +- **Enumerator** Identifies the bus that enumerated the device. +- **ExtendedInfs** The extended INF file names. +- **FirstInstallDate** No content is currently available. +- **H_ID** No content is currently available. +- **HWID** A list of hardware IDs for the device. +- **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). +- **InstallDate** No content is currently available. +- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx +- **InventoryVersion** The version number of the inventory process generating the events. +- **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. +- **LowerFilters** The identifiers of the Lower filters installed for the device. +- **Manufacturer** The manufacturer of the device. +- **MatchangID** No content is currently available. +- **MatchingID** The Hardware ID or Compatible ID that Windows uses to install a device instance. +- **Modeh** No content is currently available. +- **Model** Identifies the model of the device. +- **ParentId** The Device Instance ID of the parent of the device. +- **ProblemCode** The error code currently returned by the device, if applicable. +- **ProblmmCode** No content is currently available. +- **Provider** Identifies the device provider. +- **Service** The name of the device service. +- **STACKID** The list of hardware IDs for the stack. +- **UpperClassFilters** The identifiers of the Upper Class filters installed for the device. +- **UpperFilters** The identifiers of the Upper filters installed for the device. +- **UpxerClassFilters** No content is currently available. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove + +This event indicates that the InventoryDevicePnpRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync + +This event indicates that a new set of InventoryDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd + +This event sends basic metadata about the USB hubs on the device. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. +- **TotalUserConnectablePorts** Total number of connectable USB ports. +- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync + +This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent. + +This event includes fields from [Ms.De~ice.DeviceInventoryChange](#msde~icedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd + +This event provides the basic metadata about driver binaries running on the system. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **DrivdrCompany** No content is currently available. +- **DriverCheckSum** The checksum of the driver file. +- **DriverCompany** The company name that developed the driver. +- **DriverInBox** Is the driver included with the operating system? +- **DriverIsKernelMode** Is it a kernel mode driver? +- **DriverName** The file name of the driver. +- **DriverPackageStrongName** The strong name of the driver package +- **DriverSigned** The strong name of the driver package +- **DriverTimeStamp** The low 32 bits of the time stamp of the driver file. +- **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. +- **DriverVersion** The version of the driver file. +- **ImageSize** The size of the driver file. +- **ImageSmze** No content is currently available. +- **Inf** The name of the INF file. +- **InventoryVersion** The version of the inventory file generating the events. +- **Product** The product name that is included in the driver file. +- **ProductVersion** The product version that is included in the driver file. +- **Service** The name of the service that is installed for the device. +- **WdfVersion** The Windows Driver Framework version. +- **WdfVers-on** No content is currently available. +- **WdfVersÿon** No content is currently available. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove + +This event indicates that the InventoryDriverBinary object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync + +This event indicates that a new set of InventoryDriverBinaryAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd + +This event sends basic metadata about drive packages installed on the system to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Class** The class name for the device driver. +- **ClassGuid** The class GUID for the device driver. +- **Date** The driver package date. +- **Directory** The path to the driver package. +- **DriverInBox** Is the driver included with the operating system? +- **Inf** The INF name of the driver package. +- **InventoryVersion** The version of the inventory file generating the events. +- **Provider** The provider for the driver package. +- **SubmissionId** The HLK submission ID for the driver package. +- **Version** The version of the driver package. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove + +This event indicates that the InventoryDriverPackageRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync + +This event indicates that a new set of InventoryDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.StartUtcJsonTrace + +This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the beginning of the event download, and that tracing should begin. + + + +### Microsoft.Windows.Inventory.Core.StopUtcJsonTrace + +This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the end of the event download, and that tracing should end. + + + +### Microsoft.Windows.Inventory.General.AppHealthStaticAdd + +This event sends details collected for a specific application on the source device. + +The following fields are available: + +- **AhaVersion** The binary version of the App Health Analyzer tool. +- **ApplicationErrors** The count of application errors from the event log. +- **Bitness** The architecture type of the application (16 Bit or 32 bit or 64 bit). +- **device_level** Various JRE/JAVA versions installed on a particular device. +- **ExtendedProperties** Attribute used for aggregating all other attributes under this event type. +- **Jar** Flag to determine if an app has a Java JAR file dependency. +- **Jre** Flag to determine if an app has JRE framework dependency. +- **Jre_version** JRE versions an app has declared framework dependency for. +- **Name** Name of the application. +- **NonDPIAware** Flag to determine if an app is non-DPI aware. +- **NumBinaries** Count of all binaries (.sys,.dll,.ini) from application install location. +- **RequiresAdmin** Flag to determine if an app requests admin privileges for execution. +- **RequiresAdminv2** Additional flag to determine if an app requests admin privileges for execution. +- **RequiresUIAccess** Flag to determine if an app is based on UI features for accessibility. +- **VB6** Flag to determine if an app is based on VB6 framework. +- **VB6v2** Additional flag to determine if an app is based on VB6 framework. +- **Version** Version of the application. +- **VersionCheck** Flag to determine if an app has a static dependency on OS version. +- **VersionCheckv2** Additional flag to determine if an app has a static dependency on OS version. + + +### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync + +This event indicates the beginning of a series of AppHealthStaticAdd events. + +The following fields are available: + +- **AllowTelemetry** Indicates the presence of the 'allowtelemetry' command line argument. +- **CommandLineArgs** Command line arguments passed when launching the App Health Analyzer executable. +- **Enhanced** Indicates the presence of the 'enhanced' command line argument. +- **StartTime** UTC date and time at which this event was sent. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd + +Provides data on the installed Office Add-ins. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AddinCLSID** The class identifier key for the Microsoft Office add-in. +- **AddInCLSID** The class identifier key for the Microsoft Office add-in. +- **AddInId** The identifier for the Microsoft Office add-in. +- **AddinType** The type of the Microsoft Office add-in. +- **BinFileTimestamp** The timestamp of the Office add-in. +- **BinFileVersion** The version of the Microsoft Office add-in. +- **Description** Description of the Microsoft Office add-in. +- **FileId** The file identifier of the Microsoft Office add-in. +- **FileSize** The file size of the Microsoft Office add-in. +- **FriendlyName** The friendly name for the Microsoft Office add-in. +- **FullPath** The full path to the Microsoft Office add-in. +- **InventoryVersion** The version of the inventory binary generating the events. +- **LoadBehavior** Integer that describes the load behavior. +- **LoadTime** Load time for the Office add-in. +- **OfficeApplication** The Microsoft Office application associated with the add-in. +- **OfficeArchitecture** The architecture of the add-in. +- **OfficeVersion** The Microsoft Office version for this add-in. +- **OutlookCrashingAddin** Indicates whether crashes have been found for this add-in. +- **ProductCompany** The name of the company associated with the Office add-in. +- **ProductName** The product name associated with the Microsoft Office add-in. +- **ProductVersion** The version associated with the Office add-in. +- **ProgramId** The unique program identifier of the Microsoft Office add-in. +- **Provider** Name of the provider for this add-in. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync + +This event indicates that a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd + +Provides data on the Office identifiers. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OAudienceData** Sub-identifier for Microsoft Office release management, identifying the pilot group for a device +- **OAudienceId** Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device +- **OMID** Identifier for the Office SQM Machine +- **OPlatform** Whether the installed Microsoft Office product is 32-bit or 64-bit +- **OTenantId** Unique GUID representing the Microsoft O365 Tenant +- **OVersion** Installed version of Microsoft Office. For example, 16.0.8602.1000 +- **OWowMID** Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft Office on 64-bit Windows) + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd + +Provides data on Office-related Internet Explorer features. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OIeFeatureAddon** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the user or by administrative group policy will also be disabled in applications that enable this feature. +- **OIeMachineLockdown** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on content loaded from the user's local machine, which helps prevent malicious behavior involving local files. +- **OIeMimeHandling** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely. Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) +- **OIeMimeSniffing** Flag indicating which Microsoft Office products have this setting enabled. Determines a file's type by examining its bit signature. Windows Internet Explorer uses this information to determine how to render the file. The FEATURE_MIME_SNIFFING feature, when enabled, allows to be set differently for each security zone by using the URLACTION_FEATURE_MIME_SNIFFING URL action flag +- **OIeNoAxInstall** Flag indicating which Microsoft Office products have this setting enabled. When a webpage attempts to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request. When a webpage tries to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request +- **OIeNoDownload** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_RESTRICT_FILEDOWNLOAD feature blocks file download requests that navigate to a resource, that display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click or key press). Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) +- **OIeObjectCaching** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_OBJECT_CACHING feature prevents webpages from accessing or instantiating ActiveX controls cached from different domains or security contexts +- **OIePasswordDisable** Flag indicating which Microsoft Office products have this setting enabled. After Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2), Internet Explorer no longer allows usernames and passwords to be specified in URLs that use the HTTP or HTTPS protocols. URLs using other protocols, such as FTP, still allow usernames and passwords +- **OIeSafeBind** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SAFE_BINDTOOBJECT feature performs additional safety checks when calling MonikerBindToObject to create and initialize Microsoft ActiveX controls. Specifically, prevent the control from being created if COMPAT_EVIL_DONT_LOAD is in the registry for the control +- **OIeSecurityBand** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled, the Information bar appears when file download or code installation is restricted +- **OIeUncSaveCheck** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_UNC_SAVEDFILECHECK feature enables the Mark of the Web (MOTW) for local files loaded from network locations that have been shared by using the Universal Naming Convention (UNC) +- **OIeValidateUrl** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_VALIDATE_NAVIGATE_URL feature control prevents Windows Internet Explorer from navigating to a badly formed URL +- **OIeWebOcPopup** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_WEBOC_POPUPMANAGEMENT feature allows applications hosting the WebBrowser Control to receive the default Internet Explorer pop-up window management behavior +- **OIeWinRestrict** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_WINDOW_RESTRICTIONS feature adds several restrictions to the size and behavior of popup windows +- **OIeZoneElevate** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_ZONE_ELEVATION feature prevents pages in one zone from navigating to pages in a higher security zone unless the navigation is generated by the user + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd + +This event provides insight data on the installed Office products + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OfficeApplication** The name of the Office application. +- **OfficeArchitecture** The bitness of the Office application. +- **OfficeVersion** The version of the Office application. +- **Valóe** No content is currently available. +- **Value** The insights collected about this entity. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync + +This diagnostic event indicates that a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd + +Describes Office Products installed. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OC2rApps** A GUID the describes the Office Click-To-Run apps +- **OC2rSkus** Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example, Office 2016 ProPlus +- **OMsiApps** Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word +- **OProductCodes** A GUID that describes the Office MSI products + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd + +This event describes various Office settings + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **BrowserFlags** Browser flags for Office-related products +- **ExchangeProviderFlags** Provider policies for Office Exchange +- **InventoryVersion** The version of the inventory binary generating the events. +- **SharedComputerLicensing** Office shared computer licensing policies + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync + +Indicates a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd + +This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Design** Count of files with design issues found. +- **Design_x64** Count of files with 64 bit design issues found. +- **DuplicateVBA** Count of files with duplicate VBA code. +- **HasVBA** Count of files with VBA code. +- **Inaccessible** Count of files that were inaccessible for scanning. +- **InventoryVersion** The version of the inventory binary generating the events. +- **Issues** Count of files with issues detected. +- **Issues_x64** Count of files with 64-bit issues detected. +- **IssuesNone** Count of files with no issues detected. +- **IssuesNone_x64** Count of files with no 64-bit issues detected. +- **Locked** Count of files that were locked, preventing scanning. +- **NoVBA** Count of files with no VBA inside. +- **Protected** Count of files that were password protected, preventing scanning. +- **RemLimited** Count of files that require limited remediation changes. +- **RemLimited_x64** Count of files that require limited remediation changes for 64-bit issues. +- **RemSignificant** Count of files that require significant remediation changes. +- **RemSignificant_x64** Count of files that require significant remediation changes for 64-bit issues. +- **Score** Overall compatibility score calculated for scanned content. +- **Score_x64** Overall 64-bit compatibility score calculated for scanned content. +- **Total** Total number of files scanned. +- **Validation** Count of files that require additional manual validation. +- **Validation_x64** Count of files that require additional manual validation for 64-bit issues. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd + +This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Count** Count of total Microsoft Office VBA rule violations +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync + +This event indicates that a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd + +Provides data on Unified Update Platform (UUP) products and what version they are at. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Identifier** UUP identifier +- **LastActivatedVersion** Last activated version +- **PreviousVersion** Previous version +- **Source** UUP source +- **Version** UUP version + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.Indicators.Checksum + +This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events. + +The following fields are available: + +- **CensusId** A unique hardware identifier. +- **ChecksumDictionary** A count of each operating system indicator. +- **PCFP** Equivalent to the InventoryId field that is found in other core events. + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd + +These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **IndicatorValue** The indicator value. +- **Value** Describes an operating system indicator that may be relevant for the device upgrade. + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove + +This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync + +This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +## Kernel events + +### IO + +This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon system startup. + +The following fields are available: + +- **BootAttemptCount** No content is currently available. +- **BootStatusPolicy** No content is currently available. +- **BootType** No content is currently available. +- **BytesRead** The total number of bytes read from or read by the OS upon system startup. +- **BytesWritten** The total number of bytes written to or written by the OS upon system startup. +- **FirmwareResetReasonEmbeddedController** No content is currently available. +- **FirmwareResetReasonEmbeddedControllerAdditional** No content is currently available. +- **FirmwareResetReasonPch** No content is currently available. +- **FirmwareResetReasonPchAdditional** No content is currently available. +- **FirmwareResetReasonSupplied** No content is currently available. +- **LastBootSucceeded** No content is currently available. +- **LastShutdownSucceeded** No content is currently available. +- **MeasuredLaunchResume** No content is currently available. +- **MenuPolicy** No content is currently available. +- **RecoveryEnabled** No content is currently available. +- **UserInputTime** No content is currently available. + + +### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch + +OS information collected during Boot, used to evaluate the success of the upgrade process. + +The following fields are available: + +- **Boo|ApplicationId** No content is currently available. +- **BootApplicataonId** No content is currently available. +- **BootApplicationId** This field tells us what the OS Loader Application Identifier is. +- **BootAttemptCount** The number of consecutive times the boot manager has attempted to boot into this operating system. +- **BootSequence** The current Boot ID, used to correlate events related to a particular boot session. +- **BootStatusPolicy** Identifies the applicable Boot Status Policy. +- **BootType** Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume"). +- **EventTimestamp** Seconds elapsed since an arbitrary time point. This can be used to identify the time difference in successive boot attempts being made. +- **FirmwareResetReasonEmbeddedController** Reason for system reset provided by firmware. +- **FirmwareResetReasonEmbeddedControllerAdditional** Additional information on system reset reason provided by firmware if needed. +- **FirmwareResetReasonPch** Reason for system reset provided by firmware. +- **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed. +- **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware. +- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See [IO](#io). +- **LastBootSucceeded** Flag indicating whether the last boot was successful. +- **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful. +- **MaxAbove4GbFreeRange** This field describes the largest memory range available above 4Gb. +- **MaxBelow4GbFreeRange** This field describes the largest memory range available below 4Gb. +- **MeasuredLaunchPrepared** This field tells us if the OS launch was initiated using Measured/Secure Boot over DRTM (Dynamic Root of Trust for Measurement). +- **MeasuredLaunchResume** This field tells us if Dynamic Root of Trust for Measurement (DRTM) was used when resuming from hibernation. +- **MenuPolicy** Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.). +- **RecoveryEnabled** Indicates whether recovery is enabled. +- **SecureLaunchPrepared** This field indicates if DRTM was prepared during boot. +- **TcbLaunch** Indicates whether the Trusted Computing Base was used during the boot flow. +- **UserInputTime** The amount of time the loader application spent waiting for user input. + + +## Miracast events + +### Microsoft.Windows.Cast.Miracast.MiracastSessionEnd + +This event sends data at the end of a Miracast session that helps determine RTSP related Miracast failures along with some statistics about the session + +The following fields are available: + +- **AudioChannelCount** The number of audio channels. +- **AudioSampleRate** The sample rate of audio in terms of samples per second. +- **AudioSubtype** The unique subtype identifier of the audio codec (encoding method) used for audio encoding. +- **AverageBitrate** The average video bitrate used during the Miracast session, in bits per second. +- **AverageDataRate** The average available bandwidth reported by the WiFi driver during the Miracast session, in bits per second. +- **AveragePacketSendTimeInMs** The average time required for the network to send a sample, in milliseconds. +- **ConnectorType** The type of connector used during the Miracast session. +- **EncodeAverageTimeMS** The average time to encode a frame of video, in milliseconds. +- **EncodeCount** The count of total frames encoded in the session. +- **EncodeMaxTimeMS** The maximum time to encode a frame, in milliseconds. +- **EncodeMinTimeMS** The minimum time to encode a frame, in milliseconds. +- **EncoderCreationTimeInMs** The time required to create the video encoder, in milliseconds. +- **ErrorSource** Identifies the component that encountered an error that caused a disconnect, if applicable. +- **FirstFrameTime** The time (tick count) when the first frame is sent. +- **FirstLatencyMode** The first latency mode. +- **FrameAverageTimeMS** Average time to process an entire frame, in milliseconds. +- **FrameCount** The total number of frames processed. +- **FrameMaxTimeMS** The maximum time required to process an entire frame, in milliseconds. +- **FrameMinTimeMS** The minimum time required to process an entire frame, in milliseconds. +- **Glitches** The number of frames that failed to be delivered on time. +- **HardwareCursorEnabled** Indicates if hardware cursor was enabled when the connection ended. +- **HDCPState** The state of HDCP (High-bandwidth Digital Content Protection) when the connection ended. +- **HighestBitrate** The highest video bitrate used during the Miracast session, in bits per second. +- **HighestDataRate** The highest available bandwidth reported by the WiFi driver, in bits per second. +- **LastLatencyMode** The last reported latency mode. +- **LogTimeReference** The reference time, in tick counts. +- **LowestBitrate** The lowest video bitrate used during the Miracast session, in bits per second. +- **LowestDataRate** The lowest video bitrate used during the Miracast session, in bits per second. +- **MediaErrorCode** The error code reported by the media session, if applicable. +- **MiracastEntry** The time (tick count) when the Miracast driver was first loaded. +- **MiracastM1** The time (tick count) when the M1 request was sent. +- **MiracastM2** The time (tick count) when the M2 request was sent. +- **MiracastM3** The time (tick count) when the M3 request was sent. +- **MiracastM4** The time (tick count) when the M4 request was sent. +- **MiracastM5** The time (tick count) when the M5 request was sent. +- **MiracastM6** The time (tick count) when the M6 request was sent. +- **MiracastM7** The time (tick count) when the M7 request was sent. +- **MiracastSessionState** The state of the Miracast session when the connection ended. +- **MiracastStreaming** The time (tick count) when the Miracast session first started processing frames. +- **ProfileCount** The count of profiles generated from the receiver M4 response. +- **ProfileCountAfterFiltering** The count of profiles after filtering based on available bandwidth and encoder capabilities. +- **RefreshRate** The refresh rate set on the remote display. +- **RotationSupported** Indicates if the Miracast receiver supports display rotation. +- **RTSPSessionId** The unique identifier of the RTSP session. This matches the RTSP session ID for the receiver for the same session. +- **SessionGuid** The unique identifier of to correlate various Miracast events from a session. +- **SinkHadEdid** Indicates if the Miracast receiver reported an EDID. +- **SupportMicrosoftColorSpaceConversion** Indicates whether the Microsoft color space conversion for extra color fidelity is supported by the receiver. +- **SupportsMicrosoftDiagnostics** Indicates whether the Miracast receiver supports the Microsoft Diagnostics Miracast extension. +- **SupportsMicrosoftFormatChange** Indicates whether the Miracast receiver supports the Microsoft Format Change Miracast extension. +- **SupportsMicrosoftLatencyManagement** Indicates whether the Miracast receiver supports the Microsoft Latency Management Miracast extension. +- **SupportsMicrosoftRTCP** Indicates whether the Miracast receiver supports the Microsoft RTCP Miracast extension. +- **SupportsMicrosoftVideoFormats** Indicates whether the Miracast receiver supports Microsoft video format for 3:2 resolution. +- **SupportsWiDi** Indicates whether Miracast receiver supports Intel WiDi extensions. +- **TeardownErrorCode** The error code reason for teardown provided by the receiver, if applicable. +- **TeardownErrorReason** The text string reason for teardown provided by the receiver, if applicable. +- **UIBCEndState** Indicates whether UIBC was enabled when the connection ended. +- **UIBCEverEnabled** Indicates whether UIBC was ever enabled. +- **UIBCStatus** The result code reported by the UIBC setup process. +- **VideoBitrate** The starting bitrate for the video encoder. +- **VideoCodecLevel** The encoding level used for encoding, specific to the video subtype. +- **VideoHeight** The height of encoded video frames. +- **VideoSubtype** The unique subtype identifier of the video codec (encoding method) used for video encoding. +- **VideoWidth** The width of encoded video frames. +- **WFD2Supported** Indicates if the Miracast receiver supports WFD2 protocol. + + +## OneDrive events + +### Microsoft.OneDrive.Sync.Setup.APIOperation + +This event includes basic data about install and uninstall OneDrive API operations. + +The following fields are available: + +- **APIName** The name of the API. +- **Duration** How long the operation took. +- **IsSuccess** Was the operation successful? +- **ResultCode** The result code. +- **ScenarioName** The name of the scenario. + + +### Microsoft.OneDrive.Sync.Setup.EndExperience + +This event includes a success or failure summary of the installation. + +The following fields are available: + +- **APIName** The name of the API. +- **HResult** HResult of the operation +- **IsSuccess** Whether the operation is successful or not +- **ScenarioName** The name of the scenario. + + +### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation + +This event is related to the OS version when the OS is upgraded with OneDrive installed. + +The following fields are available: + +- **CurrentOneDriveVersion** The current version of OneDrive. +- **CurrentOSBuildBranch** The current branch of the operating system. +- **CurrentOSBuildNumber** The current build number of the operating system. +- **CurrentOSVersion** The current version of the operating system. +- **HResult** The HResult of the operation. +- **SourceOSBuildBranch** The source branch of the operating system. +- **SourceOSBuildNumber** The source build number of the operating system. +- **SourceOSVersion** The source version of the operating system. + + +### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation + +This event is related to registering or unregistering the OneDrive update task. + +The following fields are available: + +- **APIName** The name of the API. +- **IsSuccess** Was the operation successful? +- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation. +- **ScenarioName** The name of the scenario. +- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation. + + +### Microsoft.OneDrive.Sync.Updater.ComponentInstallState + +This event includes basic data about the installation state of dependent OneDrive components. + +The following fields are available: + +- **ComponentName** The name of the dependent component. +- **isInstalled** Is the dependent component installed? + + +### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus + +This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken + +The following fields are available: + +- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system. +- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system. + + +### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult + +This event sends information describing the result of the update. + +The following fields are available: + +- **br** No content is currently available. +- **hr** The HResult of the operation. +- **IsLoggingE~abled** No content is currently available. +- **IsLoggingEnabled** Indicates whether logging is enabled for the updater. +- **UpdaterVersion** The version of the updater. + + +### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult + +This event determines the status when downloading the OneDrive update configuration file. + +The following fields are available: + +- **hr** The HResult of the operation. + + +### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus + +This event determines the error code that was returned when verifying Internet connectivity. + +The following fields are available: + +- **winInetError** The HResult of the operation. + + +## Privacy consent logging events + +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted + +This event is used to determine whether the user successfully completed the privacy consent experience. + +The following fields are available: + +- **presentationVersion** Which display version of the privacy consent experience the user completed +- **privacyConsentState** The current state of the privacy consent experience +- **settingsVersion** Which setting version of the privacy consent experience the user completed +- **userOobeExitReason** The exit reason of the privacy consent experience + + +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus + +Event tells us effectiveness of new privacy experience. + +The following fields are available: + +- **isAdmin** whether the person who is logging in is an admin +- **isExistingUser** whether the account existed in a downlevel OS +- **isLaunching** Whether or not the privacy consent experience will be launched +- **isSilentElevation** whether the user has most restrictive UAC controls +- **privacyConsentState** whether the user has completed privacy experience +- **userRegionCode** The current user's region setting + + +### wilActivity + +This event provides a Windows Internal Library context used for Product and Service diagnostics. + +The following fields are available: + +- **callContext** The function where the failure occurred. +- **currentContextId** The ID of the current call context where the failure occurred. +- **currentContextMessage** The message of the current call context where the failure occurred. +- **currentContextName** The name of the current call context where the failure occurred. +- **failureCount** The number of failures for this failure ID. +- **failureId** The ID of the failure that occurred. +- **failureType** The type of the failure that occurred. +- **fileName** The file name where the failure occurred. +- **function** The function where the failure occurred. +- **hresult** The HResult of the overall activity. +- **lineNumber** The line number where the failure occurred. +- **message** The message of the failure that occurred. +- **module** The module where the failure occurred. +- **originatingContextId** The ID of the originating call context that resulted in the failure. +- **originatingContextMessage** The message of the originating call context that resulted in the failure. +- **originatingContextName** The name of the originating call context that resulted in the failure. +- **threadId** The ID of the thread on which the activity is executing. + + +## Sediment events + +### Microsoft.Windows.Sediment.Info.DetailedState + +This event is sent when detailed state information is needed from an update trial run. + +The following fields are available: + +- **Data** Data relevant to the state, such as what percent of disk space the directory takes up. +- **Id** Identifies the trial being run, such as a disk related trial. +- **ReleaseVer** The version of the component. +- **State** The state of the reporting data from the trial, such as the top-level directory analysis. +- **Time** The time the event was fired. + + +### Microsoft.Windows.Sediment.Info.Error + +This event indicates an error in the updater payload. This information assists in keeping Windows up to date. + +The following fields are available: + +- **FailureType** The type of error encountered. +- **FileName** The code file in which the error occurred. +- **HResult** The failure error code. +- **LineNumber** The line number in the code file at which the error occurred. +- **ReleaseVer** The version information for the component in which the error occurred. +- **Time** The system time at which the error occurred. + + +### Microsoft.Windows.Sediment.Info.PhaseChange + +The event indicates progress made by the updater. This information assists in keeping Windows up to date. + +The following fields are available: + +- **NewPhase** The phase of progress made. +- **ReleaseVer** The version information for the component in which the change occurred. +- **Time** The system time at which the phase chance occurred. + + +## Setup events + +### SetupPlatformTel.SetupPlatformTelActivityEvent + +This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date. + +The following fields are available: + +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **Value** Value associated with the corresponding event name. For example, time-related events will include the system time + + +### SetupPlatformTel.SetupPlatformTelActivityStarted + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + +The following fields are available: + +- **Name** The name of the dynamic update type. Example: GDR driver + + +### SetupPlatformTel.SetupPlatformTelActivityStopped + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + + + +### SetupPlatformTel.SetupPlatformTelEvent + +This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios. + +The following fields are available: + +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. + + +## Software update events + +### SoftwareUpdateClientTelemetry.CheckForUpdates + +Scan process event on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). + +The following fields are available: + +- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. +- **AllowCachedResults** Indicates if the scan allowed using cached results. +- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. +- **BranchReadinessLevel** The servicing branch configured on the device. +- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated. +- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. +- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0. +- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown +- **CurrentMobileOperator** The mobile operator the device is currently connected to. +- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). +- **DeferredUpdates** Update IDs which are currently being deferred until a later time +- **DeviceModel** What is the device model. +- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. +- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. +- **DriverGxclusionPolicy** No content is currently available. +- **DriverSyncPassPerformed** Were drivers scanned this time? +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **ExtendedMetadataCabUrl** Hostname that is used to download an update. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. +- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. +- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. +- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days). +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FeatureUpdatePause9-8iod** No content is currently available. +- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days). +- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). +- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. +- **I#Version** No content is currently available. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IPVersion** Indicates whether the download took place over IPv4 or IPv6 +- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. +- **IsWUfBDualScaninabled** No content is currently available. +- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. +- **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. +- **IsWUfBinabled** No content is currently available. +- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce +- **MSIError** The last error that was encountered during a scan for updates. +- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 +- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete +- **NumberOfApplicationsCategoryScanEval}ated** No content is currently available. +- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked +- **NumberOfLoop** The number of round trips the scan required +- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan +- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan +- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. +- **Online** Indicates if this was an online scan. +- **PausedUpdates** A list of UpdateIds which that currently being paused. +- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window. +- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window. +- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window. +- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window. +- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced. +- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. +- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days). +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **QualityUpdatePause9-8iod** No content is currently available. +- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days). +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **S}ncType** No content is currently available. +- **ScanDuratioInSeconds** No content is currently available. +- **ScanDurationInSeconds** The number of seconds a scan took +- **ScanEnqueueTime** The number of seconds it took to initialize a scan +- **ScanPrps** No content is currently available. +- **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). +- **ServiceUrl** The environment URL a device is configured to scan with +- **ShippingMobileOperator** The mobile operator that a device shipped on. +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). +- **SyncType** Describes the type of scan the event was +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. +- **TotalNumMetadataSignatureM** No content is currently available. +- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. +- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### SoftwareUpdateClientTelemetry.Commit + +This event tracks the commit process post the update installation when software update client is trying to update the device. + +The following fields are available: + +- **BiosFamily** Device family as defined in the system BIOS +- **BiosName** Name of the system BIOS +- **BiosReleaseDate** Release date of the system BIOS +- **BiosSKUNumber** Device SKU as defined in the system BIOS +- **BIOSVendor** Vendor of the system BIOS +- **BiosVersion** Version of the system BIOS +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRevisionNumber** Identifies the revision number of the content bundle +- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** Version number of the software distribution client +- **DeploymentProviderMode** The mode of operation of the update deployment provider. +- **DeviceModel** Device model as defined in the system bios +- **EventInstanceID** A globally unique identifier for event instance +- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver". +- **FlightId** The specific id of the flight the device is getting +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) +- **RevisionNumber** Identifies the revision number of this specific piece of content +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). +- **SystemBIOSMajorRelease** Major release version of the system bios +- **SystemBIOSMinorRelease** Minor release version of the system bios +- **UpdateId** Identifier associated with the specific piece of content +- **WUDeviceID** Unique device id controlled by the software distribution client + + +### SoftwareUpdateClientTelemetry.Download + +Download process event for target update on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). + +The following fields are available: + +- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded. +- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload. +- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. +- **AppXDownloadScope** Indicates the scope of the download for application content. +- **AppXScope** Indicates the scope of the app download. +- **aundleBy1esDownl?aded** No content is currently available. +- **B1ndleRepeatFailCount** No content is currently available. +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. +- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. +- **BundleId** Identifier associated with the specific content bundle. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). +- **CachedEngineVersion** The version of the “Self-Initiated Healing” (SIH) engine that is cached on the device, if applicable. +- **CallerApplicationName** The name provided by the application that initiated API calls into the software distribution client. +- **Cbs5ethod** No content is currently available. +- **CbsDownloadMethod** Indicates whether the download was a full- or a partial-file download. +- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. +- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. +- **CDNId** ID which defines which CDN the software distribution client downloaded the content from. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. +- **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. +- **CurrentMobileOperator** The mobile operator the device is currently connected to. +- **DeviceModel** The model of the device. +- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. +- **DownloadProps** Information about the download operation properties in the form of a bitmask. +- **DownloadType** Differentiates the download type of “Self-Initiated Healing” (SIH) downloads between Metadata and Payload downloads. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenarao** No content is currently available. +- **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed. +- **EventType** Identifies the type of the event (Child, Bundle, or Driver). +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). +- **flightBuildNumber** No content is currently available. +- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. +- **FlightId** The specific ID of the flight (pre-release build) the device is getting. +- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). +- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. +- **HostName** The hostname URL the content is downloading from. +- **IPVersion** Indicates whether the download took place over IPv4 or IPv6. +- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update +- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. +- **IsWVfBDualScanEnabled** No content is currently available. +- **IsWVfBEnabled** No content is currently available. +- **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. +- **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) +- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." +- **PackageFullName** The package name of the content. +- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. +- **PostDnldTime** Time (in seconds) taken to signal download completion after the last job completed downloading the payload. +- **ProcessName** The process name of the application that initiated API calls, in the event where CallerApplicationName was not provided. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background. +- **RegulationReason** The reason that the update is regulated +- **RegulationReóult** No content is currently available. +- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. +- **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. +- **RelqtedCV** No content is currently available. +- **RepeatFailCount** Indicates whether this specific content has previously failed. +- **RepeatFailFlag** Indicates whether this specific content previously failed to download. +- **RevisionNumber** The revision number of the specified piece of content. +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). +- **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. +- **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. +- **SizeCalcTime** Time (in seconds) taken to calculate the total download size of the payload. +- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **TargetMetadataVersion** The version of the currently downloading (or most recently downloaded) package. +- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet. +- **TimeToEstablishConnection** Time (in milliseconds) it took to establish the connection prior to beginning downloaded. +- **TotalEx8ectedBydes** No content is currently available. +- **TotalExpectedBytes** The total size (in Bytes) expected to be downloaded. +- **UpdateId** An identifier associated with the specific piece of content. +- **UpdateID** An identifier associated with the specific piece of content. +- **UpdateImportance** Indicates whether the content was marked as Important, Recommended, or Optional. +- **UsecDO** No content is currently available. +- **UsedDO** Indicates whether the download used the Delivery Optimization (DO) service. +- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +- **YsWUfBEnabled** No content is currently available. + + +### SoftwareUpdateClientTelemetry.DownloadCheckpoint + +This event provides a checkpoint between each of the Windows Update download phases for UUP content + +The following fields are available: + +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** The version number of the software distribution client +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver" +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough +- **FileId** A hash that uniquely identifies a file +- **FileName** Name of the downloaded file +- **FlightId** The unique identifier for each flight +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RevisionNumber** Unique revision number of Update +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.) +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult) +- **UpdateId** Unique Update ID +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue + + +### SoftwareUpdateClientTelemetry.DownloadHeartbeat + +This event allows tracking of ongoing downloads and contains data to explain the current state of the download + +The following fields are available: + +- **BytesTotal** Total bytes to transfer for this content +- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat +- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** The version number of the software distribution client +- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat +- **CurrentError** Last (transient) error encountered by the active download +- **DownloadFlags** Flags indicating if power state is ignored +- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing) +- **EventType** Possible values are "Child", "Bundle", or "Driver" +- **FlightId** The unique identifier for each flight +- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered" +- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any +- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any +- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one +- **ResumeCount** Number of times this active download has resumed from a suspended state +- **RevisionNumber** Identifies the revision number of this specific piece of content +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) +- **SuspendCount** Number of times this active download has entered a suspended state +- **SuspendReason** Last reason for why this active download entered a suspended state +- **UpdateId** Identifier associated with the specific piece of content +- **WUDeviceID** Unique device id controlled by the software distribution client + + +### SoftwareUpdateClientTelemetry.Install + +This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date. + +The following fields are available: + +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to install. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0. +- **CSIErrorType** The stage of CBS installation where it failed. +- **CurrentMobileOperator** The mobile operator to which the device is currently connected. +- **DeploymentProviderMode** The mode of operation of the update deployment provider. +- **DeviceModel** The device model. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. +- **EventType** Possible values are Child, Bundle, or Driver. +- **ExtendedErrorCode** The extended error code. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBranch** The branch that a device is on if participating in the Windows Insider Program. +- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **FlightRing** The ring that a device is on if participating in the Windows Insider Program. +- **HandlerType** Indicates what kind of content is being installed (for example, app, driver, Windows update). +- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. +- **InstallProps** A bitmask for future flags associated with the install operation. No value is currently reported in this field. Expected value for this field is 0. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IsDependentSet** Indicates whether the driver is part of a larger System Hardware/Firmware update. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether this update is a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. +- **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. +- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. +- **MsiAction** The stage of MSI installation where it failed. +- **MsiProductCode** The unique identifier of the MSI installer. +- **PackageFullName** The package name of the content being installed. +- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced. +- **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. +- **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. +- **RevisionNumber** The revision number of this specific piece of content. +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). +- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. +- **ShippingMobileOperator** The mobile operator that a device shipped on. +- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **Targeti~gVersion** No content is currently available. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **TransactionCode** The ID that represents a given MSI installation. +- **UpdateId** Unique update ID. +- **UpdateID** An identifier associated with the specific piece of content. +- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. +- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### SoftwareUpdateClientTelemetry.Revert + +Revert event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). + +The following fields are available: + +- **BundleId** Identifier associated with the specific content bundle. Should not be all zeros if the BundleId was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **CSIErrorType** Stage of CBS installation that failed. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **EventType** Event type (Child, Bundle, Release, or Driver). +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of the flight. +- **FlightId** The specific ID of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **UpdateId** The identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device's main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.TaskRun + +Start event for Server Initiated Healing client. See EventScenario field for specifics (for example, started/completed). + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CmdLineArgs** Command line arguments passed in by the caller. +- **EventInstanceID** A globally unique identifier for the event instance. +- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.Uninstall + +Uninstall event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). + +The following fields are available: + +- **BundleId** The identifier associated with the specific content bundle. This should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of the application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers when a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of the event (a scan started, succeded, failed, etc.). +- **EventType** Indicates the event type. Possible values are "Child", "Bundle", "Release" or "Driver". +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of the flight. +- **FlightId** The specific ID of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If the download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **UpdateId** Identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.UpdateDetected + +This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates. + +The following fields are available: + +- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **NumberOfA0plicableUpdates** No content is currently available. +- **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). +- **WUDeviceID** The unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity + +Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments. +- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed. +- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. +- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce +- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID). +- **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable. +- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. +- **RevisionId** The revision ID for a specific piece of content. +- **RevisionNumber** The revision number for a specific piece of content. +- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store +- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. +- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. +- **SHA256OfTimestampToken** An encoded string of the timestamp token. +- **SignatureAlgorithm** The hash algorithm for the metadata signature. +- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast". +- **StatusCode** Result code of the event (success, cancellation, failure code HResult) +- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token. +- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed. +- **UpdateId** The update ID for a specific piece of content. +- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. + + +## System Resource Usage Monitor events + +### Microsoft.Windows.Srum.Sdp.CpuUsage + +This event provides information on CPU usage. + +The following fields are available: + +- **UsageMax** The maximum of hourly average CPU usage. +- **UsageMean** The mean of hourly average CPU usage. +- **UsageMedian** The median of hourly average CPU usage. +- **UsageTwoHourMaxMean** The mean of the maximum of every two hour of hourly average CPU usage. +- **UsageTwoHourMedianMean** The mean of the median of every two hour of hourly average CPU usage. + + +### Microsoft.Windows.Srum.Sdp.NetworkUsage + +This event provides information on network usage. + +The following fields are available: + +- **AdapterGuid** The unique ID of the adapter. +- **BytesTotalMax** The maximum of the hourly average bytes total. +- **BytesTotalMean** The mean of the hourly average bytes total. +- **BytesTotalMedian** The median of the hourly average bytes total. +- **BytesTotalTwoHourMaxMean** The mean of the maximum of every two hours of hourly average bytes total. +- **BytesTotalTwoHourMedianMean** The mean of the median of every two hour of hourly average bytes total. +- **LinkSpeed** The adapter link speed. + + +## Update events + +### Update360Telemetry.Revert + +This event sends data relating to the Revert phase of updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the Revert phase. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **RebootRequired** Indicates reboot is required. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **RevertResult** The result code returned for the Revert operation. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. + + +### Update360Telemetry.UpdateAgentCommit + +This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the install phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentDownloadRequest + +This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. + +The following fields are available: + +- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted. +- **DownloadRequests** Number of times a download was retried. +- **ErrorCode** The error code returned for the current download request phase. +- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. +- **FlightId** Unique ID for each flight. +- **InternalFailureResult** Indicates a non-fatal error from a plugin. +- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable. +- **PackageCCoegoriesSkipped** No content is currently available. +- **PackageCountOptional** Number of optional packages requested. +- **PackageCountRequired** Number of required packages requested. +- **PackageCountTotal** Total number of packages needed. +- **PackageCountTotalCanonical** Total number of canonical packages. +- **PackageCountTotalDiff** Total number of diff packages. +- **PackageCountTotalExpress** Total number of express packages. +- **PackageCountTotalPSFX** The total number of PSFX packages. +- **PackageExpressType** Type of express package. +- **PackageSizeCanonical** Size of canonical packages in bytes. +- **PackageSizeDiff** Size of diff packages in bytes. +- **PackageSizeExpress** Size of express packages in bytes. +- **PackageSizePSFX** The size of PSFX packages, in bytes. +- **RangeRequestSsCoe** No content is currently available. +- **RangeRequestState** Indicates the range request type used. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the download request phase of update. +- **SandboxTaggedForReserves** The sandbox for reserves. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases). +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentExpand + +This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **ElapsedTickCount** Time taken for expand phase. +- **EndFreeSpace** Free space after expand phase. +- **EndSandboxSize** Sandbox size after expand phase. +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **StartFreeSpace** Free space before expand phase. +- **StartSandboxSize** Sandbox size after expand phase. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentFellBackToCanonical + +This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **PackageCount** Number of packages that feel back to canonical. +- **PackageList** PackageIds which fell back to canonical. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentInitialize + +This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **FlightMetadata** Contains the FlightId and the build being flighted. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the install phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios). +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentInstall + +This event sends data for the install phase of updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. +- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **InternalFailureResult** Indicates a non-fatal error from a plugin. +- **ObjectId** Correlation vector value generated from the latest USO scan. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** The result for the current install phase. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentMerge + +The UpdateAgentMerge event sends data on the merge phase when updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the current merge phase. +- **FlightId** Unique ID for each flight. +- **MergeId** The unique ID to join two update sessions being merged. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Related correlation vector value. +- **Result** Outcome of the merge phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentMitigationResult + +This event sends data indicating the result of each update agent mitigation. + +The following fields are available: + +- **Applicable** Indicates whether the mitigation is applicable for the current update. +- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightId** Unique identifier for each flight. +- **Index** The mitigation index of this particular mitigation. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **Name** The friendly name of the mitigation. +- **ObjectId** Unique value for each Update Agent mode. +- **OperationIndex** The mitigation operation index (in the event of a failure). +- **OperationName** The friendly name of the mitigation operation (in the event of failure). +- **RegistryCount** The number of registry operations in the mitigation entry. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). +- **UpdateId** Unique ID for each Update. + + +### Update360Telemetry.UpdateAgentMitigationSummary + +This event sends a summary of all the update agent mitigations available for an this update. + +The following fields are available: + +- **Applicable** The count of mitigations that were applicable to the system and scenario. +- **Failed** The count of mitigations that failed. +- **FlightId** Unique identifier for each flight. +- **MitigationScenario** The update scenario in which the mitigations were attempted. +- **ObjectId** The unique value for each Update Agent mode. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. +- **TimeDiff** The amount of time spent performing all mitigations (in 100-nanosecond increments). +- **Total** Total number of mitigations that were available. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentModeStart + +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. + +The following fields are available: + +- **FlightId** Unique ID for each flight. +- **Mode** Indicates the mode that has started. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. +- **Version** Version of update + + +### Update360Telemetry.UpdateAgentOneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **Count** The count of applicable OneSettings for the device. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. +- **Values** The values sent back to the device, if applicable. + + +### Update360Telemetry.UpdateAgentPostRebootResult + +This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. + +The following fields are available: + +- **ErrorCode** The error code returned for the current post reboot phase. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **ObjectId** Unique value for each Update Agent mode. +- **PostRebootResult** Indicates the Hresult. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentReboot + +This event sends information indicating that a request has been sent to suspend an update. + +The following fields are available: + +- **ErrorCode** The error code returned for the current reboot. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. + + +### Update360Telemetry.UpdateAgentSetupBoxLaunch + +The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. + +The following fields are available: + +- **ContainsExpressPackage** Indicates whether the download package is express. +- **FlightId** Unique ID for each flight. +- **FreeSpace** Free space on OS partition. +- **InstallCount** Number of install attempts using the same sandbox. +- **ObjectId** Unique value for each Update Agent mode. +- **Quiet** Indicates whether setup is running in quiet mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **SandboxSize** Size of the sandbox. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **SetupMode** Mode of setup to be launched. +- **UpdateId** Unique ID for each Update. +- **UserSession** Indicates whether install was invoked by user actions. + + +## Update notification events + +### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat + +This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat. + +The following fields are available: + +- **CampaignConfigVersion** Configuration version for the current campaign. +- **CampaignID** Currently campaign that is running on Update Notification Pipeline (UNP). +- **ConfigCatalogVersion** Current catalog version of UNP. +- **ContentVersion** Content version for the current campaign on UNP. +- **CV** Correlation vector. +- **DetectorVersion** Most recently run detector version for the current campaign on UNP. +- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user. +- **PackageVersion** Current UNP package version. + + +## Upgrade events + +### FacilitatorTelemetry.DCATDownload + +This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **DownloadSize** Download size of payload. +- **ElapsedTime** Time taken to download payload. +- **MediaFallbackUsed** Used to determine if we used Media CompDBs to figure out package requirements for the upgrade. +- **ResultCode** Result returned by the Facilitator DCAT call. +- **Scenario** Dynamic update scenario (Image DU, or Setup DU). +- **Type** Type of package that was downloaded. +- **UpdateId** The ID of the update that was downloaded. + + +### FacilitatorTelemetry.DUDownload + +This event returns data about the download of supplemental packages critical to upgrading a device to the next version of Windows. + +The following fields are available: + +- **DownloadRequestAttributes** The attributes sent for download. +- **PackageCategoriesFailed** Lists the categories of packages that failed to download. +- **PackageCategoriesSkipped** Lists the categories of package downloads that were skipped. +- **ResultCode** The result of the event execution. +- **Scenario** Identifies the active Download scenario. +- **Url** The URL the download request was sent to. +- **Version** Identifies the version of Facilitator used. + + +### FacilitatorTelemetry.InitializeDU + +This event determines whether devices received additional or critical supplemental content during an OS upgrade. + +The following fields are available: + +- **DCATUrl** The Delivery Catalog (DCAT) URL we send the request to. +- **DownloadRequestAttributes** The attributes we send to DCAT. +- **ResultCode** The result returned from the initiation of Facilitator with the URL/attributes. +- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **Url** The Delivery Catalog (DCAT) URL we send the request to. +- **Version** Version of Facilitator. + + +### Setup360Telemetry.Downlevel + +This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the downlevel OS. +- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** More detailed information about phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback). +- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors). +- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT). +- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). +- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** An ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId. + + +### Setup360Telemetry.Finalize + +This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** More detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.OsUninstall + +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.PostRebootInstall + +This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback +- **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId. + + +### Setup360Telemetry.PreDownloadQuiet + +This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help keep Windows up to date. + +The following fields are available: + +- **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.PreDownloadUX + +This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS, to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion of the update process. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **HostOSBuildNumber** The build number of the previous operating system. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). +- **InstanceId** Unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). +- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.PreInstallQuiet + +This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT). +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.PreInstallUX + +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.Setup360 + +This event sends data about OS deployment scenarios, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FieldName** Retrieves the data point. +- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. +- **InstanceId** Retrieves a unique identifier for each instance of a setup session. +- **ReportId** Retrieves the report ID. +- **ScenarioId** Retrieves the deployment scenario. +- **Value** Retrieves the value associated with the corresponding FieldName. + + +### Setup360Telemetry.Setup360DynamicUpdate + +This event helps determine whether the device received supplemental content during an operating system upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. +- **InstanceId** Retrieves a unique identifier for each instance of a setup session. +- **Operation** Facilitator’s last known operation (scan, download, etc.). +- **ReportId** ID for tying together events stream side. +- **ResultCode** Result returned for the entire setup operation. +- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **ScenarioId** Identifies the update scenario. +- **TargetBranch** Branch of the target OS. +- **TargetBuild** Build of the target OS. + + +### Setup360Telemetry.Setup360MitigationResult + +This event sends data indicating the result of each setup mitigation. + +The following fields are available: + +- **Applicable** TRUE if the mitigation is applicable for the current update. +- **ClientId** In the Windows Update scenario, this is the client ID passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightData** The unique identifier for each flight (test release). +- **Index** The mitigation index of this particular mitigation. +- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **Name** The friendly (descriptive) name of the mitigation. +- **OperationIndex** The mitigation operation index (in the event of a failure). +- **OperationName** The friendly (descriptive) name of the mitigation operation (in the event of failure). +- **RegistryCount** The number of registry operations in the mitigation entry. +- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. +- **Result** HResult of this operation. +- **ScenarioId** Setup360 flow type. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). + + +### Setup360Telemetry.Setup360MitigationSummary + +This event sends a summary of all the setup mitigations available for this update. + +The following fields are available: + +- **Applicable** The count of mitigations that were applicable to the system and scenario. +- **ClientId** The Windows Update client ID passed to Setup. +- **Failed** The count of mitigations that failed. +- **FlightData** The unique identifier for each flight (test release). +- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. +- **MitigationScenario** The update scenario in which the mitigations were attempted. +- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. +- **Result** HResult of this operation. +- **ScenarioId** Setup360 flow type. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). +- **Total** The total number of mitigations that were available. + + +### Setup360Telemetry.Setup360OneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **ClientId** The Windows Update client ID passed to Setup. +- **Count** The count of applicable OneSettings for the device. +- **FlightData** The ID for the flight (test instance version). +- **InstanceId** The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe. +- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. +- **ReportId** The Update ID passed to Setup. +- **Result** The HResult of the event error. +- **ScenarioId** The update scenario ID. +- **Values** Values sent back to the device, if applicable. + + +### Setup360Telemetry.UnexpectedEvent + +This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +## Windows as a Service diagnostic events + +### Microsoft.Windows.WaaSMedic.SummaryEvent + +Result of the WaaSMedic operation. + +The following fields are available: + +- **callerApplication** The name of the calling application. +- **capsuleCount** The number of Sediment Pack capsules. +- **capsuleFailureCount** The number of capsule failures. +- **detectionSummary** Result of each applicable detection that was run. +- **featureAssessmentImpact** WaaS Assessment impact for feature updates. +- **hrEngineBlockReason** Indicates the reason for stopping WaaSMedic. +- **hrEngineResult** Error code from the engine operation. +- **hrLastSandboxError** The last error sent by the WaaSMedic sandbox. +- **initSummary** Summary data of the initialization method. +- **insufficientSessions** Device not eligible for diagnostics. +- **isInteractiveMode** The user started a run of WaaSMedic. +- **isManaged** Device is managed for updates. +- **isWUConnected** Device is connected to Windows Update. +- **noMoreActions** No more applicable diagnostics. +- **pluginFailureCount** The number of plugins that have failed. +- **pluginsCount** The number of plugins. +- **qualityAssessmentImpact** WaaS Assessment impact for quality updates. +- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on. +- **usingBackupFeatureAssessment** Relying on backup feature assessment. +- **usingBackupQualityAssessment** Relying on backup quality assessment. +- **usingCachedFeatureAssessment** WaaS Medic run did not get OS build age from the network on the previous run. +- **usingCachedQualityAssessment** WaaS Medic run did not get OS revision age from the network on the previous run. +- **versionString** Version of the WaaSMedic engine. +- **waasMedicRunMode** Indicates whether this was a background regular run of the medic or whether it was triggered by a user launching Windows Update Troubleshooter. + + +## Windows Error Reporting events + +### Microsoft.Windows.WERVertical.OSCrash + +This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. + +The following fields are available: + +- **BootId** Uint32 identifying the boot number for this device. +- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check. +- **BugCheckParameter1** Uint64 parameter providing additional information. +- **BugCheckParameter2** Uint64 parameter providing additional information. +- **BugCheckParameter3** Uint64 parameter providing additional information. +- **BugCheckParameter4** Uint64 parameter providing additional information. +- **DumpFileAttributes** Codes that identify the type of data contained in the dump file +- **DumpFileSize** Size of the dump file +- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise +- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). + + +## Windows Error Reporting MTT events + +### Microsoft.Windows.WER.MTT.Denominator + +This event provides a denominator to calculate MTTF (mean-time-to-failure) for crashes and other errors, to help keep Windows up to date. + +The following fields are available: + +- **DPRange** Maximum mean value range. +- **DPValue** Randomized bit value (0 or 1) that can be reconstituted over a large population to estimate the mean. +- **Value** Standard UTC emitted DP value structure See [Value](#value). + + +### Value + +This event returns data about Mean Time to Failure (MTTF) for Windows devices. It is the primary means of estimating reliability problems in Basic Diagnostic reporting with very strong privacy guarantees. Since Basic Diagnostic reporting does not include system up-time, and since that information is important to ensuring the safe and stable operation of Windows, the data provided by this event provides that data in a manner which does not threaten a user’s privacy. + +The following fields are available: + +- **Algorithm** The algorithm used to preserve privacy. +- **DPRange** The upper bound of the range being measured. +- **DPValue** The randomized response returned by the client. +- **Epsilon** The level of privacy to be applied. +- **HistType** The histogram type if the algorithm is a histogram algorithm. +- **PertProb** The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”. + + +## Windows Store events + +### Microsoft.Windows.Store.StoreActivating + +This event sends tracking data about when the Store app activation via protocol URI is in progress, to help keep Windows up to date. + + + +### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation + +This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** Number of retry attempts before it was canceled. +- **BundleId** The Item Bundle ID. +- **CategoryId** The Item Category ID. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed before this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Was this requested by a user? +- **IsMandatory** Was this a mandatory update? +- **IsRemediation** Was this a remediation install? +- **IsRestore** Is this automatically restoring a previously acquired product? +- **IsUpdate** Flag indicating if this is an update. +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The product family name of the product being installed. +- **ProductId** The identity of the package or packages being installed. +- **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled. +- **UserAttemptNumber** The total number of user attempts at installation before it was canceled. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds + +This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure. + + + +### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare + +This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure. + + + +### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation + +This event is sent when an app update or installation is canceled while in interactive mode. This can be canceled by the user or the system. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed. +- **AttemptNumber** Total number of installation attempts. +- **BundleId** The identity of the Windows Insider build that is associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Was this requested by a user? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this an automatic restore of a previously acquired product? +- **IsUpdate** Is this a product update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of all packages to be downloaded and installed. +- **PreviousHResult** The previous HResult code. +- **PreviousInstallState** Previous installation state before it was canceled. +- **ProductId** The name of the package or packages requested for installation. +- **RelatedCV** Correlation Vector of a previous performed action on this product. +- **SystemAttemptNumber** Total number of automatic attempts to install before it was canceled. +- **UserAttemptNumber** Total number of user attempts to install before it was canceled. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest + +This event is sent at the end of app installations or updates to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The Store Product ID of the app being installed. +- **HResult** HResult code of the action being performed. +- **IsBundle** Is this a bundle? +- **PackageFamilyName** The name of the package being installed. +- **ProductId** The Store Product ID of the product being installed. +- **SkuId** Specific edition of the item being installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense + +This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set. +- **AttemptNumber** The total number of attempts to acquire this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** HResult code to show the result of the operation (success/failure). +- **IsBundle** Is this a bundle? +- **IsInteractive** Did the user initiate the installation? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this happening after a device restore? +- **IsUpdate** Is this an update? +- **PFN** Product Family Name of the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The number of attempts by the system to acquire this product. +- **UserAttemptNumber** The number of attempts by the user to acquire this product +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndDownload + +This event is sent after an app is downloaded to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. +- **AttemptNumber** Number of retry attempts before it was canceled. +- **BundleId** The identity of the Windows Insider build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **DownloadSize** The total size of the download. +- **ExtendedHResult** Any extended HResult error codes. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this initiated by the user? +- **IsMandatory** Is this a mandatory installation? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this a restore of a previously acquired product? +- **IsUpdate** Is this an update? +- **ParentBundleId** The parent bundle ID (if it's part of a bundle). +- **PFN** The Product Family Name of the app being download. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The number of attempts by the system to download. +- **UserAttemptNumber** The number of attempts by the user to download. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate + +This event is sent when an app update requires an updated Framework package and the process starts to download it. It is used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed before this operation. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds + +This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed before this operation. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndInstall + +This event is sent after a product has been installed to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **ExtendedHResult** The extended HResult error code. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this an interactive installation? +- **IsMandatory** Is this a mandatory installation? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this automatically restoring a previously acquired product? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** Product Family Name of the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates + +This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AsOnline** No content is currently available. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsApplicability** Is this request to only check if there are any applicable packages to install? +- **IsInteractive** Is this user requested? +- **IsOnline** Is the request doing an online check? + + +### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages + +This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData + +This event is sent after restoring user data (if any) that needs to be restored following a product install. It is used to keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of system attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare + +This event is sent after a scan for available app updates to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed. + + +### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete + +This event is sent at the end of an app install or update to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The name of the product catalog from which this app was chosen. +- **FailedRetry** Indicates whether the installation or update retry was successful. +- **HResult** The HResult code of the operation. +- **PFN** The Package Family Name of the app that is being installed or updated. +- **ProductId** The product ID of the app that is being updated or installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate + +This event is sent at the beginning of an app install or update to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The name of the product catalog from which this app was chosen. +- **FulfillmentPluginId** The ID of the plugin needed to install the package type of the product. +- **PFN** The Package Family Name of the app that is being installed or updated. +- **PluginTelemetryData** Diagnostic information specific to the package-type plug-in. +- **ProductId** The product ID of the app that is being updated or installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest + +This event is sent when a product install or update is initiated, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **BundleId** The identity of the build associated with this product. +- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SkuId** Specific edition ID being installed. +- **VolumePath** The disk path of the installation. + + +### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation + +This event is sent when a product install or update is paused (either by a user or the system), to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The Product Full Name. +- **PreviousHResult** The result code of the last action performed before this operation. +- **PreviousInstallState** Previous state before the installation or update was paused. +- **ProductId** The Store Product ID for the product being installed. +- **RelatedCV** Correlation Vector of a previous performed action on this product. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation + +This event is sent when a product install or update is resumed (either by a user or the system), to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed before this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **IsUserRetry** Did the user initiate the retry? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **PreviousHResult** The previous HResult error code. +- **PreviousInstallState** Previous state before the installation was paused. +- **ProductId** The Store Product ID for the product being installed. +- **RelatedCV** Correlation Vector for the original install before it was resumed. +- **ResumeClientId** The ID of the app that initiated the resume operation. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest + +This event is sent when a product install or update is resumed by a user or on installation retries, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ProductId** The Store Product ID for the product being installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest + +This event is sent when searching for update packages to install, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The Store Catalog ID for the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SkuId** Specfic edition of the app being updated. + + +### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest + +This event occurs when an update is requested for an app, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **PFamN** The name of the app that is requested for update. + + +## Windows System Kit events + +### Microsoft.Windows.Kits.WSK.WskImageCreate + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures. + +The following fields are available: + +- **Phase** The image creation phase. Values are “Start” or “End”. +- **WskVersion** The version of the Windows System Kit being used. + + +### Microsoft.Windows.Kits.WSK.WskImageCustomization + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures. + +The following fields are available: + +- **CustomizationMode** Indicates the mode of the customization (new or updating). +- **CustomizationType** Indicates the type of customization (drivers or apps). +- **Mode** The mode of update to image configuration files. Values are “New” or “Update”. +- **Phase** The image creation phase. Values are “Start” or “End”. +- **Type** The type of update to image configuration files. Values are “Apps” or “Drivers”. +- **WskVersion** The version of the Windows System Kit being used. + + +### Microsoft.Windows.Kits.WSK.WskWorkspaceCreate + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new workspace for generating OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate workspace creation failures. + +The following fields are available: + +- **Architecture** The OS architecture that the workspace will target. Values are one of: “AMD64”, “ARM64”, “x86”, or “ARM”. +- **OsEdition** The Operating System Edition that the workspace will target. +- **Phase** The image creation phase. Values are “Start” or “End”. +- **WorkspaceArchitecture** The operating system architecture that the workspace will target. +- **WorkspaceOsEdition** The operating system edition that the workspace will target. +- **WskVersion** The version of the Windows System Kit being used. + + +## Windows Update Delivery Optimization events + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled + +This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download being done in the background? +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same group. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group. +- **bytesFromLinkLocalPeers** The number of bytes received from local peers. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **cdnIp** The IP Address of the source CDN (Content Delivery Network). +- **cdnUrl** The URL of the source CDN (Content Delivery Network). +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **errorCode** The error code that was returned. +- **experimentId** When running a test, this is used to correlate events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. +- **isVpn** Indicates whether the device is connected to a VPN (Virtual Private Network). +- **jobID** Identifier for the Windows Update job. +- **predefinedCallerName** The name of the API Caller. +- **reasonCode** Reason the action or event occurred. +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the file download session. +- **updateID** The ID of the update being downloaded. +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted + +This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download a background download? +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. +- **bytesFromLinkLocalPeers** The number of bytes received from local peers. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **bytesRequested** The total number of bytes requested for download. +- **cacheServerBonnectionCount** No content is currently available. +- **cacheServerConnectionCount** Number of connections made to cache hosts. +- **cdnConnectionCount** The total number of connections made to the CDN. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **cdnIp** The IP address of the source CDN. +- **cdnUrl** Url of the source Content Distribution Network (CDN). +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **dnErrorCounts** No content is currently available. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **downlinkBps** The maximum measured available download bandwidth (in bytes per second). +- **downlinkUsageBps** The download speed (in bytes per second). +- **downloadMode** The download mode used for this file download session. +- **downloadModeReason** Reason for the download. +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **expiresAt** The time when the content will expire from the Delivery Optimization Cache. +- **fileID** The ID of the file being downloaded. +- **fileSize** The size of the file being downloaded. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gdnConnectionCount** No content is currently available. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. +- **groupConnectionCo** No content is currently available. +- **groupConnectionCount** The total number of connections made to peers in the same group. +- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group. +- **isEncrypted** TRUE if the file is encrypted and will be decrypted after download. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **lanConnectionCount** The total number of connections made to peers in the same LAN. +- **linkLocalConnectionCount** The number of connections made to peers in the same Link-local network. +- **numPeers** The total number of peers used for this download. +- **numPeersLocal** The total number of local peers used for this download. +- **predefinedCallerName** The name of the API Caller. +- **restrictedU`load** No content is currently available. +- **restrictedUpload** Is the upload restricted? +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the download session. +- **totalTimeMs** Duration of the download (in seconds). +- **updateID** The ID of the update being downloaded. +- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). +- **uplinkUsageBps** The upload speed (in bytes per second). +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused + +This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download a background download? +- **cdnUrl** The URL of the source CDN (Content Delivery Network). +- **errorCode** The error code that was returned. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being paused. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **predefinedCallerName** The name of the API Caller object. +- **reasonCode** The reason for pausing the download. +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the download session. +- **updateID** The ID of the update being paused. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted + +This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **ActiveNetworkConnection** No content is currently available. +- **background** Indicates whether the download is happening in the background. +- **bytesRequested** Number of bytes requested for the download. +- **cdnUrl** The URL of the source Content Distribution Network (CDN). +- **costFlags** A set of flags representing network cost. +- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). +- **diceRoll** Random number used for determining if a client will use peering. +- **doClientVersion** The version of the Delivery Optimization client. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). +- **downloadModeReason** Reason for the download. +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **errorCode** The error code that was returned. +- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing. +- **fileID** The ID of the file being downloaded. +- **filePath** The path to where the downloaded file will be written. +- **fileSize** Total file size of the file that was downloaded. +- **fileSizeCaller** Value for total file size provided by our caller. +- **groupID** ID for the group. +- **IsBootCritical** No content is currently available. +- **isEncrypted** Indicates whether the download is encrypted. +- **isVpn** Indicates whether the device is connected to a Virtual Private Network. +- **jobID** The ID of the Windows Update job. +- **peerID** The ID for this delivery optimization client. +- **predefinedCallerName** Name of the API caller. +- **routeToCacheServer** Cache server setting, source, and value. +- **SdbEntries** No content is currently available. +- **sessionID** The ID for the file download session. +- **setConfigs** A JSON representation of the configurations that have been set, and their sources. +- **updateID** The ID of the update being downloaded. +- **usedMemoryStream** Indicates whether the download used memory streaming. +- **WuDriverCoverage** No content is currently available. +- **WuDriverUpdateId** No content is currently available. +- **WuPopulatedFromId** No content is currently available. + + +### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication + +This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **cdnHeaders** The HTTP headers returned by the CDN. +- **cdnIp** The IP address of the CDN. +- **cdnUrl** The URL of the CDN. +- **errorCode** The error code that was returned. +- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **httpStatusCode** The HTTP status code returned by the CDN. +- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET +- **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.). +- **requestOffset** The byte offset within the file in the sent request. +- **requestSize** The size of the range requested from the CDN. +- **responseSize** The size of the range response received from the CDN. +- **sessionID** The ID of the download session. + + +### Microsoft.OSG.DU.DeliveryOptClient.JobError + +This event represents a Windows Update job error. It allows for investigation of top errors. + +The following fields are available: + +- **cdnIp** The IP Address of the source CDN (Content Delivery Network). +- **doErrorCode** Error code returned for delivery optimization. +- **errorCode** The error code returned. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **jobID** The Windows Update job ID. + + +## Windows Update events + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary + +This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **activated** Whether the entire device manifest update is considered activated and in use. +- **analysisErrorCount** The number of driver packages that could not be analyzed because errors occurred during analysis. +- **flightId** Unique ID for each flight. +- **missingDriverCount** The number of driver packages delivered by the device manifest that are missing from the system. +- **missingUpdateCount** The number of updates in the device manifest that are missing from the system. +- **objectId** Unique value for each diagnostics session. +- **publishedCount** The number of drivers packages delivered by the device manifest that are published and available to be used on devices. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **scenarioId** Indicates the update scenario. +- **sessionId** Unique value for each update session. +- **summary** A summary string that contains basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match. +- **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string. +- **truncatedDeviceCount** The number of devices missing from the summary string because there is not enough room in the string. +- **truncatedDriverCount** The number of driver packages missing from the summary string because there is not enough room in the string. +- **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices. +- **updateId** The unique ID for each update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit + +This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **objectId** The unique GUID for each diagnostics session. +- **relatedCV** A correlation vector value generated from the latest USO scan. +- **result** Outcome of the initialization of the session. +- **scenarioId** Identifies the Update scenario. +- **sessionId** The unique value for each update session. +- **updateId** The unique identifier for each Update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest + +This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted. +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **objectId** Unique value for each Update Agent mode. +- **packageCountOptional** Number of optional packages requested. +- **packageCountRequired** Number of required packages requested. +- **packageCountTotal** Total number of packages needed. +- **packageCountTotalCanonical** Total number of canonical packages. +- **packageCountTotalDiff** Total number of diff packages. +- **packageCountTotalExpress** Total number of express packages. +- **packageSizeCanonical** Size of canonical packages in bytes. +- **packageSizeDiff** Size of diff packages in bytes. +- **packageSizeExpress** Size of express packages in bytes. +- **rangeRequestState** Represents the state of the download range request. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **result** Result of the download request phase of update. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionId** Unique value for each Update Agent mode attempt. +- **updateId** Unique ID for each update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize + +This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **flightMetadata** Contains the FlightId and the build being flighted. +- **objectId** Unique value for each Update Agent mode. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios). +- **sessionId** Unique value for each Update Agent mode attempt. +- **updateId** Unique ID for each update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall + +This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **errorCode** The error code returned for the current install phase. +- **flightId** The unique identifier for each flight (pre-release builds). +- **objectId** The unique identifier for each diagnostics session. +- **relatedCV** Correlation vector value generated from the latest scan. +- **result** Outcome of the install phase of the update. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate +- **sessionId** The unique identifier for each update session. +- **updateId** The unique identifier for each Update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart + +This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **flightId** The unique identifier for each flight (pre-release builds). +- **mode** Indicates the active Update Agent mode. +- **objectId** Unique value for each diagnostics session. +- **relatedCV** Correlation vector value generated from the latest scan. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionId** The unique identifier for each update session. +- **updateId** The unique identifier for each Update. + + +### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed + +This event indicates that a notification dialog box is about to be displayed to user. + +The following fields are available: + +- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. +- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before the RebootFailed dialog box is shown. +- **DaysSinceRebootRequired** Number of days since restart was required. +- **DeviceLocalTime** The local time on the device sending the event. +- **EngagedModeLimit** The number of days to switch between DTE dialog boxes. +- **EnterAutoModeLimit** The maximum number of days for a device to enter Auto Reboot mode. +- **ETag** OneSettings versioning value. +- **IsForcedEnabled** Indicates whether Forced Reboot mode is enabled for this device. +- **IsUltimateForcedEnabled** Indicates whether Ultimate Forced Reboot mode is enabled for this device. +- **NotificationUxState** Indicates which dialog box is shown. +- **NotificationUxStateString** Indicates which dialog box is shown. +- **RebootUxState** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). +- **RebootUxStateString** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). +- **RebootVersion** Version of DTE. +- **SkipToAutoModeLimit** The minimum length of time to pass in restart pending before a device can be put into auto mode. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UtcTime** The time the dialog box notification will be displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootAcceptAutoDialog + +This event indicates that the Enhanced Engaged restart "accept automatically" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose on this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootFirstReminderDialog + +This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed.. + +The following fields are available: + +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose in this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog + +This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** The local time of the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog + +This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** Time the dialog box was shown on the local device. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose in this dialog box. +- **UtcTime** The time that dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderDialog + +This event returns information relating to the Enhanced Engaged reboot reminder dialog that was displayed. + +The following fields are available: + +- **DeviceLocalTime** The time at which the reboot reminder dialog was shown (based on the local device time settings). +- **ETag** The OneSettings versioning value. +- **ExitCode** Indicates how users exited the reboot reminder dialog box. +- **RebootVersion** The version of the DTE (Direct-to-Engaged). +- **UpdateId** The ID of the update that is waiting for reboot to finish installation. +- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. +- **UserResponseString** The option chosen by the user on the reboot dialog box. +- **UtcTime** The time at which the reboot reminder dialog was shown (in UTC). + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderToast + +This event indicates that the Enhanced Engaged restart reminder pop-up banner was displayed. + +The following fields are available: + +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the pop-up banner. +- **RebootVersion** The version of the reboot logic. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in the pop-up banner. +- **UtcTime** The time that the pop-up banner was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.RebootScheduled + +Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update. + +The following fields are available: + +- **activeHoursApplicable** Indicates whether an Active Hours policy is present on the device. +- **IsEnhancedEngagedReboot** Indicates whether this is an Enhanced Engaged reboot. +- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. +- **rebootOutsideOfActiveHours** Indicates whether a restart is scheduled outside of active hours. +- **rebootScheduledByUser** Indicates whether the restart was scheduled by user (if not, it was scheduled automatically). +- **rebootState** The current state of the restart. +- **rebootUsingSmartScheduler** Indicates whether the reboot is scheduled by smart scheduler. +- **revisionNumber** Revision number of the update that is getting installed with this restart. +- **scheduledRebootTime** Time of the scheduled restart. +- **scheduledRebootTimeInUTC** Time of the scheduled restart in Coordinated Universal Time. +- **updateId** ID of the update that is getting installed with this restart. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy + +This event indicates a policy is present that may restrict update activity to outside of active hours. + +The following fields are available: + +- **activeHoursEnd** The end of the active hours window. +- **activeHoursStart** The start of the active hours window. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours + +This event indicates that update activity was blocked because it is within the active hours window. + +The following fields are available: + +- **activeHoursEnd** The end of the active hours window. +- **activeHoursStart** The start of the active hours window. +- **updatePhase** The current state of the update process. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.BlockedByBatteryLevel + +This event indicates that Windows Update activity was blocked due to low battery level. + +The following fields are available: + +- **batteryLevel** The current battery charge capacity. +- **batteryLevelThreshold** The battery capacity threshold to stop update activity. +- **updatePhase** The current state of the update process. +- **wuDeviceid** Device ID. + + +### Microsoft.Windows.Update.Orchestrator.DeferRestart + +This event indicates that a restart required for installing updates was postponed. + +The following fields are available: + +- **displayNeededReason** List of reasons for needing display. +- **eventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery). +- **gameModeReason** Name of the executable that caused the game mode state check to start. +- **ignoredReason** List of reasons that were intentionally ignored. +- **IgnoreReasonsForRestart** List of reasons why restart was deferred. +- **revisionNumber** Update ID revision number. +- **systemNeededReason** List of reasons why system is needed. +- **updateId** Update ID. +- **updateScenarioType** Update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.Detection + +This event indicates that a scan for a Windows Update occurred. + +The following fields are available: + +- **deferReason** The reason why the device could not check for updates. +- **detectionBlockingPolicy** The Policy that blocked detection. +- **detectionBlockreason** The reason detection did not complete. +- **detectionRetryMode** Indicates whether we will try to scan again. +- **errorCode** The error code returned for the current process. +- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. +- **flightID** The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable. +- **interactive** Indicates whether the user initiated the session. +- **networkStatus** Indicates if the device is connected to the internet. +- **revisionNumber** The Update revision number. +- **scanTriggerSource** The source of the triggered scan. +- **updateId** The unique identifier of the Update. +- **updateScenarioType** Identifies the type of update session being performed. +- **wuDeviceid** The unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.DisplayNeeded + +This event indicates the reboot was postponed due to needing a display. + +The following fields are available: + +- **displayNeededReason** Reason the display is needed. +- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. +- **revisionNumber** Revision number of the update. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. +- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue + + +### Microsoft.Windows.Update.Orchestrator.Download + +This event sends launch data for a Windows Update download to help keep Windows up to date. + +The following fields are available: + +- **deferReason** Reason for download not completing. +- **errorCode** An error code represented as a hexadecimal value. +- **eventScenario** End-to-end update session ID. +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the session is user initiated. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.DTUCompletedWhenWuFlightPendingCommit + +This event indicates that DTU completed installation of the electronic software delivery (ESD), when Windows Update was already in Pending Commit phase of the feature update. + +The following fields are available: + +- **wuDeviceid** Device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.DTUEnabled + +This event indicates that Inbox DTU functionality was enabled. + +The following fields are available: + +- **wuDeviceid** Device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.DTUInitiated + +This event indicates that Inbox DTU functionality was intiated. + +The following fields are available: + +- **dtuErrorCode** Return code from creating the DTU Com Server. +- **isDtuApplicable** Determination of whether DTU is applicable to the machine it is running on. +- **wuDeviceid** Device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.EscalationRiskLevels + +This event is sent during update scan, download, or install, and indicates that the device is at risk of being out-of-date. + +The following fields are available: + +- **configVersion** The escalation configuration version on the device. +- **downloadElapsedTime** Indicates how long since the download is required on device. +- **downloadRiskLevel** At-risk level of download phase. +- **installElapsedTime** Indicates how long since the install is required on device. +- **installRiskLevel** The at-risk level of install phase. +- **isSediment** Assessment of whether is device is at risk. +- **scanElapsedTime** Indicates how long since the scan is required on device. +- **scanRiskLevel** At-risk level of the scan phase. +- **wuDeviceid** Device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.FailedToAddTimeTriggerToScanTask + +This event indicated that USO failed to add a trigger time to a task. + +The following fields are available: + +- **errorCode** The Windows Update error code. +- **wuDeviceid** The Windows Update device ID. + + +### Microsoft.Windows.Update.Orchestrator.FlightInapplicable + +This event indicates that the update is no longer applicable to this device. + +The following fields are available: + +- **EventPublishedTime** Time when this event was generated. +- **flightID** The specific ID of the Windows Insider build. +- **inapplicableReason** The reason why the update is inapplicable. +- **revisionNumber** Update revision number. +- **updateId** Unique Windows Update ID. +- **updateScenarioType** Update session type. +- **UpdateStatus** Last status of update. +- **UUPFallBackConfigured** Indicates whether UUP fallback is configured. +- **wuDeviceid** Unique Device ID. + + +### Microsoft.Windows.Update.Orchestrator.InitiatingReboot + +This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date. + +The following fields are available: + +- **EventPublishedTime** Time of the event. +- **flightID** Unique update ID +- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. +- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. +- **revisionNumber** Revision number of the update. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.Install + +This event sends launch data for a Windows Update install to help keep Windows up to date. + +The following fields are available: + +- **batteryLevel** Current battery capacity in mWh or percentage left. +- **deferReason** Reason for install not completing. +- **errorCode** The error code reppresented by a hexadecimal value. +- **eventScenario** End-to-end update session ID. +- **flightID** The ID of the Windows Insider build the device is getting. +- **flightUpdate** Indicates whether the update is a Windows Insider build. +- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates. +- **IgnoreReasonsForRestart** The reason(s) a Postpone Restart command was ignored. +- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress. +- **installRebootinitiatetime** The time it took for a reboot to be attempted. +- **interactive** Identifies if session is user initiated. +- **minutesToCommit** The time it took to install updates. +- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.LowUptimes + +This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure. + +The following fields are available: + +- **availableHistoryMinutes** The number of minutes available from the local machine activity history. +- **isLowUptimeMachine** Is the machine considered low uptime or not. +- **lowUptimeMinHours** Current setting for the minimum number of hours needed to not be considered low uptime. +- **lowUptimeQueryDays** Current setting for the number of recent days to check for uptime. +- **uptimeMinutes** Number of minutes of uptime measured. +- **wuDeviceid** Unique device ID for Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection + +This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date. + +The following fields are available: + +- **externalOneshotupdate** The last time a task-triggered scan was completed. +- **interactiveOneshotupdate** The last time an interactive scan was completed. +- **oldlastscanOneshotupdate** The last time a scan completed successfully. +- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID). + + +### Microsoft.Windows.Update.Orchestrator.PreShutdownStart + +This event is generated before the shutdown and commit operations. + +The following fields are available: + +- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### Microsoft.Windows.Update.Orchestrator.RebootFailed + +This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date. + +The following fields are available: + +- **batteryLevel** Current battery capacity in mWh or percentage left. +- **deferReason** Reason for install not completing. +- **EventPublishedTime** The time that the reboot failure occurred. +- **flightID** Unique update ID. +- **rebootOutsideOfActiveHours** Indicates whether a reboot was scheduled outside of active hours. +- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.RefreshSettings + +This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date. + +The following fields are available: + +- **errorCode** Hex code for the error message, to allow lookup of the specific error. +- **settingsDownloadTime** Timestamp of the last attempt to acquire settings. +- **settingsETag** Version identifier for the settings. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask + +This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date. + +The following fields are available: + +- **RebootTaskMissedTimeUTC** The time when the reboot task was scheduled to run, but did not. +- **RebootTaskNextTimeUTC** The time when the reboot task was rescheduled for. +- **RebootTaskRestoredTime** Time at which this reboot task was restored. +- **wuDeviceid** Device ID for the device on which the reboot is restored. + + +### Microsoft.Windows.Update.Orchestrator.ScanTriggered + +This event indicates that Update Orchestrator has started a scan operation. + +The following fields are available: + +- **errorCode** The error code returned for the current scan operation. +- **eventScenario** Indicates the purpose of sending this event. +- **interactive** Indicates whether the scan is interactive. +- **isDTUEnabled** Indicates whether DTU (internal abbreviation for Direct Feature Update) channel is enabled on the client system. +- **isScanPastSla** Indicates whether the SLA has elapsed for scanning. +- **isScanPastTriggerSla** Indicates whether the SLA has elapsed for triggering a scan. +- **minutesOverScanSla** Indicates how many minutes the scan exceeded the scan SLA. +- **minutesOverScanTriggerSla** Indicates how many minutes the scan exceeded the scan trigger SLA. +- **scanTriggerSource** Indicates what caused the scan. +- **updateScenarioType** The update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.StickUpdate + +This event is sent when the update service orchestrator (USO) indicates the update cannot be superseded by a newer update. + +The following fields are available: + +- **updateId** Identifier associated with the specific piece of content. +- **wuDeviceid** Unique device ID controlled by the software distribution client. + + +### Microsoft.Windows.Update.Orchestrator.SystemNeeded + +This event sends data about why a device is unable to reboot, to help keep Windows up to date. + +The following fields are available: + +- **eventScenario** End-to-end update session ID. +- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. +- **revisionNumber** Update revision number. +- **systemNeededReason** List of apps or tasks that are preventing the system from restarting. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.TerminatedByActiveHours + +This event indicates that update activity was stopped due to active hours starting. + +The following fields are available: + +- **activeHoursEnd** The end of the active hours window. +- **activeHoursStart** The start of the active hours window. +- **updatePhase** The current state of the update process. +- **wuDeviceid** The device identifier. + + +### Microsoft.Windows.Update.Orchestrator.TerminatedByBatteryLevel + +This event is sent when update activity was stopped due to a low battery level. + +The following fields are available: + +- **batteryLevel** The current battery charge capacity. +- **batteryLevelThreshold** The battery capacity threshold to stop update activity. +- **updatePhase** The current state of the update process. +- **wuDeviceid** The device identifier. + + +### Microsoft.Windows.Update.Orchestrator.UnstickUpdate + +This event is sent when the update service orchestrator (USO) indicates that the update can be superseded by a newer update. + +The following fields are available: + +- **updateId** Identifier associated with the specific piece of content. +- **wuDeviceid** Unique device ID controlled by the software distribution client. + + +### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh + +This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date. + +The following fields are available: + +- **configuredPoliciescount** Number of policies on the device. +- **configuredPoliciescsunt** No content is currently available. +- **policiesNamevaluesource** Policy name and source of policy (group policy, MDM or flight). +- **policyCacherefreshtime** Time when policy cache was refreshed. +- **updateInstalluxsetting** Indicates whether a user has set policies via a user experience option. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired + +This event sends data about whether an update required a reboot to help keep Windows up to date. + +The following fields are available: + +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed + +This event sends information about an update that encountered problems and was not able to complete. + +The following fields are available: + +- **errorCode** The error code encountered. +- **wuDeviceid** The ID of the device in which the error occurred. + + +### Microsoft.Windows.Update.Orchestrator.UsoSession + +This event represents the state of the USO service at start and completion. + +The following fields are available: + +- **activeSessionid** A unique session GUID. +- **eventScenario** The state of the update action. +- **interactive** Is the USO session interactive? +- **lastErrorcode** The last error that was encountered. +- **lastErrorstate** The state of the update when the last error was encountered. +- **sessionType** A GUID that refers to the update session type. +- **updateScenarioType** A descriptive update session type. +- **wuDeviceid** The Windows Update device GUID. + + +### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState + +This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. + +The following fields are available: + +- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. +- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown. +- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed. +- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs. +- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode. +- **ETag** The Entity Tag that represents the OneSettings version. +- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device. +- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device. +- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending. +- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced. +- **RebootVersion** The version of the DTE (Direct-to-Engaged). +- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode. +- **UpdateId** The ID of the update that is waiting for reboot to finish installation. +- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. + + +### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded + +This event is sent when a security update has successfully completed. + +The following fields are available: + +- **UtcTime** The Coordinated Universal Time that the restart was no longer needed. + + +### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled + +This event sends basic information about scheduling an update-related reboot, to get security updates and to help keep Windows up-to-date. + +The following fields are available: + +- **activeHoursApplicable** Indicates whether Active Hours applies on this device. +- **IsEnhancedEngagedReboot** Indicates whether Enhanced reboot was enabled. +- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. +- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise. +- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically. +- **rebootState** Current state of the reboot. +- **rebootUsingSmartScheduler** Indicates that the reboot is scheduled by SmartScheduler. +- **revisionNumber** Revision number of the OS. +- **scheduledRebootTime** Time scheduled for the reboot. +- **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC. +- **updateId** Identifies which update is being scheduled. +- **wuDeviceid** The unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerScheduledTask + +This event is sent when MUSE broker schedules a task. + +The following fields are available: + +- **TaskArgument** The arguments with which the task is scheduled. +- **TaskName** Name of the task. + + +### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled + +This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date. + +The following fields are available: + +- **activeHoursApplicable** Is the restart respecting Active Hours? +- **IsEnhancedEngagedReboot** TRUE if the reboot path is Enhanced Engaged. Otherwise, FALSE. +- **rebootArgument** The arguments that are passed to the OS for the restarted. +- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours? +- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device. +- **rebootState** The state of the restart. +- **rebootUsingSmartScheduler** TRUE if the reboot should be performed by the Smart Scheduler. Otherwise, FALSE. +- **revisionNumber** The revision number of the OS being updated. +- **scheduledRebootTime** Time of the scheduled reboot +- **scheduledRebootTimeInUTC** Time of the scheduled restart, in Coordinated Universal Time. +- **updateId** The Windows Update device GUID. +- **wuDeviceid** The Windows Update device GUID. + + +## Windows Update mitigation events + +### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages + +This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates. + +The following fields are available: + +- **ClientId** The client ID used by Windows Update. +- **FlightId** The ID of each Windows Insider build the device received. +- **InstanceId** A unique device ID that identifies each update instance. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **MountedImageCount** The number of mounted images. +- **MountedImageMatches** The number of mounted image matches. +- **MountedImagesFailed** The number of mounted images that could not be removed. +- **MountedImagesRemoved** The number of mounted images that were successfully removed. +- **MountedImagesSkipped** The number of mounted images that were not found. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each Windows Update. +- **WuId** Unique ID for the Windows Update client. + + +### Mitigation360Telemetry.MitigationCustom.FixAppXReparsePoints + +This event sends data specific to the FixAppXReparsePoints mitigation used for OS updates. + +The following fields are available: + +- **ClientId** Unique identifier for each flight. +- **FlightId** Unique GUID that identifies each instances of setuphost.exe. +- **InstanceId** The update scenario in which the mitigation was executed. +- **MitigationScenario** Correlation vector value generated from the latest USO scan. +- **RelatedCV** Number of reparse points that are corrupted but we failed to fix them. +- **ReparsePointsFailed** Number of reparse points that were corrupted and were fixed by this mitigation. +- **ReparsePointsFixed** Number of reparse points that are not corrupted and no action is required. +- **ReparsePointsSkipped** HResult of this operation. +- **Result** ID indicating the mitigation scenario. +- **ScenarioId** Indicates whether the scenario was supported. +- **ScenarioSupported** Unique value for each update attempt. +- **SessionId** Unique ID for each Update. +- **UpdateId** Unique ID for the Windows Update client. +- **WuId** Unique ID for the Windows Update client. + + +### Mitigation360Telemetry.MitigationCustom.FixupEditionId + +This event sends data specific to the FixupEditionId mitigation used for OS updates. + +The following fields are available: + +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **EditionIdUpdated** Determine whether EditionId was changed. +- **FlightId** Unique identifier for each flight. +- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **ProductEditionId** Expected EditionId value based on GetProductInfo. +- **ProductType** Value returned by GetProductInfo. +- **RegistryEditionId** EditionId value in the registry. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. +- **WuId** Unique ID for the Windows Update client. + + +## Windows Update Reserve Manager events + +### Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment + +This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending. + +The following fields are available: + +- **FinalAdjustment** Final adjustment for the hard reserve following the addition or removal of optional content. +- **InitialAdjustment** Initial intended adjustment for the hard reserve following the addition/removal of optional content. + + +### Microsoft.Windows.UpdateReserveManager.FunctionReturnedError + +This event is sent when the Update Reserve Manager returns an error from one of its internal functions. + +The following fields are available: + +- **FailedExpression** The failed expression that was returned. +- **FailedFile** The binary file that contained the failed function. +- **FailedFunction** The name of the function that originated the failure. +- **FailedLine** The line number of the failure. +- **ReturnCode** The return code of the function. + + +### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager + +This event returns data about the Update Reserve Manager, including whether it’s been initialized. + +The following fields are available: + +- **ClientId** The ID of the caller application. +- **Flags** The enumerated flags used to initialize the manager. +- **FlightId** The flight ID of the content the calling client is currently operating with. +- **Offline** Indicates whether or the reserve manager is called during offline operations. +- **PolicyPassed** Indicates whether the machine is able to use reserves. +- **ReturnCode** Return code of the operation. +- **Version** The version of the Update Reserve Manager. + + +### Microsoft.Windows.UpdateReserveManager.PrepareTIForReserveInitialization + +This event is sent when the Update Reserve Manager prepares the Trusted Installer to initialize reserves on the next boot. + +The following fields are available: + +- **Flags** The flags that are passed to the function to prepare the Trusted Installer for reserve initialization. + + +### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment + +This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment. + + + +### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment + +This event is sent when the Update Reserve Manager needs to adjust the size of the hard reserve after the option content is installed. + +The following fields are available: + +- **ChangeSize** The change in the hard reserve size based on the addition or removal of optional content. +- **Disposition** The parameter for the hard reserve adjustment function. +- **Flags** The flags passed to the hard reserve adjustment function. +- **PendingHardReserveAdjustment** The final change to the hard reserve size. +- **UpdateType** Indicates whether the change is an increase or decrease in the size of the hard reserve. + + +## Winlogon events + +### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon + +This event signals the completion of the setup process. It happens only once during the first logon. + + + +## XBOX events + +### Microsoft.Xbox.XamTelemetry.AppActivationError + +This event indicates whether the system detected an activation error in the app. + +The following fields are available: + +- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app. +- **AppId** The Xbox LIVE Title ID. +- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate. +- **Result** The HResult error. +- **UserId** The Xbox LIVE User ID (XUID). + + +### Microsoft.Xbox.XamTelemetry.AppActivity + +This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. + +The following fields are available: + +- **AppActionId** The ID of the application action. +- **AppCurrentVisibilityState** The ID of the current application visibility state. +- **AppId** The Xbox LIVE Title ID of the app. +- **AppPackageFullName** The full name of the application package. +- **AppPreviousVisibilityState** The ID of the previous application visibility state. +- **AppSessionId** The application session ID. +- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). +- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. +- **DurationMs** The amount of time (in milliseconds) since the last application state transition. +- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. +- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). +- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. +- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. +- **UserId** The XUID (Xbox User ID) of the current user. + + + From a9b48ce01f125b4d7bf26d5653a34122d743f54b Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 27 Mar 2019 09:03:25 -0700 Subject: [PATCH 078/492] new build 3/27/2019 9:03 AM --- .../basic-level-windows-diagnostic-events-and-fields-1903.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index a7a06f32ec..6d5138182b 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/26/2019 +ms.date: 03/27/2019 --- From 666dcc2f9c959cfcae120ee93a2f71d1b7260c18 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 27 Mar 2019 09:03:35 -0700 Subject: [PATCH 079/492] new build 3/27/2019 9:03 AM --- ...ndows-diagnostic-events-and-fields-1703.md | 2 +- ...ndows-diagnostic-events-and-fields-1709.md | 2 +- ...ndows-diagnostic-events-and-fields-1803.md | 2 +- ...ndows-diagnostic-events-and-fields-1809.md | 15678 ++++++++-------- 4 files changed, 7770 insertions(+), 7914 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index ae09444cb1..1a4810d670 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/26/2019 +ms.date: 03/27/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 494bb5b1d5..0ca537440b 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/26/2019 +ms.date: 03/27/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 38b1e69785..a2d892faf3 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/26/2019 +ms.date: 03/27/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 1fdf4dd009..8540ded6cf 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -1,7911 +1,7767 @@ ---- -description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. -title: Windows 10, version 1809 basic diagnostic events and fields (Windows 10) -keywords: privacy, telemetry -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -localizationpriority: high -author: brianlic-msft -ms.author: brianlic -manager: dansimp -ms.collection: M365-security-compliance -ms.topic: article -audience: ITPro -ms.date: 03/26/2019 ---- - - -# Windows 10, version 1809 basic level Windows diagnostic events and fields - - **Applies to** - -- Windows 10, version 1809 - - -The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. - -The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. - -Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. - -You can learn more about Windows functional and diagnostic data through these articles: - - -- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) -- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) -- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) -- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) -- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) - - - - -## Account trace logging provider events - -### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.General - -This event provides information about application properties to indicate the successful execution. - -The following fields are available: - -- **AppMode** Indicates the mode the app is being currently run around privileges. -- **ExitCode** Indicates the exit code of the app. -- **Help** Indicates if the app needs to be launched in the help mode. -- **ParseError** Indicates if there was a parse error during the execution. -- **RightsAcquired** Indicates if the right privileges were acquired for successful execution. -- **RightsWereEnabled** Indicates if the right privileges were enabled for successful execution. -- **TestMode** Indicates whether the app is being run in test mode. - - -### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.GetCount - -This event provides information about the properties of user accounts in the Administrator group. - -The following fields are available: - -- **Internal** Indicates the internal property associated with the count group. -- **LastError** The error code (if applicable) for the cause of the failure to get the count of the user account. -- **Result** The HResult error. - - -## AppLocker events - -### Microsoft.Windows.Security.AppLockerCSP.ActivityStoppedAutomatically - -Automatically closed activity for start/stop operations that aren't explicitly closed. - - - -### Microsoft.Windows.Security.AppLockerCSP.AddParams - -Parameters passed to Add function of the AppLockerCSP Node. - -The following fields are available: - -- **child** The child URI of the node to add. -- **uri** URI of the node relative to %SYSTEM32%/AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.AddStart - -Start of "Add" Operation for the AppLockerCSP Node. - - - -### Microsoft.Windows.Security.AppLockerCSP.AddStop - -End of "Add" Operation for AppLockerCSP Node. - -The following fields are available: - -- **hr** The HRESULT returned by Add function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.CAppLockerCSP::Rollback - -Result of the 'Rollback' operation in AppLockerCSP. - -The following fields are available: - -- **oldId** Previous id for the CSP transaction. -- **txId** Current id for the CSP transaction. - - -### Microsoft.Windows.Security.AppLockerCSP.ClearParams - -Parameters passed to the "Clear" operation for AppLockerCSP. - -The following fields are available: - -- **uri** The URI relative to the %SYSTEM32%\AppLocker folder. - - -### Microsoft.Windows.Security.AppLockerCSP.ClearStart - -Start of the "Clear" operation for the AppLockerCSP Node. - - - -### Microsoft.Windows.Security.AppLockerCSP.ClearStop - -End of the "Clear" operation for the AppLockerCSP node. - -The following fields are available: - -- **hr** HRESULT reported at the end of the 'Clear' function. - - -### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStart - -Start of the "ConfigManagerNotification" operation for AppLockerCSP. - -The following fields are available: - -- **NotifyState** State sent by ConfigManager to AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStop - -End of the "ConfigManagerNotification" operation for AppLockerCSP. - -The following fields are available: - -- **hr** HRESULT returned by the ConfigManagerNotification function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceParams - -Parameters passed to the CreateNodeInstance function of the AppLockerCSP node. - -The following fields are available: - -- **NodeId** NodeId passed to CreateNodeInstance. -- **nodeOps** NodeOperations parameter passed to CreateNodeInstance. -- **uri** URI passed to CreateNodeInstance, relative to %SYSTEM32%\AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStart - -Start of the "CreateNodeInstance" operation for the AppLockerCSP node. - - - -### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStop - -End of the "CreateNodeInstance" operation for the AppLockerCSP node - -The following fields are available: - -- **hr** HRESULT returned by the CreateNodeInstance function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.DeleteChildParams - -Parameters passed to the DeleteChild function of the AppLockerCSP node. - -The following fields are available: - -- **child** The child URI of the node to delete. -- **uri** URI relative to %SYSTEM32%\AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStart - -Start of the "DeleteChild" operation for the AppLockerCSP node. - - - -### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStop - -End of the "DeleteChild" operation for the AppLockerCSP node. - -The following fields are available: - -- **hr** HRESULT returned by the DeleteChild function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.EnumPolicies - -Logged URI relative to %SYSTEM32%\AppLocker, if the Plugin GUID is null, or the CSP doesn't believe the old policy is present. - -The following fields are available: - -- **uri** URI relative to %SYSTEM32%\AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesParams - -Parameters passed to the GetChildNodeNames function of the AppLockerCSP node. - -The following fields are available: - -- **uri** URI relative to %SYSTEM32%/AppLocker for MDM node. - - -### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStart - -Start of the "GetChildNodeNames" operation for the AppLockerCSP node. - - - -### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStop - -End of the "GetChildNodeNames" operation for the AppLockerCSP node. - -The following fields are available: - -- **child[0]** If function succeeded, the first child's name, else "NA". -- **count** If function succeeded, the number of child node names returned by the function, else 0. -- **hr** HRESULT returned by the GetChildNodeNames function of AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.GetLatestId - -The result of 'GetLatestId' in AppLockerCSP (the latest time stamped GUID). - -The following fields are available: - -- **dirId** The latest directory identifier found by GetLatestId. -- **id** The id returned by GetLatestId if id > 0 - otherwise the dirId parameter. - - -### Microsoft.Windows.Security.AppLockerCSP.HResultException - -HRESULT thrown by any arbitrary function in AppLockerCSP. - -The following fields are available: - -- **file** File in the OS code base in which the exception occurs. -- **function** Function in the OS code base in which the exception occurs. -- **hr** HRESULT that is reported. -- **line** Line in the file in the OS code base in which the exception occurs. - - -### Microsoft.Windows.Security.AppLockerCSP.SetValueParams - -Parameters passed to the SetValue function of the AppLockerCSP node. - -The following fields are available: - -- **dataLength** Length of the value to set. -- **uri** The node URI to that should contain the value, relative to %SYSTEM32%\AppLocker. - - -### Microsoft.Windows.Security.AppLockerCSP.SetValueStart - -Start of the "SetValue" operation for the AppLockerCSP node. - - - -### Microsoft.Windows.Security.AppLockerCSP.SetValueStop - -End of the "SetValue" operation for the AppLockerCSP node. - -The following fields are available: - -- **hr** HRESULT returned by the SetValue function in AppLockerCSP. - - -### Microsoft.Windows.Security.AppLockerCSP.TryRemediateMissingPolicies - -EntryPoint of fix step or policy remediation, includes URI relative to %SYSTEM32%\AppLocker that needs to be fixed. - -The following fields are available: - -- **uri** URI for node relative to %SYSTEM32%/AppLocker. - - -## Appraiser events - -### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount - -This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client. - -The following fields are available: - -- **DatasourceApplicationFile_19ASetup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_19H1** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **DatasourceApplicationFile_RS2** An ID for the system, calculated by hashing hardware identifiers. -- **DatasourceApplicationFile_RS3** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS3Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS4** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_TH1** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_TH2** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_19ASetup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. -- **DatasourceDevicePnp_RS2** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS3** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS4** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS5** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_TH1** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_TH2** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_19ASetup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_19H1** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device. -- **DatasourceDriverPackage_RS2** The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device. -- **DatasourceDriverPackage_RS3** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS5** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_TH1** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoBlock_RS2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS3** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS3Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS3** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS3Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS3Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_19ASetup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_19H1** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device. -- **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device. -- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting Windows 10 version 1709 present on this device. -- **DatasourceSystemBios_RS3Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS4** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS4Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS5** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS5Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_TH1** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_TH2** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_19H1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS3** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_TH1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_TH2** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_19H1** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. -- **DecisionDevicePnp_RS2** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS3** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS5** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_TH1** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_TH2** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_19H1** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device. -- **DecisionDriverPackage_RS2** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS3** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS5** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_TH1** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. -- **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. -- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1709 present on this device. -- **DecisionMatchingInfoBlock_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS4** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1803 present on this device. -- **DecisionMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. -- **DecisionMatchingInfoPassive_RS2** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 on this device. -- **DecisionMatchingInfoPassive_RS3** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1803 on this device. -- **DecisionMatchingInfoPassive_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. -- **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. -- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. -- **DecisionMatchingInfoPostUpgrade_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_19ASetup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_19H1** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_19H1Setup** The total DecisionMediaCenter objects targeting the next release of Windows on this device. -- **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. -- **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device. -- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting Windows 10 version 1709 present on this device. -- **DecisionMediaCenter_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_RS4** The total DecisionMediaCenter objects targeting Windows 10 version 1803 present on this device. -- **DecisionMediaCenter_RS4Setup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_RS5Setup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_TH1** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_TH2** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_19ASetup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_19H1** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device. -- **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 on this device. -- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting Windows 10 version 1709 on this device. -- **DecisionSystemBios_RS3Setup** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device. -- **DecisionSystemBios_RS4Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS5** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS5Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **DecisionSystemBios_TH1** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device. -- **DecisionSystemProcessor_RS2** The count of the number of this particular object type present on this device. -- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **InventoryApplicationFile** The count of the number of this particular object type present on this device. -- **InventoryDeviceContainer** A count of device container objects in cache. -- **InventoryDevicePnp** A count of device Plug and Play objects in cache. -- **InventoryDriverBinary** A count of driver binary objects in cache. -- **InventoryDriverPackage** A count of device objects in cache. -- **InventoryLanguagePack** The count of the number of this particular object type present on this device. -- **InventoryMediaCenter** The count of the number of this particular object type present on this device. -- **InventorySystemBios** The count of the number of this particular object type present on this device. -- **InventorySystemMachine** The count of the number of this particular object type present on this device. -- **InventorySystemProcessor** The count of the number of this particular object type present on this device. -- **InventoryTest** The count of the number of this particular object type present on this device. -- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. -- **PCFP** The count of the number of this particular object type present on this device. -- **SystemMemory** The count of the number of this particular object type present on this device. -- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. -- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. -- **SystemProcessorNx** The total number of objects of this type present on this device. -- **SystemProcessorPrefetchW** The total number of objects of this type present on this device. -- **SystemProcessorSse2** The total number of objects of this type present on this device. -- **SystemTouch** The count of the number of this particular object type present on this device. -- **SystemWim** The total number of objects of this type present on this device. -- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. -- **SystemWlan** The total number of objects of this type present on this device. -- **Wmdrm_19ASetup** The count of the number of this particular object type present on this device. -- **Wmdrm_19H1** The count of the number of this particular object type present on this device. -- **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. -- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS2** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS3** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS3Setup** The count of the number of this particular object type present on this device. -- **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. -- **Wmdrm_RS4Setup** The count of the number of this particular object type present on this device. -- **Wmdrm_RS5** The count of the number of this particular object type present on this device. -- **Wmdrm_RS5Setup** The count of the number of this particular object type present on this device. -- **Wmdrm_TH1** The count of the number of this particular object type present on this device. -- **Wmdrm_TH2** The count of the number of this particular object type present on this device. - - -### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd - -Represents the basic metadata about specific application files installed on the system. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file that is generating the events. -- **AvDisplayName** If the app is an anti-virus app, this is its display name. -- **CompatModelIndex** The compatibility prediction for this file. -- **HasCitData** Indicates whether the file is present in CIT data. -- **HasCitDcta** No content is currently available. -- **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file. -- **IsAv** Is the file an anti-virus reporting EXE? -- **ResolveAttempted** This will always be an empty string when sending telemetry. -- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. - - -### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove - -This event indicates that the DatasourceApplicationFile object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync - -This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd - -This event sends compatibility data for a Plug and Play device, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **ActiveNetworkConnection** Indicates whether the device is an active network device. -- **ActivóNetworkConnection** No content is currently available. -- **AppraiserVersion** The version of the appraiser file generating the events. -- **CosDeviceRating** An enumeration that indicates if there is a driver on the target operating system. -- **CosDeviceSolution** An enumeration that indicates how a driver on the target operating system is available. -- **CosDeviceSolutionUrl** Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd . Empty string -- **CosPopulatedFromId** The expected uplevel driver matching ID based on driver coverage data. -- **IsBootCritical** Indicates whether the device boot is critical. -- **UplevelInboxDriver** Indicates whether there is a driver uplevel for this device. -- **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update. -- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver. -- **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update. - - -### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove - -This event indicates that the DatasourceDevicePnp object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync - -This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd - -This event sends compatibility database data about driver packages to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove - -This event indicates that the DatasourceDriverPackage object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync - -This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd - -This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove - -This event indicates that the DataSourceMatchingInfoBlock object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync - -This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd - -This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove - -This event indicates that the DataSourceMatchingInfoPassive object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync - -This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd - -This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove - -This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync - -This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd - -This event sends compatibility database information about the BIOS to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove - -This event indicates that the DatasourceSystemBios object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync - -This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd - -This event sends compatibility decision data about a file to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file that is generating the events. -- **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. -- **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question. -- **DisplayGenericMessage** Will be a generic message be shown for this file? -- **DisplayGenericMessageGated** Indicates whether a generic message be shown for this file. -- **HardBlock** This file is blocked in the SDB. -- **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? -- **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode? -- **MigRemoval** Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade? -- **NeedsDismissAction** Will the file cause an action that can be dimissed? -- **NeedsInstallPostUpgradeData** After upgrade, the file will have a post-upgrade notification to install a replacement for the app. -- **NeedsNotifyPostUpgradeData** Does the file have a notification that should be shown after upgrade? -- **NeedsReinstallPostUpgradeData** After upgrade, this file will have a post-upgrade notification to reinstall the app. -- **NeedsUninstallAction** The file must be uninstalled to complete the upgrade. -- **SdbBlockUpgrade** The file is tagged as blocking upgrade in the SDB, -- **SdbBlockUpgradeCanReinstall** The file is tagged as blocking upgrade in the SDB. It can be reinstalled after upgrade. -- **SdbBlockUpgradeUntilUpdate** The file is tagged as blocking upgrade in the SDB. If the app is updated, the upgrade can proceed. -- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not block upgrade. -- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade. -- **SoftBlock** The file is softblocked in the SDB and has a warning. - - -### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove - -This event indicates Indicates that the DecisionApplicationFile object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync - -This event indicates that a new set of DecisionApplicationFileAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd - -This event sends compatibility decision data about a PNP device to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. -- **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked? -- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate? -- **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked? -- **BlockingDevice** Is this PNP device blocking upgrade? -- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS? -- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device? -- **CssociatedDriverIsBlocked** No content is currently available. -- **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device? -- **DisplayGenericMessageGated** Indicates whether a generic message will be shown during Setup for this PNP device. -- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device? -- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? -- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device? -- **DriverBlockOverridden** Is there is a driver block on the device that has been overridden? -- **DviverAvailableInbox** No content is currently available. -- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device? -- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS? -- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade? -- **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden? - - -### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove - -This event indicates that the DecisionDevicePnp object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync - -The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd - -This event sends decision data about driver package compatibility to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. -- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for this driver package. -- **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? -- **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block? -- **DriverIsDriverBlocked** Is the driver package blocked because of a driver block? -- **DriverIsTroubleshooterBlocked** Indicates whether the driver package is blocked because of a troubleshooter block. -- **DriverShouldNotMigrate** Should the driver package be migrated during upgrade? -- **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? - - -### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove - -This event indicates that the DecisionDriverPackage object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync - -This event indicates that a new set of DecisionDriverPackageAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd - -This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. -- **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks? -- **DisplayGenericMessage** Will a generic message be shown for this block? -- **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block? -- **SdbBlockUpgrade** Is a matching info block blocking upgrade? -- **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag? -- **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag? - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove - -This event indicates that the DecisionMatchingInfoBlock object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync - -This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd - -This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks? -- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown due to matching info blocks. -- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove - -This event Indicates that the DecisionMatchingInfoPassive object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync - -This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd - -This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app? -- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade? -- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app? -- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade). - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove - -This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync - -This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd - -This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **BlockingApplication** Is there any application issues that interfere with upgrade due to Windows Media Center? -- **MediaCenterActivelyUsed** If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true? -- **MediaCenterIndicators** Do any indicators imply that Windows Media Center is in active use? -- **MediaCenterInUse** Is Windows Media Center actively being used? -- **MediaCenterPaidOrActivelyUsed** Is Windows Media Center actively being used or is it running on a supported edition? -- **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center? - - -### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove - -This event indicates that the DecisionMediaCenter object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync - -This event indicates that a new set of DecisionMediaCenterAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd - -This event sends compatibility decision data about the BIOS to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the device blocked from upgrade due to a BIOS block? -- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for the bios. -- **HasBiosBlock** Does the device have a BIOS block? - - -### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove - -This event indicates that the DecisionSystemBios object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync - -This event indicates that a new set of DecisionSystemBiosAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.GatedRegChange - -This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date. - -The following fields are available: - -- **NewData** The data in the registry value after the scan completed. -- **OldData** The previous data in the registry value before the scan ran. -- **PCFP** An ID for the system calculated by hashing hardware identifiers. -- **RegKey** The registry key name for which a result is being sent. -- **RegValue** The registry value for which a result is being sent. -- **Time** The client time of the event. - - -### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd - -This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **AvDisplayName** If the app is an antivirus app, this is its display name. -- **AvProductState** Indicates whether the antivirus program is turned on and the signatures are up to date. -- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64. -- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. -- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. -- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata. -- **CompanyName** The company name of the vendor who developed this file. -- **FileId** A hash that uniquely identifies a file. -- **FileVersion** The File version field from the file metadata under Properties -> Details. -- **HasUpgradeExe** Indicates whether the antivirus app has an upgrade.exe file. -- **IsAv** Indicates whether the file an antivirus reporting EXE. -- **LinkDate** The date and time that this file was linked on. -- **LowerCaseLongPath** The full file path to the file that was inventoried on the device. -- **Name** The name of the file that was inventoried. -- **ProductName** The Product name field from the file metadata under Properties -> Details. -- **ProductVersion** The Product version field from the file metadata under Properties -> Details. -- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it. -- **Size** The size of the file (in hexadecimal bytes). - - -### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove - -This event indicates that the InventoryApplicationFile object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync - -This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd - -This event sends data about the number of language packs installed on the system, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **HasLanguagePack** Indicates whether this device has 2 or more language packs. -- **LanguagePackCount** The number of language packs are installed. - - -### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove - -This event indicates that the InventoryLanguagePack object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync - -This event indicates that a new set of InventoryLanguagePackAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd - -This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **EverLaunched** Has Windows Media Center ever been launched? -- **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center? -- **HasExtendedUserAccounts** Are any Windows Media Center Extender user accounts configured? -- **HasWatchedFolders** Are any folders configured for Windows Media Center to watch? -- **IsDefaultLauncher** Is Windows Media Center the default app for opening music or video files? -- **IsPaid** Is the user running a Windows Media Center edition that implies they paid for Windows Media Center? -- **IsSupported** Does the running OS support Windows Media Center? - - -### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove - -This event indicates that the InventoryMediaCenter object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync - -This event indicates that a new set of InventoryMediaCenterAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd - -This event sends basic metadata about the BIOS to determine whether it has a compatibility block. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **biosDate** The release date of the BIOS in UTC format. -- **BiosDate** The release date of the BIOS in UTC format. -- **biosName** The name field from Win32_BIOS. -- **BiosName** The name field from Win32_BIOS. -- **manufacturer** The manufacturer field from Win32_ComputerSystem. -- **Manufacturer** The manufacturer field from Win32_ComputerSystem. -- **model** The model field from Win32_ComputerSystem. -- **Model** The model field from Win32_ComputerSystem. - - -### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove - -This event indicates that the InventorySystemBios object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync - -This event indicates that a new set of InventorySystemBiosAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd - -This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **BootCritical** Is the driver package marked as boot critical? -- **Build** The build value from the driver package. -- **CatalogFile** The name of the catalog file within the driver package. -- **Class** The device class from the driver package. -- **ClassGuid** The device class unique ID from the driver package. -- **Date** The date from the driver package. -- **Inbox** Is the driver package of a driver that is included with Windows? -- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU. -- **Provider** The provider of the driver package. -- **PublishedName** The name of the INF file after it was renamed. -- **Revision** The revision of the driver package. -- **SignatureStatus** Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2. -- **VersionMajor** The major version of the driver package. -- **VersionMinor** The minor version of the driver package. - - -### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove - -This event indicates that the InventoryUplevelDriverPackage object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync - -This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.RunContext - -This event indicates what should be expected in the data payload. - -The following fields are available: - -- **__TlgCV_** No content is currently available. -- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built. -- **AppraiserProcess** The name of the process that launched Appraiser. -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **CensusId** A unique hardware identifier. -- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry. -- **PCFP** An ID for the system calculated by hashing hardware identifiers. -- **Subcontext** Indicates what categories of incompatibilities appraiser is scanning for. Can be N/A, Resolve, or a semicolon-delimited list that can include App, Dev, Sys, Gat, or Rescan. -- **Time** The client time of the event. - - -### Microsoft.Windows.Appraiser.General.SystemMemoryAdd - -This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the device from upgrade due to memory restrictions? -- **MemoryRequirementViolated** Was a memory requirement violated? -- **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes). -- **ram** The amount of memory on the device. -- **ramKB** The amount of memory (in KB). -- **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes). -- **virtualKB** The amount of virtual memory (in KB). - - -### Microsoft.Windows.Appraiser.General.SystemMemoryRemove - -This event that the SystemMemory object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync - -This event indicates that a new set of SystemMemoryAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd - -This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **CompareExchange128Support** Does the CPU support CompareExchange128? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove - -This event indicates that the SystemProcessorCompareExchange object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync - -This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd - -This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **LahfSahfSupport** Does the CPU support LAHF/SAHF? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove - -This event indicates that the SystemProcessorLahfSahf object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync - -This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd - -This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support. -- **NXProcessorSupport** Does the processor support NX? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove - -This event indicates that the SystemProcessorNx object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync - -This event indicates that a new set of SystemProcessorNxAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd - -This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **PrefetchWSupport** Does the processor support PrefetchW? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove - -This event indicates that the SystemProcessorPrefetchW object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync - -This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add - -This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **SSE2ProcessorSupport** Does the processor support SSE2? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove - -This event indicates that the SystemProcessorSse2 object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync - -This event indicates that a new set of SystemProcessorSse2Add events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemTouchAdd - -This event sends data indicating whether the system supports touch, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer? -- **MaximumTouches** The maximum number of touch points supported by the device hardware. - - -### Microsoft.Windows.Appraiser.General.SystemTouchRemove - -This event indicates that the SystemTouch object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemTouchStartSync - -This event indicates that a new set of SystemTouchAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWimAdd - -This event sends data indicating whether the operating system is running from a compressed Windows Imaging Format (WIM) file, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **IsWimBoot** Is the current operating system running from a compressed WIM file? -- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM. - - -### Microsoft.Windows.Appraiser.General.SystemWimRemove - -This event indicates that the SystemWim object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWimStartSync - -This event indicates that a new set of SystemWimAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd - -This event sends data indicating whether the current operating system is activated, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated. -- **WindowsNotActivatedDecision** Is the current operating system activated? - - -### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove - -This event indicates that the SystemWindowsActivationStatus object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync - -This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWlanAdd - -This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked because of an emulated WLAN driver? -- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block? -- **WlanEmulatedDriver** Does the device have an emulated WLAN driver? -- **WlanExists** Does the device support WLAN at all? -- **WlanModulePresent** Are any WLAN modules present? -- **WlanNativeDriver** Does the device have a non-emulated WLAN driver? - - -### Microsoft.Windows.Appraiser.General.SystemWlanRemove - -This event indicates that the SystemWlan object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWlanStartSync - -This event indicates that a new set of SystemWlanAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.TelemetryRunHealth - -This event indicates the parameters and result of a telemetry (diagnostic) run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date. - -The following fields are available: - -- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built. -- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run. -- **AppraiserProcess** The name of the process that launched Appraiser. -- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots. -- **AuxFinal** Obsolete, always set to false. -- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app. -- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan. -- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. -- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent. -- **InboxDataVersion** The original version of the data files before retrieving any newer version. -- **IndicatorsWritten** Indicates if all relevant UEX indicators were successfully written or updated. -- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent. -- **PCFP** An ID for the system calculated by hashing hardware identifiers. -- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. -- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. -- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. -- **RunDate** The date that the telemetry run was stated, expressed as a filetime. -- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic. -- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. -- **RunResult** The hresult of the Appraiser telemetry run. -- **ScheduledUploadDay** The day scheduled for the upload. -- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run. -- **StoreHandleIsNotNull** Obsolete, always set to false -- **TelementrySent** Indicates if telemetry was successfully sent. -- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability. -- **Time** The client time of the event. -- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging. -- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated. - - -### Microsoft.Windows.Appraiser.General.WmdrmAdd - -This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **BlockingApplication** Same as NeedsDismissAction. -- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation. -- **WmdrmApiResult** Raw value of the API used to gather DRM state. -- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs. -- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased. -- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed. -- **WmdrmNonPårmanent** No content is currently available. -- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses. -- **WmdrmPurchased** Indicates if the system has any files with permanent licenses. - - -### Microsoft.Windows.Appraiser.General.WmdrmRemove - -This event indicates that the Wmdrm object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.WmdrmStartSync - -This event indicates that a new set of WmdrmAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -## Census events - -### Census.App - -Provides information on IE and Census versions running on the device - -The following fields are available: - -- **AppraiserEnterpriseErrorCode** The error code of the last Appraiser enterprise run. -- **AppraiserErrorCode** The error code of the last Appraiser run. -- **AppraiserRunEndTimeStamp** The end time of the last Appraiser run. -- **AppraiserRunIsInProgressOrCrashed** Flag that indicates if the Appraiser run is in progress or has crashed. -- **AppraiserRunStartTimeStamp** The start time of the last Appraiser run. -- **AppraiserTaskEnabled** Whether the Appraiser task is enabled. -- **AppraiserTaskExitCode** The Appraiser task exist code. -- **AppraiserTaskLastRun** The last runtime for the Appraiser task. -- **CensusVersion** The version of Census that generated the current data for this device. -- **IEVersion** The version of Internet Explorer that is running on the device. - - -### Census.Battery - -This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date. - -The following fields are available: - -- **InternalBatteryCapablities** Represents information about what the battery is capable of doing. -- **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity  to estimate the battery's wear. -- **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh. -- **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance. -- **IsAlwaysOnAlwaysConn0ctedCapable** No content is currently available. -- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value. - - -### Census.Camera - -This event sends data about the resolution of cameras on the device, to help keep Windows up to date. - -The following fields are available: - -- **FrontFacingCameraResolution** Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0. -- **RearFacingCameraResolution** Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0. - - -### Census.Enterprise - -This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment. - -The following fields are available: - -- **AADDeviceId** Azure Active Directory device ID. -- **AzureOSIDPresent** Represents the field used to identify an Azure machine. -- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs. -- **CDJType** Represents the type of cloud domain joined for the machine. -- **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers. -- **ContainerType** The type of container, such as process or virtual machine hosted. -- **EnrollmentType** Defines the type of MDM enrollment on the device. -- **HashedDomain** The hashed representation of the user domain used for login. -- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false -- **IsDERequirementMet** Represents if the device can do device encryption. -- **IsDeviceProt0cted** No content is currently available. -- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption -- **IsDomainJoined** Indicates whether a machine is joined to a domain. -- **IsEDPEnabled** Represents if Enterprise data protected on the device. -- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. -- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID -- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment. -- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. -- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier - - -### Census.Firmware - -This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date. - -The following fields are available: - -- **FirmwareManufacturer** Represents the manufacturer of the device's firmware (BIOS). -- **FirmwareReleaseD4te** No content is currently available. -- **FirmwareReleaseDate** Represents the date the current firmware was released. -- **FirmwareType** Represents the firmware type. The various types can be unknown, BIOS, UEFI. -- **FirmwareVersion** Represents the version of the current firmware. - - -### Census.Flighting - -This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up to date. - -The following fields are available: - -- **DeviceSampleRate** The telemetry sample rate assigned to the device. -- **EnablePreviewBuilds** Used to enable Windows Insider builds on a device. -- **FlightIds** A list of the different Windows Insider builds on this device. -- **FlightingBranchName** The name of the Windows Insider branch currently used by the device. -- **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program. -- **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device. -- **SSRK** Retrieves the mobile targeting settings. - - -### Census.Hardware - -This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up to date. - -The following fields are available: - -- **ActiveMicCount** The number of active microphones attached to the device. -- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36. -- **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields. -- **D3DMaxFeatureLevel** Supported Direct3D version. -- **DeviceColor** Indicates a color of the device. -- **DeviceForm** Indicates the form as per the device classification. -- **DeviceName** The device name that is set by the user. -- **DigitizerSupport** Is a digitizer supported? -- **DUID** The device unique ID. -- **Gyroscope** Indicates whether the device has a gyroscope (a mechanical component that measures and maintains orientation). -- **InventoryId** The device ID used for compatibility testing. -- **Magnetometer** Indicates whether the device has a magnetometer (a mechanical component that works like a compass). -- **NFCProximity** Indicates whether the device supports NFC (a set of communication protocols that helps establish communication when applicable devices are brought close together.) -- **OEMDigitalMarkerFileName** The name of the file placed in the \Windows\system32\drivers directory that specifies the OEM and model name of the device. -- **OEMManufacturerName** The device manufacturer name. The OEMName for an inactive device is not reprocessed even if the clean OEM name is changed at a later date. -- **OEMModelBaseBoard** The baseboard model used by the OEM. -- **OEMModelBaseBoardVersion** Differentiates between developer and retail devices. -- **OEMModelName** The device model name. -- **OEMModelNumber** The device model number. -- **OEMModelSKU** The device edition that is defined by the manufacturer. -- **OEMModelSystemFamily** The system family set on the device by an OEM. -- **OEMModelSystemVersion** The system model version set on the device by the OEM. -- **OEMOptionalIdentifier** A Microsoft assigned value that represents a specific OEM subsidiary. -- **OEMSerialNumber** The serial number of the device that is set by the manufacturer. -- **PhoneManufacturer** The friendly name of the phone manufacturer. -- **PowerPlatformRole** The OEM preferred power management profile. It's used to help to identify the basic form factor of the device. -- **SoCName** The firmware manufacturer of the device. -- **StudyID** Used to identify retail and non-retail device. -- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced. -- **TelemetryLevelLimitEnhanced** The telemetry level for Windows Analytics-based solutions. -- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user. -- **TPMManufacturerId** The ID of the TPM manufacturer. -- **TPMManufacturerVersion** The version of the TPM manufacturer. -- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0. -- **VoiceSupported** Does the device have a cellular radio capable of making voice calls? - - -### Census.Memory - -This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to date. - -The following fields are available: - -- **TotalPhysicalRAM** Represents the physical memory (in MB). -- **TotalVisibleMemory** Represents the memory that is not reserved by the system. - - -### Census.Network - -This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors), to help keep Windows up to date. - -The following fields are available: - -- **AMEI0** No content is currently available. -- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. -- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. -- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MEID** Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. -- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MobileOperatorBilling** Represents the telephone company that provides services for mobile phone users. -- **MobileOperatorCommercialized** Represents which reseller and geography the phone is commercialized for. This is the set of values on the phone for who and where it was intended to be used. For example, the commercialized mobile operator code AT&T in the US would be ATT-US. -- **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. -- **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. -- **NetworkAdapterGUID** The GUID of the primary network adapter. -- **NetworkCost** Represents the network cost associated with a connection. -- **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. -- **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. - - -### Census.OS - -This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date. - -The following fields are available: - -- **ActivationChannel** Retrieves the retail license key or Volume license key for a machine. -- **AssignedAccessStatus** Kiosk configuration mode. -- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled. -- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy. -- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time -- **GenuineState** Retrieves the ID Value specifying the OS Genuine check. -- **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update). -- **InstallLanguage** The first language installed on the user machine. -- **IsDeviceRetailDemo** Retrieves if the device is running in demo mode. -- **IsEduData** Returns Boolean if the education data policy is enabled. -- **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go -- **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI. -- **LanguagePacks** The list of language packages installed on the device. -- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store. -- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. -- **OSEdition** Retrieves the version of the current OS. -- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc -- **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). -- **OSSKU** Retrieves the Friendly Name of OS Edition. -- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. -- **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines. -- **OSTimeZoneBiasInMins** Retrieves the time zone set on machine. -- **OSUILocale** Retrieves the locale of the UI that is currently used by the OS. -- **ProductActivationResult** Returns Boolean if the OS Activation was successful. -- **ProductActivationTime** Returns the OS Activation time for tracking piracy issues. -- **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key. -- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability. -- **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. -- **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. -- **ServiceProductKeyID** Retrieves the License key of the KMS -- **SharedPCMode** Returns Boolean for education devices used as shared cart -- **Signature** Retrieves if it is a signature machine sold by Microsoft store. -- **SLICStatus** Whether a SLIC table exists on the device. -- **SLICVersion** Returns OS type/version from SLIC table. - - -### Census.PrivacySettings - -This event provides information about the device level privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represent the authority that set the value. The effective consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. - -The following fields are available: - -- **__TlggV__** No content is currently available. -- **Activity** Current state of the activity history setting. -- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. -- **ActivityHistoryCollection** Current state of the activity history collection setting. -- **AdvertisingId** Current state of the advertising ID setting. -- **AppDiagnostics** Current state of the app diagnostics setting. -- **Appointments** Current state of the calendar setting. -- **BluetooÕh** No content is currently available. -- **Bluetooth** Current state of the Bluetooth capability setting. -- **BluetoothSync** Current state of the Bluetooth sync capability setting. -- **BroadFileSystemAccess** Current state of the broad file system access setting. -- **CellularData** Current state of the cellular data capability setting. -- **Chat** Current state of the chat setting. -- **Contacts** Current state of the contacts setting. -- **DocumentsLibrary** Current state of the documents library setting. -- **Email** Current state of the email setting. -- **FindMyDevice** Current state of the "find my device" setting. -- **GazeInput** Current state of the gaze input setting. -- **HumanInterfaceDevice** Current state of the human interface device setting. -- **InkTypeImprovement** Current state of the improve inking and typing setting. -- **Location** Current state of the location setting. -- **LocationHistory** Current state of the location history setting. -- **LocationHistoryCloudSync** Current state of the location history cloud sync setting. -- **LocationHistoryOnTimeline** Current state of the location history on timeline setting. -- **Microphone** Current state of the microphone setting. -- **PhoneCall** Current state of the phone call setting. -- **PhoneCallHissory** No content is currently available. -- **PhoneCallHistory** Current state of the call history setting. -- **PicturesLibrary** Current state of the pictures library setting. -- **Radios** Current state of the radios setting. -- **SensorsCustom** Current state of the custom sensor setting. -- **SerialCommunication** Current state of the serial communication setting. -- **Sms** Current state of the text messaging setting. -- **SpeechPersonalization** Current state of the speech services setting. -- **USB** Current state of the USB setting. -- **UserAccountInformation** Current state of the account information setting. -- **UserDataTasks** Current state of the tasks setting. -- **UserNotificationListener** Current state of the notifications setting. -- **VideosLibrary** Current state of the videos library setting. -- **Webcam** Current state of the camera setting. -- **WiFiDirect** Current state of the Wi-Fi direct setting. - - -### Census.Processor - -Provides information on several important data points about Processor settings - -The following fields are available: - -- **KvaShadow** This is the micro code information of the processor. -- **MMSettingOverride** Microcode setting of the processor. -- **MMSettingOverrideMask** Microcode setting override of the processor. -- **PreviousUpdateRevisikn** No content is currently available. -- **PreviousUpdateRevision** Previous microcode revision -- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. -- **ProcessorClockSpeed** Clock speed of the processor in MHz. -- **ProcessorCores** Number of logical cores in the processor. -- **ProcessorIdentifier** Processor Identifier of a manufacturer. -- **ProcessorManufacturer** Name of the processor manufacturer. -- **ProcessorModel** Name of the processor model. -- **ProcessorPhysicalCores** Number of physical cores in the processor. -- **ProcessorUpdateRevision** The microcode revision. -- **ProcessorUpdateStatus** Enum value that represents the processor microcode load status -- **SocketCount** Count of CPU sockets. -- **SpeculationControl** Indicates whether the system has enabled protections needed to validate the speculation control vulnerability. - - -### Census.Security - -This event provides information on about security settings used to help keep Windows up to date and secure. - -The following fields are available: - -- **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard. -- **CGRunning** Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. This field tells if Credential Guard is running. -- **DGState** This field summarizes the Device Guard state. -- **HVCIRunning** Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all software running in kernel mode to safely allocate memory. This field tells if HVCI is running. -- **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest. -- **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host. -- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security. -- **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting. -- **SModeState** The Windows S mode trail state. -- **VBSState** Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled, Enabled, or Running. - - -### Census.Speech - -This event is used to gather basic speech settings on the device. - -The following fields are available: - -- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked. -- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities. -- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user. -- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. -- **KeyVer** Version information for the census speech event. -- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS). -- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. -- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities. -- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice. -- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device. -- **SpeechServicesValueSource** Indicates the deciding factor for the effective online speech recognition privacy policy settings: remote admin, local admin, or user preference. - - -### Census.Storage - -This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date. - -The following fields are available: - -- **PrimaryDiskTotalCapacity** Retrieves the amount of disk space on the primary disk of the device in MB. -- **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any). -- **StorageReservePassedPolicy** Indicates whether the Storage Reserve policy, which ensures that updates have enough disk space and customers are on the latest OS, is enabled on this device. -- **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB. - - -### Census.Userdefault - -This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date. - -The following fields are available: - -- **CalendarTrpe** No content is currently available. -- **CalendarType** The calendar identifiers that are used to specify different calendars. -- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. -- **DefaultBrowserProgId** The ProgramId of the current user's default browser. -- **LongDateFormat** The long date format the user has selected. -- **ShortDateFormat** The short date format the user has selected. - - -### Census.UserDisplay - -This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date. - -The following fields are available: - -- **InternalPrimaryDisp|aySizePhysicalY** No content is currently available. -- **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display. -- **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display. -- **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display. -- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display. -- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display. -- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display. -- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches . -- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches -- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine -- **NumberofInternalDisp** No content is currently available. -- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine. -- **VRAMDedicated** Retrieves the video RAM in MB. -- **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card. -- **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use. - - -### Census.UserNLS - -This event sends data about the default app language, input, and display language preferences set by the user, to help keep Windows up to date. - -The following fields are available: - -- **DefaultAppLanguage** The current user Default App Language. -- **DisplayLanguage** The current user preferred Windows Display Language. -- **HomeLocation** The current user location, which is populated using GetUserGeoId() function. -- **KeyboardInputLaîguages** No content is currently available. -- **KeyboardInputLanguages** The Keyboard input languages installed on the device. -- **SpeechInputLalguages** No content is currently available. -- **SpeechInputLanguages** The Speech Input languages installed on the device. - - -### Census.UserPrivacySettings - -This event provides information about the current users privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represents the authority that set the value. The effective consent is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = user, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. - -The following fields are available: - -- **Activity** Current state of the activity history setting. -- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. -- **ActivityHistoryCollection** Current state of the activity history collection setting. -- **AdvertisingId** Current state of the advertising ID setting. -- **AppDiagnostacs** No content is currently available. -- **AppDiagnostics** Current state of the app diagnostics setting. -- **Appiagnostics** No content is currently available. -- **Appointments** Current state of the calendar setting. -- **Bluetooth** Current state of the Bluetooth capability setting. -- **BluetoothSync** Current state of the Bluetooth sync capability setting. -- **BroadFileSystemAccess** Current state of the broad file system access setting. -- **CellularData** Current state of the cellular data capability setting. -- **Chat** Current state of the chat setting. -- **Contacts** Current state of the contacts setting. -- **DocumentsLibrary** Current state of the documents library setting. -- **Email** Current state of the email setting. -- **GazeInput** Current state of the gaze input setting. -- **HumanInterfaceDevice** Current state of the human interface device setting. -- **InkT9peImprovement** No content is currently available. -- **InkT9pePersonalization** No content is currently available. -- **InkTypeImprovement** Current state of the improve inking and typing setting. -- **InkTypePersonalization** Current state of the inking and typing personalization setting. -- **Location** Current state of the location setting. -- **LocationHistory** Current state of the location history setting. -- **LocationHistoryCloudSync** Current state of the location history cloud synchronization setting. -- **LocationHistoryOnTimeline** Current state of the location history on timeline setting. -- **Microphona** No content is currently available. -- **Microphone** Current state of the microphone setting. -- **PhoneCall** Current state of the phone call setting. -- **PhoneCallHistory** Current state of the call history setting. -- **PicturesLibrary** Current state of the pictures library setting. -- **Radios** Current state of the radios setting. -- **SensorsÃustom** No content is currently available. -- **SensorsCustom** Current state of the custom sensor setting. -- **SerialCommunication** Current state of the serial communication setting. -- **Sms** Current state of the text messaging setting. -- **SpeechPersonalization** Current state of the speech services setting. -- **UqerDataTasks** No content is currently available. -- **USB** Current state of the USB setting. -- **UserAccountInformation** Current state of the account information setting. -- **UserDataTasks** Current state of the tasks setting. -- **UserNotificationListener** Current state of the notifications setting. -- **VideosLibrary** Current state of the videos library setting. -- **Webcam** Current state of the camera setting. -- **WiFiDirect** Current state of the Wi-Fi direct setting. - - -### Census.VM - -This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date. - -The following fields are available: - -- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within. -- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor. -- **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present. -- **IsVDI** Is the device using Virtual Desktop Infrastructure? -- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors. -- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware. -- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware. - - -### Census.WU - -This event sends data about the Windows update server and other App store policies, to help keep Windows up to date. - -The following fields are available: - -- **AppraiserGatedStatus** Indicates whether a device has been gated for upgrading. -- **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled). -- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured -- **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting -- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades. -- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it? -- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update? -- **OSAssessmentForQualityUpdate** Is the device on the latest quality update? -- **OSAssessmentForSecurityUpdate** Is the device on the latest security update? -- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it? -- **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment. -- **OSRollbackCount** The number of times feature updates have rolled back on the device. -- **OSRolledBack** A flag that represents when a feature update has rolled back during setup. -- **OSUninstalled** A flag that represents when a feature update is uninstalled on a device . -- **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device. -- **OSWUAutoUpdateOptionsSource** The source of auto update setting that appears in the OSWUAutoUpdateOptions field. For example: Group Policy (GP), Mobile Device Management (MDM), and Default. -- **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently. -- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). -- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. -- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. -- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. -- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. -- **WUPauseState** Retrieves WU setting to determine if updates are paused. -- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). - - -### Census.Xbox - -This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date. - -The following fields are available: - -- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console. -- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console. -- **XboxLiveDeviceId** Retrieves the unique device ID of the console. -- **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft. - - -## Common data extensions - -### Common Data Extensions.app - -Describes the properties of the running application. This extension could be populated by a client app or a web app. - -The following fields are available: - -- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session. -- **env** The environment from which the event was logged. -- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event. -- **id** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application. -- **locale** The locale of the app. -- **name** The name of the app. -- **userId** The userID as known by the application. -- **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app. - - -### Common Data Extensions.container - -Describes the properties of the container for events logged within a container. - -The following fields are available: - -- **epoch** An ID that's incremented for each SDK initialization. -- **localId** The device ID as known by the client. -- **osVer** The operating system version. -- **seq** An ID that's incremented for each event. -- **type** The container type. Examples: Process or VMHost - - -### Common Data Extensions.cs - -Describes properties related to the schema of the event. - -The following fields are available: - -- **sig** A common schema signature that identifies new and modified event schemas. - - -### Common Data Extensions.device - -Describes the device-related fields. - -The following fields are available: - -- **deviceClass** The device classification. For example, Desktop, Server, or Mobile. -- **localId** A locally-defined unique ID for the device. This is not the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId -- **make** Device manufacturer. -- **model** Device model. - - -### Common Data Extensions.Envelope - -Represents an envelope that contains all of the common data extensions. - -The following fields are available: - -- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries. -- **data** Represents the optional unique diagnostic data for a particular event schema. -- **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp). -- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer). -- **ext_cs** Describes properties related to the schema of the event. See [Common Data Extensions.cs](#common-data-extensionscs). -- **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice). -- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos). -- **ext_receipts** Describes the fields related to time as provided by the client for debugging purposes. See [Common Data Extensions.receipts](#common-data-extensionsreceipts). -- **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk). -- **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser). -- **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc). -- **ext_xbl** Describes the fields related to XBOX Live. See [Common Data Extensions.xbl](#common-data-extensionsxbl). -- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency. -- **iKey** Represents an ID for applications or other logical groupings of events. -- **name** Represents the uniquely qualified name for the event. -- **popSample** Represents the effective sample rate for this event at the time it was generated by a client. -- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format. -- **ver** Represents the major and minor version of the extension. - - -### Common Data Extensions.os - -Describes some properties of the operating system. - -The following fields are available: - -- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot. -- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema. -- **locale** Represents the locale of the operating system. -- **name** Represents the operating system name. -- **ver** Represents the major and minor version of the extension. - - -### Common Data Extensions.receipts - -Represents various time information as provided by the client and helps for debugging purposes. - -The following fields are available: - -- **originalTime** The original event time. -- **uploadTime** The time the event was uploaded. - - -### Common Data Extensions.sdk - -Used by platform specific libraries to record fields that are required for a specific SDK. - -The following fields are available: - -- **epoch** An ID that is incremented for each SDK initialization. -- **installId** An ID that's created during the initialization of the SDK for the first time. -- **libVer** The SDK version. -- **seq** An ID that is incremented for each event. - - -### Common Data Extensions.user - -Describes the fields related to a user. - -The following fields are available: - -- **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token. -- **locale** The language and region. -- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID. - - -### Common Data Extensions.utc - -Describes the properties that could be populated by a logging library on Windows. - -The following fields are available: - -- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW. -- **bSeq** Upload buffer sequence number in the format: buffer identifier:sequence number -- **cat** Represents a bitmask of the ETW Keywords associated with the event. -- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer. -- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server. -- **flags** Represents the bitmap that captures various Windows specific flags. -- **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence -- **op** Represents the ETW Op Code. -- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. -- **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server. -- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. - - -### Common Data Extensions.xbl - -Describes the fields that are related to XBOX Live. - -The following fields are available: - -- **claims** Any additional claims whose short claim name hasn't been added to this structure. -- **did** XBOX device ID -- **dty** XBOX device type -- **dvr** The version of the operating system on the device. -- **eid** A unique ID that represents the developer entity. -- **exp** Expiration time -- **ip** The IP address of the client device. -- **nbf** Not before time -- **pid** A comma separated list of PUIDs listed as base10 numbers. -- **sbx** XBOX sandbox identifier -- **sid** The service instance ID. -- **sty** The service type. -- **tid** The XBOX Live title ID. -- **tvr** The XBOX Live title version. -- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. -- **xid** A list of base10-encoded XBOX User IDs. - - -## Common data fields - -### Ms.Device.DeviceInventoryChange - -Describes the installation state for all hardware and software components available on a particular device. - -The following fields are available: - -- **action** The change that was invoked on a device inventory object. -- **invent¹ryId** No content is currently available. -- **inventoryId** Device ID used for Compatibility testing -- **objectInstanceId** Object identity which is unique within the device scope. -- **objectType** Indicates the object type that the event applies to. -- **objmctType** No content is currently available. -- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. - - -## Compatibility events - -### Microsoft.Windows.Compatibility.Apphelp.SdbFix - -Product instrumentation for helping debug/troubleshoot issues with inbox compatibility components. - -The following fields are available: - -- **AppName** Name of the application impacted by SDB. -- **FixID** SDB GUID. -- **Flags** List of flags applied. -- **ImageName** Name of file. - - -## Component-based servicing events - -### CbsServicingProvider.CbsCapabilityEnumeration - -This event reports on the results of scanning for optional Windows content on Windows Update. - -The following fields are available: - -- **architecture** Indicates the scan was limited to the specified architecture. -- **capabilityCount** The number of optional content packages found during the scan. -- **clientId** The name of the application requesting the optional content. -- **duration** The amount of time it took to complete the scan. -- **hrStatus** The HReturn code of the scan. -- **language** Indicates the scan was limited to the specified language. -- **majorVersion** Indicates the scan was limited to the specified major version. -- **minorVersion** Indicates the scan was limited to the specified minor version. -- **namespace** Indicates the scan was limited to packages in the specified namespace. -- **sourceFilter** A bitmask indicating the scan checked for locally available optional content. -- **stackBuild** The build number of the servicing stack. -- **stackMajorVersion** The major version number of the servicing stack. -- **stackMinorVersion** The minor version number of the servicing stack. -- **stackRevision** The revision number of the servicing stack. - - -### CbsServicingProvider.CbsCapabilitySessionFinalize - -This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. - -The following fields are available: - -- **capabilities** The names of the optional content packages that were installed. -- **clientId** The name of the application requesting the optional content. -- **currentID** The ID of the current install session. -- **downloadSource** The source of the download. -- **highestState** The highest final install state of the optional content. -- **hrLCUReservicingStatus** Indicates whether the optional content was updated to the latest available version. -- **hrStatus** The HReturn code of the install operation. -- **rebootCount** The number of reboots required to complete the install. -- **retryID** The session ID that will be used to retry a failed operation. -- **retryStatus** Indicates whether the install will be retried in the event of failure. -- **stackBuild** The build number of the servicing stack. -- **stackMajorVersion** The major version number of the servicing stack. -- **stackMinorVersion** The minor version number of the servicing stack. -- **stackRevision** The revision number of the servicing stack. - - -### CbsServicingProvider.CbsCapabilitySessionPended - -This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date. - -The following fields are available: - -- **clientId** The name of the application requesting the optional content. -- **pendingDecision** Indicates the cause of reboot, if applicable. - - -### CbsServicingProvider.CbsLateAcquisition - -This event sends data to indicate if some Operating System packages could not be updated as part of an upgrade, to help keep Windows up to date. - -The following fields are available: - -- **Features** The list of feature packages that could not be updated. -- **RetryID** The ID identifying the retry attempt to update the listed packages. - - -### CbsServicingProvider.CbsPackageRemoval - -This event provides information about the results of uninstalling a Windows Cumulative Security Update to help keep Windows up to date. - -The following fields are available: - -- **buildVersion** The build number of the security update being uninstalled. -- **clientId** The name of the application requesting the uninstall. -- **currentStateEnd** The final state of the update after the operation. -- **failureDetails** Information about the cause of a failure, if applicable. -- **failureSourceEnd** The stage during the uninstall where the failure occurred. -- **hrStatusEnd** The overall exit code of the operation. -- **initiatedOffline** Indicates if the uninstall was initiated for a mounted Windows image. -- **majorVersion** The major version number of the security update being uninstalled. -- **minorVersion** The minor version number of the security update being uninstalled. -- **originalState** The starting state of the update before the operation. -- **pendingDecision** Indicates the cause of reboot, if applicable. -- **primitiveExecutionContext** The state during system startup when the uninstall was completed. -- **revisionVersion** The revision number of the security update being uninstalled. -- **transactionCanceled** Indicates whether the uninstall was cancelled. - - -### CbsServicingProvider.CbsQualityUpdateInstall - -This event reports on the performance and reliability results of installing Servicing content from Windows Update to keep Windows up to date. - -The following fields are available: - -- **buildVersion** The build version number of the update package. -- **clientId** The name of the application requesting the optional content. -- **corruptionHistoryFlags** A bitmask of the types of component store corruption that have caused update failures on the device. -- **corruptionType** An enumeration listing the type of data corruption responsible for the current update failure. -- **currentStateEnd** The final state of the package after the operation has completed. -- **doqTimeSeconds** The time in seconds spent updating drivers. -- **executeTimeSeconds** The number of seconds required to execute the install. -- **failureDetails** The driver or installer that caused the update to fail. -- **failureSourceEnd** An enumeration indicating at what phase of the update a failure occurred. -- **hrStatusEnd** The return code of the install operation. -- **initiatedOffline** A true or false value indicating whether the package was installed into an offline Windows Imaging Format (WIM) file. -- **majorVersion** The major version number of the update package. -- **minorVersion** The minor version number of the update package. -- **originalState** The starting state of the package. -- **overallTimeSeconds** The time (in seconds) to perform the overall servicing operation. -- **planTimeSeconds** The time in seconds required to plan the update operations. -- **poqTimeSeconds** The time in seconds processing file and registry operations. -- **postRebootTimeSeconds** The time (in seconds) to do startup processing for the update. -- **preRebootTimeSeconds** The time (in seconds) between execution of the installation and the reboot. -- **primitiveExecutionContext** An enumeration indicating at what phase of shutdown or startup the update was installed. -- **rebootCount** The number of reboots required to install the update. -- **rebootTimeSeconds** The time (in seconds) before startup processing begins for the update. -- **resolveTimeSeconds** The time in seconds required to resolve the packages that are part of the update. -- **revisionVersion** The revision version number of the update package. -- **rptTimeSeconds** The time in seconds spent executing installer plugins. -- **shutdownTimeSeconds** The time (in seconds) required to do shutdown processing for the update. -- **stackRevision** The revision number of the servicing stack. -- **stageTimeSeconds** The time (in seconds) required to stage all files that are part of the update. - - -### CbsServicingProvider.CbsSelectableUpdateChangeV2 - -This event reports the results of enabling or disabling optional Windows Content to keep Windows up to date. - -The following fields are available: - -- **applicableUpdateState** Indicates the highest applicable state of the optional content. -- **buildVersion** The build version of the package being installed. -- **clientId** The name of the application requesting the optional content change. -- **downloadSource** Indicates if optional content was obtained from Windows Update or a locally accessible file. -- **downloadtimeInSeconds** The number of seconds required to complete the optional content download. -- **executionID** A unique ID used to identify events associated with a single servicing operation and not reused for future operations. -- **executionSequence** A counter that tracks the number of servicing operations attempted on the device. -- **firstMergedExecutionSequence** The value of a pervious executionSequence counter that is being merged with the current operation, if applicable. -- **firstMergedID** A unique ID of a pervious servicing operation that is being merged with this operation, if applicable. -- **hrDownloadResult** The return code of the download operation. -- **hrStatusUpdate** The return code of the servicing operation. -- **identityHash** A pseudonymized (hashed) identifier for the Windows Package that is being installed or uninstalled. -- **initiatedOffline** Indicates whether the operation was performed against an offline Windows image file or a running instance of Windows. -- **majorVersion** The major version of the package being installed. -- **minorVersion** The minor version of the package being installed. -- **packageArchitecture** The architecture of the package being installed. -- **packageLanguage** The language of the package being installed. -- **packageName** The name of the package being installed. -- **rebootRequired** Indicates whether a reboot is required to complete the operation. -- **revisionVersion** The revision number of the package being installed. -- **stackBuild** The build number of the servicing stack binary performing the installation. -- **stackMajorVersion** The major version number of the servicing stack binary performing the installation. -- **stackMinorVersion** The minor version number of the servicing stack binary performing the installation. -- **stackRevision** The revision number of the servicing stack binary performing the installation. -- **updateName** The name of the optional Windows Operation System feature being enabled or disabled. -- **updateStartState** A value indicating the state of the optional content before the operation started. -- **updateTargetState** A value indicating the desired state of the optional content. - - -## Deployment extensions - -### DeploymentTelemetry.Deployment_End - -This event indicates that a Deployment 360 API has completed. - -The following fields are available: - -- **ClientId** Client ID of the user utilizing the D360 API. -- **ErrorCode** Error code of action. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **Mode** Phase in upgrade. -- **RelatedCV** The correction vector (CV) of any other related events -- **Result** End result of the action. - - -### DeploymentTelemetry.Deployment_SetupBoxLaunch - -This event indicates that the Deployment 360 APIs have launched Setup Box. - -The following fields are available: - -- **ClientId** The client ID of the user utilizing the D360 API. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **Quiet** Whether Setup will run in quiet mode or full mode. -- **RelatedCV** The correlation vector (CV) of any other related events. -- **SetupMode** The current setup phase. - - -### DeploymentTelemetry.Deployment_SetupBoxResult - -This event indicates that the Deployment 360 APIs have received a return from Setup Box. - -The following fields are available: - -- **ClientId** Client ID of the user utilizing the D360 API. -- **ErrorCode** Error code of the action. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **Quiet** Indicates whether Setup will run in quiet mode or full mode. -- **RelatedCV** The correlation vector (CV) of any other related events. -- **SetupMode** The current Setup phase. - - -### DeploymentTelemetry.Deployment_Start - -This event indicates that a Deployment 360 API has been called. - -The following fields are available: - -- **ClientId** Client ID of the user utilizing the D360 API. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **Mode** The current phase of the upgrade. -- **RelatedCV** The correlation vector (CV) of any other related events. - - -## Diagnostic data events - -### TelClientSynthetic.AuthorizationInfo_RuntimeTransition - -This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. - -The following fields are available: - -- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. -- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. -- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. -- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. -- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. -- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. -- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. -- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. -- **CanReportScenarios** True if we can report scenario completions, false otherwise. -- **PreviousPermissions** Bitmask of previous telemetry state. -- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. - - -### TelClientSynthetic.AuthorizationInfo_Startup - -Fired by UTC at startup to signal what data we are allowed to collect. - -The following fields are available: - -- **CanAdd** No content is currently available. -- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. -- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. -- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. -- **CanCollectHe.Debeats** No content is currently available. -- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. -- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. -- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. -- **CanPerformDiagnosticEscalationc** No content is currently available. -- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. -- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. -- **CanReportScenarios** True if we can report scenario completions, false otherwise. -- **PreviousPermicsions** No content is currently available. -- **PreviousPermissions** Bitmask of previous telemetry state. -- **TransitionFromEveryt`ingOff** No content is currently available. -- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. - - -### TelClientSynthetic.ConnectivityHeartBeat_0 - -This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. - -The following fields are available: - -- **CensusExitCode** Returns last execution codes from census client run. -- **CensusStartTime** Returns timestamp corresponding to last successful census run. -- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. -- **LastConnectivityLossTime** Retrieves the last time the device lost free network. -- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. -- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. -- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds. -- **捔祦⽌䱩⽪昫橷瘴場漸䤫〫洯硈㍈㡮⽯** No content is currently available. -- **⽫甸㑪摭橷捔橗⭪晙晅晣穹椸樷** No content is currently available. -- **䉪䌯䱏杄䬷㝐灌䩚㠯⽉䝲伹㡈㕉佤** No content is currently available. - - -### TelClientSynthetic.HeartBeat_5 - -This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. - -The following fields are available: - -- **** No content is currently available. -- **艍ጋⰎჄ↶췸̎耀艊ጀ‏艋ጃᰌი↶** No content is currently available. -- **@쯵￿耀蝉ᄀ〉‭ᢤ↱p** No content is currently available. -- **⬰げㅶ漴䬸穕婒㘳㕡䙤乯欸㉂夷** No content is currently available. -- **㉕睐灆㝎剓畷⽧⽶扙全ぐ⽒灥湐湌䈶灦晋砰っ礯䈱㕪** No content is currently available. -- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel. -- **AgentCoNnectionErrorsCount** No content is currently available. -- **āकĒࠨ婆Pက喬↵갸ژāक** No content is currently available. -- **āकĒࠨ婦Tက** No content is currently available. -- **āकĒࠨ媦\က** No content is currently available. -- **āकĒࠨ宆xက僸↵곌׌** No content is currently available. -- **āकĒࠨ汆 嬨↵꼔** No content is currently available. -- **CensusExitCode** The last exit code of the Census task. -- **CensusStartTime** Time of last Census run. -- **CensusTaskEnabled** True if Census is enabled, false otherwise. -- **CompressedBytesUploaded** Number of compressed bytes uploaded. -- **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. -- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. -- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling. -- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB. -- **CriticalOvErflowEntersCounter** No content is currently available. -- **DbCriticalDroppedCount** Total number of dropped critical events in event DB. -- **DbDroppedCount** Number of events dropped due to DB fullness. -- **DbDroppedFailureCount** Number of events dropped due to DB failures. -- **DbDroppedFullCount** Number of events dropped due to DB fullness. -- **DecndingDroppedCount** No content is currently available. -- **DecodingDroppedCount** Number of events dropped due to decoding failures. -- **Ēࠨ⳥ࠥ䃀첤↵쁸拠** No content is currently available. -- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. -- **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. -- **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. -- **EventsPersistedCount** Number of events that reached the PersistEvent stage. -- **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC. -- **EventStoreResetCounter** Number of times event DB was reset. -- **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance. -- **EventSubStoreResetCounter** Number of times event DB was reset. -- **EventSubStoreResetSizeSum** Total size of event DB across all resets reports in this instance. -- **EventsUploaded** Number of events uploaded. -- **Flags** Flags indicating device state such as network state, battery state, and opt-in state. -- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. -- **FullTrigwerBufferDroppedCount** No content is currently available. -- **HeartBeatSequenceNumber** The sequence number of this heartbeat. -- **InvalidH4BFCodeCount** No content is currently available. -- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. -- **ȋ耀耭⬀‧早诉耮⬄怛昡设耯⬈** No content is currently available. -- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. -- **LastEventSizeOffender** Event name of last event which exceeded max event size. -- **LastInvalidH4BFCode** No content is currently available. -- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. -- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. -- **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. -- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). -- **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. -- **ⓅЀ쬐↵삔托ā** No content is currently available. -- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. -- **SettingsH4BFAttempts** No content is currently available. -- **SettingsH4BFFailures** No content is currently available. -- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. -- **SettingsHttpFailures** The number of failures from contacting the OneSettings service. -- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. -- **TopUploaderErrors** List of top errors received from the upload endpoint. -- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. -- **UploaderErrorCount** Number of errors received from the upload endpoint. -- **VortexFailuresTimeout** The number of timeout failures received from Vortex. -- **VortexH4BFAttempts** No content is currently available. -- **VortexH4BFFailures4xx** No content is currently available. -- **VortexH4BFFailures5xx** No content is currently available. -- **VortexH4BFResponseFailures** No content is currently available. -- **VortexH4BFResponsesWithDroppedEvents** No content is currently available. -- **VortexHttpAttempts** Number of attempts to contact Vortex. -- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. -- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. -- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. -- **VortexHttpResponsesWi|hDroppedEvents** No content is currently available. -- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. -- **V聯rtexHttpFailures5xx** No content is currently available. -- **अĒࠨⴅ!₀俨↵겈Ѹ** No content is currently available. -- **ြ갌暠聇⭜搽갌暜聈⭠밾갌** No content is currently available. -- **ေ괔暜耼⬰뀲궄暠耽⬴吳괄暜** No content is currently available. -- **̎耀艊ጀ‏艋ጃᰌი↶** No content is currently available. -- **권擘耩⬔ఫ권擔耪⬘〬권擘耫⬜ﰭ권擔耬⬠�� 擝诚** No content is currently available. -- **곔暜聄⭐к괤暠聅⭔퐻갔暜** No content is currently available. -- **갌暜聘⮠偎갌暠聙⮤鑏갌暜聚** No content is currently available. -- **꺨徠耋** No content is currently available. -- **껨徤而⬬퐱길徠耍⬰耲기徤耎⬴㐳** No content is currently available. -- **꼄ቌāकĒࠨ** No content is currently available. -- **쐴궤暠耿⬼찵곴暜** No content is currently available. -- **乭睱祒ㅡ坘牦晩塴唯㥺扱氫㝬㜸⭗偑圶㍡䈲䔯略儹祘㝈圳㡆晪煥瘰䱫琯汗朸⽦ㅵ歶** No content is currently available. -- **佗䱺䑁⽱橒失猶畓湳硖䭏煲愴呌眹卲愹癦慂㝘㡔䰰⭗偡穭䌹㍧偙** No content is currently available. -- **佱塪癒噲歋㤶癉乴煙瑬睷婇睶杭剓摁乄** No content is currently available. -- **倰煹穑䅣䍏楍桧㥡䙪畴䑕橲䕋甯朱㝗硐⭨渶㕶㈯杖䤸穗䡈㥂㥭㑱㝙** No content is currently available. -- **偊〫祰汓汨兄男捇䉧潗塶睥唴㕺瑰煲焰㕸卩兢㉮** No content is currently available. -- **典止歂㔴ぎ䕅穔䜫㥹地䵭ㅔ煘乓假穑䙭䕱㈰晃卉敳祎煙捺灘橙癭䵈伹ぴ硱** No content is currently available. -- **典㙪獬牵汑ㅘ灢㕌㝶湌㑣㙌捯㑷㈳潏祓㥪戳㉺** No content is currently available. -- **剼↵겤״āकĒࠨ婦T** No content is currently available. -- **匈↵걼بāकĒࠨ媦\က咈↵ڐ** No content is currently available. -- **匷硬䭦兔楰㑔汬㑶儷䱈乥猴㕘晱歈瑘游剏㡸㝩倵** No content is currently available. -- **呅穹敖兌橤㈵汴洲䨶潈乺⭎⭕栫** No content is currently available. -- **呣礲晉坩穑〹ひ䝰ぷ噢晘堳刳噒䩈丵畏兑䩨琳⬹佫搱噈** No content is currently available. -- **啧癃獷奆䕤穱啧晬呈䅌琴䴫桗獍噲瘶㕨橰啪楗佧** No content is currently available. -- **噪兙䑯楓㍈奬慰㝋坣睵潕婤瑚䱊昹伵朱敕杰爸睶** No content is currently available. -- **噶甴う歶㍔䈹㝘潳䍈煆⼹挴⬯㝷祄䈯㝃⼯** No content is currently available. -- **坪䙵失慒獗攱猱塘⽰桪⬲摫倶摘塂䄰䰶⽵歐浪瀷** No content is currently available. -- **堿갌暜聊⭨ⱀ갌暠聋⭬** No content is currently available. -- **塩猯䡦癐㝔祤偪捲浖焷㍁浲祹䕡橆橨瑈坰獕教** No content is currently available. -- **失椷䡔㠱呯⽅䕴慴乊匵戱洱番偓㡤䘳㡪奨楈** No content is currently available. -- **夵楲䑣癳摌六䔴㍍⬶獖晘⽅䅅祸㙖橸佣坂㉵ㅚ慇** No content is currently available. -- **慦㥣㥘硸癒䕎䩪㤰䠯祔う敚⬹户䨳啢䩖䡦䘱桎癆** No content is currently available. -- **扊㍩坒潅㝤児堷䩤㉫硩䠶橗杤橚慃杇橙㉡摔娳** No content is currently available. -- **捔祦⽌䱩⽪昫橷瘴場漸䤫〫洯硈㍈㡮⽯** No content is currently available. -- **敬䉶癷潘場㡌䱥⭬䙐⽹楈堵硪牣㑸䵸䥴㝄噣瑒䠸ㅪ** No content is currently available. -- **昡讱⮮耀耰⬀‧晩讛耱⬄怛暥讐耲⬈** No content is currently available. -- **暜耸⬠蠮궴暠耹⬤뀯괤暜耺⬨氰긔暠** No content is currently available. -- **暜职⭰䱂갌暠聍⭴籃갌暜聎⭸聄** No content is currently available. -- **暜聒⮈챈갌暠聓⮌둉갌暜联** No content is currently available. -- **暠耳⬌ﰩ굔暜耴⬐瀪귤暠耵⬔瀫굄暜耶⬘쐬긔暠耷⬜** No content is currently available. -- **暠聏⭼㑅갌暜聐⮀ᑆ갌暠聑⮄** No content is currently available. -- **术硂瑲⽑㥴䱡偭橏䬷礫癪硷㡲⽰䑇游临㙐橪㑯倴⽓剂** No content is currently available. -- **樲㙘䡌㡘坯歎楈⽹ご㥹湭歆㡨婨⬵啊䍶桊塌吶㥈敍汍㕪刲慄** No content is currently available. -- **毆€ 娠↵꺈࿐** No content is currently available. -- **泆  嚔↵곴बā** No content is currently available. -- **湹䩳⭑晹礰婶啊灋䱸晒㉉㑬ひ⭄㑉慙㝲䡦** No content is currently available. -- **潭晰橷睧䌵** No content is currently available. -- **瀯㉪䡏ㅏ⭕楆摡倶㙑愰佚䍪䤳煃奄硭摍嘯煗㍓唸卆** No content is currently available. -- **灋瘸乏煆䬳桱㕙瘸㑘䙸橧㥶䔵橲㕙楗佧吸⭚獏桗** No content is currently available. -- **獇牅歘䉡汸㉂夸乶坁浂偕㤲塅䩸桑と牚穒癲浕** No content is currently available. -- **獭䭏啪漲睌穩⬫入䨱䈸⽁䑇敉儴慣㙹么䥶晋湋朶剹慷** No content is currently available. -- **瑖穒㍤摧癵摆䑧⭧䍏杭䵫敘煰橲煤橲煤橲煤橲煤橲煤橲煤橲煤橲武** No content is currently available. -- **⽫甸㑪摭橷捔橗⭪晙晅晣穹椸樷** No content is currently available. -- **穇圹塑⽈潘䉘䉒头㡕湲㠵汪圸夸䑬潕杪䙔戴䑌** No content is currently available. -- **穬⼱䍯昫㤹卲儫⬯牎奦㡈㙸ㄯ時㍊佘䱳伵㠫栱䥦⭦慊祘⽂浶** No content is currently available. -- **ࠣ耀耤⬀‧撡豒耥⬄怛擝豇耦⬈귄擘耧⬌鐩** No content is currently available. -- **̎耀艊ጀ‏艋ጃᰌი↶艌錇萍ƒ** No content is currently available. -- **̎耀艊ጀ‏艋ጃᰌი↶艌錇萍ƒ჌↶ 艍ጋⰎ** No content is currently available. -- **耏⬸찴기徤耐⬼됵기** No content is currently available. -- **耑⭀萶기徤耒⭄࠷기徠耓** No content is currently available. -- **耝⬐�� 拱費Ԗ耀耞** No content is currently available. -- **艋ጃᰌი↶艌錇萍ƒ჌↶ 艍ጋⰎჄ↶** No content is currently available. -- **萍ƒ჌↶ 艍ጋⰎჄ↶᝞耀老⬀‧彵** No content is currently available. -- **萍ƒ჌↶ 艍ጋⰎჄ↶큰̎耀艊** No content is currently available. -- **葊갌暠聕⮔ࡋ갌暜聖⮘豌갌暠聗** No content is currently available. -- **㐰愱啬瑬癏䝒乘慲椰㉑眫䱄晶獶䝅䙗䕫㉡** No content is currently available. -- **䄸䵒䝰ㅹ灌癳噚䥍祫䬵礷楗光摹䑑䡢ㅑ䭱獎伱噺獃䕑济浱桱** No content is currently available. -- **䉪䌯䱏杄䬷㝐灌䩚㠯⽉䝲伹㡈㕉佤** No content is currently available. -- **䍭㐰䕩坶㥆慉塲夶煁椫㝖瀱栲硪爯畉乂㑒㝥昷䕺乍併娴橲䭎改睗畃睯** No content is currently available. -- **䍸欳昷偔坊問扨婔䨷㥗桴塲㍄䵹橥癉嘷䵊噲湥** No content is currently available. -- **䠷坸⽦䄯⽣晵ㄳ卂楖づ睧䤵椹穴䝊潩硍䩢䵎橫㍸牨** No content is currently available. -- **䨵浤汗位㑗䕶㝸䥮敡潱倱偑煥塪晢** No content is currently available. -- **䰶굔暠聁⭄砷곤暜聂⭈8궄暠** No content is currently available. -- **䱥⭫䙐晹楈䠵硨牣㑷噏挶䍈伹桪湣㑸呵㠴乘攸浌䡥穆䱶㕧瑘捷㉌伶穆䡦㕩橶捸砳甴㑚堸** No content is currently available. -- **䱲㝏危㡨呥卐䩯⭒祐汮潧䩑ㅷ歈偤㉱灕⬲穏公** No content is currently available. -- **䴶㑊啥䕪乶汊摉㥐焲楂䜹洳敡⬫灍⭒佦呮敮婪〷朵癹呧煡㙤䤫浨瘹** No content is currently available. - - -### TelClientSynthetic.HeartBeat_Aria_5 - -This event is the telemetry client ARIA heartbeat. - -The following fields are available: - -- **CompressedBytesUploaded** Number of compressed bytes uploaded. -- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. -- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. -- **DbCriticalDroppedCount** Total number of dropped critical events in event database. -- **DbDroppedCount** Number of events dropped at the database layer. -- **DbDroppedFailureCount** Number of events dropped due to database failures. -- **DbDroppedFullCount** Number of events dropped due to database being full. -- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. -- **EventsPersistedCount** Number of events that reached the PersistEvent stage. -- **EventStoreLifetimeResetCounter** Number of times the event store has been reset. -- **EventStoreResetCounter** Number of times the event store has been reset during this heartbeat. -- **EventStoreResetSizeSum** Size of event store reset in bytes. -- **EventsUploaded** Number of events uploaded. -- **HeartBeatSequenceNumber** The sequence number of this heartbeat. -- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. -- **LastEventSizeOffender** Event name of last event which exceeded max event size. -- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. -- **PreviousHeartBeatTime** The FILETIME of the previous heartbeat fire. -- **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. -- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. -- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. -- **SettingsHttpFailures** Number of failures from contacting OneSettings service. -- **TopUploaderErrors** List of top errors received from the upload endpoint. -- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. -- **UploaderErrorCount** Number of errors received from the upload endpoint. -- **VortexFailuresTimeout** Number of time out failures received from Vortex. -- **VortexHttpAttempts** Number of attempts to contact Vortex. -- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. -- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. -- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. -- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. - - -### TelClientSynthetic.HeartBeat_Seville_5 - -This event is sent by the universal telemetry client (UTC) as a heartbeat signal for Sense. - -The following fields are available: - -- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host or agent channel. -- **CompressedBytesUploaded** Number of compressed bytes uploaded. -- **ConsumerDroppedCount** Number of events dropped at consumer layer of the telemetry client. -- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. -- **CriticalDataThrottleDroppedCount** Number of critical data sampled events dropped due to throttling. -- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. -- **DailyUploadQuotaInBytes** Daily upload quota for Sense in bytes (only in in-proc mode). -- **DbCriticalDroppedCount** Total number of dropped critical events in event database. -- **DbDroppedCount** Number of events dropped due to database being full. -- **DbDroppedFailureCount** Number of events dropped due to database failures. -- **DbDroppedFullCount** Number of events dropped due to database being full. -- **DecodingDroppedCount** Number of events dropped due to decoding failures. -- **DiskSizeInBytes** Size of event store for Sense in bytes (only in in-proc mode). -- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. -- **EtwDroppedBufferCount** Number of buffers dropped in the universal telemetry client (UTC) event tracing for Windows (ETW) session. -- **EtwDroppedCount** Number of events dropped at the event tracing for Windows (ETW) layer of telemetry client. -- **EventsPersistedCount** Number of events that reached the PersistEvent stage. -- **EventStoreLifetimeResetCounter** Number of times event the database was reset for the lifetime of the universal telemetry client (UTC). -- **EventStoreResetCounter** Number of times the event database was reset. -- **EventStoreResetSizeSum** Total size of the event database across all resets reports in this instance. -- **EventsUploaded** Number of events uploaded. -- **Flags** Flags indicating device state, such as network state, battery state, and opt-in state. -- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. -- **HeartBeatSequenceNumber** The sequence number of this heartbeat. -- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. -- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. -- **LastEventSizeOffender** Event name of last event which exceeded the maximum event size. -- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. -- **MaxActiveAgentConnectionCount** Maximum number of active agents during this heartbeat timeframe. -- **NormalUploadTimerMillis** Number of milliseconds between each upload of normal events for SENSE (only in in-proc mode). -- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). -- **RepeatedUploadFailureDropped** Number of events lost due to repeated failed uploaded attempts. -- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. -- **SettingsHttpFailures** Number of failures from contacting the OneSettings service. -- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. -- **TopUploaderErrors** Top uploader errors, grouped by endpoint and error type. -- **UploaderDroppedCount** Number of events dropped at the uploader layer of the telemetry client. -- **UploaderErrorCount** Number of input for the TopUploaderErrors mode estimation. -- **VortexFailuresTimeout** Number of time out failures received from Vortex. -- **VortexHttpAttempts** Number of attempts to contact Vortex. -- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. -- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. -- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. -- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. - - -## Direct to update events - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicability - -Event to indicate that the Coordinator CheckApplicability call succeeded. - -The following fields are available: - -- **ApplicabilityResult** Result of CheckApplicability function. -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **IsDeviceAADDomainJoined** Indicates whether the device is logged in to the AAD (Azure Active Directory) domain. -- **IsDeviceADDomainJoined** Indicates whether the device is logged in to the AD (Active Directory) domain. -- **IsDeviceCloverTrail** Indicates whether the device has a Clover Trail system installed. -- **IsDeviceFeatureUpdatingPaused** Indicates whether Feature Update is paused on the device. -- **IsDeviceNetworkMetered** Indicates whether the device is connected to a metered network. -- **IsDeviceOobeBlocked** Indicates whether user approval is required to install updates on the device. -- **IsDeviceRequireUpdateApproval** Indicates whether user approval is required to install updates on the device. -- **IsDeviceSccmManaged** Indicates whether the device is running the Microsoft SCCM (System Center Configuration Manager) to keep the operating system and applications up to date. -- **IsDeviceUninstallActive** Indicates whether the OS (operating system) on the device was recently updated. -- **IsDeviceUpdateNotificationLevel** Indicates whether the device has a set policy to control update notifications. -- **IsDeviceUpdateServiceManaged** Indicates whether the device uses WSUS (Windows Server Update Services). -- **IsDeviceZeroExhaust** Indicates whether the device subscribes to the Zero Exhaust policy to minimize connections from Windows to Microsoft. -- **IsGreaterThanMaxRetry** Indicates whether the DTU (Direct to Update) service has exceeded its maximum retry count. -- **IsVolumeLicensed** Indicates whether a volume license was used to authenticate the operating system or applications on the device. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicabilityGenericFailure - -This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call. - -The following fields are available: - -- **CampaignID** ID of the campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Cleanup call. - -The following fields are available: - -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector -- **hResult** HRESULT of the failure - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupSuccess - -This event indicates that the Coordinator Cleanup call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Commit call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitSuccess - -This event indicates that the Coordinator Commit call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Download call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadIgnoredFailure - -This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Download call that will be ignored. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadSuccess - -This event indicates that the Coordinator Download call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator HandleShutdown call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinate version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownSuccess - -This event indicates that the Coordinator HandleShutdown call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Initialize call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeSuccess - -This event indicates that the Coordinator Initialize call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Install call. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallIgnoredFailure - -This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Install call that will be ignored. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallSuccess - -This event indicates that the Coordinator Install call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorProgressCallBack - -This event indicates that the Coordinator's progress callback has been called. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. -- **CV** Correlation vector. -- **DeployPhase** Current Deploy Phase. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorSetCommitReadySuccess - -This event indicates that the Coordinator SetCommitReady call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiNotShown - -This event indicates that the Coordinator WaitForRebootUi call succeeded. - -The following fields are available: - -- **CampaignID** Campaign ID being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSelection - -This event indicates that the user selected an option on the Reboot UI. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **rebootUiSelection** Selection on the Reboot UI. - - -### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSuccess - -This event indicates that the Coordinator WaitForRebootUi call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicabilityInternal call. - -The following fields are available: - -- **CampaignID** ID of the campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalSuccess - -This event indicates that the Handler CheckApplicabilityInternal call succeeded. - -The following fields are available: - -- **ApplicabilityResult** The result of the applicability check. -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilitySuccess - -This event indicates that the Handler CheckApplicability call succeeded. - -The following fields are available: - -- **ApplicabilityResult** The result code indicating whether the update is applicable. -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **CV_new** New correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionSuccess - -This event indicates that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **CheckIfCoordinatorMinApplicableVersionResult** Result of CheckIfCoordinatorMinApplicableVersion function. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Commit call. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **CV_new** New correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitSuccess - -This event indicates that the Handler Commit call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run.run -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **CV_new** New correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabFailure - -This event indicates that the Handler Download and Extract cab call failed. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **DownloadAndExtractCabFunction_failureReason** Reason why the update download and extract process failed. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabSuccess - -This event indicates that the Handler Download and Extract cab call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Download call. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadSuccess - -This event indicates that the Handler Download call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Initialize call. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extract. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeSuccess - -This event indicates that the Handler Initialize call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extraction. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Install call. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallSuccess - -This event indicates that the Coordinator Install call succeeded. - -The following fields are available: - -- **CampaignID** ID of the update campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadySuccess - -This event indicates that the Handler SetCommitReady call succeeded. - -The following fields are available: - -- **CampaignID** ID of the campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiGenericFailure - -This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler WaitForRebootUi call. - -The following fields are available: - -- **CampaignID** The ID of the campaigning being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. -- **hResult** The HRESULT of the failure. - - -### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiSuccess - -This event indicates that the Handler WaitForRebootUi call succeeded. - -The following fields are available: - -- **CampaignID** ID of the campaign being run. -- **ClientID** ID of the client receiving the update. -- **CoordinatorVersion** Coordinator version of Direct to Update. -- **CV** Correlation vector. - - -## DxgKernelTelemetry events - -### DxgKrnlTelemetry.GPUAdapterInventoryV2 - -This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date. - -The following fields are available: - -- **AdapterT}peValue** No content is currently available. -- **AdapterTypeValue** The numeric value indicating the type of Graphics adapter. -- **AdapterTyreValue** No content is currently available. -- **aiSeqId** The event sequence ID. -- **bootId** The system boot ID. -- **BrightnessVersionViaDDI** The version of the Display Brightness Interface. -- **ComputePreelptionLevel** No content is currently available. -- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. -- **DedicatedSy{temMemoryB** No content is currently available. -- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). -- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). -- **DisplayAdap|erLuid** No content is currently available. -- **DisplayAdapderLuid** No content is currently available. -- **DisplayAdapterLuid** The display adapter LUID. -- **Driver^ersion** No content is currently available. -- **DriverDat** No content is currently available. -- **DriverDate** The date of the display driver. -- **DriverRank** The rank of the display driver. -- **DriverVersion** The display driver version. -- **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store. -- **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store. -- **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store. -- **DX1rUMDFilePath** No content is currently available. -- **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store. -- **DX9UMDFileXath** No content is currently available. -- **GPUDeviceID** The GPU device ID. -- **GPUDexiceID** No content is currently available. -- **GPUPreelptionLevel** No content is currently available. -- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. -- **GPUPzeemptionLevel** No content is currently available. -- **GPURevisionID** The GPU revision ID. -- **GPURexisionID** No content is currently available. -- **GPUVendorID** The GPU vendor ID. -- **InterfaceId** The GPU interface ID. -- **IsDisplayDevice** Does the GPU have displaying capabilities? -- **IsDisplayDexice** No content is currently available. -- **IsHwSchSupported** Indicates whether the adapter supports hardware scheduling. -- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? -- **IsHybridDiwcrete** No content is currently available. -- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? -- **IsLDA** Is the GPU comprised of Linked Display Adapters? -- **IsMiiacastSupported** No content is currently available. -- **IsMiracastSupported** Does the GPU support Miracast? -- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor? -- **IsMPOSupport%d** No content is currently available. -- **IsMPOSupported** Does the GPU support Multi-Plane Overlays? -- **IsMsMiiacastSupported** No content is currently available. -- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution? -- **IsPostAdapter** Is this GPU the POST GPU in the device? -- **IsRemovable** TRUE if the adapter supports being disabled or removed. -- **IsRemovableǑBrightnessVersionViaDDIǩ WDDMVersionॠȠDisplayAdapterLuidǷDisplayAdapterLuidȄGPUPreempti** No content is currently available. -- **IsRenderDevice** Does the GPU have rendering capabilities? -- **IsRenderDexice** No content is currently available. -- **IsSoftwareDevace** No content is currently available. -- **IsSoftwareDevice** Is this a software implementation of the GPU? -- **IsSoftwareDexice** No content is currently available. -- **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store. -- **Meas}reEnabled** No content is currently available. -- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? -- **MnterfaceId** No content is currently available. -- **MsHybridDiscrete** Indicates whether the adapter is a discrete adapter in a hybrid configuration. -- **NumVidPnSou** No content is currently available. -- **NumVidPnSources** The number of supported display output sources. -- **NumVidPnTargets** The number of supported display output targets. -- **SharedSystemMemory@** No content is currently available. -- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes). -- **SubSystemID** The subsystem ID. -- **SubVendorID** The GPU sub vendor ID. -- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? -- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) -- **TelnveEvntTrigger** No content is currently available. -- **version** The event version. -- **verwion** No content is currently available. -- **WDDMVersion** The Windows Display Driver Model version. - - -## Failover Clustering events - -### Microsoft.Windows.Server.FailoverClusteringCritical.ClusterSummary2 - -This event returns information about how many resources and of what type are in the server cluster. This data is collected to keep Windows Server safe, secure, and up to date. The data includes information about whether hardware is configured correctly, if the software is patched correctly, and assists in preventing crashes by attributing issues (like fatal errors) to workloads and system configurations. - -The following fields are available: - -- **autoAssignSite** The cluster parameter: auto site. -- **autoBalancerLevel** The cluster parameter: auto balancer level. -- **autoBalancerMode** The cluster parameter: auto balancer mode. -- **blockCacheSize** The configured size of the block cache. -- **ClusterAdConfiguration** The ad configuration of the cluster. -- **clusterAdType** The cluster parameter: mgmt_point_type. -- **clusterDumpPolicy** The cluster configured dump policy. -- **clusterFunctionalLevel** The current cluster functional level. -- **clusterGuid** The unique identifier for the cluster. -- **clusterWitnessType** The witness type the cluster is configured for. -- **countNodesInSite** The number of nodes in the cluster. -- **crossSiteDelay** The cluster parameter: CrossSiteDelay. -- **crossSiteThreshold** The cluster parameter: CrossSiteThreshold. -- **crossSubnetDelay** The cluster parameter: CrossSubnetDelay. -- **crossSubnetThreshold** The cluster parameter: CrossSubnetThreshold. -- **csvCompatibleFilters** The cluster parameter: ClusterCsvCompatibleFilters. -- **csvIncompatibleFilters** The cluster parameter: ClusterCsvIncompatibleFilters. -- **csvResourceCount** The number of resources in the cluster. -- **currentNodeSite** The name configured for the current site for the cluster. -- **dasModeBusType** The direct storage bus type of the storage spaces. -- **downLevelNodeCount** The number of nodes in the cluster that are running down-level. -- **drainOnShutdown** Specifies whether a node should be drained when it is shut down. -- **dynamicQuorumEnabled** Specifies whether dynamic Quorum has been enabled. -- **enforcedAntiAffinity** The cluster parameter: enforced anti affinity. -- **genAppNames** The win32 service name of a clustered service. -- **genSvcNames** The command line of a clustered genapp. -- **hangRecoveryAction** The cluster parameter: hang recovery action. -- **hangTimeOut** Specifies the “hang time out” parameter for the cluster. -- **isCalabria** Specifies whether storage spaces direct is enabled. -- **isMixedMode** Identifies if the cluster is running with different version of OS for nodes. -- **isRunningDownLevel** Identifies if the current node is running down-level. -- **logLevel** Specifies the granularity that is logged in the cluster log. -- **logSize** Specifies the size of the cluster log. -- **lowerQuorumPriorityNodeId** The cluster parameter: lower quorum priority node ID. -- **minNeverPreempt** The cluster parameter: minimum never preempt. -- **minPreemptor** The cluster parameter: minimum preemptor priority. -- **netftIpsecEnabled** The parameter: netftIpsecEnabled. -- **NodeCount** The number of nodes in the cluster. -- **nodeId** The current node number in the cluster. -- **nodeResourceCounts** Specifies the number of node resources. -- **nodeResourceOnlineCounts** Specifies the number of node resources that are online. -- **numberOfSites** The number of different sites. -- **numNodesInNoSite** The number of nodes not belonging to a site. -- **plumbAllCrossSubnetRoutes** The cluster parameter: plumb all cross subnet routes. -- **preferredSite** The preferred site location. -- **privateCloudWitness** Specifies whether a private cloud witness exists for this cluster. -- **quarantineDuration** The quarantine duration. -- **quarantineThreshold** The quarantine threshold. -- **quorumArbitrationTimeout** In the event of an arbitration event, this specifies the quorum timeout period. -- **resiliencyLevel** Specifies the level of resiliency. -- **resourceCounts** Specifies the number of resources. -- **resourceTypeCounts** Specifies the number of resource types in the cluster. -- **resourceTypes** Data representative of each resource type. -- **resourceTypesPath** Data representative of the DLL path for each resource type. -- **sameSubnetDelay** The cluster parameter: same subnet delay. -- **sameSubnetThreshold** The cluster parameter: same subnet threshold. -- **secondsInMixedMode** The amount of time (in seconds) that the cluster has been in mixed mode (nodes with different operating system versions in the same cluster). -- **securityLevel** The cluster parameter: security level. -- **securityLevelForStorage** The cluster parameter: security level for storage. -- **sharedVolumeBlockCacheSize** Specifies the block cache size for shared for shared volumes. -- **shutdownTimeoutMinutes** Specifies the amount of time it takes to time out when shutting down. -- **upNodeCount** Specifies the number of nodes that are up (online). -- **useClientAccessNetworksForCsv** The cluster parameter: use client access networks for CSV. -- **vmIsolationTime** The cluster parameter: VM isolation time. -- **witnessDatabaseWriteTimeout** Specifies the timeout period for writing to the quorum witness database. - - -## Fault Reporting events - -### Microsoft.Windows.FaultReporting.AppCrashEvent - -This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event. - -The following fields are available: - -- **AppName** The name of the app that has crashed. -- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. -- **AppTimeStamp** The date/time stamp of the app. -- **AppVersion** The version of the app that has crashed. -- **AsFatal** No content is currently available. -- **Exceptio** No content is currently available. -- **ExceptionCode** The exception code returned by the process that has crashed. -- **ExceptionOffset** The address where the exception had occurred. -- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. -- **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. -- **IsFatal** True/False to indicate whether the crash resulted in process termination. -- **ModName** Exception module name (e.g. bar.dll). -- **ModTimestamp** No content is currently available. -- **ModTimeStamp** The date/time stamp of the module. -- **ModVersion** The version of the module that has crashed. -- **ode** No content is currently available. -- **PackageFullName** Store application identity. -- **PackageRelativeAppId** Store application identity. -- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. -- **ProcessCreateTime** The time of creation of the process that has crashed. -- **ProcessId** The ID of the process that has crashed. -- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. -- **TargetAppId** The kernel reported AppId of the application being reported. -- **targetAppVer** No content is currently available. -- **TargetAppVer** The specific version of the application being reported -- **TargetAsId** The sequence number for the hanging process. - - -## Feature update events - -### Microsoft.Windows.Upgrade.Uninstall.UninstallFinalizedAndRebootTriggered - -This event indicates that the uninstall was properly configured and that a system reboot was initiated. - - - -### Microsoft.Windows.Upgrade.Uninstall.UninstallGoBackButtonClicked - -This event sends basic metadata about the starting point of uninstalling a feature update, which helps ensure customers can safely revert to a well-known state if the update caused any problems. - - - -## Hang Reporting events - -### Microsoft.Windows.HangReporting.AppHangEvent - -This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. - -The following fields are available: - -- **AppName** The name of the app that has hung. -- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend. -- **AppVersion** The version of the app that has hung. -- **IsFatal** True/False based on whether the hung application caused the creation of a Fatal Hang Report. -- **PackageFullName** Store application identity. -- **PackageRelativeAppId** Store application identity. -- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. -- **ProcessCreateTime** The time of creation of the process that has hung. -- **ProcessId** The ID of the process that has hung. -- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. -- **TargetAppId** The kernel reported AppId of the application being reported. -- **TargetAppVer** The specific version of the application being reported. -- **TargetAsId** The sequence number for the hanging process. -- **TypeCode** Bitmap describing the hang type. -- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application. -- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting. -- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting. -- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package. - - -## Inventory events - -### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum - -This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. - -The following fields are available: - -- **Device** A count of device objects in cache. -- **DeviceCensus** A count of device census objects in cache. -- **DriverPackageExtended** A count of driverpackageextended objects in cache. -- **File** A count of file objects in cache. -- **FileSigningInfo** A count of file signing objects in cache. -- **Generic** A count of generic objects in cache. -- **HwItem** A count of hwitem objects in cache. -- **IentoryMiscellaneousOfficeAddIn** No content is currently available. -- **InventoryApplication** A count of application objects in cache. -- **InventoryApplicationAppV** A count of application AppV objects in cache. -- **InventoryApplicationDriver** A count of application driver objects in cache -- **InventoryApplicationFile** A count of application file objects in cache. -- **InventoryApplicationFramework** A count of application framework objects in cache -- **InventoryApplicationShortcut** A count of application shortcut objects in cache -- **InventoryDeviceContainer** A count of device container objects in cache. -- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache. -- **InventoryDeviceMediaClass** A count of device media objects in cache. -- **InventoryDevicePnp** A count of device Plug and Play objects in cache. -- **InventoryDeviceUsbHubClass** A count of device usb objects in cache -- **InventoryDriverBinary** A count of driver binary objects in cache. -- **InventoryDriverPackage** A count of device objects in cache. -- **InventoryMiscellaneiscellaneousOfficeInsights** No content is currently available. -- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache -- **InventoryMiscellaneousOfficeAddInUsage** A count of office add-in usage objects in cache. -- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache -- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache -- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache -- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache -- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache -- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache -- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache -- **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache -- **Metadata** A count of metadata objects in cache. -- **Orphan** A count of orphan file objects in cache. -- **Programs** A count of program objects in cache. - - -### Microsoft.Windows.Inventory.Core.AmiTelCacheFileInfo - -Diagnostic data about the inventory cache. - -The following fields are available: - -- **CacheFileSize** Size of the cache. -- **InventoryVersion** Inventory version of the cache. -- **TempCacheCount** Number of temp caches created. -- **TempCacheDeletedCount** Number of temp caches deleted. - - -### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions - -This event sends inventory component versions for the Device Inventory data. - -The following fields are available: - -- **aeinv** The version of the App inventory component. -- **devinv** The file version of the Device inventory component. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd - -This event sends basic metadata about an application on the system to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **HiddenArp** Indicates whether a program hides itself from showing up in ARP. -- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). -- **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 -- **InstallDateFromLincFile** No content is currently available. -- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. -- **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array. -- **InventoryVersion** The version of the inventory file generating the events. -- **Language** The language code of the program. -- **MsipackageCode** No content is currently available. -- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. -- **MsiProductCode** A GUID that describe the MSI Product. -- **Name** The name of the application. -- **OSversionAtInstallTime** No content is currently available. -- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. -- **PackageFullName** The package full name for a Store application. -- **ProgramInstanceId** A hash of the file IDs in an app. -- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field. -- **RootDirPath** The path to the root directory where the program was installed. -- **Source** How the program was installed (for example, ARP, MSI, Appx). -- **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp. -- **type** No content is currently available. -- **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen. -- **Version** The version number of the program. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd - -This event represents what drivers an application installs. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory component. -- **ProgramIds** The unique program identifier the driver is associated with. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync - -The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory component. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd - -This event provides the basic metadata about the frameworks an application may depend on. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **FileId** A hash that uniquely identifies a file. -- **Frameworks** The list of frameworks this file depends on. -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync - -This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove - -This event indicates that a new set of InventoryDevicePnpAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync - -This event indicates that a new set of InventoryApplicationAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd - -This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device) to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Categories** A comma separated list of functional categories in which the container belongs. -- **DiscoveryMethod** The discovery method for the device container. -- **FriendlyName** The name of the device container. -- **InventoryVersion** The version of the inventory file generating the events. -- **IsActive** Is the device connected, or has it been seen in the last 14 days? -- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link. -- **IsMachineContainer** Is the container the root device itself? -- **IsNetworked** Is this a networked device? -- **IsPaired** Does the device container require pairing? -- **Manufacturer** The manufacturer name for the device container. -- **ModelId** A unique model ID. -- **ModelName** The model name. -- **ModelNumber** The model number for the device container. -- **PrimaryCategory** The primary category for the device container. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove - -This event indicates that the InventoryDeviceContainer object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync - -This event indicates that a new set of InventoryDeviceContainerAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd - -This event retrieves information about what sensor interfaces are available on the device. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Accelerometer3D** Indicates if an Accelerator3D sensor is found. -- **ActivityDetection** Indicates if an Activity Detection sensor is found. -- **AmbientLight** Indicates if an Ambient Light sensor is found. -- **Barometer** Indicates if a Barometer sensor is found. -- **Custom** Indicates if a Custom sensor is found. -- **EnergyMeter** Indicates if an Energy sensor is found. -- **FloorElevation** Indicates if a Floor Elevation sensor is found. -- **GeomagneticOrientation** Indicates if a Geo Magnetic Orientation sensor is found. -- **GravityVector** Indicates if a Gravity Detector sensor is found. -- **Gyrometer3D** Indicates if a Gyrometer3D sensor is found. -- **Humidity** Indicates if a Humidity sensor is found. -- **InventoryVersion** The version of the inventory file generating the events. -- **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found. -- **Magnetometer3D** Indicates if a Magnetometer3D sensor is found. -- **Orientation** Indicates if an Orientation sensor is found. -- **Pedometer** Indicates if a Pedometer sensor is found. -- **Proximity** Indicates if a Proximity sensor is found. -- **RelativeOrientation** Indicates if a Relative Orientation sensor is found. -- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found. -- **Temperature** Indicates if a Temperature sensor is found. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync - -This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd - -This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **audio.captureDriver** Audio device capture driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14887.1000:hdaudio\func_01 -- **audio.renderDriver** Audio device render driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14889.1001:hdaudio\func_01 -- **Audio_CaptureDriver** The Audio device capture driver endpoint. -- **Audio_RenderDriver** The Audio device render driver endpoint. -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove - -This event indicates that the InventoryDeviceMediaClassRemove object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync - -This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. - -This event includes fields from [Ms.Device.De~iceInventoryChange](#msdevicede~iceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd - -This event represents the basic metadata about a plug and play (PNP) device and its associated driver. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **]pperClassFilters** No content is currently available. -- **basedata** No content is currently available. See [basedata](#basedata). -- **BusReportedDescraption** No content is currently available. -- **BusReportedDescription** The description of the device reported by the bux. -- **BusReptrtedDescription** No content is currently available. -- **Clas{Guid** No content is currently available. -- **Class** The device setup class of the driver loaded for the device. -- **ClassGuid** The device class unique identifier of the driver package loaded on the device. -- **COMPID** The list of “Compatible IDs” for this device. -- **Con|ainerId** No content is currently available. -- **ContainerId** The system-supplied unique identifier that specifies which group(s) the device(s) installed on the parent (main) device belong to. -- **Descriptaon** No content is currently available. -- **Description** The description of the device. -- **DeviceDriverFlightId** No content is currently available. -- **DeviceExtDriversFlightIds** No content is currently available. -- **DeviceInterfaceClasses** The device interfaces that this device implements. -- **DeviceState** Identifies the current state of the parent (main) device. -- **DriverAd** No content is currently available. -- **DriverId** The unique identifier for the installed driver. -- **DriverName** The name of the driver image file. -- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage. -- **DriverVer^ersion** No content is currently available. -- **DriverVerDate** The date associated with the driver installed on the device. -- **DriverVerVersion** The version number of the driver installed on the device. -- **Enumerator** Identifies the bus that enumerated the device. -- **ExtendedInfs** The extended INF file names. -- **FirstInstallDate** No content is currently available. -- **H_ID** No content is currently available. -- **HWID** A list of hardware IDs for the device. -- **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). -- **InstallDate** No content is currently available. -- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx -- **InventoryVersion** The version number of the inventory process generating the events. -- **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. -- **LowerFilters** The identifiers of the Lower filters installed for the device. -- **Manufacturer** The manufacturer of the device. -- **MatchangID** No content is currently available. -- **MatchingID** The Hardware ID or Compatible ID that Windows uses to install a device instance. -- **Modeh** No content is currently available. -- **Model** Identifies the model of the device. -- **ParentId** The Device Instance ID of the parent of the device. -- **ProblemCode** The error code currently returned by the device, if applicable. -- **ProblmmCode** No content is currently available. -- **Provider** Identifies the device provider. -- **Service** The name of the device service. -- **STACKID** The list of hardware IDs for the stack. -- **UpperClassFilters** The identifiers of the Upper Class filters installed for the device. -- **UpperFilters** The identifiers of the Upper filters installed for the device. -- **UpxerClassFilters** No content is currently available. - - -### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove - -This event indicates that the InventoryDevicePnpRemove object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync - -This event indicates that a new set of InventoryDevicePnpAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd - -This event sends basic metadata about the USB hubs on the device. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. -- **TotalUserConnectablePorts** Total number of connectable USB ports. -- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync - -This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent. - -This event includes fields from [Ms.De~ice.DeviceInventoryChange](#msde~icedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd - -This event provides the basic metadata about driver binaries running on the system. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **DrivdrCompany** No content is currently available. -- **DriverCheckSum** The checksum of the driver file. -- **DriverCompany** The company name that developed the driver. -- **DriverInBox** Is the driver included with the operating system? -- **DriverIsKernelMode** Is it a kernel mode driver? -- **DriverName** The file name of the driver. -- **DriverPackageStrongName** The strong name of the driver package -- **DriverSigned** The strong name of the driver package -- **DriverTimeStamp** The low 32 bits of the time stamp of the driver file. -- **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. -- **DriverVersion** The version of the driver file. -- **ImageSize** The size of the driver file. -- **ImageSmze** No content is currently available. -- **Inf** The name of the INF file. -- **InventoryVersion** The version of the inventory file generating the events. -- **Product** The product name that is included in the driver file. -- **ProductVersion** The product version that is included in the driver file. -- **Service** The name of the service that is installed for the device. -- **WdfVersion** The Windows Driver Framework version. -- **WdfVers-on** No content is currently available. -- **WdfVersÿon** No content is currently available. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove - -This event indicates that the InventoryDriverBinary object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync - -This event indicates that a new set of InventoryDriverBinaryAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd - -This event sends basic metadata about drive packages installed on the system to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Class** The class name for the device driver. -- **ClassGuid** The class GUID for the device driver. -- **Date** The driver package date. -- **Directory** The path to the driver package. -- **DriverInBox** Is the driver included with the operating system? -- **Inf** The INF name of the driver package. -- **InventoryVersion** The version of the inventory file generating the events. -- **Provider** The provider for the driver package. -- **SubmissionId** The HLK submission ID for the driver package. -- **Version** The version of the driver package. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove - -This event indicates that the InventoryDriverPackageRemove object is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync - -This event indicates that a new set of InventoryDriverPackageAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.StartUtcJsonTrace - -This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the beginning of the event download, and that tracing should begin. - - - -### Microsoft.Windows.Inventory.Core.StopUtcJsonTrace - -This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the end of the event download, and that tracing should end. - - - -### Microsoft.Windows.Inventory.General.AppHealthStaticAdd - -This event sends details collected for a specific application on the source device. - -The following fields are available: - -- **AhaVersion** The binary version of the App Health Analyzer tool. -- **ApplicationErrors** The count of application errors from the event log. -- **Bitness** The architecture type of the application (16 Bit or 32 bit or 64 bit). -- **device_level** Various JRE/JAVA versions installed on a particular device. -- **ExtendedProperties** Attribute used for aggregating all other attributes under this event type. -- **Jar** Flag to determine if an app has a Java JAR file dependency. -- **Jre** Flag to determine if an app has JRE framework dependency. -- **Jre_version** JRE versions an app has declared framework dependency for. -- **Name** Name of the application. -- **NonDPIAware** Flag to determine if an app is non-DPI aware. -- **NumBinaries** Count of all binaries (.sys,.dll,.ini) from application install location. -- **RequiresAdmin** Flag to determine if an app requests admin privileges for execution. -- **RequiresAdminv2** Additional flag to determine if an app requests admin privileges for execution. -- **RequiresUIAccess** Flag to determine if an app is based on UI features for accessibility. -- **VB6** Flag to determine if an app is based on VB6 framework. -- **VB6v2** Additional flag to determine if an app is based on VB6 framework. -- **Version** Version of the application. -- **VersionCheck** Flag to determine if an app has a static dependency on OS version. -- **VersionCheckv2** Additional flag to determine if an app has a static dependency on OS version. - - -### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync - -This event indicates the beginning of a series of AppHealthStaticAdd events. - -The following fields are available: - -- **AllowTelemetry** Indicates the presence of the 'allowtelemetry' command line argument. -- **CommandLineArgs** Command line arguments passed when launching the App Health Analyzer executable. -- **Enhanced** Indicates the presence of the 'enhanced' command line argument. -- **StartTime** UTC date and time at which this event was sent. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd - -Provides data on the installed Office Add-ins. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AddinCLSID** The class identifier key for the Microsoft Office add-in. -- **AddInCLSID** The class identifier key for the Microsoft Office add-in. -- **AddInId** The identifier for the Microsoft Office add-in. -- **AddinType** The type of the Microsoft Office add-in. -- **BinFileTimestamp** The timestamp of the Office add-in. -- **BinFileVersion** The version of the Microsoft Office add-in. -- **Description** Description of the Microsoft Office add-in. -- **FileId** The file identifier of the Microsoft Office add-in. -- **FileSize** The file size of the Microsoft Office add-in. -- **FriendlyName** The friendly name for the Microsoft Office add-in. -- **FullPath** The full path to the Microsoft Office add-in. -- **InventoryVersion** The version of the inventory binary generating the events. -- **LoadBehavior** Integer that describes the load behavior. -- **LoadTime** Load time for the Office add-in. -- **OfficeApplication** The Microsoft Office application associated with the add-in. -- **OfficeArchitecture** The architecture of the add-in. -- **OfficeVersion** The Microsoft Office version for this add-in. -- **OutlookCrashingAddin** Indicates whether crashes have been found for this add-in. -- **ProductCompany** The name of the company associated with the Office add-in. -- **ProductName** The product name associated with the Microsoft Office add-in. -- **ProductVersion** The version associated with the Office add-in. -- **ProgramId** The unique program identifier of the Microsoft Office add-in. -- **Provider** Name of the provider for this add-in. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync - -This event indicates that a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd - -Provides data on the Office identifiers. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OAudienceData** Sub-identifier for Microsoft Office release management, identifying the pilot group for a device -- **OAudienceId** Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device -- **OMID** Identifier for the Office SQM Machine -- **OPlatform** Whether the installed Microsoft Office product is 32-bit or 64-bit -- **OTenantId** Unique GUID representing the Microsoft O365 Tenant -- **OVersion** Installed version of Microsoft Office. For example, 16.0.8602.1000 -- **OWowMID** Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft Office on 64-bit Windows) - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd - -Provides data on Office-related Internet Explorer features. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OIeFeatureAddon** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the user or by administrative group policy will also be disabled in applications that enable this feature. -- **OIeMachineLockdown** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on content loaded from the user's local machine, which helps prevent malicious behavior involving local files. -- **OIeMimeHandling** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely. Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) -- **OIeMimeSniffing** Flag indicating which Microsoft Office products have this setting enabled. Determines a file's type by examining its bit signature. Windows Internet Explorer uses this information to determine how to render the file. The FEATURE_MIME_SNIFFING feature, when enabled, allows to be set differently for each security zone by using the URLACTION_FEATURE_MIME_SNIFFING URL action flag -- **OIeNoAxInstall** Flag indicating which Microsoft Office products have this setting enabled. When a webpage attempts to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request. When a webpage tries to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request -- **OIeNoDownload** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_RESTRICT_FILEDOWNLOAD feature blocks file download requests that navigate to a resource, that display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click or key press). Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) -- **OIeObjectCaching** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_OBJECT_CACHING feature prevents webpages from accessing or instantiating ActiveX controls cached from different domains or security contexts -- **OIePasswordDisable** Flag indicating which Microsoft Office products have this setting enabled. After Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2), Internet Explorer no longer allows usernames and passwords to be specified in URLs that use the HTTP or HTTPS protocols. URLs using other protocols, such as FTP, still allow usernames and passwords -- **OIeSafeBind** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SAFE_BINDTOOBJECT feature performs additional safety checks when calling MonikerBindToObject to create and initialize Microsoft ActiveX controls. Specifically, prevent the control from being created if COMPAT_EVIL_DONT_LOAD is in the registry for the control -- **OIeSecurityBand** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled, the Information bar appears when file download or code installation is restricted -- **OIeUncSaveCheck** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_UNC_SAVEDFILECHECK feature enables the Mark of the Web (MOTW) for local files loaded from network locations that have been shared by using the Universal Naming Convention (UNC) -- **OIeValidateUrl** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_VALIDATE_NAVIGATE_URL feature control prevents Windows Internet Explorer from navigating to a badly formed URL -- **OIeWebOcPopup** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_WEBOC_POPUPMANAGEMENT feature allows applications hosting the WebBrowser Control to receive the default Internet Explorer pop-up window management behavior -- **OIeWinRestrict** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_WINDOW_RESTRICTIONS feature adds several restrictions to the size and behavior of popup windows -- **OIeZoneElevate** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_ZONE_ELEVATION feature prevents pages in one zone from navigating to pages in a higher security zone unless the navigation is generated by the user - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd - -This event provides insight data on the installed Office products - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OfficeApplication** The name of the Office application. -- **OfficeArchitecture** The bitness of the Office application. -- **OfficeVersion** The version of the Office application. -- **Valóe** No content is currently available. -- **Value** The insights collected about this entity. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync - -This diagnostic event indicates that a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd - -Describes Office Products installed. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. -- **OC2rApps** A GUID the describes the Office Click-To-Run apps -- **OC2rSkus** Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example, Office 2016 ProPlus -- **OMsiApps** Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word -- **OProductCodes** A GUID that describes the Office MSI products - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd - -This event describes various Office settings - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **BrowserFlags** Browser flags for Office-related products -- **ExchangeProviderFlags** Provider policies for Office Exchange -- **InventoryVersion** The version of the inventory binary generating the events. -- **SharedComputerLicensing** Office shared computer licensing policies - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync - -Indicates a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd - -This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Design** Count of files with design issues found. -- **Design_x64** Count of files with 64 bit design issues found. -- **DuplicateVBA** Count of files with duplicate VBA code. -- **HasVBA** Count of files with VBA code. -- **Inaccessible** Count of files that were inaccessible for scanning. -- **InventoryVersion** The version of the inventory binary generating the events. -- **Issues** Count of files with issues detected. -- **Issues_x64** Count of files with 64-bit issues detected. -- **IssuesNone** Count of files with no issues detected. -- **IssuesNone_x64** Count of files with no 64-bit issues detected. -- **Locked** Count of files that were locked, preventing scanning. -- **NoVBA** Count of files with no VBA inside. -- **Protected** Count of files that were password protected, preventing scanning. -- **RemLimited** Count of files that require limited remediation changes. -- **RemLimited_x64** Count of files that require limited remediation changes for 64-bit issues. -- **RemSignificant** Count of files that require significant remediation changes. -- **RemSignificant_x64** Count of files that require significant remediation changes for 64-bit issues. -- **Score** Overall compatibility score calculated for scanned content. -- **Score_x64** Overall 64-bit compatibility score calculated for scanned content. -- **Total** Total number of files scanned. -- **Validation** Count of files that require additional manual validation. -- **Validation_x64** Count of files that require additional manual validation for 64-bit issues. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd - -This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Count** Count of total Microsoft Office VBA rule violations -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync - -This event indicates that a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd - -Provides data on Unified Update Platform (UUP) products and what version they are at. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **Identifier** UUP identifier -- **LastActivatedVersion** Last activated version -- **PreviousVersion** Previous version -- **Source** UUP source -- **Version** UUP version - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove - -Indicates that this particular data object represented by the objectInstanceId is no longer present. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -### Microsoft.Windows.Inventory.Indicators.Checksum - -This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events. - -The following fields are available: - -- **CensusId** A unique hardware identifier. -- **ChecksumDictionary** A count of each operating system indicator. -- **PCFP** Equivalent to the InventoryId field that is found in other core events. - - -### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd - -These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **IndicatorValue** The indicator value. -- **Value** Describes an operating system indicator that may be relevant for the device upgrade. - - -### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove - -This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync - -This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -## Kernel events - -### IO - -This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon system startup. - -The following fields are available: - -- **BootAttemptCount** No content is currently available. -- **BootStatusPolicy** No content is currently available. -- **BootType** No content is currently available. -- **BytesRead** The total number of bytes read from or read by the OS upon system startup. -- **BytesWritten** The total number of bytes written to or written by the OS upon system startup. -- **FirmwareResetReasonEmbeddedController** No content is currently available. -- **FirmwareResetReasonEmbeddedControllerAdditional** No content is currently available. -- **FirmwareResetReasonPch** No content is currently available. -- **FirmwareResetReasonPchAdditional** No content is currently available. -- **FirmwareResetReasonSupplied** No content is currently available. -- **LastBootSucceeded** No content is currently available. -- **LastShutdownSucceeded** No content is currently available. -- **MeasuredLaunchResume** No content is currently available. -- **MenuPolicy** No content is currently available. -- **RecoveryEnabled** No content is currently available. -- **UserInputTime** No content is currently available. - - -### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch - -OS information collected during Boot, used to evaluate the success of the upgrade process. - -The following fields are available: - -- **Boo|ApplicationId** No content is currently available. -- **BootApplicataonId** No content is currently available. -- **BootApplicationId** This field tells us what the OS Loader Application Identifier is. -- **BootAttemptCount** The number of consecutive times the boot manager has attempted to boot into this operating system. -- **BootSequence** The current Boot ID, used to correlate events related to a particular boot session. -- **BootStatusPolicy** Identifies the applicable Boot Status Policy. -- **BootType** Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume"). -- **EventTimestamp** Seconds elapsed since an arbitrary time point. This can be used to identify the time difference in successive boot attempts being made. -- **FirmwareResetReasonEmbeddedController** Reason for system reset provided by firmware. -- **FirmwareResetReasonEmbeddedControllerAdditional** Additional information on system reset reason provided by firmware if needed. -- **FirmwareResetReasonPch** Reason for system reset provided by firmware. -- **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed. -- **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware. -- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See [IO](#io). -- **LastBootSucceeded** Flag indicating whether the last boot was successful. -- **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful. -- **MaxAbove4GbFreeRange** This field describes the largest memory range available above 4Gb. -- **MaxBelow4GbFreeRange** This field describes the largest memory range available below 4Gb. -- **MeasuredLaunchPrepared** This field tells us if the OS launch was initiated using Measured/Secure Boot over DRTM (Dynamic Root of Trust for Measurement). -- **MeasuredLaunchResume** This field tells us if Dynamic Root of Trust for Measurement (DRTM) was used when resuming from hibernation. -- **MenuPolicy** Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.). -- **RecoveryEnabled** Indicates whether recovery is enabled. -- **SecureLaunchPrepared** This field indicates if DRTM was prepared during boot. -- **TcbLaunch** Indicates whether the Trusted Computing Base was used during the boot flow. -- **UserInputTime** The amount of time the loader application spent waiting for user input. - - -## Miracast events - -### Microsoft.Windows.Cast.Miracast.MiracastSessionEnd - -This event sends data at the end of a Miracast session that helps determine RTSP related Miracast failures along with some statistics about the session - -The following fields are available: - -- **AudioChannelCount** The number of audio channels. -- **AudioSampleRate** The sample rate of audio in terms of samples per second. -- **AudioSubtype** The unique subtype identifier of the audio codec (encoding method) used for audio encoding. -- **AverageBitrate** The average video bitrate used during the Miracast session, in bits per second. -- **AverageDataRate** The average available bandwidth reported by the WiFi driver during the Miracast session, in bits per second. -- **AveragePacketSendTimeInMs** The average time required for the network to send a sample, in milliseconds. -- **ConnectorType** The type of connector used during the Miracast session. -- **EncodeAverageTimeMS** The average time to encode a frame of video, in milliseconds. -- **EncodeCount** The count of total frames encoded in the session. -- **EncodeMaxTimeMS** The maximum time to encode a frame, in milliseconds. -- **EncodeMinTimeMS** The minimum time to encode a frame, in milliseconds. -- **EncoderCreationTimeInMs** The time required to create the video encoder, in milliseconds. -- **ErrorSource** Identifies the component that encountered an error that caused a disconnect, if applicable. -- **FirstFrameTime** The time (tick count) when the first frame is sent. -- **FirstLatencyMode** The first latency mode. -- **FrameAverageTimeMS** Average time to process an entire frame, in milliseconds. -- **FrameCount** The total number of frames processed. -- **FrameMaxTimeMS** The maximum time required to process an entire frame, in milliseconds. -- **FrameMinTimeMS** The minimum time required to process an entire frame, in milliseconds. -- **Glitches** The number of frames that failed to be delivered on time. -- **HardwareCursorEnabled** Indicates if hardware cursor was enabled when the connection ended. -- **HDCPState** The state of HDCP (High-bandwidth Digital Content Protection) when the connection ended. -- **HighestBitrate** The highest video bitrate used during the Miracast session, in bits per second. -- **HighestDataRate** The highest available bandwidth reported by the WiFi driver, in bits per second. -- **LastLatencyMode** The last reported latency mode. -- **LogTimeReference** The reference time, in tick counts. -- **LowestBitrate** The lowest video bitrate used during the Miracast session, in bits per second. -- **LowestDataRate** The lowest video bitrate used during the Miracast session, in bits per second. -- **MediaErrorCode** The error code reported by the media session, if applicable. -- **MiracastEntry** The time (tick count) when the Miracast driver was first loaded. -- **MiracastM1** The time (tick count) when the M1 request was sent. -- **MiracastM2** The time (tick count) when the M2 request was sent. -- **MiracastM3** The time (tick count) when the M3 request was sent. -- **MiracastM4** The time (tick count) when the M4 request was sent. -- **MiracastM5** The time (tick count) when the M5 request was sent. -- **MiracastM6** The time (tick count) when the M6 request was sent. -- **MiracastM7** The time (tick count) when the M7 request was sent. -- **MiracastSessionState** The state of the Miracast session when the connection ended. -- **MiracastStreaming** The time (tick count) when the Miracast session first started processing frames. -- **ProfileCount** The count of profiles generated from the receiver M4 response. -- **ProfileCountAfterFiltering** The count of profiles after filtering based on available bandwidth and encoder capabilities. -- **RefreshRate** The refresh rate set on the remote display. -- **RotationSupported** Indicates if the Miracast receiver supports display rotation. -- **RTSPSessionId** The unique identifier of the RTSP session. This matches the RTSP session ID for the receiver for the same session. -- **SessionGuid** The unique identifier of to correlate various Miracast events from a session. -- **SinkHadEdid** Indicates if the Miracast receiver reported an EDID. -- **SupportMicrosoftColorSpaceConversion** Indicates whether the Microsoft color space conversion for extra color fidelity is supported by the receiver. -- **SupportsMicrosoftDiagnostics** Indicates whether the Miracast receiver supports the Microsoft Diagnostics Miracast extension. -- **SupportsMicrosoftFormatChange** Indicates whether the Miracast receiver supports the Microsoft Format Change Miracast extension. -- **SupportsMicrosoftLatencyManagement** Indicates whether the Miracast receiver supports the Microsoft Latency Management Miracast extension. -- **SupportsMicrosoftRTCP** Indicates whether the Miracast receiver supports the Microsoft RTCP Miracast extension. -- **SupportsMicrosoftVideoFormats** Indicates whether the Miracast receiver supports Microsoft video format for 3:2 resolution. -- **SupportsWiDi** Indicates whether Miracast receiver supports Intel WiDi extensions. -- **TeardownErrorCode** The error code reason for teardown provided by the receiver, if applicable. -- **TeardownErrorReason** The text string reason for teardown provided by the receiver, if applicable. -- **UIBCEndState** Indicates whether UIBC was enabled when the connection ended. -- **UIBCEverEnabled** Indicates whether UIBC was ever enabled. -- **UIBCStatus** The result code reported by the UIBC setup process. -- **VideoBitrate** The starting bitrate for the video encoder. -- **VideoCodecLevel** The encoding level used for encoding, specific to the video subtype. -- **VideoHeight** The height of encoded video frames. -- **VideoSubtype** The unique subtype identifier of the video codec (encoding method) used for video encoding. -- **VideoWidth** The width of encoded video frames. -- **WFD2Supported** Indicates if the Miracast receiver supports WFD2 protocol. - - -## OneDrive events - -### Microsoft.OneDrive.Sync.Setup.APIOperation - -This event includes basic data about install and uninstall OneDrive API operations. - -The following fields are available: - -- **APIName** The name of the API. -- **Duration** How long the operation took. -- **IsSuccess** Was the operation successful? -- **ResultCode** The result code. -- **ScenarioName** The name of the scenario. - - -### Microsoft.OneDrive.Sync.Setup.EndExperience - -This event includes a success or failure summary of the installation. - -The following fields are available: - -- **APIName** The name of the API. -- **HResult** HResult of the operation -- **IsSuccess** Whether the operation is successful or not -- **ScenarioName** The name of the scenario. - - -### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation - -This event is related to the OS version when the OS is upgraded with OneDrive installed. - -The following fields are available: - -- **CurrentOneDriveVersion** The current version of OneDrive. -- **CurrentOSBuildBranch** The current branch of the operating system. -- **CurrentOSBuildNumber** The current build number of the operating system. -- **CurrentOSVersion** The current version of the operating system. -- **HResult** The HResult of the operation. -- **SourceOSBuildBranch** The source branch of the operating system. -- **SourceOSBuildNumber** The source build number of the operating system. -- **SourceOSVersion** The source version of the operating system. - - -### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation - -This event is related to registering or unregistering the OneDrive update task. - -The following fields are available: - -- **APIName** The name of the API. -- **IsSuccess** Was the operation successful? -- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation. -- **ScenarioName** The name of the scenario. -- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation. - - -### Microsoft.OneDrive.Sync.Updater.ComponentInstallState - -This event includes basic data about the installation state of dependent OneDrive components. - -The following fields are available: - -- **ComponentName** The name of the dependent component. -- **isInstalled** Is the dependent component installed? - - -### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus - -This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken - -The following fields are available: - -- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system. -- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system. - - -### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult - -This event sends information describing the result of the update. - -The following fields are available: - -- **br** No content is currently available. -- **hr** The HResult of the operation. -- **IsLoggingE~abled** No content is currently available. -- **IsLoggingEnabled** Indicates whether logging is enabled for the updater. -- **UpdaterVersion** The version of the updater. - - -### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult - -This event determines the status when downloading the OneDrive update configuration file. - -The following fields are available: - -- **hr** The HResult of the operation. - - -### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus - -This event determines the error code that was returned when verifying Internet connectivity. - -The following fields are available: - -- **winInetError** The HResult of the operation. - - -## Privacy consent logging events - -### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted - -This event is used to determine whether the user successfully completed the privacy consent experience. - -The following fields are available: - -- **presentationVersion** Which display version of the privacy consent experience the user completed -- **privacyConsentState** The current state of the privacy consent experience -- **settingsVersion** Which setting version of the privacy consent experience the user completed -- **userOobeExitReason** The exit reason of the privacy consent experience - - -### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus - -Event tells us effectiveness of new privacy experience. - -The following fields are available: - -- **isAdmin** whether the person who is logging in is an admin -- **isExistingUser** whether the account existed in a downlevel OS -- **isLaunching** Whether or not the privacy consent experience will be launched -- **isSilentElevation** whether the user has most restrictive UAC controls -- **privacyConsentState** whether the user has completed privacy experience -- **userRegionCode** The current user's region setting - - -### wilActivity - -This event provides a Windows Internal Library context used for Product and Service diagnostics. - -The following fields are available: - -- **callContext** The function where the failure occurred. -- **currentContextId** The ID of the current call context where the failure occurred. -- **currentContextMessage** The message of the current call context where the failure occurred. -- **currentContextName** The name of the current call context where the failure occurred. -- **failureCount** The number of failures for this failure ID. -- **failureId** The ID of the failure that occurred. -- **failureType** The type of the failure that occurred. -- **fileName** The file name where the failure occurred. -- **function** The function where the failure occurred. -- **hresult** The HResult of the overall activity. -- **lineNumber** The line number where the failure occurred. -- **message** The message of the failure that occurred. -- **module** The module where the failure occurred. -- **originatingContextId** The ID of the originating call context that resulted in the failure. -- **originatingContextMessage** The message of the originating call context that resulted in the failure. -- **originatingContextName** The name of the originating call context that resulted in the failure. -- **threadId** The ID of the thread on which the activity is executing. - - -## Sediment events - -### Microsoft.Windows.Sediment.Info.DetailedState - -This event is sent when detailed state information is needed from an update trial run. - -The following fields are available: - -- **Data** Data relevant to the state, such as what percent of disk space the directory takes up. -- **Id** Identifies the trial being run, such as a disk related trial. -- **ReleaseVer** The version of the component. -- **State** The state of the reporting data from the trial, such as the top-level directory analysis. -- **Time** The time the event was fired. - - -### Microsoft.Windows.Sediment.Info.Error - -This event indicates an error in the updater payload. This information assists in keeping Windows up to date. - -The following fields are available: - -- **FailureType** The type of error encountered. -- **FileName** The code file in which the error occurred. -- **HResult** The failure error code. -- **LineNumber** The line number in the code file at which the error occurred. -- **ReleaseVer** The version information for the component in which the error occurred. -- **Time** The system time at which the error occurred. - - -### Microsoft.Windows.Sediment.Info.PhaseChange - -The event indicates progress made by the updater. This information assists in keeping Windows up to date. - -The following fields are available: - -- **NewPhase** The phase of progress made. -- **ReleaseVer** The version information for the component in which the change occurred. -- **Time** The system time at which the phase chance occurred. - - -## Setup events - -### SetupPlatformTel.SetupPlatformTelActivityEvent - -This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date. - -The following fields are available: - -- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. -- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. -- **Value** Value associated with the corresponding event name. For example, time-related events will include the system time - - -### SetupPlatformTel.SetupPlatformTelActivityStarted - -This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. - -The following fields are available: - -- **Name** The name of the dynamic update type. Example: GDR driver - - -### SetupPlatformTel.SetupPlatformTelActivityStopped - -This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. - - - -### SetupPlatformTel.SetupPlatformTelEvent - -This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios. - -The following fields are available: - -- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. -- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. -- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. - - -## Software update events - -### SoftwareUpdateClientTelemetry.CheckForUpdates - -Scan process event on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). - -The following fields are available: - -- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. -- **AllowCachedResults** Indicates if the scan allowed using cached results. -- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable -- **BiosFamily** The family of the BIOS (Basic Input Output System). -- **BiosName** The name of the device BIOS. -- **BiosReleaseDate** The release date of the device BIOS. -- **BiosSKUNumber** The sku number of the device BIOS. -- **BIOSVendor** The vendor of the BIOS. -- **BiosVersion** The version of the BIOS. -- **BranchReadinessLevel** The servicing branch configured on the device. -- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated. -- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. -- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. -- **ClientVersion** The version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0. -- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown -- **CurrentMobileOperator** The mobile operator the device is currently connected to. -- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). -- **DeferredUpdates** Update IDs which are currently being deferred until a later time -- **DeviceModel** What is the device model. -- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. -- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. -- **DriverGxclusionPolicy** No content is currently available. -- **DriverSyncPassPerformed** Were drivers scanned this time? -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. -- **ExtendedMetadataCabUrl** Hostname that is used to download an update. -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. -- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. -- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. -- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days). -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FeatureUpdatePause9-8iod** No content is currently available. -- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days). -- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). -- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). -- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. -- **I#Version** No content is currently available. -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **IPVersion** Indicates whether the download took place over IPv4 or IPv6 -- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. -- **IsWUfBDualScaninabled** No content is currently available. -- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. -- **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. -- **IsWUfBinabled** No content is currently available. -- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce -- **MSIError** The last error that was encountered during a scan for updates. -- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 -- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete -- **NumberOfApplicationsCategoryScanEval}ated** No content is currently available. -- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked -- **NumberOfLoop** The number of round trips the scan required -- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan -- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan -- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. -- **Online** Indicates if this was an online scan. -- **PausedUpdates** A list of UpdateIds which that currently being paused. -- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window. -- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window. -- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window. -- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window. -- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced. -- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. -- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days). -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **QualityUpdatePause9-8iod** No content is currently available. -- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days). -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **S}ncType** No content is currently available. -- **ScanDuratioInSeconds** No content is currently available. -- **ScanDurationInSeconds** The number of seconds a scan took -- **ScanEnqueueTime** The number of seconds it took to initialize a scan -- **ScanPrps** No content is currently available. -- **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). -- **ServiceUrl** The environment URL a device is configured to scan with -- **ShippingMobileOperator** The mobile operator that a device shipped on. -- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). -- **SyncType** Describes the type of scan the event was -- **SystemBIOSMajorRelease** Major version of the BIOS. -- **SystemBIOSMinorRelease** Minor version of the BIOS. -- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. -- **TotalNumMetadataSignatureM** No content is currently available. -- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. -- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - - -### SoftwareUpdateClientTelemetry.Commit - -This event tracks the commit process post the update installation when software update client is trying to update the device. - -The following fields are available: - -- **BiosFamily** Device family as defined in the system BIOS -- **BiosName** Name of the system BIOS -- **BiosReleaseDate** Release date of the system BIOS -- **BiosSKUNumber** Device SKU as defined in the system BIOS -- **BIOSVendor** Vendor of the system BIOS -- **BiosVersion** Version of the system BIOS -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRevisionNumber** Identifies the revision number of the content bundle -- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client -- **ClientVersion** Version number of the software distribution client -- **DeploymentProviderMode** The mode of operation of the update deployment provider. -- **DeviceModel** Device model as defined in the system bios -- **EventInstanceID** A globally unique identifier for event instance -- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. -- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver". -- **FlightId** The specific id of the flight the device is getting -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) -- **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). -- **SystemBIOSMajorRelease** Major release version of the system bios -- **SystemBIOSMinorRelease** Minor release version of the system bios -- **UpdateId** Identifier associated with the specific piece of content -- **WUDeviceID** Unique device id controlled by the software distribution client - - -### SoftwareUpdateClientTelemetry.Download - -Download process event for target update on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). - -The following fields are available: - -- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded. -- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload. -- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. -- **AppXDownloadScope** Indicates the scope of the download for application content. -- **AppXScope** Indicates the scope of the app download. -- **aundleBy1esDownl?aded** No content is currently available. -- **B1ndleRepeatFailCount** No content is currently available. -- **BiosFamily** The family of the BIOS (Basic Input Output System). -- **BiosName** The name of the device BIOS. -- **BiosReleaseDate** The release date of the device BIOS. -- **BiosSKUNumber** The sku number of the device BIOS. -- **BIOSVendor** The vendor of the BIOS. -- **BiosVersion** The version of the BIOS. -- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. -- **BundleId** Identifier associated with the specific content bundle. -- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. -- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). -- **CachedEngineVersion** The version of the “Self-Initiated Healing” (SIH) engine that is cached on the device, if applicable. -- **CallerApplicationName** The name provided by the application that initiated API calls into the software distribution client. -- **Cbs5ethod** No content is currently available. -- **CbsDownloadMethod** Indicates whether the download was a full- or a partial-file download. -- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. -- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. -- **CDNId** ID which defines which CDN the software distribution client downloaded the content from. -- **ClientVersion** The version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. -- **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. -- **CurrentMobileOperator** The mobile operator the device is currently connected to. -- **DeviceModel** The model of the device. -- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. -- **DownloadProps** Information about the download operation properties in the form of a bitmask. -- **DownloadType** Differentiates the download type of “Self-Initiated Healing” (SIH) downloads between Metadata and Payload downloads. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenarao** No content is currently available. -- **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed. -- **EventType** Identifies the type of the event (Child, Bundle, or Driver). -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). -- **flightBuildNumber** No content is currently available. -- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. -- **FlightId** The specific ID of the flight (pre-release build) the device is getting. -- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). -- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). -- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. -- **HostName** The hostname URL the content is downloading from. -- **IPVersion** Indicates whether the download took place over IPv4 or IPv6. -- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update -- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. -- **IsWVfBDualScanEnabled** No content is currently available. -- **IsWVfBEnabled** No content is currently available. -- **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. -- **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) -- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." -- **PackageFullName** The package name of the content. -- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. -- **PostDnldTime** Time (in seconds) taken to signal download completion after the last job completed downloading the payload. -- **ProcessName** The process name of the application that initiated API calls, in the event where CallerApplicationName was not provided. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background. -- **RegulationReason** The reason that the update is regulated -- **RegulationReóult** No content is currently available. -- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. -- **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. -- **RelqtedCV** No content is currently available. -- **RepeatFailCount** Indicates whether this specific content has previously failed. -- **RepeatFailFlag** Indicates whether this specific content previously failed to download. -- **RevisionNumber** The revision number of the specified piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). -- **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. -- **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. -- **SizeCalcTime** Time (in seconds) taken to calculate the total download size of the payload. -- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). -- **SystemBIOSMajorRelease** Major version of the BIOS. -- **SystemBIOSMinorRelease** Minor version of the BIOS. -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **TargetMetadataVersion** The version of the currently downloading (or most recently downloaded) package. -- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet. -- **TimeToEstablishConnection** Time (in milliseconds) it took to establish the connection prior to beginning downloaded. -- **TotalEx8ectedBydes** No content is currently available. -- **TotalExpectedBytes** The total size (in Bytes) expected to be downloaded. -- **UpdateId** An identifier associated with the specific piece of content. -- **UpdateID** An identifier associated with the specific piece of content. -- **UpdateImportance** Indicates whether the content was marked as Important, Recommended, or Optional. -- **UsecDO** No content is currently available. -- **UsedDO** Indicates whether the download used the Delivery Optimization (DO) service. -- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive. -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. -- **YsWUfBEnabled** No content is currently available. - - -### SoftwareUpdateClientTelemetry.DownloadCheckpoint - -This event provides a checkpoint between each of the Windows Update download phases for UUP content - -The following fields are available: - -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client -- **ClientVersion** The version number of the software distribution client -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed -- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver" -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough -- **FileId** A hash that uniquely identifies a file -- **FileName** Name of the downloaded file -- **FlightId** The unique identifier for each flight -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **RevisionNumber** Unique revision number of Update -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.) -- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult) -- **UpdateId** Unique Update ID -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue - - -### SoftwareUpdateClientTelemetry.DownloadHeartbeat - -This event allows tracking of ongoing downloads and contains data to explain the current state of the download - -The following fields are available: - -- **BytesTotal** Total bytes to transfer for this content -- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat -- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client -- **ClientVersion** The version number of the software distribution client -- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat -- **CurrentError** Last (transient) error encountered by the active download -- **DownloadFlags** Flags indicating if power state is ignored -- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing) -- **EventType** Possible values are "Child", "Bundle", or "Driver" -- **FlightId** The unique identifier for each flight -- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered" -- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any -- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any -- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) -- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one -- **ResumeCount** Number of times this active download has resumed from a suspended state -- **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) -- **SuspendCount** Number of times this active download has entered a suspended state -- **SuspendReason** Last reason for why this active download entered a suspended state -- **UpdateId** Identifier associated with the specific piece of content -- **WUDeviceID** Unique device id controlled by the software distribution client - - -### SoftwareUpdateClientTelemetry.Install - -This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date. - -The following fields are available: - -- **BiosFamily** The family of the BIOS (Basic Input Output System). -- **BiosName** The name of the device BIOS. -- **BiosReleaseDate** The release date of the device BIOS. -- **BiosSKUNumber** The sku number of the device BIOS. -- **BIOSVendor** The vendor of the BIOS. -- **BiosVersion** The version of the BIOS. -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. -- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to install. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **ClientVersion** The version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0. -- **CSIErrorType** The stage of CBS installation where it failed. -- **CurrentMobileOperator** The mobile operator to which the device is currently connected. -- **DeploymentProviderMode** The mode of operation of the update deployment provider. -- **DeviceModel** The device model. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. -- **EventType** Possible values are Child, Bundle, or Driver. -- **ExtendedErrorCode** The extended error code. -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBranch** The branch that a device is on if participating in the Windows Insider Program. -- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **FlightRing** The ring that a device is on if participating in the Windows Insider Program. -- **HandlerType** Indicates what kind of content is being installed (for example, app, driver, Windows update). -- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. -- **InstallProps** A bitmask for future flags associated with the install operation. No value is currently reported in this field. Expected value for this field is 0. -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **IsDependentSet** Indicates whether the driver is part of a larger System Hardware/Firmware update. -- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. -- **IsFirmware** Indicates whether this update is a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. -- **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. -- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. -- **MsiAction** The stage of MSI installation where it failed. -- **MsiProductCode** The unique identifier of the MSI installer. -- **PackageFullName** The package name of the content being installed. -- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced. -- **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. -- **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. -- **RevisionNumber** The revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). -- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. -- **ShippingMobileOperator** The mobile operator that a device shipped on. -- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). -- **SystemBIOSMajorRelease** Major version of the BIOS. -- **SystemBIOSMinorRelease** Minor version of the BIOS. -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **Targeti~gVersion** No content is currently available. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **TransactionCode** The ID that represents a given MSI installation. -- **UpdateId** Unique update ID. -- **UpdateID** An identifier associated with the specific piece of content. -- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. -- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive. -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - - -### SoftwareUpdateClientTelemetry.Revert - -Revert event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). - -The following fields are available: - -- **BundleId** Identifier associated with the specific content bundle. Should not be all zeros if the BundleId was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **CSIErrorType** Stage of CBS installation that failed. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). -- **EventType** Event type (Child, Bundle, Release, or Driver). -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of the flight. -- **FlightId** The specific ID of the flight the device is getting. -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). -- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. -- **IsFirmware** Indicates whether an update was a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. -- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **UpdateId** The identifier associated with the specific piece of content. -- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). -- **UsedSystemVolume** Indicates whether the device's main system storage drive or an alternate storage drive was used. -- **WUDeviceID** Unique device ID controlled by the software distribution client. - - -### SoftwareUpdateClientTelemetry.TaskRun - -Start event for Server Initiated Healing client. See EventScenario field for specifics (for example, started/completed). - -The following fields are available: - -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClientVersion** Version number of the software distribution client. -- **CmdLineArgs** Command line arguments passed in by the caller. -- **EventInstanceID** A globally unique identifier for the event instance. -- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **WUDeviceID** Unique device ID controlled by the software distribution client. - - -### SoftwareUpdateClientTelemetry.Uninstall - -Uninstall event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). - -The following fields are available: - -- **BundleId** The identifier associated with the specific content bundle. This should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** Name of the application making the Windows Update request. Used to identify context of request. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers when a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of the event (a scan started, succeded, failed, etc.). -- **EventType** Indicates the event type. Possible values are "Child", "Bundle", "Release" or "Driver". -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of the flight. -- **FlightId** The specific ID of the flight the device is getting. -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). -- **HardwareId** If the download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. -- **IsFirmware** Indicates whether an update was a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. -- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific piece of content previously failed. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **UpdateId** Identifier associated with the specific piece of content. -- **UpdateImportance** Indicates the importance of a driver and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). -- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. -- **WUDeviceID** Unique device ID controlled by the software distribution client. - - -### SoftwareUpdateClientTelemetry.UpdateDetected - -This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates. - -The following fields are available: - -- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable. -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **NumberOfA0plicableUpdates** No content is currently available. -- **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). -- **WUDeviceID** The unique device ID controlled by the software distribution client. - - -### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity - -Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. - -The following fields are available: - -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments. -- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. -- **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed. -- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. -- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce -- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID). -- **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable. -- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. -- **RevisionId** The revision ID for a specific piece of content. -- **RevisionNumber** The revision number for a specific piece of content. -- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store -- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. -- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. -- **SHA256OfTimestampToken** An encoded string of the timestamp token. -- **SignatureAlgorithm** The hash algorithm for the metadata signature. -- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast". -- **StatusCode** Result code of the event (success, cancellation, failure code HResult) -- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token. -- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed. -- **UpdateId** The update ID for a specific piece of content. -- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. - - -## System Resource Usage Monitor events - -### Microsoft.Windows.Srum.Sdp.CpuUsage - -This event provides information on CPU usage. - -The following fields are available: - -- **UsageMax** The maximum of hourly average CPU usage. -- **UsageMean** The mean of hourly average CPU usage. -- **UsageMedian** The median of hourly average CPU usage. -- **UsageTwoHourMaxMean** The mean of the maximum of every two hour of hourly average CPU usage. -- **UsageTwoHourMedianMean** The mean of the median of every two hour of hourly average CPU usage. - - -### Microsoft.Windows.Srum.Sdp.NetworkUsage - -This event provides information on network usage. - -The following fields are available: - -- **AdapterGuid** The unique ID of the adapter. -- **BytesTotalMax** The maximum of the hourly average bytes total. -- **BytesTotalMean** The mean of the hourly average bytes total. -- **BytesTotalMedian** The median of the hourly average bytes total. -- **BytesTotalTwoHourMaxMean** The mean of the maximum of every two hours of hourly average bytes total. -- **BytesTotalTwoHourMedianMean** The mean of the median of every two hour of hourly average bytes total. -- **LinkSpeed** The adapter link speed. - - -## Update events - -### Update360Telemetry.Revert - -This event sends data relating to the Revert phase of updating Windows. - -The following fields are available: - -- **ErrorCode** The error code returned for the Revert phase. -- **FlightId** Unique ID for the flight (test instance version). -- **ObjectId** The unique value for each Update Agent mode. -- **RebootRequired** Indicates reboot is required. -- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. -- **Result** The HResult of the event. -- **RevertResult** The result code returned for the Revert operation. -- **ScenarioId** The ID of the update scenario. -- **SessionId** The ID of the update attempt. -- **UpdateId** The ID of the update. - - -### Update360Telemetry.UpdateAgentCommit - -This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **ErrorCode** The error code returned for the current install phase. -- **FlightId** Unique ID for each flight. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** Outcome of the install phase of the update. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentDownloadRequest - -This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. - -The following fields are available: - -- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted. -- **DownloadRequests** Number of times a download was retried. -- **ErrorCode** The error code returned for the current download request phase. -- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. -- **FlightId** Unique ID for each flight. -- **InternalFailureResult** Indicates a non-fatal error from a plugin. -- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). -- **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable. -- **PackageCCoegoriesSkipped** No content is currently available. -- **PackageCountOptional** Number of optional packages requested. -- **PackageCountRequired** Number of required packages requested. -- **PackageCountTotal** Total number of packages needed. -- **PackageCountTotalCanonical** Total number of canonical packages. -- **PackageCountTotalDiff** Total number of diff packages. -- **PackageCountTotalExpress** Total number of express packages. -- **PackageCountTotalPSFX** The total number of PSFX packages. -- **PackageExpressType** Type of express package. -- **PackageSizeCanonical** Size of canonical packages in bytes. -- **PackageSizeDiff** Size of diff packages in bytes. -- **PackageSizeExpress** Size of express packages in bytes. -- **PackageSizePSFX** The size of PSFX packages, in bytes. -- **RangeRequestSsCoe** No content is currently available. -- **RangeRequestState** Indicates the range request type used. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** Outcome of the download request phase of update. -- **SandboxTaggedForReserves** The sandbox for reserves. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases). -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentExpand - -This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **ElapsedTickCount** Time taken for expand phase. -- **EndFreeSpace** Free space after expand phase. -- **EndSandboxSize** Sandbox size after expand phase. -- **ErrorCode** The error code returned for the current install phase. -- **FlightId** Unique ID for each flight. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **StartFreeSpace** Free space before expand phase. -- **StartSandboxSize** Sandbox size after expand phase. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentFellBackToCanonical - -This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **FlightId** Unique ID for each flight. -- **ObjectId** Unique value for each Update Agent mode. -- **PackageCount** Number of packages that feel back to canonical. -- **PackageList** PackageIds which fell back to canonical. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentInitialize - -This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. - -The following fields are available: - -- **ErrorCode** The error code returned for the current install phase. -- **FlightId** Unique ID for each flight. -- **FlightMetadata** Contains the FlightId and the build being flighted. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** Outcome of the install phase of the update. -- **ScenarioId** Indicates the update scenario. -- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios). -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentInstall - -This event sends data for the install phase of updating Windows. - -The following fields are available: - -- **ErrorCode** The error code returned for the current install phase. -- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. -- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). -- **InternalFailureResult** Indicates a non-fatal error from a plugin. -- **ObjectId** Correlation vector value generated from the latest USO scan. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** The result for the current install phase. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentMerge - -The UpdateAgentMerge event sends data on the merge phase when updating Windows. - -The following fields are available: - -- **ErrorCode** The error code returned for the current merge phase. -- **FlightId** Unique ID for each flight. -- **MergeId** The unique ID to join two update sessions being merged. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Related correlation vector value. -- **Result** Outcome of the merge phase of the update. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentMitigationResult - -This event sends data indicating the result of each update agent mitigation. - -The following fields are available: - -- **Applicable** Indicates whether the mitigation is applicable for the current update. -- **CommandCount** The number of command operations in the mitigation entry. -- **CustomCount** The number of custom operations in the mitigation entry. -- **FileCount** The number of file operations in the mitigation entry. -- **FlightId** Unique identifier for each flight. -- **Index** The mitigation index of this particular mitigation. -- **MitigationScenario** The update scenario in which the mitigation was executed. -- **Name** The friendly name of the mitigation. -- **ObjectId** Unique value for each Update Agent mode. -- **OperationIndex** The mitigation operation index (in the event of a failure). -- **OperationName** The friendly name of the mitigation operation (in the event of failure). -- **RegistryCount** The number of registry operations in the mitigation entry. -- **RelatedCV** The correlation vector value generated from the latest USO scan. -- **Result** The HResult of this operation. -- **ScenarioId** The update agent scenario ID. -- **SessionId** Unique value for each update attempt. -- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). -- **UpdateId** Unique ID for each Update. - - -### Update360Telemetry.UpdateAgentMitigationSummary - -This event sends a summary of all the update agent mitigations available for an this update. - -The following fields are available: - -- **Applicable** The count of mitigations that were applicable to the system and scenario. -- **Failed** The count of mitigations that failed. -- **FlightId** Unique identifier for each flight. -- **MitigationScenario** The update scenario in which the mitigations were attempted. -- **ObjectId** The unique value for each Update Agent mode. -- **RelatedCV** The correlation vector value generated from the latest USO scan. -- **Result** The HResult of this operation. -- **ScenarioId** The update agent scenario ID. -- **SessionId** Unique value for each update attempt. -- **TimeDiff** The amount of time spent performing all mitigations (in 100-nanosecond increments). -- **Total** Total number of mitigations that were available. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentModeStart - -This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. - -The following fields are available: - -- **FlightId** Unique ID for each flight. -- **Mode** Indicates the mode that has started. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. -- **Version** Version of update - - -### Update360Telemetry.UpdateAgentOneSettings - -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **Count** The count of applicable OneSettings for the device. -- **FlightId** Unique ID for the flight (test instance version). -- **ObjectId** The unique value for each Update Agent mode. -- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. -- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. -- **Result** The HResult of the event. -- **ScenarioId** The ID of the update scenario. -- **SessionId** The ID of the update attempt. -- **UpdateId** The ID of the update. -- **Values** The values sent back to the device, if applicable. - - -### Update360Telemetry.UpdateAgentPostRebootResult - -This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. - -The following fields are available: - -- **ErrorCode** The error code returned for the current post reboot phase. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **ObjectId** Unique value for each Update Agent mode. -- **PostRebootResult** Indicates the Hresult. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. - - -### Update360Telemetry.UpdateAgentReboot - -This event sends information indicating that a request has been sent to suspend an update. - -The following fields are available: - -- **ErrorCode** The error code returned for the current reboot. -- **FlightId** Unique ID for the flight (test instance version). -- **ObjectId** The unique value for each Update Agent mode. -- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. -- **Result** The HResult of the event. -- **ScenarioId** The ID of the update scenario. -- **SessionId** The ID of the update attempt. -- **UpdateId** The ID of the update. - - -### Update360Telemetry.UpdateAgentSetupBoxLaunch - -The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. - -The following fields are available: - -- **ContainsExpressPackage** Indicates whether the download package is express. -- **FlightId** Unique ID for each flight. -- **FreeSpace** Free space on OS partition. -- **InstallCount** Number of install attempts using the same sandbox. -- **ObjectId** Unique value for each Update Agent mode. -- **Quiet** Indicates whether setup is running in quiet mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **SandboxSize** Size of the sandbox. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **SetupMode** Mode of setup to be launched. -- **UpdateId** Unique ID for each Update. -- **UserSession** Indicates whether install was invoked by user actions. - - -## Update notification events - -### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat - -This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat. - -The following fields are available: - -- **CampaignConfigVersion** Configuration version for the current campaign. -- **CampaignID** Currently campaign that is running on Update Notification Pipeline (UNP). -- **ConfigCatalogVersion** Current catalog version of UNP. -- **ContentVersion** Content version for the current campaign on UNP. -- **CV** Correlation vector. -- **DetectorVersion** Most recently run detector version for the current campaign on UNP. -- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user. -- **PackageVersion** Current UNP package version. - - -## Upgrade events - -### FacilitatorTelemetry.DCATDownload - -This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **DownloadSize** Download size of payload. -- **ElapsedTime** Time taken to download payload. -- **MediaFallbackUsed** Used to determine if we used Media CompDBs to figure out package requirements for the upgrade. -- **ResultCode** Result returned by the Facilitator DCAT call. -- **Scenario** Dynamic update scenario (Image DU, or Setup DU). -- **Type** Type of package that was downloaded. -- **UpdateId** The ID of the update that was downloaded. - - -### FacilitatorTelemetry.DUDownload - -This event returns data about the download of supplemental packages critical to upgrading a device to the next version of Windows. - -The following fields are available: - -- **DownloadRequestAttributes** The attributes sent for download. -- **PackageCategoriesFailed** Lists the categories of packages that failed to download. -- **PackageCategoriesSkipped** Lists the categories of package downloads that were skipped. -- **ResultCode** The result of the event execution. -- **Scenario** Identifies the active Download scenario. -- **Url** The URL the download request was sent to. -- **Version** Identifies the version of Facilitator used. - - -### FacilitatorTelemetry.InitializeDU - -This event determines whether devices received additional or critical supplemental content during an OS upgrade. - -The following fields are available: - -- **DCATUrl** The Delivery Catalog (DCAT) URL we send the request to. -- **DownloadRequestAttributes** The attributes we send to DCAT. -- **ResultCode** The result returned from the initiation of Facilitator with the URL/attributes. -- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). -- **Url** The Delivery Catalog (DCAT) URL we send the request to. -- **Version** Version of Facilitator. - - -### Setup360Telemetry.Downlevel - -This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the downlevel OS. -- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** More detailed information about phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback). -- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors). -- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT). -- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). -- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** An ID that uniquely identifies a group of events. -- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId. - - -### Setup360Telemetry.Finalize - -This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe -- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** More detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** ID that uniquely identifies a group of events. -- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. - - -### Setup360Telemetry.OsUninstall - -This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall. - -The following fields are available: - -- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** ID that uniquely identifies a group of events. -- **WuId** Windows Update client ID. - - -### Setup360Telemetry.PostRebootInstall - -This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help keep Windows up-to-date. - -The following fields are available: - -- **ClientId** With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback -- **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled -- **TestId** A string to uniquely identify a group of events. -- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId. - - -### Setup360Telemetry.PreDownloadQuiet - -This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help keep Windows up to date. - -The following fields are available: - -- **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. -- **TestId** ID that uniquely identifies a group of events. -- **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId. - - -### Setup360Telemetry.PreDownloadUX - -This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS, to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion of the update process. - -The following fields are available: - -- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **HostOSBuildNumber** The build number of the previous operating system. -- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). -- **InstanceId** Unique GUID that identifies each instance of setuphost.exe. -- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). -- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** ID that uniquely identifies a group of events. -- **WuId** Windows Update client ID. - - -### Setup360Telemetry.PreInstallQuiet - -This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up-to-date. - -The following fields are available: - -- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe -- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. -- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT). -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** A string to uniquely identify a group of events. -- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. - - -### Setup360Telemetry.PreInstallUX - -This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process. - -The following fields are available: - -- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** A string to uniquely identify a group of events. -- **WuId** Windows Update client ID. - - -### Setup360Telemetry.Setup360 - -This event sends data about OS deployment scenarios, to help keep Windows up-to-date. - -The following fields are available: - -- **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FieldName** Retrieves the data point. -- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. -- **InstanceId** Retrieves a unique identifier for each instance of a setup session. -- **ReportId** Retrieves the report ID. -- **ScenarioId** Retrieves the deployment scenario. -- **Value** Retrieves the value associated with the corresponding FieldName. - - -### Setup360Telemetry.Setup360DynamicUpdate - -This event helps determine whether the device received supplemental content during an operating system upgrade, to help keep Windows up-to-date. - -The following fields are available: - -- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. -- **InstanceId** Retrieves a unique identifier for each instance of a setup session. -- **Operation** Facilitator’s last known operation (scan, download, etc.). -- **ReportId** ID for tying together events stream side. -- **ResultCode** Result returned for the entire setup operation. -- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). -- **ScenarioId** Identifies the update scenario. -- **TargetBranch** Branch of the target OS. -- **TargetBuild** Build of the target OS. - - -### Setup360Telemetry.Setup360MitigationResult - -This event sends data indicating the result of each setup mitigation. - -The following fields are available: - -- **Applicable** TRUE if the mitigation is applicable for the current update. -- **ClientId** In the Windows Update scenario, this is the client ID passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **CommandCount** The number of command operations in the mitigation entry. -- **CustomCount** The number of custom operations in the mitigation entry. -- **FileCount** The number of file operations in the mitigation entry. -- **FlightData** The unique identifier for each flight (test release). -- **Index** The mitigation index of this particular mitigation. -- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. -- **MitigationScenario** The update scenario in which the mitigation was executed. -- **Name** The friendly (descriptive) name of the mitigation. -- **OperationIndex** The mitigation operation index (in the event of a failure). -- **OperationName** The friendly (descriptive) name of the mitigation operation (in the event of failure). -- **RegistryCount** The number of registry operations in the mitigation entry. -- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. -- **Result** HResult of this operation. -- **ScenarioId** Setup360 flow type. -- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). - - -### Setup360Telemetry.Setup360MitigationSummary - -This event sends a summary of all the setup mitigations available for this update. - -The following fields are available: - -- **Applicable** The count of mitigations that were applicable to the system and scenario. -- **ClientId** The Windows Update client ID passed to Setup. -- **Failed** The count of mitigations that failed. -- **FlightData** The unique identifier for each flight (test release). -- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. -- **MitigationScenario** The update scenario in which the mitigations were attempted. -- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. -- **Result** HResult of this operation. -- **ScenarioId** Setup360 flow type. -- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). -- **Total** The total number of mitigations that were available. - - -### Setup360Telemetry.Setup360OneSettings - -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. - -The following fields are available: - -- **ClientId** The Windows Update client ID passed to Setup. -- **Count** The count of applicable OneSettings for the device. -- **FlightData** The ID for the flight (test instance version). -- **InstanceId** The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe. -- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. -- **ReportId** The Update ID passed to Setup. -- **Result** The HResult of the event error. -- **ScenarioId** The update scenario ID. -- **Values** Values sent back to the device, if applicable. - - -### Setup360Telemetry.UnexpectedEvent - -This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date. - -The following fields are available: - -- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** Unique value that identifies the flight. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe -- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. -- **TestId** A string to uniquely identify a group of events. -- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. - - -## Windows as a Service diagnostic events - -### Microsoft.Windows.WaaSMedic.SummaryEvent - -Result of the WaaSMedic operation. - -The following fields are available: - -- **callerApplication** The name of the calling application. -- **capsuleCount** The number of Sediment Pack capsules. -- **capsuleFailureCount** The number of capsule failures. -- **detectionSummary** Result of each applicable detection that was run. -- **featureAssessmentImpact** WaaS Assessment impact for feature updates. -- **hrEngineBlockReason** Indicates the reason for stopping WaaSMedic. -- **hrEngineResult** Error code from the engine operation. -- **hrLastSandboxError** The last error sent by the WaaSMedic sandbox. -- **initSummary** Summary data of the initialization method. -- **insufficientSessions** Device not eligible for diagnostics. -- **isInteractiveMode** The user started a run of WaaSMedic. -- **isManaged** Device is managed for updates. -- **isWUConnected** Device is connected to Windows Update. -- **noMoreActions** No more applicable diagnostics. -- **pluginFailureCount** The number of plugins that have failed. -- **pluginsCount** The number of plugins. -- **qualityAssessmentImpact** WaaS Assessment impact for quality updates. -- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on. -- **usingBackupFeatureAssessment** Relying on backup feature assessment. -- **usingBackupQualityAssessment** Relying on backup quality assessment. -- **usingCachedFeatureAssessment** WaaS Medic run did not get OS build age from the network on the previous run. -- **usingCachedQualityAssessment** WaaS Medic run did not get OS revision age from the network on the previous run. -- **versionString** Version of the WaaSMedic engine. -- **waasMedicRunMode** Indicates whether this was a background regular run of the medic or whether it was triggered by a user launching Windows Update Troubleshooter. - - -## Windows Error Reporting events - -### Microsoft.Windows.WERVertical.OSCrash - -This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. - -The following fields are available: - -- **BootId** Uint32 identifying the boot number for this device. -- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check. -- **BugCheckParameter1** Uint64 parameter providing additional information. -- **BugCheckParameter2** Uint64 parameter providing additional information. -- **BugCheckParameter3** Uint64 parameter providing additional information. -- **BugCheckParameter4** Uint64 parameter providing additional information. -- **DumpFileAttributes** Codes that identify the type of data contained in the dump file -- **DumpFileSize** Size of the dump file -- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise -- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). - - -## Windows Error Reporting MTT events - -### Microsoft.Windows.WER.MTT.Denominator - -This event provides a denominator to calculate MTTF (mean-time-to-failure) for crashes and other errors, to help keep Windows up to date. - -The following fields are available: - -- **DPRange** Maximum mean value range. -- **DPValue** Randomized bit value (0 or 1) that can be reconstituted over a large population to estimate the mean. -- **Value** Standard UTC emitted DP value structure See [Value](#value). - - -### Value - -This event returns data about Mean Time to Failure (MTTF) for Windows devices. It is the primary means of estimating reliability problems in Basic Diagnostic reporting with very strong privacy guarantees. Since Basic Diagnostic reporting does not include system up-time, and since that information is important to ensuring the safe and stable operation of Windows, the data provided by this event provides that data in a manner which does not threaten a user’s privacy. - -The following fields are available: - -- **Algorithm** The algorithm used to preserve privacy. -- **DPRange** The upper bound of the range being measured. -- **DPValue** The randomized response returned by the client. -- **Epsilon** The level of privacy to be applied. -- **HistType** The histogram type if the algorithm is a histogram algorithm. -- **PertProb** The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”. - - -## Windows Store events - -### Microsoft.Windows.Store.StoreActivating - -This event sends tracking data about when the Store app activation via protocol URI is in progress, to help keep Windows up to date. - - - -### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation - -This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** Number of retry attempts before it was canceled. -- **BundleId** The Item Bundle ID. -- **CategoryId** The Item Category ID. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed before this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Was this requested by a user? -- **IsMandatory** Was this a mandatory update? -- **IsRemediation** Was this a remediation install? -- **IsRestore** Is this automatically restoring a previously acquired product? -- **IsUpdate** Flag indicating if this is an update. -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The product family name of the product being installed. -- **ProductId** The identity of the package or packages being installed. -- **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled. -- **UserAttemptNumber** The total number of user attempts at installation before it was canceled. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds - -This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure. - - - -### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare - -This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure. - - - -### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation - -This event is sent when an app update or installation is canceled while in interactive mode. This can be canceled by the user or the system. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed. -- **AttemptNumber** Total number of installation attempts. -- **BundleId** The identity of the Windows Insider build that is associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Was this requested by a user? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this an automatic restore of a previously acquired product? -- **IsUpdate** Is this a product update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of all packages to be downloaded and installed. -- **PreviousHResult** The previous HResult code. -- **PreviousInstallState** Previous installation state before it was canceled. -- **ProductId** The name of the package or packages requested for installation. -- **RelatedCV** Correlation Vector of a previous performed action on this product. -- **SystemAttemptNumber** Total number of automatic attempts to install before it was canceled. -- **UserAttemptNumber** Total number of user attempts to install before it was canceled. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest - -This event is sent at the end of app installations or updates to help keep Windows up-to-date and secure. - -The following fields are available: - -- **CatalogId** The Store Product ID of the app being installed. -- **HResult** HResult code of the action being performed. -- **IsBundle** Is this a bundle? -- **PackageFamilyName** The name of the package being installed. -- **ProductId** The Store Product ID of the product being installed. -- **SkuId** Specific edition of the item being installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense - -This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set. -- **AttemptNumber** The total number of attempts to acquire this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** HResult code to show the result of the operation (success/failure). -- **IsBundle** Is this a bundle? -- **IsInteractive** Did the user initiate the installation? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this happening after a device restore? -- **IsUpdate** Is this an update? -- **PFN** Product Family Name of the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The number of attempts by the system to acquire this product. -- **UserAttemptNumber** The number of attempts by the user to acquire this product -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndDownload - -This event is sent after an app is downloaded to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. -- **AttemptNumber** Number of retry attempts before it was canceled. -- **BundleId** The identity of the Windows Insider build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **DownloadSize** The total size of the download. -- **ExtendedHResult** Any extended HResult error codes. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this initiated by the user? -- **IsMandatory** Is this a mandatory installation? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this a restore of a previously acquired product? -- **IsUpdate** Is this an update? -- **ParentBundleId** The parent bundle ID (if it's part of a bundle). -- **PFN** The Product Family Name of the app being download. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The number of attempts by the system to download. -- **UserAttemptNumber** The number of attempts by the user to download. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate - -This event is sent when an app update requires an updated Framework package and the process starts to download it. It is used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **HResult** The result code of the last action performed before this operation. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds - -This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **HResult** The result code of the last action performed before this operation. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndInstall - -This event is sent after a product has been installed to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **ExtendedHResult** The extended HResult error code. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this an interactive installation? -- **IsMandatory** Is this a mandatory installation? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this automatically restoring a previously acquired product? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** Product Family Name of the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates - -This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AsOnline** No content is currently available. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed. -- **IsApplicability** Is this request to only check if there are any applicable packages to install? -- **IsInteractive** Is this user requested? -- **IsOnline** Is the request doing an online check? - - -### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages - -This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The total number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of the package or packages requested for install. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData - -This event is sent after restoring user data (if any) that needs to be restored following a product install. It is used to keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. -- **AttemptNumber** The total number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of the package or packages requested for install. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of system attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare - -This event is sent after a scan for available app updates to help keep Windows up-to-date and secure. - -The following fields are available: - -- **HResult** The result code of the last action performed. - - -### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete - -This event is sent at the end of an app install or update to help keep Windows up-to-date and secure. - -The following fields are available: - -- **CatalogId** The name of the product catalog from which this app was chosen. -- **FailedRetry** Indicates whether the installation or update retry was successful. -- **HResult** The HResult code of the operation. -- **PFN** The Package Family Name of the app that is being installed or updated. -- **ProductId** The product ID of the app that is being updated or installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate - -This event is sent at the beginning of an app install or update to help keep Windows up-to-date and secure. - -The following fields are available: - -- **CatalogId** The name of the product catalog from which this app was chosen. -- **FulfillmentPluginId** The ID of the plugin needed to install the package type of the product. -- **PFN** The Package Family Name of the app that is being installed or updated. -- **PluginTelemetryData** Diagnostic information specific to the package-type plug-in. -- **ProductId** The product ID of the app that is being updated or installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest - -This event is sent when a product install or update is initiated, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **BundleId** The identity of the build associated with this product. -- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SkuId** Specific edition ID being installed. -- **VolumePath** The disk path of the installation. - - -### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation - -This event is sent when a product install or update is paused (either by a user or the system), to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The total number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The Product Full Name. -- **PreviousHResult** The result code of the last action performed before this operation. -- **PreviousInstallState** Previous state before the installation or update was paused. -- **ProductId** The Store Product ID for the product being installed. -- **RelatedCV** Correlation Vector of a previous performed action on this product. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation - -This event is sent when a product install or update is resumed (either by a user or the system), to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed before this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **IsUserRetry** Did the user initiate the retry? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of the package or packages requested for install. -- **PreviousHResult** The previous HResult error code. -- **PreviousInstallState** Previous state before the installation was paused. -- **ProductId** The Store Product ID for the product being installed. -- **RelatedCV** Correlation Vector for the original install before it was resumed. -- **ResumeClientId** The ID of the app that initiated the resume operation. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest - -This event is sent when a product install or update is resumed by a user or on installation retries, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **ProductId** The Store Product ID for the product being installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest - -This event is sent when searching for update packages to install, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **CatalogId** The Store Catalog ID for the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SkuId** Specfic edition of the app being updated. - - -### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest - -This event occurs when an update is requested for an app, to help keep Windows up-to-date and secure. - -The following fields are available: - -- **PFamN** The name of the app that is requested for update. - - -## Windows System Kit events - -### Microsoft.Windows.Kits.WSK.WskImageCreate - -This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures. - -The following fields are available: - -- **Phase** The image creation phase. Values are “Start” or “End”. -- **WskVersion** The version of the Windows System Kit being used. - - -### Microsoft.Windows.Kits.WSK.WskImageCustomization - -This event sends simple Product and Service usage data when a user is using the Windows System Kit to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures. - -The following fields are available: - -- **CustomizationMode** Indicates the mode of the customization (new or updating). -- **CustomizationType** Indicates the type of customization (drivers or apps). -- **Mode** The mode of update to image configuration files. Values are “New” or “Update”. -- **Phase** The image creation phase. Values are “Start” or “End”. -- **Type** The type of update to image configuration files. Values are “Apps” or “Drivers”. -- **WskVersion** The version of the Windows System Kit being used. - - -### Microsoft.Windows.Kits.WSK.WskWorkspaceCreate - -This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new workspace for generating OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate workspace creation failures. - -The following fields are available: - -- **Architecture** The OS architecture that the workspace will target. Values are one of: “AMD64”, “ARM64”, “x86”, or “ARM”. -- **OsEdition** The Operating System Edition that the workspace will target. -- **Phase** The image creation phase. Values are “Start” or “End”. -- **WorkspaceArchitecture** The operating system architecture that the workspace will target. -- **WorkspaceOsEdition** The operating system edition that the workspace will target. -- **WskVersion** The version of the Windows System Kit being used. - - -## Windows Update Delivery Optimization events - -### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled - -This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **background** Is the download being done in the background? -- **bytesFromCacheServer** Bytes received from a cache host. -- **bytesFromCDN** The number of bytes received from a CDN source. -- **bytesFromGroupPeers** The number of bytes received from a peer in the same group. -- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group. -- **bytesFromLinkLocalPeers** The number of bytes received from local peers. -- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. -- **bytesFromPeers** The number of bytes received from a peer in the same LAN. -- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. -- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. -- **cdnIp** The IP Address of the source CDN (Content Delivery Network). -- **cdnUrl** The URL of the source CDN (Content Delivery Network). -- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. -- **errorCode** The error code that was returned. -- **experimentId** When running a test, this is used to correlate events that are part of the same test. -- **fileID** The ID of the file being downloaded. -- **gCurMemoryStreamBytes** Current usage for memory streaming. -- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. -- **isVpn** Indicates whether the device is connected to a VPN (Virtual Private Network). -- **jobID** Identifier for the Windows Update job. -- **predefinedCallerName** The name of the API Caller. -- **reasonCode** Reason the action or event occurred. -- **routeToCacheServer** The cache server setting, source, and value. -- **sessionID** The ID of the file download session. -- **updateID** The ID of the update being downloaded. -- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. - - -### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted - -This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **background** Is the download a background download? -- **bytesFromCacheServer** Bytes received from a cache host. -- **bytesFromCDN** The number of bytes received from a CDN source. -- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. -- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. -- **bytesFromLinkLocalPeers** The number of bytes received from local peers. -- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. -- **bytesFromPeers** The number of bytes received from a peer in the same LAN. -- **bytesRequested** The total number of bytes requested for download. -- **cacheServerBonnectionCount** No content is currently available. -- **cacheServerConnectionCount** Number of connections made to cache hosts. -- **cdnConnectionCount** The total number of connections made to the CDN. -- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. -- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. -- **cdnIp** The IP address of the source CDN. -- **cdnUrl** Url of the source Content Distribution Network (CDN). -- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. -- **dnErrorCounts** No content is currently available. -- **doErrorCode** The Delivery Optimization error code that was returned. -- **downlinkBps** The maximum measured available download bandwidth (in bytes per second). -- **downlinkUsageBps** The download speed (in bytes per second). -- **downloadMode** The download mode used for this file download session. -- **downloadModeReason** Reason for the download. -- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). -- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **expiresAt** The time when the content will expire from the Delivery Optimization Cache. -- **fileID** The ID of the file being downloaded. -- **fileSize** The size of the file being downloaded. -- **gCurMemoryStreamBytes** Current usage for memory streaming. -- **gdnConnectionCount** No content is currently available. -- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. -- **groupConnectionCo** No content is currently available. -- **groupConnectionCount** The total number of connections made to peers in the same group. -- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group. -- **isEncrypted** TRUE if the file is encrypted and will be decrypted after download. -- **isVpn** Is the device connected to a Virtual Private Network? -- **jobID** Identifier for the Windows Update job. -- **lanConnectionCount** The total number of connections made to peers in the same LAN. -- **linkLocalConnectionCount** The number of connections made to peers in the same Link-local network. -- **numPeers** The total number of peers used for this download. -- **numPeersLocal** The total number of local peers used for this download. -- **predefinedCallerName** The name of the API Caller. -- **restrictedU`load** No content is currently available. -- **restrictedUpload** Is the upload restricted? -- **routeToCacheServer** The cache server setting, source, and value. -- **sessionID** The ID of the download session. -- **totalTimeMs** Duration of the download (in seconds). -- **updateID** The ID of the update being downloaded. -- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). -- **uplinkUsageBps** The upload speed (in bytes per second). -- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. - - -### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused - -This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **background** Is the download a background download? -- **cdnUrl** The URL of the source CDN (Content Delivery Network). -- **errorCode** The error code that was returned. -- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **fileID** The ID of the file being paused. -- **isVpn** Is the device connected to a Virtual Private Network? -- **jobID** Identifier for the Windows Update job. -- **predefinedCallerName** The name of the API Caller object. -- **reasonCode** The reason for pausing the download. -- **routeToCacheServer** The cache server setting, source, and value. -- **sessionID** The ID of the download session. -- **updateID** The ID of the update being paused. - - -### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted - -This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **ActiveNetworkConnection** No content is currently available. -- **background** Indicates whether the download is happening in the background. -- **bytesRequested** Number of bytes requested for the download. -- **cdnUrl** The URL of the source Content Distribution Network (CDN). -- **costFlags** A set of flags representing network cost. -- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). -- **diceRoll** Random number used for determining if a client will use peering. -- **doClientVersion** The version of the Delivery Optimization client. -- **doErrorCode** The Delivery Optimization error code that was returned. -- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). -- **downloadModeReason** Reason for the download. -- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). -- **errorCode** The error code that was returned. -- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing. -- **fileID** The ID of the file being downloaded. -- **filePath** The path to where the downloaded file will be written. -- **fileSize** Total file size of the file that was downloaded. -- **fileSizeCaller** Value for total file size provided by our caller. -- **groupID** ID for the group. -- **IsBootCritical** No content is currently available. -- **isEncrypted** Indicates whether the download is encrypted. -- **isVpn** Indicates whether the device is connected to a Virtual Private Network. -- **jobID** The ID of the Windows Update job. -- **peerID** The ID for this delivery optimization client. -- **predefinedCallerName** Name of the API caller. -- **routeToCacheServer** Cache server setting, source, and value. -- **SdbEntries** No content is currently available. -- **sessionID** The ID for the file download session. -- **setConfigs** A JSON representation of the configurations that have been set, and their sources. -- **updateID** The ID of the update being downloaded. -- **usedMemoryStream** Indicates whether the download used memory streaming. -- **WuDriverCoverage** No content is currently available. -- **WuDriverUpdateId** No content is currently available. -- **WuPopulatedFromId** No content is currently available. - - -### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication - -This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **cdnHeaders** The HTTP headers returned by the CDN. -- **cdnIp** The IP address of the CDN. -- **cdnUrl** The URL of the CDN. -- **errorCode** The error code that was returned. -- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered. -- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **fileID** The ID of the file being downloaded. -- **httpStatusCode** The HTTP status code returned by the CDN. -- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET -- **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.). -- **requestOffset** The byte offset within the file in the sent request. -- **requestSize** The size of the range requested from the CDN. -- **responseSize** The size of the range response received from the CDN. -- **sessionID** The ID of the download session. - - -### Microsoft.OSG.DU.DeliveryOptClient.JobError - -This event represents a Windows Update job error. It allows for investigation of top errors. - -The following fields are available: - -- **cdnIp** The IP Address of the source CDN (Content Delivery Network). -- **doErrorCode** Error code returned for delivery optimization. -- **errorCode** The error code returned. -- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **fileID** The ID of the file being downloaded. -- **jobID** The Windows Update job ID. - - -## Windows Update events - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary - -This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **activated** Whether the entire device manifest update is considered activated and in use. -- **analysisErrorCount** The number of driver packages that could not be analyzed because errors occurred during analysis. -- **flightId** Unique ID for each flight. -- **missingDriverCount** The number of driver packages delivered by the device manifest that are missing from the system. -- **missingUpdateCount** The number of updates in the device manifest that are missing from the system. -- **objectId** Unique value for each diagnostics session. -- **publishedCount** The number of drivers packages delivered by the device manifest that are published and available to be used on devices. -- **relatedCV** Correlation vector value generated from the latest USO scan. -- **scenarioId** Indicates the update scenario. -- **sessionId** Unique value for each update session. -- **summary** A summary string that contains basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match. -- **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string. -- **truncatedDeviceCount** The number of devices missing from the summary string because there is not enough room in the string. -- **truncatedDriverCount** The number of driver packages missing from the summary string because there is not enough room in the string. -- **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices. -- **updateId** The unique ID for each update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit - -This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **errorCode** The error code returned for the current session initialization. -- **flightId** The unique identifier for each flight. -- **objectId** The unique GUID for each diagnostics session. -- **relatedCV** A correlation vector value generated from the latest USO scan. -- **result** Outcome of the initialization of the session. -- **scenarioId** Identifies the Update scenario. -- **sessionId** The unique value for each update session. -- **updateId** The unique identifier for each Update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest - -This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted. -- **errorCode** The error code returned for the current session initialization. -- **flightId** The unique identifier for each flight. -- **objectId** Unique value for each Update Agent mode. -- **packageCountOptional** Number of optional packages requested. -- **packageCountRequired** Number of required packages requested. -- **packageCountTotal** Total number of packages needed. -- **packageCountTotalCanonical** Total number of canonical packages. -- **packageCountTotalDiff** Total number of diff packages. -- **packageCountTotalExpress** Total number of express packages. -- **packageSizeCanonical** Size of canonical packages in bytes. -- **packageSizeDiff** Size of diff packages in bytes. -- **packageSizeExpress** Size of express packages in bytes. -- **rangeRequestState** Represents the state of the download range request. -- **relatedCV** Correlation vector value generated from the latest USO scan. -- **result** Result of the download request phase of update. -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. -- **sessionId** Unique value for each Update Agent mode attempt. -- **updateId** Unique ID for each update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize - -This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **errorCode** The error code returned for the current session initialization. -- **flightId** The unique identifier for each flight. -- **flightMetadata** Contains the FlightId and the build being flighted. -- **objectId** Unique value for each Update Agent mode. -- **relatedCV** Correlation vector value generated from the latest USO scan. -- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled. -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. -- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios). -- **sessionId** Unique value for each Update Agent mode attempt. -- **updateId** Unique ID for each update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall - -This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **errorCode** The error code returned for the current install phase. -- **flightId** The unique identifier for each flight (pre-release builds). -- **objectId** The unique identifier for each diagnostics session. -- **relatedCV** Correlation vector value generated from the latest scan. -- **result** Outcome of the install phase of the update. -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate -- **sessionId** The unique identifier for each update session. -- **updateId** The unique identifier for each Update. - - -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart - -This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. - -The following fields are available: - -- **flightId** The unique identifier for each flight (pre-release builds). -- **mode** Indicates the active Update Agent mode. -- **objectId** Unique value for each diagnostics session. -- **relatedCV** Correlation vector value generated from the latest scan. -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. -- **sessionId** The unique identifier for each update session. -- **updateId** The unique identifier for each Update. - - -### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed - -This event indicates that a notification dialog box is about to be displayed to user. - -The following fields are available: - -- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. -- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before the RebootFailed dialog box is shown. -- **DaysSinceRebootRequired** Number of days since restart was required. -- **DeviceLocalTime** The local time on the device sending the event. -- **EngagedModeLimit** The number of days to switch between DTE dialog boxes. -- **EnterAutoModeLimit** The maximum number of days for a device to enter Auto Reboot mode. -- **ETag** OneSettings versioning value. -- **IsForcedEnabled** Indicates whether Forced Reboot mode is enabled for this device. -- **IsUltimateForcedEnabled** Indicates whether Ultimate Forced Reboot mode is enabled for this device. -- **NotificationUxState** Indicates which dialog box is shown. -- **NotificationUxStateString** Indicates which dialog box is shown. -- **RebootUxState** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). -- **RebootUxStateString** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). -- **RebootVersion** Version of DTE. -- **SkipToAutoModeLimit** The minimum length of time to pass in restart pending before a device can be put into auto mode. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UtcTime** The time the dialog box notification will be displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootAcceptAutoDialog - -This event indicates that the Enhanced Engaged restart "accept automatically" dialog box was displayed. - -The following fields are available: - -- **DeviceLocalTime** The local time on the device sending the event. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the dialog box. -- **RebootVersion** Version of DTE. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that user chose on this dialog box. -- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootFirstReminderDialog - -This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed.. - -The following fields are available: - -- **DeviceLocalTime** The local time on the device sending the event. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the dialog box. -- **RebootVersion** Version of DTE. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that user chose in this dialog box. -- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog - -This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed. - -The following fields are available: - -- **DeviceLocalTime** The local time of the device sending the event. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the dialog box. -- **RebootVersion** Version of DTE. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that the user chose in this dialog box. -- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog - -This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed. - -The following fields are available: - -- **DeviceLocalTime** Time the dialog box was shown on the local device. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the dialog box. -- **RebootVersion** Version of DTE. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that user chose in this dialog box. -- **UtcTime** The time that dialog box was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderDialog - -This event returns information relating to the Enhanced Engaged reboot reminder dialog that was displayed. - -The following fields are available: - -- **DeviceLocalTime** The time at which the reboot reminder dialog was shown (based on the local device time settings). -- **ETag** The OneSettings versioning value. -- **ExitCode** Indicates how users exited the reboot reminder dialog box. -- **RebootVersion** The version of the DTE (Direct-to-Engaged). -- **UpdateId** The ID of the update that is waiting for reboot to finish installation. -- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. -- **UserResponseString** The option chosen by the user on the reboot dialog box. -- **UtcTime** The time at which the reboot reminder dialog was shown (in UTC). - - -### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderToast - -This event indicates that the Enhanced Engaged restart reminder pop-up banner was displayed. - -The following fields are available: - -- **DeviceLocalTime** The local time on the device sending the event. -- **ETag** OneSettings versioning value. -- **ExitCode** Indicates how users exited the pop-up banner. -- **RebootVersion** The version of the reboot logic. -- **UpdateId** The ID of the update that is pending restart to finish installation. -- **UpdateRevision** The revision of the update that is pending restart to finish installation. -- **UserResponseString** The option that the user chose in the pop-up banner. -- **UtcTime** The time that the pop-up banner was displayed, in Coordinated Universal Time. - - -### Microsoft.Windows.Update.NotificationUx.RebootScheduled - -Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update. - -The following fields are available: - -- **activeHoursApplicable** Indicates whether an Active Hours policy is present on the device. -- **IsEnhancedEngagedReboot** Indicates whether this is an Enhanced Engaged reboot. -- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. -- **rebootOutsideOfActiveHours** Indicates whether a restart is scheduled outside of active hours. -- **rebootScheduledByUser** Indicates whether the restart was scheduled by user (if not, it was scheduled automatically). -- **rebootState** The current state of the restart. -- **rebootUsingSmartScheduler** Indicates whether the reboot is scheduled by smart scheduler. -- **revisionNumber** Revision number of the update that is getting installed with this restart. -- **scheduledRebootTime** Time of the scheduled restart. -- **scheduledRebootTimeInUTC** Time of the scheduled restart in Coordinated Universal Time. -- **updateId** ID of the update that is getting installed with this restart. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy - -This event indicates a policy is present that may restrict update activity to outside of active hours. - -The following fields are available: - -- **activeHoursEnd** The end of the active hours window. -- **activeHoursStart** The start of the active hours window. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours - -This event indicates that update activity was blocked because it is within the active hours window. - -The following fields are available: - -- **activeHoursEnd** The end of the active hours window. -- **activeHoursStart** The start of the active hours window. -- **updatePhase** The current state of the update process. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.BlockedByBatteryLevel - -This event indicates that Windows Update activity was blocked due to low battery level. - -The following fields are available: - -- **batteryLevel** The current battery charge capacity. -- **batteryLevelThreshold** The battery capacity threshold to stop update activity. -- **updatePhase** The current state of the update process. -- **wuDeviceid** Device ID. - - -### Microsoft.Windows.Update.Orchestrator.DeferRestart - -This event indicates that a restart required for installing updates was postponed. - -The following fields are available: - -- **displayNeededReason** List of reasons for needing display. -- **eventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). -- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery). -- **gameModeReason** Name of the executable that caused the game mode state check to start. -- **ignoredReason** List of reasons that were intentionally ignored. -- **IgnoreReasonsForRestart** List of reasons why restart was deferred. -- **revisionNumber** Update ID revision number. -- **systemNeededReason** List of reasons why system is needed. -- **updateId** Update ID. -- **updateScenarioType** Update session type. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.Detection - -This event indicates that a scan for a Windows Update occurred. - -The following fields are available: - -- **deferReason** The reason why the device could not check for updates. -- **detectionBlockingPolicy** The Policy that blocked detection. -- **detectionBlockreason** The reason detection did not complete. -- **detectionRetryMode** Indicates whether we will try to scan again. -- **errorCode** The error code returned for the current process. -- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. -- **flightID** The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable. -- **interactive** Indicates whether the user initiated the session. -- **networkStatus** Indicates if the device is connected to the internet. -- **revisionNumber** The Update revision number. -- **scanTriggerSource** The source of the triggered scan. -- **updateId** The unique identifier of the Update. -- **updateScenarioType** Identifies the type of update session being performed. -- **wuDeviceid** The unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.DisplayNeeded - -This event indicates the reboot was postponed due to needing a display. - -The following fields are available: - -- **displayNeededReason** Reason the display is needed. -- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. -- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. -- **revisionNumber** Revision number of the update. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. -- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue - - -### Microsoft.Windows.Update.Orchestrator.Download - -This event sends launch data for a Windows Update download to help keep Windows up to date. - -The following fields are available: - -- **deferReason** Reason for download not completing. -- **errorCode** An error code represented as a hexadecimal value. -- **eventScenario** End-to-end update session ID. -- **flightID** The specific ID of the Windows Insider build the device is getting. -- **interactive** Indicates whether the session is user initiated. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.DTUCompletedWhenWuFlightPendingCommit - -This event indicates that DTU completed installation of the electronic software delivery (ESD), when Windows Update was already in Pending Commit phase of the feature update. - -The following fields are available: - -- **wuDeviceid** Device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.DTUEnabled - -This event indicates that Inbox DTU functionality was enabled. - -The following fields are available: - -- **wuDeviceid** Device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.DTUInitiated - -This event indicates that Inbox DTU functionality was intiated. - -The following fields are available: - -- **dtuErrorCode** Return code from creating the DTU Com Server. -- **isDtuApplicable** Determination of whether DTU is applicable to the machine it is running on. -- **wuDeviceid** Device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.EscalationRiskLevels - -This event is sent during update scan, download, or install, and indicates that the device is at risk of being out-of-date. - -The following fields are available: - -- **configVersion** The escalation configuration version on the device. -- **downloadElapsedTime** Indicates how long since the download is required on device. -- **downloadRiskLevel** At-risk level of download phase. -- **installElapsedTime** Indicates how long since the install is required on device. -- **installRiskLevel** The at-risk level of install phase. -- **isSediment** Assessment of whether is device is at risk. -- **scanElapsedTime** Indicates how long since the scan is required on device. -- **scanRiskLevel** At-risk level of the scan phase. -- **wuDeviceid** Device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.FailedToAddTimeTriggerToScanTask - -This event indicated that USO failed to add a trigger time to a task. - -The following fields are available: - -- **errorCode** The Windows Update error code. -- **wuDeviceid** The Windows Update device ID. - - -### Microsoft.Windows.Update.Orchestrator.FlightInapplicable - -This event indicates that the update is no longer applicable to this device. - -The following fields are available: - -- **EventPublishedTime** Time when this event was generated. -- **flightID** The specific ID of the Windows Insider build. -- **inapplicableReason** The reason why the update is inapplicable. -- **revisionNumber** Update revision number. -- **updateId** Unique Windows Update ID. -- **updateScenarioType** Update session type. -- **UpdateStatus** Last status of update. -- **UUPFallBackConfigured** Indicates whether UUP fallback is configured. -- **wuDeviceid** Unique Device ID. - - -### Microsoft.Windows.Update.Orchestrator.InitiatingReboot - -This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date. - -The following fields are available: - -- **EventPublishedTime** Time of the event. -- **flightID** Unique update ID -- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. -- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. -- **revisionNumber** Revision number of the update. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.Install - -This event sends launch data for a Windows Update install to help keep Windows up to date. - -The following fields are available: - -- **batteryLevel** Current battery capacity in mWh or percentage left. -- **deferReason** Reason for install not completing. -- **errorCode** The error code reppresented by a hexadecimal value. -- **eventScenario** End-to-end update session ID. -- **flightID** The ID of the Windows Insider build the device is getting. -- **flightUpdate** Indicates whether the update is a Windows Insider build. -- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates. -- **IgnoreReasonsForRestart** The reason(s) a Postpone Restart command was ignored. -- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress. -- **installRebootinitiatetime** The time it took for a reboot to be attempted. -- **interactive** Identifies if session is user initiated. -- **minutesToCommit** The time it took to install updates. -- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.LowUptimes - -This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure. - -The following fields are available: - -- **availableHistoryMinutes** The number of minutes available from the local machine activity history. -- **isLowUptimeMachine** Is the machine considered low uptime or not. -- **lowUptimeMinHours** Current setting for the minimum number of hours needed to not be considered low uptime. -- **lowUptimeQueryDays** Current setting for the number of recent days to check for uptime. -- **uptimeMinutes** Number of minutes of uptime measured. -- **wuDeviceid** Unique device ID for Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection - -This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date. - -The following fields are available: - -- **externalOneshotupdate** The last time a task-triggered scan was completed. -- **interactiveOneshotupdate** The last time an interactive scan was completed. -- **oldlastscanOneshotupdate** The last time a scan completed successfully. -- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID). - - -### Microsoft.Windows.Update.Orchestrator.PreShutdownStart - -This event is generated before the shutdown and commit operations. - -The following fields are available: - -- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - - -### Microsoft.Windows.Update.Orchestrator.RebootFailed - -This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date. - -The following fields are available: - -- **batteryLevel** Current battery capacity in mWh or percentage left. -- **deferReason** Reason for install not completing. -- **EventPublishedTime** The time that the reboot failure occurred. -- **flightID** Unique update ID. -- **rebootOutsideOfActiveHours** Indicates whether a reboot was scheduled outside of active hours. -- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.RefreshSettings - -This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date. - -The following fields are available: - -- **errorCode** Hex code for the error message, to allow lookup of the specific error. -- **settingsDownloadTime** Timestamp of the last attempt to acquire settings. -- **settingsETag** Version identifier for the settings. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask - -This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date. - -The following fields are available: - -- **RebootTaskMissedTimeUTC** The time when the reboot task was scheduled to run, but did not. -- **RebootTaskNextTimeUTC** The time when the reboot task was rescheduled for. -- **RebootTaskRestoredTime** Time at which this reboot task was restored. -- **wuDeviceid** Device ID for the device on which the reboot is restored. - - -### Microsoft.Windows.Update.Orchestrator.ScanTriggered - -This event indicates that Update Orchestrator has started a scan operation. - -The following fields are available: - -- **errorCode** The error code returned for the current scan operation. -- **eventScenario** Indicates the purpose of sending this event. -- **interactive** Indicates whether the scan is interactive. -- **isDTUEnabled** Indicates whether DTU (internal abbreviation for Direct Feature Update) channel is enabled on the client system. -- **isScanPastSla** Indicates whether the SLA has elapsed for scanning. -- **isScanPastTriggerSla** Indicates whether the SLA has elapsed for triggering a scan. -- **minutesOverScanSla** Indicates how many minutes the scan exceeded the scan SLA. -- **minutesOverScanTriggerSla** Indicates how many minutes the scan exceeded the scan trigger SLA. -- **scanTriggerSource** Indicates what caused the scan. -- **updateScenarioType** The update session type. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.StickUpdate - -This event is sent when the update service orchestrator (USO) indicates the update cannot be superseded by a newer update. - -The following fields are available: - -- **updateId** Identifier associated with the specific piece of content. -- **wuDeviceid** Unique device ID controlled by the software distribution client. - - -### Microsoft.Windows.Update.Orchestrator.SystemNeeded - -This event sends data about why a device is unable to reboot, to help keep Windows up to date. - -The following fields are available: - -- **eventScenario** End-to-end update session ID. -- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. -- **revisionNumber** Update revision number. -- **systemNeededReason** List of apps or tasks that are preventing the system from restarting. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.TerminatedByActiveHours - -This event indicates that update activity was stopped due to active hours starting. - -The following fields are available: - -- **activeHoursEnd** The end of the active hours window. -- **activeHoursStart** The start of the active hours window. -- **updatePhase** The current state of the update process. -- **wuDeviceid** The device identifier. - - -### Microsoft.Windows.Update.Orchestrator.TerminatedByBatteryLevel - -This event is sent when update activity was stopped due to a low battery level. - -The following fields are available: - -- **batteryLevel** The current battery charge capacity. -- **batteryLevelThreshold** The battery capacity threshold to stop update activity. -- **updatePhase** The current state of the update process. -- **wuDeviceid** The device identifier. - - -### Microsoft.Windows.Update.Orchestrator.UnstickUpdate - -This event is sent when the update service orchestrator (USO) indicates that the update can be superseded by a newer update. - -The following fields are available: - -- **updateId** Identifier associated with the specific piece of content. -- **wuDeviceid** Unique device ID controlled by the software distribution client. - - -### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh - -This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date. - -The following fields are available: - -- **configuredPoliciescount** Number of policies on the device. -- **configuredPoliciescsunt** No content is currently available. -- **policiesNamevaluesource** Policy name and source of policy (group policy, MDM or flight). -- **policyCacherefreshtime** Time when policy cache was refreshed. -- **updateInstalluxsetting** Indicates whether a user has set policies via a user experience option. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired - -This event sends data about whether an update required a reboot to help keep Windows up to date. - -The following fields are available: - -- **flightID** The specific ID of the Windows Insider build the device is getting. -- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed - -This event sends information about an update that encountered problems and was not able to complete. - -The following fields are available: - -- **errorCode** The error code encountered. -- **wuDeviceid** The ID of the device in which the error occurred. - - -### Microsoft.Windows.Update.Orchestrator.UsoSession - -This event represents the state of the USO service at start and completion. - -The following fields are available: - -- **activeSessionid** A unique session GUID. -- **eventScenario** The state of the update action. -- **interactive** Is the USO session interactive? -- **lastErrorcode** The last error that was encountered. -- **lastErrorstate** The state of the update when the last error was encountered. -- **sessionType** A GUID that refers to the update session type. -- **updateScenarioType** A descriptive update session type. -- **wuDeviceid** The Windows Update device GUID. - - -### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState - -This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. - -The following fields are available: - -- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. -- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown. -- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed. -- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs. -- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode. -- **ETag** The Entity Tag that represents the OneSettings version. -- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device. -- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device. -- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending. -- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced. -- **RebootVersion** The version of the DTE (Direct-to-Engaged). -- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode. -- **UpdateId** The ID of the update that is waiting for reboot to finish installation. -- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. - - -### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded - -This event is sent when a security update has successfully completed. - -The following fields are available: - -- **UtcTime** The Coordinated Universal Time that the restart was no longer needed. - - -### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled - -This event sends basic information about scheduling an update-related reboot, to get security updates and to help keep Windows up-to-date. - -The following fields are available: - -- **activeHoursApplicable** Indicates whether Active Hours applies on this device. -- **IsEnhancedEngagedReboot** Indicates whether Enhanced reboot was enabled. -- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. -- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise. -- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically. -- **rebootState** Current state of the reboot. -- **rebootUsingSmartScheduler** Indicates that the reboot is scheduled by SmartScheduler. -- **revisionNumber** Revision number of the OS. -- **scheduledRebootTime** Time scheduled for the reboot. -- **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC. -- **updateId** Identifies which update is being scheduled. -- **wuDeviceid** The unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerScheduledTask - -This event is sent when MUSE broker schedules a task. - -The following fields are available: - -- **TaskArgument** The arguments with which the task is scheduled. -- **TaskName** Name of the task. - - -### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled - -This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date. - -The following fields are available: - -- **activeHoursApplicable** Is the restart respecting Active Hours? -- **IsEnhancedEngagedReboot** TRUE if the reboot path is Enhanced Engaged. Otherwise, FALSE. -- **rebootArgument** The arguments that are passed to the OS for the restarted. -- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours? -- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device. -- **rebootState** The state of the restart. -- **rebootUsingSmartScheduler** TRUE if the reboot should be performed by the Smart Scheduler. Otherwise, FALSE. -- **revisionNumber** The revision number of the OS being updated. -- **scheduledRebootTime** Time of the scheduled reboot -- **scheduledRebootTimeInUTC** Time of the scheduled restart, in Coordinated Universal Time. -- **updateId** The Windows Update device GUID. -- **wuDeviceid** The Windows Update device GUID. - - -## Windows Update mitigation events - -### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages - -This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates. - -The following fields are available: - -- **ClientId** The client ID used by Windows Update. -- **FlightId** The ID of each Windows Insider build the device received. -- **InstanceId** A unique device ID that identifies each update instance. -- **MitigationScenario** The update scenario in which the mitigation was executed. -- **MountedImageCount** The number of mounted images. -- **MountedImageMatches** The number of mounted image matches. -- **MountedImagesFailed** The number of mounted images that could not be removed. -- **MountedImagesRemoved** The number of mounted images that were successfully removed. -- **MountedImagesSkipped** The number of mounted images that were not found. -- **RelatedCV** The correlation vector value generated from the latest USO scan. -- **Result** HResult of this operation. -- **ScenarioId** ID indicating the mitigation scenario. -- **ScenarioSupported** Indicates whether the scenario was supported. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each Windows Update. -- **WuId** Unique ID for the Windows Update client. - - -### Mitigation360Telemetry.MitigationCustom.FixAppXReparsePoints - -This event sends data specific to the FixAppXReparsePoints mitigation used for OS updates. - -The following fields are available: - -- **ClientId** Unique identifier for each flight. -- **FlightId** Unique GUID that identifies each instances of setuphost.exe. -- **InstanceId** The update scenario in which the mitigation was executed. -- **MitigationScenario** Correlation vector value generated from the latest USO scan. -- **RelatedCV** Number of reparse points that are corrupted but we failed to fix them. -- **ReparsePointsFailed** Number of reparse points that were corrupted and were fixed by this mitigation. -- **ReparsePointsFixed** Number of reparse points that are not corrupted and no action is required. -- **ReparsePointsSkipped** HResult of this operation. -- **Result** ID indicating the mitigation scenario. -- **ScenarioId** Indicates whether the scenario was supported. -- **ScenarioSupported** Unique value for each update attempt. -- **SessionId** Unique ID for each Update. -- **UpdateId** Unique ID for the Windows Update client. -- **WuId** Unique ID for the Windows Update client. - - -### Mitigation360Telemetry.MitigationCustom.FixupEditionId - -This event sends data specific to the FixupEditionId mitigation used for OS updates. - -The following fields are available: - -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **EditionIdUpdated** Determine whether EditionId was changed. -- **FlightId** Unique identifier for each flight. -- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. -- **MitigationScenario** The update scenario in which the mitigation was executed. -- **ProductEditionId** Expected EditionId value based on GetProductInfo. -- **ProductType** Value returned by GetProductInfo. -- **RegistryEditionId** EditionId value in the registry. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** HResult of this operation. -- **ScenarioId** ID indicating the mitigation scenario. -- **ScenarioSupported** Indicates whether the scenario was supported. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. -- **WuId** Unique ID for the Windows Update client. - - -## Windows Update Reserve Manager events - -### Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment - -This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending. - -The following fields are available: - -- **FinalAdjustment** Final adjustment for the hard reserve following the addition or removal of optional content. -- **InitialAdjustment** Initial intended adjustment for the hard reserve following the addition/removal of optional content. - - -### Microsoft.Windows.UpdateReserveManager.FunctionReturnedError - -This event is sent when the Update Reserve Manager returns an error from one of its internal functions. - -The following fields are available: - -- **FailedExpression** The failed expression that was returned. -- **FailedFile** The binary file that contained the failed function. -- **FailedFunction** The name of the function that originated the failure. -- **FailedLine** The line number of the failure. -- **ReturnCode** The return code of the function. - - -### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager - -This event returns data about the Update Reserve Manager, including whether it’s been initialized. - -The following fields are available: - -- **ClientId** The ID of the caller application. -- **Flags** The enumerated flags used to initialize the manager. -- **FlightId** The flight ID of the content the calling client is currently operating with. -- **Offline** Indicates whether or the reserve manager is called during offline operations. -- **PolicyPassed** Indicates whether the machine is able to use reserves. -- **ReturnCode** Return code of the operation. -- **Version** The version of the Update Reserve Manager. - - -### Microsoft.Windows.UpdateReserveManager.PrepareTIForReserveInitialization - -This event is sent when the Update Reserve Manager prepares the Trusted Installer to initialize reserves on the next boot. - -The following fields are available: - -- **Flags** The flags that are passed to the function to prepare the Trusted Installer for reserve initialization. - - -### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment - -This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment. - - - -### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment - -This event is sent when the Update Reserve Manager needs to adjust the size of the hard reserve after the option content is installed. - -The following fields are available: - -- **ChangeSize** The change in the hard reserve size based on the addition or removal of optional content. -- **Disposition** The parameter for the hard reserve adjustment function. -- **Flags** The flags passed to the hard reserve adjustment function. -- **PendingHardReserveAdjustment** The final change to the hard reserve size. -- **UpdateType** Indicates whether the change is an increase or decrease in the size of the hard reserve. - - -## Winlogon events - -### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon - -This event signals the completion of the setup process. It happens only once during the first logon. - - - -## XBOX events - -### Microsoft.Xbox.XamTelemetry.AppActivationError - -This event indicates whether the system detected an activation error in the app. - -The following fields are available: - -- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app. -- **AppId** The Xbox LIVE Title ID. -- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate. -- **Result** The HResult error. -- **UserId** The Xbox LIVE User ID (XUID). - - -### Microsoft.Xbox.XamTelemetry.AppActivity - -This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. - -The following fields are available: - -- **AppActionId** The ID of the application action. -- **AppCurrentVisibilityState** The ID of the current application visibility state. -- **AppId** The Xbox LIVE Title ID of the app. -- **AppPackageFullName** The full name of the application package. -- **AppPreviousVisibilityState** The ID of the previous application visibility state. -- **AppSessionId** The application session ID. -- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). -- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. -- **DurationMs** The amount of time (in milliseconds) since the last application state transition. -- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. -- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). -- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. -- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. -- **UserId** The XUID (Xbox User ID) of the current user. - - - +--- +description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. +title: Windows 10, version 1809 basic diagnostic events and fields (Windows 10) +keywords: privacy, telemetry +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +ms.author: brianlic +manager: dansimp +ms.collection: M365-security-compliance +ms.topic: article +audience: ITPro +ms.date: 03/27/2019 +--- + + +# Windows 10, version 1809 basic level Windows diagnostic events and fields + + **Applies to** + +- Windows 10, version 1809 + + +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. + +The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. + +Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. + +You can learn more about Windows functional and diagnostic data through these articles: + + +- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) +- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) +- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) +- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) +- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) + + + + +## Account trace logging provider events + +### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.General + +This event provides information about application properties to indicate the successful execution. + +The following fields are available: + +- **AppMode** Indicates the mode the app is being currently run around privileges. +- **ExitCode** Indicates the exit code of the app. +- **Help** Indicates if the app needs to be launched in the help mode. +- **ParseError** Indicates if there was a parse error during the execution. +- **RightsAcquired** Indicates if the right privileges were acquired for successful execution. +- **RightsWereEnabled** Indicates if the right privileges were enabled for successful execution. +- **TestMode** Indicates whether the app is being run in test mode. + + +### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.GetCount + +This event provides information about the properties of user accounts in the Administrator group. + +The following fields are available: + +- **Internal** Indicates the internal property associated with the count group. +- **LastError** The error code (if applicable) for the cause of the failure to get the count of the user account. +- **Result** The HResult error. + + +## AppLocker events + +### Microsoft.Windows.Security.AppLockerCSP.ActivityStoppedAutomatically + +Automatically closed activity for start/stop operations that aren't explicitly closed. + + + +### Microsoft.Windows.Security.AppLockerCSP.AddParams + +Parameters passed to Add function of the AppLockerCSP Node. + +The following fields are available: + +- **child** The child URI of the node to add. +- **uri** URI of the node relative to %SYSTEM32%/AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.AddStart + +Start of "Add" Operation for the AppLockerCSP Node. + + + +### Microsoft.Windows.Security.AppLockerCSP.AddStop + +End of "Add" Operation for AppLockerCSP Node. + +The following fields are available: + +- **hr** The HRESULT returned by Add function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.CAppLockerCSP::Rollback + +Result of the 'Rollback' operation in AppLockerCSP. + +The following fields are available: + +- **oldId** Previous id for the CSP transaction. +- **txId** Current id for the CSP transaction. + + +### Microsoft.Windows.Security.AppLockerCSP.ClearParams + +Parameters passed to the "Clear" operation for AppLockerCSP. + +The following fields are available: + +- **uri** The URI relative to the %SYSTEM32%\AppLocker folder. + + +### Microsoft.Windows.Security.AppLockerCSP.ClearStart + +Start of the "Clear" operation for the AppLockerCSP Node. + + + +### Microsoft.Windows.Security.AppLockerCSP.ClearStop + +End of the "Clear" operation for the AppLockerCSP node. + +The following fields are available: + +- **hr** HRESULT reported at the end of the 'Clear' function. + + +### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStart + +Start of the "ConfigManagerNotification" operation for AppLockerCSP. + +The following fields are available: + +- **NotifyState** State sent by ConfigManager to AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStop + +End of the "ConfigManagerNotification" operation for AppLockerCSP. + +The following fields are available: + +- **hr** HRESULT returned by the ConfigManagerNotification function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceParams + +Parameters passed to the CreateNodeInstance function of the AppLockerCSP node. + +The following fields are available: + +- **NodeId** NodeId passed to CreateNodeInstance. +- **nodeOps** NodeOperations parameter passed to CreateNodeInstance. +- **uri** URI passed to CreateNodeInstance, relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStart + +Start of the "CreateNodeInstance" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStop + +End of the "CreateNodeInstance" operation for the AppLockerCSP node + +The following fields are available: + +- **hr** HRESULT returned by the CreateNodeInstance function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.DeleteChildParams + +Parameters passed to the DeleteChild function of the AppLockerCSP node. + +The following fields are available: + +- **child** The child URI of the node to delete. +- **uri** URI relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStart + +Start of the "DeleteChild" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStop + +End of the "DeleteChild" operation for the AppLockerCSP node. + +The following fields are available: + +- **hr** HRESULT returned by the DeleteChild function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.EnumPolicies + +Logged URI relative to %SYSTEM32%\AppLocker, if the Plugin GUID is null, or the CSP doesn't believe the old policy is present. + +The following fields are available: + +- **uri** URI relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesParams + +Parameters passed to the GetChildNodeNames function of the AppLockerCSP node. + +The following fields are available: + +- **uri** URI relative to %SYSTEM32%/AppLocker for MDM node. + + +### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStart + +Start of the "GetChildNodeNames" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStop + +End of the "GetChildNodeNames" operation for the AppLockerCSP node. + +The following fields are available: + +- **child[0]** If function succeeded, the first child's name, else "NA". +- **count** If function succeeded, the number of child node names returned by the function, else 0. +- **hr** HRESULT returned by the GetChildNodeNames function of AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.GetLatestId + +The result of 'GetLatestId' in AppLockerCSP (the latest time stamped GUID). + +The following fields are available: + +- **dirId** The latest directory identifier found by GetLatestId. +- **id** The id returned by GetLatestId if id > 0 - otherwise the dirId parameter. + + +### Microsoft.Windows.Security.AppLockerCSP.HResultException + +HRESULT thrown by any arbitrary function in AppLockerCSP. + +The following fields are available: + +- **file** File in the OS code base in which the exception occurs. +- **function** Function in the OS code base in which the exception occurs. +- **hr** HRESULT that is reported. +- **line** Line in the file in the OS code base in which the exception occurs. + + +### Microsoft.Windows.Security.AppLockerCSP.SetValueParams + +Parameters passed to the SetValue function of the AppLockerCSP node. + +The following fields are available: + +- **dataLength** Length of the value to set. +- **uri** The node URI to that should contain the value, relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.SetValueStart + +Start of the "SetValue" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.SetValueStop + +End of the "SetValue" operation for the AppLockerCSP node. + +The following fields are available: + +- **hr** HRESULT returned by the SetValue function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.TryRemediateMissingPolicies + +EntryPoint of fix step or policy remediation, includes URI relative to %SYSTEM32%\AppLocker that needs to be fixed. + +The following fields are available: + +- **uri** URI for node relative to %SYSTEM32%/AppLocker. + + +## Appraiser events + +### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount + +This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client. + +The following fields are available: + +- **DatasourceApplicationFile_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_19H1** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **DatasourceApplicationFile_RS2** An ID for the system, calculated by hashing hardware identifiers. +- **DatasourceApplicationFile_RS3** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS3Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS4** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_TH1** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_TH2** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. +- **DatasourceDevicePnp_RS2** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS3** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS4** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS5** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_TH1** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_TH2** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19H1** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device. +- **DatasourceDriverPackage_RS2** The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device. +- **DatasourceDriverPackage_RS3** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS5** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_TH1** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoBlock_RS2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS3** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS3Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS3** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS3Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. +- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. +- **DataSourceMatchingInfoPostUpgrade_RS3Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19H1** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device. +- **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device. +- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting Windows 10 version 1709 present on this device. +- **DatasourceSystemBios_RS3Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS4** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS5** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_TH1** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_TH2** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19H1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS3** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_TH1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_TH2** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19H1** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. +- **DecisionDevicePnp_RS2** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS3** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS5** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_TH1** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_TH2** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19H1** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device. +- **DecisionDriverPackage_RS2** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS3** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS5** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_TH1** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. +- **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. +- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1709 present on this device. +- **DecisionMatchingInfoBlock_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS4** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1803 present on this device. +- **DecisionMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. +- **DecisionMatchingInfoPassive_RS2** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 on this device. +- **DecisionMatchingInfoPassive_RS3** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1803 on this device. +- **DecisionMatchingInfoPassive_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. +- **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. +- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. +- **DecisionMatchingInfoPostUpgrade_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19H1** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19H1Setup** The total DecisionMediaCenter objects targeting the next release of Windows on this device. +- **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. +- **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device. +- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting Windows 10 version 1709 present on this device. +- **DecisionMediaCenter_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS4** The total DecisionMediaCenter objects targeting Windows 10 version 1803 present on this device. +- **DecisionMediaCenter_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_TH1** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_TH2** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_19ASetup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_19H1** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device. +- **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 on this device. +- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting Windows 10 version 1709 on this device. +- **DecisionSystemBios_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device. +- **DecisionSystemBios_RS4Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS5** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS5Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_TH1** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device. +- **DecisionSystemProcessor_RS2** The count of the number of this particular object type present on this device. +- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **InventoryApplicationFile** The count of the number of this particular object type present on this device. +- **InventoryDeviceContainer** A count of device container objects in cache. +- **InventoryDevicePnp** A count of device Plug and Play objects in cache. +- **InventoryDriverBinary** A count of driver binary objects in cache. +- **InventoryDriverPackage** A count of device objects in cache. +- **InventoryLanguagePack** The count of the number of this particular object type present on this device. +- **InventoryMediaCenter** The count of the number of this particular object type present on this device. +- **InventorySystemBios** The count of the number of this particular object type present on this device. +- **InventorySystemMachine** The count of the number of this particular object type present on this device. +- **InventorySystemProcessor** The count of the number of this particular object type present on this device. +- **InventoryTest** The count of the number of this particular object type present on this device. +- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. +- **PCFP** The count of the number of this particular object type present on this device. +- **SystemMemory** The count of the number of this particular object type present on this device. +- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. +- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. +- **SystemProcessorNx** The total number of objects of this type present on this device. +- **SystemProcessorPrefetchW** The total number of objects of this type present on this device. +- **SystemProcessorSse2** The total number of objects of this type present on this device. +- **SystemTouch** The count of the number of this particular object type present on this device. +- **SystemWim** The total number of objects of this type present on this device. +- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. +- **SystemWlan** The total number of objects of this type present on this device. +- **Wmdrm_19ASetup** The count of the number of this particular object type present on this device. +- **Wmdrm_19H1** The count of the number of this particular object type present on this device. +- **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. +- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **Wmdrm_RS2** An ID for the system, calculated by hashing hardware identifiers. +- **Wmdrm_RS3** An ID for the system, calculated by hashing hardware identifiers. +- **Wmdrm_RS3Setup** The count of the number of this particular object type present on this device. +- **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. +- **Wmdrm_RS4Setup** The count of the number of this particular object type present on this device. +- **Wmdrm_RS5** The count of the number of this particular object type present on this device. +- **Wmdrm_RS5Setup** The count of the number of this particular object type present on this device. +- **Wmdrm_TH1** The count of the number of this particular object type present on this device. +- **Wmdrm_TH2** The count of the number of this particular object type present on this device. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd + +Represents the basic metadata about specific application files installed on the system. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file that is generating the events. +- **AvDisplayName** If the app is an anti-virus app, this is its display name. +- **CompatModelIndex** The compatibility prediction for this file. +- **HasCitData** Indicates whether the file is present in CIT data. +- **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file. +- **IsAv** Is the file an anti-virus reporting EXE? +- **ResolveAttempted** This will always be an empty string when sending telemetry. +- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove + +This event indicates that the DatasourceApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync + +This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd + +This event sends compatibility data for a Plug and Play device, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **ActiveNetworkConnection** Indicates whether the device is an active network device. +- **AppraiserVersion** The version of the appraiser file generating the events. +- **CosDeviceRating** An enumeration that indicates if there is a driver on the target operating system. +- **CosDeviceSolution** An enumeration that indicates how a driver on the target operating system is available. +- **CosDeviceSolutionUrl** Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd . Empty string +- **CosPopulatedFromId** The expected uplevel driver matching ID based on driver coverage data. +- **IsBootCritical** Indicates whether the device boot is critical. +- **UplevelInboxDriver** Indicates whether there is a driver uplevel for this device. +- **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update. +- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver. +- **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove + +This event indicates that the DatasourceDevicePnp object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync + +This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd + +This event sends compatibility database data about driver packages to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove + +This event indicates that the DatasourceDriverPackage object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync + +This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd + +This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove + +This event indicates that the DataSourceMatchingInfoBlock object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync + +This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd + +This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove + +This event indicates that the DataSourceMatchingInfoPassive object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync + +This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd + +This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove + +This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync + +This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd + +This event sends compatibility database information about the BIOS to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove + +This event indicates that the DatasourceSystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync + +This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd + +This event sends compatibility decision data about a file to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file that is generating the events. +- **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. +- **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question. +- **DisplayGenericMessage** Will be a generic message be shown for this file? +- **DisplayGenericMessageGated** Indicates whether a generic message be shown for this file. +- **HardBlock** This file is blocked in the SDB. +- **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? +- **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode? +- **MigRemoval** Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade? +- **NeedsDismissAction** Will the file cause an action that can be dimissed? +- **NeedsInstallPostUpgradeData** After upgrade, the file will have a post-upgrade notification to install a replacement for the app. +- **NeedsNotifyPostUpgradeData** Does the file have a notification that should be shown after upgrade? +- **NeedsReinstallPostUpgradeData** After upgrade, this file will have a post-upgrade notification to reinstall the app. +- **NeedsUninstallAction** The file must be uninstalled to complete the upgrade. +- **SdbBlockUpgrade** The file is tagged as blocking upgrade in the SDB, +- **SdbBlockUpgradeCanReinstall** The file is tagged as blocking upgrade in the SDB. It can be reinstalled after upgrade. +- **SdbBlockUpgradeUntilUpdate** The file is tagged as blocking upgrade in the SDB. If the app is updated, the upgrade can proceed. +- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not block upgrade. +- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade. +- **SoftBlock** The file is softblocked in the SDB and has a warning. + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove + +This event indicates Indicates that the DecisionApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync + +This event indicates that a new set of DecisionApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd + +This event sends compatibility decision data about a PNP device to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked? +- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate? +- **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked? +- **BlockingDevice** Is this PNP device blocking upgrade? +- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS? +- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device? +- **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device? +- **DisplayGenericMessageGated** Indicates whether a generic message will be shown during Setup for this PNP device. +- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device? +- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? +- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device? +- **DriverBlockOverridden** Is there is a driver block on the device that has been overridden? +- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device? +- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS? +- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade? +- **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden? + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove + +This event indicates that the DecisionDevicePnp object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync + +The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd + +This event sends decision data about driver package compatibility to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for this driver package. +- **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? +- **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block? +- **DriverIsDriverBlocked** Is the driver package blocked because of a driver block? +- **DriverIsTroubleshooterBlocked** Indicates whether the driver package is blocked because of a troubleshooter block. +- **DriverShouldNotMigrate** Should the driver package be migrated during upgrade? +- **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove + +This event indicates that the DecisionDriverPackage object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync + +This event indicates that a new set of DecisionDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd + +This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks? +- **DisplayGenericMessage** Will a generic message be shown for this block? +- **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block? +- **SdbBlockUpgrade** Is a matching info block blocking upgrade? +- **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag? +- **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag? + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove + +This event indicates that the DecisionMatchingInfoBlock object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync + +This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd + +This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks? +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown due to matching info blocks. +- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove + +This event Indicates that the DecisionMatchingInfoPassive object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync + +This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd + +This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app? +- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade? +- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app? +- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade). + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove + +This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync + +This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd + +This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **BlockingApplication** Is there any application issues that interfere with upgrade due to Windows Media Center? +- **MediaCenterActivelyUsed** If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true? +- **MediaCenterIndicators** Do any indicators imply that Windows Media Center is in active use? +- **MediaCenterInUse** Is Windows Media Center actively being used? +- **MediaCenterPaidOrActivelyUsed** Is Windows Media Center actively being used or is it running on a supported edition? +- **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center? + + +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove + +This event indicates that the DecisionMediaCenter object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync + +This event indicates that a new set of DecisionMediaCenterAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd + +This event sends compatibility decision data about the BIOS to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the device blocked from upgrade due to a BIOS block? +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for the bios. +- **HasBiosBlock** Does the device have a BIOS block? + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove + +This event indicates that the DecisionSystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync + +This event indicates that a new set of DecisionSystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.GatedRegChange + +This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date. + +The following fields are available: + +- **NewData** The data in the registry value after the scan completed. +- **OldData** The previous data in the registry value before the scan ran. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **RegKey** The registry key name for which a result is being sent. +- **RegValue** The registry value for which a result is being sent. +- **Time** The client time of the event. + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd + +This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **AvDisplayName** If the app is an antivirus app, this is its display name. +- **AvProductState** Indicates whether the antivirus program is turned on and the signatures are up to date. +- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64. +- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. +- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. +- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata. +- **CompanyName** The company name of the vendor who developed this file. +- **FileId** A hash that uniquely identifies a file. +- **FileVersion** The File version field from the file metadata under Properties -> Details. +- **HasUpgradeExe** Indicates whether the antivirus app has an upgrade.exe file. +- **IsAv** Indicates whether the file an antivirus reporting EXE. +- **LinkDate** The date and time that this file was linked on. +- **LowerCaseLongPath** The full file path to the file that was inventoried on the device. +- **Name** The name of the file that was inventoried. +- **ProductName** The Product name field from the file metadata under Properties -> Details. +- **ProductVersion** The Product version field from the file metadata under Properties -> Details. +- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it. +- **Size** The size of the file (in hexadecimal bytes). + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove + +This event indicates that the InventoryApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync + +This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd + +This event sends data about the number of language packs installed on the system, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **HasLanguagePack** Indicates whether this device has 2 or more language packs. +- **LanguagePackCount** The number of language packs are installed. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove + +This event indicates that the InventoryLanguagePack object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync + +This event indicates that a new set of InventoryLanguagePackAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd + +This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **EverLaunched** Has Windows Media Center ever been launched? +- **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center? +- **HasExtendedUserAccounts** Are any Windows Media Center Extender user accounts configured? +- **HasWatchedFolders** Are any folders configured for Windows Media Center to watch? +- **IsDefaultLauncher** Is Windows Media Center the default app for opening music or video files? +- **IsPaid** Is the user running a Windows Media Center edition that implies they paid for Windows Media Center? +- **IsSupported** Does the running OS support Windows Media Center? + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove + +This event indicates that the InventoryMediaCenter object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync + +This event indicates that a new set of InventoryMediaCenterAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd + +This event sends basic metadata about the BIOS to determine whether it has a compatibility block. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **biosDate** The release date of the BIOS in UTC format. +- **BiosDate** The release date of the BIOS in UTC format. +- **biosName** The name field from Win32_BIOS. +- **BiosName** The name field from Win32_BIOS. +- **manufacturer** The manufacturer field from Win32_ComputerSystem. +- **Manufacturer** The manufacturer field from Win32_ComputerSystem. +- **model** The model field from Win32_ComputerSystem. +- **Model** The model field from Win32_ComputerSystem. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove + +This event indicates that the InventorySystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync + +This event indicates that a new set of InventorySystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd + +This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BootCritical** Is the driver package marked as boot critical? +- **Build** The build value from the driver package. +- **CatalogFile** The name of the catalog file within the driver package. +- **Class** The device class from the driver package. +- **ClassGuid** The device class unique ID from the driver package. +- **Date** The date from the driver package. +- **Inbox** Is the driver package of a driver that is included with Windows? +- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU. +- **Provider** The provider of the driver package. +- **PublishedName** The name of the INF file after it was renamed. +- **Revision** The revision of the driver package. +- **SignatureStatus** Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2. +- **VersionMajor** The major version of the driver package. +- **VersionMinor** The minor version of the driver package. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove + +This event indicates that the InventoryUplevelDriverPackage object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync + +This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.RunContext + +This event indicates what should be expected in the data payload. + +The following fields are available: + +- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built. +- **AppraiserProcess** The name of the process that launched Appraiser. +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **CensusId** A unique hardware identifier. +- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **Subcontext** Indicates what categories of incompatibilities appraiser is scanning for. Can be N/A, Resolve, or a semicolon-delimited list that can include App, Dev, Sys, Gat, or Rescan. +- **Time** The client time of the event. + + +### Microsoft.Windows.Appraiser.General.SystemMemoryAdd + +This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the device from upgrade due to memory restrictions? +- **MemoryRequirementViolated** Was a memory requirement violated? +- **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes). +- **ram** The amount of memory on the device. +- **ramKB** The amount of memory (in KB). +- **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes). +- **virtualKB** The amount of virtual memory (in KB). + + +### Microsoft.Windows.Appraiser.General.SystemMemoryRemove + +This event that the SystemMemory object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync + +This event indicates that a new set of SystemMemoryAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd + +This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **CompareExchange128Support** Does the CPU support CompareExchange128? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove + +This event indicates that the SystemProcessorCompareExchange object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync + +This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd + +This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **LahfSahfSupport** Does the CPU support LAHF/SAHF? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove + +This event indicates that the SystemProcessorLahfSahf object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync + +This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd + +This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support. +- **NXProcessorSupport** Does the processor support NX? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove + +This event indicates that the SystemProcessorNx object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync + +This event indicates that a new set of SystemProcessorNxAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd + +This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **PrefetchWSupport** Does the processor support PrefetchW? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove + +This event indicates that the SystemProcessorPrefetchW object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync + +This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add + +This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **SSE2ProcessorSupport** Does the processor support SSE2? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove + +This event indicates that the SystemProcessorSse2 object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync + +This event indicates that a new set of SystemProcessorSse2Add events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemTouchAdd + +This event sends data indicating whether the system supports touch, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer? +- **MaximumTouches** The maximum number of touch points supported by the device hardware. + + +### Microsoft.Windows.Appraiser.General.SystemTouchRemove + +This event indicates that the SystemTouch object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemTouchStartSync + +This event indicates that a new set of SystemTouchAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWimAdd + +This event sends data indicating whether the operating system is running from a compressed Windows Imaging Format (WIM) file, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **IsWimBoot** Is the current operating system running from a compressed WIM file? +- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM. + + +### Microsoft.Windows.Appraiser.General.SystemWimRemove + +This event indicates that the SystemWim object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWimStartSync + +This event indicates that a new set of SystemWimAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd + +This event sends data indicating whether the current operating system is activated, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated. +- **WindowsNotActivatedDecision** Is the current operating system activated? + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove + +This event indicates that the SystemWindowsActivationStatus object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync + +This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWlanAdd + +This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked because of an emulated WLAN driver? +- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block? +- **WlanEmulatedDriver** Does the device have an emulated WLAN driver? +- **WlanExists** Does the device support WLAN at all? +- **WlanModulePresent** Are any WLAN modules present? +- **WlanNativeDriver** Does the device have a non-emulated WLAN driver? + + +### Microsoft.Windows.Appraiser.General.SystemWlanRemove + +This event indicates that the SystemWlan object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWlanStartSync + +This event indicates that a new set of SystemWlanAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.TelemetryRunHealth + +This event indicates the parameters and result of a telemetry (diagnostic) run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date. + +The following fields are available: + +- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built. +- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run. +- **AppraiserProcess** The name of the process that launched Appraiser. +- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots. +- **AuxFinal** Obsolete, always set to false. +- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app. +- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan. +- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. +- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent. +- **InboxDataVersion** The original version of the data files before retrieving any newer version. +- **IndicatorsWritten** Indicates if all relevant UEX indicators were successfully written or updated. +- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. +- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. +- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. +- **RunDate** The date that the telemetry run was stated, expressed as a filetime. +- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic. +- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. +- **RunResult** The hresult of the Appraiser telemetry run. +- **ScheduledUploadDay** The day scheduled for the upload. +- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run. +- **StoreHandleIsNotNull** Obsolete, always set to false +- **TelementrySent** Indicates if telemetry was successfully sent. +- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability. +- **Time** The client time of the event. +- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging. +- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated. + + +### Microsoft.Windows.Appraiser.General.WmdrmAdd + +This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BlockingApplication** Same as NeedsDismissAction. +- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation. +- **WmdrmApiResult** Raw value of the API used to gather DRM state. +- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs. +- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased. +- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed. +- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses. +- **WmdrmPurchased** Indicates if the system has any files with permanent licenses. + + +### Microsoft.Windows.Appraiser.General.WmdrmRemove + +This event indicates that the Wmdrm object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.WmdrmStartSync + +This event indicates that a new set of WmdrmAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +## Census events + +### Census.App + +Provides information on IE and Census versions running on the device + +The following fields are available: + +- **AppraiserEnterpriseErrorCode** The error code of the last Appraiser enterprise run. +- **AppraiserErrorCode** The error code of the last Appraiser run. +- **AppraiserRunEndTimeStamp** The end time of the last Appraiser run. +- **AppraiserRunIsInProgressOrCrashed** Flag that indicates if the Appraiser run is in progress or has crashed. +- **AppraiserRunStartTimeStamp** The start time of the last Appraiser run. +- **AppraiserTaskEnabled** Whether the Appraiser task is enabled. +- **AppraiserTaskExitCode** The Appraiser task exist code. +- **AppraiserTaskLastRun** The last runtime for the Appraiser task. +- **CensusVersion** The version of Census that generated the current data for this device. +- **IEVersion** The version of Internet Explorer that is running on the device. + + +### Census.Battery + +This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date. + +The following fields are available: + +- **InternalBatteryCapablities** Represents information about what the battery is capable of doing. +- **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity  to estimate the battery's wear. +- **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh. +- **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance. +- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value. + + +### Census.Camera + +This event sends data about the resolution of cameras on the device, to help keep Windows up to date. + +The following fields are available: + +- **FrontFacingCameraResolution** Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0. +- **RearFacingCameraResolution** Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0. + + +### Census.Enterprise + +This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment. + +The following fields are available: + +- **AADDeviceId** Azure Active Directory device ID. +- **AzureOSIDPresent** Represents the field used to identify an Azure machine. +- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs. +- **CDJType** Represents the type of cloud domain joined for the machine. +- **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers. +- **ContainerType** The type of container, such as process or virtual machine hosted. +- **EnrollmentType** Defines the type of MDM enrollment on the device. +- **HashedDomain** The hashed representation of the user domain used for login. +- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false +- **IsDERequirementMet** Represents if the device can do device encryption. +- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption +- **IsDomainJoined** Indicates whether a machine is joined to a domain. +- **IsEDPEnabled** Represents if Enterprise data protected on the device. +- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. +- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment. +- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. +- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier + + +### Census.Firmware + +This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date. + +The following fields are available: + +- **FirmwareManufacturer** Represents the manufacturer of the device's firmware (BIOS). +- **FirmwareReleaseDate** Represents the date the current firmware was released. +- **FirmwareType** Represents the firmware type. The various types can be unknown, BIOS, UEFI. +- **FirmwareVersion** Represents the version of the current firmware. + + +### Census.Flighting + +This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up to date. + +The following fields are available: + +- **DeviceSampleRate** The telemetry sample rate assigned to the device. +- **EnablePreviewBuilds** Used to enable Windows Insider builds on a device. +- **FlightIds** A list of the different Windows Insider builds on this device. +- **FlightingBranchName** The name of the Windows Insider branch currently used by the device. +- **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program. +- **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device. +- **SSRK** Retrieves the mobile targeting settings. + + +### Census.Hardware + +This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up to date. + +The following fields are available: + +- **ActiveMicCount** The number of active microphones attached to the device. +- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36. +- **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields. +- **D3DMaxFeatureLevel** Supported Direct3D version. +- **DeviceColor** Indicates a color of the device. +- **DeviceForm** Indicates the form as per the device classification. +- **DeviceName** The device name that is set by the user. +- **DigitizerSupport** Is a digitizer supported? +- **DUID** The device unique ID. +- **Gyroscope** Indicates whether the device has a gyroscope (a mechanical component that measures and maintains orientation). +- **InventoryId** The device ID used for compatibility testing. +- **Magnetometer** Indicates whether the device has a magnetometer (a mechanical component that works like a compass). +- **NFCProximity** Indicates whether the device supports NFC (a set of communication protocols that helps establish communication when applicable devices are brought close together.) +- **OEMDigitalMarkerFileName** The name of the file placed in the \Windows\system32\drivers directory that specifies the OEM and model name of the device. +- **OEMManufacturerName** The device manufacturer name. The OEMName for an inactive device is not reprocessed even if the clean OEM name is changed at a later date. +- **OEMModelBaseBoard** The baseboard model used by the OEM. +- **OEMModelBaseBoardVersion** Differentiates between developer and retail devices. +- **OEMModelName** The device model name. +- **OEMModelNumber** The device model number. +- **OEMModelSKU** The device edition that is defined by the manufacturer. +- **OEMModelSystemFamily** The system family set on the device by an OEM. +- **OEMModelSystemVersion** The system model version set on the device by the OEM. +- **OEMOptionalIdentifier** A Microsoft assigned value that represents a specific OEM subsidiary. +- **OEMSerialNumber** The serial number of the device that is set by the manufacturer. +- **PhoneManufacturer** The friendly name of the phone manufacturer. +- **PowerPlatformRole** The OEM preferred power management profile. It's used to help to identify the basic form factor of the device. +- **SoCName** The firmware manufacturer of the device. +- **StudyID** Used to identify retail and non-retail device. +- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced. +- **TelemetryLevelLimitEnhanced** The telemetry level for Windows Analytics-based solutions. +- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user. +- **TPMManufacturerId** The ID of the TPM manufacturer. +- **TPMManufacturerVersion** The version of the TPM manufacturer. +- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0. +- **VoiceSupported** Does the device have a cellular radio capable of making voice calls? + + +### Census.Memory + +This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to date. + +The following fields are available: + +- **TotalPhysicalRAM** Represents the physical memory (in MB). +- **TotalVisibleMemory** Represents the memory that is not reserved by the system. + + +### Census.Network + +This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors), to help keep Windows up to date. + +The following fields are available: + +- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. +- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. +- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MEID** Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. +- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MobileOperatorBilling** Represents the telephone company that provides services for mobile phone users. +- **MobileOperatorCommercialized** Represents which reseller and geography the phone is commercialized for. This is the set of values on the phone for who and where it was intended to be used. For example, the commercialized mobile operator code AT&T in the US would be ATT-US. +- **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. +- **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. +- **NetworkAdapterGUID** The GUID of the primary network adapter. +- **NetworkCost** Represents the network cost associated with a connection. +- **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. +- **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. + + +### Census.OS + +This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date. + +The following fields are available: + +- **ActivationChannel** Retrieves the retail license key or Volume license key for a machine. +- **AssignedAccessStatus** Kiosk configuration mode. +- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled. +- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy. +- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time +- **GenuineState** Retrieves the ID Value specifying the OS Genuine check. +- **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update). +- **InstallLanguage** The first language installed on the user machine. +- **IsDeviceRetailDemo** Retrieves if the device is running in demo mode. +- **IsEduData** Returns Boolean if the education data policy is enabled. +- **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go +- **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI. +- **LanguagePacks** The list of language packages installed on the device. +- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store. +- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. +- **OSEdition** Retrieves the version of the current OS. +- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc +- **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). +- **OSSKU** Retrieves the Friendly Name of OS Edition. +- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. +- **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines. +- **OSTimeZoneBiasInMins** Retrieves the time zone set on machine. +- **OSUILocale** Retrieves the locale of the UI that is currently used by the OS. +- **ProductActivationResult** Returns Boolean if the OS Activation was successful. +- **ProductActivationTime** Returns the OS Activation time for tracking piracy issues. +- **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key. +- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability. +- **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. +- **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. +- **ServiceProductKeyID** Retrieves the License key of the KMS +- **SharedPCMode** Returns Boolean for education devices used as shared cart +- **Signature** Retrieves if it is a signature machine sold by Microsoft store. +- **SLICStatus** Whether a SLIC table exists on the device. +- **SLICVersion** Returns OS type/version from SLIC table. + + +### Census.PrivacySettings + +This event provides information about the device level privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represent the authority that set the value. The effective consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. + +The following fields are available: + +- **Activity** Current state of the activity history setting. +- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. +- **ActivityHistoryCollection** Current state of the activity history collection setting. +- **AdvertisingId** Current state of the advertising ID setting. +- **AppDiagnostics** Current state of the app diagnostics setting. +- **Appointments** Current state of the calendar setting. +- **Bluetooth** Current state of the Bluetooth capability setting. +- **BluetoothSync** Current state of the Bluetooth sync capability setting. +- **BroadFileSystemAccess** Current state of the broad file system access setting. +- **CellularData** Current state of the cellular data capability setting. +- **Chat** Current state of the chat setting. +- **Contacts** Current state of the contacts setting. +- **DocumentsLibrary** Current state of the documents library setting. +- **Email** Current state of the email setting. +- **FindMyDevice** Current state of the "find my device" setting. +- **GazeInput** Current state of the gaze input setting. +- **HumanInterfaceDevice** Current state of the human interface device setting. +- **InkTypeImprovement** Current state of the improve inking and typing setting. +- **Location** Current state of the location setting. +- **LocationHistory** Current state of the location history setting. +- **LocationHistoryCloudSync** Current state of the location history cloud sync setting. +- **LocationHistoryOnTimeline** Current state of the location history on timeline setting. +- **Microphone** Current state of the microphone setting. +- **PhoneCall** Current state of the phone call setting. +- **PhoneCallHistory** Current state of the call history setting. +- **PicturesLibrary** Current state of the pictures library setting. +- **Radios** Current state of the radios setting. +- **SensorsCustom** Current state of the custom sensor setting. +- **SerialCommunication** Current state of the serial communication setting. +- **Sms** Current state of the text messaging setting. +- **SpeechPersonalization** Current state of the speech services setting. +- **USB** Current state of the USB setting. +- **UserAccountInformation** Current state of the account information setting. +- **UserDataTasks** Current state of the tasks setting. +- **UserNotificationListener** Current state of the notifications setting. +- **VideosLibrary** Current state of the videos library setting. +- **Webcam** Current state of the camera setting. +- **WiFiDirect** Current state of the Wi-Fi direct setting. + + +### Census.Processor + +Provides information on several important data points about Processor settings + +The following fields are available: + +- **KvaShadow** This is the micro code information of the processor. +- **MMSettingOverride** Microcode setting of the processor. +- **MMSettingOverrideMask** Microcode setting override of the processor. +- **PreviousUpdateRevision** Previous microcode revision +- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. +- **ProcessorClockSpeed** Clock speed of the processor in MHz. +- **ProcessorCores** Number of logical cores in the processor. +- **ProcessorIdentifier** Processor Identifier of a manufacturer. +- **ProcessorManufacturer** Name of the processor manufacturer. +- **ProcessorModel** Name of the processor model. +- **ProcessorPhysicalCores** Number of physical cores in the processor. +- **ProcessorUpdateRevision** The microcode revision. +- **ProcessorUpdateStatus** Enum value that represents the processor microcode load status +- **SocketCount** Count of CPU sockets. +- **SpeculationControl** Indicates whether the system has enabled protections needed to validate the speculation control vulnerability. + + +### Census.Security + +This event provides information on about security settings used to help keep Windows up to date and secure. + +The following fields are available: + +- **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard. +- **CGRunning** Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. This field tells if Credential Guard is running. +- **DGState** This field summarizes the Device Guard state. +- **HVCIRunning** Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all software running in kernel mode to safely allocate memory. This field tells if HVCI is running. +- **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest. +- **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host. +- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security. +- **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting. +- **SModeState** The Windows S mode trail state. +- **VBSState** Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled, Enabled, or Running. + + +### Census.Speech + +This event is used to gather basic speech settings on the device. + +The following fields are available: + +- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked. +- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities. +- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user. +- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. +- **KeyVer** Version information for the census speech event. +- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS). +- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. +- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities. +- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice. +- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device. +- **SpeechServicesValueSource** Indicates the deciding factor for the effective online speech recognition privacy policy settings: remote admin, local admin, or user preference. + + +### Census.Storage + +This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date. + +The following fields are available: + +- **PrimaryDiskTotalCapacity** Retrieves the amount of disk space on the primary disk of the device in MB. +- **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any). +- **StorageReservePassedPolicy** Indicates whether the Storage Reserve policy, which ensures that updates have enough disk space and customers are on the latest OS, is enabled on this device. +- **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB. + + +### Census.Userdefault + +This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date. + +The following fields are available: + +- **CalendarType** The calendar identifiers that are used to specify different calendars. +- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. +- **DefaultBrowserProgId** The ProgramId of the current user's default browser. +- **LongDateFormat** The long date format the user has selected. +- **ShortDateFormat** The short date format the user has selected. + + +### Census.UserDisplay + +This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date. + +The following fields are available: + +- **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display. +- **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display. +- **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display. +- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display. +- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display. +- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display. +- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches . +- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches +- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine +- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine. +- **VRAMDedicated** Retrieves the video RAM in MB. +- **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card. +- **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use. + + +### Census.UserNLS + +This event sends data about the default app language, input, and display language preferences set by the user, to help keep Windows up to date. + +The following fields are available: + +- **DefaultAppLanguage** The current user Default App Language. +- **DisplayLanguage** The current user preferred Windows Display Language. +- **HomeLocation** The current user location, which is populated using GetUserGeoId() function. +- **KeyboardInputLaîguages** No content is currently available. +- **KeyboardInputLanguages** The Keyboard input languages installed on the device. +- **SpeechInputLalguages** No content is currently available. +- **SpeechInputLanguages** The Speech Input languages installed on the device. + + +### Census.UserPrivacySettings + +This event provides information about the current users privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represents the authority that set the value. The effective consent is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = user, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. + +The following fields are available: + +- **Activity** Current state of the activity history setting. +- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. +- **ActivityHistoryCollection** Current state of the activity history collection setting. +- **AdvertisingId** Current state of the advertising ID setting. +- **AppDiagnostacs** No content is currently available. +- **AppDiagnostics** Current state of the app diagnostics setting. +- **Appiagnostics** No content is currently available. +- **Appointments** Current state of the calendar setting. +- **Bluetooth** Current state of the Bluetooth capability setting. +- **BluetoothSync** Current state of the Bluetooth sync capability setting. +- **BroadFileSystemAccess** Current state of the broad file system access setting. +- **CellularData** Current state of the cellular data capability setting. +- **Chat** Current state of the chat setting. +- **Contacts** Current state of the contacts setting. +- **DocumentsLibrary** Current state of the documents library setting. +- **Email** Current state of the email setting. +- **GazeInput** Current state of the gaze input setting. +- **HumanInterfaceDevice** Current state of the human interface device setting. +- **InkT9peImprovement** No content is currently available. +- **InkT9pePersonalization** No content is currently available. +- **InkTypeImprovement** Current state of the improve inking and typing setting. +- **InkTypePersonalization** Current state of the inking and typing personalization setting. +- **Location** Current state of the location setting. +- **LocationHistory** Current state of the location history setting. +- **LocationHistoryCloudSync** Current state of the location history cloud synchronization setting. +- **LocationHistoryOnTimeline** Current state of the location history on timeline setting. +- **Microphona** No content is currently available. +- **Microphone** Current state of the microphone setting. +- **PhoneCall** Current state of the phone call setting. +- **PhoneCallHistory** Current state of the call history setting. +- **PicturesLibrary** Current state of the pictures library setting. +- **Radios** Current state of the radios setting. +- **SensorsÃustom** No content is currently available. +- **SensorsCustom** Current state of the custom sensor setting. +- **SerialCommunication** Current state of the serial communication setting. +- **Sms** Current state of the text messaging setting. +- **SpeechPersonalization** Current state of the speech services setting. +- **UqerDataTasks** No content is currently available. +- **USB** Current state of the USB setting. +- **UserAccountInformation** Current state of the account information setting. +- **UserDataTasks** Current state of the tasks setting. +- **UserNotificationListener** Current state of the notifications setting. +- **VideosLibrary** Current state of the videos library setting. +- **Webcam** Current state of the camera setting. +- **WiFiDirect** Current state of the Wi-Fi direct setting. + + +### Census.VM + +This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date. + +The following fields are available: + +- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within. +- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor. +- **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present. +- **IsVDI** Is the device using Virtual Desktop Infrastructure? +- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors. +- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware. +- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware. + + +### Census.WU + +This event sends data about the Windows update server and other App store policies, to help keep Windows up to date. + +The following fields are available: + +- **AppraiserGatedStatus** Indicates whether a device has been gated for upgrading. +- **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled). +- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured +- **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting +- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades. +- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it? +- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update? +- **OSAssessmentForQualityUpdate** Is the device on the latest quality update? +- **OSAssessmentForSecurityUpdate** Is the device on the latest security update? +- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it? +- **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment. +- **OSRollbackCount** The number of times feature updates have rolled back on the device. +- **OSRolledBack** A flag that represents when a feature update has rolled back during setup. +- **OSUninstalled** A flag that represents when a feature update is uninstalled on a device . +- **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device. +- **OSWUAutoUpdateOptionsSource** The source of auto update setting that appears in the OSWUAutoUpdateOptions field. For example: Group Policy (GP), Mobile Device Management (MDM), and Default. +- **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently. +- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). +- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. +- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. +- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. +- **WUPauseState** Retrieves WU setting to determine if updates are paused. +- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). + + +### Census.Xbox + +This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date. + +The following fields are available: + +- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console. +- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console. +- **XboxLiveDeviceId** Retrieves the unique device ID of the console. +- **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft. + + +## Common data extensions + +### Common Data Extensions.app + +Describes the properties of the running application. This extension could be populated by a client app or a web app. + +The following fields are available: + +- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session. +- **env** The environment from which the event was logged. +- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event. +- **id** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application. +- **locale** The locale of the app. +- **name** The name of the app. +- **userId** The userID as known by the application. +- **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app. + + +### Common Data Extensions.container + +Describes the properties of the container for events logged within a container. + +The following fields are available: + +- **epoch** An ID that's incremented for each SDK initialization. +- **localId** The device ID as known by the client. +- **osVer** The operating system version. +- **seq** An ID that's incremented for each event. +- **type** The container type. Examples: Process or VMHost + + +### Common Data Extensions.cs + +Describes properties related to the schema of the event. + +The following fields are available: + +- **sig** A common schema signature that identifies new and modified event schemas. + + +### Common Data Extensions.device + +Describes the device-related fields. + +The following fields are available: + +- **deviceClass** The device classification. For example, Desktop, Server, or Mobile. +- **localId** A locally-defined unique ID for the device. This is not the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId +- **make** Device manufacturer. +- **model** Device model. + + +### Common Data Extensions.Envelope + +Represents an envelope that contains all of the common data extensions. + +The following fields are available: + +- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries. +- **data** Represents the optional unique diagnostic data for a particular event schema. +- **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp). +- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer). +- **ext_cs** Describes properties related to the schema of the event. See [Common Data Extensions.cs](#common-data-extensionscs). +- **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice). +- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos). +- **ext_receipts** Describes the fields related to time as provided by the client for debugging purposes. See [Common Data Extensions.receipts](#common-data-extensionsreceipts). +- **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk). +- **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser). +- **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc). +- **ext_xbl** Describes the fields related to XBOX Live. See [Common Data Extensions.xbl](#common-data-extensionsxbl). +- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency. +- **iKey** Represents an ID for applications or other logical groupings of events. +- **name** Represents the uniquely qualified name for the event. +- **popSample** Represents the effective sample rate for this event at the time it was generated by a client. +- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format. +- **ver** Represents the major and minor version of the extension. + + +### Common Data Extensions.os + +Describes some properties of the operating system. + +The following fields are available: + +- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot. +- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema. +- **locale** Represents the locale of the operating system. +- **name** Represents the operating system name. +- **ver** Represents the major and minor version of the extension. + + +### Common Data Extensions.receipts + +Represents various time information as provided by the client and helps for debugging purposes. + +The following fields are available: + +- **originalTime** The original event time. +- **uploadTime** The time the event was uploaded. + + +### Common Data Extensions.sdk + +Used by platform specific libraries to record fields that are required for a specific SDK. + +The following fields are available: + +- **epoch** An ID that is incremented for each SDK initialization. +- **installId** An ID that's created during the initialization of the SDK for the first time. +- **libVer** The SDK version. +- **seq** An ID that is incremented for each event. + + +### Common Data Extensions.user + +Describes the fields related to a user. + +The following fields are available: + +- **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token. +- **locale** The language and region. +- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID. + + +### Common Data Extensions.utc + +Describes the properties that could be populated by a logging library on Windows. + +The following fields are available: + +- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW. +- **bSeq** Upload buffer sequence number in the format: buffer identifier:sequence number +- **cat** Represents a bitmask of the ETW Keywords associated with the event. +- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer. +- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server. +- **flags** Represents the bitmap that captures various Windows specific flags. +- **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence +- **op** Represents the ETW Op Code. +- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. +- **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server. +- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. + + +### Common Data Extensions.xbl + +Describes the fields that are related to XBOX Live. + +The following fields are available: + +- **claims** Any additional claims whose short claim name hasn't been added to this structure. +- **did** XBOX device ID +- **dty** XBOX device type +- **dvr** The version of the operating system on the device. +- **eid** A unique ID that represents the developer entity. +- **exp** Expiration time +- **ip** The IP address of the client device. +- **nbf** Not before time +- **pid** A comma separated list of PUIDs listed as base10 numbers. +- **sbx** XBOX sandbox identifier +- **sid** The service instance ID. +- **sty** The service type. +- **tid** The XBOX Live title ID. +- **tvr** The XBOX Live title version. +- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. +- **xid** A list of base10-encoded XBOX User IDs. + + +## Common data fields + +### Ms.Device.DeviceInventoryChange + +Describes the installation state for all hardware and software components available on a particular device. + +The following fields are available: + +- **action** The change that was invoked on a device inventory object. +- **inventoryId** Device ID used for Compatibility testing +- **objectInstanceId** Object identity which is unique within the device scope. +- **objectType** Indicates the object type that the event applies to. +- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. + + +## Compatibility events + +### Microsoft.Windows.Compatibility.Apphelp.SdbFix + +Product instrumentation for helping debug/troubleshoot issues with inbox compatibility components. + +The following fields are available: + +- **AppName** Name of the application impacted by SDB. +- **FixID** SDB GUID. +- **Flags** List of flags applied. +- **ImageName** Name of file. + + +## Component-based servicing events + +### CbsServicingProvider.CbsCapabilityEnumeration + +This event reports on the results of scanning for optional Windows content on Windows Update. + +The following fields are available: + +- **architecture** Indicates the scan was limited to the specified architecture. +- **capabilityCount** The number of optional content packages found during the scan. +- **clientId** The name of the application requesting the optional content. +- **duration** The amount of time it took to complete the scan. +- **hrStatus** The HReturn code of the scan. +- **language** Indicates the scan was limited to the specified language. +- **majorVersion** Indicates the scan was limited to the specified major version. +- **minorVersion** Indicates the scan was limited to the specified minor version. +- **namespace** Indicates the scan was limited to packages in the specified namespace. +- **sourceFilter** A bitmask indicating the scan checked for locally available optional content. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionFinalize + +This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. + +The following fields are available: + +- **capabilities** The names of the optional content packages that were installed. +- **clientId** The name of the application requesting the optional content. +- **currentID** The ID of the current install session. +- **downloadSource** The source of the download. +- **highestState** The highest final install state of the optional content. +- **hrLCUReservicingStatus** Indicates whether the optional content was updated to the latest available version. +- **hrStatus** The HReturn code of the install operation. +- **rebootCount** The number of reboots required to complete the install. +- **retryID** The session ID that will be used to retry a failed operation. +- **retryStatus** Indicates whether the install will be retried in the event of failure. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionPended + +This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date. + +The following fields are available: + +- **clientId** The name of the application requesting the optional content. +- **pendingDecision** Indicates the cause of reboot, if applicable. + + +### CbsServicingProvider.CbsLateAcquisition + +This event sends data to indicate if some Operating System packages could not be updated as part of an upgrade, to help keep Windows up to date. + +The following fields are available: + +- **Features** The list of feature packages that could not be updated. +- **RetryID** The ID identifying the retry attempt to update the listed packages. + + +### CbsServicingProvider.CbsPackageRemoval + +This event provides information about the results of uninstalling a Windows Cumulative Security Update to help keep Windows up to date. + +The following fields are available: + +- **buildVersion** The build number of the security update being uninstalled. +- **clientId** The name of the application requesting the uninstall. +- **currentStateEnd** The final state of the update after the operation. +- **failureDetails** Information about the cause of a failure, if applicable. +- **failureSourceEnd** The stage during the uninstall where the failure occurred. +- **hrStatusEnd** The overall exit code of the operation. +- **initiatedOffline** Indicates if the uninstall was initiated for a mounted Windows image. +- **majorVersion** The major version number of the security update being uninstalled. +- **minorVersion** The minor version number of the security update being uninstalled. +- **originalState** The starting state of the update before the operation. +- **pendingDecision** Indicates the cause of reboot, if applicable. +- **primitiveExecutionContext** The state during system startup when the uninstall was completed. +- **revisionVersion** The revision number of the security update being uninstalled. +- **transactionCanceled** Indicates whether the uninstall was cancelled. + + +### CbsServicingProvider.CbsQualityUpdateInstall + +This event reports on the performance and reliability results of installing Servicing content from Windows Update to keep Windows up to date. + +The following fields are available: + +- **buildVersion** The build version number of the update package. +- **clientId** The name of the application requesting the optional content. +- **corruptionHistoryFlags** A bitmask of the types of component store corruption that have caused update failures on the device. +- **corruptionType** An enumeration listing the type of data corruption responsible for the current update failure. +- **currentStateEnd** The final state of the package after the operation has completed. +- **doqTimeSeconds** The time in seconds spent updating drivers. +- **executeTimeSeconds** The number of seconds required to execute the install. +- **failureDetails** The driver or installer that caused the update to fail. +- **failureSourceEnd** An enumeration indicating at what phase of the update a failure occurred. +- **hrStatusEnd** The return code of the install operation. +- **initiatedOffline** A true or false value indicating whether the package was installed into an offline Windows Imaging Format (WIM) file. +- **majorVersion** The major version number of the update package. +- **minorVersion** The minor version number of the update package. +- **originalState** The starting state of the package. +- **overallTimeSeconds** The time (in seconds) to perform the overall servicing operation. +- **planTimeSeconds** The time in seconds required to plan the update operations. +- **poqTimeSeconds** The time in seconds processing file and registry operations. +- **postRebootTimeSeconds** The time (in seconds) to do startup processing for the update. +- **preRebootTimeSeconds** The time (in seconds) between execution of the installation and the reboot. +- **primitiveExecutionContext** An enumeration indicating at what phase of shutdown or startup the update was installed. +- **rebootCount** The number of reboots required to install the update. +- **rebootTimeSeconds** The time (in seconds) before startup processing begins for the update. +- **resolveTimeSeconds** The time in seconds required to resolve the packages that are part of the update. +- **revisionVersion** The revision version number of the update package. +- **rptTimeSeconds** The time in seconds spent executing installer plugins. +- **shutdownTimeSeconds** The time (in seconds) required to do shutdown processing for the update. +- **stackRevision** The revision number of the servicing stack. +- **stageTimeSeconds** The time (in seconds) required to stage all files that are part of the update. + + +### CbsServicingProvider.CbsSelectableUpdateChangeV2 + +This event reports the results of enabling or disabling optional Windows Content to keep Windows up to date. + +The following fields are available: + +- **applicableUpdateState** Indicates the highest applicable state of the optional content. +- **buildVersion** The build version of the package being installed. +- **clientId** The name of the application requesting the optional content change. +- **downloadSource** Indicates if optional content was obtained from Windows Update or a locally accessible file. +- **downloadtimeInSeconds** The number of seconds required to complete the optional content download. +- **executionID** A unique ID used to identify events associated with a single servicing operation and not reused for future operations. +- **executionSequence** A counter that tracks the number of servicing operations attempted on the device. +- **firstMergedExecutionSequence** The value of a pervious executionSequence counter that is being merged with the current operation, if applicable. +- **firstMergedID** A unique ID of a pervious servicing operation that is being merged with this operation, if applicable. +- **hrDownloadResult** The return code of the download operation. +- **hrStatusUpdate** The return code of the servicing operation. +- **identityHash** A pseudonymized (hashed) identifier for the Windows Package that is being installed or uninstalled. +- **initiatedOffline** Indicates whether the operation was performed against an offline Windows image file or a running instance of Windows. +- **majorVersion** The major version of the package being installed. +- **minorVersion** The minor version of the package being installed. +- **packageArchitecture** The architecture of the package being installed. +- **packageLanguage** The language of the package being installed. +- **packageName** The name of the package being installed. +- **rebootRequired** Indicates whether a reboot is required to complete the operation. +- **revisionVersion** The revision number of the package being installed. +- **stackBuild** The build number of the servicing stack binary performing the installation. +- **stackMajorVersion** The major version number of the servicing stack binary performing the installation. +- **stackMinorVersion** The minor version number of the servicing stack binary performing the installation. +- **stackRevision** The revision number of the servicing stack binary performing the installation. +- **updateName** The name of the optional Windows Operation System feature being enabled or disabled. +- **updateStartState** A value indicating the state of the optional content before the operation started. +- **updateTargetState** A value indicating the desired state of the optional content. + + +## Deployment extensions + +### DeploymentTelemetry.Deployment_End + +This event indicates that a Deployment 360 API has completed. + +The following fields are available: + +- **ClientId** Client ID of the user utilizing the D360 API. +- **ErrorCode** Error code of action. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Mode** Phase in upgrade. +- **RelatedCV** The correction vector (CV) of any other related events +- **Result** End result of the action. + + +### DeploymentTelemetry.Deployment_SetupBoxLaunch + +This event indicates that the Deployment 360 APIs have launched Setup Box. + +The following fields are available: + +- **ClientId** The client ID of the user utilizing the D360 API. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Quiet** Whether Setup will run in quiet mode or full mode. +- **RelatedCV** The correlation vector (CV) of any other related events. +- **SetupMode** The current setup phase. + + +### DeploymentTelemetry.Deployment_SetupBoxResult + +This event indicates that the Deployment 360 APIs have received a return from Setup Box. + +The following fields are available: + +- **ClientId** Client ID of the user utilizing the D360 API. +- **ErrorCode** Error code of the action. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Quiet** Indicates whether Setup will run in quiet mode or full mode. +- **RelatedCV** The correlation vector (CV) of any other related events. +- **SetupMode** The current Setup phase. + + +### DeploymentTelemetry.Deployment_Start + +This event indicates that a Deployment 360 API has been called. + +The following fields are available: + +- **ClientId** Client ID of the user utilizing the D360 API. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Mode** The current phase of the upgrade. +- **RelatedCV** The correlation vector (CV) of any other related events. + + +## Diagnostic data events + +### TelClientSynthetic.AuthorizationInfo_RuntimeTransition + +This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. + +The following fields are available: + +- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. +- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. +- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. +- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. +- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. +- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. +- **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **PreviousPermissions** Bitmask of previous telemetry state. +- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. + + +### TelClientSynthetic.AuthorizationInfo_Startup + +Fired by UTC at startup to signal what data we are allowed to collect. + +The following fields are available: + +- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. +- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. +- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. +- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. +- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. +- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. +- **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **PreviousPermissions** Bitmask of previous telemetry state. +- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. + + +### TelClientSynthetic.ConnectivityHeartBeat_0 + +This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. + +The following fields are available: + +- **CensusExitCode** Returns last execution codes from census client run. +- **CensusStartTime** Returns timestamp corresponding to last successful census run. +- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. +- **LastConnectivityLossTime** Retrieves the last time the device lost free network. +- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. +- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. +- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds. +- **捔祦⽌䱩⽪昫橷瘴場漸䤫〫洯硈㍈㡮⽯** No content is currently available. +- **⽫甸㑪摭橷捔橗⭪晙晅晣穹椸樷** No content is currently available. +- **䉪䌯䱏杄䬷㝐灌䩚㠯⽉䝲伹㡈㕉佤** No content is currently available. + + +### TelClientSynthetic.HeartBeat_5 + +This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. + +The following fields are available: + +- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel. +- **CensusExitCode** The last exit code of the Census task. +- **CensusStartTime** Time of last Census run. +- **CensusTaskEnabled** True if Census is enabled, false otherwise. +- **CompressedBytesUploaded** Number of compressed bytes uploaded. +- **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. +- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. +- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling. +- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB. +- **CriticalOvErflowEntersCounter** No content is currently available. +- **DbCriticalDroppedCount** Total number of dropped critical events in event DB. +- **DbDroppedCount** Number of events dropped due to DB fullness. +- **DbDroppedFailureCount** Number of events dropped due to DB failures. +- **DbDroppedFullCount** Number of events dropped due to DB fullness. +- **DecndingDroppedCount** No content is currently available. +- **DecodingDroppedCount** Number of events dropped due to decoding failures. +- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. +- **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. +- **EventsPersistedCount** Number of events that reached the PersistEvent stage. +- **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC. +- **EventStoreResetCounter** Number of times event DB was reset. +- **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance. +- **EventSubStoreResetCounter** Number of times event DB was reset. +- **EventSubStoreResetSizeSum** Total size of event DB across all resets reports in this instance. +- **EventsUploaded** Number of events uploaded. +- **Flags** Flags indicating device state such as network state, battery state, and opt-in state. +- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. +- **FullTrigwerBufferDroppedCount** No content is currently available. +- **HeartBeatSequenceNumber** The sequence number of this heartbeat. +- **InvalidH4BFCodeCount** No content is currently available. +- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. +- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. +- **LastEventSizeOffender** Event name of last event which exceeded max event size. +- **LastInvalidH4BFCode** No content is currently available. +- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. +- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. +- **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. +- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). +- **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. +- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. +- **SettingsH4BFAttempts** No content is currently available. +- **SettingsH4BFFailures** No content is currently available. +- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. +- **SettingsHttpFailures** The number of failures from contacting the OneSettings service. +- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. +- **TopUploaderErrors** List of top errors received from the upload endpoint. +- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. +- **UploaderErrorCount** Number of errors received from the upload endpoint. +- **VortexFailuresTimeout** The number of timeout failures received from Vortex. +- **VortexH4BFAttempts** No content is currently available. +- **VortexH4BFFailures4xx** No content is currently available. +- **VortexH4BFFailures5xx** No content is currently available. +- **VortexH4BFResponseFailures** No content is currently available. +- **VortexH4BFResponsesWithDroppedEvents** No content is currently available. +- **VortexHttpAttempts** Number of attempts to contact Vortex. +- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. +- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. +- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. +- **VortexHttpResponsesWi|hDroppedEvents** No content is currently available. +- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. + + +### TelClientSynthetic.HeartBeat_Aria_5 + +This event is the telemetry client ARIA heartbeat. + +The following fields are available: + +- **CompressedBytesUploaded** Number of compressed bytes uploaded. +- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. +- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. +- **DbCriticalDroppedCount** Total number of dropped critical events in event database. +- **DbDroppedCount** Number of events dropped at the database layer. +- **DbDroppedFailureCount** Number of events dropped due to database failures. +- **DbDroppedFullCount** Number of events dropped due to database being full. +- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **EventsPersistedCount** Number of events that reached the PersistEvent stage. +- **EventStoreLifetimeResetCounter** Number of times the event store has been reset. +- **EventStoreResetCounter** Number of times the event store has been reset during this heartbeat. +- **EventStoreResetSizeSum** Size of event store reset in bytes. +- **EventsUploaded** Number of events uploaded. +- **HeartBeatSequenceNumber** The sequence number of this heartbeat. +- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. +- **LastEventSizeOffender** Event name of last event which exceeded max event size. +- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. +- **PreviousHeartBeatTime** The FILETIME of the previous heartbeat fire. +- **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. +- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. +- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. +- **SettingsHttpFailures** Number of failures from contacting OneSettings service. +- **TopUploaderErrors** List of top errors received from the upload endpoint. +- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. +- **UploaderErrorCount** Number of errors received from the upload endpoint. +- **VortexFailuresTimeout** Number of time out failures received from Vortex. +- **VortexHttpAttempts** Number of attempts to contact Vortex. +- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. +- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. +- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. +- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. + + +### TelClientSynthetic.HeartBeat_Seville_5 + +This event is sent by the universal telemetry client (UTC) as a heartbeat signal for Sense. + +The following fields are available: + +- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host or agent channel. +- **CompressedBytesUploaded** Number of compressed bytes uploaded. +- **ConsumerDroppedCount** Number of events dropped at consumer layer of the telemetry client. +- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. +- **CriticalDataThrottleDroppedCount** Number of critical data sampled events dropped due to throttling. +- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. +- **DailyUploadQuotaInBytes** Daily upload quota for Sense in bytes (only in in-proc mode). +- **DbCriticalDroppedCount** Total number of dropped critical events in event database. +- **DbDroppedCount** Number of events dropped due to database being full. +- **DbDroppedFailureCount** Number of events dropped due to database failures. +- **DbDroppedFullCount** Number of events dropped due to database being full. +- **DecodingDroppedCount** Number of events dropped due to decoding failures. +- **DiskSizeInBytes** Size of event store for Sense in bytes (only in in-proc mode). +- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **EtwDroppedBufferCount** Number of buffers dropped in the universal telemetry client (UTC) event tracing for Windows (ETW) session. +- **EtwDroppedCount** Number of events dropped at the event tracing for Windows (ETW) layer of telemetry client. +- **EventsPersistedCount** Number of events that reached the PersistEvent stage. +- **EventStoreLifetimeResetCounter** Number of times event the database was reset for the lifetime of the universal telemetry client (UTC). +- **EventStoreResetCounter** Number of times the event database was reset. +- **EventStoreResetSizeSum** Total size of the event database across all resets reports in this instance. +- **EventsUploaded** Number of events uploaded. +- **Flags** Flags indicating device state, such as network state, battery state, and opt-in state. +- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. +- **HeartBeatSequenceNumber** The sequence number of this heartbeat. +- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. +- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. +- **LastEventSizeOffender** Event name of last event which exceeded the maximum event size. +- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. +- **MaxActiveAgentConnectionCount** Maximum number of active agents during this heartbeat timeframe. +- **NormalUploadTimerMillis** Number of milliseconds between each upload of normal events for SENSE (only in in-proc mode). +- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). +- **RepeatedUploadFailureDropped** Number of events lost due to repeated failed uploaded attempts. +- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. +- **SettingsHttpFailures** Number of failures from contacting the OneSettings service. +- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. +- **TopUploaderErrors** Top uploader errors, grouped by endpoint and error type. +- **UploaderDroppedCount** Number of events dropped at the uploader layer of the telemetry client. +- **UploaderErrorCount** Number of input for the TopUploaderErrors mode estimation. +- **VortexFailuresTimeout** Number of time out failures received from Vortex. +- **VortexHttpAttempts** Number of attempts to contact Vortex. +- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. +- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. +- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. +- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. + + +## Direct to update events + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicability + +Event to indicate that the Coordinator CheckApplicability call succeeded. + +The following fields are available: + +- **ApplicabilityResult** Result of CheckApplicability function. +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **IsDeviceAADDomainJoined** Indicates whether the device is logged in to the AAD (Azure Active Directory) domain. +- **IsDeviceADDomainJoined** Indicates whether the device is logged in to the AD (Active Directory) domain. +- **IsDeviceCloverTrail** Indicates whether the device has a Clover Trail system installed. +- **IsDeviceFeatureUpdatingPaused** Indicates whether Feature Update is paused on the device. +- **IsDeviceNetworkMetered** Indicates whether the device is connected to a metered network. +- **IsDeviceOobeBlocked** Indicates whether user approval is required to install updates on the device. +- **IsDeviceRequireUpdateApproval** Indicates whether user approval is required to install updates on the device. +- **IsDeviceSccmManaged** Indicates whether the device is running the Microsoft SCCM (System Center Configuration Manager) to keep the operating system and applications up to date. +- **IsDeviceUninstallActive** Indicates whether the OS (operating system) on the device was recently updated. +- **IsDeviceUpdateNotificationLevel** Indicates whether the device has a set policy to control update notifications. +- **IsDeviceUpdateServiceManaged** Indicates whether the device uses WSUS (Windows Server Update Services). +- **IsDeviceZeroExhaust** Indicates whether the device subscribes to the Zero Exhaust policy to minimize connections from Windows to Microsoft. +- **IsGreaterThanMaxRetry** Indicates whether the DTU (Direct to Update) service has exceeded its maximum retry count. +- **IsVolumeLicensed** Indicates whether a volume license was used to authenticate the operating system or applications on the device. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicabilityGenericFailure + +This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Cleanup call. + +The following fields are available: + +- **CampaignID** Campaign ID being run +- **ClientID** Client ID being run +- **CoordinatorVersion** Coordinator version of DTU +- **CV** Correlation vector +- **hResult** HRESULT of the failure + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupSuccess + +This event indicates that the Coordinator Cleanup call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run +- **ClientID** Client ID being run +- **CoordinatorVersion** Coordinator version of DTU +- **CV** Correlation vector + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Commit call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitSuccess + +This event indicates that the Coordinator Commit call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Download call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadIgnoredFailure + +This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Download call that will be ignored. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadSuccess + +This event indicates that the Coordinator Download call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator HandleShutdown call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinate version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownSuccess + +This event indicates that the Coordinator HandleShutdown call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Initialize call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeSuccess + +This event indicates that the Coordinator Initialize call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Install call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallIgnoredFailure + +This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Install call that will be ignored. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallSuccess + +This event indicates that the Coordinator Install call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorProgressCallBack + +This event indicates that the Coordinator's progress callback has been called. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **DeployPhase** Current Deploy Phase. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorSetCommitReadySuccess + +This event indicates that the Coordinator SetCommitReady call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiNotShown + +This event indicates that the Coordinator WaitForRebootUi call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSelection + +This event indicates that the user selected an option on the Reboot UI. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **rebootUiSelection** Selection on the Reboot UI. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSuccess + +This event indicates that the Coordinator WaitForRebootUi call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicabilityInternal call. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalSuccess + +This event indicates that the Handler CheckApplicabilityInternal call succeeded. + +The following fields are available: + +- **ApplicabilityResult** The result of the applicability check. +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilitySuccess + +This event indicates that the Handler CheckApplicability call succeeded. + +The following fields are available: + +- **ApplicabilityResult** The result code indicating whether the update is applicable. +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionSuccess + +This event indicates that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **CheckIfCoordinatorMinApplicableVersionResult** Result of CheckIfCoordinatorMinApplicableVersion function. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Commit call. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitSuccess + +This event indicates that the Handler Commit call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run.run +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabFailure + +This event indicates that the Handler Download and Extract cab call failed. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_failureReason** Reason why the update download and extract process failed. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabSuccess + +This event indicates that the Handler Download and Extract cab call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Download call. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadSuccess + +This event indicates that the Handler Download call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Initialize call. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extract. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeSuccess + +This event indicates that the Handler Initialize call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extraction. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Install call. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallSuccess + +This event indicates that the Coordinator Install call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadySuccess + +This event indicates that the Handler SetCommitReady call succeeded. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler WaitForRebootUi call. + +The following fields are available: + +- **CampaignID** The ID of the campaigning being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** The HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiSuccess + +This event indicates that the Handler WaitForRebootUi call succeeded. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +## DxgKernelTelemetry events + +### DxgKrnlTelemetry.GPUAdapterInventoryV2 + +This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date. + +The following fields are available: + +- **AdapterTypeValue** The numeric value indicating the type of Graphics adapter. +- **aiSeqId** The event sequence ID. +- **bootId** The system boot ID. +- **BrightnessVersionViaDDI** The version of the Display Brightness Interface. +- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. +- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). +- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). +- **DisplayAdapterLuid** The display adapter LUID. +- **DriverDate** The date of the display driver. +- **DriverRank** The rank of the display driver. +- **DriverVersion** The display driver version. +- **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store. +- **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store. +- **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store. +- **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store. +- **GPUDeviceID** The GPU device ID. +- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. +- **GPURevisionID** The GPU revision ID. +- **GPUVendorID** The GPU vendor ID. +- **InterfaceId** The GPU interface ID. +- **IsDisplayDevice** Does the GPU have displaying capabilities? +- **IsHwSchSupported** Indicates whether the adapter supports hardware scheduling. +- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? +- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? +- **IsLDA** Is the GPU comprised of Linked Display Adapters? +- **IsMiracastSupported** Does the GPU support Miracast? +- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor? +- **IsMPOSupported** Does the GPU support Multi-Plane Overlays? +- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution? +- **IsPostAdapter** Is this GPU the POST GPU in the device? +- **IsRemovable** TRUE if the adapter supports being disabled or removed. +- **IsRenderDevice** Does the GPU have rendering capabilities? +- **IsSoftwareDevice** Is this a software implementation of the GPU? +- **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store. +- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? +- **MsHybridDiscrete** Indicates whether the adapter is a discrete adapter in a hybrid configuration. +- **NumVidPnSources** The number of supported display output sources. +- **NumVidPnTargets** The number of supported display output targets. +- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes). +- **SubSystemID** The subsystem ID. +- **SubVendorID** The GPU sub vendor ID. +- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? +- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) +- **version** The event version. +- **WDDMVersion** The Windows Display Driver Model version. + + +## Failover Clustering events + +### Microsoft.Windows.Server.FailoverClusteringCritical.ClusterSummary2 + +This event returns information about how many resources and of what type are in the server cluster. This data is collected to keep Windows Server safe, secure, and up to date. The data includes information about whether hardware is configured correctly, if the software is patched correctly, and assists in preventing crashes by attributing issues (like fatal errors) to workloads and system configurations. + +The following fields are available: + +- **autoAssignSite** The cluster parameter: auto site. +- **autoBalancerLevel** The cluster parameter: auto balancer level. +- **autoBalancerMode** The cluster parameter: auto balancer mode. +- **blockCacheSize** The configured size of the block cache. +- **ClusterAdConfiguration** The ad configuration of the cluster. +- **clusterAdType** The cluster parameter: mgmt_point_type. +- **clusterDumpPolicy** The cluster configured dump policy. +- **clusterFunctionalLevel** The current cluster functional level. +- **clusterGuid** The unique identifier for the cluster. +- **clusterWitnessType** The witness type the cluster is configured for. +- **countNodesInSite** The number of nodes in the cluster. +- **crossSiteDelay** The cluster parameter: CrossSiteDelay. +- **crossSiteThreshold** The cluster parameter: CrossSiteThreshold. +- **crossSubnetDelay** The cluster parameter: CrossSubnetDelay. +- **crossSubnetThreshold** The cluster parameter: CrossSubnetThreshold. +- **csvCompatibleFilters** The cluster parameter: ClusterCsvCompatibleFilters. +- **csvIncompatibleFilters** The cluster parameter: ClusterCsvIncompatibleFilters. +- **csvResourceCount** The number of resources in the cluster. +- **currentNodeSite** The name configured for the current site for the cluster. +- **dasModeBusType** The direct storage bus type of the storage spaces. +- **downLevelNodeCount** The number of nodes in the cluster that are running down-level. +- **drainOnShutdown** Specifies whether a node should be drained when it is shut down. +- **dynamicQuorumEnabled** Specifies whether dynamic Quorum has been enabled. +- **enforcedAntiAffinity** The cluster parameter: enforced anti affinity. +- **genAppNames** The win32 service name of a clustered service. +- **genSvcNames** The command line of a clustered genapp. +- **hangRecoveryAction** The cluster parameter: hang recovery action. +- **hangTimeOut** Specifies the “hang time out” parameter for the cluster. +- **isCalabria** Specifies whether storage spaces direct is enabled. +- **isMixedMode** Identifies if the cluster is running with different version of OS for nodes. +- **isRunningDownLevel** Identifies if the current node is running down-level. +- **logLevel** Specifies the granularity that is logged in the cluster log. +- **logSize** Specifies the size of the cluster log. +- **lowerQuorumPriorityNodeId** The cluster parameter: lower quorum priority node ID. +- **minNeverPreempt** The cluster parameter: minimum never preempt. +- **minPreemptor** The cluster parameter: minimum preemptor priority. +- **netftIpsecEnabled** The parameter: netftIpsecEnabled. +- **NodeCount** The number of nodes in the cluster. +- **nodeId** The current node number in the cluster. +- **nodeResourceCounts** Specifies the number of node resources. +- **nodeResourceOnlineCounts** Specifies the number of node resources that are online. +- **numberOfSites** The number of different sites. +- **numNodesInNoSite** The number of nodes not belonging to a site. +- **plumbAllCrossSubnetRoutes** The cluster parameter: plumb all cross subnet routes. +- **preferredSite** The preferred site location. +- **privateCloudWitness** Specifies whether a private cloud witness exists for this cluster. +- **quarantineDuration** The quarantine duration. +- **quarantineThreshold** The quarantine threshold. +- **quorumArbitrationTimeout** In the event of an arbitration event, this specifies the quorum timeout period. +- **resiliencyLevel** Specifies the level of resiliency. +- **resourceCounts** Specifies the number of resources. +- **resourceTypeCounts** Specifies the number of resource types in the cluster. +- **resourceTypes** Data representative of each resource type. +- **resourceTypesPath** Data representative of the DLL path for each resource type. +- **sameSubnetDelay** The cluster parameter: same subnet delay. +- **sameSubnetThreshold** The cluster parameter: same subnet threshold. +- **secondsInMixedMode** The amount of time (in seconds) that the cluster has been in mixed mode (nodes with different operating system versions in the same cluster). +- **securityLevel** The cluster parameter: security level. +- **securityLevelForStorage** The cluster parameter: security level for storage. +- **sharedVolumeBlockCacheSize** Specifies the block cache size for shared for shared volumes. +- **shutdownTimeoutMinutes** Specifies the amount of time it takes to time out when shutting down. +- **upNodeCount** Specifies the number of nodes that are up (online). +- **useClientAccessNetworksForCsv** The cluster parameter: use client access networks for CSV. +- **vmIsolationTime** The cluster parameter: VM isolation time. +- **witnessDatabaseWriteTimeout** Specifies the timeout period for writing to the quorum witness database. + + +## Fault Reporting events + +### Microsoft.Windows.FaultReporting.AppCrashEvent + +This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event. + +The following fields are available: + +- **AppName** The name of the app that has crashed. +- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. +- **AppTimeStamp** The date/time stamp of the app. +- **AppVersion** The version of the app that has crashed. +- **AsFatal** No content is currently available. +- **Exceptio** No content is currently available. +- **ExceptionCode** The exception code returned by the process that has crashed. +- **ExceptionOffset** The address where the exception had occurred. +- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. +- **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. +- **IsFatal** True/False to indicate whether the crash resulted in process termination. +- **ModName** Exception module name (e.g. bar.dll). +- **ModTimestamp** No content is currently available. +- **ModTimeStamp** The date/time stamp of the module. +- **ModVersion** The version of the module that has crashed. +- **ode** No content is currently available. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has crashed. +- **ProcessId** The ID of the process that has crashed. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **targetAppVer** No content is currently available. +- **TargetAppVer** The specific version of the application being reported +- **TargetAsId** The sequence number for the hanging process. + + +## Feature update events + +### Microsoft.Windows.Upgrade.Uninstall.UninstallFinalizedAndRebootTriggered + +This event indicates that the uninstall was properly configured and that a system reboot was initiated. + + + +### Microsoft.Windows.Upgrade.Uninstall.UninstallGoBackButtonClicked + +This event sends basic metadata about the starting point of uninstalling a feature update, which helps ensure customers can safely revert to a well-known state if the update caused any problems. + + + +## Hang Reporting events + +### Microsoft.Windows.HangReporting.AppHangEvent + +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. + +The following fields are available: + +- **AppName** The name of the app that has hung. +- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend. +- **AppVersion** The version of the app that has hung. +- **IsFatal** True/False based on whether the hung application caused the creation of a Fatal Hang Report. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has hung. +- **ProcessId** The ID of the process that has hung. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported. +- **TargetAsId** The sequence number for the hanging process. +- **TypeCode** Bitmap describing the hang type. +- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application. +- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting. +- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting. +- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package. + + +## Inventory events + +### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum + +This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. + +The following fields are available: + +- **Device** A count of device objects in cache. +- **DeviceCensus** A count of device census objects in cache. +- **DriverPackageExtended** A count of driverpackageextended objects in cache. +- **File** A count of file objects in cache. +- **FileSigningInfo** A count of file signing objects in cache. +- **Generic** A count of generic objects in cache. +- **HwItem** A count of hwitem objects in cache. +- **IentoryMiscellaneousOfficeAddIn** No content is currently available. +- **InventoryApplication** A count of application objects in cache. +- **InventoryApplicationAppV** A count of application AppV objects in cache. +- **InventoryApplicationDriver** A count of application driver objects in cache +- **InventoryApplicationFile** A count of application file objects in cache. +- **InventoryApplicationFramework** A count of application framework objects in cache +- **InventoryApplicationShortcut** A count of application shortcut objects in cache +- **InventoryDeviceContainer** A count of device container objects in cache. +- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache. +- **InventoryDeviceMediaClass** A count of device media objects in cache. +- **InventoryDevicePnp** A count of device Plug and Play objects in cache. +- **InventoryDeviceUsbHubClass** A count of device usb objects in cache +- **InventoryDriverBinary** A count of driver binary objects in cache. +- **InventoryDriverPackage** A count of device objects in cache. +- **InventoryMiscellaneiscellaneousOfficeInsights** No content is currently available. +- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache +- **InventoryMiscellaneousOfficeAddInUsage** A count of office add-in usage objects in cache. +- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache +- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache +- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache +- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache +- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache +- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache +- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache +- **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache +- **Metadata** A count of metadata objects in cache. +- **Orphan** A count of orphan file objects in cache. +- **Programs** A count of program objects in cache. + + +### Microsoft.Windows.Inventory.Core.AmiTelCacheFileInfo + +Diagnostic data about the inventory cache. + +The following fields are available: + +- **CacheFileSize** Size of the cache. +- **InventoryVersion** Inventory version of the cache. +- **TempCacheCount** Number of temp caches created. +- **TempCacheDeletedCount** Number of temp caches deleted. + + +### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions + +This event sends inventory component versions for the Device Inventory data. + +The following fields are available: + +- **aeinv** The version of the App inventory component. +- **devinv** The file version of the Device inventory component. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd + +This event sends basic metadata about an application on the system to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **HiddenArp** Indicates whether a program hides itself from showing up in ARP. +- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). +- **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 +- **InstallDateFromLincFile** No content is currently available. +- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. +- **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array. +- **InventoryVersion** The version of the inventory file generating the events. +- **Language** The language code of the program. +- **MsipackageCode** No content is currently available. +- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. +- **MsiProductCode** A GUID that describe the MSI Product. +- **Name** The name of the application. +- **OSversionAtInstallTime** No content is currently available. +- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. +- **PackageFullName** The package full name for a Store application. +- **ProgramInstanceId** A hash of the file IDs in an app. +- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field. +- **RootDirPath** The path to the root directory where the program was installed. +- **Source** How the program was installed (for example, ARP, MSI, Appx). +- **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp. +- **type** No content is currently available. +- **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen. +- **Version** The version number of the program. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd + +This event represents what drivers an application installs. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory component. +- **ProgramIds** The unique program identifier the driver is associated with. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync + +The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory component. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd + +This event provides the basic metadata about the frameworks an application may depend on. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **FileId** A hash that uniquely identifies a file. +- **Frameworks** The list of frameworks this file depends on. +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync + +This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove + +This event indicates that a new set of InventoryDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync + +This event indicates that a new set of InventoryApplicationAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd + +This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device) to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Categories** A comma separated list of functional categories in which the container belongs. +- **DiscoveryMethod** The discovery method for the device container. +- **FriendlyName** The name of the device container. +- **InventoryVersion** The version of the inventory file generating the events. +- **IsActive** Is the device connected, or has it been seen in the last 14 days? +- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link. +- **IsMachineContainer** Is the container the root device itself? +- **IsNetworked** Is this a networked device? +- **IsPaired** Does the device container require pairing? +- **Manufacturer** The manufacturer name for the device container. +- **ModelId** A unique model ID. +- **ModelName** The model name. +- **ModelNumber** The model number for the device container. +- **PrimaryCategory** The primary category for the device container. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove + +This event indicates that the InventoryDeviceContainer object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync + +This event indicates that a new set of InventoryDeviceContainerAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd + +This event retrieves information about what sensor interfaces are available on the device. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Accelerometer3D** Indicates if an Accelerator3D sensor is found. +- **ActivityDetection** Indicates if an Activity Detection sensor is found. +- **AmbientLight** Indicates if an Ambient Light sensor is found. +- **Barometer** Indicates if a Barometer sensor is found. +- **Custom** Indicates if a Custom sensor is found. +- **EnergyMeter** Indicates if an Energy sensor is found. +- **FloorElevation** Indicates if a Floor Elevation sensor is found. +- **GeomagneticOrientation** Indicates if a Geo Magnetic Orientation sensor is found. +- **GravityVector** Indicates if a Gravity Detector sensor is found. +- **Gyrometer3D** Indicates if a Gyrometer3D sensor is found. +- **Humidity** Indicates if a Humidity sensor is found. +- **InventoryVersion** The version of the inventory file generating the events. +- **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found. +- **Magnetometer3D** Indicates if a Magnetometer3D sensor is found. +- **Orientation** Indicates if an Orientation sensor is found. +- **Pedometer** Indicates if a Pedometer sensor is found. +- **Proximity** Indicates if a Proximity sensor is found. +- **RelativeOrientation** Indicates if a Relative Orientation sensor is found. +- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found. +- **Temperature** Indicates if a Temperature sensor is found. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync + +This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd + +This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **audio.captureDriver** Audio device capture driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14887.1000:hdaudio\func_01 +- **audio.renderDriver** Audio device render driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14889.1001:hdaudio\func_01 +- **Audio_CaptureDriver** The Audio device capture driver endpoint. +- **Audio_RenderDriver** The Audio device render driver endpoint. +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove + +This event indicates that the InventoryDeviceMediaClassRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync + +This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. + +This event includes fields from [Ms.Device.De~iceInventoryChange](#msdevicede~iceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd + +This event represents the basic metadata about a plug and play (PNP) device and its associated driver. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **]pperClassFilters** No content is currently available. +- **basedata** No content is currently available. See [basedata](#basedata). +- **BusReportedDescraption** No content is currently available. +- **BusReportedDescription** The description of the device reported by the bux. +- **BusReptrtedDescription** No content is currently available. +- **Clas{Guid** No content is currently available. +- **Class** The device setup class of the driver loaded for the device. +- **ClassGuid** The device class unique identifier of the driver package loaded on the device. +- **COMPID** The list of “Compatible IDs” for this device. +- **Con|ainerId** No content is currently available. +- **ContainerId** The system-supplied unique identifier that specifies which group(s) the device(s) installed on the parent (main) device belong to. +- **Descriptaon** No content is currently available. +- **Description** The description of the device. +- **DeviceDriverFlightId** No content is currently available. +- **DeviceExtDriversFlightIds** No content is currently available. +- **DeviceInterfaceClasses** The device interfaces that this device implements. +- **DeviceState** Identifies the current state of the parent (main) device. +- **DriverAd** No content is currently available. +- **DriverId** The unique identifier for the installed driver. +- **DriverName** The name of the driver image file. +- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage. +- **DriverVer^ersion** No content is currently available. +- **DriverVerDate** The date associated with the driver installed on the device. +- **DriverVerVersion** The version number of the driver installed on the device. +- **Enumerator** Identifies the bus that enumerated the device. +- **ExtendedInfs** The extended INF file names. +- **FirstInstallDate** No content is currently available. +- **H_ID** No content is currently available. +- **HWID** A list of hardware IDs for the device. +- **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). +- **InstallDate** No content is currently available. +- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx +- **InventoryVersion** The version number of the inventory process generating the events. +- **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. +- **LowerFilters** The identifiers of the Lower filters installed for the device. +- **Manufacturer** The manufacturer of the device. +- **MatchangID** No content is currently available. +- **MatchingID** The Hardware ID or Compatible ID that Windows uses to install a device instance. +- **Modeh** No content is currently available. +- **Model** Identifies the model of the device. +- **ParentId** The Device Instance ID of the parent of the device. +- **ProblemCode** The error code currently returned by the device, if applicable. +- **ProblmmCode** No content is currently available. +- **Provider** Identifies the device provider. +- **Service** The name of the device service. +- **STACKID** The list of hardware IDs for the stack. +- **UpperClassFilters** The identifiers of the Upper Class filters installed for the device. +- **UpperFilters** The identifiers of the Upper filters installed for the device. +- **UpxerClassFilters** No content is currently available. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove + +This event indicates that the InventoryDevicePnpRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync + +This event indicates that a new set of InventoryDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd + +This event sends basic metadata about the USB hubs on the device. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. +- **TotalUserConnectablePorts** Total number of connectable USB ports. +- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync + +This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent. + +This event includes fields from [Ms.De~ice.DeviceInventoryChange](#msde~icedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd + +This event provides the basic metadata about driver binaries running on the system. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **DrivdrCompany** No content is currently available. +- **DriverCheckSum** The checksum of the driver file. +- **DriverCompany** The company name that developed the driver. +- **DriverInBox** Is the driver included with the operating system? +- **DriverIsKernelMode** Is it a kernel mode driver? +- **DriverName** The file name of the driver. +- **DriverPackageStrongName** The strong name of the driver package +- **DriverSigned** The strong name of the driver package +- **DriverTimeStamp** The low 32 bits of the time stamp of the driver file. +- **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. +- **DriverVersion** The version of the driver file. +- **ImageSize** The size of the driver file. +- **ImageSmze** No content is currently available. +- **Inf** The name of the INF file. +- **InventoryVersion** The version of the inventory file generating the events. +- **Product** The product name that is included in the driver file. +- **ProductVersion** The product version that is included in the driver file. +- **Service** The name of the service that is installed for the device. +- **WdfVersion** The Windows Driver Framework version. +- **WdfVers-on** No content is currently available. +- **WdfVersÿon** No content is currently available. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove + +This event indicates that the InventoryDriverBinary object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync + +This event indicates that a new set of InventoryDriverBinaryAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd + +This event sends basic metadata about drive packages installed on the system to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Class** The class name for the device driver. +- **ClassGuid** The class GUID for the device driver. +- **Date** The driver package date. +- **Directory** The path to the driver package. +- **DriverInBox** Is the driver included with the operating system? +- **Inf** The INF name of the driver package. +- **InventoryVersion** The version of the inventory file generating the events. +- **Provider** The provider for the driver package. +- **SubmissionId** The HLK submission ID for the driver package. +- **Version** The version of the driver package. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove + +This event indicates that the InventoryDriverPackageRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync + +This event indicates that a new set of InventoryDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.StartUtcJsonTrace + +This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the beginning of the event download, and that tracing should begin. + + + +### Microsoft.Windows.Inventory.Core.StopUtcJsonTrace + +This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the end of the event download, and that tracing should end. + + + +### Microsoft.Windows.Inventory.General.AppHealthStaticAdd + +This event sends details collected for a specific application on the source device. + +The following fields are available: + +- **AhaVersion** The binary version of the App Health Analyzer tool. +- **ApplicationErrors** The count of application errors from the event log. +- **Bitness** The architecture type of the application (16 Bit or 32 bit or 64 bit). +- **device_level** Various JRE/JAVA versions installed on a particular device. +- **ExtendedProperties** Attribute used for aggregating all other attributes under this event type. +- **Jar** Flag to determine if an app has a Java JAR file dependency. +- **Jre** Flag to determine if an app has JRE framework dependency. +- **Jre_version** JRE versions an app has declared framework dependency for. +- **Name** Name of the application. +- **NonDPIAware** Flag to determine if an app is non-DPI aware. +- **NumBinaries** Count of all binaries (.sys,.dll,.ini) from application install location. +- **RequiresAdmin** Flag to determine if an app requests admin privileges for execution. +- **RequiresAdminv2** Additional flag to determine if an app requests admin privileges for execution. +- **RequiresUIAccess** Flag to determine if an app is based on UI features for accessibility. +- **VB6** Flag to determine if an app is based on VB6 framework. +- **VB6v2** Additional flag to determine if an app is based on VB6 framework. +- **Version** Version of the application. +- **VersionCheck** Flag to determine if an app has a static dependency on OS version. +- **VersionCheckv2** Additional flag to determine if an app has a static dependency on OS version. + + +### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync + +This event indicates the beginning of a series of AppHealthStaticAdd events. + +The following fields are available: + +- **AllowTelemetry** Indicates the presence of the 'allowtelemetry' command line argument. +- **CommandLineArgs** Command line arguments passed when launching the App Health Analyzer executable. +- **Enhanced** Indicates the presence of the 'enhanced' command line argument. +- **StartTime** UTC date and time at which this event was sent. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd + +Provides data on the installed Office Add-ins. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AddinCLSID** The class identifier key for the Microsoft Office add-in. +- **AddInCLSID** The class identifier key for the Microsoft Office add-in. +- **AddInId** The identifier for the Microsoft Office add-in. +- **AddinType** The type of the Microsoft Office add-in. +- **BinFileTimestamp** The timestamp of the Office add-in. +- **BinFileVersion** The version of the Microsoft Office add-in. +- **Description** Description of the Microsoft Office add-in. +- **FileId** The file identifier of the Microsoft Office add-in. +- **FileSize** The file size of the Microsoft Office add-in. +- **FriendlyName** The friendly name for the Microsoft Office add-in. +- **FullPath** The full path to the Microsoft Office add-in. +- **InventoryVersion** The version of the inventory binary generating the events. +- **LoadBehavior** Integer that describes the load behavior. +- **LoadTime** Load time for the Office add-in. +- **OfficeApplication** The Microsoft Office application associated with the add-in. +- **OfficeArchitecture** The architecture of the add-in. +- **OfficeVersion** The Microsoft Office version for this add-in. +- **OutlookCrashingAddin** Indicates whether crashes have been found for this add-in. +- **ProductCompany** The name of the company associated with the Office add-in. +- **ProductName** The product name associated with the Microsoft Office add-in. +- **ProductVersion** The version associated with the Office add-in. +- **ProgramId** The unique program identifier of the Microsoft Office add-in. +- **Provider** Name of the provider for this add-in. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync + +This event indicates that a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd + +Provides data on the Office identifiers. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OAudienceData** Sub-identifier for Microsoft Office release management, identifying the pilot group for a device +- **OAudienceId** Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device +- **OMID** Identifier for the Office SQM Machine +- **OPlatform** Whether the installed Microsoft Office product is 32-bit or 64-bit +- **OTenantId** Unique GUID representing the Microsoft O365 Tenant +- **OVersion** Installed version of Microsoft Office. For example, 16.0.8602.1000 +- **OWowMID** Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft Office on 64-bit Windows) + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd + +Provides data on Office-related Internet Explorer features. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OIeFeatureAddon** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the user or by administrative group policy will also be disabled in applications that enable this feature. +- **OIeMachineLockdown** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on content loaded from the user's local machine, which helps prevent malicious behavior involving local files. +- **OIeMimeHandling** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely. Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) +- **OIeMimeSniffing** Flag indicating which Microsoft Office products have this setting enabled. Determines a file's type by examining its bit signature. Windows Internet Explorer uses this information to determine how to render the file. The FEATURE_MIME_SNIFFING feature, when enabled, allows to be set differently for each security zone by using the URLACTION_FEATURE_MIME_SNIFFING URL action flag +- **OIeNoAxInstall** Flag indicating which Microsoft Office products have this setting enabled. When a webpage attempts to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request. When a webpage tries to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request +- **OIeNoDownload** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_RESTRICT_FILEDOWNLOAD feature blocks file download requests that navigate to a resource, that display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click or key press). Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) +- **OIeObjectCaching** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_OBJECT_CACHING feature prevents webpages from accessing or instantiating ActiveX controls cached from different domains or security contexts +- **OIePasswordDisable** Flag indicating which Microsoft Office products have this setting enabled. After Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2), Internet Explorer no longer allows usernames and passwords to be specified in URLs that use the HTTP or HTTPS protocols. URLs using other protocols, such as FTP, still allow usernames and passwords +- **OIeSafeBind** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SAFE_BINDTOOBJECT feature performs additional safety checks when calling MonikerBindToObject to create and initialize Microsoft ActiveX controls. Specifically, prevent the control from being created if COMPAT_EVIL_DONT_LOAD is in the registry for the control +- **OIeSecurityBand** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled, the Information bar appears when file download or code installation is restricted +- **OIeUncSaveCheck** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_UNC_SAVEDFILECHECK feature enables the Mark of the Web (MOTW) for local files loaded from network locations that have been shared by using the Universal Naming Convention (UNC) +- **OIeValidateUrl** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_VALIDATE_NAVIGATE_URL feature control prevents Windows Internet Explorer from navigating to a badly formed URL +- **OIeWebOcPopup** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_WEBOC_POPUPMANAGEMENT feature allows applications hosting the WebBrowser Control to receive the default Internet Explorer pop-up window management behavior +- **OIeWinRestrict** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_WINDOW_RESTRICTIONS feature adds several restrictions to the size and behavior of popup windows +- **OIeZoneElevate** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_ZONE_ELEVATION feature prevents pages in one zone from navigating to pages in a higher security zone unless the navigation is generated by the user + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd + +This event provides insight data on the installed Office products + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OfficeApplication** The name of the Office application. +- **OfficeArchitecture** The bitness of the Office application. +- **OfficeVersion** The version of the Office application. +- **Valóe** No content is currently available. +- **Value** The insights collected about this entity. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync + +This diagnostic event indicates that a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd + +Describes Office Products installed. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OC2rApps** A GUID the describes the Office Click-To-Run apps +- **OC2rSkus** Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example, Office 2016 ProPlus +- **OMsiApps** Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word +- **OProductCodes** A GUID that describes the Office MSI products + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd + +This event describes various Office settings + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **BrowserFlags** Browser flags for Office-related products +- **ExchangeProviderFlags** Provider policies for Office Exchange +- **InventoryVersion** The version of the inventory binary generating the events. +- **SharedComputerLicensing** Office shared computer licensing policies + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync + +Indicates a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd + +This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Design** Count of files with design issues found. +- **Design_x64** Count of files with 64 bit design issues found. +- **DuplicateVBA** Count of files with duplicate VBA code. +- **HasVBA** Count of files with VBA code. +- **Inaccessible** Count of files that were inaccessible for scanning. +- **InventoryVersion** The version of the inventory binary generating the events. +- **Issues** Count of files with issues detected. +- **Issues_x64** Count of files with 64-bit issues detected. +- **IssuesNone** Count of files with no issues detected. +- **IssuesNone_x64** Count of files with no 64-bit issues detected. +- **Locked** Count of files that were locked, preventing scanning. +- **NoVBA** Count of files with no VBA inside. +- **Protected** Count of files that were password protected, preventing scanning. +- **RemLimited** Count of files that require limited remediation changes. +- **RemLimited_x64** Count of files that require limited remediation changes for 64-bit issues. +- **RemSignificant** Count of files that require significant remediation changes. +- **RemSignificant_x64** Count of files that require significant remediation changes for 64-bit issues. +- **Score** Overall compatibility score calculated for scanned content. +- **Score_x64** Overall 64-bit compatibility score calculated for scanned content. +- **Total** Total number of files scanned. +- **Validation** Count of files that require additional manual validation. +- **Validation_x64** Count of files that require additional manual validation for 64-bit issues. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd + +This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Count** Count of total Microsoft Office VBA rule violations +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync + +This event indicates that a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd + +Provides data on Unified Update Platform (UUP) products and what version they are at. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Identifier** UUP identifier +- **LastActivatedVersion** Last activated version +- **PreviousVersion** Previous version +- **Source** UUP source +- **Version** UUP version + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.Indicators.Checksum + +This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events. + +The following fields are available: + +- **CensusId** A unique hardware identifier. +- **ChecksumDictionary** A count of each operating system indicator. +- **PCFP** Equivalent to the InventoryId field that is found in other core events. + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd + +These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **IndicatorValue** The indicator value. +- **Value** Describes an operating system indicator that may be relevant for the device upgrade. + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove + +This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync + +This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +## Kernel events + +### IO + +This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon system startup. + +The following fields are available: + +- **BootAttemptCount** No content is currently available. +- **BootStatusPolicy** No content is currently available. +- **BootType** No content is currently available. +- **BytesRead** The total number of bytes read from or read by the OS upon system startup. +- **BytesWritten** The total number of bytes written to or written by the OS upon system startup. +- **FirmwareResetReasonEmbeddedController** No content is currently available. +- **FirmwareResetReasonEmbeddedControllerAdditional** No content is currently available. +- **FirmwareResetReasonPch** No content is currently available. +- **FirmwareResetReasonPchAdditional** No content is currently available. +- **FirmwareResetReasonSupplied** No content is currently available. +- **LastBootSucceeded** No content is currently available. +- **LastShutdownSucceeded** No content is currently available. +- **MeasuredLaunchResume** No content is currently available. +- **MenuPolicy** No content is currently available. +- **RecoveryEnabled** No content is currently available. +- **UserInputTime** No content is currently available. + + +### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch + +OS information collected during Boot, used to evaluate the success of the upgrade process. + +The following fields are available: + +- **Boo|ApplicationId** No content is currently available. +- **BootApplicataonId** No content is currently available. +- **BootApplicationId** This field tells us what the OS Loader Application Identifier is. +- **BootAttemptCount** The number of consecutive times the boot manager has attempted to boot into this operating system. +- **BootSequence** The current Boot ID, used to correlate events related to a particular boot session. +- **BootStatusPolicy** Identifies the applicable Boot Status Policy. +- **BootType** Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume"). +- **EventTimestamp** Seconds elapsed since an arbitrary time point. This can be used to identify the time difference in successive boot attempts being made. +- **FirmwareResetReasonEmbeddedController** Reason for system reset provided by firmware. +- **FirmwareResetReasonEmbeddedControllerAdditional** Additional information on system reset reason provided by firmware if needed. +- **FirmwareResetReasonPch** Reason for system reset provided by firmware. +- **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed. +- **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware. +- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See [IO](#io). +- **LastBootSucceeded** Flag indicating whether the last boot was successful. +- **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful. +- **MaxAbove4GbFreeRange** This field describes the largest memory range available above 4Gb. +- **MaxBelow4GbFreeRange** This field describes the largest memory range available below 4Gb. +- **MeasuredLaunchPrepared** This field tells us if the OS launch was initiated using Measured/Secure Boot over DRTM (Dynamic Root of Trust for Measurement). +- **MeasuredLaunchResume** This field tells us if Dynamic Root of Trust for Measurement (DRTM) was used when resuming from hibernation. +- **MenuPolicy** Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.). +- **RecoveryEnabled** Indicates whether recovery is enabled. +- **SecureLaunchPrepared** This field indicates if DRTM was prepared during boot. +- **TcbLaunch** Indicates whether the Trusted Computing Base was used during the boot flow. +- **UserInputTime** The amount of time the loader application spent waiting for user input. + + +## Miracast events + +### Microsoft.Windows.Cast.Miracast.MiracastSessionEnd + +This event sends data at the end of a Miracast session that helps determine RTSP related Miracast failures along with some statistics about the session + +The following fields are available: + +- **AudioChannelCount** The number of audio channels. +- **AudioSampleRate** The sample rate of audio in terms of samples per second. +- **AudioSubtype** The unique subtype identifier of the audio codec (encoding method) used for audio encoding. +- **AverageBitrate** The average video bitrate used during the Miracast session, in bits per second. +- **AverageDataRate** The average available bandwidth reported by the WiFi driver during the Miracast session, in bits per second. +- **AveragePacketSendTimeInMs** The average time required for the network to send a sample, in milliseconds. +- **ConnectorType** The type of connector used during the Miracast session. +- **EncodeAverageTimeMS** The average time to encode a frame of video, in milliseconds. +- **EncodeCount** The count of total frames encoded in the session. +- **EncodeMaxTimeMS** The maximum time to encode a frame, in milliseconds. +- **EncodeMinTimeMS** The minimum time to encode a frame, in milliseconds. +- **EncoderCreationTimeInMs** The time required to create the video encoder, in milliseconds. +- **ErrorSource** Identifies the component that encountered an error that caused a disconnect, if applicable. +- **FirstFrameTime** The time (tick count) when the first frame is sent. +- **FirstLatencyMode** The first latency mode. +- **FrameAverageTimeMS** Average time to process an entire frame, in milliseconds. +- **FrameCount** The total number of frames processed. +- **FrameMaxTimeMS** The maximum time required to process an entire frame, in milliseconds. +- **FrameMinTimeMS** The minimum time required to process an entire frame, in milliseconds. +- **Glitches** The number of frames that failed to be delivered on time. +- **HardwareCursorEnabled** Indicates if hardware cursor was enabled when the connection ended. +- **HDCPState** The state of HDCP (High-bandwidth Digital Content Protection) when the connection ended. +- **HighestBitrate** The highest video bitrate used during the Miracast session, in bits per second. +- **HighestDataRate** The highest available bandwidth reported by the WiFi driver, in bits per second. +- **LastLatencyMode** The last reported latency mode. +- **LogTimeReference** The reference time, in tick counts. +- **LowestBitrate** The lowest video bitrate used during the Miracast session, in bits per second. +- **LowestDataRate** The lowest video bitrate used during the Miracast session, in bits per second. +- **MediaErrorCode** The error code reported by the media session, if applicable. +- **MiracastEntry** The time (tick count) when the Miracast driver was first loaded. +- **MiracastM1** The time (tick count) when the M1 request was sent. +- **MiracastM2** The time (tick count) when the M2 request was sent. +- **MiracastM3** The time (tick count) when the M3 request was sent. +- **MiracastM4** The time (tick count) when the M4 request was sent. +- **MiracastM5** The time (tick count) when the M5 request was sent. +- **MiracastM6** The time (tick count) when the M6 request was sent. +- **MiracastM7** The time (tick count) when the M7 request was sent. +- **MiracastSessionState** The state of the Miracast session when the connection ended. +- **MiracastStreaming** The time (tick count) when the Miracast session first started processing frames. +- **ProfileCount** The count of profiles generated from the receiver M4 response. +- **ProfileCountAfterFiltering** The count of profiles after filtering based on available bandwidth and encoder capabilities. +- **RefreshRate** The refresh rate set on the remote display. +- **RotationSupported** Indicates if the Miracast receiver supports display rotation. +- **RTSPSessionId** The unique identifier of the RTSP session. This matches the RTSP session ID for the receiver for the same session. +- **SessionGuid** The unique identifier of to correlate various Miracast events from a session. +- **SinkHadEdid** Indicates if the Miracast receiver reported an EDID. +- **SupportMicrosoftColorSpaceConversion** Indicates whether the Microsoft color space conversion for extra color fidelity is supported by the receiver. +- **SupportsMicrosoftDiagnostics** Indicates whether the Miracast receiver supports the Microsoft Diagnostics Miracast extension. +- **SupportsMicrosoftFormatChange** Indicates whether the Miracast receiver supports the Microsoft Format Change Miracast extension. +- **SupportsMicrosoftLatencyManagement** Indicates whether the Miracast receiver supports the Microsoft Latency Management Miracast extension. +- **SupportsMicrosoftRTCP** Indicates whether the Miracast receiver supports the Microsoft RTCP Miracast extension. +- **SupportsMicrosoftVideoFormats** Indicates whether the Miracast receiver supports Microsoft video format for 3:2 resolution. +- **SupportsWiDi** Indicates whether Miracast receiver supports Intel WiDi extensions. +- **TeardownErrorCode** The error code reason for teardown provided by the receiver, if applicable. +- **TeardownErrorReason** The text string reason for teardown provided by the receiver, if applicable. +- **UIBCEndState** Indicates whether UIBC was enabled when the connection ended. +- **UIBCEverEnabled** Indicates whether UIBC was ever enabled. +- **UIBCStatus** The result code reported by the UIBC setup process. +- **VideoBitrate** The starting bitrate for the video encoder. +- **VideoCodecLevel** The encoding level used for encoding, specific to the video subtype. +- **VideoHeight** The height of encoded video frames. +- **VideoSubtype** The unique subtype identifier of the video codec (encoding method) used for video encoding. +- **VideoWidth** The width of encoded video frames. +- **WFD2Supported** Indicates if the Miracast receiver supports WFD2 protocol. + + +## OneDrive events + +### Microsoft.OneDrive.Sync.Setup.APIOperation + +This event includes basic data about install and uninstall OneDrive API operations. + +The following fields are available: + +- **APIName** The name of the API. +- **Duration** How long the operation took. +- **IsSuccess** Was the operation successful? +- **ResultCode** The result code. +- **ScenarioName** The name of the scenario. + + +### Microsoft.OneDrive.Sync.Setup.EndExperience + +This event includes a success or failure summary of the installation. + +The following fields are available: + +- **APIName** The name of the API. +- **HResult** HResult of the operation +- **IsSuccess** Whether the operation is successful or not +- **ScenarioName** The name of the scenario. + + +### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation + +This event is related to the OS version when the OS is upgraded with OneDrive installed. + +The following fields are available: + +- **CurrentOneDriveVersion** The current version of OneDrive. +- **CurrentOSBuildBranch** The current branch of the operating system. +- **CurrentOSBuildNumber** The current build number of the operating system. +- **CurrentOSVersion** The current version of the operating system. +- **HResult** The HResult of the operation. +- **SourceOSBuildBranch** The source branch of the operating system. +- **SourceOSBuildNumber** The source build number of the operating system. +- **SourceOSVersion** The source version of the operating system. + + +### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation + +This event is related to registering or unregistering the OneDrive update task. + +The following fields are available: + +- **APIName** The name of the API. +- **IsSuccess** Was the operation successful? +- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation. +- **ScenarioName** The name of the scenario. +- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation. + + +### Microsoft.OneDrive.Sync.Updater.ComponentInstallState + +This event includes basic data about the installation state of dependent OneDrive components. + +The following fields are available: + +- **ComponentName** The name of the dependent component. +- **isInstalled** Is the dependent component installed? + + +### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus + +This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken + +The following fields are available: + +- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system. +- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system. + + +### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult + +This event sends information describing the result of the update. + +The following fields are available: + +- **br** No content is currently available. +- **hr** The HResult of the operation. +- **IsLoggingE~abled** No content is currently available. +- **IsLoggingEnabled** Indicates whether logging is enabled for the updater. +- **UpdaterVersion** The version of the updater. + + +### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult + +This event determines the status when downloading the OneDrive update configuration file. + +The following fields are available: + +- **hr** The HResult of the operation. + + +### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus + +This event determines the error code that was returned when verifying Internet connectivity. + +The following fields are available: + +- **winInetError** The HResult of the operation. + + +## Privacy consent logging events + +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted + +This event is used to determine whether the user successfully completed the privacy consent experience. + +The following fields are available: + +- **presentationVersion** Which display version of the privacy consent experience the user completed +- **privacyConsentState** The current state of the privacy consent experience +- **settingsVersion** Which setting version of the privacy consent experience the user completed +- **userOobeExitReason** The exit reason of the privacy consent experience + + +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus + +Event tells us effectiveness of new privacy experience. + +The following fields are available: + +- **isAdmin** whether the person who is logging in is an admin +- **isExistingUser** whether the account existed in a downlevel OS +- **isLaunching** Whether or not the privacy consent experience will be launched +- **isSilentElevation** whether the user has most restrictive UAC controls +- **privacyConsentState** whether the user has completed privacy experience +- **userRegionCode** The current user's region setting + + +### wilActivity + +This event provides a Windows Internal Library context used for Product and Service diagnostics. + +The following fields are available: + +- **callContext** The function where the failure occurred. +- **currentContextId** The ID of the current call context where the failure occurred. +- **currentContextMessage** The message of the current call context where the failure occurred. +- **currentContextName** The name of the current call context where the failure occurred. +- **failureCount** The number of failures for this failure ID. +- **failureId** The ID of the failure that occurred. +- **failureType** The type of the failure that occurred. +- **fileName** The file name where the failure occurred. +- **function** The function where the failure occurred. +- **hresult** The HResult of the overall activity. +- **lineNumber** The line number where the failure occurred. +- **message** The message of the failure that occurred. +- **module** The module where the failure occurred. +- **originatingContextId** The ID of the originating call context that resulted in the failure. +- **originatingContextMessage** The message of the originating call context that resulted in the failure. +- **originatingContextName** The name of the originating call context that resulted in the failure. +- **threadId** The ID of the thread on which the activity is executing. + + +## Sediment events + +### Microsoft.Windows.Sediment.Info.DetailedState + +This event is sent when detailed state information is needed from an update trial run. + +The following fields are available: + +- **Data** Data relevant to the state, such as what percent of disk space the directory takes up. +- **Id** Identifies the trial being run, such as a disk related trial. +- **ReleaseVer** The version of the component. +- **State** The state of the reporting data from the trial, such as the top-level directory analysis. +- **Time** The time the event was fired. + + +### Microsoft.Windows.Sediment.Info.Error + +This event indicates an error in the updater payload. This information assists in keeping Windows up to date. + +The following fields are available: + +- **FailureType** The type of error encountered. +- **FileName** The code file in which the error occurred. +- **HResult** The failure error code. +- **LineNumber** The line number in the code file at which the error occurred. +- **ReleaseVer** The version information for the component in which the error occurred. +- **Time** The system time at which the error occurred. + + +### Microsoft.Windows.Sediment.Info.PhaseChange + +The event indicates progress made by the updater. This information assists in keeping Windows up to date. + +The following fields are available: + +- **NewPhase** The phase of progress made. +- **ReleaseVer** The version information for the component in which the change occurred. +- **Time** The system time at which the phase chance occurred. + + +## Setup events + +### SetupPlatformTel.SetupPlatformTelActivityEvent + +This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date. + +The following fields are available: + +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **Value** Value associated with the corresponding event name. For example, time-related events will include the system time + + +### SetupPlatformTel.SetupPlatformTelActivityStarted + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + +The following fields are available: + +- **Name** The name of the dynamic update type. Example: GDR driver + + +### SetupPlatformTel.SetupPlatformTelActivityStopped + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + + + +### SetupPlatformTel.SetupPlatformTelEvent + +This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios. + +The following fields are available: + +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. + + +## Software update events + +### SoftwareUpdateClientTelemetry.CheckForUpdates + +Scan process event on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). + +The following fields are available: + +- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. +- **AllowCachedResults** Indicates if the scan allowed using cached results. +- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. +- **BranchReadinessLevel** The servicing branch configured on the device. +- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated. +- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. +- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0. +- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown +- **CurrentMobileOperator** The mobile operator the device is currently connected to. +- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). +- **DeferredUpdates** Update IDs which are currently being deferred until a later time +- **DeviceModel** What is the device model. +- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. +- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. +- **DriverGxclusionPolicy** No content is currently available. +- **DriverSyncPassPerformed** Were drivers scanned this time? +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **ExtendedMetadataCabUrl** Hostname that is used to download an update. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. +- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. +- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. +- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days). +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FeatureUpdatePause9-8iod** No content is currently available. +- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days). +- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). +- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. +- **I#Version** No content is currently available. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IPVersion** Indicates whether the download took place over IPv4 or IPv6 +- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. +- **IsWUfBDualScaninabled** No content is currently available. +- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. +- **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. +- **IsWUfBinabled** No content is currently available. +- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce +- **MSIError** The last error that was encountered during a scan for updates. +- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 +- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete +- **NumberOfApplicationsCategoryScanEval}ated** No content is currently available. +- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked +- **NumberOfLoop** The number of round trips the scan required +- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan +- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan +- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. +- **Online** Indicates if this was an online scan. +- **PausedUpdates** A list of UpdateIds which that currently being paused. +- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window. +- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window. +- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window. +- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window. +- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced. +- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. +- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days). +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **QualityUpdatePause9-8iod** No content is currently available. +- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days). +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **S}ncType** No content is currently available. +- **ScanDuratioInSeconds** No content is currently available. +- **ScanDurationInSeconds** The number of seconds a scan took +- **ScanEnqueueTime** The number of seconds it took to initialize a scan +- **ScanPrps** No content is currently available. +- **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). +- **ServiceUrl** The environment URL a device is configured to scan with +- **ShippingMobileOperator** The mobile operator that a device shipped on. +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). +- **SyncType** Describes the type of scan the event was +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. +- **TotalNumMetadataSignatureM** No content is currently available. +- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. +- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### SoftwareUpdateClientTelemetry.Commit + +This event tracks the commit process post the update installation when software update client is trying to update the device. + +The following fields are available: + +- **BiosFamily** Device family as defined in the system BIOS +- **BiosName** Name of the system BIOS +- **BiosReleaseDate** Release date of the system BIOS +- **BiosSKUNumber** Device SKU as defined in the system BIOS +- **BIOSVendor** Vendor of the system BIOS +- **BiosVersion** Version of the system BIOS +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRevisionNumber** Identifies the revision number of the content bundle +- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** Version number of the software distribution client +- **DeploymentProviderMode** The mode of operation of the update deployment provider. +- **DeviceModel** Device model as defined in the system bios +- **EventInstanceID** A globally unique identifier for event instance +- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver". +- **FlightId** The specific id of the flight the device is getting +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) +- **RevisionNumber** Identifies the revision number of this specific piece of content +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). +- **SystemBIOSMajorRelease** Major release version of the system bios +- **SystemBIOSMinorRelease** Minor release version of the system bios +- **UpdateId** Identifier associated with the specific piece of content +- **WUDeviceID** Unique device id controlled by the software distribution client + + +### SoftwareUpdateClientTelemetry.Download + +Download process event for target update on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). + +The following fields are available: + +- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded. +- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload. +- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. +- **AppXDownloadScope** Indicates the scope of the download for application content. +- **AppXScope** Indicates the scope of the app download. +- **aundleBy1esDownl?aded** No content is currently available. +- **B1ndleRepeatFailCount** No content is currently available. +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. +- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. +- **BundleId** Identifier associated with the specific content bundle. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). +- **CachedEngineVersion** The version of the “Self-Initiated Healing” (SIH) engine that is cached on the device, if applicable. +- **CallerApplicationName** The name provided by the application that initiated API calls into the software distribution client. +- **Cbs5ethod** No content is currently available. +- **CbsDownloadMethod** Indicates whether the download was a full- or a partial-file download. +- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. +- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. +- **CDNId** ID which defines which CDN the software distribution client downloaded the content from. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. +- **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. +- **CurrentMobileOperator** The mobile operator the device is currently connected to. +- **DeviceModel** The model of the device. +- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. +- **DownloadProps** Information about the download operation properties in the form of a bitmask. +- **DownloadType** Differentiates the download type of “Self-Initiated Healing” (SIH) downloads between Metadata and Payload downloads. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenarao** No content is currently available. +- **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed. +- **EventType** Identifies the type of the event (Child, Bundle, or Driver). +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). +- **flightBuildNumber** No content is currently available. +- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. +- **FlightId** The specific ID of the flight (pre-release build) the device is getting. +- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). +- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. +- **HostName** The hostname URL the content is downloading from. +- **IPVersion** Indicates whether the download took place over IPv4 or IPv6. +- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update +- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. +- **IsWVfBDualScanEnabled** No content is currently available. +- **IsWVfBEnabled** No content is currently available. +- **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. +- **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) +- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." +- **PackageFullName** The package name of the content. +- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. +- **PostDnldTime** Time (in seconds) taken to signal download completion after the last job completed downloading the payload. +- **ProcessName** The process name of the application that initiated API calls, in the event where CallerApplicationName was not provided. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background. +- **RegulationReason** The reason that the update is regulated +- **RegulationReóult** No content is currently available. +- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. +- **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. +- **RelqtedCV** No content is currently available. +- **RepeatFailCount** Indicates whether this specific content has previously failed. +- **RepeatFailFlag** Indicates whether this specific content previously failed to download. +- **RevisionNumber** The revision number of the specified piece of content. +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). +- **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. +- **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. +- **SizeCalcTime** Time (in seconds) taken to calculate the total download size of the payload. +- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **TargetMetadataVersion** The version of the currently downloading (or most recently downloaded) package. +- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet. +- **TimeToEstablishConnection** Time (in milliseconds) it took to establish the connection prior to beginning downloaded. +- **TotalEx8ectedBydes** No content is currently available. +- **TotalExpectedBytes** The total size (in Bytes) expected to be downloaded. +- **UpdateId** An identifier associated with the specific piece of content. +- **UpdateID** An identifier associated with the specific piece of content. +- **UpdateImportance** Indicates whether the content was marked as Important, Recommended, or Optional. +- **UsecDO** No content is currently available. +- **UsedDO** Indicates whether the download used the Delivery Optimization (DO) service. +- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +- **YsWUfBEnabled** No content is currently available. + + +### SoftwareUpdateClientTelemetry.DownloadCheckpoint + +This event provides a checkpoint between each of the Windows Update download phases for UUP content + +The following fields are available: + +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** The version number of the software distribution client +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver" +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough +- **FileId** A hash that uniquely identifies a file +- **FileName** Name of the downloaded file +- **FlightId** The unique identifier for each flight +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RevisionNumber** Unique revision number of Update +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.) +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult) +- **UpdateId** Unique Update ID +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue + + +### SoftwareUpdateClientTelemetry.DownloadHeartbeat + +This event allows tracking of ongoing downloads and contains data to explain the current state of the download + +The following fields are available: + +- **BytesTotal** Total bytes to transfer for this content +- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat +- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** The version number of the software distribution client +- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat +- **CurrentError** Last (transient) error encountered by the active download +- **DownloadFlags** Flags indicating if power state is ignored +- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing) +- **EventType** Possible values are "Child", "Bundle", or "Driver" +- **FlightId** The unique identifier for each flight +- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered" +- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any +- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any +- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one +- **ResumeCount** Number of times this active download has resumed from a suspended state +- **RevisionNumber** Identifies the revision number of this specific piece of content +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) +- **SuspendCount** Number of times this active download has entered a suspended state +- **SuspendReason** Last reason for why this active download entered a suspended state +- **UpdateId** Identifier associated with the specific piece of content +- **WUDeviceID** Unique device id controlled by the software distribution client + + +### SoftwareUpdateClientTelemetry.Install + +This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date. + +The following fields are available: + +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to install. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0. +- **CSIErrorType** The stage of CBS installation where it failed. +- **CurrentMobileOperator** The mobile operator to which the device is currently connected. +- **DeploymentProviderMode** The mode of operation of the update deployment provider. +- **DeviceModel** The device model. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. +- **EventType** Possible values are Child, Bundle, or Driver. +- **ExtendedErrorCode** The extended error code. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBranch** The branch that a device is on if participating in the Windows Insider Program. +- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **FlightRing** The ring that a device is on if participating in the Windows Insider Program. +- **HandlerType** Indicates what kind of content is being installed (for example, app, driver, Windows update). +- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. +- **InstallProps** A bitmask for future flags associated with the install operation. No value is currently reported in this field. Expected value for this field is 0. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IsDependentSet** Indicates whether the driver is part of a larger System Hardware/Firmware update. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether this update is a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. +- **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. +- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. +- **MsiAction** The stage of MSI installation where it failed. +- **MsiProductCode** The unique identifier of the MSI installer. +- **PackageFullName** The package name of the content being installed. +- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced. +- **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. +- **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. +- **RevisionNumber** The revision number of this specific piece of content. +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). +- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. +- **ShippingMobileOperator** The mobile operator that a device shipped on. +- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **Targeti~gVersion** No content is currently available. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **TransactionCode** The ID that represents a given MSI installation. +- **UpdateId** Unique update ID. +- **UpdateID** An identifier associated with the specific piece of content. +- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. +- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### SoftwareUpdateClientTelemetry.Revert + +Revert event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). + +The following fields are available: + +- **BundleId** Identifier associated with the specific content bundle. Should not be all zeros if the BundleId was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **CSIErrorType** Stage of CBS installation that failed. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **EventType** Event type (Child, Bundle, Release, or Driver). +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of the flight. +- **FlightId** The specific ID of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **UpdateId** The identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device's main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.TaskRun + +Start event for Server Initiated Healing client. See EventScenario field for specifics (for example, started/completed). + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CmdLineArgs** Command line arguments passed in by the caller. +- **EventInstanceID** A globally unique identifier for the event instance. +- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.Uninstall + +Uninstall event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). + +The following fields are available: + +- **BundleId** The identifier associated with the specific content bundle. This should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of the application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers when a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of the event (a scan started, succeded, failed, etc.). +- **EventType** Indicates the event type. Possible values are "Child", "Bundle", "Release" or "Driver". +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of the flight. +- **FlightId** The specific ID of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If the download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **UpdateId** Identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.UpdateDetected + +This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates. + +The following fields are available: + +- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **NumberOfA0plicableUpdates** No content is currently available. +- **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). +- **WUDeviceID** The unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity + +Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments. +- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed. +- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. +- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce +- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID). +- **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable. +- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. +- **RevisionId** The revision ID for a specific piece of content. +- **RevisionNumber** The revision number for a specific piece of content. +- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store +- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. +- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. +- **SHA256OfTimestampToken** An encoded string of the timestamp token. +- **SignatureAlgorithm** The hash algorithm for the metadata signature. +- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast". +- **StatusCode** Result code of the event (success, cancellation, failure code HResult) +- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token. +- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed. +- **UpdateId** The update ID for a specific piece of content. +- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. + + +## System Resource Usage Monitor events + +### Microsoft.Windows.Srum.Sdp.CpuUsage + +This event provides information on CPU usage. + +The following fields are available: + +- **UsageMax** The maximum of hourly average CPU usage. +- **UsageMean** The mean of hourly average CPU usage. +- **UsageMedian** The median of hourly average CPU usage. +- **UsageTwoHourMaxMean** The mean of the maximum of every two hour of hourly average CPU usage. +- **UsageTwoHourMedianMean** The mean of the median of every two hour of hourly average CPU usage. + + +### Microsoft.Windows.Srum.Sdp.NetworkUsage + +This event provides information on network usage. + +The following fields are available: + +- **AdapterGuid** The unique ID of the adapter. +- **BytesTotalMax** The maximum of the hourly average bytes total. +- **BytesTotalMean** The mean of the hourly average bytes total. +- **BytesTotalMedian** The median of the hourly average bytes total. +- **BytesTotalTwoHourMaxMean** The mean of the maximum of every two hours of hourly average bytes total. +- **BytesTotalTwoHourMedianMean** The mean of the median of every two hour of hourly average bytes total. +- **LinkSpeed** The adapter link speed. + + +## Update events + +### Update360Telemetry.Revert + +This event sends data relating to the Revert phase of updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the Revert phase. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **RebootRequired** Indicates reboot is required. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **RevertResult** The result code returned for the Revert operation. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. + + +### Update360Telemetry.UpdateAgentCommit + +This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the install phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentDownloadRequest + +This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. + +The following fields are available: + +- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted. +- **DownloadRequests** Number of times a download was retried. +- **ErrorCode** The error code returned for the current download request phase. +- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. +- **FlightId** Unique ID for each flight. +- **InternalFailureResult** Indicates a non-fatal error from a plugin. +- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable. +- **PackageCCoegoriesSkipped** No content is currently available. +- **PackageCountOptional** Number of optional packages requested. +- **PackageCountRequired** Number of required packages requested. +- **PackageCountTotal** Total number of packages needed. +- **PackageCountTotalCanonical** Total number of canonical packages. +- **PackageCountTotalDiff** Total number of diff packages. +- **PackageCountTotalExpress** Total number of express packages. +- **PackageCountTotalPSFX** The total number of PSFX packages. +- **PackageExpressType** Type of express package. +- **PackageSizeCanonical** Size of canonical packages in bytes. +- **PackageSizeDiff** Size of diff packages in bytes. +- **PackageSizeExpress** Size of express packages in bytes. +- **PackageSizePSFX** The size of PSFX packages, in bytes. +- **RangeRequestSsCoe** No content is currently available. +- **RangeRequestState** Indicates the range request type used. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the download request phase of update. +- **SandboxTaggedForReserves** The sandbox for reserves. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases). +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentExpand + +This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **ElapsedTickCount** Time taken for expand phase. +- **EndFreeSpace** Free space after expand phase. +- **EndSandboxSize** Sandbox size after expand phase. +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **StartFreeSpace** Free space before expand phase. +- **StartSandboxSize** Sandbox size after expand phase. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentFellBackToCanonical + +This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **PackageCount** Number of packages that feel back to canonical. +- **PackageList** PackageIds which fell back to canonical. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentInitialize + +This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **FlightMetadata** Contains the FlightId and the build being flighted. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the install phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios). +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentInstall + +This event sends data for the install phase of updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. +- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **InternalFailureResult** Indicates a non-fatal error from a plugin. +- **ObjectId** Correlation vector value generated from the latest USO scan. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** The result for the current install phase. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentMerge + +The UpdateAgentMerge event sends data on the merge phase when updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the current merge phase. +- **FlightId** Unique ID for each flight. +- **MergeId** The unique ID to join two update sessions being merged. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Related correlation vector value. +- **Result** Outcome of the merge phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentMitigationResult + +This event sends data indicating the result of each update agent mitigation. + +The following fields are available: + +- **Applicable** Indicates whether the mitigation is applicable for the current update. +- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightId** Unique identifier for each flight. +- **Index** The mitigation index of this particular mitigation. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **Name** The friendly name of the mitigation. +- **ObjectId** Unique value for each Update Agent mode. +- **OperationIndex** The mitigation operation index (in the event of a failure). +- **OperationName** The friendly name of the mitigation operation (in the event of failure). +- **RegistryCount** The number of registry operations in the mitigation entry. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). +- **UpdateId** Unique ID for each Update. + + +### Update360Telemetry.UpdateAgentMitigationSummary + +This event sends a summary of all the update agent mitigations available for an this update. + +The following fields are available: + +- **Applicable** The count of mitigations that were applicable to the system and scenario. +- **Failed** The count of mitigations that failed. +- **FlightId** Unique identifier for each flight. +- **MitigationScenario** The update scenario in which the mitigations were attempted. +- **ObjectId** The unique value for each Update Agent mode. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. +- **TimeDiff** The amount of time spent performing all mitigations (in 100-nanosecond increments). +- **Total** Total number of mitigations that were available. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentModeStart + +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. + +The following fields are available: + +- **FlightId** Unique ID for each flight. +- **Mode** Indicates the mode that has started. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. +- **Version** Version of update + + +### Update360Telemetry.UpdateAgentOneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **Count** The count of applicable OneSettings for the device. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. +- **Values** The values sent back to the device, if applicable. + + +### Update360Telemetry.UpdateAgentPostRebootResult + +This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. + +The following fields are available: + +- **ErrorCode** The error code returned for the current post reboot phase. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **ObjectId** Unique value for each Update Agent mode. +- **PostRebootResult** Indicates the Hresult. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentReboot + +This event sends information indicating that a request has been sent to suspend an update. + +The following fields are available: + +- **ErrorCode** The error code returned for the current reboot. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. + + +### Update360Telemetry.UpdateAgentSetupBoxLaunch + +The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. + +The following fields are available: + +- **ContainsExpressPackage** Indicates whether the download package is express. +- **FlightId** Unique ID for each flight. +- **FreeSpace** Free space on OS partition. +- **InstallCount** Number of install attempts using the same sandbox. +- **ObjectId** Unique value for each Update Agent mode. +- **Quiet** Indicates whether setup is running in quiet mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **SandboxSize** Size of the sandbox. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **SetupMode** Mode of setup to be launched. +- **UpdateId** Unique ID for each Update. +- **UserSession** Indicates whether install was invoked by user actions. + + +## Update notification events + +### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat + +This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat. + +The following fields are available: + +- **CampaignConfigVersion** Configuration version for the current campaign. +- **CampaignID** Currently campaign that is running on Update Notification Pipeline (UNP). +- **ConfigCatalogVersion** Current catalog version of UNP. +- **ContentVersion** Content version for the current campaign on UNP. +- **CV** Correlation vector. +- **DetectorVersion** Most recently run detector version for the current campaign on UNP. +- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user. +- **PackageVersion** Current UNP package version. + + +## Upgrade events + +### FacilitatorTelemetry.DCATDownload + +This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **DownloadSize** Download size of payload. +- **ElapsedTime** Time taken to download payload. +- **MediaFallbackUsed** Used to determine if we used Media CompDBs to figure out package requirements for the upgrade. +- **ResultCode** Result returned by the Facilitator DCAT call. +- **Scenario** Dynamic update scenario (Image DU, or Setup DU). +- **Type** Type of package that was downloaded. +- **UpdateId** The ID of the update that was downloaded. + + +### FacilitatorTelemetry.DUDownload + +This event returns data about the download of supplemental packages critical to upgrading a device to the next version of Windows. + +The following fields are available: + +- **DownloadRequestAttributes** The attributes sent for download. +- **PackageCategoriesFailed** Lists the categories of packages that failed to download. +- **PackageCategoriesSkipped** Lists the categories of package downloads that were skipped. +- **ResultCode** The result of the event execution. +- **Scenario** Identifies the active Download scenario. +- **Url** The URL the download request was sent to. +- **Version** Identifies the version of Facilitator used. + + +### FacilitatorTelemetry.InitializeDU + +This event determines whether devices received additional or critical supplemental content during an OS upgrade. + +The following fields are available: + +- **DCATUrl** The Delivery Catalog (DCAT) URL we send the request to. +- **DownloadRequestAttributes** The attributes we send to DCAT. +- **ResultCode** The result returned from the initiation of Facilitator with the URL/attributes. +- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **Url** The Delivery Catalog (DCAT) URL we send the request to. +- **Version** Version of Facilitator. + + +### Setup360Telemetry.Downlevel + +This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the downlevel OS. +- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** More detailed information about phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback). +- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors). +- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT). +- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). +- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** An ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId. + + +### Setup360Telemetry.Finalize + +This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** More detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.OsUninstall + +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.PostRebootInstall + +This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback +- **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId. + + +### Setup360Telemetry.PreDownloadQuiet + +This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help keep Windows up to date. + +The following fields are available: + +- **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.PreDownloadUX + +This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS, to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion of the update process. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **HostOSBuildNumber** The build number of the previous operating system. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). +- **InstanceId** Unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). +- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.PreInstallQuiet + +This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT). +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.PreInstallUX + +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.Setup360 + +This event sends data about OS deployment scenarios, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FieldName** Retrieves the data point. +- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. +- **InstanceId** Retrieves a unique identifier for each instance of a setup session. +- **ReportId** Retrieves the report ID. +- **ScenarioId** Retrieves the deployment scenario. +- **Value** Retrieves the value associated with the corresponding FieldName. + + +### Setup360Telemetry.Setup360DynamicUpdate + +This event helps determine whether the device received supplemental content during an operating system upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. +- **InstanceId** Retrieves a unique identifier for each instance of a setup session. +- **Operation** Facilitator’s last known operation (scan, download, etc.). +- **ReportId** ID for tying together events stream side. +- **ResultCode** Result returned for the entire setup operation. +- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **ScenarioId** Identifies the update scenario. +- **TargetBranch** Branch of the target OS. +- **TargetBuild** Build of the target OS. + + +### Setup360Telemetry.Setup360MitigationResult + +This event sends data indicating the result of each setup mitigation. + +The following fields are available: + +- **Applicable** TRUE if the mitigation is applicable for the current update. +- **ClientId** In the Windows Update scenario, this is the client ID passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightData** The unique identifier for each flight (test release). +- **Index** The mitigation index of this particular mitigation. +- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **Name** The friendly (descriptive) name of the mitigation. +- **OperationIndex** The mitigation operation index (in the event of a failure). +- **OperationName** The friendly (descriptive) name of the mitigation operation (in the event of failure). +- **RegistryCount** The number of registry operations in the mitigation entry. +- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. +- **Result** HResult of this operation. +- **ScenarioId** Setup360 flow type. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). + + +### Setup360Telemetry.Setup360MitigationSummary + +This event sends a summary of all the setup mitigations available for this update. + +The following fields are available: + +- **Applicable** The count of mitigations that were applicable to the system and scenario. +- **ClientId** The Windows Update client ID passed to Setup. +- **Failed** The count of mitigations that failed. +- **FlightData** The unique identifier for each flight (test release). +- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. +- **MitigationScenario** The update scenario in which the mitigations were attempted. +- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. +- **Result** HResult of this operation. +- **ScenarioId** Setup360 flow type. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). +- **Total** The total number of mitigations that were available. + + +### Setup360Telemetry.Setup360OneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **ClientId** The Windows Update client ID passed to Setup. +- **Count** The count of applicable OneSettings for the device. +- **FlightData** The ID for the flight (test instance version). +- **InstanceId** The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe. +- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. +- **ReportId** The Update ID passed to Setup. +- **Result** The HResult of the event error. +- **ScenarioId** The update scenario ID. +- **Values** Values sent back to the device, if applicable. + + +### Setup360Telemetry.UnexpectedEvent + +This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +## Windows as a Service diagnostic events + +### Microsoft.Windows.WaaSMedic.SummaryEvent + +Result of the WaaSMedic operation. + +The following fields are available: + +- **callerApplication** The name of the calling application. +- **capsuleCount** The number of Sediment Pack capsules. +- **capsuleFailureCount** The number of capsule failures. +- **detectionSummary** Result of each applicable detection that was run. +- **featureAssessmentImpact** WaaS Assessment impact for feature updates. +- **hrEngineBlockReason** Indicates the reason for stopping WaaSMedic. +- **hrEngineResult** Error code from the engine operation. +- **hrLastSandboxError** The last error sent by the WaaSMedic sandbox. +- **initSummary** Summary data of the initialization method. +- **insufficientSessions** Device not eligible for diagnostics. +- **isInteractiveMode** The user started a run of WaaSMedic. +- **isManaged** Device is managed for updates. +- **isWUConnected** Device is connected to Windows Update. +- **noMoreActions** No more applicable diagnostics. +- **pluginFailureCount** The number of plugins that have failed. +- **pluginsCount** The number of plugins. +- **qualityAssessmentImpact** WaaS Assessment impact for quality updates. +- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on. +- **usingBackupFeatureAssessment** Relying on backup feature assessment. +- **usingBackupQualityAssessment** Relying on backup quality assessment. +- **usingCachedFeatureAssessment** WaaS Medic run did not get OS build age from the network on the previous run. +- **usingCachedQualityAssessment** WaaS Medic run did not get OS revision age from the network on the previous run. +- **versionString** Version of the WaaSMedic engine. +- **waasMedicRunMode** Indicates whether this was a background regular run of the medic or whether it was triggered by a user launching Windows Update Troubleshooter. + + +## Windows Error Reporting events + +### Microsoft.Windows.WERVertical.OSCrash + +This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. + +The following fields are available: + +- **BootId** Uint32 identifying the boot number for this device. +- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check. +- **BugCheckParameter1** Uint64 parameter providing additional information. +- **BugCheckParameter2** Uint64 parameter providing additional information. +- **BugCheckParameter3** Uint64 parameter providing additional information. +- **BugCheckParameter4** Uint64 parameter providing additional information. +- **DumpFileAttributes** Codes that identify the type of data contained in the dump file +- **DumpFileSize** Size of the dump file +- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise +- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). + + +## Windows Error Reporting MTT events + +### Microsoft.Windows.WER.MTT.Denominator + +This event provides a denominator to calculate MTTF (mean-time-to-failure) for crashes and other errors, to help keep Windows up to date. + +The following fields are available: + +- **DPRange** Maximum mean value range. +- **DPValue** Randomized bit value (0 or 1) that can be reconstituted over a large population to estimate the mean. +- **Value** Standard UTC emitted DP value structure See [Value](#value). + + +### Value + +This event returns data about Mean Time to Failure (MTTF) for Windows devices. It is the primary means of estimating reliability problems in Basic Diagnostic reporting with very strong privacy guarantees. Since Basic Diagnostic reporting does not include system up-time, and since that information is important to ensuring the safe and stable operation of Windows, the data provided by this event provides that data in a manner which does not threaten a user’s privacy. + +The following fields are available: + +- **Algorithm** The algorithm used to preserve privacy. +- **DPRange** The upper bound of the range being measured. +- **DPValue** The randomized response returned by the client. +- **Epsilon** The level of privacy to be applied. +- **HistType** The histogram type if the algorithm is a histogram algorithm. +- **PertProb** The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”. + + +## Windows Store events + +### Microsoft.Windows.Store.StoreActivating + +This event sends tracking data about when the Store app activation via protocol URI is in progress, to help keep Windows up to date. + + + +### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation + +This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** Number of retry attempts before it was canceled. +- **BundleId** The Item Bundle ID. +- **CategoryId** The Item Category ID. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed before this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Was this requested by a user? +- **IsMandatory** Was this a mandatory update? +- **IsRemediation** Was this a remediation install? +- **IsRestore** Is this automatically restoring a previously acquired product? +- **IsUpdate** Flag indicating if this is an update. +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The product family name of the product being installed. +- **ProductId** The identity of the package or packages being installed. +- **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled. +- **UserAttemptNumber** The total number of user attempts at installation before it was canceled. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds + +This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure. + + + +### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare + +This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure. + + + +### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation + +This event is sent when an app update or installation is canceled while in interactive mode. This can be canceled by the user or the system. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed. +- **AttemptNumber** Total number of installation attempts. +- **BundleId** The identity of the Windows Insider build that is associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Was this requested by a user? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this an automatic restore of a previously acquired product? +- **IsUpdate** Is this a product update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of all packages to be downloaded and installed. +- **PreviousHResult** The previous HResult code. +- **PreviousInstallState** Previous installation state before it was canceled. +- **ProductId** The name of the package or packages requested for installation. +- **RelatedCV** Correlation Vector of a previous performed action on this product. +- **SystemAttemptNumber** Total number of automatic attempts to install before it was canceled. +- **UserAttemptNumber** Total number of user attempts to install before it was canceled. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest + +This event is sent at the end of app installations or updates to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The Store Product ID of the app being installed. +- **HResult** HResult code of the action being performed. +- **IsBundle** Is this a bundle? +- **PackageFamilyName** The name of the package being installed. +- **ProductId** The Store Product ID of the product being installed. +- **SkuId** Specific edition of the item being installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense + +This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set. +- **AttemptNumber** The total number of attempts to acquire this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** HResult code to show the result of the operation (success/failure). +- **IsBundle** Is this a bundle? +- **IsInteractive** Did the user initiate the installation? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this happening after a device restore? +- **IsUpdate** Is this an update? +- **PFN** Product Family Name of the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The number of attempts by the system to acquire this product. +- **UserAttemptNumber** The number of attempts by the user to acquire this product +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndDownload + +This event is sent after an app is downloaded to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. +- **AttemptNumber** Number of retry attempts before it was canceled. +- **BundleId** The identity of the Windows Insider build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **DownloadSize** The total size of the download. +- **ExtendedHResult** Any extended HResult error codes. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this initiated by the user? +- **IsMandatory** Is this a mandatory installation? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this a restore of a previously acquired product? +- **IsUpdate** Is this an update? +- **ParentBundleId** The parent bundle ID (if it's part of a bundle). +- **PFN** The Product Family Name of the app being download. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The number of attempts by the system to download. +- **UserAttemptNumber** The number of attempts by the user to download. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate + +This event is sent when an app update requires an updated Framework package and the process starts to download it. It is used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed before this operation. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds + +This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed before this operation. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndInstall + +This event is sent after a product has been installed to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **ExtendedHResult** The extended HResult error code. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this an interactive installation? +- **IsMandatory** Is this a mandatory installation? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this automatically restoring a previously acquired product? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** Product Family Name of the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates + +This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AsOnline** No content is currently available. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsApplicability** Is this request to only check if there are any applicable packages to install? +- **IsInteractive** Is this user requested? +- **IsOnline** Is the request doing an online check? + + +### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages + +This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData + +This event is sent after restoring user data (if any) that needs to be restored following a product install. It is used to keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of system attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare + +This event is sent after a scan for available app updates to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed. + + +### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete + +This event is sent at the end of an app install or update to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The name of the product catalog from which this app was chosen. +- **FailedRetry** Indicates whether the installation or update retry was successful. +- **HResult** The HResult code of the operation. +- **PFN** The Package Family Name of the app that is being installed or updated. +- **ProductId** The product ID of the app that is being updated or installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate + +This event is sent at the beginning of an app install or update to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The name of the product catalog from which this app was chosen. +- **FulfillmentPluginId** The ID of the plugin needed to install the package type of the product. +- **PFN** The Package Family Name of the app that is being installed or updated. +- **PluginTelemetryData** Diagnostic information specific to the package-type plug-in. +- **ProductId** The product ID of the app that is being updated or installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest + +This event is sent when a product install or update is initiated, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **BundleId** The identity of the build associated with this product. +- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SkuId** Specific edition ID being installed. +- **VolumePath** The disk path of the installation. + + +### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation + +This event is sent when a product install or update is paused (either by a user or the system), to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The Product Full Name. +- **PreviousHResult** The result code of the last action performed before this operation. +- **PreviousInstallState** Previous state before the installation or update was paused. +- **ProductId** The Store Product ID for the product being installed. +- **RelatedCV** Correlation Vector of a previous performed action on this product. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation + +This event is sent when a product install or update is resumed (either by a user or the system), to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed before this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **IsUserRetry** Did the user initiate the retry? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **PreviousHResult** The previous HResult error code. +- **PreviousInstallState** Previous state before the installation was paused. +- **ProductId** The Store Product ID for the product being installed. +- **RelatedCV** Correlation Vector for the original install before it was resumed. +- **ResumeClientId** The ID of the app that initiated the resume operation. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest + +This event is sent when a product install or update is resumed by a user or on installation retries, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ProductId** The Store Product ID for the product being installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest + +This event is sent when searching for update packages to install, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The Store Catalog ID for the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SkuId** Specfic edition of the app being updated. + + +### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest + +This event occurs when an update is requested for an app, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **PFamN** The name of the app that is requested for update. + + +## Windows System Kit events + +### Microsoft.Windows.Kits.WSK.WskImageCreate + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures. + +The following fields are available: + +- **Phase** The image creation phase. Values are “Start” or “End”. +- **WskVersion** The version of the Windows System Kit being used. + + +### Microsoft.Windows.Kits.WSK.WskImageCustomization + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures. + +The following fields are available: + +- **CustomizationMode** Indicates the mode of the customization (new or updating). +- **CustomizationType** Indicates the type of customization (drivers or apps). +- **Mode** The mode of update to image configuration files. Values are “New” or “Update”. +- **Phase** The image creation phase. Values are “Start” or “End”. +- **Type** The type of update to image configuration files. Values are “Apps” or “Drivers”. +- **WskVersion** The version of the Windows System Kit being used. + + +### Microsoft.Windows.Kits.WSK.WskWorkspaceCreate + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new workspace for generating OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate workspace creation failures. + +The following fields are available: + +- **Architecture** The OS architecture that the workspace will target. Values are one of: “AMD64”, “ARM64”, “x86”, or “ARM”. +- **OsEdition** The Operating System Edition that the workspace will target. +- **Phase** The image creation phase. Values are “Start” or “End”. +- **WorkspaceArchitecture** The operating system architecture that the workspace will target. +- **WorkspaceOsEdition** The operating system edition that the workspace will target. +- **WskVersion** The version of the Windows System Kit being used. + + +## Windows Update Delivery Optimization events + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled + +This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download being done in the background? +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same group. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group. +- **bytesFromLinkLocalPeers** The number of bytes received from local peers. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **cdnIp** The IP Address of the source CDN (Content Delivery Network). +- **cdnUrl** The URL of the source CDN (Content Delivery Network). +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **errorCode** The error code that was returned. +- **experimentId** When running a test, this is used to correlate events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. +- **isVpn** Indicates whether the device is connected to a VPN (Virtual Private Network). +- **jobID** Identifier for the Windows Update job. +- **predefinedCallerName** The name of the API Caller. +- **reasonCode** Reason the action or event occurred. +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the file download session. +- **updateID** The ID of the update being downloaded. +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted + +This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download a background download? +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. +- **bytesFromLinkLocalPeers** The number of bytes received from local peers. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **bytesRequested** The total number of bytes requested for download. +- **cacheServerBonnectionCount** No content is currently available. +- **cacheServerConnectionCount** Number of connections made to cache hosts. +- **cdnConnectionCount** The total number of connections made to the CDN. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **cdnIp** The IP address of the source CDN. +- **cdnUrl** Url of the source Content Distribution Network (CDN). +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **dnErrorCounts** No content is currently available. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **downlinkBps** The maximum measured available download bandwidth (in bytes per second). +- **downlinkUsageBps** The download speed (in bytes per second). +- **downloadMode** The download mode used for this file download session. +- **downloadModeReason** Reason for the download. +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **expiresAt** The time when the content will expire from the Delivery Optimization Cache. +- **fileID** The ID of the file being downloaded. +- **fileSize** The size of the file being downloaded. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gdnConnectionCount** No content is currently available. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. +- **groupConnectionCo** No content is currently available. +- **groupConnectionCount** The total number of connections made to peers in the same group. +- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group. +- **isEncrypted** TRUE if the file is encrypted and will be decrypted after download. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **lanConnectionCount** The total number of connections made to peers in the same LAN. +- **linkLocalConnectionCount** The number of connections made to peers in the same Link-local network. +- **numPeers** The total number of peers used for this download. +- **numPeersLocal** The total number of local peers used for this download. +- **predefinedCallerName** The name of the API Caller. +- **restrictedU`load** No content is currently available. +- **restrictedUpload** Is the upload restricted? +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the download session. +- **totalTimeMs** Duration of the download (in seconds). +- **updateID** The ID of the update being downloaded. +- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). +- **uplinkUsageBps** The upload speed (in bytes per second). +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused + +This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download a background download? +- **cdnUrl** The URL of the source CDN (Content Delivery Network). +- **errorCode** The error code that was returned. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being paused. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **predefinedCallerName** The name of the API Caller object. +- **reasonCode** The reason for pausing the download. +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the download session. +- **updateID** The ID of the update being paused. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted + +This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **ActiveNetworkConnection** No content is currently available. +- **background** Indicates whether the download is happening in the background. +- **bytesRequested** Number of bytes requested for the download. +- **cdnUrl** The URL of the source Content Distribution Network (CDN). +- **costFlags** A set of flags representing network cost. +- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). +- **diceRoll** Random number used for determining if a client will use peering. +- **doClientVersion** The version of the Delivery Optimization client. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). +- **downloadModeReason** Reason for the download. +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **errorCode** The error code that was returned. +- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing. +- **fileID** The ID of the file being downloaded. +- **filePath** The path to where the downloaded file will be written. +- **fileSize** Total file size of the file that was downloaded. +- **fileSizeCaller** Value for total file size provided by our caller. +- **groupID** ID for the group. +- **IsBootCritical** No content is currently available. +- **isEncrypted** Indicates whether the download is encrypted. +- **isVpn** Indicates whether the device is connected to a Virtual Private Network. +- **jobID** The ID of the Windows Update job. +- **peerID** The ID for this delivery optimization client. +- **predefinedCallerName** Name of the API caller. +- **routeToCacheServer** Cache server setting, source, and value. +- **SdbEntries** No content is currently available. +- **sessionID** The ID for the file download session. +- **setConfigs** A JSON representation of the configurations that have been set, and their sources. +- **updateID** The ID of the update being downloaded. +- **usedMemoryStream** Indicates whether the download used memory streaming. +- **WuDriverCoverage** No content is currently available. +- **WuDriverUpdateId** No content is currently available. +- **WuPopulatedFromId** No content is currently available. + + +### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication + +This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **cdnHeaders** The HTTP headers returned by the CDN. +- **cdnIp** The IP address of the CDN. +- **cdnUrl** The URL of the CDN. +- **errorCode** The error code that was returned. +- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **httpStatusCode** The HTTP status code returned by the CDN. +- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET +- **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.). +- **requestOffset** The byte offset within the file in the sent request. +- **requestSize** The size of the range requested from the CDN. +- **responseSize** The size of the range response received from the CDN. +- **sessionID** The ID of the download session. + + +### Microsoft.OSG.DU.DeliveryOptClient.JobError + +This event represents a Windows Update job error. It allows for investigation of top errors. + +The following fields are available: + +- **cdnIp** The IP Address of the source CDN (Content Delivery Network). +- **doErrorCode** Error code returned for delivery optimization. +- **errorCode** The error code returned. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **jobID** The Windows Update job ID. + + +## Windows Update events + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary + +This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **activated** Whether the entire device manifest update is considered activated and in use. +- **analysisErrorCount** The number of driver packages that could not be analyzed because errors occurred during analysis. +- **flightId** Unique ID for each flight. +- **missingDriverCount** The number of driver packages delivered by the device manifest that are missing from the system. +- **missingUpdateCount** The number of updates in the device manifest that are missing from the system. +- **objectId** Unique value for each diagnostics session. +- **publishedCount** The number of drivers packages delivered by the device manifest that are published and available to be used on devices. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **scenarioId** Indicates the update scenario. +- **sessionId** Unique value for each update session. +- **summary** A summary string that contains basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match. +- **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string. +- **truncatedDeviceCount** The number of devices missing from the summary string because there is not enough room in the string. +- **truncatedDriverCount** The number of driver packages missing from the summary string because there is not enough room in the string. +- **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices. +- **updateId** The unique ID for each update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit + +This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **objectId** The unique GUID for each diagnostics session. +- **relatedCV** A correlation vector value generated from the latest USO scan. +- **result** Outcome of the initialization of the session. +- **scenarioId** Identifies the Update scenario. +- **sessionId** The unique value for each update session. +- **updateId** The unique identifier for each Update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest + +This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted. +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **objectId** Unique value for each Update Agent mode. +- **packageCountOptional** Number of optional packages requested. +- **packageCountRequired** Number of required packages requested. +- **packageCountTotal** Total number of packages needed. +- **packageCountTotalCanonical** Total number of canonical packages. +- **packageCountTotalDiff** Total number of diff packages. +- **packageCountTotalExpress** Total number of express packages. +- **packageSizeCanonical** Size of canonical packages in bytes. +- **packageSizeDiff** Size of diff packages in bytes. +- **packageSizeExpress** Size of express packages in bytes. +- **rangeRequestState** Represents the state of the download range request. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **result** Result of the download request phase of update. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionId** Unique value for each Update Agent mode attempt. +- **updateId** Unique ID for each update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize + +This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **flightMetadata** Contains the FlightId and the build being flighted. +- **objectId** Unique value for each Update Agent mode. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios). +- **sessionId** Unique value for each Update Agent mode attempt. +- **updateId** Unique ID for each update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall + +This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **errorCode** The error code returned for the current install phase. +- **flightId** The unique identifier for each flight (pre-release builds). +- **objectId** The unique identifier for each diagnostics session. +- **relatedCV** Correlation vector value generated from the latest scan. +- **result** Outcome of the install phase of the update. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate +- **sessionId** The unique identifier for each update session. +- **updateId** The unique identifier for each Update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart + +This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **flightId** The unique identifier for each flight (pre-release builds). +- **mode** Indicates the active Update Agent mode. +- **objectId** Unique value for each diagnostics session. +- **relatedCV** Correlation vector value generated from the latest scan. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionId** The unique identifier for each update session. +- **updateId** The unique identifier for each Update. + + +### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed + +This event indicates that a notification dialog box is about to be displayed to user. + +The following fields are available: + +- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. +- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before the RebootFailed dialog box is shown. +- **DaysSinceRebootRequired** Number of days since restart was required. +- **DeviceLocalTime** The local time on the device sending the event. +- **EngagedModeLimit** The number of days to switch between DTE dialog boxes. +- **EnterAutoModeLimit** The maximum number of days for a device to enter Auto Reboot mode. +- **ETag** OneSettings versioning value. +- **IsForcedEnabled** Indicates whether Forced Reboot mode is enabled for this device. +- **IsUltimateForcedEnabled** Indicates whether Ultimate Forced Reboot mode is enabled for this device. +- **NotificationUxState** Indicates which dialog box is shown. +- **NotificationUxStateString** Indicates which dialog box is shown. +- **RebootUxState** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). +- **RebootUxStateString** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). +- **RebootVersion** Version of DTE. +- **SkipToAutoModeLimit** The minimum length of time to pass in restart pending before a device can be put into auto mode. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UtcTime** The time the dialog box notification will be displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootAcceptAutoDialog + +This event indicates that the Enhanced Engaged restart "accept automatically" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose on this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootFirstReminderDialog + +This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed.. + +The following fields are available: + +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose in this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog + +This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** The local time of the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog + +This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** Time the dialog box was shown on the local device. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose in this dialog box. +- **UtcTime** The time that dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderDialog + +This event returns information relating to the Enhanced Engaged reboot reminder dialog that was displayed. + +The following fields are available: + +- **DeviceLocalTime** The time at which the reboot reminder dialog was shown (based on the local device time settings). +- **ETag** The OneSettings versioning value. +- **ExitCode** Indicates how users exited the reboot reminder dialog box. +- **RebootVersion** The version of the DTE (Direct-to-Engaged). +- **UpdateId** The ID of the update that is waiting for reboot to finish installation. +- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. +- **UserResponseString** The option chosen by the user on the reboot dialog box. +- **UtcTime** The time at which the reboot reminder dialog was shown (in UTC). + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderToast + +This event indicates that the Enhanced Engaged restart reminder pop-up banner was displayed. + +The following fields are available: + +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the pop-up banner. +- **RebootVersion** The version of the reboot logic. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in the pop-up banner. +- **UtcTime** The time that the pop-up banner was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.RebootScheduled + +Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update. + +The following fields are available: + +- **activeHoursApplicable** Indicates whether an Active Hours policy is present on the device. +- **IsEnhancedEngagedReboot** Indicates whether this is an Enhanced Engaged reboot. +- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. +- **rebootOutsideOfActiveHours** Indicates whether a restart is scheduled outside of active hours. +- **rebootScheduledByUser** Indicates whether the restart was scheduled by user (if not, it was scheduled automatically). +- **rebootState** The current state of the restart. +- **rebootUsingSmartScheduler** Indicates whether the reboot is scheduled by smart scheduler. +- **revisionNumber** Revision number of the update that is getting installed with this restart. +- **scheduledRebootTime** Time of the scheduled restart. +- **scheduledRebootTimeInUTC** Time of the scheduled restart in Coordinated Universal Time. +- **updateId** ID of the update that is getting installed with this restart. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy + +This event indicates a policy is present that may restrict update activity to outside of active hours. + +The following fields are available: + +- **activeHoursEnd** The end of the active hours window. +- **activeHoursStart** The start of the active hours window. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours + +This event indicates that update activity was blocked because it is within the active hours window. + +The following fields are available: + +- **activeHoursEnd** The end of the active hours window. +- **activeHoursStart** The start of the active hours window. +- **updatePhase** The current state of the update process. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.BlockedByBatteryLevel + +This event indicates that Windows Update activity was blocked due to low battery level. + +The following fields are available: + +- **batteryLevel** The current battery charge capacity. +- **batteryLevelThreshold** The battery capacity threshold to stop update activity. +- **updatePhase** The current state of the update process. +- **wuDeviceid** Device ID. + + +### Microsoft.Windows.Update.Orchestrator.DeferRestart + +This event indicates that a restart required for installing updates was postponed. + +The following fields are available: + +- **displayNeededReason** List of reasons for needing display. +- **eventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery). +- **gameModeReason** Name of the executable that caused the game mode state check to start. +- **ignoredReason** List of reasons that were intentionally ignored. +- **IgnoreReasonsForRestart** List of reasons why restart was deferred. +- **revisionNumber** Update ID revision number. +- **systemNeededReason** List of reasons why system is needed. +- **updateId** Update ID. +- **updateScenarioType** Update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.Detection + +This event indicates that a scan for a Windows Update occurred. + +The following fields are available: + +- **deferReason** The reason why the device could not check for updates. +- **detectionBlockingPolicy** The Policy that blocked detection. +- **detectionBlockreason** The reason detection did not complete. +- **detectionRetryMode** Indicates whether we will try to scan again. +- **errorCode** The error code returned for the current process. +- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. +- **flightID** The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable. +- **interactive** Indicates whether the user initiated the session. +- **networkStatus** Indicates if the device is connected to the internet. +- **revisionNumber** The Update revision number. +- **scanTriggerSource** The source of the triggered scan. +- **updateId** The unique identifier of the Update. +- **updateScenarioType** Identifies the type of update session being performed. +- **wuDeviceid** The unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.DisplayNeeded + +This event indicates the reboot was postponed due to needing a display. + +The following fields are available: + +- **displayNeededReason** Reason the display is needed. +- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. +- **revisionNumber** Revision number of the update. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. +- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue + + +### Microsoft.Windows.Update.Orchestrator.Download + +This event sends launch data for a Windows Update download to help keep Windows up to date. + +The following fields are available: + +- **deferReason** Reason for download not completing. +- **errorCode** An error code represented as a hexadecimal value. +- **eventScenario** End-to-end update session ID. +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the session is user initiated. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.DTUCompletedWhenWuFlightPendingCommit + +This event indicates that DTU completed installation of the electronic software delivery (ESD), when Windows Update was already in Pending Commit phase of the feature update. + +The following fields are available: + +- **wuDeviceid** Device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.DTUEnabled + +This event indicates that Inbox DTU functionality was enabled. + +The following fields are available: + +- **wuDeviceid** Device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.DTUInitiated + +This event indicates that Inbox DTU functionality was intiated. + +The following fields are available: + +- **dtuErrorCode** Return code from creating the DTU Com Server. +- **isDtuApplicable** Determination of whether DTU is applicable to the machine it is running on. +- **wuDeviceid** Device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.EscalationRiskLevels + +This event is sent during update scan, download, or install, and indicates that the device is at risk of being out-of-date. + +The following fields are available: + +- **configVersion** The escalation configuration version on the device. +- **downloadElapsedTime** Indicates how long since the download is required on device. +- **downloadRiskLevel** At-risk level of download phase. +- **installElapsedTime** Indicates how long since the install is required on device. +- **installRiskLevel** The at-risk level of install phase. +- **isSediment** Assessment of whether is device is at risk. +- **scanElapsedTime** Indicates how long since the scan is required on device. +- **scanRiskLevel** At-risk level of the scan phase. +- **wuDeviceid** Device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.FailedToAddTimeTriggerToScanTask + +This event indicated that USO failed to add a trigger time to a task. + +The following fields are available: + +- **errorCode** The Windows Update error code. +- **wuDeviceid** The Windows Update device ID. + + +### Microsoft.Windows.Update.Orchestrator.FlightInapplicable + +This event indicates that the update is no longer applicable to this device. + +The following fields are available: + +- **EventPublishedTime** Time when this event was generated. +- **flightID** The specific ID of the Windows Insider build. +- **inapplicableReason** The reason why the update is inapplicable. +- **revisionNumber** Update revision number. +- **updateId** Unique Windows Update ID. +- **updateScenarioType** Update session type. +- **UpdateStatus** Last status of update. +- **UUPFallBackConfigured** Indicates whether UUP fallback is configured. +- **wuDeviceid** Unique Device ID. + + +### Microsoft.Windows.Update.Orchestrator.InitiatingReboot + +This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date. + +The following fields are available: + +- **EventPublishedTime** Time of the event. +- **flightID** Unique update ID +- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. +- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. +- **revisionNumber** Revision number of the update. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.Install + +This event sends launch data for a Windows Update install to help keep Windows up to date. + +The following fields are available: + +- **batteryLevel** Current battery capacity in mWh or percentage left. +- **deferReason** Reason for install not completing. +- **errorCode** The error code reppresented by a hexadecimal value. +- **eventScenario** End-to-end update session ID. +- **flightID** The ID of the Windows Insider build the device is getting. +- **flightUpdate** Indicates whether the update is a Windows Insider build. +- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates. +- **IgnoreReasonsForRestart** The reason(s) a Postpone Restart command was ignored. +- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress. +- **installRebootinitiatetime** The time it took for a reboot to be attempted. +- **interactive** Identifies if session is user initiated. +- **minutesToCommit** The time it took to install updates. +- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.LowUptimes + +This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure. + +The following fields are available: + +- **availableHistoryMinutes** The number of minutes available from the local machine activity history. +- **isLowUptimeMachine** Is the machine considered low uptime or not. +- **lowUptimeMinHours** Current setting for the minimum number of hours needed to not be considered low uptime. +- **lowUptimeQueryDays** Current setting for the number of recent days to check for uptime. +- **uptimeMinutes** Number of minutes of uptime measured. +- **wuDeviceid** Unique device ID for Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection + +This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date. + +The following fields are available: + +- **externalOneshotupdate** The last time a task-triggered scan was completed. +- **interactiveOneshotupdate** The last time an interactive scan was completed. +- **oldlastscanOneshotupdate** The last time a scan completed successfully. +- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID). + + +### Microsoft.Windows.Update.Orchestrator.PreShutdownStart + +This event is generated before the shutdown and commit operations. + +The following fields are available: + +- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### Microsoft.Windows.Update.Orchestrator.RebootFailed + +This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date. + +The following fields are available: + +- **batteryLevel** Current battery capacity in mWh or percentage left. +- **deferReason** Reason for install not completing. +- **EventPublishedTime** The time that the reboot failure occurred. +- **flightID** Unique update ID. +- **rebootOutsideOfActiveHours** Indicates whether a reboot was scheduled outside of active hours. +- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.RefreshSettings + +This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date. + +The following fields are available: + +- **errorCode** Hex code for the error message, to allow lookup of the specific error. +- **settingsDownloadTime** Timestamp of the last attempt to acquire settings. +- **settingsETag** Version identifier for the settings. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask + +This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date. + +The following fields are available: + +- **RebootTaskMissedTimeUTC** The time when the reboot task was scheduled to run, but did not. +- **RebootTaskNextTimeUTC** The time when the reboot task was rescheduled for. +- **RebootTaskRestoredTime** Time at which this reboot task was restored. +- **wuDeviceid** Device ID for the device on which the reboot is restored. + + +### Microsoft.Windows.Update.Orchestrator.ScanTriggered + +This event indicates that Update Orchestrator has started a scan operation. + +The following fields are available: + +- **errorCode** The error code returned for the current scan operation. +- **eventScenario** Indicates the purpose of sending this event. +- **interactive** Indicates whether the scan is interactive. +- **isDTUEnabled** Indicates whether DTU (internal abbreviation for Direct Feature Update) channel is enabled on the client system. +- **isScanPastSla** Indicates whether the SLA has elapsed for scanning. +- **isScanPastTriggerSla** Indicates whether the SLA has elapsed for triggering a scan. +- **minutesOverScanSla** Indicates how many minutes the scan exceeded the scan SLA. +- **minutesOverScanTriggerSla** Indicates how many minutes the scan exceeded the scan trigger SLA. +- **scanTriggerSource** Indicates what caused the scan. +- **updateScenarioType** The update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.StickUpdate + +This event is sent when the update service orchestrator (USO) indicates the update cannot be superseded by a newer update. + +The following fields are available: + +- **updateId** Identifier associated with the specific piece of content. +- **wuDeviceid** Unique device ID controlled by the software distribution client. + + +### Microsoft.Windows.Update.Orchestrator.SystemNeeded + +This event sends data about why a device is unable to reboot, to help keep Windows up to date. + +The following fields are available: + +- **eventScenario** End-to-end update session ID. +- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. +- **revisionNumber** Update revision number. +- **systemNeededReason** List of apps or tasks that are preventing the system from restarting. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.TerminatedByActiveHours + +This event indicates that update activity was stopped due to active hours starting. + +The following fields are available: + +- **activeHoursEnd** The end of the active hours window. +- **activeHoursStart** The start of the active hours window. +- **updatePhase** The current state of the update process. +- **wuDeviceid** The device identifier. + + +### Microsoft.Windows.Update.Orchestrator.TerminatedByBatteryLevel + +This event is sent when update activity was stopped due to a low battery level. + +The following fields are available: + +- **batteryLevel** The current battery charge capacity. +- **batteryLevelThreshold** The battery capacity threshold to stop update activity. +- **updatePhase** The current state of the update process. +- **wuDeviceid** The device identifier. + + +### Microsoft.Windows.Update.Orchestrator.UnstickUpdate + +This event is sent when the update service orchestrator (USO) indicates that the update can be superseded by a newer update. + +The following fields are available: + +- **updateId** Identifier associated with the specific piece of content. +- **wuDeviceid** Unique device ID controlled by the software distribution client. + + +### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh + +This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date. + +The following fields are available: + +- **configuredPoliciescount** Number of policies on the device. +- **configuredPoliciescsunt** No content is currently available. +- **policiesNamevaluesource** Policy name and source of policy (group policy, MDM or flight). +- **policyCacherefreshtime** Time when policy cache was refreshed. +- **updateInstalluxsetting** Indicates whether a user has set policies via a user experience option. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired + +This event sends data about whether an update required a reboot to help keep Windows up to date. + +The following fields are available: + +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed + +This event sends information about an update that encountered problems and was not able to complete. + +The following fields are available: + +- **errorCode** The error code encountered. +- **wuDeviceid** The ID of the device in which the error occurred. + + +### Microsoft.Windows.Update.Orchestrator.UsoSession + +This event represents the state of the USO service at start and completion. + +The following fields are available: + +- **activeSessionid** A unique session GUID. +- **eventScenario** The state of the update action. +- **interactive** Is the USO session interactive? +- **lastErrorcode** The last error that was encountered. +- **lastErrorstate** The state of the update when the last error was encountered. +- **sessionType** A GUID that refers to the update session type. +- **updateScenarioType** A descriptive update session type. +- **wuDeviceid** The Windows Update device GUID. + + +### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState + +This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. + +The following fields are available: + +- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. +- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown. +- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed. +- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs. +- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode. +- **ETag** The Entity Tag that represents the OneSettings version. +- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device. +- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device. +- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending. +- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced. +- **RebootVersion** The version of the DTE (Direct-to-Engaged). +- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode. +- **UpdateId** The ID of the update that is waiting for reboot to finish installation. +- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. + + +### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded + +This event is sent when a security update has successfully completed. + +The following fields are available: + +- **UtcTime** The Coordinated Universal Time that the restart was no longer needed. + + +### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled + +This event sends basic information about scheduling an update-related reboot, to get security updates and to help keep Windows up-to-date. + +The following fields are available: + +- **activeHoursApplicable** Indicates whether Active Hours applies on this device. +- **IsEnhancedEngagedReboot** Indicates whether Enhanced reboot was enabled. +- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. +- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise. +- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically. +- **rebootState** Current state of the reboot. +- **rebootUsingSmartScheduler** Indicates that the reboot is scheduled by SmartScheduler. +- **revisionNumber** Revision number of the OS. +- **scheduledRebootTime** Time scheduled for the reboot. +- **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC. +- **updateId** Identifies which update is being scheduled. +- **wuDeviceid** The unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerScheduledTask + +This event is sent when MUSE broker schedules a task. + +The following fields are available: + +- **TaskArgument** The arguments with which the task is scheduled. +- **TaskName** Name of the task. + + +### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled + +This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date. + +The following fields are available: + +- **activeHoursApplicable** Is the restart respecting Active Hours? +- **IsEnhancedEngagedReboot** TRUE if the reboot path is Enhanced Engaged. Otherwise, FALSE. +- **rebootArgument** The arguments that are passed to the OS for the restarted. +- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours? +- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device. +- **rebootState** The state of the restart. +- **rebootUsingSmartScheduler** TRUE if the reboot should be performed by the Smart Scheduler. Otherwise, FALSE. +- **revisionNumber** The revision number of the OS being updated. +- **scheduledRebootTime** Time of the scheduled reboot +- **scheduledRebootTimeInUTC** Time of the scheduled restart, in Coordinated Universal Time. +- **updateId** The Windows Update device GUID. +- **wuDeviceid** The Windows Update device GUID. + + +## Windows Update mitigation events + +### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages + +This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates. + +The following fields are available: + +- **ClientId** The client ID used by Windows Update. +- **FlightId** The ID of each Windows Insider build the device received. +- **InstanceId** A unique device ID that identifies each update instance. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **MountedImageCount** The number of mounted images. +- **MountedImageMatches** The number of mounted image matches. +- **MountedImagesFailed** The number of mounted images that could not be removed. +- **MountedImagesRemoved** The number of mounted images that were successfully removed. +- **MountedImagesSkipped** The number of mounted images that were not found. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each Windows Update. +- **WuId** Unique ID for the Windows Update client. + + +### Mitigation360Telemetry.MitigationCustom.FixAppXReparsePoints + +This event sends data specific to the FixAppXReparsePoints mitigation used for OS updates. + +The following fields are available: + +- **ClientId** Unique identifier for each flight. +- **FlightId** Unique GUID that identifies each instances of setuphost.exe. +- **InstanceId** The update scenario in which the mitigation was executed. +- **MitigationScenario** Correlation vector value generated from the latest USO scan. +- **RelatedCV** Number of reparse points that are corrupted but we failed to fix them. +- **ReparsePointsFailed** Number of reparse points that were corrupted and were fixed by this mitigation. +- **ReparsePointsFixed** Number of reparse points that are not corrupted and no action is required. +- **ReparsePointsSkipped** HResult of this operation. +- **Result** ID indicating the mitigation scenario. +- **ScenarioId** Indicates whether the scenario was supported. +- **ScenarioSupported** Unique value for each update attempt. +- **SessionId** Unique ID for each Update. +- **UpdateId** Unique ID for the Windows Update client. +- **WuId** Unique ID for the Windows Update client. + + +### Mitigation360Telemetry.MitigationCustom.FixupEditionId + +This event sends data specific to the FixupEditionId mitigation used for OS updates. + +The following fields are available: + +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **EditionIdUpdated** Determine whether EditionId was changed. +- **FlightId** Unique identifier for each flight. +- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **ProductEditionId** Expected EditionId value based on GetProductInfo. +- **ProductType** Value returned by GetProductInfo. +- **RegistryEditionId** EditionId value in the registry. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. +- **WuId** Unique ID for the Windows Update client. + + +## Windows Update Reserve Manager events + +### Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment + +This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending. + +The following fields are available: + +- **FinalAdjustment** Final adjustment for the hard reserve following the addition or removal of optional content. +- **InitialAdjustment** Initial intended adjustment for the hard reserve following the addition/removal of optional content. + + +### Microsoft.Windows.UpdateReserveManager.FunctionReturnedError + +This event is sent when the Update Reserve Manager returns an error from one of its internal functions. + +The following fields are available: + +- **FailedExpression** The failed expression that was returned. +- **FailedFile** The binary file that contained the failed function. +- **FailedFunction** The name of the function that originated the failure. +- **FailedLine** The line number of the failure. +- **ReturnCode** The return code of the function. + + +### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager + +This event returns data about the Update Reserve Manager, including whether it’s been initialized. + +The following fields are available: + +- **ClientId** The ID of the caller application. +- **Flags** The enumerated flags used to initialize the manager. +- **FlightId** The flight ID of the content the calling client is currently operating with. +- **Offline** Indicates whether or the reserve manager is called during offline operations. +- **PolicyPassed** Indicates whether the machine is able to use reserves. +- **ReturnCode** Return code of the operation. +- **Version** The version of the Update Reserve Manager. + + +### Microsoft.Windows.UpdateReserveManager.PrepareTIForReserveInitialization + +This event is sent when the Update Reserve Manager prepares the Trusted Installer to initialize reserves on the next boot. + +The following fields are available: + +- **Flags** The flags that are passed to the function to prepare the Trusted Installer for reserve initialization. + + +### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment + +This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment. + + + +### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment + +This event is sent when the Update Reserve Manager needs to adjust the size of the hard reserve after the option content is installed. + +The following fields are available: + +- **ChangeSize** The change in the hard reserve size based on the addition or removal of optional content. +- **Disposition** The parameter for the hard reserve adjustment function. +- **Flags** The flags passed to the hard reserve adjustment function. +- **PendingHardReserveAdjustment** The final change to the hard reserve size. +- **UpdateType** Indicates whether the change is an increase or decrease in the size of the hard reserve. + + +## Winlogon events + +### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon + +This event signals the completion of the setup process. It happens only once during the first logon. + + + +## XBOX events + +### Microsoft.Xbox.XamTelemetry.AppActivationError + +This event indicates whether the system detected an activation error in the app. + +The following fields are available: + +- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app. +- **AppId** The Xbox LIVE Title ID. +- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate. +- **Result** The HResult error. +- **UserId** The Xbox LIVE User ID (XUID). + + +### Microsoft.Xbox.XamTelemetry.AppActivity + +This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. + +The following fields are available: + +- **AppActionId** The ID of the application action. +- **AppCurrentVisibilityState** The ID of the current application visibility state. +- **AppId** The Xbox LIVE Title ID of the app. +- **AppPackageFullName** The full name of the application package. +- **AppPreviousVisibilityState** The ID of the previous application visibility state. +- **AppSessionId** The application session ID. +- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). +- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. +- **DurationMs** The amount of time (in milliseconds) since the last application state transition. +- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. +- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). +- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. +- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. +- **UserId** The XUID (Xbox User ID) of the current user. + + + From b1567238bc987713dde8b105a0b9b029cf03fb4f Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 28 Mar 2019 08:21:14 -0700 Subject: [PATCH 080/492] new build 3/28/2019 8:21 AM --- .../basic-level-windows-diagnostic-events-and-fields-1903.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 6d5138182b..76c72b91b1 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/27/2019 +ms.date: 03/28/2019 --- From fe66322f4c0cf05d89c157dbb5faa784b805af3c Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 28 Mar 2019 08:21:21 -0700 Subject: [PATCH 081/492] new build 3/28/2019 8:21 AM --- ...ndows-diagnostic-events-and-fields-1703.md | 2 +- ...ndows-diagnostic-events-and-fields-1709.md | 2 +- ...ndows-diagnostic-events-and-fields-1803.md | 2 +- ...ndows-diagnostic-events-and-fields-1809.md | 74 +++++-------------- 4 files changed, 22 insertions(+), 58 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 1a4810d670..49791ce7a0 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/27/2019 +ms.date: 03/28/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 0ca537440b..d6a6f6eaad 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/27/2019 +ms.date: 03/28/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index a2d892faf3..12fd625a8a 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/27/2019 +ms.date: 03/28/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 8540ded6cf..60f70721cc 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/27/2019 +ms.date: 03/28/2019 --- @@ -2172,9 +2172,7 @@ The following fields are available: - **DefaultAppLanguage** The current user Default App Language. - **DisplayLanguage** The current user preferred Windows Display Language. - **HomeLocation** The current user location, which is populated using GetUserGeoId() function. -- **KeyboardInputLaîguages** No content is currently available. - **KeyboardInputLanguages** The Keyboard input languages installed on the device. -- **SpeechInputLalguages** No content is currently available. - **SpeechInputLanguages** The Speech Input languages installed on the device. @@ -2188,9 +2186,7 @@ The following fields are available: - **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. - **ActivityHistoryCollection** Current state of the activity history collection setting. - **AdvertisingId** Current state of the advertising ID setting. -- **AppDiagnostacs** No content is currently available. - **AppDiagnostics** Current state of the app diagnostics setting. -- **Appiagnostics** No content is currently available. - **Appointments** Current state of the calendar setting. - **Bluetooth** Current state of the Bluetooth capability setting. - **BluetoothSync** Current state of the Bluetooth sync capability setting. @@ -2202,26 +2198,21 @@ The following fields are available: - **Email** Current state of the email setting. - **GazeInput** Current state of the gaze input setting. - **HumanInterfaceDevice** Current state of the human interface device setting. -- **InkT9peImprovement** No content is currently available. -- **InkT9pePersonalization** No content is currently available. - **InkTypeImprovement** Current state of the improve inking and typing setting. - **InkTypePersonalization** Current state of the inking and typing personalization setting. - **Location** Current state of the location setting. - **LocationHistory** Current state of the location history setting. - **LocationHistoryCloudSync** Current state of the location history cloud synchronization setting. - **LocationHistoryOnTimeline** Current state of the location history on timeline setting. -- **Microphona** No content is currently available. - **Microphone** Current state of the microphone setting. - **PhoneCall** Current state of the phone call setting. - **PhoneCallHistory** Current state of the call history setting. - **PicturesLibrary** Current state of the pictures library setting. - **Radios** Current state of the radios setting. -- **SensorsÃustom** No content is currently available. - **SensorsCustom** Current state of the custom sensor setting. - **SerialCommunication** Current state of the serial communication setting. - **Sms** Current state of the text messaging setting. - **SpeechPersonalization** Current state of the speech services setting. -- **UqerDataTasks** No content is currently available. - **USB** Current state of the USB setting. - **UserAccountInformation** Current state of the account information setting. - **UserDataTasks** Current state of the tasks setting. @@ -2753,9 +2744,6 @@ The following fields are available: - **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. - **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. - **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds. -- **捔祦⽌䱩⽪昫橷瘴場漸䤫〫洯硈㍈㡮⽯** No content is currently available. -- **⽫甸㑪摭橷捔橗⭪晙晅晣穹椸樷** No content is currently available. -- **䉪䌯䱏杄䬷㝐灌䩚㠯⽉䝲伹㡈㕉佤** No content is currently available. ### TelClientSynthetic.HeartBeat_5 @@ -2773,12 +2761,10 @@ The following fields are available: - **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. - **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling. - **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB. -- **CriticalOvErflowEntersCounter** No content is currently available. - **DbCriticalDroppedCount** Total number of dropped critical events in event DB. - **DbDroppedCount** Number of events dropped due to DB fullness. - **DbDroppedFailureCount** Number of events dropped due to DB failures. - **DbDroppedFullCount** Number of events dropped due to DB fullness. -- **DecndingDroppedCount** No content is currently available. - **DecodingDroppedCount** Number of events dropped due to decoding failures. - **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. - **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. @@ -2792,21 +2778,16 @@ The following fields are available: - **EventsUploaded** Number of events uploaded. - **Flags** Flags indicating device state such as network state, battery state, and opt-in state. - **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. -- **FullTrigwerBufferDroppedCount** No content is currently available. - **HeartBeatSequenceNumber** The sequence number of this heartbeat. -- **InvalidH4BFCodeCount** No content is currently available. - **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. - **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. - **LastEventSizeOffender** Event name of last event which exceeded max event size. -- **LastInvalidH4BFCode** No content is currently available. - **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. - **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. - **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. - **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). - **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. - **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. -- **SettingsH4BFAttempts** No content is currently available. -- **SettingsH4BFFailures** No content is currently available. - **SettingsHttpAttempts** Number of attempts to contact OneSettings service. - **SettingsHttpFailures** The number of failures from contacting the OneSettings service. - **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. @@ -2814,16 +2795,10 @@ The following fields are available: - **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. - **UploaderErrorCount** Number of errors received from the upload endpoint. - **VortexFailuresTimeout** The number of timeout failures received from Vortex. -- **VortexH4BFAttempts** No content is currently available. -- **VortexH4BFFailures4xx** No content is currently available. -- **VortexH4BFFailures5xx** No content is currently available. -- **VortexH4BFResponseFailures** No content is currently available. -- **VortexH4BFResponsesWithDroppedEvents** No content is currently available. - **VortexHttpAttempts** Number of attempts to contact Vortex. - **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. - **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. - **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. -- **VortexHttpResponsesWi|hDroppedEvents** No content is currently available. - **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. @@ -3561,18 +3536,14 @@ The following fields are available: - **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. - **AppTimeStamp** The date/time stamp of the app. - **AppVersion** The version of the app that has crashed. -- **AsFatal** No content is currently available. -- **Exceptio** No content is currently available. - **ExceptionCode** The exception code returned by the process that has crashed. - **ExceptionOffset** The address where the exception had occurred. - **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. - **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. - **IsFatal** True/False to indicate whether the crash resulted in process termination. - **ModName** Exception module name (e.g. bar.dll). -- **ModTimestamp** No content is currently available. - **ModTimeStamp** The date/time stamp of the module. - **ModVersion** The version of the module that has crashed. -- **ode** No content is currently available. - **PackageFullName** Store application identity. - **PackageRelativeAppId** Store application identity. - **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. @@ -3580,7 +3551,6 @@ The following fields are available: - **ProcessId** The ID of the process that has crashed. - **ReportId** A GUID used to identify the report. This can used to track the report across Watson. - **TargetAppId** The kernel reported AppId of the application being reported. -- **targetAppVer** No content is currently available. - **TargetAppVer** The specific version of the application being reported - **TargetAsId** The sequence number for the hanging process. @@ -3642,7 +3612,6 @@ The following fields are available: - **FileSigningInfo** A count of file signing objects in cache. - **Generic** A count of generic objects in cache. - **HwItem** A count of hwitem objects in cache. -- **IentoryMiscellaneousOfficeAddIn** No content is currently available. - **InventoryApplication** A count of application objects in cache. - **InventoryApplicationAppV** A count of application AppV objects in cache. - **InventoryApplicationDriver** A count of application driver objects in cache @@ -3656,7 +3625,6 @@ The following fields are available: - **InventoryDeviceUsbHubClass** A count of device usb objects in cache - **InventoryDriverBinary** A count of driver binary objects in cache. - **InventoryDriverPackage** A count of device objects in cache. -- **InventoryMiscellaneiscellaneousOfficeInsights** No content is currently available. - **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache - **InventoryMiscellaneousOfficeAddInUsage** A count of office add-in usage objects in cache. - **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache @@ -3705,16 +3673,13 @@ The following fields are available: - **HiddenArp** Indicates whether a program hides itself from showing up in ARP. - **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). - **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 -- **InstallDateFromLincFile** No content is currently available. - **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. - **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array. - **InventoryVersion** The version of the inventory file generating the events. - **Language** The language code of the program. -- **MsipackageCode** No content is currently available. - **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. - **MsiProductCode** A GUID that describe the MSI Product. - **Name** The name of the application. -- **OSversionAtInstallTime** No content is currently available. - **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. - **PackageFullName** The package full name for a Store application. - **ProgramInstanceId** A hash of the file IDs in an app. @@ -3722,7 +3687,6 @@ The following fields are available: - **RootDirPath** The path to the root directory where the program was installed. - **Source** How the program was installed (for example, ARP, MSI, Appx). - **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp. -- **type** No content is currently available. - **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen. - **Version** The version number of the program. @@ -3928,55 +3892,41 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: -- **]pperClassFilters** No content is currently available. -- **basedata** No content is currently available. See [basedata](#basedata). -- **BusReportedDescraption** No content is currently available. - **BusReportedDescription** The description of the device reported by the bux. -- **BusReptrtedDescription** No content is currently available. -- **Clas{Guid** No content is currently available. - **Class** The device setup class of the driver loaded for the device. - **ClassGuid** The device class unique identifier of the driver package loaded on the device. - **COMPID** The list of “Compatible IDs” for this device. -- **Con|ainerId** No content is currently available. - **ContainerId** The system-supplied unique identifier that specifies which group(s) the device(s) installed on the parent (main) device belong to. -- **Descriptaon** No content is currently available. - **Description** The description of the device. -- **DeviceDriverFlightId** No content is currently available. -- **DeviceExtDriversFlightIds** No content is currently available. +- **DeviceDriverFlightId** The test build (Flight) identifier of the device driver. +- **DeviceExtDriversFlightIds** The test build (Flight) identifier for all extended device drivers. - **DeviceInterfaceClasses** The device interfaces that this device implements. - **DeviceState** Identifies the current state of the parent (main) device. -- **DriverAd** No content is currently available. - **DriverId** The unique identifier for the installed driver. - **DriverName** The name of the driver image file. - **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage. -- **DriverVer^ersion** No content is currently available. - **DriverVerDate** The date associated with the driver installed on the device. - **DriverVerVersion** The version number of the driver installed on the device. - **Enumerator** Identifies the bus that enumerated the device. - **ExtendedInfs** The extended INF file names. -- **FirstInstallDate** No content is currently available. -- **H_ID** No content is currently available. +- **FirstInstallDate** The first time this device was installed on the machine. - **HWID** A list of hardware IDs for the device. - **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). -- **InstallDate** No content is currently available. +- **InstallDate** The date of the most recent installation of the device on the machine. - **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx - **InventoryVersion** The version number of the inventory process generating the events. - **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. - **LowerFilters** The identifiers of the Lower filters installed for the device. - **Manufacturer** The manufacturer of the device. -- **MatchangID** No content is currently available. - **MatchingID** The Hardware ID or Compatible ID that Windows uses to install a device instance. -- **Modeh** No content is currently available. - **Model** Identifies the model of the device. - **ParentId** The Device Instance ID of the parent of the device. - **ProblemCode** The error code currently returned by the device, if applicable. -- **ProblmmCode** No content is currently available. - **Provider** Identifies the device provider. - **Service** The name of the device service. - **STACKID** The list of hardware IDs for the stack. - **UpperClassFilters** The identifiers of the Upper Class filters installed for the device. - **UpperFilters** The identifiers of the Upper filters installed for the device. -- **UpxerClassFilters** No content is currently available. ### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove @@ -4779,6 +4729,20 @@ The following fields are available: - **winInetError** The HResult of the operation. +## Other events + +### Microsoft.Windows.MigrationCore.MigObjectCountKFSys + +No content is currently available. + +The following fields are available: + +- **knownFolderLoc->DirName->CString** No content is currently available. +- **knownFoldersSys[i]** No content is currently available. +- **migDiagSession->CString** No content is currently available. +- **objectCount** No content is currently available. + + ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted From 39f90cf585d3cf0746fc039bc5a43dfb63d6f01b Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Thu, 28 Mar 2019 11:57:38 -0700 Subject: [PATCH 082/492] updates for my task 3180695 --- windows/configuration/kiosk-single-app.md | 2 +- .../mobile-devices/provisioning-configure-mobile.md | 2 +- .../provision-pcs-for-initial-deployment.md | 2 +- windows/deployment/vda-subscription-activation.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index 439acaa52b..7aba6dd11a 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md @@ -203,7 +203,7 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des - + diff --git a/windows/configuration/mobile-devices/provisioning-configure-mobile.md b/windows/configuration/mobile-devices/provisioning-configure-mobile.md index 141db07726..ee0785c38d 100644 --- a/windows/configuration/mobile-devices/provisioning-configure-mobile.md +++ b/windows/configuration/mobile-devices/provisioning-configure-mobile.md @@ -44,7 +44,7 @@ The **Provision Windows mobile devices** wizard lets you configure common settin
![step one](images/one.png)![set up device](images/set-up-device.png)

Enable device setup if you want to configure settings on this page.

**If enabled:**

Enter a name for the device.

(Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

Toggle **Configure devices for shared use** off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.

You can also select to remove pre-installed software from the device. 		![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details.png)
![step two](images/two.png) ![set up network](images/set-up-network.png)

Enable network setup if you want to configure settings on this page.

**If enabled:**

Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.		![Enter network SSID and type](images/set-up-network-details.png)
![step three](images/three.png) ![account management](images/account-management.png)

Enable account management if you want to configure settings on this page.

**If enabled:**

You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

To create a local administrator account, select that option and enter a user name and password.

**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. 		![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)
![step three](images/three.png) ![account management](images/account-management.png)

Enable account management if you want to configure settings on this page.

**If enabled:**

You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 180 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

To create a local administrator account, select that option and enter a user name and password.

**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. 		![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)
![step four](images/four.png) ![add applications](images/add-applications.png)

You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)

**Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application. 		![add an application](images/add-applications-details.png)
![step five](images/five.png) ![add certificates](images/add-certificates.png)

To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.		![add a certificate](images/add-certificates-details.png)
![step six](images/six.png) ![Configure kiosk account and app](images/kiosk-account.png)

You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.

If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts. (If you encounter issues with auto sign-in after you apply the provisioning package, check the Event Viewer logs for auto logon issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**.)

In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Windows desktop application) or the AUMID (for a Universal Windows app). For a Windows desktop application, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.		![Configure kiosk account and app](images/kiosk-account-details.png)
- +
![step one](../images/one.png)![set up device](../images/set-up-device-mobile.png)

Enter a device name.

Optionally, you can enter a product key to upgrade the device from Windows 10 Mobile to Windows 10 Mobile Enterprise. 		![device name, upgrade license](../images/set-up-device-details-mobile.png)
![step two](../images/two.png) ![set up network](../images/set-up-network-mobile.png)

Toggle **On** or **Off** for wireless network connectivity.

If you select **On**, enter the SSID, network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.		![Enter network SSID and type](../images/set-up-network-details-mobile.png)
![step three](../images/three.png) ![bulk enrollment in Azure Active Directory](../images/bulk-enroll-mobile.png)

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used.

Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards. 		![Enter expiration and get bulk token](../images/bulk-enroll-mobile-details.png)
![step three](../images/three.png) ![bulk enrollment in Azure Active Directory](../images/bulk-enroll-mobile.png)

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used.

Set an expiration date for the token (maximum is 180 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards. 		![Enter expiration and get bulk token](../images/bulk-enroll-mobile-details.png)
![step four](../images/four.png) ![finish](../images/finish-mobile.png)

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.		![Protect your package](../images/finish-details-mobile.png)
diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md index 9979020ba7..13941c3e8f 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md +++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md @@ -81,7 +81,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L - + diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index 52d00d7f17..bc7249bb71 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -88,7 +88,7 @@ For examples of activation issues, see [Troubleshoot the user experience](https: ## Azure Active Directory-joined VMs >[!IMPORTANT] ->Azure Active Directory (Azure AD) provisioning packages have a 30 day limit on bulk token usage. You will need to update the provisioning package and re-inject it into the image after 30 days. Existing virtual machines that are Azure AD-joined and deployed will not need to be recreated. +>Azure Active Directory (Azure AD) provisioning packages have a 180 day limit on bulk token usage. You will need to update the provisioning package and re-inject it into the image after 180 days. Existing virtual machines that are Azure AD-joined and deployed will not need to be recreated. For Azure AD-joined VMs, follow the same instructions (above) as for [Active Directory-joined VMs](#active-directory-joined-vms) with the following exceptions: - In step 9, during setup with Windows Configuration Designer, under **Name**, type a name for the project that indicates it is not for Active Directory joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**. From d8006946d7a35a9a85b3fa33e5a22ddab662096e Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Fri, 29 Mar 2019 07:59:34 -0700 Subject: [PATCH 083/492] task 3180700 --- .../configuration/configure-windows-10-taskbar.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md index 6d89596e32..9439d40848 100644 --- a/windows/configuration/configure-windows-10-taskbar.md +++ b/windows/configuration/configure-windows-10-taskbar.md @@ -9,7 +9,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 01/18/2018 +ms.date: 05/21/2019 --- # Configure Windows 10 taskbar @@ -315,6 +315,16 @@ The resulting taskbar for computers in any other country region: + + + + + + + + + + ``` From cfac8ae6fcfba81d9c6004d129253f1558d4b200 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Fri, 29 Mar 2019 09:05:12 -0700 Subject: [PATCH 084/492] Revert "task 3180700" This reverts commit d8006946d7a35a9a85b3fa33e5a22ddab662096e. --- .../configuration/configure-windows-10-taskbar.md | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md index 9439d40848..6d89596e32 100644 --- a/windows/configuration/configure-windows-10-taskbar.md +++ b/windows/configuration/configure-windows-10-taskbar.md @@ -9,7 +9,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 05/21/2019 +ms.date: 01/18/2018 --- # Configure Windows 10 taskbar @@ -315,16 +315,6 @@ The resulting taskbar for computers in any other country region: - - - - - - - - - - ``` From 6d6481535f028c25e3d706ae7cebbed2a263c278 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 29 Mar 2019 13:15:15 -0700 Subject: [PATCH 085/492] new build 3/29/2019 1:15 PM --- .../basic-level-windows-diagnostic-events-and-fields-1903.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 76c72b91b1..f91d4a0548 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/28/2019 +ms.date: 03/29/2019 --- From 8c5178c35dc73447dbac3b204c0a75ec8a9207d8 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 29 Mar 2019 13:15:20 -0700 Subject: [PATCH 086/492] new build 3/29/2019 1:15 PM --- ...ndows-diagnostic-events-and-fields-1703.md | 2 +- ...ndows-diagnostic-events-and-fields-1709.md | 2 +- ...ndows-diagnostic-events-and-fields-1803.md | 2 +- ...ndows-diagnostic-events-and-fields-1809.md | 55 ++----------------- 4 files changed, 9 insertions(+), 52 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 49791ce7a0..b5c2cbf517 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/28/2019 +ms.date: 03/29/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index d6a6f6eaad..800377e966 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/28/2019 +ms.date: 03/29/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 12fd625a8a..e22d5344bb 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/28/2019 +ms.date: 03/29/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 60f70721cc..6c3abb47aa 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/28/2019 +ms.date: 03/29/2019 --- @@ -3983,7 +3983,6 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: -- **DrivdrCompany** No content is currently available. - **DriverCheckSum** The checksum of the driver file. - **DriverCompany** The company name that developed the driver. - **DriverInBox** Is the driver included with the operating system? @@ -3995,15 +3994,12 @@ The following fields are available: - **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. - **DriverVersion** The version of the driver file. - **ImageSize** The size of the driver file. -- **ImageSmze** No content is currently available. - **Inf** The name of the INF file. - **InventoryVersion** The version of the inventory file generating the events. - **Product** The product name that is included in the driver file. - **ProductVersion** The product version that is included in the driver file. - **Service** The name of the service that is installed for the device. - **WdfVersion** The Windows Driver Framework version. -- **WdfVers-on** No content is currently available. -- **WdfVersÿon** No content is currently available. ### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove @@ -4254,7 +4250,6 @@ The following fields are available: - **OfficeApplication** The name of the Office application. - **OfficeArchitecture** The bitness of the Office application. - **OfficeVersion** The version of the Office application. -- **Valóe** No content is currently available. - **Value** The insights collected about this entity. @@ -4521,8 +4516,6 @@ OS information collected during Boot, used to evaluate the success of the upgrad The following fields are available: -- **Boo|ApplicationId** No content is currently available. -- **BootApplicataonId** No content is currently available. - **BootApplicationId** This field tells us what the OS Loader Application Identifier is. - **BootAttemptCount** The number of consecutive times the boot manager has attempted to boot into this operating system. - **BootSequence** The current Boot ID, used to correlate events related to a particular boot session. @@ -4704,9 +4697,7 @@ This event sends information describing the result of the update. The following fields are available: -- **br** No content is currently available. - **hr** The HResult of the operation. -- **IsLoggingE~abled** No content is currently available. - **IsLoggingEnabled** Indicates whether logging is enabled for the updater. - **UpdaterVersion** The version of the updater. @@ -4733,14 +4724,13 @@ The following fields are available: ### Microsoft.Windows.MigrationCore.MigObjectCountKFSys -No content is currently available. +This event returns data about the count of the migration objects across various phases during feature update. The following fields are available: -- **knownFolderLoc->DirName->CString** No content is currently available. -- **knownFoldersSys[i]** No content is currently available. -- **migDiagSession->CString** No content is currently available. -- **objectCount** No content is currently available. +- **knownFoldersSys[i]** The predefined folder path locations. +- **migDiagSession->CString** Identifies the phase of the upgrade where migration happens. +- **objectCount** The count of the number of objects that are being transferred. ## Privacy consent logging events @@ -4787,6 +4777,7 @@ The following fields are available: - **fileName** The file name where the failure occurred. - **function** The function where the failure occurred. - **hresult** The HResult of the overall activity. +- **hrutTyp** No content is currently available. - **lineNumber** The line number where the failure occurred. - **message** The message of the failure that occurred. - **module** The module where the failure occurred. @@ -4907,7 +4898,6 @@ The following fields are available: - **DeviceModel** What is the device model. - **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. - **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. -- **DriverGxclusionPolicy** No content is currently available. - **DriverSyncPassPerformed** Were drivers scanned this time? - **EventInstanceID** A globally unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. @@ -4917,24 +4907,19 @@ The following fields are available: - **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. - **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days). - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FeatureUpdatePause9-8iod** No content is currently available. - **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days). - **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). - **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). - **HomeMobileOperator** The mobile operator that the device was originally intended to work with. -- **I#Version** No content is currently available. - **IntentPFNs** Intended application-set metadata for atomic update scenarios. - **IPVersion** Indicates whether the download took place over IPv4 or IPv6 - **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. -- **IsWUfBDualScaninabled** No content is currently available. - **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. - **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. -- **IsWUfBinabled** No content is currently available. - **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce - **MSIError** The last error that was encountered during a scan for updates. - **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 - **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete -- **NumberOfApplicationsCategoryScanEval}ated** No content is currently available. - **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked - **NumberOfLoop** The number of round trips the scan required - **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan @@ -4950,14 +4935,10 @@ The following fields are available: - **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. - **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days). - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **QualityUpdatePause9-8iod** No content is currently available. - **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days). - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **S}ncType** No content is currently available. -- **ScanDuratioInSeconds** No content is currently available. - **ScanDurationInSeconds** The number of seconds a scan took - **ScanEnqueueTime** The number of seconds it took to initialize a scan -- **ScanPrps** No content is currently available. - **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). - **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). - **ServiceUrl** The environment URL a device is configured to scan with @@ -4967,7 +4948,6 @@ The following fields are available: - **SystemBIOSMajorRelease** Major version of the BIOS. - **SystemBIOSMinorRelease** Minor version of the BIOS. - **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. -- **TotalNumMetadataSignatureM** No content is currently available. - **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. - **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. @@ -5015,8 +4995,6 @@ The following fields are available: - **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. - **AppXDownloadScope** Indicates the scope of the download for application content. - **AppXScope** Indicates the scope of the app download. -- **aundleBy1esDownl?aded** No content is currently available. -- **B1ndleRepeatFailCount** No content is currently available. - **BiosFamily** The family of the BIOS (Basic Input Output System). - **BiosName** The name of the device BIOS. - **BiosReleaseDate** The release date of the device BIOS. @@ -5031,7 +5009,6 @@ The following fields are available: - **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). - **CachedEngineVersion** The version of the “Self-Initiated Healing” (SIH) engine that is cached on the device, if applicable. - **CallerApplicationName** The name provided by the application that initiated API calls into the software distribution client. -- **Cbs5ethod** No content is currently available. - **CbsDownloadMethod** Indicates whether the download was a full- or a partial-file download. - **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. - **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. @@ -5045,13 +5022,11 @@ The following fields are available: - **DownloadProps** Information about the download operation properties in the form of a bitmask. - **DownloadType** Differentiates the download type of “Self-Initiated Healing” (SIH) downloads between Metadata and Payload downloads. - **EventInstanceID** A globally unique identifier for event instance. -- **EventScenarao** No content is currently available. - **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed. - **EventType** Identifies the type of the event (Child, Bundle, or Driver). - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. - **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). -- **flightBuildNumber** No content is currently available. - **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. - **FlightId** The specific ID of the flight (pre-release build) the device is getting. - **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). @@ -5063,8 +5038,6 @@ The following fields are available: - **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update - **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. - **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. -- **IsWVfBDualScanEnabled** No content is currently available. -- **IsWVfBEnabled** No content is currently available. - **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. - **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) - **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." @@ -5075,10 +5048,8 @@ The following fields are available: - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. - **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background. - **RegulationReason** The reason that the update is regulated -- **RegulationReóult** No content is currently available. - **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. - **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. -- **RelqtedCV** No content is currently available. - **RepeatFailCount** Indicates whether this specific content has previously failed. - **RepeatFailFlag** Indicates whether this specific content previously failed to download. - **RevisionNumber** The revision number of the specified piece of content. @@ -5094,16 +5065,13 @@ The following fields are available: - **TargetMetadataVersion** The version of the currently downloading (or most recently downloaded) package. - **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet. - **TimeToEstablishConnection** Time (in milliseconds) it took to establish the connection prior to beginning downloaded. -- **TotalEx8ectedBydes** No content is currently available. - **TotalExpectedBytes** The total size (in Bytes) expected to be downloaded. - **UpdateId** An identifier associated with the specific piece of content. - **UpdateID** An identifier associated with the specific piece of content. - **UpdateImportance** Indicates whether the content was marked as Important, Recommended, or Optional. -- **UsecDO** No content is currently available. - **UsedDO** Indicates whether the download used the Delivery Optimization (DO) service. - **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive. - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. -- **YsWUfBEnabled** No content is currently available. ### SoftwareUpdateClientTelemetry.DownloadCheckpoint @@ -5223,7 +5191,6 @@ The following fields are available: - **SystemBIOSMajorRelease** Major version of the BIOS. - **SystemBIOSMinorRelease** Minor version of the BIOS. - **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **Targeti~gVersion** No content is currently available. - **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. - **TransactionCode** The ID that represents a given MSI installation. - **UpdateId** Unique update ID. @@ -5347,7 +5314,6 @@ The following fields are available: - **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable. - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. - **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **NumberOfA0plicableUpdates** No content is currently available. - **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. - **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). @@ -5465,7 +5431,6 @@ The following fields are available: - **InternalFailureResult** Indicates a non-fatal error from a plugin. - **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). - **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable. -- **PackageCCoegoriesSkipped** No content is currently available. - **PackageCountOptional** Number of optional packages requested. - **PackageCountRequired** Number of required packages requested. - **PackageCountTotal** Total number of packages needed. @@ -5478,7 +5443,6 @@ The following fields are available: - **PackageSizeDiff** Size of diff packages in bytes. - **PackageSizeExpress** Size of express packages in bytes. - **PackageSizePSFX** The size of PSFX packages, in bytes. -- **RangeRequestSsCoe** No content is currently available. - **RangeRequestState** Indicates the range request type used. - **RelatedCV** Correlation vector value generated from the latest USO scan. - **Result** Outcome of the download request phase of update. @@ -6337,7 +6301,6 @@ This event is sent after a scan for product updates to determine if there are pa The following fields are available: -- **AsOnline** No content is currently available. - **ClientAppId** The identity of the app that initiated this operation. - **HResult** The result code of the last action performed. - **IsApplicability** Is this request to only check if there are any applicable packages to install? @@ -6624,7 +6587,6 @@ The following fields are available: - **bytesFromLocalCache** Bytes copied over from local (on disk) cache. - **bytesFromPeers** The number of bytes received from a peer in the same LAN. - **bytesRequested** The total number of bytes requested for download. -- **cacheServerBonnectionCount** No content is currently available. - **cacheServerConnectionCount** Number of connections made to cache hosts. - **cdnConnectionCount** The total number of connections made to the CDN. - **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. @@ -6632,7 +6594,6 @@ The following fields are available: - **cdnIp** The IP address of the source CDN. - **cdnUrl** Url of the source Content Distribution Network (CDN). - **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. -- **dnErrorCounts** No content is currently available. - **doErrorCode** The Delivery Optimization error code that was returned. - **downlinkBps** The maximum measured available download bandwidth (in bytes per second). - **downlinkUsageBps** The download speed (in bytes per second). @@ -6644,9 +6605,7 @@ The following fields are available: - **fileID** The ID of the file being downloaded. - **fileSize** The size of the file being downloaded. - **gCurMemoryStreamBytes** Current usage for memory streaming. -- **gdnConnectionCount** No content is currently available. - **gMaxMemoryStreamBytes** Maximum usage for memory streaming. -- **groupConnectionCo** No content is currently available. - **groupConnectionCount** The total number of connections made to peers in the same group. - **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group. - **isEncrypted** TRUE if the file is encrypted and will be decrypted after download. @@ -6657,7 +6616,6 @@ The following fields are available: - **numPeers** The total number of peers used for this download. - **numPeersLocal** The total number of local peers used for this download. - **predefinedCallerName** The name of the API Caller. -- **restrictedU`load** No content is currently available. - **restrictedUpload** Is the upload restricted? - **routeToCacheServer** The cache server setting, source, and value. - **sessionID** The ID of the download session. @@ -7415,7 +7373,6 @@ This event sends data on whether Update Management Policies were enabled on a de The following fields are available: - **configuredPoliciescount** Number of policies on the device. -- **configuredPoliciescsunt** No content is currently available. - **policiesNamevaluesource** Policy name and source of policy (group policy, MDM or flight). - **policyCacherefreshtime** Time when policy cache was refreshed. - **updateInstalluxsetting** Indicates whether a user has set policies via a user experience option. From ce42be5de8a47a7fd35fe6b79beadfe982105351 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 1 Apr 2019 16:27:21 -0700 Subject: [PATCH 087/492] new build 4/1/2019 4:27 PM --- .../basic-level-windows-diagnostic-events-and-fields-1903.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index f91d4a0548..c9df4f0d71 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/29/2019 +ms.date: 04/01/2019 --- From 8bd56a341549d1dfc1dfb68f7417069c1e7fa366 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 1 Apr 2019 16:27:28 -0700 Subject: [PATCH 088/492] new build 4/1/2019 4:27 PM --- ...ndows-diagnostic-events-and-fields-1703.md | 2 +- ...ndows-diagnostic-events-and-fields-1709.md | 2 +- ...ndows-diagnostic-events-and-fields-1803.md | 2 +- ...ndows-diagnostic-events-and-fields-1809.md | 34 +++++++++++++++---- 4 files changed, 30 insertions(+), 10 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index b5c2cbf517..1d21304909 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/29/2019 +ms.date: 04/01/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 800377e966..e06f5187b6 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/29/2019 +ms.date: 04/01/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index e22d5344bb..0606766261 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/29/2019 +ms.date: 04/01/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 6c3abb47aa..25ff1cd99e 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/29/2019 +ms.date: 04/01/2019 --- @@ -346,6 +346,7 @@ The following fields are available: - **DatasourceDriverPackage_TH2** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchIngInfoBlock_19H1** No content is currently available. - **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoBlock_RS2** The count of the number of this particular object type present on this device. @@ -2760,13 +2761,20 @@ The following fields are available: - **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. - **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. - **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling. +- **CriticalDt2eDbDroppedCount** No content is currently available. +- **CriticalDt2eThrottleDroppedCount** No content is currently available. - **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB. +- **CrrancalDataDbDroppedCount** No content is currently available. +- **CrrancalDataThrottleDroppedCount** No content is currently available. +- **CrrancalOverflowEntersCounter** No content is currently available. - **DbCriticalDroppedCount** Total number of dropped critical events in event DB. +- **DbCrrancalDroppedCount** No content is currently available. - **DbDroppedCount** Number of events dropped due to DB fullness. - **DbDroppedFailureCount** Number of events dropped due to DB failures. - **DbDroppedFullCount** Number of events dropped due to DB fullness. - **DecodingDroppedCount** Number of events dropped due to decoding failures. - **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **EnteringCrrancalOverflowDroppedCounter** No content is currently available. - **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. - **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. - **EventsPersistedCount** Number of events that reached the PersistEvent stage. @@ -2796,6 +2804,8 @@ The following fields are available: - **UploaderErrorCount** Number of errors received from the upload endpoint. - **VortexFailuresTimeout** The number of timeout failures received from Vortex. - **VortexHttpAttempts** Number of attempts to contact Vortex. +- **VortexHttpeReponseFailures** No content is currently available. +- **VortexHttpeReponsesWithDroppedEvents** No content is currently available. - **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. - **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. - **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. @@ -3409,6 +3419,7 @@ The following fields are available: - **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. - **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). - **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). +- **DedicatedVidmoMemoryB** No content is currently available. - **DisplayAdapterLuid** The display adapter LUID. - **DriverDate** The date of the display driver. - **DriverRank** The rank of the display driver. @@ -3435,6 +3446,7 @@ The following fields are available: - **IsRemovable** TRUE if the adapter supports being disabled or removed. - **IsRenderDevice** Does the GPU have rendering capabilities? - **IsSoftwareDevice** Is this a software implementation of the GPU? +- **KMDF** No content is currently available. - **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store. - **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? - **MsHybridDiscrete** Indicates whether the adapter is a discrete adapter in a hybrid configuration. @@ -3445,6 +3457,7 @@ The following fields are available: - **SubVendorID** The GPU sub vendor ID. - **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? - **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) +- **TmlemetryEnabled** No content is currently available. - **version** The event version. - **WDDMVersion** The Windows Display Driver Model version. @@ -3552,6 +3565,7 @@ The following fields are available: - **ReportId** A GUID used to identify the report. This can used to track the report across Watson. - **TargetAppId** The kernel reported AppId of the application being reported. - **TargetAppVer** The specific version of the application being reported +- **TargetAppVr** No content is currently available. - **TargetAsId** The sequence number for the hanging process. @@ -4000,6 +4014,7 @@ The following fields are available: - **ProductVersion** The product version that is included in the driver file. - **Service** The name of the service that is installed for the device. - **WdfVersion** The Windows Driver Framework version. +- **YmageSize** No content is currently available. ### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove @@ -4777,6 +4792,7 @@ The following fields are available: - **fileName** The file name where the failure occurred. - **function** The function where the failure occurred. - **hresult** The HResult of the overall activity. +- **hresult€threadId** No content is currently available. - **hrutTyp** No content is currently available. - **lineNumber** The line number where the failure occurred. - **message** The message of the failure that occurred. @@ -4938,6 +4954,8 @@ The following fields are available: - **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days). - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **ScanDurationInSeconds** The number of seconds a scan took +- **ScanDurationInSeuonds** No content is currently available. +- **ScanEnque}eTime** No content is currently available. - **ScanEnqueueTime** The number of seconds it took to initialize a scan - **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). - **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). @@ -4995,6 +5013,7 @@ The following fields are available: - **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. - **AppXDownloadScope** Indicates the scope of the download for application content. - **AppXScope** Indicates the scope of the app download. +- **AppXU3s8aHashFailures** No content is currently available. - **BiosFamily** The family of the BIOS (Basic Input Output System). - **BiosName** The name of the device BIOS. - **BiosReleaseDate** The release date of the device BIOS. @@ -5028,6 +5047,7 @@ The following fields are available: - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. - **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). - **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. +- **FlighTBuildNumber** No content is currently available. - **FlightId** The specific ID of the flight (pre-release build) the device is getting. - **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). - **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). @@ -5069,6 +5089,7 @@ The following fields are available: - **UpdateId** An identifier associated with the specific piece of content. - **UpdateID** An identifier associated with the specific piece of content. - **UpdateImportance** Indicates whether the content was marked as Important, Recommended, or Optional. +- **UpdatEImportance** No content is currently available. - **UsedDO** Indicates whether the download used the Delivery Optimization (DO) service. - **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive. - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. @@ -5132,6 +5153,7 @@ This event sends tracking data about the software distribution client installati The following fields are available: +- **2À@=2§3F'™+ck** No content is currently available. - **BiosFamily** The family of the BIOS (Basic Input Output System). - **BiosName** The name of the device BIOS. - **BiosReleaseDate** The release date of the device BIOS. @@ -5152,11 +5174,13 @@ The following fields are available: - **DeviceModel** The device model. - **DriverPingBack** Contains information about the previous driver and system state. - **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. +- **DriverReuoveryIds** No content is currently available. - **EventInstanceID** A globally unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. - **EventType** Possible values are Child, Bundle, or Driver. - **ExtendedErrorCode** The extended error code. - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough. +- **ExtendEdStatusCode** No content is currently available. - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. - **FlightBranch** The branch that a device is on if participating in the Windows Insider Program. - **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build. @@ -6594,6 +6618,7 @@ The following fields are available: - **cdnIp** The IP address of the source CDN. - **cdnUrl** Url of the source Content Distribution Network (CDN). - **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **dataSourcEsTotal** No content is currently available. - **doErrorCode** The Delivery Optimization error code that was returned. - **downlinkBps** The maximum measured available download bandwidth (in bytes per second). - **downlinkUsageBps** The download speed (in bytes per second). @@ -6603,6 +6628,7 @@ The following fields are available: - **experimentId** When running a test, this is used to correlate with other events that are part of the same test. - **expiresAt** The time when the content will expire from the Delivery Optimization Cache. - **fileID** The ID of the file being downloaded. +- **fileSaze** No content is currently available. - **fileSize** The size of the file being downloaded. - **gCurMemoryStreamBytes** Current usage for memory streaming. - **gMaxMemoryStreamBytes** Maximum usage for memory streaming. @@ -6652,7 +6678,6 @@ This event sends data describing the start of a new download to enable Delivery The following fields are available: -- **ActiveNetworkConnection** No content is currently available. - **background** Indicates whether the download is happening in the background. - **bytesRequested** Number of bytes requested for the download. - **cdnUrl** The URL of the source Content Distribution Network (CDN). @@ -6671,21 +6696,16 @@ The following fields are available: - **fileSize** Total file size of the file that was downloaded. - **fileSizeCaller** Value for total file size provided by our caller. - **groupID** ID for the group. -- **IsBootCritical** No content is currently available. - **isEncrypted** Indicates whether the download is encrypted. - **isVpn** Indicates whether the device is connected to a Virtual Private Network. - **jobID** The ID of the Windows Update job. - **peerID** The ID for this delivery optimization client. - **predefinedCallerName** Name of the API caller. - **routeToCacheServer** Cache server setting, source, and value. -- **SdbEntries** No content is currently available. - **sessionID** The ID for the file download session. - **setConfigs** A JSON representation of the configurations that have been set, and their sources. - **updateID** The ID of the update being downloaded. - **usedMemoryStream** Indicates whether the download used memory streaming. -- **WuDriverCoverage** No content is currently available. -- **WuDriverUpdateId** No content is currently available. -- **WuPopulatedFromId** No content is currently available. ### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication From bbf3529726f7e837cfefbf1f31d91297425677b2 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 2 Apr 2019 08:53:08 -0700 Subject: [PATCH 089/492] new build 4/2/2019 8:53 AM --- ...basic-level-windows-diagnostic-events-and-fields-1903.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index c9df4f0d71..b745b8fa81 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/01/2019 +ms.date: 04/02/2019 --- @@ -3130,8 +3130,8 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: -- **Audio.CaptureDriver** No content is currently available. -- **Audio.RenderDriver** No content is currently available. +- **Audio.CaptureDriver** The capture driver endpoint for the audio device. +- **Audio.RenderDriver** The render driver for the audio device. - **Audio_CaptureDriver** The Audio device capture driver endpoint. - **Audio_RenderDriver** The Audio device render driver endpoint. - **InventoryVersion** The version of the inventory file generating the events. From a168f8af7f9af53e7dd874afa4e8fb05bde719cc Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 2 Apr 2019 08:53:13 -0700 Subject: [PATCH 090/492] new build 4/2/2019 8:53 AM --- ...ndows-diagnostic-events-and-fields-1703.md | 2 +- ...ndows-diagnostic-events-and-fields-1709.md | 2 +- ...ndows-diagnostic-events-and-fields-1803.md | 2 +- ...ndows-diagnostic-events-and-fields-1809.md | 125 +++++++++++++++++- 4 files changed, 125 insertions(+), 6 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 1d21304909..c7bbf928bd 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/01/2019 +ms.date: 04/02/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index e06f5187b6..72b3a95d4c 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/01/2019 +ms.date: 04/02/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 0606766261..48424772ba 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/01/2019 +ms.date: 04/02/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 25ff1cd99e..f86d9d6c9c 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/01/2019 +ms.date: 04/02/2019 --- @@ -1774,6 +1774,7 @@ The following fields are available: - **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed. - **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses. - **WmdrmPurchased** Indicates if the system has any files with permanent licenses. +- **聗mdrmNonPermanent** No content is currently available. ### Microsoft.Windows.Appraiser.General.WmdrmRemove @@ -1960,7 +1961,9 @@ The following fields are available: - **MEID** Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. - **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. - **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **Mobi�eOperatorNetwork1** No content is currently available. - **MobileOperatorBilling** Represents the telephone company that provides services for mobile phone users. +- **MobileOperatorCommercia�ized** No content is currently available. - **MobileOperatorCommercialized** Represents which reseller and geography the phone is commercialized for. This is the set of values on the phone for who and where it was intended to be used. For example, the commercialized mobile operator code AT&T in the US would be ATT-US. - **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. - **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. @@ -2719,7 +2722,9 @@ Fired by UTC at startup to signal what data we are allowed to collect. The following fields are available: +- **CanAddMsagoMsTelemetry** No content is currently available. - **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. +- **CanCollactAnyTelemetry** No content is currently available. - **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. - **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. - **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. @@ -2727,7 +2732,9 @@ The following fields are available: - **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. - **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. - **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. +- **CanPerfotmDiagnosticEscalations** No content is currently available. - **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **Can䁃ollectCoreTelemetry** No content is currently available. - **PreviousPermissions** Bitmask of previous telemetry state. - **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. @@ -2742,6 +2749,7 @@ The following fields are available: - **CensusStartTime** Returns timestamp corresponding to last successful census run. - **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. - **LastConnectivityLossTime** Retrieves the last time the device lost free network. +- **LastGonnectivityLossTime** No content is currently available. - **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. - **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. - **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds. @@ -2754,9 +2762,18 @@ This event sends data about the health and quality of the diagnostic data from t The following fields are available: - **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel. +- **AggregationFlags** No content is currently available. +- **AggregationPeriodMS** No content is currently available. +- **AudioInMS** No content is currently available. +- **AudioOutMS** No content is currently available. +- **BackgroundMouseSec** No content is currently available. +- **BitPeriodMS** No content is currently available. - **CensusExitCode** The last exit code of the Census task. - **CensusStartTime** Time of last Census run. - **CensusTaskEnabled** True if Census is enabled, false otherwise. +- **CompositionDirtyGeneratedSec** No content is currently available. +- **CompositionDirtyPropagatedSec** No content is currently available. +- **CompositionRenderedSec** No content is currently available. - **CompressedBytesUploaded** Number of compressed bytes uploaded. - **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. - **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. @@ -2773,43 +2790,72 @@ The following fields are available: - **DbDroppedFailureCount** Number of events dropped due to DB failures. - **DbDroppedFullCount** Number of events dropped due to DB fullness. - **DecodingDroppedCount** Number of events dropped due to decoding failures. +- **Decoding刁刁刁刁刁刁刁刁刁刁刁刁** No content is currently available. - **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. - **EnteringCrrancalOverflowDroppedCounter** No content is currently available. - **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. +- **EtwDroppedBuffertorFlags** No content is currently available. - **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. +- **Eve~tStoreResetSizeSum** No content is currently available. +- **EventSequence** No content is currently available. - **EventsPersistedCount** Number of events that reached the PersistEvent stage. - **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC. - **EventStoreResetCounter** Number of times event DB was reset. - **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance. +- **EventStOreResetSizeSum** No content is currently available. - **EventSubStoreResetCounter** Number of times event DB was reset. - **EventSubStoreResetSizeSum** Total size of event DB across all resets reports in this instance. - **EventsUploaded** Number of events uploaded. - **Flags** Flags indicating device state such as network state, battery state, and opt-in state. - **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. +- **FullTriggerBuvferDroppedCount** No content is currently available. +- **GameInputSec** No content is currently available. - **HeartBeatSequenceNumber** The sequence number of this heartbeat. +- **InteractiveTimeoutPeriodMS** No content is currently available. - **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. +- **InvalidHttpCodECount** No content is currently available. - **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. - **LastEventSizeOffender** Event name of last event which exceeded max event size. - **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. - **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. +- **MaxIn]seScenarioCounter** No content is currently available. - **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. +- **MaxInUseScenarioCountev** No content is currently available. - **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). - **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. +- **Repe`tedUploadFailureDropped** No content is currently available. - **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. +- **SettingsHttpAtsempts** No content is currently available. - **SettingsHttpAttempts** Number of attempts to contact OneSettings service. - **SettingsHttpFailures** The number of failures from contacting the OneSettings service. +- **SinceFirstInteractivityMS** No content is currently available. +- **SpeechRecognitionSec** No content is currently available. +- **SummaryRound** No content is currently available. +- **TargetAsId** No content is currently available. - **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. - **TopUploaderErrors** List of top errors received from the upload endpoint. - **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. - **UploaderErrorCount** Number of errors received from the upload endpoint. +- **ViewFlags** No content is currently available. +- **VodtexFailuresTimeout** No content is currently available. +- **VodtexHttpAttempts** No content is currently available. +- **VodtexHttpFailures4xx** No content is currently available. +- **VodtexHttpFailures5xx** No content is currently available. +- **VodtexHttpResponseFailures** No content is currently available. +- **VodtexHttpResponsesWithDroppedEvents** No content is currently available. - **VortexFailuresTimeout** The number of timeout failures received from Vortex. +- **VortexHttpAtsempts** No content is currently available. - **VortexHttpAttempts** Number of attempts to contact Vortex. - **VortexHttpeReponseFailures** No content is currently available. - **VortexHttpeReponsesWithDroppedEvents** No content is currently available. - **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. - **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. +- **VortexHttpFailures5xz** No content is currently available. - **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. - **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. +- **VortexHttpResponsesWythDroppedEvents** No content is currently available. +- **WindowFlags** No content is currently available. +- **刁刁刁刁刁merDroppedCoᕵnt** No content is currently available. ### TelClientSynthetic.HeartBeat_Aria_5 @@ -3414,12 +3460,17 @@ The following fields are available: - **AdapterTypeValue** The numeric value indicating the type of Graphics adapter. - **aiSeqId** The event sequence ID. +- **bootAd** No content is currently available. - **bootId** The system boot ID. - **BrightnessVersionViaDDI** The version of the Display Brightness Interface. +- **CompupePreemptionLevel** No content is currently available. - **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. +- **ComputePreeMptionLevel** No content is currently available. - **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). +- **DedicatedViddoMemoryB** No content is currently available. - **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). - **DedicatedVidmoMemoryB** No content is currently available. +- **DedicatedVifeoMemoryB** No content is currently available. - **DisplayAdapterLuid** The display adapter LUID. - **DriverDate** The date of the display driver. - **DriverRank** The rank of the display driver. @@ -3432,6 +3483,7 @@ The following fields are available: - **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. - **GPURevisionID** The GPU revision ID. - **GPUVendorID** The GPU vendor ID. +- **IntarfaceId** No content is currently available. - **InterfaceId** The GPU interface ID. - **IsDisplayDevice** Does the GPU have displaying capabilities? - **IsHwSchSupported** Indicates whether the adapter supports hardware scheduling. @@ -3440,6 +3492,7 @@ The following fields are available: - **IsLDA** Is the GPU comprised of Linked Display Adapters? - **IsMiracastSupported** Does the GPU support Miracast? - **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor? +- **IsMismat-hLDA** No content is currently available. - **IsMPOSupported** Does the GPU support Multi-Plane Overlays? - **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution? - **IsPostAdapter** Is this GPU the POST GPU in the device? @@ -3448,6 +3501,7 @@ The following fields are available: - **IsSoftwareDevice** Is this a software implementation of the GPU? - **KMDF** No content is currently available. - **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store. +- **MeasureEnablad** No content is currently available. - **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? - **MsHybridDiscrete** Indicates whether the adapter is a discrete adapter in a hybrid configuration. - **NumVidPnSources** The number of supported display output sources. @@ -3457,6 +3511,7 @@ The following fields are available: - **SubVendorID** The GPU sub vendor ID. - **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? - **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) +- **TelINvEvntTrigger** No content is currently available. - **TmlemetryEnabled** No content is currently available. - **version** The event version. - **WDDMVersion** The Windows Display Driver Model version. @@ -3546,27 +3601,39 @@ This event sends data about crashes for both native and managed applications, to The following fields are available: - **AppName** The name of the app that has crashed. +- **AppSassionGuid** No content is currently available. +- **AppSessionGqid** No content is currently available. - **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. +- **AppTimestamp** No content is currently available. - **AppTimeStamp** The date/time stamp of the app. - **AppVersion** The version of the app that has crashed. +- **ExcaptionCode** No content is currently available. - **ExceptionCode** The exception code returned by the process that has crashed. - **ExceptionOffset** The address where the exception had occurred. - **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. - **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. - **IsFatal** True/False to indicate whether the crash resulted in process termination. - **ModName** Exception module name (e.g. bar.dll). +- **ModTimaStamp** No content is currently available. - **ModTimeStamp** The date/time stamp of the module. +- **ModVarsion** No content is currently available. - **ModVersion** The version of the module that has crashed. +- **PackageFullNama** No content is currently available. - **PackageFullName** Store application identity. - **PackageRelativeAppId** Store application identity. - **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessArinetecture** No content is currently available. - **ProcessCreateTime** The time of creation of the process that has crashed. - **ProcessId** The ID of the process that has crashed. - **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargepAsId** No content is currently available. - **TargetAppId** The kernel reported AppId of the application being reported. - **TargetAppVer** The specific version of the application being reported - **TargetAppVr** No content is currently available. - **TargetAsId** The sequence number for the hanging process. +- **TarSetAppId** No content is currently available. +- **TarSetAppVer** No content is currently available. +- **TarSetAsId** No content is currently available. ## Feature update events @@ -3684,6 +3751,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: +- **HiddenAr`** No content is currently available. - **HiddenArp** Indicates whether a program hides itself from showing up in ARP. - **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). - **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 @@ -3692,12 +3760,15 @@ The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. - **Language** The language code of the program. - **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. +- **MsiPqckageCode** No content is currently available. - **MsiProductCode** A GUID that describe the MSI Product. - **Name** The name of the application. +- **OSVersionAtI~stallTi}e** No content is currently available. - **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. - **PackageFullName** The package full name for a Store application. - **ProgramInstanceId** A hash of the file IDs in an app. - **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field. +- **RootDibPath** No content is currently available. - **RootDirPath** The path to the root directory where the program was installed. - **Source** How the program was installed (for example, ARP, MSI, Appx). - **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp. @@ -3906,6 +3977,8 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: +- **** No content is currently available. +- **€** No content is currently available. - **BusReportedDescription** The description of the device reported by the bux. - **Class** The device setup class of the driver loaded for the device. - **ClassGuid** The device class unique identifier of the driver package loaded on the device. @@ -3919,6 +3992,8 @@ The following fields are available: - **DriverId** The unique identifier for the installed driver. - **DriverName** The name of the driver image file. - **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage. +- **DriverPackageStrongName** No content is currently available. +- **DriverV** No content is currently available. - **DriverVerDate** The date associated with the driver installed on the device. - **DriverVerVersion** The version number of the driver installed on the device. - **Enumerator** Identifies the bus that enumerated the device. @@ -4538,12 +4613,15 @@ The following fields are available: - **BootType** Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume"). - **EventTimestamp** Seconds elapsed since an arbitrary time point. This can be used to identify the time difference in successive boot attempts being made. - **FirmwareResetReasonEmbeddedController** Reason for system reset provided by firmware. +- **FirmwareresetReasonEmbeddedControllerAdditional** No content is currently available. - **FirmwareResetReasonEmbeddedControllerAdditional** Additional information on system reset reason provided by firmware if needed. - **FirmwareResetReasonPch** Reason for system reset provided by firmware. - **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed. +- **FirmwareResetReasonPchADditional** No content is currently available. - **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware. - **IO** Amount of data written to and read from the disk by the OS Loader during boot. See [IO](#io). - **LastBootSucceeded** Flag indicating whether the last boot was successful. +- **LastBootSucceedEd** No content is currently available. - **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful. - **MaxAbove4GbFreeRange** This field describes the largest memory range available above 4Gb. - **MaxBelow4GbFreeRange** This field describes the largest memory range available below 4Gb. @@ -4792,8 +4870,6 @@ The following fields are available: - **fileName** The file name where the failure occurred. - **function** The function where the failure occurred. - **hresult** The HResult of the overall activity. -- **hresult€threadId** No content is currently available. -- **hrutTyp** No content is currently available. - **lineNumber** The line number where the failure occurred. - **message** The message of the failure that occurred. - **module** The module where the failure occurred. @@ -4877,8 +4953,10 @@ This service retrieves events generated by SetupPlatform, the engine that drives The following fields are available: +- **CroupName** No content is currently available. - **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. - **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **Valqe** No content is currently available. - **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. @@ -4890,6 +4968,8 @@ Scan process event on Windows Update client. See the EventScenario field for spe The following fields are available: +- **Ä7G§ Date: Wed, 3 Apr 2019 08:16:17 -0700 Subject: [PATCH 091/492] new build 4/3/2019 8:16 AM --- ...ndows-diagnostic-events-and-fields-1903.md | 98 +++++++++---------- 1 file changed, 49 insertions(+), 49 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index b745b8fa81..e28e119c2b 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/02/2019 +ms.date: 04/03/2019 --- @@ -3780,7 +3780,7 @@ The following fields are available: - **ClassGuid** The unique ID for the device class. - **DeviceInstanceId** The unique ID for the device on the system. -- **DriverDate** The date the driver was installed. +- **DriverDate** The date of the driver. - **DriverFlightIds** The IDs for the driver flights. - **DriverInfName** Driver INF file name. - **DriverProvider** The driver manufacturer or provider. @@ -3969,7 +3969,7 @@ The following fields are available: ### Microsoft.Windows.DriverInstall.DeviceInstall -This critical event sends device instance properties for the driver installation that took place. +This critical event sends information about the driver installation that took place. The following fields are available: @@ -3981,59 +3981,59 @@ The following fields are available: - **DeviceConfigured** Indicates whether this device was configured through the kernel configuration. - **DeviceInstanceId** The unique identifier of the device in the system. - **DeviceStack** The device stack of the driver being installed. -- **DriverDate** No content is currently available. -- **DriverDescription** No content is currently available. -- **DriverInfName** No content is currently available. -- **DriverInfSectionName** No content is currently available. -- **DriverPackageId** No content is currently available. -- **DriverProvider** No content is currently available. -- **DriverUpdated** No content is currently available. -- **DriverVersion** No content is currently available. -- **EndTime** No content is currently available. -- **Error** No content is currently available. -- **ExtensionDrivers** No content is currently available. -- **FinishInstallAction** No content is currently available. -- **FinishInstallUI** No content is currently available. -- **FirmwareDate** No content is currently available. -- **FirmwareRevision** No content is currently available. -- **FirmwareVersion** No content is currently available. -- **FirstHardwareId** No content is currently available. -- **FlightIds** No content is currently available. -- **GenericDriver** No content is currently available. -- **Inbox** No content is currently available. -- **InstallDate** No content is currently available. -- **LastCompatibleId** No content is currently available. -- **LegacyInstallReasonError** No content is currently available. -- **LowerFilters** No content is currently available. -- **MatchingDeviceId** No content is currently available. -- **NeedReboot** No content is currently available. -- **OriginalDriverInfName** No content is currently available. -- **ParentDeviceInstanceId** No content is currently available. -- **PendedUntilReboot** No content is currently available. -- **Problem** No content is currently available. -- **ProblemStatus** No content is currently available. -- **SecondaryDevice** No content is currently available. -- **ServiceName** No content is currently available. -- **SetupMode** No content is currently available. -- **StartTime** No content is currently available. -- **SubmissionId** No content is currently available. -- **UpperFilters** No content is currently available. +- **DriverDate** The date of the driver. +- **DriverDescription** A description of the driver function. +- **DriverInfName** Name of the INF file (the setup information file) for the driver. +- **DriverInfSectionName** Name of the DDInstall section within the driver INF file. +- **DriverPackageId** The ID of the driver package that is staged to the driver store. +- **DriverProvider** The driver manufacturer or provider. +- **DriverUpdated** Indicates whether the driver is replacing an old driver. +- **DriverVersion** The version of the driver file. +- **EndTime** The time the installation completed. +- **Error** Provides the WIN32 error code for the installation. +- **ExtensionDrivers** List of extension drivers that complement this installation. +- **FinishInstallAction** Indicates whether the co-installer invoked the finish-install action. +- **FinishInstallUI** Indicates whether the installation process shows the user interface. +- **FirmwareDate** The firmware date that will be stored in the EFI System Resource Table (ESRT). +- **FirmwareRevision** The firmware revision that will be stored in the EFI System Resource Table (ESRT). +- **FirmwareVersion** The firmware version that will be stored in the EFI System Resource Table (ESRT). +- **FirstHardwareId** The ID in the hardware ID list that provides the most specific device description. +- **FlightIds** A list of the different Windows Insider builds on the device. +- **GenericDriver** Indicates whether the driver is a generic driver. +- **Inbox** Indicates whether the driver package is included with Windows. +- **InstallDate** The date the driver was installed. +- **LastCompatibleId** The ID in the hardware ID list that provides the least specific device description. +- **LegacyInstallReasonError** The error code for the legacy installation. +- **LowerFilters** The list of lower filter drivers. +- **MatchingDeviceId** The hardware ID or compatible ID that Windows used to install the device instance. +- **NeedReboot** Indicates whether the driver requires a reboot. +- **OriginalDriverInfName** The original name of the INF file before it was renamed. +- **ParentDeviceInstanceId** The device instance ID of the parent of the device. +- **PendedUntilReboot** Indicates whether the installation is pending until the device is rebooted. +- **Problem** Error code returned by the device after installation. +- **ProblemStatus** The status of the device after the driver installation. +- **SecondaryDevice** Indicates whether the device is a secondary device. +- **ServiceName** The service name of the driver. +- **SetupMode** Indicates whether the driver installation took place before the initial installation of the device was completed. +- **StartTime** The time when the installation started. +- **SubmissionId** The driver submission identifier assigned by the Windows Hardware Development Center. +- **UpperFilters** The list of upper filter drivers. ### Microsoft.Windows.DriverInstall.NewDevInstallDeviceEnd -No content is currently available. +This event sends data about the driver installation once it is completed. The following fields are available: -- **DeviceInstanceId** No content is currently available. -- **DriverUpdated** No content is currently available. -- **Error** No content is currently available. -- **FlightId** No content is currently available. -- **InstallDate** No content is currently available. -- **InstallFlags** No content is currently available. -- **RebootRequired** No content is currently available. -- **RollbackPossible** No content is currently available. +- **DeviceInstanceId** The unique identifier of the device in the system. +- **DriverUpdated** Indicates whether the driver was updated. +- **Error** The Win32 error code of the installation. +- **FlightId** The ID of the Windows Insider build the device received. +- **InstallDate** The date the driver was installed. +- **InstallFlags** The driver installation flags. +- **RebootRequired** Indicates whether a reboot is required after the installation. +- **RollbackPossible** Indicates whether this driver can be rolled back. - **WuTargetedHardwareId** No content is currently available. - **WuUntargetedHardwareId** No content is currently available. From c14180bb1ecd7810628c83071bb0ea541e4632fe Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 3 Apr 2019 08:16:25 -0700 Subject: [PATCH 092/492] new build 4/3/2019 8:16 AM --- ...ndows-diagnostic-events-and-fields-1703.md | 2 +- ...ndows-diagnostic-events-and-fields-1709.md | 2 +- ...ndows-diagnostic-events-and-fields-1803.md | 2 +- ...ndows-diagnostic-events-and-fields-1809.md | 102 +++++++----------- 4 files changed, 42 insertions(+), 66 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index c7bbf928bd..b1c005dbbe 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/02/2019 +ms.date: 04/03/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 72b3a95d4c..ab77c90805 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/02/2019 +ms.date: 04/03/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 48424772ba..db64dc298d 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/02/2019 +ms.date: 04/03/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index f86d9d6c9c..f398e84056 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/02/2019 +ms.date: 04/03/2019 --- @@ -346,7 +346,6 @@ The following fields are available: - **DatasourceDriverPackage_TH2** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchIngInfoBlock_19H1** No content is currently available. - **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoBlock_RS2** The count of the number of this particular object type present on this device. @@ -1742,6 +1741,8 @@ The following fields are available: - **PCFP** An ID for the system calculated by hashing hardware identifiers. - **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. - **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. +- **PerfBnDroff** No content is currently available. +- **PerfBnDroffInsurance** No content is currently available. - **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. - **RunDate** The date that the telemetry run was stated, expressed as a filetime. - **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic. @@ -1807,6 +1808,7 @@ Provides information on IE and Census versions running on the device The following fields are available: +- **App�aiserRunEndTimeStamp** No content is currently available. - **AppraiserEnterpriseErrorCode** The error code of the last Appraiser enterprise run. - **AppraiserErrorCode** The error code of the last Appraiser run. - **AppraiserRunEndTimeStamp** The end time of the last Appraiser run. @@ -1874,8 +1876,10 @@ This event sends data about the BIOS and startup embedded in the device, to help The following fields are available: +- **Firmware�anufacturer** No content is currently available. - **FirmwareManufacturer** Represents the manufacturer of the device's firmware (BIOS). - **FirmwareReleaseDate** Represents the date the current firmware was released. +- **FirmwareRele�seDate** No content is currently available. - **FirmwareType** Represents the firmware type. The various types can be unknown, BIOS, UEFI. - **FirmwareVersion** Represents the version of the current firmware. @@ -1888,6 +1892,7 @@ The following fields are available: - **DeviceSampleRate** The telemetry sample rate assigned to the device. - **EnablePreviewBuilds** Used to enable Windows Insider builds on a device. +- **EnablePrevi�wBuilds** No content is currently available. - **FlightIds** A list of the different Windows Insider builds on this device. - **FlightingBranchName** The name of the Windows Insider branch currently used by the device. - **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program. @@ -2251,6 +2256,7 @@ The following fields are available: - **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled). - **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured - **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting +- **AppStoreAutoUpd�te** No content is currently available. - **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades. - **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it? - **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update? @@ -2731,6 +2737,7 @@ The following fields are available: - **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. - **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. - **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanPerformiagnosticEscalations** No content is currently available. - **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. - **CanPerfotmDiagnosticEscalations** No content is currently available. - **CanReportScenarios** True if we can report scenario completions, false otherwise. @@ -2776,56 +2783,43 @@ The following fields are available: - **CompositionRenderedSec** No content is currently available. - **CompressedBytesUploaded** Number of compressed bytes uploaded. - **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. +- **CriticaDataThrottleDroppedCount** No content is currently available. - **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. - **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling. -- **CriticalDt2eDbDroppedCount** No content is currently available. -- **CriticalDt2eThrottleDroppedCount** No content is currently available. - **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB. -- **CrrancalDataDbDroppedCount** No content is currently available. -- **CrrancalDataThrottleDroppedCount** No content is currently available. -- **CrrancalOverflowEntersCounter** No content is currently available. - **DbCriticalDroppedCount** Total number of dropped critical events in event DB. -- **DbCrrancalDroppedCount** No content is currently available. - **DbDroppedCount** Number of events dropped due to DB fullness. - **DbDroppedFailureCount** Number of events dropped due to DB failures. - **DbDroppedFullCount** Number of events dropped due to DB fullness. - **DecodingDroppedCount** Number of events dropped due to decoding failures. -- **Decoding刁刁刁刁刁刁刁刁刁刁刁刁** No content is currently available. - **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. -- **EnteringCrrancalOverflowDroppedCounter** No content is currently available. - **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. - **EtwDroppedBuffertorFlags** No content is currently available. - **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. -- **Eve~tStoreResetSizeSum** No content is currently available. - **EventSequence** No content is currently available. - **EventsPersistedCount** Number of events that reached the PersistEvent stage. +- **EventStoreLhfetimeResetCounter** No content is currently available. - **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC. - **EventStoreResetCounter** Number of times event DB was reset. - **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance. -- **EventStOreResetSizeSum** No content is currently available. - **EventSubStoreResetCounter** Number of times event DB was reset. - **EventSubStoreResetSizeSum** Total size of event DB across all resets reports in this instance. - **EventsUploaded** Number of events uploaded. - **Flags** Flags indicating device state such as network state, battery state, and opt-in state. - **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. -- **FullTriggerBuvferDroppedCount** No content is currently available. - **GameInputSec** No content is currently available. - **HeartBeatSequenceNumber** The sequence number of this heartbeat. - **InteractiveTimeoutPeriodMS** No content is currently available. - **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. -- **InvalidHttpCodECount** No content is currently available. - **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. - **LastEventSizeOffender** Event name of last event which exceeded max event size. +- **LastInvalhdHttpCode** No content is currently available. - **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. - **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. -- **MaxIn]seScenarioCounter** No content is currently available. - **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. -- **MaxInUseScenarioCountev** No content is currently available. - **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). - **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. -- **Repe`tedUploadFailureDropped** No content is currently available. - **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. -- **SettingsHttpAtsempts** No content is currently available. - **SettingsHttpAttempts** Number of attempts to contact OneSettings service. - **SettingsHttpFailures** The number of failures from contacting the OneSettings service. - **SinceFirstInteractivityMS** No content is currently available. @@ -2834,28 +2828,17 @@ The following fields are available: - **TargetAsId** No content is currently available. - **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. - **TopUploaderErrors** List of top errors received from the upload endpoint. +- **TopUploaderErross** No content is currently available. - **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. - **UploaderErrorCount** Number of errors received from the upload endpoint. - **ViewFlags** No content is currently available. -- **VodtexFailuresTimeout** No content is currently available. -- **VodtexHttpAttempts** No content is currently available. -- **VodtexHttpFailures4xx** No content is currently available. -- **VodtexHttpFailures5xx** No content is currently available. -- **VodtexHttpResponseFailures** No content is currently available. -- **VodtexHttpResponsesWithDroppedEvents** No content is currently available. - **VortexFailuresTimeout** The number of timeout failures received from Vortex. -- **VortexHttpAtsempts** No content is currently available. - **VortexHttpAttempts** Number of attempts to contact Vortex. -- **VortexHttpeReponseFailures** No content is currently available. -- **VortexHttpeReponsesWithDroppedEvents** No content is currently available. - **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. - **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. -- **VortexHttpFailures5xz** No content is currently available. - **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. - **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. -- **VortexHttpResponsesWythDroppedEvents** No content is currently available. - **WindowFlags** No content is currently available. -- **刁刁刁刁刁merDroppedCoᕵnt** No content is currently available. ### TelClientSynthetic.HeartBeat_Aria_5 @@ -3460,21 +3443,19 @@ The following fields are available: - **AdapterTypeValue** The numeric value indicating the type of Graphics adapter. - **aiSeqId** The event sequence ID. -- **bootAd** No content is currently available. +- **B2ightnessVersionViaDDI** No content is currently available. - **bootId** The system boot ID. - **BrightnessVersionViaDDI** The version of the Display Brightness Interface. -- **CompupePreemptionLevel** No content is currently available. - **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. -- **ComputePreeMptionLevel** No content is currently available. +- **Dedic`tedSystemMemoryB** No content is currently available. +- **DedicatedSystemMemorqB** No content is currently available. - **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). -- **DedicatedViddoMemoryB** No content is currently available. - **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). -- **DedicatedVidmoMemoryB** No content is currently available. -- **DedicatedVifeoMemoryB** No content is currently available. - **DisplayAdapterLuid** The display adapter LUID. - **DriverDate** The date of the display driver. - **DriverRank** The rank of the display driver. - **DriverVersion** The display driver version. +- **DX10UM@FilePath** No content is currently available. - **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store. - **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store. - **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store. @@ -3483,7 +3464,6 @@ The following fields are available: - **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. - **GPURevisionID** The GPU revision ID. - **GPUVendorID** The GPU vendor ID. -- **IntarfaceId** No content is currently available. - **InterfaceId** The GPU interface ID. - **IsDisplayDevice** Does the GPU have displaying capabilities? - **IsHwSchSupported** Indicates whether the adapter supports hardware scheduling. @@ -3492,16 +3472,15 @@ The following fields are available: - **IsLDA** Is the GPU comprised of Linked Display Adapters? - **IsMiracastSupported** Does the GPU support Miracast? - **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor? -- **IsMismat-hLDA** No content is currently available. - **IsMPOSupported** Does the GPU support Multi-Plane Overlays? - **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution? - **IsPostAdapter** Is this GPU the POST GPU in the device? - **IsRemovable** TRUE if the adapter supports being disabled or removed. +- **IsRenderDdvice** No content is currently available. - **IsRenderDevice** Does the GPU have rendering capabilities? - **IsSoftwareDevice** Is this a software implementation of the GPU? -- **KMDF** No content is currently available. - **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store. -- **MeasureEnablad** No content is currently available. +- **MeastreEnabled** No content is currently available. - **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? - **MsHybridDiscrete** Indicates whether the adapter is a discrete adapter in a hybrid configuration. - **NumVidPnSources** The number of supported display output sources. @@ -3511,8 +3490,7 @@ The following fields are available: - **SubVendorID** The GPU sub vendor ID. - **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? - **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) -- **TelINvEvntTrigger** No content is currently available. -- **TmlemetryEnabled** No content is currently available. +- **Tel�nvEvntTrigger** No content is currently available. - **version** The event version. - **WDDMVersion** The Windows Display Driver Model version. @@ -3601,39 +3579,35 @@ This event sends data about crashes for both native and managed applications, to The following fields are available: - **AppName** The name of the app that has crashed. -- **AppSassionGuid** No content is currently available. - **AppSessionGqid** No content is currently available. +- **AppSessionGui`** No content is currently available. - **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. -- **AppTimestamp** No content is currently available. - **AppTimeStamp** The date/time stamp of the app. +- **AppVarsion** No content is currently available. - **AppVersion** The version of the app that has crashed. -- **ExcaptionCode** No content is currently available. - **ExceptionCode** The exception code returned by the process that has crashed. - **ExceptionOffset** The address where the exception had occurred. - **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. - **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. - **IsFatal** True/False to indicate whether the crash resulted in process termination. - **ModName** Exception module name (e.g. bar.dll). -- **ModTimaStamp** No content is currently available. +- **ModPimeStamp** No content is currently available. +- **ModTimeSpamp** No content is currently available. - **ModTimeStamp** The date/time stamp of the module. -- **ModVarsion** No content is currently available. - **ModVersion** The version of the module that has crashed. -- **PackageFullNama** No content is currently available. +- **PackaceRelativeAppId** No content is currently available. - **PackageFullName** Store application identity. +- **PackageRelativeAppHd** No content is currently available. - **PackageRelativeAppId** Store application identity. - **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. -- **ProcessArinetecture** No content is currently available. - **ProcessCreateTime** The time of creation of the process that has crashed. +- **ProcessI`** No content is currently available. - **ProcessId** The ID of the process that has crashed. +- **ReportAd** No content is currently available. - **ReportId** A GUID used to identify the report. This can used to track the report across Watson. -- **TargepAsId** No content is currently available. - **TargetAppId** The kernel reported AppId of the application being reported. - **TargetAppVer** The specific version of the application being reported -- **TargetAppVr** No content is currently available. - **TargetAsId** The sequence number for the hanging process. -- **TarSetAppId** No content is currently available. -- **TarSetAppVer** No content is currently available. -- **TarSetAsId** No content is currently available. ## Feature update events @@ -4089,7 +4063,6 @@ The following fields are available: - **ProductVersion** The product version that is included in the driver file. - **Service** The name of the service that is installed for the device. - **WdfVersion** The Windows Driver Framework version. -- **YmageSize** No content is currently available. ### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove @@ -4609,6 +4582,7 @@ The following fields are available: - **BootApplicationId** This field tells us what the OS Loader Application Identifier is. - **BootAttemptCount** The number of consecutive times the boot manager has attempted to boot into this operating system. - **BootSequence** The current Boot ID, used to correlate events related to a particular boot session. +- **BootSequenft** No content is currently available. - **BootStatusPolicy** Identifies the applicable Boot Status Policy. - **BootType** Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume"). - **EventTimestamp** Seconds elapsed since an arbitrary time point. This can be used to identify the time difference in successive boot attempts being made. @@ -4968,8 +4942,9 @@ Scan process event on Windows Update client. See the EventScenario field for spe The following fields are available: -- **Ä7G§ Date: Thu, 4 Apr 2019 08:50:23 -0700 Subject: [PATCH 093/492] new build 4/4/2019 8:50 AM --- ...ndows-diagnostic-events-and-fields-1903.md | 224 +++++++++--------- 1 file changed, 112 insertions(+), 112 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index e28e119c2b..a0330d713f 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/03/2019 +ms.date: 04/04/2019 --- @@ -4040,24 +4040,24 @@ The following fields are available: ### Microsoft.Windows.DriverInstall.NewDevInstallDeviceStart -No content is currently available. +This event sends data about the driver that the new driver installation is replacing. The following fields are available: -- **DeviceInstanceId** No content is currently available. -- **FirstInstallDate** No content is currently available. -- **LastDriverDate** No content is currently available. -- **LastDriverInbox** No content is currently available. -- **LastDriverInfName** No content is currently available. -- **LastDriverVersion** No content is currently available. -- **LastFirmwareDate** No content is currently available. -- **LastFirmwareRevision** No content is currently available. -- **LastFirmwareVersion** No content is currently available. -- **LastInstallDate** No content is currently available. -- **LastMatchingDeviceId** No content is currently available. -- **LastProblem** No content is currently available. -- **LastProblemStatus** No content is currently available. -- **LastSubmissionId** No content is currently available. +- **DeviceInstanceId** The unique identifier of the device in the system. +- **FirstInstallDate** The first time a driver was installed on this device. +- **LastDriverDate** Date of the driver that is being replaced. +- **LastDriverInbox** Indicates whether the previous driver was included with Windows. +- **LastDriverInfName** Name of the INF file (the setup information file) of the driver being replaced. +- **LastDriverVersion** The version of the driver that is being replaced. +- **LastFirmwareDate** The date of the last firmware reported from the EFI System Resource Table (ESRT). +- **LastFirmwareRevision** The last firmware revision number reported from EFI System Resource Table (ESRT). +- **LastFirmwareVersion** The last firmware version reported from the EFI System Resource Table (ESRT). +- **LastInstallDate** The date a driver was last installed on this device. +- **LastMatchingDeviceId** The hardware ID or compatible ID that Windows last used to install the device instance. +- **LastProblem** The previous problem code that was set on the device. +- **LastProblemStatus** The previous problem code that was set on the device. +- **LastSubmissionId** The driver submission identifier of the driver that is being replaced. ### Microsoft.Windows.PBR.BitLockerWipeFinished @@ -4078,9 +4078,9 @@ This event sends data on the Windows Recovery Environment (WinRE) boot, which ca The following fields are available: -- **BsdSummaryInfo** No content is currently available. -- **sessionID** No content is currently available. -- **timestamp** No content is currently available. +- **BsdSummaryInfo** Summary of the last boot. +- **sessionID** The ID of the push-button reset session. +- **timestamp** The timestamp of the boot state. ### Microsoft.Windows.PBR.ClearTPMStarted @@ -4089,24 +4089,24 @@ This event sends basic data about the recovery operation on the device to allow The following fields are available: -- **sessionID** No content is currently available. -- **timestamp** No content is currently available. +- **sessionID** The ID for this push-button restart session. +- **timestamp** The time when the Trusted Platform Module will be erased. ### Microsoft.Windows.PBR.ClientInfo -No content is currently available. +This event indicates whether push-button reset (PBR) was initiated while the device was online or offline. The following fields are available: -- **name** No content is currently available. -- **sessionID** No content is currently available. -- **timestamp** No content is currently available. +- **name** Name of the user interface entry point. +- **sessionID** The ID of this push-button reset session. +- **timestamp** The time when this event occurred. ### Microsoft.Windows.PBR.Completed -No content is currently available. +This event sends data about the recovery operation on the device to allow for investigation. The following fields are available: @@ -4116,29 +4116,29 @@ The following fields are available: ### Microsoft.Windows.PBR.DataVolumeCount -No content is currently available. +This event provides the number of additional data volumes that the push-button reset operation has detected. The following fields are available: -- **count** No content is currently available. -- **sessionID** No content is currently available. -- **timestamp** No content is currently available. +- **count** The number of attached data drives. +- **sessionID** The ID of this push-button reset session. +- **timestamp** Time the event occurred. ### Microsoft.Windows.PBR.DiskSpaceRequired -No content is currently available. +This event sends the peak disk usage required for the push-button reset operation. The following fields are available: -- **numBytes** No content is currently available. -- **sessionID** No content is currently available. -- **timestamp** No content is currently available. +- **numBytes** The number of bytes required for the reset operation. +- **sessionID** The ID of this push-button reset session. +- **timestamp** Time the event occurred. ### Microsoft.Windows.PBR.EnterAPI -No content is currently available. +This event is sent at the beginning of each push-button reset (PRB) operation. The following fields are available: @@ -4149,7 +4149,7 @@ The following fields are available: ### Microsoft.Windows.PBR.EnteredOOBE -No content is currently available. +This event is sent when the initial installation of the device starts after completion of the push-button reset operation. The following fields are available: @@ -4159,7 +4159,7 @@ The following fields are available: ### Microsoft.Windows.PBR.LeaveAPI -No content is currently available. +This event is sent when the push-button reset operation is complete. The following fields are available: @@ -4167,12 +4167,12 @@ The following fields are available: - **errorCode** Error code if an error occurred during the API call. - **sessionID** The ID of this push-button reset session. - **success** Indicates whether the API call was successful. -- **timestamp** No content is currently available. +- **timestamp** Timestamp of this push-button reset event. ### Microsoft.Windows.PBR.OEMExtensionFinished -No content is currently available. +This event is sent when the OEM extensibility scripts have completed. The following fields are available: @@ -4188,7 +4188,7 @@ The following fields are available: ### Microsoft.Windows.PBR.OEMExtensionStarted -No content is currently available. +This event is sent when the OEM extensibility scripts start to execute. The following fields are available: @@ -4201,7 +4201,7 @@ The following fields are available: ### Microsoft.Windows.PBR.OperationExecuteFinished -No content is currently available. +This event is sent at the end of a push-button reset (PBR) operation. The following fields are available: @@ -4216,7 +4216,7 @@ The following fields are available: ### Microsoft.Windows.PBR.OperationExecuteStarted -No content is currently available. +This event is sent at the beginning of a push-button reset operation. The following fields are available: @@ -4230,7 +4230,7 @@ The following fields are available: ### Microsoft.Windows.PBR.OperationQueueConstructFinished -No content is currently available. +This event is sent when construction of the operation queue for push-button reset is finished. The following fields are available: @@ -4242,7 +4242,7 @@ The following fields are available: ### Microsoft.Windows.PBR.OperationQueueConstructStarted -No content is currently available. +This event is sent when construction of the operation queue for push-button reset is started. The following fields are available: @@ -4252,7 +4252,7 @@ The following fields are available: ### Microsoft.Windows.PBR.PBRClearRollBackEntry -No content is currently available. +This event is sent when the push-button reset operation clears the rollback entry. Push-button reset cannot rollback after this point. The following fields are available: @@ -4261,7 +4261,7 @@ The following fields are available: ### Microsoft.Windows.PBR.PBRClearTPMFailed -No content is currently available. +This event is sent when there was a failure while clearing the Trusted Platform Module (TPM). The following fields are available: @@ -4270,7 +4270,7 @@ The following fields are available: ### Microsoft.Windows.PBR.PBRCreateNewSystemReconstructionFailed -No content is currently available. +This event is sent when the push-button reset operation fails to construct a new copy of the operating system. The following fields are available: @@ -4284,7 +4284,7 @@ The following fields are available: ### Microsoft.Windows.PBR.PBRCreateNewSystemReconstructionSucceed -No content is currently available. +This event is sent when the push-button reset operation succeeds in constructing a new copy of the operating system. The following fields are available: @@ -4296,7 +4296,7 @@ The following fields are available: ### Microsoft.Windows.PBR.PBRDriverInjectionFailed -No content is currently available. +This event is sent when the driver injection fails. The following fields are available: @@ -4305,7 +4305,7 @@ The following fields are available: ### Microsoft.Windows.PBR.PBRFailed -No content is currently available. +This event is sent when the push-button reset operation fails and rolls back to the previous state. The following fields are available: @@ -4316,7 +4316,7 @@ The following fields are available: ### Microsoft.Windows.PBR.PBRFinalizeNewSystemFailed -No content is currently available. +This event is sent when the push-button reset operation fails to finalize the new system. The following fields are available: @@ -4329,7 +4329,7 @@ The following fields are available: ### Microsoft.Windows.PBR.PBRFinalizeNewSystemSucceed -No content is currently available. +This event is sent when the push-button reset operation succeeds in finalizing the new system. The following fields are available: @@ -4338,7 +4338,7 @@ The following fields are available: ### Microsoft.Windows.PBR.PBRFinalUserSelection -No content is currently available. +This event is sent when the user makes the final selection in the user interface. The following fields are available: @@ -4352,7 +4352,7 @@ The following fields are available: ### Microsoft.Windows.PBR.PBRFormatOSVolumeFailed -No content is currently available. +This event is sent when the operation to format the operating system volume fails during push-button reset (PBR). The following fields are available: @@ -4362,17 +4362,17 @@ The following fields are available: ### Microsoft.Windows.PBR.PBRFormatOSVolumeSucceed -No content is currently available. +This event is sent when the operation to format the operating system volume succeeds during push-button reset (PBR). The following fields are available: -- **JustDeleteFiles** No content is currently available. -- **SessionID** No content is currently available. +- **JustDeleteFiles** Indicates whether disk formatting was skipped. +- **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRInstallWinREFailed -No content is currently available. +This event sends basic data about the recovery operation failure on the device to allow investigation. The following fields are available: @@ -4381,7 +4381,7 @@ The following fields are available: ### Microsoft.Windows.PBR.PBRIOCTLErasureSucceed -No content is currently available. +This event is sent when the erasure operation succeeds during push-button reset (PBR). The following fields are available: @@ -4718,7 +4718,7 @@ The following fields are available: ### Microsoft.Windows.PBR.SessionCreated -No content is currently available. +This event returns data when the PRB (Push Button Reset) session is created at the beginning of the UI (user interface) process. The following fields are available: @@ -4728,7 +4728,7 @@ The following fields are available: ### Microsoft.Windows.PBR.SessionResumed -No content is currently available. +This event returns data when the PRB (Push Button Reset) session is resumed after reboots. The following fields are available: @@ -4738,7 +4738,7 @@ The following fields are available: ### Microsoft.Windows.PBR.SessionSaved -No content is currently available. +This event returns data when the PRB (Push Button Reset) session is suspended between reboots. The following fields are available: @@ -4748,18 +4748,18 @@ The following fields are available: ### Microsoft.Windows.PBR.SetupExecuteFinished -No content is currently available. +This event returns data when the PBR (Push Button Reset) setup finishes. The following fields are available: -- **sessionID** No content is currently available. +- **sessionID** The ID of this push-button reset session. - **systemState** Information about the system state of the Setup Platform operation. - **timestamp** The timestamp of this push-button reset event. ### Microsoft.Windows.PBR.SetupExecuteStarted -No content is currently available. +This event returns data when the PBR (Push Button Reset) setup starts. The following fields are available: @@ -4769,7 +4769,7 @@ The following fields are available: ### Microsoft.Windows.PBR.SetupFinalizeStarted -No content is currently available. +This event returns data when the Finalize operation is completed by setup during PBR (Push Button Reset). The following fields are available: @@ -4779,7 +4779,7 @@ The following fields are available: ### Microsoft.Windows.PBR.SetupOperationFailed -No content is currently available. +This event returns data when a PRB (Push Button Reset) setup operation fails. The following fields are available: @@ -4792,7 +4792,7 @@ The following fields are available: ### Microsoft.Windows.PBR.SystemInfoField -No content is currently available. +This event returns data about the device when the user initiates the PBR UI (Push Button Reset User Interface), to ensure the appropriate reset options are shown to the user. The following fields are available: @@ -4804,7 +4804,7 @@ The following fields are available: ### Microsoft.Windows.PBR.SystemInfoListItem -No content is currently available. +This event returns data about the device when the user initiates the PBR UI (Push Button Reset User Interface), to ensure the appropriate options can be shown to the user. The following fields are available: @@ -4817,7 +4817,7 @@ The following fields are available: ### Microsoft.Windows.PBR.SystemInfoSenseFinished -No content is currently available. +This event returns data when System Info Sense is finished. The following fields are available: @@ -4829,7 +4829,7 @@ The following fields are available: ### Microsoft.Windows.PBR.SystemInfoSenseStarted -No content is currently available. +This event returns data when System Info Sense is started. The following fields are available: @@ -4839,7 +4839,7 @@ The following fields are available: ### Microsoft.Windows.PBR.UserAcknowledgeCleanupWarning -No content is currently available. +This event returns data when the user acknowledges the cleanup warning pop-up after PRB (Push Button Reset) is complete. The following fields are available: @@ -4849,7 +4849,7 @@ The following fields are available: ### Microsoft.Windows.PBR.UserCancel -No content is currently available. +This event returns data when the user confirms they wish to cancel PBR (Push Button Reset) from the user interface. The following fields are available: @@ -4860,7 +4860,7 @@ The following fields are available: ### Microsoft.Windows.PBR.UserConfirmStart -No content is currently available. +This event returns data when the user confirms they wish to reset their device and PBR (Push Button Reset) begins. The following fields are available: @@ -4870,7 +4870,7 @@ The following fields are available: ### Microsoft.Windows.PBR.WinREInstallFinished -No content is currently available. +This event returns data when WinRE (Windows Recovery) installation is complete. The following fields are available: @@ -4882,7 +4882,7 @@ The following fields are available: ### Microsoft.Windows.PBR.WinREInstallStarted -No content is currently available. +This event returns data when WinRE (Windows Recovery) installation starts. The following fields are available: @@ -4903,11 +4903,11 @@ The following fields are available: ### Microsoft.Windows.Security.WSC.GetCallerViaWdsp -No content is currently available. +This event returns data if the registering product EXE (executable file) does not allow COM (Component Object Model) impersonation. The following fields are available: -- **callerExe** No content is currently available. +- **callerExe** The registering product EXE that does not support COM impersonation. ### Microsoft.Windows.SysReset.FlightUninstallCancel @@ -4957,7 +4957,7 @@ This event is sent when users have actions that will block the uninstall of the ### Microsoft.Windows.SysReset.IndicateLCUWasUninstalled -No content is currently available. +This event is sent when the registry indicates that the latest cumulative Windows update package has finished uninstalling. The following fields are available: @@ -5049,30 +5049,30 @@ The following fields are available: ### Microsoft.Windows.UEFI.ESRT -No content is currently available. +This event sends basic data during boot about the firmware loaded or recently installed on the machine. This helps to keep Windows up to date. The following fields are available: -- **DriverFirmwareFilename** No content is currently available. -- **DriverFirmwarePolicy** No content is currently available. -- **DriverFirmwareStatus** No content is currently available. -- **DriverFirmwareVersion** No content is currently available. +- **DriverFirmwareFilename** The firmware file name reported by the device hardware key. +- **DriverFirmwarePolicy** The optional version update policy value. +- **DriverFirmwareStatus** The firmware status reported by the device hardware key. +- **DriverFirmwareVersion** The firmware version reported by the device hardware key. - **FirmareLastAttemptVersion** No content is currently available. -- **FirmwareId** No content is currently available. -- **FirmwareLastAttemptStatus** No content is currently available. -- **FirmwareLastAttemptVersion** No content is currently available. -- **FirmwareType** No content is currently available. -- **FirmwareVersion** No content is currently available. -- **InitiateUpdate** No content is currently available. -- **LastAttemptDate** No content is currently available. -- **LastAttemptStatus** No content is currently available. -- **LastAttemptVersion** No content is currently available. -- **LowestSupportedFirmwareVersion** No content is currently available. -- **MaxRetryCount** No content is currently available. -- **PartA_PrivTags** No content is currently available. -- **RetryCount** No content is currently available. -- **Status** No content is currently available. -- **UpdateAttempted** No content is currently available. +- **FirmwareId** The UEFI (Unified Extensible Firmware Interface) identifier. +- **FirmwareLastAttemptStatus** The reported status of the most recent firmware installation attempt, as reported by the EFI System Resource Table (ESRT). +- **FirmwareLastAttemptVersion** The version of the most recent attempted firmware installation, as reported by the EFI System Resource Table (ESRT). +- **FirmwareType** The UEFI (Unified Extensible Firmware Interface) type. +- **FirmwareVersion** The UEFI (Unified Extensible Firmware Interface) version as reported by the EFI System Resource Table (ESRT). +- **InitiateUpdate** Indicates whether the system is ready to initiate an update. +- **LastAttemptDate** The date of the most recent attempted firmware installation. +- **LastAttemptStatus** The result of the most recent attempted firmware installation. +- **LastAttemptVersion** The version of the most recent attempted firmware installation. +- **LowestSupportedFirmwareVersion** The oldest (lowest) version of firmware supported. +- **MaxRetryCount** The maximum number of retries, defined by the firmware class key. +- **PartA_PrivTags** The privacy tags associated with the firmware. +- **RetryCount** The number of attempted installations (retries), reported by the driver software key. +- **Status** The status returned to the PnP (Plug-and-Play) manager. +- **UpdateAttempted** Indicates if installation of the current update has been attempted before. ### Microsoft.Xbox.XamTelemetry.AppActivationError @@ -7197,22 +7197,22 @@ The following fields are available: ### Microsoft.Windows.Update.Orchestrator.DetectionActivity -No content is currently available. +This event returns data about detected updates, as well as the types of update (optional or recommended). This data helps keep Windows up to date. The following fields are available: -- **applicableUpdateIdList** No content is currently available. -- **applicableUpdateList** No content is currently available. -- **durationInSeconds** No content is currently available. -- **expeditedMode** No content is currently available. -- **networkCostPolicy** No content is currently available. -- **scanTriggerSource** No content is currently available. -- **scenario** No content is currently available. -- **scenarioReason** No content is currently available. -- **seekerUpdateIdList** No content is currently available. -- **seekerUpdateList** No content is currently available. -- **services** No content is currently available. -- **wilActivity** No content is currently available. See [wilActivity](#wilactivity). +- **applicableUpdateIdList** The list of update identifiers. +- **applicableUpdateList** The list of available updates. +- **durationInSeconds** The amount of time (in seconds) it took for the event to run. +- **expeditedMode** Indicates whether Expedited Mode is on. +- **networkCostPolicy** The network cost. +- **scanTriggerSource** Indicates whether the scan is Interactive or Background. +- **scenario** The result code of the event. +- **scenarioReason** The reason for the result code (scenario). +- **seekerUpdateIdList** The list of “seeker” update identifiers. +- **seekerUpdateList** The list of “seeker” updates. +- **services** The list of services that were called during update. +- **wilActivity** The activity results. See [wilActivity](#wilactivity). ### Microsoft.Windows.Update.Orchestrator.DisplayNeeded From 4da8a329980776d021f3e37abdaf4c16c2939a6c Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 4 Apr 2019 08:50:29 -0700 Subject: [PATCH 094/492] new build 4/4/2019 8:50 AM --- ...ndows-diagnostic-events-and-fields-1703.md | 2 +- ...ndows-diagnostic-events-and-fields-1709.md | 2 +- ...ndows-diagnostic-events-and-fields-1803.md | 2 +- ...ndows-diagnostic-events-and-fields-1809.md | 426 ++++++++++++++++-- 4 files changed, 401 insertions(+), 31 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index b1c005dbbe..c029cc311a 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/03/2019 +ms.date: 04/04/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index ab77c90805..8fdeaa71a6 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/03/2019 +ms.date: 04/04/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index db64dc298d..f7b9ceb9f0 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/03/2019 +ms.date: 04/04/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index f398e84056..ee4dd734aa 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/03/2019 +ms.date: 04/04/2019 --- @@ -1775,7 +1775,6 @@ The following fields are available: - **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed. - **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses. - **WmdrmPurchased** Indicates if the system has any files with permanent licenses. -- **聗mdrmNonPermanent** No content is currently available. ### Microsoft.Windows.Appraiser.General.WmdrmRemove @@ -1966,9 +1965,7 @@ The following fields are available: - **MEID** Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. - **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. - **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **Mobi�eOperatorNetwork1** No content is currently available. - **MobileOperatorBilling** Represents the telephone company that provides services for mobile phone users. -- **MobileOperatorCommercia�ized** No content is currently available. - **MobileOperatorCommercialized** Represents which reseller and geography the phone is commercialized for. This is the set of values on the phone for who and where it was intended to be used. For example, the commercialized mobile operator code AT&T in the US would be ATT-US. - **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. - **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. @@ -2728,20 +2725,15 @@ Fired by UTC at startup to signal what data we are allowed to collect. The following fields are available: -- **CanAddMsagoMsTelemetry** No content is currently available. - **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. -- **CanCollactAnyTelemetry** No content is currently available. - **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. - **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. - **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. - **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. - **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. - **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. -- **CanPerformiagnosticEscalations** No content is currently available. - **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. -- **CanPerfotmDiagnosticEscalations** No content is currently available. - **CanReportScenarios** True if we can report scenario completions, false otherwise. -- **Can䁃ollectCoreTelemetry** No content is currently available. - **PreviousPermissions** Bitmask of previous telemetry state. - **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. @@ -2769,18 +2761,9 @@ This event sends data about the health and quality of the diagnostic data from t The following fields are available: - **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel. -- **AggregationFlags** No content is currently available. -- **AggregationPeriodMS** No content is currently available. -- **AudioInMS** No content is currently available. -- **AudioOutMS** No content is currently available. -- **BackgroundMouseSec** No content is currently available. -- **BitPeriodMS** No content is currently available. - **CensusExitCode** The last exit code of the Census task. - **CensusStartTime** Time of last Census run. - **CensusTaskEnabled** True if Census is enabled, false otherwise. -- **CompositionDirtyGeneratedSec** No content is currently available. -- **CompositionDirtyPropagatedSec** No content is currently available. -- **CompositionRenderedSec** No content is currently available. - **CompressedBytesUploaded** Number of compressed bytes uploaded. - **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. - **CriticaDataThrottleDroppedCount** No content is currently available. @@ -2794,9 +2777,7 @@ The following fields are available: - **DecodingDroppedCount** Number of events dropped due to decoding failures. - **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. - **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. -- **EtwDroppedBuffertorFlags** No content is currently available. - **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. -- **EventSequence** No content is currently available. - **EventsPersistedCount** Number of events that reached the PersistEvent stage. - **EventStoreLhfetimeResetCounter** No content is currently available. - **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC. @@ -2807,9 +2788,7 @@ The following fields are available: - **EventsUploaded** Number of events uploaded. - **Flags** Flags indicating device state such as network state, battery state, and opt-in state. - **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. -- **GameInputSec** No content is currently available. - **HeartBeatSequenceNumber** The sequence number of this heartbeat. -- **InteractiveTimeoutPeriodMS** No content is currently available. - **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. - **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. - **LastEventSizeOffender** Event name of last event which exceeded max event size. @@ -2822,23 +2801,17 @@ The following fields are available: - **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. - **SettingsHttpAttempts** Number of attempts to contact OneSettings service. - **SettingsHttpFailures** The number of failures from contacting the OneSettings service. -- **SinceFirstInteractivityMS** No content is currently available. -- **SpeechRecognitionSec** No content is currently available. -- **SummaryRound** No content is currently available. -- **TargetAsId** No content is currently available. - **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. - **TopUploaderErrors** List of top errors received from the upload endpoint. - **TopUploaderErross** No content is currently available. - **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. - **UploaderErrorCount** Number of errors received from the upload endpoint. -- **ViewFlags** No content is currently available. - **VortexFailuresTimeout** The number of timeout failures received from Vortex. - **VortexHttpAttempts** Number of attempts to contact Vortex. - **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. - **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. - **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. - **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. -- **WindowFlags** No content is currently available. ### TelClientSynthetic.HeartBeat_Aria_5 @@ -4800,6 +4773,403 @@ The following fields are available: - **objectCount** The count of the number of objects that are being transferred. +### Microsoft.Windows.Remediation.Applicable + +This event indicates a remedial plug-in is applicable if/when such a plug-in is detected. This is used to ensure Windows is up to date. + +The following fields are available: + +- **AllowAutoUpdateExists** No content is currently available. +- **AllowAutoUpdateProviderSetExists** No content is currently available. +- **AppraiserBinariesValidResult** Indicates whether plug-in was appraised as valid. +- **AppraiserRegistryValidResult** Indicates whether the registry entry checks out as valid. +- **AppraiserTaskRepairDisabled** No content is currently available. +- **AppraiserTaskValid** No content is currently available. +- **AUOptionsExists** No content is currently available. +- **CTACTargetingAttributesInvalid** No content is currently available. +- **CTACVersion** No content is currently available. +- **CV** Correlation vector +- **DataStoreSizeInBytes** No content is currently available. +- **DateTimeDifference** The difference between local and reference clock times. +- **DateTimeSyncEnabled** Indicates whether the datetime sync plug-in is enabled. +- **daysSinceInstallThreshold** No content is currently available. +- **daysSinceInstallValue** No content is currently available. +- **DaysSinceLastSIH** The number of days since the most recent SIH executed. +- **DaysToNextSIH** The number of days until the next scheduled SIH execution. +- **DetectConditionEnabled** No content is currently available. +- **DetectedCondition** Indicates whether detect condition is true and the perform action will be run. +- **DetectionFailedReason** No content is currently available. +- **DiskFreeSpaceBeforeSedimentPackInMB** No content is currently available. +- **DiskSpaceBefore** No content is currently available. +- **EditionIdFixCorrupted** No content is currently available. +- **EscalationTimerResetFixResult** No content is currently available. +- **EvalAndReportAppraiserRegEntries** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed. +- **FixedEditionId** No content is currently available. +- **FlightRebootTime** No content is currently available. +- **ForcedRebootToleranceDays** No content is currently available. +- **FreeSpaceRequirement** No content is currently available. +- **GlobalEventCounter** Client side counter that indicates ordering of events sent by the remediation system. +- **HResult** The HRESULT for detection or perform action phases of the plugin. +- **installDateValue** No content is currently available. +- **IsAppraiserLatestResult** The HRESULT from the appraiser task. +- **IsConfigurationCorrected** Indicates whether the configuration of SIH task was successfully corrected. +- **IsEscalationTimerResetFixNeeded** No content is currently available. +- **IsForcedModeEnabled** No content is currently available. +- **IsHomeSku** No content is currently available. +- **IsRebootForcedMode** No content is currently available. +- **IsServiceHardeningEnabled** No content is currently available. +- **IsServiceHardeningNeeded** No content is currently available. +- **isThreshold** No content is currently available. +- **IsUsoRebootPending** No content is currently available. +- **IsUsoRebootPendingInUpdateStore** No content is currently available. +- **IsUsoRebootTaskEnabled** No content is currently available. +- **IsUsoRebootTaskExists** No content is currently available. +- **IsUsoRebootTaskValid** No content is currently available. +- **LastHresult** The HRESULT for detection or perform action phases of the plugin. +- **LastRebootTaskRunResult** No content is currently available. +- **LastRebootTaskRunTime** No content is currently available. +- **LastRun** The date of the most recent SIH run. +- **LPCountBefore** No content is currently available. +- **NextCheck** No content is currently available. +- **NextRebootTaskRunTime** No content is currently available. +- **NextRun** Date of the next scheduled SIH run. +- **NoAutoUpdateExists** No content is currently available. +- **NumberOfDaysStuckInReboot** No content is currently available. +- **OriginalEditionId** No content is currently available. +- **PackageVersion** The version of the current remediation package. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **ProductType** No content is currently available. +- **QualityUpdateSedimentFunnelState** No content is currently available. +- **QualityUpdateSedimentJsonSchemaVersion** No content is currently available. +- **QualityUpdateSedimentLastRunSeconds** No content is currently available. +- **QualityUpdateSedimentLocalStartTime** No content is currently available. +- **QualityUpdateSedimentLocaltTime** No content is currently available. +- **QualityUpdateSedimentTargetedPlugins** No content is currently available. +- **QualityUpdateSedimentTargetedTriggers** No content is currently available. +- **RegkeysExist** No content is currently available. +- **Reload** True if SIH reload is required. +- **RemediationAutoUAAcLineStatus** No content is currently available. +- **RemediationAutoUAAutoStartCount** No content is currently available. +- **RemediationAutoUACalendarTaskEnabled** No content is currently available. +- **RemediationAutoUACalendarTaskExists** No content is currently available. +- **RemediationAutoUACalendarTaskTriggerEnabledCount** No content is currently available. +- **RemediationAutoUADaysSinceLastTaskRunTime** No content is currently available. +- **RemediationAutoUAGetCurrentSize** No content is currently available. +- **RemediationAutoUAIsInstalled** No content is currently available. +- **RemediationAutoUALastTaskRunResult** No content is currently available. +- **RemediationAutoUAMeteredNetwork** No content is currently available. +- **RemediationAutoUATaskEnabled** No content is currently available. +- **RemediationAutoUATaskExists** No content is currently available. +- **RemediationAutoUATasksStalled** No content is currently available. +- **RemediationAutoUATaskTriggerEnabledCount** No content is currently available. +- **RemediationAutoUAUAExitCode** No content is currently available. +- **RemediationAutoUAUAExitState** No content is currently available. +- **RemediationAutoUAUserLoggedIn** No content is currently available. +- **RemediationAutoUAUserLoggedInAdmin** No content is currently available. +- **RemediationCorruptionRepairBuildNumber** No content is currently available. +- **RemediationCorruptionRepairCorruptionsDetected** No content is currently available. +- **RemediationCorruptionRepairDetected** No content is currently available. +- **RemediationDeliverToastBuildNumber** No content is currently available. +- **RemediationDeliverToastDetected** No content is currently available. +- **RemediationDeliverToastDeviceExcludedNation** No content is currently available. +- **RemediationDeliverToastDeviceFreeSpaceInMB** No content is currently available. +- **RemediationDeliverToastDeviceHomeSku** No content is currently available. +- **RemediationDeliverToastDeviceIncludedNation** No content is currently available. +- **RemediationDeliverToastDeviceProSku** No content is currently available. +- **RemediationDeliverToastDeviceSystemDiskSizeInMB** No content is currently available. +- **RemediationDeliverToastGeoId** No content is currently available. +- **RemediationDeviceSkuId** No content is currently available. +- **RemediationGetCurrentFolderExist** No content is currently available. +- **RemediationNoisyHammerAcLineStatus** Event that indicates the AC Line Status of the machine. +- **RemediationNoisyHammerAutoStartCount** The number of times hammer auto-started. +- **RemediationNoisyHammerCalendarTaskEnabled** Event that indicates Update Assistant Calendar Task is enabled. +- **RemediationNoisyHammerCalendarTaskExists** Event that indicates an Update Assistant Calendar Task exists. +- **RemediationNoisyHammerCalendarTaskTriggerEnabledCount** Event that indicates calendar triggers are enabled in the task. +- **RemediationNoisyHammerDaysSinceLastTaskRunTime** The number of days since the most recent hammer task ran. +- **RemediationNoisyHammerGetCurrentSize** Size in MB of the $GetCurrent folder. +- **RemediationNoisyHammerIsInstalled** TRUE if the noisy hammer is installed. +- **RemediationNoisyHammerLastTaskRunResult** The result of the last hammer task run. +- **RemediationNoisyHammerMeteredNetwork** TRUE if the machine is on a metered network. +- **RemediationNoisyHammerTaskEnabled** Indicates whether the Update Assistant Task (Noisy Hammer) is enabled. +- **RemediationNoisyHammerTaskExists** Indicates whether the Update Assistant Task (Noisy Hammer) exists. +- **RemediationNoisyHammerTasksStalled** No content is currently available. +- **RemediationNoisyHammerTaskTriggerEnabledCount** Indicates whether counting is enabled for the Update Assistant (Noisy Hammer) task trigger. +- **RemediationNoisyHammerUAExitCode** The exit code of the Update Assistant (Noisy Hammer) task. +- **RemediationNoisyHammerUAExitState** The code for the exit state of the Update Assistant (Noisy Hammer) task. +- **RemediationNoisyHammerUserLoggedIn** TRUE if there is a user logged in. +- **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. +- **RemediationNotifyUserFixIssuesBoxStatusKey** No content is currently available. +- **RemediationNotifyUserFixIssuesBuildNumber** No content is currently available. +- **RemediationNotifyUserFixIssuesDetected** No content is currently available. +- **RemediationNotifyUserFixIssuesDiskSpace** No content is currently available. +- **RemediationNotifyUserFixIssuesFeatureUpdateBlocked** No content is currently available. +- **RemediationNotifyUserFixIssuesFeatureUpdateInProgress** No content is currently available. +- **RemediationNotifyUserFixIssuesIsUserAdmin** No content is currently available. +- **RemediationNotifyUserFixIssuesIsUserLoggedIn** No content is currently available. +- **RemediationProgramDataFolderSizeInMB** No content is currently available. +- **RemediationProgramFilesFolderSizeInMB** No content is currently available. +- **RemediationShellDeviceEducationSku** No content is currently available. +- **RemediationShellDeviceEnterpriseSku** No content is currently available. +- **RemediationShellDeviceFeatureUpdatesPaused** No content is currently available. +- **RemediationShellDeviceHomeSku** No content is currently available. +- **RemediationShellDeviceIsAllowedSku** No content is currently available. +- **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. +- **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. +- **RemediationShellDeviceProSku** No content is currently available. +- **RemediationShellDeviceQualityUpdatesPaused** No content is currently available. +- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager). +- **RemediationShellDeviceSetupMutexInUse** No content is currently available. +- **RemediationShellDeviceWuRegistryBlocked** No content is currently available. +- **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. +- **RemediationTargetMachine** Indicates whether the device is a target of the specified fix. +- **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task. +- **RemediationTaskHealthChkdskProactiveScan** True/False based on the health of the Check Disk task. +- **RemediationTaskHealthDiskCleanup_SilentCleanup** True/False based on the health of the Disk Cleanup task. +- **RemediationTaskHealthMaintenance_WinSAT** True/False based on the health of the Health Maintenance task. +- **RemediationTaskHealthServicing_ComponentCleanupTask** True/False based on the health of the Health Servicing Component task. +- **RemediationTaskHealthUSO_ScheduleScanTask** True/False based on the health of the USO (Update Session Orchestrator) Schedule task. +- **RemediationTaskHealthWindowsUpdate_ScheduledStartTask** True/False based on the health of the Windows Update Scheduled Start task. +- **RemediationTaskHealthWindowsUpdate_SihbootTask** True/False based on the health of the Sihboot task. +- **RemediationUHServiceDisabledBitMap** No content is currently available. +- **RemediationUHServiceNotExistBitMap** No content is currently available. +- **RemediationUsersFolderSizeInMB** No content is currently available. +- **RemediationWindows10UpgradeFolderExist** No content is currently available. +- **RemediationWindows10UpgradeFolderSizeInMB** No content is currently available. +- **RemediationWindowsAppsFolderSizeInMB** No content is currently available. +- **RemediationWindowsBtFolderSizeInMB** No content is currently available. +- **RemediationWindowsFolderSizeInMB** No content is currently available. +- **RemediationWindowsServiceProfilesFolderSizeInMB** No content is currently available. +- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin. +- **RunTask** TRUE if SIH task should be run by the plug-in. +- **StorageSenseDiskCompresserEstimateInMB** No content is currently available. +- **StorageSenseHelloFaceRecognitionFodCleanupEstimateInByte** No content is currently available. +- **StorageSenseRestorePointCleanupEstimateInMB** No content is currently available. +- **StorageSenseUserDownloadFolderCleanupEstimateInByte** No content is currently available. +- **TimeServiceNTPServer** The URL for the NTP time server used by device. +- **TimeServiceStartType** The startup type for the NTP time service. +- **TimeServiceSyncDomainJoined** True if device domain joined and hence uses DC for clock. +- **TimeServiceSyncType** Type of sync behavior for Date & Time service on device. +- **uninstallActiveValue** No content is currently available. +- **UpdateApplicabilityFixerTriggerBitMap** No content is currently available. +- **UpdateRebootTime** No content is currently available. +- **usoScanHoursSinceLastScan** No content is currently available. +- **usoScanPastThreshold** No content is currently available. +- **WindowsHiberFilSysSizeInMegabytes** No content is currently available. +- **WindowsInstallerFolderSizeInMegabytes** No content is currently available. +- **WindowsPageFileSysSizeInMegabytes** No content is currently available. +- **WindowsSoftwareDistributionFolderSizeInMegabytes** No content is currently available. +- **WindowsSwapFileSysSizeInMegabytes** No content is currently available. +- **WindowsSxsFolderSizeInMegabytes** No content is currently available. + + +### Microsoft.Windows.Remediation.Completed + +This event enables completion tracking of a process that remediates issues preventing security and quality updates. + +The following fields are available: + +- **ActionName** Name of the action to be completed by the plug-in. +- **AppraiserTaskMissing** TRUE if the Appraiser task is missing. +- **branchReadinessLevel** Branch readiness level policy. +- **cloudControlState** Value indicating whether the shell is enabled on the cloud control settings. +- **CV** The Correlation Vector. +- **DiskFreeSpaceAfterSedimentPackInMB** No content is currently available. +- **DiskFreeSpaceBeforeSedimentPackInMB** No content is currently available. +- **ForcedAppraiserTaskTriggered** TRUE if Appraiser task ran from the plug-in. +- **GlobalEventCounter** Client-side counter that indicates ordering of events sent by the active user. +- **hasRolledBack** Indicates whether the client machine has rolled back. +- **hasUninstalled** Indicates whether the client machine has uninstalled a later version of the OS. +- **hResult** The result of the event execution. +- **HResult** The result of the event execution. +- **installDate** The value of installDate registry key. Indicates the install date. +- **isNetworkMetered** Indicates whether the client machine has uninstalled a later version of the OS. +- **LatestState** The final state of the plug-in component. +- **MicrosoftCompatibilityAppraiser** The name of the component targeted by the Appraiser plug-in. +- **PackageVersion** The package version for the current Remediation. +- **PluginName** The name of the plug-in specified for each generic plug-in event. +- **QualityUpdateSedimentExecutedPlugins** No content is currently available. +- **QualityUpdateSedimentFunnelState** No content is currently available. +- **QualityUpdateSedimentJsonSchemaVersion** No content is currently available. +- **QualityUpdateSedimentLocalEndTime** No content is currently available. +- **QualityUpdateSedimentLocaltTime** No content is currently available. +- **QualityUpdateSedimentMatchedTriggers** No content is currently available. +- **QualityUpdateSedimentModelExecutionSeconds** No content is currently available. +- **recoveredFromTargetOS** No content is currently available. +- **RemediationBatteryPowerBatteryLevel** Indicates the battery level at which it is acceptable to continue operation. +- **RemediationBatteryPowerExitDueToLowBattery** True when we exit due to low battery power. +- **RemediationBatteryPowerOnBattery** True if we allow execution on battery. +- **RemediationConfigurationTroubleshooterIpconfigFix** TRUE if IPConfig Fix completed successfully. +- **RemediationConfigurationTroubleshooterNetShFix** TRUE if network card cache reset ran successfully. +- **RemediationCorruptionRepairCorruptionsDetected** No content is currently available. +- **RemediationCorruptionRepairCorruptionsFixed** No content is currently available. +- **RemediationCorruptionRepairPerformActionSuccessful** No content is currently available. +- **remediationExecution** Remediation shell is in "applying remediation" state. +- **RemediationHibernationMigrated** TRUE if hibernation was migrated. +- **RemediationHibernationMigrationSucceeded** TRUE if hibernation migration succeeded. +- **RemediationNGenDiskSpaceRestored** No content is currently available. +- **RemediationNGenMigrationSucceeded** No content is currently available. +- **RemediationShellHasUpgraded** TRUE if the device upgraded. +- **RemediationShellMinimumTimeBetweenShellRuns** Indicates the time between shell runs exceeded the minimum required to execute plugins. +- **RemediationShellRunFromService** TRUE if the shell driver was run from the service. +- **RemediationShellSessionIdentifier** Unique identifier tracking a shell session. +- **RemediationShellSessionTimeInSeconds** Indicates the time the shell session took in seconds. +- **RemediationShellTaskDeleted** Indicates that the shell task has been deleted so no additional sediment pack runs occur for this installation. +- **RemediationUpdateServiceHealthRemediationResult** The result of the Update Service Health plug-in. +- **RemediationUpdateTaskHealthRemediationResult** The result of the Update Task Health plug-in. +- **RemediationUpdateTaskHealthTaskList** A list of tasks fixed by the Update Task Health plug-in. +- **RemediationUSORebootRequred** No content is currently available. +- **Result** The HRESULT for Detection or Perform Action phases of the plug-in. +- **RunCount** No content is currently available. +- **RunResult** The HRESULT for Detection or Perform Action phases of the plug-in. +- **ServiceHardeningExitCode** The exit code returned by Windows Service Repair. +- **ServiceHealthEnabledBitMap** List of services updated by the plugin. +- **ServiceHealthInstalledBitMap** List of services installed by the plugin. +- **StorageSenseDiskCompresserTotalInMB** No content is currently available. +- **StorageSenseHelloFaceRecognitionFodCleanupTotalInByte** No content is currently available. +- **StorageSenseRestorePointCleanupTotalInMB** No content is currently available. +- **StorageSenseUserDownloadFolderCleanupTotalInByte** No content is currently available. +- **systemDriveFreeDiskSpace** Indicates the free disk space on system drive in MBs. +- **systemUptimeInHours** Indicates the amount of time the system in hours has been on since the last boot. +- **uninstallActive** TRUE if previous uninstall has occurred for current OS +- **usoScanDaysSinceLastScan** The number of days since the last USO (Update Session Orchestrator) scan. +- **usoScanInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans. +- **usoScanIsAllowAutoUpdateKeyPresent** TRUE if the AllowAutoUpdate registry key is set. +- **usoScanIsAllowAutoUpdateProviderSetKeyPresent** TRUE if AllowAutoUpdateProviderSet registry key is set. +- **usoScanIsAuOptionsPresent** TRUE if Auto Update Options registry key is set. +- **usoScanIsFeatureUpdateInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans. +- **usoScanIsNetworkMetered** TRUE if the device is currently connected to a metered network. +- **usoScanIsNoAutoUpdateKeyPresent** TRUE if no Auto Update registry key is set/present. +- **usoScanIsUserLoggedOn** TRUE if the user is logged on. +- **usoScanPastThreshold** TRUE if the most recent USO (Update Session Orchestrator) scan is past the threshold (late). +- **usoScanType** The type of USO (Update Session Orchestrator) scan: "Interactive" or "Background". +- **windows10UpgraderBlockWuUpdates** Event to report the value of Windows 10 Upgrader BlockWuUpdates Key. +- **windowsEditionId** Event to report the value of Windows Edition ID. +- **windowsUpgradeRecoveredFromRs4** Event to report the value of the Windows Upgrade Recovered key. + + +### Microsoft.Windows.Remediation.Started + +This event reports whether a plug-in started, to help ensure Windows is up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **QualityUpdateSedimentFunnelState** No content is currently available. +- **QualityUpdateSedimentJsonSchemaVersion** No content is currently available. +- **QualityUpdateSedimentLastRunSeconds** No content is currently available. +- **QualityUpdateSedimentLocaltTime** No content is currently available. +- **QualityUpdateSedimentMatchedTriggers** No content is currently available. +- **QualityUpdateSedimentSelectedPlugins** No content is currently available. +- **QualityUpdateSedimentTargetedPlugins** No content is currently available. +- **QualityUpdateSedimentTargetedTriggers** No content is currently available. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. +- **RunCount** The number of times the remediation event started (whether it completed successfully or not). + + +### Microsoft.Windows.SedimentLauncher.Applicable + +Indicates whether a given plugin is applicable. + +The following fields are available: + +- **CV** Correlation vector. +- **DetectedCondition** Boolean true if detect condition is true and perform action will be run. +- **FileVersion** No content is currently available. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **IsHashMismatch** No content is currently available. +- **IsSelfUpdateEnabledInOneSettings** True if self update enabled in Settings. +- **IsSelfUpdateNeeded** True if self update needed by device. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + + +### Microsoft.Windows.SedimentLauncher.Completed + +Indicates whether a given plugin has completed its work. + +The following fields are available: + +- **CV** Correlation vector. +- **FailedReasons** Concatenated list of failure reasons. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. +- **SedLauncherExecutionResult** HRESULT for one execution of the Sediment Launcher. + + +### Microsoft.Windows.SedimentLauncher.Started + +This event indicates that a given plug-in has started. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + + +### Microsoft.Windows.SedimentService.Applicable + +This event indicates whether a given plug-in is applicable. + +The following fields are available: + +- **CV** Correlation vector. +- **DetectedCondition** Determine whether action needs to run based on device properties. +- **FileVersion** No content is currently available. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **IsHashMismatch** No content is currently available. +- **IsSelfUpdateEnabledInOneSettings** Indicates if self update is enabled in One Settings. +- **IsSelfUpdateNeeded** Indicates if self update is needed. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + + +### Microsoft.Windows.SedimentService.Completed + +This event indicates whether a given plug-in has completed its work. + +The following fields are available: + +- **CV** Correlation vector. +- **FailedReasons** List of reasons when the plugin action failed. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. +- **SedimentServiceCheckTaskFunctional** True/False if scheduled task check succeeded. +- **SedimentServiceCurrentBytes** Number of current private bytes of memory consumed by sedsvc.exe. +- **SedimentServiceKillService** True/False if service is marked for kill (Shell.KillService). +- **SedimentServiceMaximumBytes** Maximum bytes allowed for the service. +- **SedimentServiceRanShell** No content is currently available. +- **SedimentServiceRetrievedKillService** True/False if result of One Settings check for kill succeeded - we only send back one of these indicators (not for each call). +- **SedimentServiceShellRunHResult** No content is currently available. +- **SedimentServiceStopping** True/False indicating whether the service is stopping. +- **SedimentServiceTaskFunctional** True/False if scheduled task is functional. If task is not functional this indicates plugins will be run. +- **SedimentServiceTotalIterations** Number of 5 second iterations service will wait before running again. + + +### Microsoft.Windows.SedimentService.Started + +This event indicates a specified plug-in has started. This information helps ensure Windows is up to date. + +The following fields are available: + +- **CV** The Correlation Vector. +- **GlobalEventCounter** The client-side counter that indicates ordering of events. +- **PackageVersion** The version number of the current remediation package. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin. + + ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted From f8d890ccb8d8dd95d4fee53a1881a6f4e472d759 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 5 Apr 2019 09:51:05 -0700 Subject: [PATCH 095/492] new build 4/5/2019 9:51 AM --- ...ndows-diagnostic-events-and-fields-1903.md | 96 +++++++++---------- 1 file changed, 48 insertions(+), 48 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index a0330d713f..44cb7ab443 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/04/2019 +ms.date: 04/05/2019 --- @@ -3943,28 +3943,28 @@ The following fields are available: - **ContainerId** An identifier that uniquely groups the functional devices associated with a single-function or multifunction device. - **DeviceInstanceId** The unique identifier for this instance of the device. - **EndpointDevnodeId** The IMMDevice identifier of the associated devnode. -- **endpointEffectClsid** No content is currently available. -- **endpointEffectModule** No content is currently available. +- **endpointEffectClsid** The COM Class Identifier (CLSID) for the endpoint effect audio processing object. +- **endpointEffectModule** Module name for the endpoint effect audio processing object. - **EndpointFormFactor** The enumeration value for the form factor of the endpoint device (for example speaker, microphone, remote network device). - **endpointID** The unique identifier for the audio endpoint. - **endpointInstanceId** The unique identifier for the software audio endpoint. Used for joining to other audio event. - **Flow** Indicates whether the endpoint is capture (1) or render (0). -- **globalEffectClsid** No content is currently available. -- **globalEffectModule** No content is currently available. +- **globalEffectClsid** COM Class Identifier (CLSID) for the legacy global effect audio processing object. +- **globalEffectModule** Module name for the legacy global effect audio processing object. - **HWID** The hardware identifier for the endpoint. - **IsBluetooth** Indicates whether the device is a Bluetooth device. -- **isFarField** No content is currently available. +- **isFarField** A flag indicating whether the microphone endpoint is capable of hearing far field audio. - **IsSideband** Indicates whether the device is a sideband device. - **IsUSB** Indicates whether the device is a USB device. - **JackSubType** A unique ID representing the KS node type of the endpoint. -- **localEffectClsid** No content is currently available. -- **localEffectModule** No content is currently available. +- **localEffectClsid** The COM Class Identifier (CLSID) for the legacy local effect audio processing object. +- **localEffectModule** Module name for the legacy local effect audio processing object. - **MicArrayGeometry** Describes the microphone array, including the microphone position, coordinates, type, and frequency range. See [MicArrayGeometry](#micarraygeometry). -- **modeEffectClsid** No content is currently available. -- **modeEffectModule** No content is currently available. +- **modeEffectClsid** The COM Class Identifier (CLSID) for the mode effect audio processing object. +- **modeEffectModule** Module name for the mode effect audio processing object. - **persistentId** A unique ID for this endpoint which is retained across migrations. -- **streamEffectClsid** No content is currently available. -- **streamEffectModule** No content is currently available. +- **streamEffectClsid** The COM Class Identifier (CLSID) for the stream effect audio processing object. +- **streamEffectModule** Module name for the stream effect audio processing object. ### Microsoft.Windows.DriverInstall.DeviceInstall @@ -4390,7 +4390,7 @@ The following fields are available: ### Microsoft.Windows.PBR.PBRLayoutImageFailed -No content is currently available. +This event is sent when push-button reset fails to create a new image of Windows. The following fields are available: @@ -4399,7 +4399,7 @@ The following fields are available: ### Microsoft.Windows.PBR.PBRLayoutImageSucceed -No content is currently available. +This event is sent when push-button reset succeeds in creating a new image of Windows. The following fields are available: @@ -4408,7 +4408,7 @@ The following fields are available: ### Microsoft.Windows.PBR.PBROEM1Failed -No content is currently available. +This event is sent when the first OEM extensibility operation is successfully completed. The following fields are available: @@ -4421,14 +4421,14 @@ The following fields are available: ### Microsoft.Windows.PBR.PBROEM2Failed -No content is currently available. +This event is sent when the second OEM extensibility operation is successfully completed. The following fields are available: -- **HRESULT** The result code for the error that occurred while running the OEM extensibility script. -- **Parameters** The parameters to the OEM extensibility script. +- **HRESULT** The result error code from the OEM extensibility script. +- **Parameters** The parameters that were passed to the OEM extensibility script. - **PBRType** The type of push-button reset. -- **ScriptName** The path to the push-button reset script. +- **ScriptName** The path to the OEM extensibility script. - **SessionID** The ID of the push-button reset session. @@ -4488,16 +4488,16 @@ The following fields are available: ### Microsoft.Windows.PBR.PBRReachedOOBE -No content is currently available. +This event returns data when the PBR (Push Button Reset) process reaches the OOBE (Out of Box Experience). The following fields are available: -- **SessionID** No content is currently available. +- **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRReconstructionInitiated -No content is currently available. +This event returns data when a PBR (Push Button Reset) reconstruction operation begins. The following fields are available: @@ -4506,7 +4506,7 @@ The following fields are available: ### Microsoft.Windows.PBR.PBRRequirementChecks -No content is currently available. +This event returns data when PBR (Push Button Reset) requirement checks begin. The following fields are available: @@ -4518,7 +4518,7 @@ The following fields are available: ### Microsoft.Windows.PBR.PBRRequirementChecksFailed -No content is currently available. +This event returns data when PBR (Push Button Reset) requirement checks fail. The following fields are available: @@ -4527,28 +4527,28 @@ The following fields are available: - **ErrorType** The type of error that occurred during the requirement checks phase of the push-button reset operation. - **PBRImageVersion** The image version of the push-button reset tool. - **PBRRecoveryStrategy** The recovery strategy for this phase of push-button reset. -- **PBRStartedFrom** No content is currently available. -- **PBRType** No content is currently available. +- **PBRStartedFrom** Identifies the push-button reset entry point. +- **PBRType** The type of push-button reset specified by the user interface. - **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRRequirementChecksPassed -No content is currently available. +This event returns data when PBR (Push Button Reset) requirement checks are passed. The following fields are available: -- **OSVersion** No content is currently available. -- **PBRImageType** No content is currently available. +- **OSVersion** The OS version installed on the device. +- **PBRImageType** The push-button reset image type. - **PBRImageVersion** The version of the push-button reset image. -- **PBRRecoveryStrategy** No content is currently available. -- **PBRStartedFrom** No content is currently available. +- **PBRRecoveryStrategy** The push-button reset recovery strategy. +- **PBRStartedFrom** Identifies the push-button reset entry point. - **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRRestoreLicenseFailed -No content is currently available. +This event sends basic data about recovery operation failure on the device. This data allows investigation to help keep Windows and PBR (Push Button Reset) up to date. The following fields are available: @@ -4557,18 +4557,18 @@ The following fields are available: ### Microsoft.Windows.PBR.PBRSucceed -No content is currently available. +This event returns data when PBR (Push Button Reset) succeeds. The following fields are available: -- **OSVersion** No content is currently available. +- **OSVersion** The OS version installed on the device. - **PBRType** The type of push-button reset. - **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRUserCancelled -No content is currently available. +This event returns data when the user cancels the PBR (Push Button Reset) from the UI (user interface). The following fields are available: @@ -4579,18 +4579,18 @@ The following fields are available: ### Microsoft.Windows.PBR.PBRVersionsMistmatch -No content is currently available. +This event returns data when there is a version mismatch for WinRE (Windows Recovery) and the OS. The following fields are available: -- **OSVersion** No content is currently available. +- **OSVersion** The OS version installed on the device. - **REVersion** The version of Windows Recovery Environment (WinRE). - **SessionID** The ID of this push-button reset session. ### Microsoft.Windows.PBR.PBRWinREInstallationFailed -No content is currently available. +This event returns data when the WinRE (Windows Recovery) installation fails. The following fields are available: @@ -4599,7 +4599,7 @@ The following fields are available: ### Microsoft.Windows.PBR.PhaseFinished -No content is currently available. +This event returns data when a phase of PBR (Push Button Reset) has completed. The following fields are available: @@ -4623,7 +4623,7 @@ The following fields are available: ### Microsoft.Windows.PBR.ReconstructionInfo -No content is currently available. +This event returns data about the PBR (Push Button Reset) reconstruction. The following fields are available: @@ -4631,13 +4631,13 @@ The following fields are available: - **numPackagesFailed** The number of packages that failed during the reconstruction operation of push-button reset. - **sessionID** The ID of this push-button reset session. - **slowMode** The mode of reconstruction. -- **targetVersion** No content is currently available. +- **targetVersion** The target version of the OS for the reconstruction. - **timestamp** The timestamp of this push-button reset event. ### Microsoft.Windows.PBR.ResetOptions -No content is currently available. +This event returns data about the PBR (Push Button Reset) reset options selected by the user. The following fields are available: @@ -4651,7 +4651,7 @@ The following fields are available: ### Microsoft.Windows.PBR.RetryQueued -No content is currently available. +This event returns data about the retry count when PBR (Push Button Reset) is restarted due to a reboot. The following fields are available: @@ -4662,7 +4662,7 @@ The following fields are available: ### Microsoft.Windows.PBR.ReturnedToOldOS -No content is currently available. +This event returns data after PBR (Push Button Reset) has completed the rollback. The following fields are available: @@ -4672,7 +4672,7 @@ The following fields are available: ### Microsoft.Windows.PBR.ReturnTaskSchedulingFailed -No content is currently available. +This event returns data when there is a failure scheduling a boot into WinRE (Windows Recovery). The following fields are available: @@ -4684,7 +4684,7 @@ The following fields are available: ### Microsoft.Windows.PBR.RollbackFinished -No content is currently available. +This event returns data when the PBR (Push Button Reset) rollback completes. The following fields are available: @@ -4696,7 +4696,7 @@ The following fields are available: ### Microsoft.Windows.PBR.RollbackStarted -No content is currently available. +This event returns data when the PBR (Push Button Reset) rollback begins. The following fields are available: @@ -4706,7 +4706,7 @@ The following fields are available: ### Microsoft.Windows.PBR.ScenarioNotSupported -No content is currently available. +This event returns data when the PBR (Push Button Reset) scenario selected is not supported on the device. The following fields are available: From 340015dd795a8e38b34239bae0222a23f7bb1a42 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 5 Apr 2019 09:51:11 -0700 Subject: [PATCH 096/492] new build 4/5/2019 9:51 AM --- .../basic-level-windows-diagnostic-events-and-fields-1703.md | 2 +- .../basic-level-windows-diagnostic-events-and-fields-1709.md | 2 +- .../basic-level-windows-diagnostic-events-and-fields-1803.md | 2 +- .../basic-level-windows-diagnostic-events-and-fields-1809.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index c029cc311a..b935c25c38 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/04/2019 +ms.date: 04/05/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 8fdeaa71a6..ded2f5807f 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/04/2019 +ms.date: 04/05/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index f7b9ceb9f0..d65b1aae10 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/04/2019 +ms.date: 04/05/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index ee4dd734aa..21218c05f5 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/04/2019 +ms.date: 04/05/2019 --- From ef1ab22ea3b3a253a572313c8d5f6b3388002b2b Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 5 Apr 2019 13:31:12 -0700 Subject: [PATCH 097/492] new build 4/5/2019 1:31 PM --- ...ndows-diagnostic-events-and-fields-1903.md | 942 +++++++++--------- 1 file changed, 478 insertions(+), 464 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 44cb7ab443..451bee2d3f 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -1518,6 +1518,74 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. +## Audio endpoint events + +### MicArrayGeometry + +This event provides information about the layout of the individual microphone elements in the microphone array. + +The following fields are available: + +- **MicCoords** The location and orientation of the microphone element. +- **usFrequencyBandHi** The high end of the frequency range for the microphone. +- **usFrequencyBandLo** The low end of the frequency range for the microphone. +- **usMicArrayType** The type of the microphone array. +- **usNumberOfMicrophones** The number of microphones in the array. +- **usVersion** The version of the microphone array specification. +- **wHorizontalAngleBegin** The horizontal angle of the start of the working volume (reported as radians times 10,000). +- **wHorizontalAngleEnd** The horizontal angle of the end of the working volume (reported as radians times 10,000). +- **wVerticalAngleBegin** The vertical angle of the start of the working volume (reported as radians times 10,000). +- **wVerticalAngleEnd** The vertical angle of the end of the working volume (reported as radians times 10,000). + + +### MicCoords + +This event provides information about the location and orientation of the microphone element. + +The following fields are available: + +- **usType** The type of microphone. +- **wHorizontalAngle** The horizontal angle of the microphone (reported as radians times 10,000). +- **wVerticalAngle** The vertical angle of the microphone (reported as radians times 10,000). +- **wXCoord** The x-coordinate of the microphone. +- **wYCoord** The y-coordinate of the microphone. +- **wZCoord** The z-coordinate of the microphone. + + +### Microsoft.Windows.Audio.EndpointBuilder.DeviceInfo + +This event logs the successful enumeration of an audio endpoint (such as a microphone or speaker) and provides information about the audio endpoint. + +The following fields are available: + +- **BusEnumeratorName** The name of the bus enumerator (for example, HDAUDIO or USB). +- **ContainerId** An identifier that uniquely groups the functional devices associated with a single-function or multifunction device. +- **DeviceInstanceId** The unique identifier for this instance of the device. +- **EndpointDevnodeId** The IMMDevice identifier of the associated devnode. +- **endpointEffectClsid** The COM Class Identifier (CLSID) for the endpoint effect audio processing object. +- **endpointEffectModule** Module name for the endpoint effect audio processing object. +- **EndpointFormFactor** The enumeration value for the form factor of the endpoint device (for example speaker, microphone, remote network device). +- **endpointID** The unique identifier for the audio endpoint. +- **endpointInstanceId** The unique identifier for the software audio endpoint. Used for joining to other audio event. +- **Flow** Indicates whether the endpoint is capture (1) or render (0). +- **globalEffectClsid** COM Class Identifier (CLSID) for the legacy global effect audio processing object. +- **globalEffectModule** Module name for the legacy global effect audio processing object. +- **HWID** The hardware identifier for the endpoint. +- **IsBluetooth** Indicates whether the device is a Bluetooth device. +- **isFarField** A flag indicating whether the microphone endpoint is capable of hearing far field audio. +- **IsSideband** Indicates whether the device is a sideband device. +- **IsUSB** Indicates whether the device is a USB device. +- **JackSubType** A unique ID representing the KS node type of the endpoint. +- **localEffectClsid** The COM Class Identifier (CLSID) for the legacy local effect audio processing object. +- **localEffectModule** Module name for the legacy local effect audio processing object. +- **MicArrayGeometry** Describes the microphone array, including the microphone position, coordinates, type, and frequency range. See [MicArrayGeometry](#micarraygeometry). +- **modeEffectClsid** The COM Class Identifier (CLSID) for the mode effect audio processing object. +- **modeEffectModule** Module name for the mode effect audio processing object. +- **persistentId** A unique ID for this endpoint which is retained across migrations. +- **streamEffectClsid** The COM Class Identifier (CLSID) for the stream effect audio processing object. +- **streamEffectModule** Module name for the stream effect audio processing object. + + ## Census events ### Census.App @@ -2652,6 +2720,101 @@ This event is a low latency health alert that is part of the 4Nines device healt +## Driver installation events + +### Microsoft.Windows.DriverInstall.DeviceInstall + +This critical event sends information about the driver installation that took place. + +The following fields are available: + +- **ClassGuid** The unique ID for the device class. +- **ClassLowerFilters** The list of lower filter class drivers. +- **ClassUpperFilters** The list of upper filter class drivers. +- **CoInstallers** The list of coinstallers. +- **ConfigFlags** The device configuration flags. +- **DeviceConfigured** Indicates whether this device was configured through the kernel configuration. +- **DeviceInstanceId** The unique identifier of the device in the system. +- **DeviceStack** The device stack of the driver being installed. +- **DriverDate** The date of the driver. +- **DriverDescription** A description of the driver function. +- **DriverInfName** Name of the INF file (the setup information file) for the driver. +- **DriverInfSectionName** Name of the DDInstall section within the driver INF file. +- **DriverPackageId** The ID of the driver package that is staged to the driver store. +- **DriverProvider** The driver manufacturer or provider. +- **DriverUpdated** Indicates whether the driver is replacing an old driver. +- **DriverVersion** The version of the driver file. +- **EndTime** The time the installation completed. +- **Error** Provides the WIN32 error code for the installation. +- **ExtensionDrivers** List of extension drivers that complement this installation. +- **FinishInstallAction** Indicates whether the co-installer invoked the finish-install action. +- **FinishInstallUI** Indicates whether the installation process shows the user interface. +- **FirmwareDate** The firmware date that will be stored in the EFI System Resource Table (ESRT). +- **FirmwareRevision** The firmware revision that will be stored in the EFI System Resource Table (ESRT). +- **FirmwareVersion** The firmware version that will be stored in the EFI System Resource Table (ESRT). +- **FirstHardwareId** The ID in the hardware ID list that provides the most specific device description. +- **FlightIds** A list of the different Windows Insider builds on the device. +- **GenericDriver** Indicates whether the driver is a generic driver. +- **Inbox** Indicates whether the driver package is included with Windows. +- **InstallDate** The date the driver was installed. +- **LastCompatibleId** The ID in the hardware ID list that provides the least specific device description. +- **LegacyInstallReasonError** The error code for the legacy installation. +- **LowerFilters** The list of lower filter drivers. +- **MatchingDeviceId** The hardware ID or compatible ID that Windows used to install the device instance. +- **NeedReboot** Indicates whether the driver requires a reboot. +- **OriginalDriverInfName** The original name of the INF file before it was renamed. +- **ParentDeviceInstanceId** The device instance ID of the parent of the device. +- **PendedUntilReboot** Indicates whether the installation is pending until the device is rebooted. +- **Problem** Error code returned by the device after installation. +- **ProblemStatus** The status of the device after the driver installation. +- **SecondaryDevice** Indicates whether the device is a secondary device. +- **ServiceName** The service name of the driver. +- **SetupMode** Indicates whether the driver installation took place before the initial installation of the device was completed. +- **StartTime** The time when the installation started. +- **SubmissionId** The driver submission identifier assigned by the Windows Hardware Development Center. +- **UpperFilters** The list of upper filter drivers. + + +### Microsoft.Windows.DriverInstall.NewDevInstallDeviceEnd + +This event sends data about the driver installation once it is completed. + +The following fields are available: + +- **DeviceInstanceId** The unique identifier of the device in the system. +- **DriverUpdated** Indicates whether the driver was updated. +- **Error** The Win32 error code of the installation. +- **FlightId** The ID of the Windows Insider build the device received. +- **InstallDate** The date the driver was installed. +- **InstallFlags** The driver installation flags. +- **RebootRequired** Indicates whether a reboot is required after the installation. +- **RollbackPossible** Indicates whether this driver can be rolled back. +- **WuTargetedHardwareId** No content is currently available. +- **WuUntargetedHardwareId** No content is currently available. + + +### Microsoft.Windows.DriverInstall.NewDevInstallDeviceStart + +This event sends data about the driver that the new driver installation is replacing. + +The following fields are available: + +- **DeviceInstanceId** The unique identifier of the device in the system. +- **FirstInstallDate** The first time a driver was installed on this device. +- **LastDriverDate** Date of the driver that is being replaced. +- **LastDriverInbox** Indicates whether the previous driver was included with Windows. +- **LastDriverInfName** Name of the INF file (the setup information file) of the driver being replaced. +- **LastDriverVersion** The version of the driver that is being replaced. +- **LastFirmwareDate** The date of the last firmware reported from the EFI System Resource Table (ESRT). +- **LastFirmwareRevision** The last firmware revision number reported from EFI System Resource Table (ESRT). +- **LastFirmwareVersion** The last firmware version reported from the EFI System Resource Table (ESRT). +- **LastInstallDate** The date a driver was last installed on this device. +- **LastMatchingDeviceId** The hardware ID or compatible ID that Windows last used to install the device instance. +- **LastProblem** The previous problem code that was set on the device. +- **LastProblemStatus** The previous problem code that was set on the device. +- **LastSubmissionId** The driver submission identifier of the driver that is being replaced. + + ## DxgKernelTelemetry events ### DxgKrnlTelemetry.GPUAdapterInventoryV2 @@ -3899,166 +4062,35 @@ The following fields are available: - **WFD2Supported** Indicates if the Miracast receiver supports WFD2 protocol. -## Other events +## Privacy consent logging events -### MicArrayGeometry +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted -This event provides information about the layout of the individual microphone elements in the microphone array. +This event is used to determine whether the user successfully completed the privacy consent experience. The following fields are available: -- **MicCoords** The location and orientation of the microphone element. -- **usFrequencyBandHi** The high end of the frequency range for the microphone. -- **usFrequencyBandLo** The low end of the frequency range for the microphone. -- **usMicArrayType** The type of the microphone array. -- **usNumberOfMicrophones** The number of microphones in the array. -- **usVersion** The version of the microphone array specification. -- **wHorizontalAngleBegin** The horizontal angle of the start of the working volume (reported as radians times 10,000). -- **wHorizontalAngleEnd** The horizontal angle of the end of the working volume (reported as radians times 10,000). -- **wVerticalAngleBegin** The vertical angle of the start of the working volume (reported as radians times 10,000). -- **wVerticalAngleEnd** The vertical angle of the end of the working volume (reported as radians times 10,000). +- **presentationVersion** Which display version of the privacy consent experience the user completed +- **privacyConsentState** The current state of the privacy consent experience +- **settingsVersion** Which setting version of the privacy consent experience the user completed +- **userOobeExitReason** The exit reason of the privacy consent experience -### MicCoords +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus -This event provides information about the location and orientation of the microphone element. +Event tells us effectiveness of new privacy experience. The following fields are available: -- **usType** The type of microphone. -- **wHorizontalAngle** The horizontal angle of the microphone (reported as radians times 10,000). -- **wVerticalAngle** The vertical angle of the microphone (reported as radians times 10,000). -- **wXCoord** The x-coordinate of the microphone. -- **wYCoord** The y-coordinate of the microphone. -- **wZCoord** The z-coordinate of the microphone. +- **isAdmin** whether the person who is logging in is an admin +- **isExistingUser** whether the account existed in a downlevel OS +- **isLaunching** Whether or not the privacy consent experience will be launched +- **isSilentElevation** whether the user has most restrictive UAC controls +- **privacyConsentState** whether the user has completed privacy experience +- **userRegionCode** The current user's region setting -### Microsoft.Windows.Audio.EndpointBuilder.DeviceInfo - -This event logs the successful enumeration of an audio endpoint (such as a microphone or speaker) and provides information about the audio endpoint. - -The following fields are available: - -- **BusEnumeratorName** The name of the bus enumerator (for example, HDAUDIO or USB). -- **ContainerId** An identifier that uniquely groups the functional devices associated with a single-function or multifunction device. -- **DeviceInstanceId** The unique identifier for this instance of the device. -- **EndpointDevnodeId** The IMMDevice identifier of the associated devnode. -- **endpointEffectClsid** The COM Class Identifier (CLSID) for the endpoint effect audio processing object. -- **endpointEffectModule** Module name for the endpoint effect audio processing object. -- **EndpointFormFactor** The enumeration value for the form factor of the endpoint device (for example speaker, microphone, remote network device). -- **endpointID** The unique identifier for the audio endpoint. -- **endpointInstanceId** The unique identifier for the software audio endpoint. Used for joining to other audio event. -- **Flow** Indicates whether the endpoint is capture (1) or render (0). -- **globalEffectClsid** COM Class Identifier (CLSID) for the legacy global effect audio processing object. -- **globalEffectModule** Module name for the legacy global effect audio processing object. -- **HWID** The hardware identifier for the endpoint. -- **IsBluetooth** Indicates whether the device is a Bluetooth device. -- **isFarField** A flag indicating whether the microphone endpoint is capable of hearing far field audio. -- **IsSideband** Indicates whether the device is a sideband device. -- **IsUSB** Indicates whether the device is a USB device. -- **JackSubType** A unique ID representing the KS node type of the endpoint. -- **localEffectClsid** The COM Class Identifier (CLSID) for the legacy local effect audio processing object. -- **localEffectModule** Module name for the legacy local effect audio processing object. -- **MicArrayGeometry** Describes the microphone array, including the microphone position, coordinates, type, and frequency range. See [MicArrayGeometry](#micarraygeometry). -- **modeEffectClsid** The COM Class Identifier (CLSID) for the mode effect audio processing object. -- **modeEffectModule** Module name for the mode effect audio processing object. -- **persistentId** A unique ID for this endpoint which is retained across migrations. -- **streamEffectClsid** The COM Class Identifier (CLSID) for the stream effect audio processing object. -- **streamEffectModule** Module name for the stream effect audio processing object. - - -### Microsoft.Windows.DriverInstall.DeviceInstall - -This critical event sends information about the driver installation that took place. - -The following fields are available: - -- **ClassGuid** The unique ID for the device class. -- **ClassLowerFilters** The list of lower filter class drivers. -- **ClassUpperFilters** The list of upper filter class drivers. -- **CoInstallers** The list of coinstallers. -- **ConfigFlags** The device configuration flags. -- **DeviceConfigured** Indicates whether this device was configured through the kernel configuration. -- **DeviceInstanceId** The unique identifier of the device in the system. -- **DeviceStack** The device stack of the driver being installed. -- **DriverDate** The date of the driver. -- **DriverDescription** A description of the driver function. -- **DriverInfName** Name of the INF file (the setup information file) for the driver. -- **DriverInfSectionName** Name of the DDInstall section within the driver INF file. -- **DriverPackageId** The ID of the driver package that is staged to the driver store. -- **DriverProvider** The driver manufacturer or provider. -- **DriverUpdated** Indicates whether the driver is replacing an old driver. -- **DriverVersion** The version of the driver file. -- **EndTime** The time the installation completed. -- **Error** Provides the WIN32 error code for the installation. -- **ExtensionDrivers** List of extension drivers that complement this installation. -- **FinishInstallAction** Indicates whether the co-installer invoked the finish-install action. -- **FinishInstallUI** Indicates whether the installation process shows the user interface. -- **FirmwareDate** The firmware date that will be stored in the EFI System Resource Table (ESRT). -- **FirmwareRevision** The firmware revision that will be stored in the EFI System Resource Table (ESRT). -- **FirmwareVersion** The firmware version that will be stored in the EFI System Resource Table (ESRT). -- **FirstHardwareId** The ID in the hardware ID list that provides the most specific device description. -- **FlightIds** A list of the different Windows Insider builds on the device. -- **GenericDriver** Indicates whether the driver is a generic driver. -- **Inbox** Indicates whether the driver package is included with Windows. -- **InstallDate** The date the driver was installed. -- **LastCompatibleId** The ID in the hardware ID list that provides the least specific device description. -- **LegacyInstallReasonError** The error code for the legacy installation. -- **LowerFilters** The list of lower filter drivers. -- **MatchingDeviceId** The hardware ID or compatible ID that Windows used to install the device instance. -- **NeedReboot** Indicates whether the driver requires a reboot. -- **OriginalDriverInfName** The original name of the INF file before it was renamed. -- **ParentDeviceInstanceId** The device instance ID of the parent of the device. -- **PendedUntilReboot** Indicates whether the installation is pending until the device is rebooted. -- **Problem** Error code returned by the device after installation. -- **ProblemStatus** The status of the device after the driver installation. -- **SecondaryDevice** Indicates whether the device is a secondary device. -- **ServiceName** The service name of the driver. -- **SetupMode** Indicates whether the driver installation took place before the initial installation of the device was completed. -- **StartTime** The time when the installation started. -- **SubmissionId** The driver submission identifier assigned by the Windows Hardware Development Center. -- **UpperFilters** The list of upper filter drivers. - - -### Microsoft.Windows.DriverInstall.NewDevInstallDeviceEnd - -This event sends data about the driver installation once it is completed. - -The following fields are available: - -- **DeviceInstanceId** The unique identifier of the device in the system. -- **DriverUpdated** Indicates whether the driver was updated. -- **Error** The Win32 error code of the installation. -- **FlightId** The ID of the Windows Insider build the device received. -- **InstallDate** The date the driver was installed. -- **InstallFlags** The driver installation flags. -- **RebootRequired** Indicates whether a reboot is required after the installation. -- **RollbackPossible** Indicates whether this driver can be rolled back. -- **WuTargetedHardwareId** No content is currently available. -- **WuUntargetedHardwareId** No content is currently available. - - -### Microsoft.Windows.DriverInstall.NewDevInstallDeviceStart - -This event sends data about the driver that the new driver installation is replacing. - -The following fields are available: - -- **DeviceInstanceId** The unique identifier of the device in the system. -- **FirstInstallDate** The first time a driver was installed on this device. -- **LastDriverDate** Date of the driver that is being replaced. -- **LastDriverInbox** Indicates whether the previous driver was included with Windows. -- **LastDriverInfName** Name of the INF file (the setup information file) of the driver being replaced. -- **LastDriverVersion** The version of the driver that is being replaced. -- **LastFirmwareDate** The date of the last firmware reported from the EFI System Resource Table (ESRT). -- **LastFirmwareRevision** The last firmware revision number reported from EFI System Resource Table (ESRT). -- **LastFirmwareVersion** The last firmware version reported from the EFI System Resource Table (ESRT). -- **LastInstallDate** The date a driver was last installed on this device. -- **LastMatchingDeviceId** The hardware ID or compatible ID that Windows last used to install the device instance. -- **LastProblem** The previous problem code that was set on the device. -- **LastProblemStatus** The previous problem code that was set on the device. -- **LastSubmissionId** The driver submission identifier of the driver that is being replaced. - +## Push Button Reset events ### Microsoft.Windows.PBR.BitLockerWipeFinished @@ -4890,323 +4922,6 @@ The following fields are available: - **timestamp** The timestamp for this push-button reset event. -### Microsoft.Windows.Security.WSC.DatastoreMigratedVersion - -This event provides information about the datastore migration and whether it was successful. - -The following fields are available: - -- **datastoreisvtype** The product category of the datastore. -- **datastoremigrated** The version of the datastore that was migrated. -- **status** The result code of the migration. - - -### Microsoft.Windows.Security.WSC.GetCallerViaWdsp - -This event returns data if the registering product EXE (executable file) does not allow COM (Component Object Model) impersonation. - -The following fields are available: - -- **callerExe** The registering product EXE that does not support COM impersonation. - - -### Microsoft.Windows.SysReset.FlightUninstallCancel - -This event indicates the customer has cancelled uninstallation of Windows. - - - -### Microsoft.Windows.SysReset.FlightUninstallError - -This event sends an error code when the Windows uninstallation fails. - -The following fields are available: - -- **ErrorCode** Error code for uninstallation failure. - - -### Microsoft.Windows.SysReset.FlightUninstallReboot - -This event is sent to signal an upcoming reboot during uninstallation of Windows. - - - -### Microsoft.Windows.SysReset.FlightUninstallStart - -This event indicates that the Windows uninstallation has started. - - - -### Microsoft.Windows.SysReset.FlightUninstallUnavailable - -This event sends diagnostic data when the Windows uninstallation is not available. - -The following fields are available: - -- **AddedProfiles** Indicates that new user profiles have been created since the flight was installed. -- **MissingExternalStorage** Indicates that the external storage used to install the flight is not available. -- **MissingInfra** Indicates that uninstall resources are missing. -- **MovedProfiles** Indicates that the user profile has been moved since the flight was installed. - - -### Microsoft.Windows.SysReset.HasPendingActions - -This event is sent when users have actions that will block the uninstall of the latest quality update. - - - -### Microsoft.Windows.SysReset.IndicateLCUWasUninstalled - -This event is sent when the registry indicates that the latest cumulative Windows update package has finished uninstalling. - -The following fields are available: - -- **errorCode** The error code if there was a failure during uninstallation of the latest cumulative Windows update package. - - -### Microsoft.Windows.SysReset.LCUUninstall - -This event is sent when the latest cumulative Windows update was uninstalled on a device. - -The following fields are available: - -- **errorCode** An error that occurred while the Windows update package was being uninstalled. -- **packageName** The name of the Windows update package that is being uninstalled. -- **removalTime** The amount of time it took to uninstall the Windows update package. - - -### Microsoft.Windows.SysReset.PBRBlockedByPolicy - -This event is sent when a push-button reset operation is blocked by the System Administrator. - -The following fields are available: - -- **PBRBlocked** Reason the push-button reset operation was blocked. -- **PBRType** The type of push-button reset operation that was blocked. - - -### Microsoft.Windows.SysReset.PBREngineInitFailed - -This event signals a failed handoff between two recovery binaries. - -The following fields are available: - -- **Operation** Legacy customer scenario. - - -### Microsoft.Windows.SysReset.PBREngineInitSucceed - -This event signals successful handoff between two recovery binaries. - -The following fields are available: - -- **Operation** Legacy customer scenario. - - -### Microsoft.Windows.SysReset.PBRFailedOffline - -This event reports the error code when recovery fails. - -The following fields are available: - -- **HRESULT** Error code for the failure. -- **PBRType** The recovery scenario. -- **SessionID** The unique ID for the recovery session. - - -### Microsoft.Windows.SystemReset.EsimPresentCheck - -This event is sent when a device is checked to see whether it has an embedded SIM (eSIM). - -The following fields are available: - -- **errorCode** Any error that occurred while checking for the presence of an embedded SIM. -- **esimPresent** Indicates whether an embedded SIM is present on the device. -- **sessionID** The ID of this session. - - -### Microsoft.Windows.SystemReset.PBRCorruptionRepairOption - -This event sends corruption repair diagnostic data when the PBRCorruptionRepairOption encounters a corruption error. - -The following fields are available: - -- **cbsSessionOption** The corruption repair configuration. -- **errorCode** The error code encountered. -- **meteredConnection** Indicates whether the device is connected to a metered network (wired or WiFi). -- **sessionID** The globally unique identifier (GUID) for the session. - - -### Microsoft.Windows.SystemReset.RepairNeeded - -This event provides information about whether a system reset needs repair. - -The following fields are available: - -- **repairNeeded** Indicates whether there was corruption in the system reset which needs repair. -- **sessionID** The ID of this push-button reset session. - - -### Microsoft.Windows.UEFI.ESRT - -This event sends basic data during boot about the firmware loaded or recently installed on the machine. This helps to keep Windows up to date. - -The following fields are available: - -- **DriverFirmwareFilename** The firmware file name reported by the device hardware key. -- **DriverFirmwarePolicy** The optional version update policy value. -- **DriverFirmwareStatus** The firmware status reported by the device hardware key. -- **DriverFirmwareVersion** The firmware version reported by the device hardware key. -- **FirmareLastAttemptVersion** No content is currently available. -- **FirmwareId** The UEFI (Unified Extensible Firmware Interface) identifier. -- **FirmwareLastAttemptStatus** The reported status of the most recent firmware installation attempt, as reported by the EFI System Resource Table (ESRT). -- **FirmwareLastAttemptVersion** The version of the most recent attempted firmware installation, as reported by the EFI System Resource Table (ESRT). -- **FirmwareType** The UEFI (Unified Extensible Firmware Interface) type. -- **FirmwareVersion** The UEFI (Unified Extensible Firmware Interface) version as reported by the EFI System Resource Table (ESRT). -- **InitiateUpdate** Indicates whether the system is ready to initiate an update. -- **LastAttemptDate** The date of the most recent attempted firmware installation. -- **LastAttemptStatus** The result of the most recent attempted firmware installation. -- **LastAttemptVersion** The version of the most recent attempted firmware installation. -- **LowestSupportedFirmwareVersion** The oldest (lowest) version of firmware supported. -- **MaxRetryCount** The maximum number of retries, defined by the firmware class key. -- **PartA_PrivTags** The privacy tags associated with the firmware. -- **RetryCount** The number of attempted installations (retries), reported by the driver software key. -- **Status** The status returned to the PnP (Plug-and-Play) manager. -- **UpdateAttempted** Indicates if installation of the current update has been attempted before. - - -### Microsoft.Xbox.XamTelemetry.AppActivationError - -This event indicates whether the system detected an activation error in the app. - -The following fields are available: - -- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app. -- **AppId** The Xbox LIVE Title ID. -- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate. -- **Result** The HResult error. -- **UserId** The Xbox LIVE User ID (XUID). - - -### Microsoft.Xbox.XamTelemetry.AppActivity - -This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. - -The following fields are available: - -- **AppActionId** The ID of the application action. -- **AppCurrentVisibilityState** The ID of the current application visibility state. -- **AppId** The Xbox LIVE Title ID of the app. -- **AppPackageFullName** The full name of the application package. -- **AppPreviousVisibilityState** The ID of the previous application visibility state. -- **AppSessionId** The application session ID. -- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). -- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. -- **DurationMs** The amount of time (in milliseconds) since the last application state transition. -- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. -- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). -- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. -- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. -- **UserId** The XUID (Xbox User ID) of the current user. - - -### Value - -This event returns data about Mean Time to Failure (MTTF) for Windows devices. It is the primary means of estimating reliability problems in Basic Diagnostic reporting with very strong privacy guarantees. Since Basic Diagnostic reporting does not include system up-time, and since that information is important to ensuring the safe and stable operation of Windows, the data provided by this event provides that data in a manner which does not threaten a user’s privacy. - -The following fields are available: - -- **Algorithm** The algorithm used to preserve privacy. -- **DPRange** The upper bound of the range being measured. -- **DPValue** The randomized response returned by the client. -- **Epsilon** The level of privacy to be applied. -- **HistType** The histogram type if the algorithm is a histogram algorithm. -- **PertProb** The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”. - - -### WheaProvider.WheaErrorRecord - -This event collects data about common platform hardware error recorded by the Windows Hardware Error Architecture (WHEA) mechanism. - -The following fields are available: - -- **creatorId** The unique identifier for the entity that created the error record. -- **CreatorId** The unique identifier for the entity that created the error record. -- **errorFlags** Any flags set on the error record. -- **ErrorFlags** Any flags set on the error record. -- **notifyType** The unique identifier for the notification mechanism which reported the error to the operating system. -- **NotifyType** The unique identifier for the notification mechanism which reported the error to the operating system. -- **partitionId** The unique identifier for the partition on which the hardware error occurred. -- **PartitionId** The unique identifier for the partition on which the hardware error occurred. -- **platformId** The unique identifier for the platform on which the hardware error occurred. -- **PlatformId** The unique identifier for the platform on which the hardware error occurred. -- **record** A collection of binary data containing the full error record. -- **Record** A collection of binary data containing the full error record. -- **recordId** The identifier of the error record. -- **RecordId** The identifier of the error record. -- **sectionFlags** The flags for each section recorded in the error record. -- **SectionFlags** The flags for each section recorded in the error record. -- **SectionSeverity** The severity of each individual section. -- **sectionTypes** The unique identifier that represents the type of sections contained in the error record. -- **SectionTypes** The unique identifier that represents the type of sections contained in the error record. -- **severityCount** The severity of each individual section. -- **timeStamp** The error time stamp as recorded in the error record. -- **TimeStamp** The error time stamp as recorded in the error record. - - -### wilActivity - -This event provides a Windows Internal Library context used for Product and Service diagnostics. - -The following fields are available: - -- **callContext** The function where the failure occurred. -- **currentContextId** The ID of the current call context where the failure occurred. -- **currentContextMessage** The message of the current call context where the failure occurred. -- **currentContextName** The name of the current call context where the failure occurred. -- **failureCount** The number of failures for this failure ID. -- **failureId** The ID of the failure that occurred. -- **failureType** The type of the failure that occurred. -- **fileName** The file name where the failure occurred. -- **function** The function where the failure occurred. -- **hresult** The HResult of the overall activity. -- **lineNumber** The line number where the failure occurred. -- **message** The message of the failure that occurred. -- **module** The module where the failure occurred. -- **originatingContextId** The ID of the originating call context that resulted in the failure. -- **originatingContextMessage** The message of the originating call context that resulted in the failure. -- **originatingContextName** The name of the originating call context that resulted in the failure. -- **threadId** The ID of the thread on which the activity is executing. - - -## Privacy consent logging events - -### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted - -This event is used to determine whether the user successfully completed the privacy consent experience. - -The following fields are available: - -- **presentationVersion** Which display version of the privacy consent experience the user completed -- **privacyConsentState** The current state of the privacy consent experience -- **settingsVersion** Which setting version of the privacy consent experience the user completed -- **userOobeExitReason** The exit reason of the privacy consent experience - - -### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus - -Event tells us effectiveness of new privacy experience. - -The following fields are available: - -- **isAdmin** whether the person who is logging in is an admin -- **isExistingUser** whether the account existed in a downlevel OS -- **isLaunching** Whether or not the privacy consent experience will be launched -- **isSilentElevation** whether the user has most restrictive UAC controls -- **privacyConsentState** whether the user has completed privacy experience -- **userRegionCode** The current user's region setting - - ## Sediment events ### Microsoft.Windows.Sediment.Info.DetailedState @@ -5754,6 +5469,175 @@ The following fields are available: - **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. +## System reset events + +### Microsoft.Windows.SysReset.FlightUninstallCancel + +This event indicates the customer has cancelled uninstallation of Windows. + + + +### Microsoft.Windows.SysReset.FlightUninstallError + +This event sends an error code when the Windows uninstallation fails. + +The following fields are available: + +- **ErrorCode** Error code for uninstallation failure. + + +### Microsoft.Windows.SysReset.FlightUninstallReboot + +This event is sent to signal an upcoming reboot during uninstallation of Windows. + + + +### Microsoft.Windows.SysReset.FlightUninstallStart + +This event indicates that the Windows uninstallation has started. + + + +### Microsoft.Windows.SysReset.FlightUninstallUnavailable + +This event sends diagnostic data when the Windows uninstallation is not available. + +The following fields are available: + +- **AddedProfiles** Indicates that new user profiles have been created since the flight was installed. +- **MissingExternalStorage** Indicates that the external storage used to install the flight is not available. +- **MissingInfra** Indicates that uninstall resources are missing. +- **MovedProfiles** Indicates that the user profile has been moved since the flight was installed. + + +### Microsoft.Windows.SysReset.HasPendingActions + +This event is sent when users have actions that will block the uninstall of the latest quality update. + + + +### Microsoft.Windows.SysReset.IndicateLCUWasUninstalled + +This event is sent when the registry indicates that the latest cumulative Windows update package has finished uninstalling. + +The following fields are available: + +- **errorCode** The error code if there was a failure during uninstallation of the latest cumulative Windows update package. + + +### Microsoft.Windows.SysReset.LCUUninstall + +This event is sent when the latest cumulative Windows update was uninstalled on a device. + +The following fields are available: + +- **errorCode** An error that occurred while the Windows update package was being uninstalled. +- **packageName** The name of the Windows update package that is being uninstalled. +- **removalTime** The amount of time it took to uninstall the Windows update package. + + +### Microsoft.Windows.SysReset.PBRBlockedByPolicy + +This event is sent when a push-button reset operation is blocked by the System Administrator. + +The following fields are available: + +- **PBRBlocked** Reason the push-button reset operation was blocked. +- **PBRType** The type of push-button reset operation that was blocked. + + +### Microsoft.Windows.SysReset.PBREngineInitFailed + +This event signals a failed handoff between two recovery binaries. + +The following fields are available: + +- **Operation** Legacy customer scenario. + + +### Microsoft.Windows.SysReset.PBREngineInitSucceed + +This event signals successful handoff between two recovery binaries. + +The following fields are available: + +- **Operation** Legacy customer scenario. + + +### Microsoft.Windows.SysReset.PBRFailedOffline + +This event reports the error code when recovery fails. + +The following fields are available: + +- **HRESULT** Error code for the failure. +- **PBRType** The recovery scenario. +- **SessionID** The unique ID for the recovery session. + + +### Microsoft.Windows.SystemReset.EsimPresentCheck + +This event is sent when a device is checked to see whether it has an embedded SIM (eSIM). + +The following fields are available: + +- **errorCode** Any error that occurred while checking for the presence of an embedded SIM. +- **esimPresent** Indicates whether an embedded SIM is present on the device. +- **sessionID** The ID of this session. + + +### Microsoft.Windows.SystemReset.PBRCorruptionRepairOption + +This event sends corruption repair diagnostic data when the PBRCorruptionRepairOption encounters a corruption error. + +The following fields are available: + +- **cbsSessionOption** The corruption repair configuration. +- **errorCode** The error code encountered. +- **meteredConnection** Indicates whether the device is connected to a metered network (wired or WiFi). +- **sessionID** The globally unique identifier (GUID) for the session. + + +### Microsoft.Windows.SystemReset.RepairNeeded + +This event provides information about whether a system reset needs repair. + +The following fields are available: + +- **repairNeeded** Indicates whether there was corruption in the system reset which needs repair. +- **sessionID** The ID of this push-button reset session. + + +## UEFI events + +### Microsoft.Windows.UEFI.ESRT + +This event sends basic data during boot about the firmware loaded or recently installed on the machine. This helps to keep Windows up to date. + +The following fields are available: + +- **DriverFirmwareFilename** The firmware file name reported by the device hardware key. +- **DriverFirmwarePolicy** The optional version update policy value. +- **DriverFirmwareStatus** The firmware status reported by the device hardware key. +- **DriverFirmwareVersion** The firmware version reported by the device hardware key. +- **FirmareLastAttemptVersion** No content is currently available. +- **FirmwareId** The UEFI (Unified Extensible Firmware Interface) identifier. +- **FirmwareLastAttemptStatus** The reported status of the most recent firmware installation attempt, as reported by the EFI System Resource Table (ESRT). +- **FirmwareLastAttemptVersion** The version of the most recent attempted firmware installation, as reported by the EFI System Resource Table (ESRT). +- **FirmwareType** The UEFI (Unified Extensible Firmware Interface) type. +- **FirmwareVersion** The UEFI (Unified Extensible Firmware Interface) version as reported by the EFI System Resource Table (ESRT). +- **InitiateUpdate** Indicates whether the system is ready to initiate an update. +- **LastAttemptDate** The date of the most recent attempted firmware installation. +- **LastAttemptStatus** The result of the most recent attempted firmware installation. +- **LastAttemptVersion** The version of the most recent attempted firmware installation. +- **LowestSupportedFirmwareVersion** The oldest (lowest) version of firmware supported. +- **MaxRetryCount** The maximum number of retries, defined by the firmware class key. +- **PartA_PrivTags** The privacy tags associated with the firmware. +- **RetryCount** The number of attempted installations (retries), reported by the driver software key. +- **Status** The status returned to the PnP (Plug-and-Play) manager. +- **UpdateAttempted** Indicates if installation of the current update has been attempted before. + + ## Update events ### Update360Telemetry.Revert @@ -6421,6 +6305,20 @@ The following fields are available: - **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). +### Value + +This event returns data about Mean Time to Failure (MTTF) for Windows devices. It is the primary means of estimating reliability problems in Basic Diagnostic reporting with very strong privacy guarantees. Since Basic Diagnostic reporting does not include system up-time, and since that information is important to ensuring the safe and stable operation of Windows, the data provided by this event provides that data in a manner which does not threaten a user’s privacy. + +The following fields are available: + +- **Algorithm** The algorithm used to preserve privacy. +- **DPRange** The upper bound of the range being measured. +- **DPValue** The randomized response returned by the client. +- **Epsilon** The level of privacy to be applied. +- **HistType** The histogram type if the algorithm is a histogram algorithm. +- **PertProb** The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”. + + ## Windows Error Reporting MTT events ### Microsoft.Windows.WER.MTT.Denominator @@ -6432,6 +6330,60 @@ The following fields are available: - **Value** Standard UTC emitted DP value structure See [Value](#value). +## Windows Hardware Error Architecture events + +### WheaProvider.WheaErrorRecord + +This event collects data about common platform hardware error recorded by the Windows Hardware Error Architecture (WHEA) mechanism. + +The following fields are available: + +- **creatorId** The unique identifier for the entity that created the error record. +- **CreatorId** The unique identifier for the entity that created the error record. +- **errorFlags** Any flags set on the error record. +- **ErrorFlags** Any flags set on the error record. +- **notifyType** The unique identifier for the notification mechanism which reported the error to the operating system. +- **NotifyType** The unique identifier for the notification mechanism which reported the error to the operating system. +- **partitionId** The unique identifier for the partition on which the hardware error occurred. +- **PartitionId** The unique identifier for the partition on which the hardware error occurred. +- **platformId** The unique identifier for the platform on which the hardware error occurred. +- **PlatformId** The unique identifier for the platform on which the hardware error occurred. +- **record** A collection of binary data containing the full error record. +- **Record** A collection of binary data containing the full error record. +- **recordId** The identifier of the error record. +- **RecordId** The identifier of the error record. +- **sectionFlags** The flags for each section recorded in the error record. +- **SectionFlags** The flags for each section recorded in the error record. +- **SectionSeverity** The severity of each individual section. +- **sectionTypes** The unique identifier that represents the type of sections contained in the error record. +- **SectionTypes** The unique identifier that represents the type of sections contained in the error record. +- **severityCount** The severity of each individual section. +- **timeStamp** The error time stamp as recorded in the error record. +- **TimeStamp** The error time stamp as recorded in the error record. + + +## Windows Security Center events + +### Microsoft.Windows.Security.WSC.DatastoreMigratedVersion + +This event provides information about the datastore migration and whether it was successful. + +The following fields are available: + +- **datastoreisvtype** The product category of the datastore. +- **datastoremigrated** The version of the datastore that was migrated. +- **status** The result code of the migration. + + +### Microsoft.Windows.Security.WSC.GetCallerViaWdsp + +This event returns data if the registering product EXE (executable file) does not allow COM (Component Object Model) impersonation. + +The following fields are available: + +- **callerExe** The registering product EXE that does not support COM impersonation. + + ## Windows Store events ### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation @@ -7591,6 +7543,31 @@ The following fields are available: - **wuDeviceid** The Windows Update device GUID. +### wilActivity + +This event provides a Windows Internal Library context used for Product and Service diagnostics. + +The following fields are available: + +- **callContext** The function where the failure occurred. +- **currentContextId** The ID of the current call context where the failure occurred. +- **currentContextMessage** The message of the current call context where the failure occurred. +- **currentContextName** The name of the current call context where the failure occurred. +- **failureCount** The number of failures for this failure ID. +- **failureId** The ID of the failure that occurred. +- **failureType** The type of the failure that occurred. +- **fileName** The file name where the failure occurred. +- **function** The function where the failure occurred. +- **hresult** The HResult of the overall activity. +- **lineNumber** The line number where the failure occurred. +- **message** The message of the failure that occurred. +- **module** The module where the failure occurred. +- **originatingContextId** The ID of the originating call context that resulted in the failure. +- **originatingContextMessage** The message of the originating call context that resulted in the failure. +- **originatingContextName** The name of the originating call context that resulted in the failure. +- **threadId** The ID of the thread on which the activity is executing. + + ## Windows Update mitigation events ### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.General @@ -7845,4 +7822,41 @@ This event signals the completion of the setup process. It happens only once dur +## XBOX events + +### Microsoft.Xbox.XamTelemetry.AppActivationError + +This event indicates whether the system detected an activation error in the app. + +The following fields are available: + +- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app. +- **AppId** The Xbox LIVE Title ID. +- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate. +- **Result** The HResult error. +- **UserId** The Xbox LIVE User ID (XUID). + + +### Microsoft.Xbox.XamTelemetry.AppActivity + +This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. + +The following fields are available: + +- **AppActionId** The ID of the application action. +- **AppCurrentVisibilityState** The ID of the current application visibility state. +- **AppId** The Xbox LIVE Title ID of the app. +- **AppPackageFullName** The full name of the application package. +- **AppPreviousVisibilityState** The ID of the previous application visibility state. +- **AppSessionId** The application session ID. +- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). +- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. +- **DurationMs** The amount of time (in milliseconds) since the last application state transition. +- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. +- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). +- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. +- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. +- **UserId** The XUID (Xbox User ID) of the current user. + + From f3d14e5b74018749b57b5261419bb3642f7b0ecf Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 5 Apr 2019 13:31:18 -0700 Subject: [PATCH 098/492] new build 4/5/2019 1:31 PM --- ...ndows-diagnostic-events-and-fields-1703.md | 2 +- ...ndows-diagnostic-events-and-fields-1709.md | 2 +- ...ndows-diagnostic-events-and-fields-1803.md | 34 +++++++++---------- 3 files changed, 19 insertions(+), 19 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index b935c25c38..68fa2f43f7 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -2954,7 +2954,7 @@ The following fields are available: - **winInetError** The HResult of the operation. -## Other events +## Privacy logging notification events ### Microsoft.Windows.Shell.PrivacyNotifierLogging.PrivacyNotifierCompleted diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index ded2f5807f..535e3032d6 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -3142,7 +3142,7 @@ The following fields are available: - **winInetError** The HResult of the operation. -## Other events +## Privacy logging notification events ### Microsoft.Windows.Shell.PrivacyNotifierLogging.PrivacyNotifierCompleted diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index d65b1aae10..880d63e219 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -4184,23 +4184,6 @@ The following fields are available: - **winInetError** The HResult of the operation. -## Other events - -### Microsoft.Windows.Shell.PrivacyNotifierLogging.PrivacyNotifierCompleted - -No content is currently available. - -The following fields are available: - -- **cleanupTask** No content is currently available. -- **cleanupTaskResult** No content is currently available. -- **deviceEvaluated** No content is currently available. -- **deviceImpacted** No content is currently available. -- **modalAction** No content is currently available. -- **modalResult** No content is currently available. -- **resetSettingsResult** No content is currently available. - - ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted @@ -4260,6 +4243,23 @@ The following fields are available: - **threadId** The ID of the thread the activity was run on. +## Privacy logging notification events + +### Microsoft.Windows.Shell.PrivacyNotifierLogging.PrivacyNotifierCompleted + +No content is currently available. + +The following fields are available: + +- **cleanupTask** No content is currently available. +- **cleanupTaskResult** No content is currently available. +- **deviceEvaluated** No content is currently available. +- **deviceImpacted** No content is currently available. +- **modalAction** No content is currently available. +- **modalResult** No content is currently available. +- **resetSettingsResult** No content is currently available. + + ## Remediation events ### Microsoft.Windows.Remediation.Applicable From 11ae2c3f71a0d29d8e8cad5915266a31b7cd7c6c Mon Sep 17 00:00:00 2001 From: botmoto <42125490+botmoto@users.noreply.github.com> Date: Sun, 7 Apr 2019 16:23:10 -0700 Subject: [PATCH 099/492] Update credential-guard-manage.md --- .../credential-guard-manage.md | 20 +++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 0edce00395..c5e98ffb47 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -20,6 +20,7 @@ ms.date: 03/01/2019 **Applies to** - Windows 10 - Windows Server 2016 +- Windows Server 2019 Prefer video? See [Windows Defender Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474) in the Deep Dive into Windows Defender Credential Guard video series. @@ -150,9 +151,13 @@ To disable Windows Defender Credential Guard, you can use the following set of p 1. If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**). 2. Delete the following registry settings: - HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags - - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity - - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures - + - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\LsaCfgFlags +> [!NOTE] +> If you also wish to disable virtualization-based security delete the following registry settings: +```syntax +HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity +HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures +``` > [!IMPORTANT] > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery. @@ -164,9 +169,8 @@ To disable Windows Defender Credential Guard, you can use the following set of p bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi" bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} - bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X: - bcdedit /set hypervisorlaunchtype off mountvol X: /d ``` @@ -175,7 +179,11 @@ To disable Windows Defender Credential Guard, you can use the following set of p 4. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard. > [!NOTE] -> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS +> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit commands after turning off all virtualization-based security Group Policy and registry settings: +```syntax +bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS +bcdedit /set vsmlaunchtype off +``` > [!NOTE] > Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. These options will be made available with future Gen 2 VMs. From 573f21284ce3d693bbf5e4d985513290c4c4e81f Mon Sep 17 00:00:00 2001 From: botmoto <42125490+botmoto@users.noreply.github.com> Date: Sun, 7 Apr 2019 19:15:27 -0700 Subject: [PATCH 100/492] Update credential-guard-manage.md Formatting Update credential-guard-manage.md --- .../credential-guard-manage.md | 24 ++++++++----------- 1 file changed, 10 insertions(+), 14 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index c5e98ffb47..e02b561b04 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -152,16 +152,13 @@ To disable Windows Defender Credential Guard, you can use the following set of p 2. Delete the following registry settings: - HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\LsaCfgFlags -> [!NOTE] -> If you also wish to disable virtualization-based security delete the following registry settings: -```syntax -HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity -HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures -``` +3. If you also wish to disable virtualization-based security delete the following registry settings: + - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity + - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures > [!IMPORTANT] > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery. -3. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands: +4. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands: ``` syntax mountvol X: /s @@ -174,16 +171,15 @@ HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\Requi mountvol X: /d ``` -2. Restart the PC. -3. Accept the prompt to disable Windows Defender Credential Guard. -4. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard. +5. Restart the PC. +6. Accept the prompt to disable Windows Defender Credential Guard. +7. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard. > [!NOTE] > The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit commands after turning off all virtualization-based security Group Policy and registry settings: -```syntax -bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS -bcdedit /set vsmlaunchtype off -``` + + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS + bcdedit /set vsmlaunchtype off > [!NOTE] > Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. These options will be made available with future Gen 2 VMs. From 9eab9e5e2868ede66accadbb88059bd3ffe9dc8f Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 8 Apr 2019 08:27:05 -0700 Subject: [PATCH 101/492] new build 4/8/2019 8:27 AM --- ...l-windows-diagnostic-events-and-fields-1903.md | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 451bee2d3f..92e4aa33bf 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/05/2019 +ms.date: 04/07/2019 --- @@ -2769,7 +2769,7 @@ The following fields are available: - **ProblemStatus** The status of the device after the driver installation. - **SecondaryDevice** Indicates whether the device is a secondary device. - **ServiceName** The service name of the driver. -- **SetupMode** Indicates whether the driver installation took place before the initial installation of the device was completed. +- **SetupMode** Indicates whether the driver installation took place before the Out Of Box Experience (OOBE) was completed. - **StartTime** The time when the installation started. - **SubmissionId** The driver submission identifier assigned by the Windows Hardware Development Center. - **UpperFilters** The list of upper filter drivers. @@ -2789,8 +2789,8 @@ The following fields are available: - **InstallFlags** The driver installation flags. - **RebootRequired** Indicates whether a reboot is required after the installation. - **RollbackPossible** Indicates whether this driver can be rolled back. -- **WuTargetedHardwareId** No content is currently available. -- **WuUntargetedHardwareId** No content is currently available. +- **WuTargetedHardwareId** Indicates that the driver was installed because the device hardware ID was targeted by the Windows Update. +- **WuUntargetedHardwareId** Indicates that the driver was installed because Windows Update performed a generic driver update for all devices of that hardware class. ### Microsoft.Windows.DriverInstall.NewDevInstallDeviceStart @@ -3956,7 +3956,7 @@ The following fields are available: - **LastCompatibleId** The ID in the hardware ID list that provides the least specific device description. - **Legacy** Indicates whether the driver is a legacy driver. - **NeedReboot** Indicates whether the driver requires a reboot. -- **SetupMode** Indicates whether the device configuration occurred during the initial installation of the device. +- **SetupMode** Indicates whether the device configuration occurred during the Out Of Box Experience (OOBE). - **StatusCode** The NTSTATUS of device configuration operation. @@ -4181,7 +4181,7 @@ The following fields are available: ### Microsoft.Windows.PBR.EnteredOOBE -This event is sent when the initial installation of the device starts after completion of the push-button reset operation. +This event is sent when the push-button reset (PRB) process enters the Out Of Box Experience (OOBE). The following fields are available: @@ -4644,7 +4644,7 @@ The following fields are available: ### Microsoft.Windows.PBR.PhaseStarted -No content is currently available. +This event is sent when a phase of the push-button reset (PBR) operation starts. The following fields are available: @@ -5620,7 +5620,6 @@ The following fields are available: - **DriverFirmwarePolicy** The optional version update policy value. - **DriverFirmwareStatus** The firmware status reported by the device hardware key. - **DriverFirmwareVersion** The firmware version reported by the device hardware key. -- **FirmareLastAttemptVersion** No content is currently available. - **FirmwareId** The UEFI (Unified Extensible Firmware Interface) identifier. - **FirmwareLastAttemptStatus** The reported status of the most recent firmware installation attempt, as reported by the EFI System Resource Table (ESRT). - **FirmwareLastAttemptVersion** The version of the most recent attempted firmware installation, as reported by the EFI System Resource Table (ESRT). From dd585ea017d4d5a4c42b374594b816babf4754ba Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 8 Apr 2019 08:27:15 -0700 Subject: [PATCH 102/492] new build 4/8/2019 8:27 AM --- .../basic-level-windows-diagnostic-events-and-fields-1703.md | 2 +- .../basic-level-windows-diagnostic-events-and-fields-1709.md | 2 +- .../basic-level-windows-diagnostic-events-and-fields-1803.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 68fa2f43f7..98a6fb916a 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/05/2019 +ms.date: 04/07/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 535e3032d6..ccd32531ba 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/05/2019 +ms.date: 04/07/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 880d63e219..e0f05d671e 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/05/2019 +ms.date: 04/07/2019 --- From cb62bd8a7f39966e10068a696fa0445cf1fe4792 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Mon, 8 Apr 2019 08:53:16 -0700 Subject: [PATCH 103/492] remove ms.date from new/updated topics for 19H1 --- windows/configuration/wcd/wcd-cellular.md | 1 - windows/configuration/wcd/wcd-changes.md | 1 - windows/configuration/wcd/wcd-deviceupdatecenter.md | 1 - windows/configuration/wcd/wcd-oobe.md | 1 - windows/configuration/wcd/wcd-policies.md | 1 - windows/configuration/wcd/wcd-privacy.md | 1 - windows/configuration/wcd/wcd-storaged3inmodernstandby.md | 1 - windows/configuration/wcd/wcd-time.md | 1 - windows/configuration/wcd/wcd-wlan.md | 1 - 9 files changed, 9 deletions(-) diff --git a/windows/configuration/wcd/wcd-cellular.md b/windows/configuration/wcd/wcd-cellular.md index 9c292c9e3d..fdee985945 100644 --- a/windows/configuration/wcd/wcd-cellular.md +++ b/windows/configuration/wcd/wcd-cellular.md @@ -8,7 +8,6 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 05/21/2019 --- # Cellular (Windows Configuration Designer reference) diff --git a/windows/configuration/wcd/wcd-changes.md b/windows/configuration/wcd/wcd-changes.md index 571f137000..684114268a 100644 --- a/windows/configuration/wcd/wcd-changes.md +++ b/windows/configuration/wcd/wcd-changes.md @@ -8,7 +8,6 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 05/21/2019 --- # Changes to settings in Windows Configuration Designer diff --git a/windows/configuration/wcd/wcd-deviceupdatecenter.md b/windows/configuration/wcd/wcd-deviceupdatecenter.md index 09f2af4d12..e8431b2555 100644 --- a/windows/configuration/wcd/wcd-deviceupdatecenter.md +++ b/windows/configuration/wcd/wcd-deviceupdatecenter.md @@ -8,7 +8,6 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 05/21/2019 --- # DeviceUpdateCenter (Windows Configuration Designer reference) diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md index 31af250386..f36cfa5e0f 100644 --- a/windows/configuration/wcd/wcd-oobe.md +++ b/windows/configuration/wcd/wcd-oobe.md @@ -8,7 +8,6 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 05/21/2019 --- # OOBE (Windows Configuration Designer reference) diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md index a2098f93b8..e1c039a10c 100644 --- a/windows/configuration/wcd/wcd-policies.md +++ b/windows/configuration/wcd/wcd-policies.md @@ -8,7 +8,6 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 05/21/2019 --- # Policies (Windows Configuration Designer reference) diff --git a/windows/configuration/wcd/wcd-privacy.md b/windows/configuration/wcd/wcd-privacy.md index ad2a699688..1e754ef32f 100644 --- a/windows/configuration/wcd/wcd-privacy.md +++ b/windows/configuration/wcd/wcd-privacy.md @@ -8,7 +8,6 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 05/21/2019 --- # Privacy (Windows Configuration Designer reference) diff --git a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md index a866ee0dab..64f3ae3dc7 100644 --- a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md +++ b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md @@ -8,7 +8,6 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 09/06/2017 --- # StorageD3InModernStandby (Windows Configuration Designer reference) diff --git a/windows/configuration/wcd/wcd-time.md b/windows/configuration/wcd/wcd-time.md index b81a6d8f1c..c0ff2212ce 100644 --- a/windows/configuration/wcd/wcd-time.md +++ b/windows/configuration/wcd/wcd-time.md @@ -8,7 +8,6 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 05/21/2019 --- # Time diff --git a/windows/configuration/wcd/wcd-wlan.md b/windows/configuration/wcd/wcd-wlan.md index 1064831115..141a45bb7f 100644 --- a/windows/configuration/wcd/wcd-wlan.md +++ b/windows/configuration/wcd/wcd-wlan.md @@ -8,7 +8,6 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 10/02/2018 --- # WLAN (reference) From 03d24fad2d232e17851a51ba9f5b872d829fd6d6 Mon Sep 17 00:00:00 2001 From: botmoto <42125490+botmoto@users.noreply.github.com> Date: Sun, 7 Apr 2019 16:23:10 -0700 Subject: [PATCH 104/492] Update credential-guard-manage.md Update credential-guard-manage.md Formatting Update credential-guard-manage.md --- .../credential-guard-manage.md | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 0edce00395..e02b561b04 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -20,6 +20,7 @@ ms.date: 03/01/2019 **Applies to** - Windows 10 - Windows Server 2016 +- Windows Server 2019 Prefer video? See [Windows Defender Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474) in the Deep Dive into Windows Defender Credential Guard video series. @@ -150,13 +151,14 @@ To disable Windows Defender Credential Guard, you can use the following set of p 1. If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**). 2. Delete the following registry settings: - HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags + - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\LsaCfgFlags +3. If you also wish to disable virtualization-based security delete the following registry settings: - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures - > [!IMPORTANT] > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery. -3. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands: +4. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands: ``` syntax mountvol X: /s @@ -164,18 +166,20 @@ To disable Windows Defender Credential Guard, you can use the following set of p bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi" bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} - bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X: - bcdedit /set hypervisorlaunchtype off mountvol X: /d ``` -2. Restart the PC. -3. Accept the prompt to disable Windows Defender Credential Guard. -4. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard. +5. Restart the PC. +6. Accept the prompt to disable Windows Defender Credential Guard. +7. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard. > [!NOTE] -> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS +> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit commands after turning off all virtualization-based security Group Policy and registry settings: + + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS + bcdedit /set vsmlaunchtype off > [!NOTE] > Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. These options will be made available with future Gen 2 VMs. From c37e9090ec403646b1ff558804d6c60e436ca4de Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 9 Apr 2019 08:38:06 -0700 Subject: [PATCH 105/492] new build 4/9/2019 8:38 AM --- .../basic-level-windows-diagnostic-events-and-fields-1903.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 92e4aa33bf..34823fd12d 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/07/2019 +ms.date: 04/09/2019 --- From 2c3b8fdf79507321990e18f920f6988faf0e1034 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 9 Apr 2019 08:38:15 -0700 Subject: [PATCH 106/492] new build 4/9/2019 8:38 AM --- ...ndows-diagnostic-events-and-fields-1703.md | 2 +- ...ndows-diagnostic-events-and-fields-1709.md | 2 +- ...ndows-diagnostic-events-and-fields-1803.md | 2 +- ...ndows-diagnostic-events-and-fields-1809.md | 263 +++++++----------- 4 files changed, 105 insertions(+), 164 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 98a6fb916a..f49cb11ad8 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/07/2019 +ms.date: 04/09/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index ccd32531ba..4481851e43 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/07/2019 +ms.date: 04/09/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index e0f05d671e..ff2f76bd70 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/07/2019 +ms.date: 04/09/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 21218c05f5..21821ed181 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/05/2019 +ms.date: 04/08/2019 --- @@ -1741,8 +1741,6 @@ The following fields are available: - **PCFP** An ID for the system calculated by hashing hardware identifiers. - **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. - **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. -- **PerfBnDroff** No content is currently available. -- **PerfBnDroffInsurance** No content is currently available. - **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. - **RunDate** The date that the telemetry run was stated, expressed as a filetime. - **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic. @@ -1807,7 +1805,6 @@ Provides information on IE and Census versions running on the device The following fields are available: -- **App�aiserRunEndTimeStamp** No content is currently available. - **AppraiserEnterpriseErrorCode** The error code of the last Appraiser enterprise run. - **AppraiserErrorCode** The error code of the last Appraiser run. - **AppraiserRunEndTimeStamp** The end time of the last Appraiser run. @@ -1875,10 +1872,8 @@ This event sends data about the BIOS and startup embedded in the device, to help The following fields are available: -- **Firmware�anufacturer** No content is currently available. - **FirmwareManufacturer** Represents the manufacturer of the device's firmware (BIOS). - **FirmwareReleaseDate** Represents the date the current firmware was released. -- **FirmwareRele�seDate** No content is currently available. - **FirmwareType** Represents the firmware type. The various types can be unknown, BIOS, UEFI. - **FirmwareVersion** Represents the version of the current firmware. @@ -1891,7 +1886,6 @@ The following fields are available: - **DeviceSampleRate** The telemetry sample rate assigned to the device. - **EnablePreviewBuilds** Used to enable Windows Insider builds on a device. -- **EnablePrevi�wBuilds** No content is currently available. - **FlightIds** A list of the different Windows Insider builds on this device. - **FlightingBranchName** The name of the Windows Insider branch currently used by the device. - **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program. @@ -2253,7 +2247,6 @@ The following fields are available: - **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled). - **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured - **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting -- **AppStoreAutoUpd�te** No content is currently available. - **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades. - **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it? - **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update? @@ -2748,7 +2741,6 @@ The following fields are available: - **CensusStartTime** Returns timestamp corresponding to last successful census run. - **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. - **LastConnectivityLossTime** Retrieves the last time the device lost free network. -- **LastGonnectivityLossTime** No content is currently available. - **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. - **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. - **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds. @@ -2766,7 +2758,6 @@ The following fields are available: - **CensusTaskEnabled** True if Census is enabled, false otherwise. - **CompressedBytesUploaded** Number of compressed bytes uploaded. - **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. -- **CriticaDataThrottleDroppedCount** No content is currently available. - **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. - **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling. - **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB. @@ -2779,7 +2770,6 @@ The following fields are available: - **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. - **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. - **EventsPersistedCount** Number of events that reached the PersistEvent stage. -- **EventStoreLhfetimeResetCounter** No content is currently available. - **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC. - **EventStoreResetCounter** Number of times event DB was reset. - **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance. @@ -2792,7 +2782,6 @@ The following fields are available: - **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. - **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. - **LastEventSizeOffender** Event name of last event which exceeded max event size. -- **LastInvalhdHttpCode** No content is currently available. - **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. - **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. - **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. @@ -2803,7 +2792,6 @@ The following fields are available: - **SettingsHttpFailures** The number of failures from contacting the OneSettings service. - **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. - **TopUploaderErrors** List of top errors received from the upload endpoint. -- **TopUploaderErross** No content is currently available. - **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. - **UploaderErrorCount** Number of errors received from the upload endpoint. - **VortexFailuresTimeout** The number of timeout failures received from Vortex. @@ -3416,19 +3404,15 @@ The following fields are available: - **AdapterTypeValue** The numeric value indicating the type of Graphics adapter. - **aiSeqId** The event sequence ID. -- **B2ightnessVersionViaDDI** No content is currently available. - **bootId** The system boot ID. - **BrightnessVersionViaDDI** The version of the Display Brightness Interface. - **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. -- **Dedic`tedSystemMemoryB** No content is currently available. -- **DedicatedSystemMemorqB** No content is currently available. - **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). - **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). - **DisplayAdapterLuid** The display adapter LUID. - **DriverDate** The date of the display driver. - **DriverRank** The rank of the display driver. - **DriverVersion** The display driver version. -- **DX10UM@FilePath** No content is currently available. - **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store. - **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store. - **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store. @@ -3449,11 +3433,9 @@ The following fields are available: - **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution? - **IsPostAdapter** Is this GPU the POST GPU in the device? - **IsRemovable** TRUE if the adapter supports being disabled or removed. -- **IsRenderDdvice** No content is currently available. - **IsRenderDevice** Does the GPU have rendering capabilities? - **IsSoftwareDevice** Is this a software implementation of the GPU? - **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store. -- **MeastreEnabled** No content is currently available. - **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? - **MsHybridDiscrete** Indicates whether the adapter is a discrete adapter in a hybrid configuration. - **NumVidPnSources** The number of supported display output sources. @@ -3463,7 +3445,6 @@ The following fields are available: - **SubVendorID** The GPU sub vendor ID. - **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? - **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) -- **Tel�nvEvntTrigger** No content is currently available. - **version** The event version. - **WDDMVersion** The Windows Display Driver Model version. @@ -3552,11 +3533,8 @@ This event sends data about crashes for both native and managed applications, to The following fields are available: - **AppName** The name of the app that has crashed. -- **AppSessionGqid** No content is currently available. -- **AppSessionGui`** No content is currently available. - **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. - **AppTimeStamp** The date/time stamp of the app. -- **AppVarsion** No content is currently available. - **AppVersion** The version of the app that has crashed. - **ExceptionCode** The exception code returned by the process that has crashed. - **ExceptionOffset** The address where the exception had occurred. @@ -3564,19 +3542,13 @@ The following fields are available: - **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. - **IsFatal** True/False to indicate whether the crash resulted in process termination. - **ModName** Exception module name (e.g. bar.dll). -- **ModPimeStamp** No content is currently available. -- **ModTimeSpamp** No content is currently available. - **ModTimeStamp** The date/time stamp of the module. - **ModVersion** The version of the module that has crashed. -- **PackaceRelativeAppId** No content is currently available. - **PackageFullName** Store application identity. -- **PackageRelativeAppHd** No content is currently available. - **PackageRelativeAppId** Store application identity. - **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. - **ProcessCreateTime** The time of creation of the process that has crashed. -- **ProcessI`** No content is currently available. - **ProcessId** The ID of the process that has crashed. -- **ReportAd** No content is currently available. - **ReportId** A GUID used to identify the report. This can used to track the report across Watson. - **TargetAppId** The kernel reported AppId of the application being reported. - **TargetAppVer** The specific version of the application being reported @@ -3698,7 +3670,6 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: -- **HiddenAr`** No content is currently available. - **HiddenArp** Indicates whether a program hides itself from showing up in ARP. - **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). - **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 @@ -3707,15 +3678,12 @@ The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. - **Language** The language code of the program. - **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. -- **MsiPqckageCode** No content is currently available. - **MsiProductCode** A GUID that describe the MSI Product. - **Name** The name of the application. -- **OSVersionAtI~stallTi}e** No content is currently available. - **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. - **PackageFullName** The package full name for a Store application. - **ProgramInstanceId** A hash of the file IDs in an app. - **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field. -- **RootDibPath** No content is currently available. - **RootDirPath** The path to the root directory where the program was installed. - **Source** How the program was installed (for example, ARP, MSI, Appx). - **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp. @@ -3924,8 +3892,6 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: -- **** No content is currently available. -- **€** No content is currently available. - **BusReportedDescription** The description of the device reported by the bux. - **Class** The device setup class of the driver loaded for the device. - **ClassGuid** The device class unique identifier of the driver package loaded on the device. @@ -3939,8 +3905,6 @@ The following fields are available: - **DriverId** The unique identifier for the installed driver. - **DriverName** The name of the driver image file. - **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage. -- **DriverPackageStrongName** No content is currently available. -- **DriverV** No content is currently available. - **DriverVerDate** The date associated with the driver installed on the device. - **DriverVerVersion** The version number of the driver installed on the device. - **Enumerator** Identifies the bus that enumerated the device. @@ -4581,6 +4545,19 @@ The following fields are available: - **UserInputTime** The amount of time the loader application spent waiting for user input. +## Migration events + +### Microsoft.Windows.MigrationCore.MigObjectCountKFSys + +This event returns data about the count of the migration objects across various phases during feature update. + +The following fields are available: + +- **knownFoldersSys[i]** The predefined folder path locations. +- **migDiagSession->CString** Identifies the phase of the upgrade where migration happens. +- **objectCount** The count of the number of objects that are being transferred. + + ## Miracast events ### Microsoft.Windows.Cast.Miracast.MiracastSessionEnd @@ -4760,19 +4737,61 @@ The following fields are available: - **winInetError** The HResult of the operation. -## Other events +## Privacy consent logging events -### Microsoft.Windows.MigrationCore.MigObjectCountKFSys +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted -This event returns data about the count of the migration objects across various phases during feature update. +This event is used to determine whether the user successfully completed the privacy consent experience. The following fields are available: -- **knownFoldersSys[i]** The predefined folder path locations. -- **migDiagSession->CString** Identifies the phase of the upgrade where migration happens. -- **objectCount** The count of the number of objects that are being transferred. +- **presentationVersion** Which display version of the privacy consent experience the user completed +- **privacyConsentState** The current state of the privacy consent experience +- **settingsVersion** Which setting version of the privacy consent experience the user completed +- **userOobeExitReason** The exit reason of the privacy consent experience +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus + +Event tells us effectiveness of new privacy experience. + +The following fields are available: + +- **isAdmin** whether the person who is logging in is an admin +- **isExistingUser** whether the account existed in a downlevel OS +- **isLaunching** Whether or not the privacy consent experience will be launched +- **isSilentElevation** whether the user has most restrictive UAC controls +- **privacyConsentState** whether the user has completed privacy experience +- **userRegionCode** The current user's region setting + + +### wilActivity + +This event provides a Windows Internal Library context used for Product and Service diagnostics. + +The following fields are available: + +- **callContext** The function where the failure occurred. +- **currentContextId** The ID of the current call context where the failure occurred. +- **currentContextMessage** The message of the current call context where the failure occurred. +- **currentContextName** The name of the current call context where the failure occurred. +- **failureCount** The number of failures for this failure ID. +- **failureId** The ID of the failure that occurred. +- **failureType** The type of the failure that occurred. +- **fileName** The file name where the failure occurred. +- **function** The function where the failure occurred. +- **hresult** The HResult of the overall activity. +- **lineNumber** The line number where the failure occurred. +- **message** The message of the failure that occurred. +- **module** The module where the failure occurred. +- **originatingContextId** The ID of the originating call context that resulted in the failure. +- **originatingContextMessage** The message of the originating call context that resulted in the failure. +- **originatingContextName** The name of the originating call context that resulted in the failure. +- **threadId** The ID of the thread on which the activity is executing. + + +## Remediation events + ### Microsoft.Windows.Remediation.Applicable This event indicates a remedial plug-in is applicable if/when such a plug-in is detected. This is used to ensure Windows is up to date. @@ -5069,6 +5088,46 @@ The following fields are available: - **RunCount** The number of times the remediation event started (whether it completed successfully or not). +## Sediment events + +### Microsoft.Windows.Sediment.Info.DetailedState + +This event is sent when detailed state information is needed from an update trial run. + +The following fields are available: + +- **Data** Data relevant to the state, such as what percent of disk space the directory takes up. +- **Id** Identifies the trial being run, such as a disk related trial. +- **ReleaseVer** The version of the component. +- **State** The state of the reporting data from the trial, such as the top-level directory analysis. +- **Time** The time the event was fired. + + +### Microsoft.Windows.Sediment.Info.Error + +This event indicates an error in the updater payload. This information assists in keeping Windows up to date. + +The following fields are available: + +- **FailureType** The type of error encountered. +- **FileName** The code file in which the error occurred. +- **HResult** The failure error code. +- **LineNumber** The line number in the code file at which the error occurred. +- **ReleaseVer** The version information for the component in which the error occurred. +- **Time** The system time at which the error occurred. + + +### Microsoft.Windows.Sediment.Info.PhaseChange + +The event indicates progress made by the updater. This information assists in keeping Windows up to date. + +The following fields are available: + +- **NewPhase** The phase of progress made. +- **ReleaseVer** The version information for the component in which the change occurred. +- **Time** The system time at which the phase chance occurred. + + ### Microsoft.Windows.SedimentLauncher.Applicable Indicates whether a given plugin is applicable. @@ -5170,99 +5229,6 @@ The following fields are available: - **Result** This is the HRESULT for Detection or Perform Action phases of the plugin. -## Privacy consent logging events - -### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted - -This event is used to determine whether the user successfully completed the privacy consent experience. - -The following fields are available: - -- **presentationVersion** Which display version of the privacy consent experience the user completed -- **privacyConsentState** The current state of the privacy consent experience -- **settingsVersion** Which setting version of the privacy consent experience the user completed -- **userOobeExitReason** The exit reason of the privacy consent experience - - -### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus - -Event tells us effectiveness of new privacy experience. - -The following fields are available: - -- **isAdmin** whether the person who is logging in is an admin -- **isExistingUser** whether the account existed in a downlevel OS -- **isLaunching** Whether or not the privacy consent experience will be launched -- **isSilentElevation** whether the user has most restrictive UAC controls -- **privacyConsentState** whether the user has completed privacy experience -- **userRegionCode** The current user's region setting - - -### wilActivity - -This event provides a Windows Internal Library context used for Product and Service diagnostics. - -The following fields are available: - -- **callContext** The function where the failure occurred. -- **currentContextId** The ID of the current call context where the failure occurred. -- **currentContextMessage** The message of the current call context where the failure occurred. -- **currentContextName** The name of the current call context where the failure occurred. -- **failureCount** The number of failures for this failure ID. -- **failureId** The ID of the failure that occurred. -- **failureType** The type of the failure that occurred. -- **fileName** The file name where the failure occurred. -- **function** The function where the failure occurred. -- **hresult** The HResult of the overall activity. -- **lineNumber** The line number where the failure occurred. -- **message** The message of the failure that occurred. -- **module** The module where the failure occurred. -- **originatingContextId** The ID of the originating call context that resulted in the failure. -- **originatingContextMessage** The message of the originating call context that resulted in the failure. -- **originatingContextName** The name of the originating call context that resulted in the failure. -- **threadId** The ID of the thread on which the activity is executing. - - -## Sediment events - -### Microsoft.Windows.Sediment.Info.DetailedState - -This event is sent when detailed state information is needed from an update trial run. - -The following fields are available: - -- **Data** Data relevant to the state, such as what percent of disk space the directory takes up. -- **Id** Identifies the trial being run, such as a disk related trial. -- **ReleaseVer** The version of the component. -- **State** The state of the reporting data from the trial, such as the top-level directory analysis. -- **Time** The time the event was fired. - - -### Microsoft.Windows.Sediment.Info.Error - -This event indicates an error in the updater payload. This information assists in keeping Windows up to date. - -The following fields are available: - -- **FailureType** The type of error encountered. -- **FileName** The code file in which the error occurred. -- **HResult** The failure error code. -- **LineNumber** The line number in the code file at which the error occurred. -- **ReleaseVer** The version information for the component in which the error occurred. -- **Time** The system time at which the error occurred. - - -### Microsoft.Windows.Sediment.Info.PhaseChange - -The event indicates progress made by the updater. This information assists in keeping Windows up to date. - -The following fields are available: - -- **NewPhase** The phase of progress made. -- **ReleaseVer** The version information for the component in which the change occurred. -- **Time** The system time at which the phase chance occurred. - - ## Setup events ### SetupPlatformTel.SetupPlatformTelActivityEvent @@ -6840,7 +6806,6 @@ This event is sent at the end of an app install or update to help keep Windows u The following fields are available: - **CatalogId** The name of the product catalog from which this app was chosen. -- **FailddRetry** No content is currently available. - **FailedRetry** Indicates whether the installation or update retry was successful. - **HResult** The HResult code of the operation. - **PFN** The Package Family Name of the app that is being installed or updated. @@ -7046,7 +7011,6 @@ The following fields are available: - **background** Is the download a background download? - **bytesFromCacheServer** Bytes received from a cache host. - **bytesFromCDN** The number of bytes received from a CDN source. -- **bytesFromG2oupPeers** No content is currently available. - **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. - **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. - **bytesFromLinkLocalPeers** The number of bytes received from local peers. @@ -7055,7 +7019,6 @@ The following fields are available: - **bytesRequested** The total number of bytes requested for download. - **cacheServerConnectionCount** Number of connections made to cache hosts. - **cdnConnectionCount** The total number of connections made to the CDN. -- **cdnErrorCkdes** No content is currently available. - **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. - **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. - **cdnIp** The IP address of the source CDN. @@ -7063,20 +7026,14 @@ The following fields are available: - **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. - **dataSourcEsTotal** No content is currently available. - **doErrorCode** The Delivery Optimization error code that was returned. -- **doErrorCohe** No content is currently available. - **downlinkBps** The maximum measured available download bandwidth (in bytes per second). - **downlinkUsageBps** The download speed (in bytes per second). - **downloadMode** The download mode used for this file download session. - **downloadModeReason** Reason for the download. - **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). -- **downloadodel** No content is currently available. -- **downloadodelSrc** No content is currently available. -- **downlo�dMode** No content is currently available. -- **downlwadModeSvc** No content is currently available. - **experimentId** When running a test, this is used to correlate with other events that are part of the same test. - **expiresAt** The time when the content will expire from the Delivery Optimization Cache. - **fileID** The ID of the file being downloaded. -- **fileSaze** No content is currently available. - **fileSize** The size of the file being downloaded. - **gCurMemoryStreamBytes** Current usage for memory streaming. - **gMaxMemoryStreamBytes** Maximum usage for memory streaming. @@ -7086,20 +7043,15 @@ The following fields are available: - **isVpn** Is the device connected to a Virtual Private Network? - **jobID** Identifier for the Windows Update job. - **lanConnectionCount** The total number of connections made to peers in the same LAN. -- **larConnectionCount** No content is currently available. - **linkLocalConnectionCount** The number of connections made to peers in the same Link-local network. - **numPeers** The total number of peers used for this download. - **numPeersLocal** The total number of local peers used for this download. -- **nUrConnectionCount** No content is currently available. -- **nUrIp** No content is currently available. -- **precefinedCallerName** No content is currently available. - **predefinedCallerName** The name of the API Caller. - **restrictedUpload** Is the upload restricted? - **routeToCacheServer** The cache server setting, source, and value. - **sessionID** The ID of the download session. - **totalTimeMs** Duration of the download (in seconds). - **updateID** The ID of the update being downloaded. -- **uphinkUsag,Bps** No content is currently available. - **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). - **uplinkUsageBps** The upload speed (in bytes per second). - **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. @@ -7118,7 +7070,6 @@ The following fields are available: - **fileID** The ID of the file being paused. - **isVpn** Is the device connected to a Virtual Private Network? - **jobID** Identifier for the Windows Update job. -- **precefinedCallerName** No content is currently available. - **predefinedCallerName** The name of the API Caller object. - **reasonCode** The reason for pausing the download. - **routeToCacheServer** The cache server setting, source, and value. @@ -7133,7 +7084,6 @@ This event sends data describing the start of a new download to enable Delivery The following fields are available: - **background** Indicates whether the download is happening in the background. -- **bytesReqeested** No content is currently available. - **bytesRequested** Number of bytes requested for the download. - **cdnUrl** The URL of the source Content Distribution Network (CDN). - **costFlags** A set of flags representing network cost. @@ -7144,8 +7094,6 @@ The following fields are available: - **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). - **downloadModeReason** Reason for the download. - **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). -- **downloadodel** No content is currently available. -- **downloadodelSrc** No content is currently available. - **errorCode** The error code that was returned. - **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing. - **fileID** The ID of the file being downloaded. @@ -7157,7 +7105,6 @@ The following fields are available: - **isVpn** Indicates whether the device is connected to a Virtual Private Network. - **jobID** The ID of the Windows Update job. - **peerID** The ID for this delivery optimization client. -- **precefinedCallerName** No content is currently available. - **predefinedCallerName** Name of the API caller. - **routeToCacheServer** Cache server setting, source, and value. - **sessionID** The ID for the file download session. @@ -7181,7 +7128,6 @@ The following fields are available: - **experimentId** When running a test, this is used to correlate with other events that are part of the same test. - **fileID** The ID of the file being downloaded. - **httpStatusCode** The HTTP status code returned by the CDN. -- **isHeadRepuest** No content is currently available. - **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET - **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.). - **requestOffset** The byte offset within the file in the sent request. @@ -7635,19 +7581,14 @@ This event indicates that the update is no longer applicable to this device. The following fields are available: -- **_]TlgCV__** No content is currently available. - **EventPublishedTime** Time when this event was generated. - **flightID** The specific ID of the Windows Insider build. -- **flkghtID** No content is currently available. - **inapplicableReason** The reason why the update is inapplicable. -- **qevisionLumber** No content is currently available. - **revisionNumber** Update revision number. - **updateId** Unique Windows Update ID. - **updateScenarioType** Update session type. - **UpdateStatus** Last status of update. -- **upgateId** No content is currently available. - **UUPFallBackConfigured** Indicates whether UUP fallback is configured. -- **UUPFallBackConfigused** No content is currently available. - **wuDeviceid** Unique Device ID. From d38f75054d7a8e7093602aa084ee616c3da3870d Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Tue, 9 Apr 2019 15:55:37 -0700 Subject: [PATCH 107/492] added new redirects --- .openpublishing.redirection.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index ab677cc666..ff7e5c472d 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1047,7 +1047,12 @@ }, { "source_path": "windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/manage-alerts", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/manage-alerts", "redirect_document_id": true }, { From 2c847b994aa04b920b23aa258ab61f562a7f3f3c Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 10 Apr 2019 07:58:08 -0700 Subject: [PATCH 108/492] new build 4/10/2019 7:58 AM --- ...el-windows-diagnostic-events-and-fields-1903.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 34823fd12d..bd6c4e2161 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/09/2019 +ms.date: 04/10/2019 --- @@ -4466,7 +4466,7 @@ The following fields are available: ### Microsoft.Windows.PBR.PBRPostApplyFailed -No content is currently available. +This event returns data indicating the failure of the reset/recovery process after the operating system files are restored. The following fields are available: @@ -4475,7 +4475,7 @@ The following fields are available: ### Microsoft.Windows.PBR.PBRPostApplyFinished -No content is currently available. +This event returns data indicating the completion of the reset/recovery process after the operating system files are restored. The following fields are available: @@ -4484,7 +4484,7 @@ The following fields are available: ### Microsoft.Windows.PBR.PBRPostApplyStarted -No content is currently available. +This event returns data indicating the start of the reset/recovery process after the operating system files are restored. The following fields are available: @@ -4493,7 +4493,7 @@ The following fields are available: ### Microsoft.Windows.PBR.PBRPreApplyFailed -No content is currently available. +This event returns data indicating the failure of the reset/recovery process before the operating system files are restored. The following fields are available: @@ -4502,7 +4502,7 @@ The following fields are available: ### Microsoft.Windows.PBR.PBRPreApplyFinished -No content is currently available. +This event returns data indicating the completion of the reset/recovery process before the operating system files are restored. The following fields are available: @@ -4511,7 +4511,7 @@ The following fields are available: ### Microsoft.Windows.PBR.PBRPreApplyStarted -No content is currently available. +This event returns data indicating the start of the reset/recovery process before the operating system files are restored. The following fields are available: From e9d5f1efa1a143e25d58bde7338313248efd2cd1 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 10 Apr 2019 07:58:14 -0700 Subject: [PATCH 109/492] new build 4/10/2019 7:58 AM --- ...ndows-diagnostic-events-and-fields-1703.md | 6 +- ...ndows-diagnostic-events-and-fields-1709.md | 6 +- ...ndows-diagnostic-events-and-fields-1803.md | 6 +- ...ndows-diagnostic-events-and-fields-1809.md | 63 ++++++------------- 4 files changed, 27 insertions(+), 54 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index f49cb11ad8..cc4a260492 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/09/2019 +ms.date: 04/10/2019 --- @@ -2975,7 +2975,7 @@ The following fields are available: ### Microsoft.Windows.Remediation.Applicable -This event indicates a remedial plug-in is applicable if/when such a plug-in is detected. This is used to ensure Windows is up to date. +This event indicates whether a remediation plug-in is applicable, to help keep Windows up to date. A remediation plug-in addresses issues on the system that prevent the device from receiving security and quality updates. The following fields are available: @@ -3059,7 +3059,7 @@ The following fields are available: ### Microsoft.Windows.Remediation.Completed -This event enables completion tracking of a process that remediates issues preventing security and quality updates. +This event is sent when a remediation plug-in has completed, to help keep Windows up to date. A remediation plug-in addresses issues on the system that prevent the device from receiving security and quality updates. The following fields are available: diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 4481851e43..aef6875c51 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/09/2019 +ms.date: 04/10/2019 --- @@ -3163,7 +3163,7 @@ The following fields are available: ### Microsoft.Windows.Remediation.Applicable -This event indicates a remedial plug-in is applicable if/when such a plug-in is detected. This is used to ensure Windows is up to date. +This event indicates whether a remediation plug-in is applicable, to help keep Windows up to date. A remediation plug-in addresses issues on the system that prevent the device from receiving security and quality updates. The following fields are available: @@ -3266,7 +3266,7 @@ The following fields are available: ### Microsoft.Windows.Remediation.Completed -This event enables completion tracking of a process that remediates issues preventing security and quality updates. +This event is sent when a remediation plug-in has completed, to help keep Windows up to date. A remediation plug-in addresses issues on the system that prevent the device from receiving security and quality updates. The following fields are available: diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index ff2f76bd70..1b2f1c8932 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/09/2019 +ms.date: 04/10/2019 --- @@ -4264,7 +4264,7 @@ The following fields are available: ### Microsoft.Windows.Remediation.Applicable -This event indicates a remedial plug-in is applicable if/when such a plug-in is detected. This is used to ensure Windows is up to date. +This event indicates whether a remediation plug-in is applicable, to help keep Windows up to date. A remediation plug-in addresses issues on the system that prevent the device from receiving security and quality updates. The following fields are available: @@ -4368,7 +4368,7 @@ The following fields are available: ### Microsoft.Windows.Remediation.Completed -This event enables completion tracking of a process that remediates issues preventing security and quality updates. +This event is sent when a remediation plug-in has completed, to help keep Windows up to date. A remediation plug-in addresses issues on the system that prevent the device from receiving security and quality updates. The following fields are available: diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 21821ed181..a5e90b5538 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/08/2019 +ms.date: 04/10/2019 --- @@ -4794,7 +4794,7 @@ The following fields are available: ### Microsoft.Windows.Remediation.Applicable -This event indicates a remedial plug-in is applicable if/when such a plug-in is detected. This is used to ensure Windows is up to date. +This event indicates whether a remediation plug-in is applicable, to help keep Windows up to date. A remediation plug-in addresses issues on the system that prevent the device from receiving security and quality updates. The following fields are available: @@ -4802,13 +4802,13 @@ The following fields are available: - **AllowAutoUpdateProviderSetExists** No content is currently available. - **AppraiserBinariesValidResult** Indicates whether plug-in was appraised as valid. - **AppraiserRegistryValidResult** Indicates whether the registry entry checks out as valid. -- **AppraiserTaskRepairDisabled** No content is currently available. -- **AppraiserTaskValid** No content is currently available. -- **AUOptionsExists** No content is currently available. +- **AppraiserTaskRepairDisabled** Task repair performed by the appraiser plugin is disabled. +- **AppraiserTaskValid** Indicates that the appraiser task is valid. +- **AUOptionsExists** Indicates whether the Automatic Update option exist. - **CTACTargetingAttributesInvalid** No content is currently available. - **CTACVersion** No content is currently available. - **CV** Correlation vector -- **DataStoreSizeInBytes** No content is currently available. +- **DataStoreSizeInBytes** Size of the data store, in bytes. - **DateTimeDifference** The difference between local and reference clock times. - **DateTimeSyncEnabled** Indicates whether the datetime sync plug-in is enabled. - **daysSinceInstallThreshold** No content is currently available. @@ -4983,7 +4983,7 @@ The following fields are available: ### Microsoft.Windows.Remediation.Completed -This event enables completion tracking of a process that remediates issues preventing security and quality updates. +This event is sent when a remediation plug-in has completed, to help keep Windows up to date. A remediation plug-in addresses issues on the system that prevent the device from receiving security and quality updates. The following fields are available: @@ -5019,9 +5019,9 @@ The following fields are available: - **RemediationBatteryPowerOnBattery** True if we allow execution on battery. - **RemediationConfigurationTroubleshooterIpconfigFix** TRUE if IPConfig Fix completed successfully. - **RemediationConfigurationTroubleshooterNetShFix** TRUE if network card cache reset ran successfully. -- **RemediationCorruptionRepairCorruptionsDetected** No content is currently available. -- **RemediationCorruptionRepairCorruptionsFixed** No content is currently available. -- **RemediationCorruptionRepairPerformActionSuccessful** No content is currently available. +- **RemediationCorruptionRepairCorruptionsDetected** Number of corruptions detected on the device. +- **RemediationCorruptionRepairCorruptionsFixed** Number of detected corruptions that were fixed on the device. +- **RemediationCorruptionRepairPerformActionSuccessful** Indicates whether corruption repair was successful on the device. - **remediationExecution** Remediation shell is in "applying remediation" state. - **RemediationHibernationMigrated** TRUE if hibernation was migrated. - **RemediationHibernationMigrationSucceeded** TRUE if hibernation migration succeeded. @@ -5036,9 +5036,9 @@ The following fields are available: - **RemediationUpdateServiceHealthRemediationResult** The result of the Update Service Health plug-in. - **RemediationUpdateTaskHealthRemediationResult** The result of the Update Task Health plug-in. - **RemediationUpdateTaskHealthTaskList** A list of tasks fixed by the Update Task Health plug-in. -- **RemediationUSORebootRequred** No content is currently available. +- **RemediationUSORebootRequred** Indicates whether a reboot is determined to be required by calling the Update Service Orchestrator (USO). - **Result** The HRESULT for Detection or Perform Action phases of the plug-in. -- **RunCount** No content is currently available. +- **RunCount** The number of times the plugin has executed. - **RunResult** The HRESULT for Detection or Perform Action phases of the plug-in. - **ServiceHardeningExitCode** The exit code returned by Windows Service Repair. - **ServiceHealthEnabledBitMap** List of services updated by the plugin. @@ -5136,9 +5136,9 @@ The following fields are available: - **CV** Correlation vector. - **DetectedCondition** Boolean true if detect condition is true and perform action will be run. -- **FileVersion** No content is currently available. +- **FileVersion** The version of the data-link library (DLL) that will be applied by the self-update process. - **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **IsHashMismatch** No content is currently available. +- **IsHashMismatch** Indicates whether the hash is a mismatch. - **IsSelfUpdateEnabledInOneSettings** True if self update enabled in Settings. - **IsSelfUpdateNeeded** True if self update needed by device. - **PackageVersion** Current package version of Remediation. @@ -5182,9 +5182,9 @@ The following fields are available: - **CV** Correlation vector. - **DetectedCondition** Determine whether action needs to run based on device properties. -- **FileVersion** No content is currently available. +- **FileVersion** The version of the dynamic-link library (DLL) that will be applied by the self-update process. - **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **IsHashMismatch** No content is currently available. +- **IsHashMismatch** Indicates whether the hash is a mismatch. - **IsSelfUpdateEnabledInOneSettings** Indicates if self update is enabled in One Settings. - **IsSelfUpdateNeeded** Indicates if self update is needed. - **PackageVersion** Current package version of Remediation. @@ -5208,9 +5208,9 @@ The following fields are available: - **SedimentServiceCurrentBytes** Number of current private bytes of memory consumed by sedsvc.exe. - **SedimentServiceKillService** True/False if service is marked for kill (Shell.KillService). - **SedimentServiceMaximumBytes** Maximum bytes allowed for the service. -- **SedimentServiceRanShell** No content is currently available. +- **SedimentServiceRanShell** Indicates whether the shell was run by the service. - **SedimentServiceRetrievedKillService** True/False if result of One Settings check for kill succeeded - we only send back one of these indicators (not for each call). -- **SedimentServiceShellRunHResult** No content is currently available. +- **SedimentServiceShellRunHResult** The HRESULT returned when the shell was run by the service. - **SedimentServiceStopping** True/False indicating whether the service is stopping. - **SedimentServiceTaskFunctional** True/False if scheduled task is functional. If task is not functional this indicates plugins will be run. - **SedimentServiceTotalIterations** Number of 5 second iterations service will wait before running again. @@ -5263,10 +5263,8 @@ This service retrieves events generated by SetupPlatform, the engine that drives The following fields are available: -- **CroupName** No content is currently available. - **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. - **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. -- **Valqe** No content is currently available. - **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. @@ -5278,9 +5276,6 @@ Scan process event on Windows Update client. See the EventScenario field for spe The following fields are available: -- **9ctivityMatchingId** No content is currently available. -- **9llowCachedResults** No content is currently available. -- **9pplicableUpdateInfo** No content is currently available. - **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. - **AllowCachedResults** Indicates if the scan allowed using cached results. - **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable @@ -5320,18 +5315,15 @@ The following fields are available: - **HomeMobileOperator** The mobile operator that the device was originally intended to work with. - **IntentPFNs** Intended application-set metadata for atomic update scenarios. - **IPVersion** Indicates whether the download took place over IPv4 or IPv6 -- **IsWTfBEnabled** No content is currently available. - **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. - **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. - **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. - **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce -- **MetadataYntegrityMode** No content is currently available. - **MSIError** The last error that was encountered during a scan for updates. - **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 - **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete - **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked - **NumberOfLoop** The number of round trips the scan required -- **NumberOfNewUpdatesFòomServiceSync** No content is currently available. - **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan - **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan - **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. @@ -5360,7 +5352,6 @@ The following fields are available: - **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. - **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. - **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. -- **WEDeviceID** No content is currently available. - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. @@ -5401,14 +5392,11 @@ Download process event for target update on Windows Update client. See the Event The following fields are available: -- **ActimeDownloadTime** No content is currently available. -- **ActiveDown¬oadTime** No content is currently available. - **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded. - **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload. - **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. - **AppXDownloadScope** Indicates the scope of the download for application content. - **AppXScope** Indicates the scope of the app download. -- **AppXU3s8aHashFailures** No content is currently available. - **BiosFamily** The family of the BIOS (Basic Input Output System). - **BiosName** The name of the device BIOS. - **BiosReleaseDate** The release date of the device BIOS. @@ -5428,7 +5416,6 @@ The following fields are available: - **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. - **CDNId** ID which defines which CDN the software distribution client downloaded the content from. - **ClientVersion** The version number of the software distribution client. -- **ClientVersion€WUDeviceID** No content is currently available. - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. - **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. - **CurrentMobileOperator** The mobile operator the device is currently connected to. @@ -5440,11 +5427,9 @@ The following fields are available: - **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed. - **EventType** Identifies the type of the event (Child, Bundle, or Driver). - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. -- **FdightBuildNumber** No content is currently available. - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. - **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). - **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. -- **FlighTBuildNumber** No content is currently available. - **FlightId** The specific ID of the flight (pre-release build) the device is getting. - **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). - **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). @@ -5461,7 +5446,6 @@ The following fields are available: - **PackageFullName** The package name of the content. - **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. - **PostDnldTime** Time (in seconds) taken to signal download completion after the last job completed downloading the payload. -- **ppXBlockHashFailures** No content is currently available. - **ProcessName** The process name of the application that initiated API calls, in the event where CallerApplicationName was not provided. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. - **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background. @@ -5470,14 +5454,12 @@ The following fields are available: - **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. - **RepeatFailCount** Indicates whether this specific content has previously failed. - **RepeatFailFlag** Indicates whether this specific content previously failed to download. -- **RevisionN´mber** No content is currently available. - **RevisionNumber** The revision number of the specified piece of content. - **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). - **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. - **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. - **SizeCalcTime** Time (in seconds) taken to calculate the total download size of the payload. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). -- **StatusCodeÀExtendedStatusCode** No content is currently available. - **SystemBIOSMajorRelease** Major version of the BIOS. - **SystemBIOSMinorRelease** Minor version of the BIOS. - **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. @@ -5492,7 +5474,6 @@ The following fields are available: - **UpdatEImportance** No content is currently available. - **UsedDO** Indicates whether the download used the Delivery Optimization (DO) service. - **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive. -- **WUDeviceHD** No content is currently available. - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. @@ -5554,8 +5535,6 @@ This event sends tracking data about the software distribution client installati The following fields are available: -- **œßæ½ßüØÆÔîÐck** No content is currently available. -- **2À@=2§3F'™+ck** No content is currently available. - **BiosFamily** The family of the BIOS (Basic Input Output System). - **BiosName** The name of the device BIOS. - **BiosReleaseDate** The release date of the device BIOS. @@ -5582,7 +5561,6 @@ The following fields are available: - **EventType** Possible values are Child, Bundle, or Driver. - **ExtendedErrorCode** The extended error code. - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough. -- **ExtendEdStatusCode** No content is currently available. - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. - **FlightBranch** The branch that a device is on if participating in the Windows Insider Program. - **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build. @@ -5740,7 +5718,6 @@ The following fields are available: - **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable. - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. - **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **ItentPFNs** No content is currently available. - **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. - **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). @@ -5866,7 +5843,6 @@ The following fields are available: - **PackageCountTotalExpress** Total number of express packages. - **PackageCountTotalPSFX** The total number of PSFX packages. - **PackageExpressType** Type of express package. -- **PackageSizeCanonicad** No content is currently available. - **PackageSizeCanonical** Size of canonical packages in bytes. - **PackageSizeDiff** Size of diff packages in bytes. - **PackageSizeExpress** Size of express packages in bytes. @@ -6632,7 +6608,6 @@ This event is sent after the license is acquired when a product is being install The following fields are available: -- **AcgregatedPackageFullNames** No content is currently available. - **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set. - **AttemptNumber** The total number of attempts to acquire this product. - **CategoryId** The identity of the package or packages being installed. @@ -6733,7 +6708,6 @@ The following fields are available: - **ClientAppId** The identity of the app that initiated this operation. - **HResult** The result code of the last action performed. - **IsApplicability** Is this request to only check if there are any applicable packages to install? -- **IsInteractime** No content is currently available. - **IsInteractive** Is this user requested? - **IsOnline** Is the request doing an online check? @@ -7024,7 +6998,6 @@ The following fields are available: - **cdnIp** The IP address of the source CDN. - **cdnUrl** Url of the source Content Distribution Network (CDN). - **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. -- **dataSourcEsTotal** No content is currently available. - **doErrorCode** The Delivery Optimization error code that was returned. - **downlinkBps** The maximum measured available download bandwidth (in bytes per second). - **downlinkUsageBps** The download speed (in bytes per second). From 61224eba217beb356a32d829c296658cf3d49a95 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Wed, 10 Apr 2019 10:39:43 -0700 Subject: [PATCH 110/492] path update --- .openpublishing.redirection.json | 35 ++++++++++++++++--- ...ows-defender-advanced-threat-protection.md | 10 +++--- 2 files changed, 34 insertions(+), 11 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index ff7e5c472d..068c8c88fa 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -856,28 +856,53 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/advanced-features", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/advanced-features", +"redirect_document_id": false +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/alerts-queue", "redirect_document_id": true }, { "source_path": "windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/alerts-queue", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping", "redirect_document_id": true }, { "source_path": "windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access", "redirect_document_id": true }, { "source_path": "windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status", "redirect_document_id": true }, { "source_path": "windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status", "redirect_document_id": true }, { diff --git a/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md index 1ec412b1f3..9b89a258e4 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md @@ -22,21 +22,19 @@ ms.date: 04/24/2018 **Applies to:** - - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - - >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-suppressionrules-abovefoldlink) -There might be scenarios where you need to suppress alerts from appearing in the portal. You can create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. For more information on how to suppress alerts, see [Suppress alerts](manage-alerts-windows-defender-advanced-threat-protection.md#suppress-alerts). +There might be scenarios where you need to suppress alerts from appearing in the portal. You can create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. For more information on how to suppress alerts, see [Suppress alerts](manage-alerts-windows-defender-advanced-threat-protection.md). You can view a list of all the suppression rules and manage them in one place. You can also turn an alert suppression rule on or off. ## Turn a suppression rule on or off + 1. In the navigation pane, select **Settings** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed. -2. Select a rule by clicking on the check-box beside the rule name. +2. Select a rule by clicking on the check-box beside the rule name. 3. Click **Turn rule on** or **Turn rule off**. @@ -47,5 +45,5 @@ You can view a list of all the suppression rules and manage them in one place. Y 2. Click on a rule name. Details of the rule is displayed. You'll see the rule details such as status, scope, action, number of matching alerts, created by, and date when the rule was created. You can also view associated alerts and the rule conditions. ## Related topics -- [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) +- [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) \ No newline at end of file From 72bb5b050586e4c18ca48b69e00cbb99d6f0af77 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 13:49:48 -0700 Subject: [PATCH 111/492] change folder name to mdatp from wdatp --- .../TOC.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...lerts-queue-endpoint-detection-response.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...defender-advanced-threat-protection-new.md | 0 .../api-hello-world.md | 0 ...ows-defender-advanced-threat-protection.md | 0 .../apis-intro.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 .../configure-attack-surface-reduction.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 .../configure-microsoft-threat-experts.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...defender-advanced-threat-protection-new.md | 0 .../custom-detection-rules.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...defender-advanced-threat-protection-new.md | 0 .../deprecate.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 .../evaluate-atp.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 .../exposed-apis-create-app-nativeapp.md | 0 .../exposed-apis-create-app-webapp.md | 0 .../exposed-apis-full-sample-powershell.md | 0 .../exposed-apis-list.md | 0 .../exposed-apis-odata-samples.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...ows-defender-advanced-threat-protection.md | 156 ++--- ...defender-advanced-threat-protection-new.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...ows-defender-advanced-threat-protection.md | 152 ++--- ...defender-advanced-threat-protection-new.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...ows-defender-advanced-threat-protection.md | 152 ++--- ...defender-advanced-threat-protection-new.md | 0 ...ows-defender-advanced-threat-protection.md | 166 ++--- ...defender-advanced-threat-protection-new.md | 0 .../get-started.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...defender-advanced-threat-protection-new.md | 0 .../images/1.png | Bin .../images/AH_icon.png | Bin .../images/AR_icon.png | Bin .../images/ASR_icon.png | Bin .../images/EDR_icon.jpg | Bin .../images/EDR_icon.png | Bin .../images/Failed.png | Bin .../images/MTE_icon.jpg | Bin .../images/MTE_icon.png | Bin .../images/NGP_icon.jpg | Bin .../images/NGP_icon.png | Bin .../images/No threats found.png | Bin .../images/Partially investigated.png | Bin .../images/Partially remediated.png | Bin .../images/Pending.png | Bin .../images/Remediated.png | Bin .../images/Running.png | Bin .../images/SS_icon.png | Bin .../images/TVM_icon.png | Bin .../images/Terminated by system.png | Bin .../images/WDATP-components.png | Bin .../images/active-alerts-tile.png | Bin .../images/active-threat-icon.png | Bin .../images/advanced-features.png | Bin .../images/advanced-hunting-query-example.PNG | Bin .../images/advanced-hunting-save-query.PNG | Bin .../images/alert-details.png | Bin .../images/alert-icon.png | Bin .../images/alerts-q-bulk.png | Bin .../images/alerts-queue-list.png | Bin .../images/alerts-queue-numbered.png | Bin .../images/analysis-results.png | Bin .../images/api-jwt-ms.png | Bin .../images/api-tenant-id.png | Bin .../atp-Application-Guard-events-icon.png | Bin .../images/atp-Device-Guard-events-icon.png | Bin .../images/atp-ETW-event-icon.png | Bin .../images/atp-Exploit-Guard-events-icon.png | Bin .../images/atp-File-path-icon.png | Bin .../images/atp-Firewall-events-icon.png | Bin .../images/atp-O365-admin-portal-customer.png | Bin .../images/atp-Other-events-icon.png | Bin .../images/atp-Smart-Screen-events-icon.png | Bin .../atp-access-token-modification-icon.png | Bin .../images/atp-action-block-file.png | Bin .../atp-action-center-app-restriction.png | Bin .../atp-action-center-package-collection.png | Bin .../images/atp-action-center-restrict-app.png | Bin .../images/atp-action-center-with-info.png | Bin .../images/atp-actions-action-center.png | Bin ...-actions-collect-investigation-package.png | Bin .../images/atp-actions-isolate-machine.png | Bin .../images/atp-actions-manage-tags.png | Bin .../atp-actions-release-from-isolation.png | Bin .../atp-actions-release-from-isoloation.png | Bin .../atp-actions-remove-app-restrictions.png | Bin .../atp-actions-restrict-app-execution.png | Bin .../images/atp-actions-run-av.png | Bin .../images/atp-active-investigations-tile.png | Bin .../images/atp-actor-alert.png | Bin .../images/atp-actor-report.png | Bin .../images/atp-actor.png | Bin .../images/atp-add-application-name.png | Bin .../images/atp-add-application.png | Bin .../images/atp-add-intune-policy.png | Bin .../images/atp-advanced-hunting-query.png | Bin .../atp-advanced-hunting-results-filter.PNG | Bin .../atp-advanced-hunting-results-set.png | Bin .../images/atp-advanced-hunting.png | Bin .../images/atp-alert-details.png | Bin .../images/atp-alert-mgt-pane.png | Bin .../images/atp-alert-page.png | Bin .../images/atp-alert-process-tree.png | Bin .../images/atp-alert-source.png | Bin .../images/atp-alert-status.png | Bin .../images/atp-alert-timeline-numbered.png | Bin .../images/atp-alert-timeline.png | Bin .../images/atp-alert-view.png | Bin .../images/atp-alerts-group.png | Bin .../images/atp-alerts-q.png | Bin .../images/atp-alerts-queue-user.png | Bin .../images/atp-alerts-queue.png | Bin .../images/atp-alerts-related-to-file.png | Bin .../images/atp-alerts-related-to-machine.PNG | Bin .../images/atp-alerts-selected.png | Bin .../images/atp-alerts-tile.png | Bin .../images/atp-alertsq1.png | Bin .../images/atp-alertsq2.png | Bin .../images/atp-analyze-auto-ir.png | Bin .../images/atp-app-restriction.png | Bin .../images/atp-application-information.png | Bin .../images/atp-approve-reject-action.png | Bin .../images/atp-appsource.png | Bin .../images/atp-auto-investigation-pending.png | Bin .../images/atp-auto-investigations-list.png | Bin ...tp-automated-investigations-statistics.png | Bin .../images/atp-av-scan-action-center.png | Bin .../images/atp-av-scan-notification.png | Bin .../images/atp-azure-api-access.png | Bin .../images/atp-azure-assign-role.png | Bin .../images/atp-azure-atp-app.png | Bin .../images/atp-azure-atp-machine-user.png | Bin .../images/atp-azure-atp-machine.png | Bin .../images/atp-azure-create.png | Bin .../images/atp-azure-intune-category.png | Bin .../images/atp-azure-intune-configure.png | Bin ...p-azure-intune-create-policy-configure.png | Bin .../atp-azure-intune-create-policy-name.png | Bin .../images/atp-azure-intune-create-policy.png | Bin .../atp-azure-intune-create-profile.png | Bin .../images/atp-azure-intune-create.png | Bin .../images/atp-azure-intune-device-config.png | Bin .../images/atp-azure-intune-save-policy.png | Bin .../images/atp-azure-intune-save.png | Bin .../images/atp-azure-intune-select-group.png | Bin .../atp-azure-intune-settings-configure.png | Bin .../images/atp-azure-intune.png | Bin .../images/atp-azure-license-icon.png | Bin .../images/atp-azure-new-app.png | Bin .../images/atp-azure-required-permissions.png | Bin .../images/atp-azure-select-permissions.png | Bin .../images/atp-azure-ui-user-access.png | Bin .../images/atp-billing-licenses.png | Bin .../images/atp-billing-subscriptions.png | Bin .../images/atp-block-file-confirm.png | Bin .../images/atp-block-file.png | Bin .../images/atp-blockfile.png | Bin .../atp-cloud-discovery-dashboard-menu.png | Bin .../atp-collect-investigation-package.png | Bin .../images/atp-command-line-icon.png | Bin .../images/atp-community-center.png | Bin .../atp-conditional-access-numbered.png | Bin .../images/atp-conditional-access.png | Bin .../images/atp-confirm-isolate.png | Bin .../images/atp-create-dashboard.png | Bin .../images/atp-create-suppression-rule.png | Bin .../images/atp-custom-oma-uri.png | Bin .../images/atp-custom-ti-mapping.png | Bin .../images/atp-daily-machines-reporting.png | Bin .../atp-dashboard-security-analytics-9.png | Bin .../atp-dashboard-security-analytics-full.png | Bin .../atp-dashboard-security-analytics.png | Bin .../images/atp-data-not-available.png | Bin .../images/atp-data-ready.png | Bin .../images/atp-data-retention-policy.png | Bin .../images/atp-delete-query.png | Bin .../images/atp-detailed-actor.png | Bin .../images/atp-disableantispyware-regkey.png | Bin .../images/atp-download-connector.png | Bin .../images/atp-enable-security-analytics.png | Bin .../images/atp-example-email-notification.png | Bin .../atp-export-machine-timeline-events.png | Bin .../images/atp-file-action.png | Bin .../images/atp-file-creation-icon.png | Bin .../images/atp-file-details.png | Bin .../images/atp-file-in-org.png | Bin .../images/atp-file-information.png | Bin .../images/atp-file-observed-icon.png | Bin .../images/atp-filter-advanced-hunting.png | Bin ...rd-endpoints-warning-before-atp-access.png | Bin .../images/atp-final-preference-setup.png | Bin .../images/atp-geographic-location-setup.png | Bin .../images/atp-get-data.png | Bin .../images/atp-gpo-proxy1.png | Bin .../images/atp-gpo-proxy2.png | Bin .../images/atp-image.png | Bin .../images/atp-improv-opps-9.png | Bin .../images/atp-improv-opps.png | Bin .../images/atp-improv-ops.png | Bin .../images/atp-incident-details-page.png | Bin .../images/atp-incident-details.png | Bin .../images/atp-incident-evidence-tab.png | Bin .../images/atp-incident-graph-details.png | Bin .../images/atp-incident-graph-tab.png | Bin .../images/atp-incident-graph.png | Bin .../atp-incident-investigations-tab.png | Bin .../images/atp-incident-machine-tab.png | Bin .../images/atp-incident-queue.png | Bin ...ncidents-alerts-incidentlinkedbyreason.png | Bin .../atp-incidents-alerts-linkedbytooltip.png | Bin .../images/atp-incidents-alerts-reason.png | Bin .../images/atp-incidents-alerts-tooltip.png | Bin .../images/atp-incidents-mgt-pane.png | Bin .../images/atp-industry-information.png | Bin .../images/atp-intune-add-oma.png | Bin .../images/atp-intune-add-policy.png | Bin .../images/atp-intune-assignments.png | Bin .../images/atp-intune-configure.png | Bin .../images/atp-intune-create-policy.png | Bin .../images/atp-intune-custom.png | Bin .../images/atp-intune-deploy-policy.png | Bin .../images/atp-intune-group.png | Bin .../images/atp-intune-manage-deployment.png | Bin .../images/atp-intune-new-policy.png | Bin .../images/atp-intune-oma-uri-setting.png | Bin .../images/atp-intune-policy-name.png | Bin .../images/atp-intune-save-deployment.png | Bin .../images/atp-intune-save-policy.png | Bin ...tp-investigation-package-action-center.png | Bin .../images/atp-isolate-machine.png | Bin .../images/atp-licensing-azure-portal.png | Bin .../images/atp-loading.png | Bin .../images/atp-logo-icon.png | Bin .../images/atp-machine-actions-undo.png | Bin .../images/atp-machine-actions.png | Bin .../images/atp-machine-details-view.png | Bin .../images/atp-machine-details-view2.png | Bin .../images/atp-machine-health-details.png | Bin .../images/atp-machine-health.png | Bin .../images/atp-machine-icon.png | Bin .../atp-machine-investigation-package.png | Bin .../images/atp-machine-isolation.png | Bin .../atp-machine-timeline-details-panel.png | Bin .../images/atp-machine-timeline-export.png | Bin .../images/atp-machine-timeline-filter.png | Bin .../images/atp-machine-timeline.png | Bin .../images/atp-machine-view-ata.png | Bin .../atp-machines-active-threats-tile.png | Bin .../images/atp-machines-at-risk.png | Bin .../atp-machines-list-misconfigured.png | Bin .../images/atp-machines-list-view.png | Bin .../images/atp-machines-list-view2.png | Bin .../images/atp-machines-timeline.png | Bin .../images/atp-machines-view-list.png | Bin .../images/atp-main-portal.png | Bin .../images/atp-manage-tags.png | Bin .../images/atp-mapping 3.png | Bin .../images/atp-mapping1.png | Bin .../images/atp-mapping2.png | Bin .../images/atp-mapping3.png | Bin .../images/atp-mapping4.png | Bin .../images/atp-mapping5.png | Bin .../images/atp-mapping6.png | Bin .../images/atp-mapping7.png | Bin .../images/atp-mcas-settings.png | Bin .../images/atp-mdm-onboarding-package.png | Bin .../images/atp-memory-allocation-icon.png | Bin .../images/atp-mma-properties.png | Bin .../images/atp-mma.png | Bin .../images/atp-module-load-icon.png | Bin .../images/atp-ms-secure-score-9.png | Bin .../images/atp-ms-secure-score.png | Bin .../atp-network-communications-icon.png | Bin .../images/atp-new-alerts-list.png | Bin .../images/atp-new-suppression-rule.png | Bin .../images/atp-no-network-connection.png | Bin .../images/atp-no-subscriptions-found.png | Bin .../atp-not-authorized-to-access-portal.png | Bin .../images/atp-notification-action.png | Bin .../atp-notification-collect-package.png | Bin .../images/atp-notification-file.png | Bin .../images/atp-notification-isolate.png | Bin .../images/atp-notification-restrict.png | Bin .../images/atp-notifications.png | Bin .../images/atp-observed-in-organization.png | Bin .../images/atp-observed-machines.png | Bin .../images/atp-oma-uri-values.png | Bin ...ard-endpoints-WDATP-portal-border-test.png | Bin .../atp-onboard-endpoints-WDATP-portal.png | Bin ...p-onboard-endpoints-run-detection-test.png | Bin .../images/atp-onboard-endpoints.png | Bin .../images/atp-onboard-mdm.png | Bin .../images/atp-org-score.png | Bin .../images/atp-org-sec-score.png | Bin .../images/atp-organization-size.png | Bin .../images/atp-pending-actions-auto-ir.png | Bin .../images/atp-pending-actions-file.png | Bin .../images/atp-pending-actions-list.png | Bin .../images/atp-pending-actions-multiple.png | Bin .../atp-pending-actions-notification.png | Bin .../images/atp-permissions-applications.png | Bin .../images/atp-portal-sensor.png | Bin .../images/atp-portal-welcome-screen.png | Bin .../images/atp-portal.png | Bin .../images/atp-powerbi-accept.png | Bin .../images/atp-powerbi-consent.png | Bin .../images/atp-powerbi-extension.png | Bin .../images/atp-powerbi-get-data.png | Bin .../images/atp-powerbi-importing.png | Bin .../images/atp-powerbi-navigator.png | Bin .../images/atp-powerbi-options.png | Bin .../images/atp-powerbi-preview.png | Bin .../atp-powershell-command-run-icon.png | Bin .../images/atp-preferences-setup.png | Bin .../images/atp-preview-experience.png | Bin .../images/atp-preview-features.png | Bin .../images/atp-process-event-icon.png | Bin .../images/atp-process-injection.png | Bin .../images/atp-process-tree.png | Bin .../images/atp-refresh-token.png | Bin .../images/atp-region-control-panel.png | Bin .../images/atp-registry-event-icon.png | Bin .../images/atp-remediated-alert.png | Bin .../images/atp-remove-blocked-file.png | Bin .../images/atp-rename-incident.png | Bin .../images/atp-respond-action-icon.png | Bin .../images/atp-restrict-app.png | Bin .../images/atp-run-av-scan.png | Bin .../images/atp-running-script.png | Bin .../images/atp-sample-custom-ti-alert.png | Bin .../images/atp-save-query.png | Bin .../images/atp-save-tag.png | Bin .../images/atp-sec-coverage.png | Bin .../images/atp-sec-ops-1.png | Bin .../images/atp-sec-ops-dashboard.png | Bin .../atp-security-analytics-dashboard.png | Bin .../atp-security-analytics-view-machines.png | Bin .../atp-security-analytics-view-machines2.png | Bin .../images/atp-security-controls-9.png | Bin .../images/atp-security-controls.png | Bin .../images/atp-security-coverage.png | Bin .../images/atp-security-improvements.png | Bin .../images/atp-security-score-over-time-9.png | Bin .../images/atp-security-score-over-time.png | Bin .../images/atp-sensor-filter.png | Bin .../atp-sensor-health-filter-resized.png | Bin .../images/atp-sensor-health-filter-tile.png | Bin .../images/atp-sensor-health-filter.png | Bin .../images/atp-sensor-health-nonav.png | Bin .../images/atp-sensor-health-tile.png | Bin .../atp-server-offboarding-workspaceid.png | Bin .../atp-server-onboarding-workspaceid.png | Bin .../images/atp-server-onboarding.png | Bin .../images/atp-services.png | Bin .../images/atp-settings-aip.png | Bin .../images/atp-settings-powerbi.png | Bin .../images/atp-setup-complete.png | Bin .../images/atp-setup-incomplete.png | Bin .../atp-setup-permissions-wdatp-portal.png | Bin .../images/atp-shared-queries.png | Bin .../images/atp-siem-integration.png | Bin .../images/atp-siem-mapping1.png | Bin .../images/atp-siem-mapping13.png | Bin .../images/atp-siem-mapping2.png | Bin .../images/atp-siem-mapping3.png | Bin .../images/atp-siem-mapping4.png | Bin .../images/atp-signer-icon.png | Bin .../images/atp-simulate-custom-ti.png | Bin .../images/atp-stop-quarantine-file.png | Bin .../images/atp-stop-quarantine.png | Bin .../images/atp-stopnquarantine-file.png | Bin .../images/atp-subscription-expired.png | Bin .../images/atp-suppression-rules.png | Bin .../images/atp-suspicious-activities-tile.png | Bin .../images/atp-tag-management.png | Bin .../images/atp-task-manager.png | Bin .../images/atp-threat-intel-api.png | Bin .../images/atp-threat-protection-reports.png | Bin .../images/atp-thunderbolt-icon.png | Bin .../images/atp-tile-sensor-health.png | Bin .../images/atp-time-zone.png | Bin .../images/atp-undo-isolation.png | Bin .../images/atp-unsigned-file-icon.png | Bin .../images/atp-user-details-pane.png | Bin .../images/atp-user-details-view-azureatp.png | Bin .../images/atp-user-details-view-tdp.png | Bin .../images/atp-user-details-view.png | Bin .../images/atp-user-details.png | Bin .../images/atp-user-view-ata.png | Bin .../images/atp-users-at-risk.png | Bin .../images/atp-verify-passive-mode.png | Bin .../atp-windows-cloud-instance-creation.png | Bin .../atp-windows-defender-av-events-icon.png | Bin .../images/atp.png | Bin .../images/azure-data-discovery.png | Bin .../images/cloud-apps.png | Bin .../images/cloud-discovery.png | Bin .../images/components.png | Bin .../images/creating-account.png | Bin .../images/dashboard.png | Bin .../images/detection-icon.png | Bin .../images/enable_siem.png | Bin .../images/filter-log.png | Bin .../images/io.png | Bin ...ws-defender-advanced-threat-protection.png | Bin .../images/machine-reports.png | Bin .../images/machines-active-threats-tile.png | Bin .../images/machines-at-risk-tile.png | Bin .../images/machines-at-risk.png | Bin .../images/machines-list.png | Bin .../images/machines-reporting-tile.png | Bin .../images/menu-icon.png | Bin .../images/ms-flow-choose-action.png | Bin .../images/ms-flow-define-action.png | Bin .../images/ms-flow-e2e.png | Bin .../images/ms-flow-insert-db.png | Bin .../images/ms-flow-parse-json.png | Bin .../images/ms-flow-read-db.png | Bin .../images/mss.png | Bin .../images/nativeapp-add-permission.png | Bin .../images/nativeapp-add-permissions-end.png | Bin .../images/nativeapp-create.png | Bin .../images/nativeapp-decoded-token.png | Bin .../images/nativeapp-get-appid.png | Bin .../images/nativeapp-select-permissions.png | Bin .../images/new-secure-score-dashboard.png | Bin .../images/new-ssot.png | Bin .../images/no-threats-found.png | Bin .../images/no_threats_found.png | Bin .../images/not-remediated-icon.png | Bin .../images/office-scc-label.png | Bin .../images/overview.png | Bin .../images/partially-investigated.png | Bin .../images/partially_investigated.png | Bin .../images/partially_remediated.png | Bin .../images/power-bi-create-advanced-query.png | Bin .../images/power-bi-create-blank-query.png | Bin .../images/power-bi-edit-credentials.png | Bin .../images/power-bi-edit-data-privacy.png | Bin .../images/power-bi-open-advanced-editor.png | Bin .../images/power-bi-query-results.png | Bin .../power-bi-set-credentials-anonymous.png | Bin ...bi-set-credentials-organizational-cont.png | Bin ...ower-bi-set-credentials-organizational.png | Bin .../images/power-bi-set-data-privacy.png | Bin .../images/remediated-icon.png | Bin .../images/rules-legend.png | Bin .../images/run-as-admin.png | Bin .../images/save-query.png | Bin .../images/sccm-deployment.png | Bin .../images/sec-ops-dashboard.png | Bin .../images/securescore.png | Bin .../images/settings.png | Bin .../images/setup-preferences.png | Bin .../images/setup-preferences2.png | Bin .../images/siem_details.png | Bin .../images/ss1.png | Bin .../images/ssot.png | Bin .../images/status-tile.png | Bin .../images/submit-file.png | Bin .../images/ta.png | Bin .../images/terminated-by-system.png | Bin .../images/terminated_by_system.png | Bin .../images/threat-analytics-report.png | Bin .../images/top-recommendations.png | Bin .../images/wdatp-pillars.png | Bin .../images/wdatp-pillars2.png | Bin .../images/wdsc.png | Bin .../images/webapp-add-permission-2.png | Bin .../images/webapp-add-permission-end.png | Bin .../webapp-add-permission-readalerts.png | Bin .../images/webapp-add-permission.png | Bin .../images/webapp-app-id1.png | Bin .../images/webapp-create-key.png | Bin .../images/webapp-create.png | Bin .../images/webapp-decoded-token.png | Bin .../images/webapp-edit-multitenant.png | Bin .../images/webapp-edit-settings.png | Bin .../images/webapp-get-appid.png | Bin .../images/webapp-grant-permissions.png | Bin .../images/webapp-select-permission.png | Bin .../images/webapp-validate-token.png | Bin .../images/welcome1.png | Bin .../images/win10-endpoint-users.png | Bin .../images/windefatp-sc-qc-diagtrack.png | Bin .../images/windefatp-sc-query-diagtrack.png | Bin .../images/windefatp-sc-query.png | Bin .../windefatp-utc-console-autostart.png | Bin ...ender-system-guard-boot-time-integrity.png | Bin ...system-guard-validate-system-integrity.png | Bin .../images/windows-defender-system-guard.png | Bin .../improverequestperformance-new.md | 0 .../incidents-queue.md | 0 ...nformation-protection-in-windows-config.md | 0 ...ormation-protection-in-windows-overview.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...defender-advanced-threat-protection-new.md | 0 .../machineactionsnote.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 .../manage-edr.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 .../management-apis.md | 0 .../microsoft-cloud-app-security-config.md | 0 ...icrosoft-cloud-app-security-integration.md | 0 .../microsoft-threat-experts.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 .../onboard.md | 0 .../overview-attack-surface-reduction.md | 0 .../overview-custom-detections.md | 0 .../overview-endpoint-detection-response.md | 0 .../overview-hardware-based-isolation.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 .../overview.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 .../prerelease.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...defender-advanced-threat-protection-new.md | 0 .../run-advanced-query-api.md | 0 .../run-advanced-query-sample-ms-flow.md | 0 ...dvanced-query-sample-power-bi-app-token.md | 0 ...vanced-query-sample-power-bi-user-token.md | 0 .../run-advanced-query-sample-powershell.md | 0 .../run-advanced-query-sample-python.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...ows-defender-advanced-threat-protection.md | 0 .../threat-analytics.md | 0 ...ows-defender-advanced-threat-protection.md | 0 .../threat-protection-integration.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 624 +++++++++--------- ...ows-defender-advanced-threat-protection.md | 0 .../troubleshoot-wdatp.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...defender-advanced-threat-protection-new.md | 0 ...defender-advanced-threat-protection-new.md | 0 .../use-apis.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...ows-defender-advanced-threat-protection.md | 0 ...defender-advanced-threat-protection-new.md | 0 .../view-incidents-queue.md | 0 .../whats-new-in-windows-defender-atp.md | 0 ...ows-defender-advanced-threat-protection.md | 0 .../windows-defender-security-center-atp.md | 0 656 files changed, 625 insertions(+), 625 deletions(-) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/TOC.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/advanced-features-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/advanced-hunting-reference-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/advanced-hunting-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/alerts-queue-endpoint-detection-response.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/alerts-queue-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/alerts-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/api-hello-world.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/api-portal-mapping-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/apis-intro.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/assign-portal-access-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/attack-simulations-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/automated-investigations-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/basic-permissions-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/check-sensor-status-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/collect-investigation-package-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/community-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/conditional-access-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/configure-arcsight-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/configure-attack-surface-reduction.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/configure-conditional-access-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/configure-email-notifications-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/configure-endpoints-gp-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/configure-endpoints-script-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/configure-endpoints-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/configure-microsoft-threat-experts.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/configure-mssp-support-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/configure-proxy-internet-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/configure-server-endpoints-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/configure-siem-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/configure-splunk-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/custom-detection-rules.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/custom-ti-api-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/data-retention-settings-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/data-storage-privacy-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/defender-compatibility-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/deprecate.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/enable-custom-ti-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/enable-secure-score-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/enable-siem-integration-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/evaluate-atp.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/event-error-codes-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/experiment-custom-ti-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/exposed-apis-create-app-nativeapp.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/exposed-apis-create-app-webapp.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/exposed-apis-full-sample-powershell.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/exposed-apis-list.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/exposed-apis-odata-samples.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/files-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-alerts-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md (95%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-domain-statistics-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-file-information-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-file-related-machines-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-file-statistics-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-ip-statistics-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-kbinfo-collection-windows-defender-advanced-threat-protection.md (95%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-machine-by-id-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-machineaction-object-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-machinegroups-collection-windows-defender-advanced-threat-protection.md (95%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-machines-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md (96%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-started.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-user-information-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/get-user-related-machines-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/1.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/AH_icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/AR_icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/ASR_icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/EDR_icon.jpg (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/EDR_icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/Failed.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/MTE_icon.jpg (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/MTE_icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/NGP_icon.jpg (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/NGP_icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/No threats found.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/Partially investigated.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/Partially remediated.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/Pending.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/Remediated.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/Running.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/SS_icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/TVM_icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/Terminated by system.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/WDATP-components.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/active-alerts-tile.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/active-threat-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/advanced-features.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/advanced-hunting-query-example.PNG (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/advanced-hunting-save-query.PNG (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/alert-details.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/alert-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/alerts-q-bulk.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/alerts-queue-list.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/alerts-queue-numbered.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/analysis-results.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/api-jwt-ms.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/api-tenant-id.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-Application-Guard-events-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-Device-Guard-events-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-ETW-event-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-Exploit-Guard-events-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-File-path-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-Firewall-events-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-O365-admin-portal-customer.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-Other-events-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-Smart-Screen-events-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-access-token-modification-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-action-block-file.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-action-center-app-restriction.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-action-center-package-collection.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-action-center-restrict-app.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-action-center-with-info.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-actions-action-center.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-actions-collect-investigation-package.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-actions-isolate-machine.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-actions-manage-tags.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-actions-release-from-isolation.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-actions-release-from-isoloation.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-actions-remove-app-restrictions.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-actions-restrict-app-execution.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-actions-run-av.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-active-investigations-tile.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-actor-alert.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-actor-report.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-actor.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-add-application-name.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-add-application.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-add-intune-policy.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-advanced-hunting-query.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-advanced-hunting-results-filter.PNG (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-advanced-hunting-results-set.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-advanced-hunting.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-alert-details.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-alert-mgt-pane.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-alert-page.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-alert-process-tree.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-alert-source.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-alert-status.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-alert-timeline-numbered.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-alert-timeline.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-alert-view.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-alerts-group.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-alerts-q.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-alerts-queue-user.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-alerts-queue.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-alerts-related-to-file.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-alerts-related-to-machine.PNG (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-alerts-selected.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-alerts-tile.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-alertsq1.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-alertsq2.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-analyze-auto-ir.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-app-restriction.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-application-information.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-approve-reject-action.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-appsource.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-auto-investigation-pending.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-auto-investigations-list.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-automated-investigations-statistics.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-av-scan-action-center.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-av-scan-notification.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-azure-api-access.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-azure-assign-role.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-azure-atp-app.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-azure-atp-machine-user.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-azure-atp-machine.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-azure-create.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-azure-intune-category.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-azure-intune-configure.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-azure-intune-create-policy-configure.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-azure-intune-create-policy-name.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-azure-intune-create-policy.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-azure-intune-create-profile.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-azure-intune-create.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-azure-intune-device-config.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-azure-intune-save-policy.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-azure-intune-save.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-azure-intune-select-group.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-azure-intune-settings-configure.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-azure-intune.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-azure-license-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-azure-new-app.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-azure-required-permissions.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-azure-select-permissions.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-azure-ui-user-access.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-billing-licenses.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-billing-subscriptions.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-block-file-confirm.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-block-file.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-blockfile.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-cloud-discovery-dashboard-menu.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-collect-investigation-package.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-command-line-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-community-center.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-conditional-access-numbered.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-conditional-access.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-confirm-isolate.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-create-dashboard.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-create-suppression-rule.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-custom-oma-uri.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-custom-ti-mapping.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-daily-machines-reporting.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-dashboard-security-analytics-9.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-dashboard-security-analytics-full.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-dashboard-security-analytics.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-data-not-available.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-data-ready.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-data-retention-policy.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-delete-query.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-detailed-actor.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-disableantispyware-regkey.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-download-connector.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-enable-security-analytics.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-example-email-notification.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-export-machine-timeline-events.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-file-action.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-file-creation-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-file-details.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-file-in-org.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-file-information.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-file-observed-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-filter-advanced-hunting.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-final-onboard-endpoints-warning-before-atp-access.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-final-preference-setup.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-geographic-location-setup.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-get-data.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-gpo-proxy1.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-gpo-proxy2.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-image.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-improv-opps-9.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-improv-opps.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-improv-ops.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-incident-details-page.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-incident-details.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-incident-evidence-tab.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-incident-graph-details.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-incident-graph-tab.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-incident-graph.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-incident-investigations-tab.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-incident-machine-tab.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-incident-queue.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-incidents-alerts-incidentlinkedbyreason.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-incidents-alerts-linkedbytooltip.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-incidents-alerts-reason.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-incidents-alerts-tooltip.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-incidents-mgt-pane.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-industry-information.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-intune-add-oma.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-intune-add-policy.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-intune-assignments.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-intune-configure.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-intune-create-policy.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-intune-custom.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-intune-deploy-policy.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-intune-group.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-intune-manage-deployment.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-intune-new-policy.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-intune-oma-uri-setting.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-intune-policy-name.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-intune-save-deployment.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-intune-save-policy.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-investigation-package-action-center.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-isolate-machine.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-licensing-azure-portal.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-loading.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-logo-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-machine-actions-undo.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-machine-actions.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-machine-details-view.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-machine-details-view2.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-machine-health-details.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-machine-health.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-machine-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-machine-investigation-package.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-machine-isolation.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-machine-timeline-details-panel.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-machine-timeline-export.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-machine-timeline-filter.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-machine-timeline.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-machine-view-ata.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-machines-active-threats-tile.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-machines-at-risk.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-machines-list-misconfigured.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-machines-list-view.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-machines-list-view2.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-machines-timeline.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-machines-view-list.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-main-portal.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-manage-tags.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-mapping 3.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-mapping1.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-mapping2.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-mapping3.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-mapping4.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-mapping5.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-mapping6.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-mapping7.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-mcas-settings.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-mdm-onboarding-package.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-memory-allocation-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-mma-properties.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-mma.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-module-load-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-ms-secure-score-9.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-ms-secure-score.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-network-communications-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-new-alerts-list.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-new-suppression-rule.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-no-network-connection.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-no-subscriptions-found.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-not-authorized-to-access-portal.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-notification-action.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-notification-collect-package.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-notification-file.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-notification-isolate.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-notification-restrict.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-notifications.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-observed-in-organization.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-observed-machines.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-oma-uri-values.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-onboard-endpoints-WDATP-portal-border-test.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-onboard-endpoints-WDATP-portal.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-onboard-endpoints-run-detection-test.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-onboard-endpoints.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-onboard-mdm.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-org-score.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-org-sec-score.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-organization-size.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-pending-actions-auto-ir.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-pending-actions-file.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-pending-actions-list.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-pending-actions-multiple.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-pending-actions-notification.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-permissions-applications.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-portal-sensor.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-portal-welcome-screen.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-portal.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-powerbi-accept.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-powerbi-consent.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-powerbi-extension.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-powerbi-get-data.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-powerbi-importing.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-powerbi-navigator.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-powerbi-options.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-powerbi-preview.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-powershell-command-run-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-preferences-setup.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-preview-experience.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-preview-features.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-process-event-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-process-injection.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-process-tree.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-refresh-token.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-region-control-panel.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-registry-event-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-remediated-alert.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-remove-blocked-file.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-rename-incident.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-respond-action-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-restrict-app.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-run-av-scan.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-running-script.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-sample-custom-ti-alert.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-save-query.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-save-tag.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-sec-coverage.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-sec-ops-1.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-sec-ops-dashboard.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-security-analytics-dashboard.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-security-analytics-view-machines.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-security-analytics-view-machines2.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-security-controls-9.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-security-controls.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-security-coverage.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-security-improvements.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-security-score-over-time-9.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-security-score-over-time.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-sensor-filter.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-sensor-health-filter-resized.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-sensor-health-filter-tile.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-sensor-health-filter.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-sensor-health-nonav.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-sensor-health-tile.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-server-offboarding-workspaceid.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-server-onboarding-workspaceid.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-server-onboarding.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-services.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-settings-aip.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-settings-powerbi.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-setup-complete.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-setup-incomplete.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-setup-permissions-wdatp-portal.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-shared-queries.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-siem-integration.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-siem-mapping1.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-siem-mapping13.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-siem-mapping2.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-siem-mapping3.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-siem-mapping4.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-signer-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-simulate-custom-ti.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-stop-quarantine-file.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-stop-quarantine.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-stopnquarantine-file.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-subscription-expired.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-suppression-rules.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-suspicious-activities-tile.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-tag-management.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-task-manager.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-threat-intel-api.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-threat-protection-reports.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-thunderbolt-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-tile-sensor-health.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-time-zone.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-undo-isolation.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-unsigned-file-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-user-details-pane.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-user-details-view-azureatp.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-user-details-view-tdp.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-user-details-view.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-user-details.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-user-view-ata.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-users-at-risk.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-verify-passive-mode.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-windows-cloud-instance-creation.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp-windows-defender-av-events-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/atp.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/azure-data-discovery.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/cloud-apps.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/cloud-discovery.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/components.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/creating-account.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/dashboard.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/detection-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/enable_siem.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/filter-log.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/io.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/licensing-windows-defender-advanced-threat-protection.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/machine-reports.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/machines-active-threats-tile.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/machines-at-risk-tile.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/machines-at-risk.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/machines-list.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/machines-reporting-tile.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/menu-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/ms-flow-choose-action.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/ms-flow-define-action.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/ms-flow-e2e.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/ms-flow-insert-db.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/ms-flow-parse-json.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/ms-flow-read-db.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/mss.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/nativeapp-add-permission.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/nativeapp-add-permissions-end.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/nativeapp-create.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/nativeapp-decoded-token.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/nativeapp-get-appid.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/nativeapp-select-permissions.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/new-secure-score-dashboard.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/new-ssot.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/no-threats-found.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/no_threats_found.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/not-remediated-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/office-scc-label.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/overview.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/partially-investigated.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/partially_investigated.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/partially_remediated.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/power-bi-create-advanced-query.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/power-bi-create-blank-query.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/power-bi-edit-credentials.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/power-bi-edit-data-privacy.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/power-bi-open-advanced-editor.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/power-bi-query-results.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/power-bi-set-credentials-anonymous.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/power-bi-set-credentials-organizational-cont.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/power-bi-set-credentials-organizational.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/power-bi-set-data-privacy.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/remediated-icon.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/rules-legend.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/run-as-admin.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/save-query.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/sccm-deployment.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/sec-ops-dashboard.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/securescore.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/settings.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/setup-preferences.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/setup-preferences2.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/siem_details.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/ss1.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/ssot.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/status-tile.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/submit-file.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/ta.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/terminated-by-system.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/terminated_by_system.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/threat-analytics-report.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/top-recommendations.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/wdatp-pillars.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/wdatp-pillars2.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/wdsc.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/webapp-add-permission-2.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/webapp-add-permission-end.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/webapp-add-permission-readalerts.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/webapp-add-permission.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/webapp-app-id1.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/webapp-create-key.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/webapp-create.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/webapp-decoded-token.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/webapp-edit-multitenant.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/webapp-edit-settings.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/webapp-get-appid.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/webapp-grant-permissions.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/webapp-select-permission.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/webapp-validate-token.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/welcome1.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/win10-endpoint-users.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/windefatp-sc-qc-diagtrack.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/windefatp-sc-query-diagtrack.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/windefatp-sc-query.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/windefatp-utc-console-autostart.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/windows-defender-system-guard-boot-time-integrity.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/windows-defender-system-guard-validate-system-integrity.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/images/windows-defender-system-guard.png (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/improverequestperformance-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/incidents-queue.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/information-protection-in-windows-config.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/information-protection-in-windows-overview.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/investigate-alerts-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/investigate-domain-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/investigate-files-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/investigate-incidents-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/investigate-ip-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/investigate-machines-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/investigate-user-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/isolate-machine-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/licensing-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/machine-groups-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/machine-reports-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/machine-tags-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/machine-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/machineaction-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/machineactionsnote.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/machines-view-overview-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/manage-alerts-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/manage-auto-investigation-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/manage-edr.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/manage-incidents-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/manage-suppression-rules-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/management-apis.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/microsoft-cloud-app-security-config.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/microsoft-cloud-app-security-integration.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/microsoft-threat-experts.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/minimum-requirements-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/mssp-support-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/offboard-machine-api-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/offboard-machines-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/onboard-configure-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/onboard-downlevel-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/onboard.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/overview-attack-surface-reduction.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/overview-custom-detections.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/overview-endpoint-detection-response.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/overview-hardware-based-isolation.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/overview-hunting-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/overview-secure-score-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/overview.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/portal-overview-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/post-ti-indicator-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/powerbi-reports-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/powershell-example-code-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/preferences-setup-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/prerelease.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/preview-settings-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/preview-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/python-example-code-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/rbac-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/respond-file-alerts-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/respond-machine-alerts-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/response-actions-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/restrict-code-execution-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/run-advanced-query-api.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/run-advanced-query-sample-ms-flow.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/run-advanced-query-sample-power-bi-app-token.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/run-advanced-query-sample-power-bi-user-token.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/run-advanced-query-sample-powershell.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/run-advanced-query-sample-python.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/run-av-scan-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/run-detection-test-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/secure-score-dashboard-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/security-operations-dashboard-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/service-status-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/supported-response-apis-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/threat-analytics.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/threat-indicator-concepts-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/threat-protection-integration.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/threat-protection-reports-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/ti-indicator-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/time-settings-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md (98%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/troubleshoot-siem-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/troubleshoot-wdatp.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/troubleshoot-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/unisolate-machine-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/update-alert-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/use-apis.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/use-custom-ti-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/use-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/user-roles-windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/user-windows-defender-advanced-threat-protection-new.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/view-incidents-queue.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/whats-new-in-windows-defender-atp.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/windows-defender-advanced-threat-protection.md (100%) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/windows-defender-security-center-atp.md (100%) diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/microsoft-defender-atp/TOC.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/TOC.md rename to windows/security/threat-protection/microsoft-defender-atp/TOC.md diff --git a/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-queue-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/alerts-queue-endpoint-detection-response.md rename to windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/api-hello-world.md b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/api-hello-world.md rename to windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md diff --git a/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/apis-intro.md b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/apis-intro.md rename to windows/security/threat-protection/microsoft-defender-atp/apis-intro.md diff --git a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/community-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/community-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/configure-attack-surface-reduction.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md diff --git a/windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/configure-microsoft-threat-experts.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md diff --git a/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md rename to windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md diff --git a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/deprecate.md b/windows/security/threat-protection/microsoft-defender-atp/deprecate.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/deprecate.md rename to windows/security/threat-protection/microsoft-defender-atp/deprecate.md diff --git a/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/evaluate-atp.md rename to windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md diff --git a/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md rename to windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md rename to windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md rename to windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md rename to windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md rename to windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md diff --git a/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/files-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/files-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md similarity index 95% rename from windows/security/threat-protection/windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md index 4251da56b9..e65b940689 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md @@ -1,82 +1,82 @@ ---- -title: Get CVE-KB map API -description: Retrieves a map of CVE's to KB's. -keywords: apis, graph api, supported apis, get, cve, kb -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: leonidzh -author: mjcaparas +--- +title: Get CVE-KB map API +description: Retrieves a map of CVE's to KB's. +keywords: apis, graph api, supported apis, get, cve, kb +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: leonidzh +author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance -ms.topic: article -ms.date: 10/07/2018 ---- - -# Get CVE-KB map API - -**Applies to:** - -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -Retrieves a map of CVE's to KB's and CVE details. - -## Permissions -User needs read permissions. - -## HTTP request -``` -GET /testwdatppreview/cvekbmap -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. **Required**. -Content type | application/json - -## Request body -Empty - -## Response -If successful and map exists - 200 OK. - -## Example - -**Request** - -Here is an example of the request. - -``` -GET https://graph.microsoft.com/testwdatppreview/CveKbMap -Content-type: application/json -``` - -**Response** - -Here is an example of the response. - -``` -HTTP/1.1 200 OK -Content-type: application/json -{ - "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#CveKbMap", - "@odata.count": 4168, - "value": [ - { - "cveKbId": "CVE-2015-2482-3097617", - "cveId": "CVE-2015-2482", - "kbId":"3097617", - "title": "Cumulative Security Update for Internet Explorer", - "severity": "Critical" - }, - … -} - -``` +ms.topic: article +ms.date: 10/07/2018 +--- + +# Get CVE-KB map API + +**Applies to:** + +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +Retrieves a map of CVE's to KB's and CVE details. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/cvekbmap +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + +## Request body +Empty + +## Response +If successful and map exists - 200 OK. + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/CveKbMap +Content-type: application/json +``` + +**Response** + +Here is an example of the response. + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#CveKbMap", + "@odata.count": 4168, + "value": [ + { + "cveKbId": "CVE-2015-2482-3097617", + "cveId": "CVE-2015-2482", + "kbId":"3097617", + "title": "Cumulative Security Update for Internet Explorer", + "severity": "Critical" + }, + … +} + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md similarity index 95% rename from windows/security/threat-protection/windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md index 1752cd4d91..cfc710240a 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md @@ -1,81 +1,81 @@ ---- -title: Get KB collection API -description: Retrieves a collection of KB's. -keywords: apis, graph api, supported apis, get, kb -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: leonidzh -author: mjcaparas +--- +title: Get KB collection API +description: Retrieves a collection of KB's. +keywords: apis, graph api, supported apis, get, kb +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: leonidzh +author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance -ms.topic: article -ms.date: 10/07/2018 ---- - -# Get KB collection API - -**Applies to:** - -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -Retrieves a collection of KB's and KB details. - -## Permissions -User needs read permissions. - -## HTTP request -``` -GET /testwdatppreview/kbinfo -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. **Required**. -Content type | application/json - -## Request body -Empty - -## Response -If successful - 200 OK. - -## Example - -**Request** - -Here is an example of the request. - -``` -GET https://graph.microsoft.com/testwdatppreview/KbInfo -Content-type: application/json -``` - -**Response** - -Here is an example of the response. - -``` -HTTP/1.1 200 OK -Content-type: application/json -{ - "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#KbInfo", - "@odata.count": 271, - "value":[ - { - "id": "KB3097617 (10240.16549) Amd64", - "release": "KB3097617 (10240.16549)", - "publishingDate": "2015-10-16T21:00:00Z", - "version": "10.0.10240.16549", - "architecture": "Amd64" - }, - … -} +ms.topic: article +ms.date: 10/07/2018 +--- + +# Get KB collection API + +**Applies to:** + +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +Retrieves a collection of KB's and KB details. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/kbinfo +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + +## Request body +Empty + +## Response +If successful - 200 OK. + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/KbInfo +Content-type: application/json +``` + +**Response** + +Here is an example of the response. + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#KbInfo", + "@odata.count": 271, + "value":[ + { + "id": "KB3097617 (10240.16549) Amd64", + "release": "KB3097617 (10240.16549)", + "publishingDate": "2015-10-16T21:00:00Z", + "version": "10.0.10240.16549", + "architecture": "Amd64" + }, + … +} ``` \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md similarity index 95% rename from windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md index 412c1bd762..85bfd9945a 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md @@ -1,81 +1,81 @@ ---- -title: Get RBAC machine groups collection API -description: Retrieves a collection of RBAC machine groups. -keywords: apis, graph api, supported apis, get, RBAC, group -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: leonidzh -author: mjcaparas +--- +title: Get RBAC machine groups collection API +description: Retrieves a collection of RBAC machine groups. +keywords: apis, graph api, supported apis, get, RBAC, group +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: leonidzh +author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance -ms.topic: article -ms.date: 10/07/2018 ---- - -# Get KB collection API - -**Applies to:** - -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -Retrieves a collection of RBAC machine groups. - -## Permissions -User needs read permissions. - -## HTTP request -``` -GET /testwdatppreview/machinegroups -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. **Required**. -Content type | application/json - -## Request body -Empty - -## Response -If successful - 200 OK. - -## Example - -**Request** - -Here is an example of the request. - -``` -GET https://graph.microsoft.com/testwdatppreview/machinegroups -Content-type: application/json -``` - -**Response** - -Here is an example of the response. -Field id contains machine group **id** and equal to field **rbacGroupId** in machines info. -Field **ungrouped** is true only for one group for all machines that have not been assigned to any group. This group as usual has name "UnassignedGroup". - -``` -HTTP/1.1 200 OK -Content-type: application/json -{ - "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#MachineGroups", - "@odata.count":7, - "value":[ - { - "id":86, - "name":"UnassignedGroup", - "description":"", - "ungrouped":true}, - … -} +ms.topic: article +ms.date: 10/07/2018 +--- + +# Get KB collection API + +**Applies to:** + +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +Retrieves a collection of RBAC machine groups. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/machinegroups +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + +## Request body +Empty + +## Response +If successful - 200 OK. + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/machinegroups +Content-type: application/json +``` + +**Response** + +Here is an example of the response. +Field id contains machine group **id** and equal to field **rbacGroupId** in machines info. +Field **ungrouped** is true only for one group for all machines that have not been assigned to any group. This group as usual has name "UnassignedGroup". + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#MachineGroups", + "@odata.count":7, + "value":[ + { + "id":86, + "name":"UnassignedGroup", + "description":"", + "ungrouped":true}, + … +} ``` \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md similarity index 96% rename from windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md index 0de146e30c..55803636b8 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md @@ -1,88 +1,88 @@ ---- -title: Get machines security states collection API -description: Retrieves a collection of machines security states. -keywords: apis, graph api, supported apis, get, machine, security, state -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: leonidzh -author: mjcaparas +--- +title: Get machines security states collection API +description: Retrieves a collection of machines security states. +keywords: apis, graph api, supported apis, get, machine, security, state +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: leonidzh +author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance -ms.topic: article -ms.date: 10/07/2018 ---- - -# Get Machines security states collection API - -**Applies to:** - -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -Retrieves a collection of machines security states. - -## Permissions -User needs read permissions. - -## HTTP request -``` -GET /testwdatppreview/machinesecuritystates -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. **Required**. -Content type | application/json - -## Request body -Empty - -## Response -If successful - 200 OK. - -## Example - -**Request** - -Here is an example of the request. - -``` -GET https://graph.microsoft.com/testwdatppreview/machinesecuritystates -Content-type: application/json -``` - -**Response** - -Here is an example of the response. -Field *id* contains machine id and equal to the field *id** in machines info. - -``` -HTTP/1.1 200 OK -Content-type: application/json -{ - "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#MachineSecurityStates", - "@odata.count":444, - "@odata.nextLink":"https://graph.microsoft.com/testwdatppreview/machinesecuritystates?$skiptoken=[continuation token]", - "value":[ - { - "id":"000050e1b4afeee3742489ede9ad7a3e16bbd9c4", - "build":14393, - "revision":2485, - "architecture":"Amd64", - "osVersion":"10.0.14393.2485.amd64fre.rs1_release.180827-1809", - "propertiesRequireAttention":[ - "AntivirusNotReporting", - "EdrImpairedCommunications" - ] - }, - … - ] -} +ms.topic: article +ms.date: 10/07/2018 +--- + +# Get Machines security states collection API + +**Applies to:** + +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +Retrieves a collection of machines security states. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/machinesecuritystates +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + +## Request body +Empty + +## Response +If successful - 200 OK. + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/machinesecuritystates +Content-type: application/json +``` + +**Response** + +Here is an example of the response. +Field *id* contains machine id and equal to the field *id** in machines info. + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#MachineSecurityStates", + "@odata.count":444, + "@odata.nextLink":"https://graph.microsoft.com/testwdatppreview/machinesecuritystates?$skiptoken=[continuation token]", + "value":[ + { + "id":"000050e1b4afeee3742489ede9ad7a3e16bbd9c4", + "build":14393, + "revision":2485, + "architecture":"Amd64", + "osVersion":"10.0.14393.2485.amd64fre.rs1_release.180827-1809", + "propertiesRequireAttention":[ + "AntivirusNotReporting", + "EdrImpairedCommunications" + ] + }, + … + ] +} ``` \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/get-started.md b/windows/security/threat-protection/microsoft-defender-atp/get-started.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/get-started.md rename to windows/security/threat-protection/microsoft-defender-atp/get-started.md diff --git a/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/images/1.png b/windows/security/threat-protection/microsoft-defender-atp/images/1.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/1.png rename to windows/security/threat-protection/microsoft-defender-atp/images/1.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/AH_icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/AH_icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/AH_icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/AH_icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/AR_icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/AR_icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/AR_icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/AR_icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/ASR_icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/ASR_icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/ASR_icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/ASR_icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/EDR_icon.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/EDR_icon.jpg similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/EDR_icon.jpg rename to windows/security/threat-protection/microsoft-defender-atp/images/EDR_icon.jpg diff --git a/windows/security/threat-protection/windows-defender-atp/images/EDR_icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/EDR_icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/EDR_icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/EDR_icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/Failed.png b/windows/security/threat-protection/microsoft-defender-atp/images/Failed.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/Failed.png rename to windows/security/threat-protection/microsoft-defender-atp/images/Failed.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/MTE_icon.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/MTE_icon.jpg similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/MTE_icon.jpg rename to windows/security/threat-protection/microsoft-defender-atp/images/MTE_icon.jpg diff --git a/windows/security/threat-protection/windows-defender-atp/images/MTE_icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/MTE_icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/MTE_icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/MTE_icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/NGP_icon.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/NGP_icon.jpg similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/NGP_icon.jpg rename to windows/security/threat-protection/microsoft-defender-atp/images/NGP_icon.jpg diff --git a/windows/security/threat-protection/windows-defender-atp/images/NGP_icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/NGP_icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/NGP_icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/NGP_icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/No threats found.png b/windows/security/threat-protection/microsoft-defender-atp/images/No threats found.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/No threats found.png rename to windows/security/threat-protection/microsoft-defender-atp/images/No threats found.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/Partially investigated.png b/windows/security/threat-protection/microsoft-defender-atp/images/Partially investigated.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/Partially investigated.png rename to windows/security/threat-protection/microsoft-defender-atp/images/Partially investigated.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/Partially remediated.png b/windows/security/threat-protection/microsoft-defender-atp/images/Partially remediated.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/Partially remediated.png rename to windows/security/threat-protection/microsoft-defender-atp/images/Partially remediated.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/Pending.png b/windows/security/threat-protection/microsoft-defender-atp/images/Pending.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/Pending.png rename to windows/security/threat-protection/microsoft-defender-atp/images/Pending.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/Remediated.png b/windows/security/threat-protection/microsoft-defender-atp/images/Remediated.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/Remediated.png rename to windows/security/threat-protection/microsoft-defender-atp/images/Remediated.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/Running.png b/windows/security/threat-protection/microsoft-defender-atp/images/Running.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/Running.png rename to windows/security/threat-protection/microsoft-defender-atp/images/Running.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/SS_icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/SS_icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/SS_icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/SS_icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/TVM_icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/TVM_icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/TVM_icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/TVM_icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/Terminated by system.png b/windows/security/threat-protection/microsoft-defender-atp/images/Terminated by system.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/Terminated by system.png rename to windows/security/threat-protection/microsoft-defender-atp/images/Terminated by system.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/WDATP-components.png b/windows/security/threat-protection/microsoft-defender-atp/images/WDATP-components.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/WDATP-components.png rename to windows/security/threat-protection/microsoft-defender-atp/images/WDATP-components.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/active-alerts-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/active-alerts-tile.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/active-alerts-tile.png rename to windows/security/threat-protection/microsoft-defender-atp/images/active-alerts-tile.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/active-threat-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/active-threat-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/active-threat-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/active-threat-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/advanced-features.png b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-features.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/advanced-features.png rename to windows/security/threat-protection/microsoft-defender-atp/images/advanced-features.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-query-example.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example.PNG similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-query-example.PNG rename to windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example.PNG diff --git a/windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-save-query.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-save-query.PNG similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-save-query.PNG rename to windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-save-query.PNG diff --git a/windows/security/threat-protection/windows-defender-atp/images/alert-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/alert-details.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/alert-details.png rename to windows/security/threat-protection/microsoft-defender-atp/images/alert-details.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/alert-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/alert-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/alert-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/alert-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/alerts-q-bulk.png b/windows/security/threat-protection/microsoft-defender-atp/images/alerts-q-bulk.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/alerts-q-bulk.png rename to windows/security/threat-protection/microsoft-defender-atp/images/alerts-q-bulk.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/alerts-queue-list.png b/windows/security/threat-protection/microsoft-defender-atp/images/alerts-queue-list.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/alerts-queue-list.png rename to windows/security/threat-protection/microsoft-defender-atp/images/alerts-queue-list.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/alerts-queue-numbered.png b/windows/security/threat-protection/microsoft-defender-atp/images/alerts-queue-numbered.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/alerts-queue-numbered.png rename to windows/security/threat-protection/microsoft-defender-atp/images/alerts-queue-numbered.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/analysis-results.png b/windows/security/threat-protection/microsoft-defender-atp/images/analysis-results.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/analysis-results.png rename to windows/security/threat-protection/microsoft-defender-atp/images/analysis-results.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/api-jwt-ms.png b/windows/security/threat-protection/microsoft-defender-atp/images/api-jwt-ms.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/api-jwt-ms.png rename to windows/security/threat-protection/microsoft-defender-atp/images/api-jwt-ms.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/api-tenant-id.png b/windows/security/threat-protection/microsoft-defender-atp/images/api-tenant-id.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/api-tenant-id.png rename to windows/security/threat-protection/microsoft-defender-atp/images/api-tenant-id.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-Application-Guard-events-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-Application-Guard-events-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-Application-Guard-events-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-Application-Guard-events-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-Device-Guard-events-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-Device-Guard-events-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-Device-Guard-events-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-Device-Guard-events-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-ETW-event-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-ETW-event-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-ETW-event-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-ETW-event-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-Exploit-Guard-events-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-Exploit-Guard-events-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-Exploit-Guard-events-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-Exploit-Guard-events-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-File-path-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-File-path-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-File-path-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-File-path-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-Firewall-events-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-Firewall-events-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-Firewall-events-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-Firewall-events-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-O365-admin-portal-customer.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-O365-admin-portal-customer.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-O365-admin-portal-customer.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-O365-admin-portal-customer.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-Other-events-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-Other-events-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-Other-events-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-Other-events-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-Smart-Screen-events-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-Smart-Screen-events-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-Smart-Screen-events-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-Smart-Screen-events-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-access-token-modification-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-access-token-modification-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-access-token-modification-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-access-token-modification-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-action-block-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-action-block-file.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-action-block-file.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-action-block-file.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-action-center-app-restriction.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-action-center-app-restriction.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-action-center-app-restriction.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-action-center-app-restriction.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-action-center-package-collection.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-action-center-package-collection.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-action-center-package-collection.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-action-center-package-collection.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-action-center-restrict-app.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-action-center-restrict-app.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-action-center-restrict-app.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-action-center-restrict-app.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-action-center-with-info.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-action-center-with-info.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-action-center-with-info.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-action-center-with-info.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-actions-action-center.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-actions-action-center.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-actions-action-center.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-actions-action-center.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-actions-collect-investigation-package.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-actions-collect-investigation-package.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-actions-collect-investigation-package.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-actions-collect-investigation-package.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-actions-isolate-machine.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-actions-isolate-machine.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-actions-isolate-machine.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-actions-isolate-machine.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-actions-manage-tags.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-actions-manage-tags.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-actions-manage-tags.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-actions-manage-tags.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-actions-release-from-isolation.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-actions-release-from-isolation.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-actions-release-from-isolation.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-actions-release-from-isolation.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-actions-release-from-isoloation.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-actions-release-from-isoloation.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-actions-release-from-isoloation.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-actions-release-from-isoloation.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-actions-remove-app-restrictions.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-actions-remove-app-restrictions.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-actions-remove-app-restrictions.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-actions-remove-app-restrictions.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-actions-restrict-app-execution.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-actions-restrict-app-execution.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-actions-restrict-app-execution.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-actions-restrict-app-execution.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-actions-run-av.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-actions-run-av.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-actions-run-av.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-actions-run-av.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-active-investigations-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-active-investigations-tile.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-active-investigations-tile.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-active-investigations-tile.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-actor-alert.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-actor-alert.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-actor-alert.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-actor-alert.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-actor-report.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-actor-report.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-actor-report.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-actor-report.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-actor.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-actor.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-actor.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-actor.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-add-application-name.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-application-name.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-add-application-name.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-add-application-name.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-add-application.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-application.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-add-application.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-add-application.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-add-intune-policy.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-add-intune-policy.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-add-intune-policy.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-add-intune-policy.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting-query.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-query.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting-query.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-query.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting-results-filter.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-results-filter.PNG similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting-results-filter.PNG rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-results-filter.PNG diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting-results-set.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-results-set.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting-results-set.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting-results-set.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alert-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-details.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-alert-details.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-details.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alert-mgt-pane.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-mgt-pane.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-alert-mgt-pane.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-mgt-pane.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alert-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-page.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-alert-page.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-page.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alert-process-tree.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-process-tree.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-alert-process-tree.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-process-tree.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alert-source.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-source.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-alert-source.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-source.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alert-status.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-status.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-alert-status.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-status.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alert-timeline-numbered.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-timeline-numbered.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-alert-timeline-numbered.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-timeline-numbered.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alert-timeline.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-timeline.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-alert-timeline.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-timeline.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alert-view.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-view.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-alert-view.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-view.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-group.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-group.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-alerts-group.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-group.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-q.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-q.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-alerts-q.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-q.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-queue-user.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-queue-user.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-alerts-queue-user.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-queue-user.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-queue.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-queue.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-alerts-queue.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-queue.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-related-to-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-related-to-file.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-alerts-related-to-file.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-related-to-file.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-related-to-machine.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-related-to-machine.PNG similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-alerts-related-to-machine.PNG rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-related-to-machine.PNG diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-selected.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-selected.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-alerts-selected.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-selected.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-tile.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-alerts-tile.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-tile.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alertsq1.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alertsq1.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-alertsq1.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-alertsq1.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alertsq2.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alertsq2.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-alertsq2.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-alertsq2.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-analyze-auto-ir.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-analyze-auto-ir.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-analyze-auto-ir.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-analyze-auto-ir.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-app-restriction.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-app-restriction.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-app-restriction.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-app-restriction.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-application-information.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-application-information.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-application-information.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-application-information.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-approve-reject-action.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-approve-reject-action.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-approve-reject-action.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-approve-reject-action.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-appsource.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-appsource.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-appsource.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-appsource.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-auto-investigation-pending.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-auto-investigation-pending.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-auto-investigation-pending.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-auto-investigation-pending.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-auto-investigations-list.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-auto-investigations-list.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-auto-investigations-list.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-auto-investigations-list.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-automated-investigations-statistics.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-automated-investigations-statistics.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-automated-investigations-statistics.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-automated-investigations-statistics.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-av-scan-action-center.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-av-scan-action-center.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-av-scan-action-center.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-av-scan-action-center.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-av-scan-notification.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-av-scan-notification.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-av-scan-notification.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-av-scan-notification.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-api-access.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-api-access.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-azure-api-access.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-api-access.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-assign-role.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-assign-role.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-azure-assign-role.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-assign-role.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-app.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-atp-app.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-app.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-atp-app.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-machine-user.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-atp-machine-user.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-machine-user.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-atp-machine-user.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-machine.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-atp-machine.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-machine.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-atp-machine.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-create.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-create.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-azure-create.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-create.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-category.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-intune-category.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-category.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-intune-category.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-configure.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-intune-configure.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-configure.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-intune-configure.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-create-policy-configure.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-intune-create-policy-configure.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-create-policy-configure.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-intune-create-policy-configure.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-create-policy-name.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-intune-create-policy-name.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-create-policy-name.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-intune-create-policy-name.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-create-policy.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-intune-create-policy.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-create-policy.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-intune-create-policy.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-intune-create-profile.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-intune-create-profile.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-create.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-intune-create.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-create.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-intune-create.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-device-config.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-intune-device-config.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-device-config.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-intune-device-config.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-save-policy.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-intune-save-policy.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-save-policy.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-intune-save-policy.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-save.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-intune-save.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-save.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-intune-save.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-select-group.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-intune-select-group.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-select-group.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-intune-select-group.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-settings-configure.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-intune-settings-configure.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune-settings-configure.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-intune-settings-configure.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-intune.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-azure-intune.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-intune.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-license-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-license-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-azure-license-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-license-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-new-app.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-new-app.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-azure-new-app.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-new-app.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-required-permissions.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-required-permissions.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-azure-required-permissions.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-required-permissions.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-select-permissions.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-select-permissions.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-azure-select-permissions.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-select-permissions.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-ui-user-access.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-ui-user-access.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-azure-ui-user-access.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-ui-user-access.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-billing-licenses.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-billing-licenses.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-billing-licenses.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-billing-licenses.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-billing-subscriptions.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-billing-subscriptions.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-billing-subscriptions.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-billing-subscriptions.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-block-file-confirm.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-block-file-confirm.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-block-file-confirm.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-block-file-confirm.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-block-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-block-file.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-block-file.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-block-file.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-blockfile.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-blockfile.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-blockfile.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-blockfile.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-cloud-discovery-dashboard-menu.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-cloud-discovery-dashboard-menu.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-cloud-discovery-dashboard-menu.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-cloud-discovery-dashboard-menu.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-collect-investigation-package.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-collect-investigation-package.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-collect-investigation-package.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-collect-investigation-package.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-command-line-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-command-line-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-command-line-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-command-line-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-community-center.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-community-center.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-community-center.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-community-center.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-conditional-access-numbered.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-conditional-access-numbered.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-conditional-access-numbered.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-conditional-access-numbered.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-conditional-access.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-conditional-access.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-conditional-access.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-conditional-access.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-confirm-isolate.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-confirm-isolate.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-confirm-isolate.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-confirm-isolate.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-create-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-create-dashboard.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-create-dashboard.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-create-dashboard.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-create-suppression-rule.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-create-suppression-rule.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-create-suppression-rule.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-create-suppression-rule.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-custom-oma-uri.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-custom-oma-uri.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-custom-oma-uri.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-custom-oma-uri.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-custom-ti-mapping.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-custom-ti-mapping.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-custom-ti-mapping.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-custom-ti-mapping.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-daily-machines-reporting.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-daily-machines-reporting.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-daily-machines-reporting.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-daily-machines-reporting.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics-9.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics-9.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics-9.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics-9.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics-full.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics-full.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics-full.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics-full.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-dashboard-security-analytics.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-data-not-available.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-not-available.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-data-not-available.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-data-not-available.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-data-ready.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-ready.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-data-ready.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-data-ready.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-data-retention-policy.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-retention-policy.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-data-retention-policy.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-data-retention-policy.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-delete-query.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-delete-query.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-delete-query.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-delete-query.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-detailed-actor.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-detailed-actor.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-detailed-actor.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-detailed-actor.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-disableantispyware-regkey.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-disableantispyware-regkey.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-disableantispyware-regkey.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-disableantispyware-regkey.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-download-connector.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-connector.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-download-connector.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-download-connector.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-enable-security-analytics.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-enable-security-analytics.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-enable-security-analytics.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-enable-security-analytics.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-example-email-notification.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-example-email-notification.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-example-email-notification.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-example-email-notification.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-export-machine-timeline-events.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-export-machine-timeline-events.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-export-machine-timeline-events.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-export-machine-timeline-events.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-file-action.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-action.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-file-action.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-file-action.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-file-creation-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-creation-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-file-creation-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-file-creation-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-file-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-details.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-file-details.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-file-details.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-file-in-org.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-in-org.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-file-in-org.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-file-in-org.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-file-information.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-information.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-file-information.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-file-information.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-file-observed-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-observed-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-file-observed-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-file-observed-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-filter-advanced-hunting.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-filter-advanced-hunting.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-filter-advanced-hunting.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-filter-advanced-hunting.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-final-onboard-endpoints-warning-before-atp-access.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-final-onboard-endpoints-warning-before-atp-access.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-final-onboard-endpoints-warning-before-atp-access.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-final-onboard-endpoints-warning-before-atp-access.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-final-preference-setup.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-final-preference-setup.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-final-preference-setup.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-final-preference-setup.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-geographic-location-setup.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-geographic-location-setup.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-geographic-location-setup.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-geographic-location-setup.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-get-data.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-get-data.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-get-data.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-get-data.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-gpo-proxy1.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-gpo-proxy1.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-gpo-proxy1.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-gpo-proxy1.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-gpo-proxy2.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-gpo-proxy2.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-gpo-proxy2.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-gpo-proxy2.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-image.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-image.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-image.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-image.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-improv-opps-9.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-improv-opps-9.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-improv-opps-9.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-improv-opps-9.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-improv-opps.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-improv-opps.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-improv-opps.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-improv-opps.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-improv-ops.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-improv-ops.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-improv-ops.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-improv-ops.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incident-details-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-page.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-incident-details-page.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-page.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incident-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-incident-details.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incident-evidence-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-evidence-tab.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-incident-evidence-tab.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-evidence-tab.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incident-graph-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-details.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-incident-graph-details.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-details.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incident-graph-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-tab.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-incident-graph-tab.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-tab.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incident-graph.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-incident-graph.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incident-investigations-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-investigations-tab.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-incident-investigations-tab.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-investigations-tab.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incident-machine-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-machine-tab.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-incident-machine-tab.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-machine-tab.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incident-queue.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-queue.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-incident-queue.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-queue.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-incidentlinkedbyreason.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-alerts-incidentlinkedbyreason.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-incidentlinkedbyreason.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-alerts-incidentlinkedbyreason.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-linkedbytooltip.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-alerts-linkedbytooltip.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-linkedbytooltip.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-alerts-linkedbytooltip.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-reason.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-alerts-reason.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-reason.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-alerts-reason.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-tooltip.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-alerts-tooltip.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-tooltip.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-alerts-tooltip.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-mgt-pane.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-incidents-mgt-pane.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-industry-information.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-industry-information.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-industry-information.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-industry-information.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-intune-add-oma.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-intune-add-oma.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-intune-add-oma.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-intune-add-oma.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-intune-add-policy.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-intune-add-policy.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-intune-add-policy.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-intune-add-policy.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-intune-assignments.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-intune-assignments.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-intune-assignments.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-intune-assignments.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-intune-configure.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-intune-configure.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-intune-configure.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-intune-configure.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-intune-create-policy.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-intune-create-policy.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-intune-create-policy.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-intune-create-policy.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-intune-custom.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-intune-custom.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-intune-custom.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-intune-custom.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-intune-deploy-policy.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-intune-deploy-policy.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-intune-deploy-policy.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-intune-deploy-policy.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-intune-group.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-intune-group.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-intune-group.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-intune-group.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-intune-manage-deployment.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-intune-manage-deployment.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-intune-manage-deployment.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-intune-manage-deployment.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-intune-new-policy.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-intune-new-policy.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-intune-new-policy.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-intune-new-policy.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-intune-oma-uri-setting.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-intune-oma-uri-setting.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-intune-oma-uri-setting.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-intune-oma-uri-setting.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-intune-policy-name.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-intune-policy-name.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-intune-policy-name.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-intune-policy-name.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-intune-save-deployment.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-intune-save-deployment.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-intune-save-deployment.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-intune-save-deployment.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-intune-save-policy.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-intune-save-policy.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-intune-save-policy.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-intune-save-policy.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-investigation-package-action-center.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-investigation-package-action-center.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-investigation-package-action-center.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-investigation-package-action-center.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-isolate-machine.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-isolate-machine.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-isolate-machine.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-isolate-machine.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-licensing-azure-portal.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-licensing-azure-portal.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-licensing-azure-portal.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-licensing-azure-portal.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-loading.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-loading.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-loading.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-loading.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-logo-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-logo-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-logo-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-logo-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machine-actions-undo.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-actions-undo.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-machine-actions-undo.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-actions-undo.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machine-actions.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-actions.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-machine-actions.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-actions.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machine-details-view.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-details-view.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-machine-details-view.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-details-view.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machine-details-view2.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-details-view2.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-machine-details-view2.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-details-view2.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machine-health-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-health-details.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-machine-health-details.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-health-details.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machine-health.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-health.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-machine-health.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-health.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machine-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-machine-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machine-investigation-package.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-investigation-package.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-machine-investigation-package.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-investigation-package.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machine-isolation.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-isolation.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-machine-isolation.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-isolation.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-timeline-details-panel.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-timeline-details-panel.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-timeline-export.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-timeline-export.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-filter.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-timeline-filter.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-filter.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-timeline-filter.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-timeline.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-timeline.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machine-view-ata.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-view-ata.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-machine-view-ata.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-view-ata.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machines-active-threats-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-active-threats-tile.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-machines-active-threats-tile.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-active-threats-tile.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-at-risk.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-at-risk.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machines-list-misconfigured.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-misconfigured.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-machines-list-misconfigured.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-misconfigured.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machines-list-view.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-view.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-machines-list-view.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-view.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machines-list-view2.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-view2.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-machines-list-view2.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-list-view2.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machines-timeline.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-timeline.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-machines-timeline.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-timeline.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machines-view-list.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-view-list.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-machines-view-list.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-machines-view-list.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-main-portal.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-main-portal.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-main-portal.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-main-portal.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-manage-tags.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-manage-tags.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-manage-tags.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-manage-tags.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-mapping 3.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping 3.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-mapping 3.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping 3.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-mapping1.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping1.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-mapping1.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping1.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-mapping2.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping2.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-mapping2.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping2.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-mapping3.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping3.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-mapping3.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping3.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-mapping4.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping4.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-mapping4.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping4.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-mapping5.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping5.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-mapping5.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping5.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-mapping6.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping6.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-mapping6.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping6.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-mapping7.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping7.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-mapping7.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping7.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-mcas-settings.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mcas-settings.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-mcas-settings.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-mcas-settings.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-mdm-onboarding-package.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mdm-onboarding-package.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-mdm-onboarding-package.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-mdm-onboarding-package.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-memory-allocation-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-memory-allocation-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-memory-allocation-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-memory-allocation-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-mma-properties.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mma-properties.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-mma-properties.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-mma-properties.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-mma.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mma.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-mma.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-mma.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-module-load-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-module-load-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-module-load-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-module-load-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-ms-secure-score-9.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-ms-secure-score-9.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-ms-secure-score-9.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-ms-secure-score-9.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-ms-secure-score.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-ms-secure-score.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-ms-secure-score.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-ms-secure-score.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-network-communications-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-network-communications-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-network-communications-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-network-communications-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-new-alerts-list.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-new-alerts-list.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-new-alerts-list.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-new-alerts-list.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-new-suppression-rule.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-new-suppression-rule.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-new-suppression-rule.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-new-suppression-rule.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-no-network-connection.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-no-network-connection.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-no-network-connection.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-no-network-connection.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-no-subscriptions-found.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-no-subscriptions-found.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-no-subscriptions-found.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-no-subscriptions-found.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-not-authorized-to-access-portal.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-not-authorized-to-access-portal.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-not-authorized-to-access-portal.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-not-authorized-to-access-portal.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-notification-action.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-notification-action.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-notification-action.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-notification-action.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-notification-collect-package.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-notification-collect-package.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-notification-collect-package.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-notification-collect-package.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-notification-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-notification-file.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-notification-file.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-notification-file.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-notification-isolate.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-notification-isolate.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-notification-isolate.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-notification-isolate.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-notification-restrict.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-notification-restrict.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-notification-restrict.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-notification-restrict.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-notifications.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-notifications.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-notifications.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-notifications.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-observed-in-organization.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-in-organization.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-observed-in-organization.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-in-organization.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-observed-machines.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-machines.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-observed-machines.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-machines.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-oma-uri-values.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-oma-uri-values.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-oma-uri-values.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-oma-uri-values.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal-border-test.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints-WDATP-portal-border-test.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal-border-test.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints-WDATP-portal-border-test.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints-WDATP-portal.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints-WDATP-portal.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-run-detection-test.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints-run-detection-test.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-run-detection-test.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints-run-detection-test.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-onboard-endpoints.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-onboard-endpoints.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-endpoints.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-onboard-mdm.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-mdm.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-onboard-mdm.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-onboard-mdm.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-org-score.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-org-score.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-org-score.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-org-score.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-org-sec-score.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-org-sec-score.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-org-sec-score.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-org-sec-score.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-organization-size.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-organization-size.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-organization-size.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-organization-size.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-auto-ir.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-auto-ir.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-auto-ir.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-auto-ir.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-file.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-file.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-file.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-list.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-list.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-list.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-list.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-multiple.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-multiple.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-multiple.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-multiple.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-notification.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-notification.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-notification.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-pending-actions-notification.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-permissions-applications.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-permissions-applications.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-permissions-applications.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-permissions-applications.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-portal-sensor.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-sensor.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-portal-sensor.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-sensor.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-portal-welcome-screen.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-welcome-screen.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-portal-welcome-screen.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-welcome-screen.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-portal.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-portal.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-portal.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-accept.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-accept.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-accept.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-accept.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-consent.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-consent.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-consent.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-consent.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-extension.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-extension.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-extension.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-extension.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-get-data.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-get-data.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-get-data.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-get-data.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-importing.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-importing.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-importing.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-importing.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-navigator.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-navigator.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-navigator.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-navigator.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-options.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-options.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-options.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-options.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-preview.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-preview.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-preview.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-powerbi-preview.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-powershell-command-run-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-powershell-command-run-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-powershell-command-run-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-powershell-command-run-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-preferences-setup.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-preferences-setup.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-preferences-setup.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-preferences-setup.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-preview-experience.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-preview-experience.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-preview-experience.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-preview-experience.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-preview-features.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-preview-features.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-preview-features.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-preview-features.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-process-event-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-process-event-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-process-event-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-process-event-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-process-injection.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-process-injection.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-process-injection.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-process-injection.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-process-tree.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-process-tree.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-process-tree.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-process-tree.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-refresh-token.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-refresh-token.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-refresh-token.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-refresh-token.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-region-control-panel.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-region-control-panel.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-region-control-panel.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-region-control-panel.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-registry-event-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-registry-event-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-registry-event-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-registry-event-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-remediated-alert.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-remediated-alert.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-remediated-alert.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-remediated-alert.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-remove-blocked-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-remove-blocked-file.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-remove-blocked-file.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-remove-blocked-file.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-rename-incident.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-rename-incident.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-rename-incident.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-rename-incident.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-respond-action-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-respond-action-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-respond-action-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-respond-action-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-restrict-app.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-restrict-app.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-restrict-app.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-restrict-app.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-run-av-scan.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-run-av-scan.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-run-av-scan.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-run-av-scan.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-running-script.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-running-script.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-running-script.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-running-script.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-sample-custom-ti-alert.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sample-custom-ti-alert.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-sample-custom-ti-alert.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-sample-custom-ti-alert.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-save-query.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-save-query.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-save-query.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-save-query.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-save-tag.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-save-tag.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-save-tag.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-save-tag.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-sec-coverage.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-coverage.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-sec-coverage.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-coverage.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-sec-ops-1.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-ops-1.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-sec-ops-1.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-ops-1.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-sec-ops-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-ops-dashboard.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-sec-ops-dashboard.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-ops-dashboard.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-security-analytics-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-dashboard.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-security-analytics-dashboard.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-dashboard.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-view-machines.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-view-machines.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines2.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-view-machines2.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-security-analytics-view-machines2.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-security-analytics-view-machines2.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-security-controls-9.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-controls-9.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-security-controls-9.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-security-controls-9.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-security-controls.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-controls.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-security-controls.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-security-controls.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-security-coverage.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-coverage.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-security-coverage.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-security-coverage.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-security-improvements.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-improvements.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-security-improvements.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-security-improvements.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-security-score-over-time-9.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-score-over-time-9.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-security-score-over-time-9.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-security-score-over-time-9.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-security-score-over-time.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-security-score-over-time.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-security-score-over-time.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-security-score-over-time.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-sensor-filter.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-filter.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-sensor-filter.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-filter.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-sensor-health-filter-resized.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter-resized.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-sensor-health-filter-resized.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter-resized.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-sensor-health-filter-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter-tile.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-sensor-health-filter-tile.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter-tile.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-sensor-health-filter.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-sensor-health-filter.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-filter.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-sensor-health-nonav.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-nonav.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-sensor-health-nonav.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-nonav.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-sensor-health-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-tile.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-sensor-health-tile.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-sensor-health-tile.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-server-offboarding-workspaceid.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-server-offboarding-workspaceid.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-server-offboarding-workspaceid.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-server-offboarding-workspaceid.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-server-onboarding-workspaceid.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-server-onboarding-workspaceid.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-server-onboarding-workspaceid.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-server-onboarding-workspaceid.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-server-onboarding.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-server-onboarding.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-server-onboarding.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-server-onboarding.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-services.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-services.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-services.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-services.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-settings-aip.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-settings-aip.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-settings-aip.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-settings-aip.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-settings-powerbi.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-settings-powerbi.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-settings-powerbi.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-settings-powerbi.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-setup-complete.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-complete.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-setup-complete.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-complete.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-setup-incomplete.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-incomplete.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-setup-incomplete.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-incomplete.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-setup-permissions-wdatp-portal.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-permissions-wdatp-portal.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-setup-permissions-wdatp-portal.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-permissions-wdatp-portal.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-shared-queries.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-shared-queries.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-shared-queries.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-shared-queries.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-siem-integration.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-integration.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-siem-integration.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-integration.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-siem-mapping1.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping1.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-siem-mapping1.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping1.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-siem-mapping13.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping13.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-siem-mapping13.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping13.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-siem-mapping2.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping2.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-siem-mapping2.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping2.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping3.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping3.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-siem-mapping4.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping4.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-siem-mapping4.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping4.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-signer-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-signer-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-signer-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-signer-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-simulate-custom-ti.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-simulate-custom-ti.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-simulate-custom-ti.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-simulate-custom-ti.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-stop-quarantine-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine-file.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-stop-quarantine-file.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine-file.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-stopnquarantine-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stopnquarantine-file.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-stopnquarantine-file.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-stopnquarantine-file.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-subscription-expired.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-subscription-expired.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-subscription-expired.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-subscription-expired.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-suppression-rules.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-suppression-rules.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-suppression-rules.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-suppression-rules.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-suspicious-activities-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-suspicious-activities-tile.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-suspicious-activities-tile.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-suspicious-activities-tile.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-tag-management.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-tag-management.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-tag-management.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-tag-management.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-task-manager.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-task-manager.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-task-manager.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-task-manager.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-threat-intel-api.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-threat-intel-api.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-threat-intel-api.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-threat-intel-api.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-threat-protection-reports.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-threat-protection-reports.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-threat-protection-reports.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-threat-protection-reports.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-thunderbolt-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-thunderbolt-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-thunderbolt-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-thunderbolt-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-tile-sensor-health.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-tile-sensor-health.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-tile-sensor-health.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-tile-sensor-health.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-time-zone.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-time-zone.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-time-zone.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-time-zone.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-undo-isolation.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-undo-isolation.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-undo-isolation.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-undo-isolation.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-unsigned-file-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-unsigned-file-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-unsigned-file-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-unsigned-file-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-user-details-pane.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-pane.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-user-details-pane.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-pane.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-user-details-view-azureatp.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view-azureatp.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-user-details-view-azureatp.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view-azureatp.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-user-details-view-tdp.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view-tdp.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-user-details-view-tdp.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view-tdp.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-user-details-view.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-user-details-view.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-user-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-user-details.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-user-view-ata.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-view-ata.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-user-view-ata.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-user-view-ata.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-users-at-risk.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-users-at-risk.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-users-at-risk.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-users-at-risk.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-verify-passive-mode.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-verify-passive-mode.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-verify-passive-mode.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-verify-passive-mode.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-windows-cloud-instance-creation.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-windows-cloud-instance-creation.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-windows-cloud-instance-creation.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-windows-cloud-instance-creation.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-windows-defender-av-events-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-windows-defender-av-events-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp-windows-defender-av-events-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp-windows-defender-av-events-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/atp.png rename to windows/security/threat-protection/microsoft-defender-atp/images/atp.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/azure-data-discovery.png b/windows/security/threat-protection/microsoft-defender-atp/images/azure-data-discovery.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/azure-data-discovery.png rename to windows/security/threat-protection/microsoft-defender-atp/images/azure-data-discovery.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/cloud-apps.png b/windows/security/threat-protection/microsoft-defender-atp/images/cloud-apps.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/cloud-apps.png rename to windows/security/threat-protection/microsoft-defender-atp/images/cloud-apps.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/cloud-discovery.png b/windows/security/threat-protection/microsoft-defender-atp/images/cloud-discovery.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/cloud-discovery.png rename to windows/security/threat-protection/microsoft-defender-atp/images/cloud-discovery.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/components.png b/windows/security/threat-protection/microsoft-defender-atp/images/components.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/components.png rename to windows/security/threat-protection/microsoft-defender-atp/images/components.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/creating-account.png b/windows/security/threat-protection/microsoft-defender-atp/images/creating-account.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/creating-account.png rename to windows/security/threat-protection/microsoft-defender-atp/images/creating-account.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/dashboard.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/dashboard.png rename to windows/security/threat-protection/microsoft-defender-atp/images/dashboard.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/detection-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/detection-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/detection-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/detection-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/enable_siem.png b/windows/security/threat-protection/microsoft-defender-atp/images/enable_siem.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/enable_siem.png rename to windows/security/threat-protection/microsoft-defender-atp/images/enable_siem.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/filter-log.png b/windows/security/threat-protection/microsoft-defender-atp/images/filter-log.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/filter-log.png rename to windows/security/threat-protection/microsoft-defender-atp/images/filter-log.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/io.png b/windows/security/threat-protection/microsoft-defender-atp/images/io.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/io.png rename to windows/security/threat-protection/microsoft-defender-atp/images/io.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/licensing-windows-defender-advanced-threat-protection.png b/windows/security/threat-protection/microsoft-defender-atp/images/licensing-windows-defender-advanced-threat-protection.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/licensing-windows-defender-advanced-threat-protection.png rename to windows/security/threat-protection/microsoft-defender-atp/images/licensing-windows-defender-advanced-threat-protection.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/machine-reports.png b/windows/security/threat-protection/microsoft-defender-atp/images/machine-reports.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/machine-reports.png rename to windows/security/threat-protection/microsoft-defender-atp/images/machine-reports.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/machines-active-threats-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/machines-active-threats-tile.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/machines-active-threats-tile.png rename to windows/security/threat-protection/microsoft-defender-atp/images/machines-active-threats-tile.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/machines-at-risk-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/machines-at-risk-tile.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/machines-at-risk-tile.png rename to windows/security/threat-protection/microsoft-defender-atp/images/machines-at-risk-tile.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/machines-at-risk.png b/windows/security/threat-protection/microsoft-defender-atp/images/machines-at-risk.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/machines-at-risk.png rename to windows/security/threat-protection/microsoft-defender-atp/images/machines-at-risk.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/machines-list.png b/windows/security/threat-protection/microsoft-defender-atp/images/machines-list.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/machines-list.png rename to windows/security/threat-protection/microsoft-defender-atp/images/machines-list.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/machines-reporting-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/machines-reporting-tile.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/machines-reporting-tile.png rename to windows/security/threat-protection/microsoft-defender-atp/images/machines-reporting-tile.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/menu-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/menu-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/menu-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/menu-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-choose-action.png b/windows/security/threat-protection/microsoft-defender-atp/images/ms-flow-choose-action.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/ms-flow-choose-action.png rename to windows/security/threat-protection/microsoft-defender-atp/images/ms-flow-choose-action.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-define-action.png b/windows/security/threat-protection/microsoft-defender-atp/images/ms-flow-define-action.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/ms-flow-define-action.png rename to windows/security/threat-protection/microsoft-defender-atp/images/ms-flow-define-action.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-e2e.png b/windows/security/threat-protection/microsoft-defender-atp/images/ms-flow-e2e.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/ms-flow-e2e.png rename to windows/security/threat-protection/microsoft-defender-atp/images/ms-flow-e2e.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-insert-db.png b/windows/security/threat-protection/microsoft-defender-atp/images/ms-flow-insert-db.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/ms-flow-insert-db.png rename to windows/security/threat-protection/microsoft-defender-atp/images/ms-flow-insert-db.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-parse-json.png b/windows/security/threat-protection/microsoft-defender-atp/images/ms-flow-parse-json.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/ms-flow-parse-json.png rename to windows/security/threat-protection/microsoft-defender-atp/images/ms-flow-parse-json.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-read-db.png b/windows/security/threat-protection/microsoft-defender-atp/images/ms-flow-read-db.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/ms-flow-read-db.png rename to windows/security/threat-protection/microsoft-defender-atp/images/ms-flow-read-db.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/mss.png b/windows/security/threat-protection/microsoft-defender-atp/images/mss.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/mss.png rename to windows/security/threat-protection/microsoft-defender-atp/images/mss.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permission.png b/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-add-permission.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permission.png rename to windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-add-permission.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permissions-end.png b/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-add-permissions-end.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permissions-end.png rename to windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-add-permissions-end.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-create.png b/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-create.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/nativeapp-create.png rename to windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-create.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-decoded-token.png b/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-decoded-token.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/nativeapp-decoded-token.png rename to windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-decoded-token.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-get-appid.png b/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-get-appid.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/nativeapp-get-appid.png rename to windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-get-appid.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-select-permissions.png b/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-select-permissions.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/nativeapp-select-permissions.png rename to windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-select-permissions.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/new-secure-score-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/new-secure-score-dashboard.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/new-secure-score-dashboard.png rename to windows/security/threat-protection/microsoft-defender-atp/images/new-secure-score-dashboard.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/new-ssot.png b/windows/security/threat-protection/microsoft-defender-atp/images/new-ssot.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/new-ssot.png rename to windows/security/threat-protection/microsoft-defender-atp/images/new-ssot.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/no-threats-found.png b/windows/security/threat-protection/microsoft-defender-atp/images/no-threats-found.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/no-threats-found.png rename to windows/security/threat-protection/microsoft-defender-atp/images/no-threats-found.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/no_threats_found.png b/windows/security/threat-protection/microsoft-defender-atp/images/no_threats_found.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/no_threats_found.png rename to windows/security/threat-protection/microsoft-defender-atp/images/no_threats_found.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/not-remediated-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/not-remediated-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/not-remediated-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/not-remediated-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/office-scc-label.png b/windows/security/threat-protection/microsoft-defender-atp/images/office-scc-label.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/office-scc-label.png rename to windows/security/threat-protection/microsoft-defender-atp/images/office-scc-label.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/overview.png b/windows/security/threat-protection/microsoft-defender-atp/images/overview.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/overview.png rename to windows/security/threat-protection/microsoft-defender-atp/images/overview.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/partially-investigated.png b/windows/security/threat-protection/microsoft-defender-atp/images/partially-investigated.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/partially-investigated.png rename to windows/security/threat-protection/microsoft-defender-atp/images/partially-investigated.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/partially_investigated.png b/windows/security/threat-protection/microsoft-defender-atp/images/partially_investigated.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/partially_investigated.png rename to windows/security/threat-protection/microsoft-defender-atp/images/partially_investigated.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/partially_remediated.png b/windows/security/threat-protection/microsoft-defender-atp/images/partially_remediated.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/partially_remediated.png rename to windows/security/threat-protection/microsoft-defender-atp/images/partially_remediated.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-advanced-query.png b/windows/security/threat-protection/microsoft-defender-atp/images/power-bi-create-advanced-query.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/power-bi-create-advanced-query.png rename to windows/security/threat-protection/microsoft-defender-atp/images/power-bi-create-advanced-query.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-blank-query.png b/windows/security/threat-protection/microsoft-defender-atp/images/power-bi-create-blank-query.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/power-bi-create-blank-query.png rename to windows/security/threat-protection/microsoft-defender-atp/images/power-bi-create-blank-query.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-credentials.png b/windows/security/threat-protection/microsoft-defender-atp/images/power-bi-edit-credentials.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-credentials.png rename to windows/security/threat-protection/microsoft-defender-atp/images/power-bi-edit-credentials.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-data-privacy.png b/windows/security/threat-protection/microsoft-defender-atp/images/power-bi-edit-data-privacy.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-data-privacy.png rename to windows/security/threat-protection/microsoft-defender-atp/images/power-bi-edit-data-privacy.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-open-advanced-editor.png b/windows/security/threat-protection/microsoft-defender-atp/images/power-bi-open-advanced-editor.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/power-bi-open-advanced-editor.png rename to windows/security/threat-protection/microsoft-defender-atp/images/power-bi-open-advanced-editor.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-query-results.png b/windows/security/threat-protection/microsoft-defender-atp/images/power-bi-query-results.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/power-bi-query-results.png rename to windows/security/threat-protection/microsoft-defender-atp/images/power-bi-query-results.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-anonymous.png b/windows/security/threat-protection/microsoft-defender-atp/images/power-bi-set-credentials-anonymous.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-anonymous.png rename to windows/security/threat-protection/microsoft-defender-atp/images/power-bi-set-credentials-anonymous.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational-cont.png b/windows/security/threat-protection/microsoft-defender-atp/images/power-bi-set-credentials-organizational-cont.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational-cont.png rename to windows/security/threat-protection/microsoft-defender-atp/images/power-bi-set-credentials-organizational-cont.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational.png b/windows/security/threat-protection/microsoft-defender-atp/images/power-bi-set-credentials-organizational.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational.png rename to windows/security/threat-protection/microsoft-defender-atp/images/power-bi-set-credentials-organizational.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-data-privacy.png b/windows/security/threat-protection/microsoft-defender-atp/images/power-bi-set-data-privacy.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/power-bi-set-data-privacy.png rename to windows/security/threat-protection/microsoft-defender-atp/images/power-bi-set-data-privacy.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/remediated-icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/remediated-icon.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/remediated-icon.png rename to windows/security/threat-protection/microsoft-defender-atp/images/remediated-icon.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/rules-legend.png b/windows/security/threat-protection/microsoft-defender-atp/images/rules-legend.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/rules-legend.png rename to windows/security/threat-protection/microsoft-defender-atp/images/rules-legend.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/run-as-admin.png b/windows/security/threat-protection/microsoft-defender-atp/images/run-as-admin.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/run-as-admin.png rename to windows/security/threat-protection/microsoft-defender-atp/images/run-as-admin.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/save-query.png b/windows/security/threat-protection/microsoft-defender-atp/images/save-query.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/save-query.png rename to windows/security/threat-protection/microsoft-defender-atp/images/save-query.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/sccm-deployment.png b/windows/security/threat-protection/microsoft-defender-atp/images/sccm-deployment.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/sccm-deployment.png rename to windows/security/threat-protection/microsoft-defender-atp/images/sccm-deployment.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/sec-ops-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/sec-ops-dashboard.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/sec-ops-dashboard.png rename to windows/security/threat-protection/microsoft-defender-atp/images/sec-ops-dashboard.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/securescore.png b/windows/security/threat-protection/microsoft-defender-atp/images/securescore.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/securescore.png rename to windows/security/threat-protection/microsoft-defender-atp/images/securescore.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/settings.png b/windows/security/threat-protection/microsoft-defender-atp/images/settings.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/settings.png rename to windows/security/threat-protection/microsoft-defender-atp/images/settings.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/setup-preferences.png b/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/setup-preferences.png rename to windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/setup-preferences2.png b/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences2.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/setup-preferences2.png rename to windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences2.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/siem_details.png b/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/siem_details.png rename to windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/ss1.png b/windows/security/threat-protection/microsoft-defender-atp/images/ss1.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/ss1.png rename to windows/security/threat-protection/microsoft-defender-atp/images/ss1.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/ssot.png b/windows/security/threat-protection/microsoft-defender-atp/images/ssot.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/ssot.png rename to windows/security/threat-protection/microsoft-defender-atp/images/ssot.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/status-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/status-tile.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/status-tile.png rename to windows/security/threat-protection/microsoft-defender-atp/images/status-tile.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/submit-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/submit-file.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/submit-file.png rename to windows/security/threat-protection/microsoft-defender-atp/images/submit-file.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/ta.png b/windows/security/threat-protection/microsoft-defender-atp/images/ta.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/ta.png rename to windows/security/threat-protection/microsoft-defender-atp/images/ta.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/terminated-by-system.png b/windows/security/threat-protection/microsoft-defender-atp/images/terminated-by-system.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/terminated-by-system.png rename to windows/security/threat-protection/microsoft-defender-atp/images/terminated-by-system.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/terminated_by_system.png b/windows/security/threat-protection/microsoft-defender-atp/images/terminated_by_system.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/terminated_by_system.png rename to windows/security/threat-protection/microsoft-defender-atp/images/terminated_by_system.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/threat-analytics-report.png b/windows/security/threat-protection/microsoft-defender-atp/images/threat-analytics-report.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/threat-analytics-report.png rename to windows/security/threat-protection/microsoft-defender-atp/images/threat-analytics-report.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/top-recommendations.png b/windows/security/threat-protection/microsoft-defender-atp/images/top-recommendations.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/top-recommendations.png rename to windows/security/threat-protection/microsoft-defender-atp/images/top-recommendations.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/wdatp-pillars.png b/windows/security/threat-protection/microsoft-defender-atp/images/wdatp-pillars.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/wdatp-pillars.png rename to windows/security/threat-protection/microsoft-defender-atp/images/wdatp-pillars.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/wdatp-pillars2.png b/windows/security/threat-protection/microsoft-defender-atp/images/wdatp-pillars2.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/wdatp-pillars2.png rename to windows/security/threat-protection/microsoft-defender-atp/images/wdatp-pillars2.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/wdsc.png b/windows/security/threat-protection/microsoft-defender-atp/images/wdsc.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/wdsc.png rename to windows/security/threat-protection/microsoft-defender-atp/images/wdsc.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-2.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-2.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-2.png rename to windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-2.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-end.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-end.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-end.png rename to windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-end.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-readalerts.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-readalerts.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-readalerts.png rename to windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-readalerts.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission.png rename to windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-app-id1.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-app-id1.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/webapp-app-id1.png rename to windows/security/threat-protection/microsoft-defender-atp/images/webapp-app-id1.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-create-key.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create-key.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/webapp-create-key.png rename to windows/security/threat-protection/microsoft-defender-atp/images/webapp-create-key.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-create.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/webapp-create.png rename to windows/security/threat-protection/microsoft-defender-atp/images/webapp-create.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-decoded-token.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-decoded-token.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/webapp-decoded-token.png rename to windows/security/threat-protection/microsoft-defender-atp/images/webapp-decoded-token.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-multitenant.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-edit-multitenant.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/webapp-edit-multitenant.png rename to windows/security/threat-protection/microsoft-defender-atp/images/webapp-edit-multitenant.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-settings.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-edit-settings.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/webapp-edit-settings.png rename to windows/security/threat-protection/microsoft-defender-atp/images/webapp-edit-settings.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-get-appid.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-get-appid.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/webapp-get-appid.png rename to windows/security/threat-protection/microsoft-defender-atp/images/webapp-get-appid.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-grant-permissions.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-grant-permissions.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/webapp-grant-permissions.png rename to windows/security/threat-protection/microsoft-defender-atp/images/webapp-grant-permissions.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-select-permission.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-select-permission.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/webapp-select-permission.png rename to windows/security/threat-protection/microsoft-defender-atp/images/webapp-select-permission.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-validate-token.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-validate-token.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/webapp-validate-token.png rename to windows/security/threat-protection/microsoft-defender-atp/images/webapp-validate-token.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/welcome1.png b/windows/security/threat-protection/microsoft-defender-atp/images/welcome1.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/welcome1.png rename to windows/security/threat-protection/microsoft-defender-atp/images/welcome1.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/win10-endpoint-users.png b/windows/security/threat-protection/microsoft-defender-atp/images/win10-endpoint-users.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/win10-endpoint-users.png rename to windows/security/threat-protection/microsoft-defender-atp/images/win10-endpoint-users.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/windefatp-sc-qc-diagtrack.png b/windows/security/threat-protection/microsoft-defender-atp/images/windefatp-sc-qc-diagtrack.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/windefatp-sc-qc-diagtrack.png rename to windows/security/threat-protection/microsoft-defender-atp/images/windefatp-sc-qc-diagtrack.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/windefatp-sc-query-diagtrack.png b/windows/security/threat-protection/microsoft-defender-atp/images/windefatp-sc-query-diagtrack.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/windefatp-sc-query-diagtrack.png rename to windows/security/threat-protection/microsoft-defender-atp/images/windefatp-sc-query-diagtrack.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/windefatp-sc-query.png b/windows/security/threat-protection/microsoft-defender-atp/images/windefatp-sc-query.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/windefatp-sc-query.png rename to windows/security/threat-protection/microsoft-defender-atp/images/windefatp-sc-query.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/windefatp-utc-console-autostart.png b/windows/security/threat-protection/microsoft-defender-atp/images/windefatp-utc-console-autostart.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/windefatp-utc-console-autostart.png rename to windows/security/threat-protection/microsoft-defender-atp/images/windefatp-utc-console-autostart.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/windows-defender-system-guard-boot-time-integrity.png b/windows/security/threat-protection/microsoft-defender-atp/images/windows-defender-system-guard-boot-time-integrity.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/windows-defender-system-guard-boot-time-integrity.png rename to windows/security/threat-protection/microsoft-defender-atp/images/windows-defender-system-guard-boot-time-integrity.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/windows-defender-system-guard-validate-system-integrity.png b/windows/security/threat-protection/microsoft-defender-atp/images/windows-defender-system-guard-validate-system-integrity.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/windows-defender-system-guard-validate-system-integrity.png rename to windows/security/threat-protection/microsoft-defender-atp/images/windows-defender-system-guard-validate-system-integrity.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/windows-defender-system-guard.png b/windows/security/threat-protection/microsoft-defender-atp/images/windows-defender-system-guard.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/windows-defender-system-guard.png rename to windows/security/threat-protection/microsoft-defender-atp/images/windows-defender-system-guard.png diff --git a/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md b/windows/security/threat-protection/microsoft-defender-atp/improverequestperformance-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md rename to windows/security/threat-protection/microsoft-defender-atp/improverequestperformance-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/incidents-queue.md b/windows/security/threat-protection/microsoft-defender-atp/incidents-queue.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/incidents-queue.md rename to windows/security/threat-protection/microsoft-defender-atp/incidents-queue.md diff --git a/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-config.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-config.md rename to windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md diff --git a/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview.md rename to windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md diff --git a/windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/licensing-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/licensing-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/machine-reports-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/machine-reports-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/machine-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/machine-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md b/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/machineactionsnote.md rename to windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md diff --git a/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/manage-edr.md b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/manage-edr.md rename to windows/security/threat-protection/microsoft-defender-atp/manage-edr.md diff --git a/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/management-apis.md b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/management-apis.md rename to windows/security/threat-protection/microsoft-defender-atp/management-apis.md diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md rename to windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md rename to windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts.md rename to windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md diff --git a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/onboard.md b/windows/security/threat-protection/microsoft-defender-atp/onboard.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/onboard.md rename to windows/security/threat-protection/microsoft-defender-atp/onboard.md diff --git a/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md rename to windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md diff --git a/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md rename to windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md diff --git a/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md rename to windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md diff --git a/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md b/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md rename to windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md diff --git a/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/overview.md b/windows/security/threat-protection/microsoft-defender-atp/overview.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/overview.md rename to windows/security/threat-protection/microsoft-defender-atp/overview.md diff --git a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/prerelease.md b/windows/security/threat-protection/microsoft-defender-atp/prerelease.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/prerelease.md rename to windows/security/threat-protection/microsoft-defender-atp/prerelease.md diff --git a/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/preview-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/preview-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/rbac-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/rbac-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/response-actions-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/response-actions-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md rename to windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md rename to windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md rename to windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-user-token.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md rename to windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-user-token.md diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md rename to windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md rename to windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md diff --git a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/service-status-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/service-status-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/threat-analytics.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/threat-analytics.md rename to windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md diff --git a/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md rename to windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md diff --git a/windows/security/threat-protection/windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/time-settings-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/time-settings-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md similarity index 98% rename from windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index 38a88cfe19..0f2789ceb5 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md @@ -1,312 +1,312 @@ ---- -title: Troubleshoot Windows Defender ATP onboarding issues -description: Troubleshoot issues that might arise during the onboarding of machines or to the Windows Defender ATP service. -keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, sensor data and diagnostics -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: troubleshooting ---- - -# Troubleshoot Windows Defender Advanced Threat Protection onboarding issues - -**Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- Windows Server 2012 R2 -- Windows Server 2016 - - - -You might need to troubleshoot the Windows Defender ATP onboarding process if you encounter issues. -This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the machines. - -If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, it might indicate an onboarding or connectivity problem. - -## Troubleshoot onboarding when deploying with Group Policy -Deployment with Group Policy is done by running the onboarding script on the machines. The Group Policy console does not indicate if the deployment has succeeded or not. - -If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, you can check the output of the script on the machines. For more information, see [Troubleshoot onboarding when deploying with a script](#troubleshoot-onboarding-when-deploying-with-a-script). - -If the script completes successfully, see [Troubleshoot onboarding issues on the machines](#troubleshoot-onboarding-issues-on-the-machine) for additional errors that might occur. - -## Troubleshoot onboarding issues when deploying with System Center Configuration Manager -When onboarding machines using the following versions of System Center Configuration Manager: -- System Center 2012 Configuration Manager -- System Center 2012 R2 Configuration Manager -- System Center Configuration Manager (current branch) version 1511 -- System Center Configuration Manager (current branch) version 1602 - - -Deployment with the above-mentioned versions of System Center Configuration Manager is done by running the onboarding script on the machines. You can track the deployment in the Configuration Manager Console. - -If the deployment fails, you can check the output of the script on the machines. - -If the onboarding completed successfully but the machines are not showing up in the **Machines list** after an hour, see [Troubleshoot onboarding issues on the machine](#troubleshoot-onboarding-issues-on-the-machine) for additional errors that might occur. - -## Troubleshoot onboarding when deploying with a script - -**Check the result of the script on the machine**: -1. Click **Start**, type **Event Viewer**, and press **Enter**. - -2. Go to **Windows Logs** > **Application**. - -3. Look for an event from **WDATPOnboarding** event source. - -If the script fails and the event is an error, you can check the event ID in the following table to help you troubleshoot the issue. -> [!NOTE] -> The following event IDs are specific to the onboarding script only. - -Event ID | Error Type | Resolution steps -:---|:---|:--- -5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```. -10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```.
Verify that the script was ran as an administrator. -15 | Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).

If the machine is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the machine. If rebooting the machine doesn't address the issue, upgrade to KB4015217 and try onboarding again. -15 | Failed to start SENSE service | If the message of the error is: System error 577 has occurred. You need to enable the Windows Defender Antivirus ELAM driver, see [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy) for instructions. -30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). -35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location
```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```.
The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). -40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). -65 | Insufficient privileges| Run the script again with administrator privileges. - -## Troubleshoot onboarding issues using Microsoft Intune -You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue. - -If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment. - -Use the following tables to understand the possible causes of issues while onboarding: - -- Microsoft Intune error codes and OMA-URIs table -- Known issues with non-compliance table -- Mobile Device Management (MDM) event logs table - -If none of the event logs and troubleshooting steps work, download the Local script from the **Machine management** section of the portal, and run it in an elevated command prompt. - -**Microsoft Intune error codes and OMA-URIs**: - - -Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps -:---|:---|:---|:---|:--- -0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding
Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.

**Troubleshooting steps:**
Check the event IDs in the [View agent onboarding errors in the machine event log](#view-agent-onboarding-errors-in-the-machine-event-log) section.

Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx). - | | | | Onboarding
Offboarding
SampleSharing | **Possible cause:** Windows Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it.

**Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```

If it doesn't exist, open an elevated command and add the key. - | | | | SenseIsRunning
OnboardingState
OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.

**Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot onboarding issues on the machine](#troubleshoot-onboarding-issues-on-the-machine).

Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx). - || | | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.

Currently is supported platforms: Enterprise, Education, and Professional.
Server is not supported. - 0x87D101A9 | -2016345687 |Syncml(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.

Currently is supported platforms: Enterprise, Education, and Professional. - -
-**Known issues with non-compliance** - -The following table provides information on issues with non-compliance and how you can address the issues. - -Case | Symptoms | Possible cause and troubleshooting steps -:---|:---|:--- -1 | Machine is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs. | **Possible cause:** Check that user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is running already.

**Troubleshooting steps:** Wait for OOBE to complete. -2 | Machine is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. | **Possible cause:** Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the machine as non-compliant by SenseIsRunning when DM session occurs on system start.

**Troubleshooting steps:** The issue should automatically be fixed within 24 hours. -3 | Machine is non-compliant | **Troubleshooting steps:** Ensure that Onboarding and Offboarding policies are not deployed on the same machine at same time. - -
-**Mobile Device Management (MDM) event logs** - -View the MDM event logs to troubleshoot issues that might arise during onboarding: - -Log name: Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider - -Channel name: Admin - -ID | Severity | Event description | Troubleshooting steps -:---|:---|:---|:--- -1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760). - -## Troubleshoot onboarding issues on the machine -If the deployment tools used does not indicate an error in the onboarding process, but machines are still not appearing in the machines list in an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent: -- [View agent onboarding errors in the machine event log](#view-agent-onboarding-errors-in-the-machine-event-log) -- [Ensure the diagnostic data service is enabled](#ensure-the-diagnostics-service-is-enabled) -- [Ensure the service is set to start](#ensure-the-service-is-set-to-start) -- [Ensure the machine has an Internet connection](#ensure-the-machine-has-an-internet-connection) -- [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy) - - -### View agent onboarding errors in the machine event log - -1. Click **Start**, type **Event Viewer**, and press **Enter**. - -2. In the **Event Viewer (Local)** pane, expand **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE**. - - > [!NOTE] - > SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP. - -3. Select **Operational** to load the log. - -4. In the **Action** pane, click **Filter Current log**. - -5. On the **Filter** tab, under **Event level:** select **Critical**, **Warning**, and **Error**, and click **OK**. - - ![Image of Event Viewer log filter](images/filter-log.png) - -6. Events which can indicate issues will appear in the **Operational** pane. You can attempt to troubleshoot them based on the solutions in the following table: - -Event ID | Message | Resolution steps -:---|:---|:--- -5 | Windows Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection). -6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md). -7 | Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection), then run the entire onboarding process again. -9 | Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md).

If the event happened during offboarding, contact support. -10 | Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md).

If the problem persists, contact support. -15 | Windows Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection). -17 | Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md). If the problem persists, contact support. -25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support. -27 | Failed to enable Windows Defender Advanced Threat Protection mode in Windows Defender. Onboarding process failed. Failure code: variable | Contact support. -29 | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the machine has Internet access, then run the entire offboarding process again. -30 | Failed to disable $(build.sense.productDisplayName) mode in Windows Defender Advanced Threat Protection. Failure code: %1 | Contact support. -32 | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the machine. -55 | Failed to create the Secure ETW autologger. Failure code: %1 | Reboot the machine. -63 | Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4 | Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type. -64 | Starting stopped external service. Name: %1, exit code: %2 | Contact support if the event keeps re-appearing. -68 | The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3 | Identify what is causing changes in start type. Fix mentioned service start type. -69 | The service is stopped. Service name: %1 | Start the mentioned service. Contact support if persists. - -
-There are additional components on the machine that the Windows Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Windows Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly. - - -### Ensure the diagnostic data service is enabled -If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the machine. The service might have been disabled by other programs or user configuration changes. - -First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't). - -### Ensure the service is set to start - -**Use the command line to check the Windows 10 diagnostic data service startup type**: - -1. Open an elevated command-line prompt on the machine: - - a. Click **Start**, type **cmd**, and press **Enter**. - - b. Right-click **Command prompt** and select **Run as administrator**. - -2. Enter the following command, and press **Enter**: - - ```text - sc qc diagtrack - ``` - - If the service is enabled, then the result should look like the following screenshot: - - ![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png) - - If the `START_TYPE` is not set to `AUTO_START`, then you'll need to set the service to automatically start. - - -**Use the command line to set the Windows 10 diagnostic data service to automatically start:** - -1. Open an elevated command-line prompt on the machine: - - a. Click **Start**, type **cmd**, and press **Enter**. - - b. Right-click **Command prompt** and select **Run as administrator**. - -2. Enter the following command, and press **Enter**: - - ```text - sc config diagtrack start=auto - ``` - -3. A success message is displayed. Verify the change by entering the following command, and press **Enter**: - - ```text - sc qc diagtrack - ``` - -4. Start the service. - - a. In the command prompt, type the following command and press **Enter**: - - ```text - sc start diagtrack - ``` - -### Ensure the machine has an Internet connection - -The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service. - -WinHTTP is independent of the Internet browsing proxy settings and other user context applications and must be able to detect the proxy servers that are available in your particular environment. - -To ensure that sensor has service connectivity, follow the steps described in the [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls) topic. - -If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic. - -### Ensure that Windows Defender Antivirus is not disabled by a policy -**Problem**: The Windows Defender ATP service does not start after onboarding. - -**Symptom**: Onboarding successfully completes, but you see error 577 when trying to start the service. - -**Solution**: If your machines are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy. - -- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are cleared: - - - DisableAntiSpyware - - DisableAntiVirus - - For example, in Group Policy there should be no entries such as the following values: - - - `````` - - `````` -- After clearing the policy, run the onboarding steps again. - -- You can also check the following registry key values to verify that the policy is disabled: - - 1. Open the registry ```key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender```. - 2. Ensure that the value ```DisableAntiSpyware``` is not present. - - ![Image of registry key for Windows Defender Antivirus](images/atp-disableantispyware-regkey.png) - - -## Troubleshoot onboarding issues on a server -If you encounter issues while onboarding a server, go through the following verification steps to address possible issues. - -- [Ensure Microsoft Monitoring Agent (MMA) is installed and configured to report sensor data to the service](configure-server-endpoints-windows-defender-advanced-threat-protection.md#server-mma) -- [Ensure that the server proxy and Internet connectivity settings are configured properly](configure-server-endpoints-windows-defender-advanced-threat-protection.md#server-proxy) - -You might also need to check the following: -- Check that there is a Windows Defender Advanced Threat Protection Service running in the **Processes** tab in **Task Manager**. For example: - - ![Image of process view with Windows Defender Advanced Threat Protection Service running](images/atp-task-manager.png) - -- Check **Event Viewer** > **Applications and Services Logs** > **Operation Manager** to see if there are any errors. - -- In **Services**, check if the **Microsoft Monitoring Agent** is running on the server. For example, - - ![Image of Services](images/atp-services.png) - -- In **Microsoft Monitoring Agent** > **Azure Log Analytics (OMS)**, check the Workspaces and verify that the status is running. - - ![Image of Microsoft Monitoring Agent Properties](images/atp-mma-properties.png) - -- Check to see that machines are reflected in the **Machines list** in the portal. - - -## Licensing requirements -Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: - - - Windows 10 Enterprise E5 - - Windows 10 Education E5 - - Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5 - -For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2). - - ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootonboarding-belowfoldlink) - - -## Related topics -- [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md) -- [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) -- [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) - +--- +title: Troubleshoot Windows Defender ATP onboarding issues +description: Troubleshoot issues that might arise during the onboarding of machines or to the Windows Defender ATP service. +keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, sensor data and diagnostics +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: troubleshooting +--- + +# Troubleshoot Windows Defender Advanced Threat Protection onboarding issues + +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Windows Server 2012 R2 +- Windows Server 2016 + + + +You might need to troubleshoot the Windows Defender ATP onboarding process if you encounter issues. +This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the machines. + +If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, it might indicate an onboarding or connectivity problem. + +## Troubleshoot onboarding when deploying with Group Policy +Deployment with Group Policy is done by running the onboarding script on the machines. The Group Policy console does not indicate if the deployment has succeeded or not. + +If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, you can check the output of the script on the machines. For more information, see [Troubleshoot onboarding when deploying with a script](#troubleshoot-onboarding-when-deploying-with-a-script). + +If the script completes successfully, see [Troubleshoot onboarding issues on the machines](#troubleshoot-onboarding-issues-on-the-machine) for additional errors that might occur. + +## Troubleshoot onboarding issues when deploying with System Center Configuration Manager +When onboarding machines using the following versions of System Center Configuration Manager: +- System Center 2012 Configuration Manager +- System Center 2012 R2 Configuration Manager +- System Center Configuration Manager (current branch) version 1511 +- System Center Configuration Manager (current branch) version 1602 + + +Deployment with the above-mentioned versions of System Center Configuration Manager is done by running the onboarding script on the machines. You can track the deployment in the Configuration Manager Console. + +If the deployment fails, you can check the output of the script on the machines. + +If the onboarding completed successfully but the machines are not showing up in the **Machines list** after an hour, see [Troubleshoot onboarding issues on the machine](#troubleshoot-onboarding-issues-on-the-machine) for additional errors that might occur. + +## Troubleshoot onboarding when deploying with a script + +**Check the result of the script on the machine**: +1. Click **Start**, type **Event Viewer**, and press **Enter**. + +2. Go to **Windows Logs** > **Application**. + +3. Look for an event from **WDATPOnboarding** event source. + +If the script fails and the event is an error, you can check the event ID in the following table to help you troubleshoot the issue. +> [!NOTE] +> The following event IDs are specific to the onboarding script only. + +Event ID | Error Type | Resolution steps +:---|:---|:--- +5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```. +10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```.
Verify that the script was ran as an administrator. +15 | Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).

If the machine is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the machine. If rebooting the machine doesn't address the issue, upgrade to KB4015217 and try onboarding again. +15 | Failed to start SENSE service | If the message of the error is: System error 577 has occurred. You need to enable the Windows Defender Antivirus ELAM driver, see [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy) for instructions. +30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). +35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location
```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```.
The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). +40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). +65 | Insufficient privileges| Run the script again with administrator privileges. + +## Troubleshoot onboarding issues using Microsoft Intune +You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue. + +If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment. + +Use the following tables to understand the possible causes of issues while onboarding: + +- Microsoft Intune error codes and OMA-URIs table +- Known issues with non-compliance table +- Mobile Device Management (MDM) event logs table + +If none of the event logs and troubleshooting steps work, download the Local script from the **Machine management** section of the portal, and run it in an elevated command prompt. + +**Microsoft Intune error codes and OMA-URIs**: + + +Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps +:---|:---|:---|:---|:--- +0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding
Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.

**Troubleshooting steps:**
Check the event IDs in the [View agent onboarding errors in the machine event log](#view-agent-onboarding-errors-in-the-machine-event-log) section.

Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx). + | | | | Onboarding
Offboarding
SampleSharing | **Possible cause:** Windows Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it.

**Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```

If it doesn't exist, open an elevated command and add the key. + | | | | SenseIsRunning
OnboardingState
OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.

**Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot onboarding issues on the machine](#troubleshoot-onboarding-issues-on-the-machine).

Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx). + || | | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.

Currently is supported platforms: Enterprise, Education, and Professional.
Server is not supported. + 0x87D101A9 | -2016345687 |Syncml(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.

Currently is supported platforms: Enterprise, Education, and Professional. + +
+**Known issues with non-compliance** + +The following table provides information on issues with non-compliance and how you can address the issues. + +Case | Symptoms | Possible cause and troubleshooting steps +:---|:---|:--- +1 | Machine is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs. | **Possible cause:** Check that user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is running already.

**Troubleshooting steps:** Wait for OOBE to complete. +2 | Machine is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. | **Possible cause:** Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the machine as non-compliant by SenseIsRunning when DM session occurs on system start.

**Troubleshooting steps:** The issue should automatically be fixed within 24 hours. +3 | Machine is non-compliant | **Troubleshooting steps:** Ensure that Onboarding and Offboarding policies are not deployed on the same machine at same time. + +
+**Mobile Device Management (MDM) event logs** + +View the MDM event logs to troubleshoot issues that might arise during onboarding: + +Log name: Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider + +Channel name: Admin + +ID | Severity | Event description | Troubleshooting steps +:---|:---|:---|:--- +1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760). + +## Troubleshoot onboarding issues on the machine +If the deployment tools used does not indicate an error in the onboarding process, but machines are still not appearing in the machines list in an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent: +- [View agent onboarding errors in the machine event log](#view-agent-onboarding-errors-in-the-machine-event-log) +- [Ensure the diagnostic data service is enabled](#ensure-the-diagnostics-service-is-enabled) +- [Ensure the service is set to start](#ensure-the-service-is-set-to-start) +- [Ensure the machine has an Internet connection](#ensure-the-machine-has-an-internet-connection) +- [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy) + + +### View agent onboarding errors in the machine event log + +1. Click **Start**, type **Event Viewer**, and press **Enter**. + +2. In the **Event Viewer (Local)** pane, expand **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE**. + + > [!NOTE] + > SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP. + +3. Select **Operational** to load the log. + +4. In the **Action** pane, click **Filter Current log**. + +5. On the **Filter** tab, under **Event level:** select **Critical**, **Warning**, and **Error**, and click **OK**. + + ![Image of Event Viewer log filter](images/filter-log.png) + +6. Events which can indicate issues will appear in the **Operational** pane. You can attempt to troubleshoot them based on the solutions in the following table: + +Event ID | Message | Resolution steps +:---|:---|:--- +5 | Windows Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection). +6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md). +7 | Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection), then run the entire onboarding process again. +9 | Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md).

If the event happened during offboarding, contact support. +10 | Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md).

If the problem persists, contact support. +15 | Windows Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection). +17 | Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md). If the problem persists, contact support. +25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support. +27 | Failed to enable Windows Defender Advanced Threat Protection mode in Windows Defender. Onboarding process failed. Failure code: variable | Contact support. +29 | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the machine has Internet access, then run the entire offboarding process again. +30 | Failed to disable $(build.sense.productDisplayName) mode in Windows Defender Advanced Threat Protection. Failure code: %1 | Contact support. +32 | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the machine. +55 | Failed to create the Secure ETW autologger. Failure code: %1 | Reboot the machine. +63 | Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4 | Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type. +64 | Starting stopped external service. Name: %1, exit code: %2 | Contact support if the event keeps re-appearing. +68 | The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3 | Identify what is causing changes in start type. Fix mentioned service start type. +69 | The service is stopped. Service name: %1 | Start the mentioned service. Contact support if persists. + +
+There are additional components on the machine that the Windows Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Windows Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly. + + +### Ensure the diagnostic data service is enabled +If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the machine. The service might have been disabled by other programs or user configuration changes. + +First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't). + +### Ensure the service is set to start + +**Use the command line to check the Windows 10 diagnostic data service startup type**: + +1. Open an elevated command-line prompt on the machine: + + a. Click **Start**, type **cmd**, and press **Enter**. + + b. Right-click **Command prompt** and select **Run as administrator**. + +2. Enter the following command, and press **Enter**: + + ```text + sc qc diagtrack + ``` + + If the service is enabled, then the result should look like the following screenshot: + + ![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png) + + If the `START_TYPE` is not set to `AUTO_START`, then you'll need to set the service to automatically start. + + +**Use the command line to set the Windows 10 diagnostic data service to automatically start:** + +1. Open an elevated command-line prompt on the machine: + + a. Click **Start**, type **cmd**, and press **Enter**. + + b. Right-click **Command prompt** and select **Run as administrator**. + +2. Enter the following command, and press **Enter**: + + ```text + sc config diagtrack start=auto + ``` + +3. A success message is displayed. Verify the change by entering the following command, and press **Enter**: + + ```text + sc qc diagtrack + ``` + +4. Start the service. + + a. In the command prompt, type the following command and press **Enter**: + + ```text + sc start diagtrack + ``` + +### Ensure the machine has an Internet connection + +The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service. + +WinHTTP is independent of the Internet browsing proxy settings and other user context applications and must be able to detect the proxy servers that are available in your particular environment. + +To ensure that sensor has service connectivity, follow the steps described in the [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls) topic. + +If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic. + +### Ensure that Windows Defender Antivirus is not disabled by a policy +**Problem**: The Windows Defender ATP service does not start after onboarding. + +**Symptom**: Onboarding successfully completes, but you see error 577 when trying to start the service. + +**Solution**: If your machines are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy. + +- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are cleared: + + - DisableAntiSpyware + - DisableAntiVirus + + For example, in Group Policy there should be no entries such as the following values: + + - `````` + - `````` +- After clearing the policy, run the onboarding steps again. + +- You can also check the following registry key values to verify that the policy is disabled: + + 1. Open the registry ```key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender```. + 2. Ensure that the value ```DisableAntiSpyware``` is not present. + + ![Image of registry key for Windows Defender Antivirus](images/atp-disableantispyware-regkey.png) + + +## Troubleshoot onboarding issues on a server +If you encounter issues while onboarding a server, go through the following verification steps to address possible issues. + +- [Ensure Microsoft Monitoring Agent (MMA) is installed and configured to report sensor data to the service](configure-server-endpoints-windows-defender-advanced-threat-protection.md#server-mma) +- [Ensure that the server proxy and Internet connectivity settings are configured properly](configure-server-endpoints-windows-defender-advanced-threat-protection.md#server-proxy) + +You might also need to check the following: +- Check that there is a Windows Defender Advanced Threat Protection Service running in the **Processes** tab in **Task Manager**. For example: + + ![Image of process view with Windows Defender Advanced Threat Protection Service running](images/atp-task-manager.png) + +- Check **Event Viewer** > **Applications and Services Logs** > **Operation Manager** to see if there are any errors. + +- In **Services**, check if the **Microsoft Monitoring Agent** is running on the server. For example, + + ![Image of Services](images/atp-services.png) + +- In **Microsoft Monitoring Agent** > **Azure Log Analytics (OMS)**, check the Workspaces and verify that the status is running. + + ![Image of Microsoft Monitoring Agent Properties](images/atp-mma-properties.png) + +- Check to see that machines are reflected in the **Machines list** in the portal. + + +## Licensing requirements +Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: + + - Windows 10 Enterprise E5 + - Windows 10 Education E5 + - Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5 + +For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2). + + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootonboarding-belowfoldlink) + + +## Related topics +- [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md) +- [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) +- [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) + diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-wdatp.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md rename to windows/security/threat-protection/microsoft-defender-atp/troubleshoot-wdatp.md diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/use-apis.md b/windows/security/threat-protection/microsoft-defender-atp/use-apis.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/use-apis.md rename to windows/security/threat-protection/microsoft-defender-atp/use-apis.md diff --git a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/use-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/use-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles-windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/user-roles-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/user-windows-defender-advanced-threat-protection-new.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/user-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md rename to windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md diff --git a/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-windows-defender-atp.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md rename to windows/security/threat-protection/microsoft-defender-atp/whats-new-in-windows-defender-atp.md diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/windows-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md b/windows/security/threat-protection/microsoft-defender-atp/windows-defender-security-center-atp.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md rename to windows/security/threat-protection/microsoft-defender-atp/windows-defender-security-center-atp.md From 16f21c04d15ecb6ac56b1af4caf6cd7ab0984a1a Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 13:51:55 -0700 Subject: [PATCH 112/492] in tp toc - change wdatp/ to mdatp --- windows/security/threat-protection/TOC.md | 426 +++++++++++----------- 1 file changed, 213 insertions(+), 213 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index caec919411..16acd664ab 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -1,10 +1,10 @@ # [Threat protection](index.md) -## [Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md) +## [Windows Defender Advanced Threat Protection](microsoft-defender-atp/windows-defender-advanced-threat-protection.md) -### [Overview](windows-defender-atp/overview.md) -#### [Attack surface reduction](windows-defender-atp/overview-attack-surface-reduction.md) -##### [Hardware-based isolation](windows-defender-atp/overview-hardware-based-isolation.md) +### [Overview](microsoft-defender-atp/overview.md) +#### [Attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md) +##### [Hardware-based isolation](microsoft-defender-atp/overview-hardware-based-isolation.md) ###### [Application isolation](windows-defender-application-guard/wd-app-guard-overview.md) ####### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md) ###### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) @@ -15,104 +15,104 @@ ##### [Attack surface reduction](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) ##### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md) #### [Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) -#### [Endpoint detection and response](windows-defender-atp/overview-endpoint-detection-response.md) -##### [Security operations dashboard](windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md) +#### [Endpoint detection and response](microsoft-defender-atp/overview-endpoint-detection-response.md) +##### [Security operations dashboard](microsoft-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md) -##### [Incidents queue](windows-defender-atp/incidents-queue.md) -###### [View and organize the Incidents queue](windows-defender-atp/view-incidents-queue.md) -###### [Manage incidents](windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md) -###### [Investigate incidents](windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md) +##### [Incidents queue](microsoft-defender-atp/incidents-queue.md) +###### [View and organize the Incidents queue](microsoft-defender-atp/view-incidents-queue.md) +###### [Manage incidents](microsoft-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md) +###### [Investigate incidents](microsoft-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md) ##### Alerts queue -###### [View and organize the Alerts queue](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) -###### [Manage alerts](windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md) -###### [Investigate alerts](windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md) -###### [Investigate files](windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md) -###### [Investigate machines](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md) -###### [Investigate an IP address](windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md) -###### [Investigate a domain](windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md) -###### [Investigate a user account](windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md) +###### [View and organize the Alerts queue](microsoft-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) +###### [Manage alerts](microsoft-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md) +###### [Investigate alerts](microsoft-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md) +###### [Investigate files](microsoft-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md) +###### [Investigate machines](microsoft-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md) +###### [Investigate an IP address](microsoft-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md) +###### [Investigate a domain](microsoft-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md) +###### [Investigate a user account](microsoft-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md) ##### Machines list -###### [View and organize the Machines list](windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md) -###### [Manage machine group and tags](windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md) -###### [Alerts related to this machine](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine) -###### [Machine timeline](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline) -####### [Search for specific events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events) -####### [Filter events from a specific date](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date) -####### [Export machine timeline events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events) -####### [Navigate between pages](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages) +###### [View and organize the Machines list](microsoft-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md) +###### [Manage machine group and tags](microsoft-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md) +###### [Alerts related to this machine](microsoft-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine) +###### [Machine timeline](microsoft-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline) +####### [Search for specific events](microsoft-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events) +####### [Filter events from a specific date](microsoft-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date) +####### [Export machine timeline events](microsoft-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events) +####### [Navigate between pages](microsoft-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages) -##### [Take response actions](windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md) -###### [Take response actions on a machine](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md) -####### [Collect investigation package](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines) -####### [Run antivirus scan](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines) -####### [Restrict app execution](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution) -####### [Remove app restriction](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction) -####### [Isolate machines from the network](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) -####### [Release machine from isolation](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation) -####### [Check activity details in Action center](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) +##### [Take response actions](microsoft-defender-atp/response-actions-windows-defender-advanced-threat-protection.md) +###### [Take response actions on a machine](microsoft-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md) +####### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines) +####### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines) +####### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution) +####### [Remove app restriction](microsoft-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction) +####### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) +####### [Release machine from isolation](microsoft-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation) +####### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) -###### [Take response actions on a file](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md) -####### [Stop and quarantine files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network) -####### [Remove file from quarantine](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine) -####### [Block files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network) -####### [Remove file from blocked list](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list) -####### [Check activity details in Action center](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) -####### [Deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis) -####### [Submit files for analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis) -####### [View deep analysis reports](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports) -####### [Troubleshoot deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis) +###### [Take response actions on a file](microsoft-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md) +####### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network) +####### [Remove file from quarantine](microsoft-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine) +####### [Block files in your network](microsoft-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network) +####### [Remove file from blocked list](microsoft-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list) +####### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) +####### [Deep analysis](microsoft-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis) +####### [Submit files for analysis](microsoft-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis) +####### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports) +####### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis) -#### [Automated investigation and remediation](windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md) -##### [Learn about the automated investigation and remediation dashboard](windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md) +#### [Automated investigation and remediation](microsoft-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md) +##### [Learn about the automated investigation and remediation dashboard](microsoft-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md) -#### [Secure score](windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md) -#### [Threat analytics](windows-defender-atp/threat-analytics.md) +#### [Secure score](microsoft-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md) +#### [Threat analytics](microsoft-defender-atp/threat-analytics.md) -#### [Advanced hunting](windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md) -##### [Query data using Advanced hunting](windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md) -###### [Advanced hunting reference](windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md) -###### [Advanced hunting query language best practices](windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) -##### [Custom detections](windows-defender-atp/overview-custom-detections.md) -###### [Create custom detections rules](windows-defender-atp/custom-detection-rules.md) +#### [Advanced hunting](microsoft-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md) +##### [Query data using Advanced hunting](microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md) +###### [Advanced hunting reference](microsoft-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md) +###### [Advanced hunting query language best practices](microsoft-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) +##### [Custom detections](microsoft-defender-atp/overview-custom-detections.md) +###### [Create custom detections rules](microsoft-defender-atp/custom-detection-rules.md) -#### [Management and APIs](windows-defender-atp/management-apis.md) -##### [Understand threat intelligence concepts](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -##### [Windows Defender ATP APIs](windows-defender-atp/apis-intro.md) -##### [Managed security service provider support](windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md) +#### [Management and APIs](microsoft-defender-atp/management-apis.md) +##### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md) +##### [Windows Defender ATP APIs](microsoft-defender-atp/apis-intro.md) +##### [Managed security service provider support](microsoft-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md) -#### [Microsoft threat protection](windows-defender-atp/threat-protection-integration.md) -##### [Protect users, data, and devices with conditional access](windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md) -##### [Microsoft Cloud App Security integration overview](windows-defender-atp/microsoft-cloud-app-security-integration.md) -##### [Information protection in Windows overview](windows-defender-atp/information-protection-in-windows-overview.md) +#### [Microsoft threat protection](microsoft-defender-atp/threat-protection-integration.md) +##### [Protect users, data, and devices with conditional access](microsoft-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md) +##### [Microsoft Cloud App Security integration overview](microsoft-defender-atp/microsoft-cloud-app-security-integration.md) +##### [Information protection in Windows overview](microsoft-defender-atp/information-protection-in-windows-overview.md) -#### [Microsoft Threat Experts](windows-defender-atp/microsoft-threat-experts.md) +#### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md) -#### [Portal overview](windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md) +#### [Portal overview](microsoft-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md) -### [Get started](windows-defender-atp/get-started.md) -#### [What's new in Windows Defender ATP](windows-defender-atp/whats-new-in-windows-defender-atp.md) -#### [Minimum requirements](windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md) -#### [Validate licensing and complete setup](windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md) -#### [Preview features](windows-defender-atp/preview-windows-defender-advanced-threat-protection.md) -#### [Data storage and privacy](windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md) -#### [Assign user access to the portal](windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md) +### [Get started](microsoft-defender-atp/get-started.md) +#### [What's new in Windows Defender ATP](microsoft-defender-atp/whats-new-in-windows-defender-atp.md) +#### [Minimum requirements](microsoft-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md) +#### [Validate licensing and complete setup](microsoft-defender-atp/licensing-windows-defender-advanced-threat-protection.md) +#### [Preview features](microsoft-defender-atp/preview-windows-defender-advanced-threat-protection.md) +#### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md) +#### [Assign user access to the portal](microsoft-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md) -#### [Evaluate Windows Defender ATP](windows-defender-atp/evaluate-atp.md) +#### [Evaluate Windows Defender ATP](microsoft-defender-atp/evaluate-atp.md) #####Evaluate attack surface reduction ###### [Hardware-based isolation](windows-defender-application-guard/test-scenarios-wd-app-guard.md) ###### [Application control](windows-defender-application-control/audit-windows-defender-application-control-policies.md) @@ -123,10 +123,10 @@ ###### [Network firewall](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md) ##### [Evaluate next generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md) -#### [Access the Windows Defender Security Center Community Center](windows-defender-atp/community-windows-defender-advanced-threat-protection.md) +#### [Access the Windows Defender Security Center Community Center](microsoft-defender-atp/community-windows-defender-advanced-threat-protection.md) -### [Configure and manage capabilities](windows-defender-atp/onboard.md) -#### [Configure attack surface reduction](windows-defender-atp/configure-attack-surface-reduction.md) +### [Configure and manage capabilities](microsoft-defender-atp/onboard.md) +#### [Configure attack surface reduction](microsoft-defender-atp/configure-attack-surface-reduction.md) #####Hardware-based isolation ###### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md) ###### [Application isolation](windows-defender-application-guard/install-wd-app-guard.md) @@ -213,203 +213,203 @@ ###### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md) -#### [Configure Secure score dashboard security controls](windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md) +#### [Configure Secure score dashboard security controls](microsoft-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md) #### Management and API support -##### [Onboard machines](windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md) -###### [Onboard previous versions of Windows](windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md) -###### [Onboard Windows 10 machines](windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md) -####### [Onboard machines using Group Policy](windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md) -####### [Onboard machines using System Center Configuration Manager](windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) -####### [Onboard machines using Mobile Device Management tools](windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) -######## [Onboard machines using Microsoft Intune](windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-machines-using-microsoft-intune) -####### [Onboard machines using a local script](windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md) -####### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) -###### [Onboard servers](windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md) -###### [Onboard non-Windows machines](windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) -###### [Run a detection test on a newly onboarded machine](windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md) -###### [Run simulated attacks on machines](windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md) -###### [Configure proxy and Internet connectivity settings](windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md) -###### [Troubleshoot onboarding issues](windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) -####### [Troubleshoot subscription and portal access issues](windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md) +##### [Onboard machines](microsoft-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md) +###### [Onboard previous versions of Windows](microsoft-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md) +###### [Onboard Windows 10 machines](microsoft-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md) +####### [Onboard machines using Group Policy](microsoft-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md) +####### [Onboard machines using System Center Configuration Manager](microsoft-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) +####### [Onboard machines using Mobile Device Management tools](microsoft-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) +######## [Onboard machines using Microsoft Intune](microsoft-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-machines-using-microsoft-intune) +####### [Onboard machines using a local script](microsoft-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md) +####### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](microsoft-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) +###### [Onboard servers](microsoft-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md) +###### [Onboard non-Windows machines](microsoft-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) +###### [Run a detection test on a newly onboarded machine](microsoft-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md) +###### [Run simulated attacks on machines](microsoft-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md) +###### [Configure proxy and Internet connectivity settings](microsoft-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md) +###### [Troubleshoot onboarding issues](microsoft-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) +####### [Troubleshoot subscription and portal access issues](microsoft-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md) -##### [Windows Defender ATP API](windows-defender-atp/use-apis.md) -###### [Get started with Windows Defender ATP APIs](windows-defender-atp/apis-intro.md) -####### [Hello World](windows-defender-atp/api-hello-world.md) -####### [Get access with application context](windows-defender-atp/exposed-apis-create-app-webapp.md) -####### [Get access with user context](windows-defender-atp/exposed-apis-create-app-nativeapp.md) -###### [APIs](windows-defender-atp/exposed-apis-list.md) +##### [Windows Defender ATP API](microsoft-defender-atp/use-apis.md) +###### [Get started with Windows Defender ATP APIs](microsoft-defender-atp/apis-intro.md) +####### [Hello World](microsoft-defender-atp/api-hello-world.md) +####### [Get access with application context](microsoft-defender-atp/exposed-apis-create-app-webapp.md) +####### [Get access with user context](microsoft-defender-atp/exposed-apis-create-app-nativeapp.md) +###### [APIs](microsoft-defender-atp/exposed-apis-list.md) -####### [Advanced Hunting](windows-defender-atp/run-advanced-query-api.md) +####### [Advanced Hunting](microsoft-defender-atp/run-advanced-query-api.md) -####### [Alert](windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md) -######## [List alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md) -######## [Create alert](windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md) -######## [Update Alert](windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md) -######## [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) -######## [Get alert related domains information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md) -######## [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md) -######## [Get alert related IPs information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md) -######## [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md) -######## [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md) +####### [Alert](microsoft-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md) +######## [List alerts](microsoft-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md) +######## [Create alert](microsoft-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md) +######## [Update Alert](microsoft-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md) +######## [Get alert information by ID](microsoft-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) +######## [Get alert related domains information](microsoft-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md) +######## [Get alert related file information](microsoft-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md) +######## [Get alert related IPs information](microsoft-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md) +######## [Get alert related machine information](microsoft-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md) +######## [Get alert related user information](microsoft-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md) -####### [Machine](windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md) -######## [List machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md) -######## [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md) -######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md) -######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md) -######## [Add or Remove machine tags](windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md) -######## [Find machines by IP](windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md) +####### [Machine](microsoft-defender-atp/machine-windows-defender-advanced-threat-protection-new.md) +######## [List machines](microsoft-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md) +######## [Get machine by ID](microsoft-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md) +######## [Get machine log on users](microsoft-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md) +######## [Get machine related alerts](microsoft-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md) +######## [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md) +######## [Find machines by IP](microsoft-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md) -####### [Machine Action](windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md) -######## [List Machine Actions](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md) -######## [Get Machine Action](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md) -######## [Collect investigation package](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md) -######## [Get investigation package SAS URI](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md) -######## [Isolate machine](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md) -######## [Release machine from isolation](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md) -######## [Restrict app execution](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md) -######## [Remove app restriction](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md) -######## [Run antivirus scan](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md) -######## [Offboard machine](windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md) -######## [Stop and quarantine file](windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md) -######## [Initiate investigation (preview)](windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md) +####### [Machine Action](microsoft-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md) +######## [List Machine Actions](microsoft-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md) +######## [Get Machine Action](microsoft-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md) +######## [Collect investigation package](microsoft-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md) +######## [Get investigation package SAS URI](microsoft-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md) +######## [Isolate machine](microsoft-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md) +######## [Release machine from isolation](microsoft-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md) +######## [Restrict app execution](microsoft-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md) +######## [Remove app restriction](microsoft-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md) +######## [Run antivirus scan](microsoft-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md) +######## [Offboard machine](microsoft-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md) +######## [Stop and quarantine file](microsoft-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md) +######## [Initiate investigation (preview)](microsoft-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md) -####### [Indicators (preview)](windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md) -######## [Submit Indicator](windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md) -######## [List Indicators](windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) -######## [Delete Indicator](windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) +####### [Indicators (preview)](microsoft-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md) +######## [Submit Indicator](microsoft-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md) +######## [List Indicators](microsoft-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) +######## [Delete Indicator](microsoft-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) ####### Domain -######## [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md) -######## [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md) -######## [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md) -######## [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md) +######## [Get domain related alerts](microsoft-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md) +######## [Get domain related machines](microsoft-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md) +######## [Get domain statistics](microsoft-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md) +######## [Is domain seen in organization](microsoft-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md) -####### [File](windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md) -######## [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md) -######## [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md) -######## [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md) -######## [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md) +####### [File](microsoft-defender-atp/files-windows-defender-advanced-threat-protection-new.md) +######## [Get file information](microsoft-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md) +######## [Get file related alerts](microsoft-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md) +######## [Get file related machines](microsoft-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md) +######## [Get file statistics](microsoft-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md) ####### IP -######## [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md) -######## [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md) -######## [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md) -######## [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md) +######## [Get IP related alerts](microsoft-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md) +######## [Get IP related machines](microsoft-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md) +######## [Get IP statistics](microsoft-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md) +######## [Is IP seen in organization](microsoft-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md) -####### [User](windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md) -######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md) -######## [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md) +####### [User](microsoft-defender-atp/user-windows-defender-advanced-threat-protection-new.md) +######## [Get user related alerts](microsoft-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md) +######## [Get user related machines](microsoft-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md) ###### How to use APIs - Samples ####### Advanced Hunting API -######## [Schedule advanced Hunting using Microsoft Flow](windows-defender-atp/run-advanced-query-sample-ms-flow.md) -######## [Advanced Hunting using PowerShell](windows-defender-atp/run-advanced-query-sample-powershell.md) -######## [Advanced Hunting using Python](windows-defender-atp/run-advanced-query-sample-python.md) -######## [Create custom Power BI reports](windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md) +######## [Schedule advanced Hunting using Microsoft Flow](microsoft-defender-atp/run-advanced-query-sample-ms-flow.md) +######## [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md) +######## [Advanced Hunting using Python](microsoft-defender-atp/run-advanced-query-sample-python.md) +######## [Create custom Power BI reports](microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md) ####### Multiple APIs -######## [PowerShell](windows-defender-atp/exposed-apis-full-sample-powershell.md) -####### [Using OData Queries](windows-defender-atp/exposed-apis-odata-samples.md) +######## [PowerShell](microsoft-defender-atp/exposed-apis-full-sample-powershell.md) +####### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md) #####Windows updates (KB) info -###### [Get KbInfo collection](windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md) +###### [Get KbInfo collection](microsoft-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md) #####Common Vulnerabilities and Exposures (CVE) to KB map -###### [Get CVE-KB map](windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md) +###### [Get CVE-KB map](microsoft-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md) ##### API for custom alerts -###### [Enable the custom threat intelligence application](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md) -###### [Use the threat intelligence API to create custom alerts](windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md) -###### [Create custom threat intelligence alerts](windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md) -###### [PowerShell code examples](windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md) -###### [Python code examples](windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md) -###### [Experiment with custom threat intelligence alerts](windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md) -###### [Troubleshoot custom threat intelligence issues](windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) +###### [Enable the custom threat intelligence application](microsoft-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md) +###### [Use the threat intelligence API to create custom alerts](microsoft-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md) +###### [Create custom threat intelligence alerts](microsoft-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md) +###### [PowerShell code examples](microsoft-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md) +###### [Python code examples](microsoft-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md) +###### [Experiment with custom threat intelligence alerts](microsoft-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md) +###### [Troubleshoot custom threat intelligence issues](microsoft-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) -##### [Pull alerts to your SIEM tools](windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md) -###### [Enable SIEM integration](windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md) -###### [Configure Splunk to pull alerts](windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md) -###### [Configure HP ArcSight to pull alerts](windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md) -###### [Windows Defender ATP SIEM alert API fields](windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md) -###### [Pull alerts using SIEM REST API](windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) -###### [Troubleshoot SIEM tool integration issues](windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md) +##### [Pull alerts to your SIEM tools](microsoft-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md) +###### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md) +###### [Configure Splunk to pull alerts](microsoft-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md) +###### [Configure HP ArcSight to pull alerts](microsoft-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md) +###### [Windows Defender ATP SIEM alert API fields](microsoft-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md) +###### [Pull alerts using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) +###### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md) ##### Reporting -###### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md) -###### [Threat protection reports](windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection.md) -###### [Machine health and compliance reports](windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection.md) +###### [Create and build Power BI reports using Windows Defender ATP data](microsoft-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md) +###### [Threat protection reports](microsoft-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection.md) +###### [Machine health and compliance reports](microsoft-defender-atp/machine-reports-windows-defender-advanced-threat-protection.md) ##### Role-based access control -###### [Manage portal access using RBAC](windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md) -####### [Create and manage roles](windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md) -####### [Create and manage machine groups](windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md) -######## [Create and manage machine tags](windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md) +###### [Manage portal access using RBAC](microsoft-defender-atp/rbac-windows-defender-advanced-threat-protection.md) +####### [Create and manage roles](microsoft-defender-atp/user-roles-windows-defender-advanced-threat-protection.md) +####### [Create and manage machine groups](microsoft-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md) +######## [Create and manage machine tags](microsoft-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md) -##### [Configure managed security service provider (MSSP) support](windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md) +##### [Configure managed security service provider (MSSP) support](microsoft-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md) -#### [Configure and manage Microsoft Threat Experts capabilities](windows-defender-atp/configure-microsoft-threat-experts.md) +#### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md) #### Configure Microsoft threat protection integration -##### [Configure conditional access](windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md) -##### [Configure Microsoft Cloud App Security integration](windows-defender-atp/microsoft-cloud-app-security-config.md) -##### [Configure information protection in Windows](windows-defender-atp/information-protection-in-windows-config.md) +##### [Configure conditional access](microsoft-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md) +##### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md) +##### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md) -#### [Configure Windows Defender Security Center settings](windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md) +#### [Configure Windows Defender Security Center settings](microsoft-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md) ##### General -###### [Update data retention settings](windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md) -###### [Configure alert notifications](windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md) -###### [Enable and create Power BI reports using Windows Defender Security center data](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md) -###### [Enable Secure score security controls](windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md) -###### [Configure advanced features](windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md) +###### [Update data retention settings](microsoft-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md) +###### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md) +###### [Enable and create Power BI reports using Windows Defender Security center data](microsoft-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md) +###### [Enable Secure score security controls](microsoft-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md) +###### [Configure advanced features](microsoft-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md) ##### Permissions -###### [Use basic permissions to access the portal](windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md) -###### [Manage portal access using RBAC](windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md) -####### [Create and manage roles](windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md) -####### [Create and manage machine groups](windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md) -######## [Create and manage machine tags](windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md) +###### [Use basic permissions to access the portal](microsoft-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md) +###### [Manage portal access using RBAC](microsoft-defender-atp/rbac-windows-defender-advanced-threat-protection.md) +####### [Create and manage roles](microsoft-defender-atp/user-roles-windows-defender-advanced-threat-protection.md) +####### [Create and manage machine groups](microsoft-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md) +######## [Create and manage machine tags](microsoft-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md) ##### APIs -###### [Enable Threat intel](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md) -###### [Enable SIEM integration](windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md) +###### [Enable Threat intel](microsoft-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md) +###### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md) #####Rules -###### [Manage suppression rules](windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md) -###### [Manage automation allowed/blocked lists](windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md) -###### [Manage allowed/blocked lists](windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md) -###### [Manage automation file uploads](windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md) -###### [Manage automation folder exclusions](windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md) +###### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md) +###### [Manage automation allowed/blocked lists](microsoft-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md) +###### [Manage allowed/blocked lists](microsoft-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md) +###### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md) +###### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md) #####Machine management -###### [Onboarding machines](windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md) -###### [Offboarding machines](windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md) +###### [Onboarding machines](microsoft-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md) +###### [Offboarding machines](microsoft-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md) -##### [Configure Windows Defender Security Center time zone settings](windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md) +##### [Configure Windows Defender Security Center time zone settings](microsoft-defender-atp/time-settings-windows-defender-advanced-threat-protection.md) -### [Troubleshoot Windows Defender ATP](windows-defender-atp/troubleshoot-wdatp.md) +### [Troubleshoot Windows Defender ATP](microsoft-defender-atp/troubleshoot-wdatp.md) ####Troubleshoot sensor state -##### [Check sensor state](windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md) -##### [Fix unhealthy sensors](windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) -##### [Inactive machines](windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines) -##### [Misconfigured machines](windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines) -##### [Review sensor events and errors on machines with Event Viewer](windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md) +##### [Check sensor state](microsoft-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md) +##### [Fix unhealthy sensors](microsoft-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) +##### [Inactive machines](microsoft-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines) +##### [Misconfigured machines](microsoft-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines) +##### [Review sensor events and errors on machines with Event Viewer](microsoft-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md) -#### [Troubleshoot Windows Defender ATP service issues](windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md) -##### [Check service health](windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md) +#### [Troubleshoot Windows Defender ATP service issues](microsoft-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md) +##### [Check service health](microsoft-defender-atp/service-status-windows-defender-advanced-threat-protection.md) ####Troubleshoot attack surface reduction ##### [Network protection](windows-defender-exploit-guard/troubleshoot-np.md) From 7a6786be072fde8b79a97bac47fe715872ae6689 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 14:02:15 -0700 Subject: [PATCH 113/492] remove -windows-defender-advanced-threat-protection --- windows/security/threat-protection/TOC.md | 146 +++++++++--------- ...ft-defender-advanced-threat-protection.md} | 0 2 files changed, 73 insertions(+), 73 deletions(-) rename windows/security/threat-protection/microsoft-defender-atp/{windows-defender-advanced-threat-protection.md => microsoft-defender-advanced-threat-protection.md} (100%) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 16acd664ab..316afb72b1 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -1,6 +1,6 @@ # [Threat protection](index.md) -## [Windows Defender Advanced Threat Protection](microsoft-defender-atp/windows-defender-advanced-threat-protection.md) +## [Windows Defender Advanced Threat Protection](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) ### [Overview](microsoft-defender-atp/overview.md) #### [Attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md) @@ -110,7 +110,7 @@ #### [Validate licensing and complete setup](microsoft-defender-atp/licensing-windows-defender-advanced-threat-protection.md) #### [Preview features](microsoft-defender-atp/preview-windows-defender-advanced-threat-protection.md) #### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md) -#### [Assign user access to the portal](microsoft-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md) +#### [Assign user access to the portal](microsoft-defender-atp/assign-portal-access.md) #### [Evaluate Windows Defender ATP](microsoft-defender-atp/evaluate-atp.md) #####Evaluate attack surface reduction @@ -123,7 +123,7 @@ ###### [Network firewall](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md) ##### [Evaluate next generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md) -#### [Access the Windows Defender Security Center Community Center](microsoft-defender-atp/community-windows-defender-advanced-threat-protection.md) +#### [Access the Windows Defender Security Center Community Center](microsoft-defender-atp/community.md) ### [Configure and manage capabilities](microsoft-defender-atp/onboard.md) #### [Configure attack surface reduction](microsoft-defender-atp/configure-attack-surface-reduction.md) @@ -213,26 +213,26 @@ ###### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md) -#### [Configure Secure score dashboard security controls](microsoft-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md) +#### [Configure Secure score dashboard security controls](microsoft-defender-atp/secure-score-dashboard.md) #### Management and API support -##### [Onboard machines](microsoft-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md) -###### [Onboard previous versions of Windows](microsoft-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md) -###### [Onboard Windows 10 machines](microsoft-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md) -####### [Onboard machines using Group Policy](microsoft-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md) -####### [Onboard machines using System Center Configuration Manager](microsoft-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) -####### [Onboard machines using Mobile Device Management tools](microsoft-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) -######## [Onboard machines using Microsoft Intune](microsoft-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-machines-using-microsoft-intune) -####### [Onboard machines using a local script](microsoft-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md) -####### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](microsoft-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) -###### [Onboard servers](microsoft-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md) -###### [Onboard non-Windows machines](microsoft-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) -###### [Run a detection test on a newly onboarded machine](microsoft-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md) -###### [Run simulated attacks on machines](microsoft-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md) -###### [Configure proxy and Internet connectivity settings](microsoft-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md) -###### [Troubleshoot onboarding issues](microsoft-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) -####### [Troubleshoot subscription and portal access issues](microsoft-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md) +##### [Onboard machines](microsoft-defender-atp/onboard-configure.md) +###### [Onboard previous versions of Windows](microsoft-defender-atp/onboard-downlevel.md) +###### [Onboard Windows 10 machines](microsoft-defender-atp/configure-endpoints.md) +####### [Onboard machines using Group Policy](microsoft-defender-atp/configure-endpoints-gp.md) +####### [Onboard machines using System Center Configuration Manager](microsoft-defender-atp/configure-endpoints-sccm.md) +####### [Onboard machines using Mobile Device Management tools](microsoft-defender-atp/configure-endpoints-mdm.md) +######## [Onboard machines using Microsoft Intune](microsoft-defender-atp/configure-endpoints-mdm.md#onboard-machines-using-microsoft-intune) +####### [Onboard machines using a local script](microsoft-defender-atp/configure-endpoints-script.md) +####### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](microsoft-defender-atp/configure-endpoints-vdi.md) +###### [Onboard servers](microsoft-defender-atp/configure-server-endpoints.md) +###### [Onboard non-Windows machines](microsoft-defender-atp/configure-endpoints-non-windows.md) +###### [Run a detection test on a newly onboarded machine](microsoft-defender-atp/run-detection-test.md) +###### [Run simulated attacks on machines](microsoft-defender-atp/attack-simulations.md) +###### [Configure proxy and Internet connectivity settings](microsoft-defender-atp/configure-proxy-internet.md) +###### [Troubleshoot onboarding issues](microsoft-defender-atp/troubleshoot-onboarding.md) +####### [Troubleshoot subscription and portal access issues](microsoft-defender-atp/troubleshoot-onboarding-error-messages.md) ##### [Windows Defender ATP API](microsoft-defender-atp/use-apis.md) ###### [Get started with Windows Defender ATP APIs](microsoft-defender-atp/apis-intro.md) @@ -316,43 +316,43 @@ #####Windows updates (KB) info -###### [Get KbInfo collection](microsoft-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md) +###### [Get KbInfo collection](microsoft-defender-atp/get-kbinfo-collection.md) #####Common Vulnerabilities and Exposures (CVE) to KB map -###### [Get CVE-KB map](microsoft-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md) +###### [Get CVE-KB map](microsoft-defender-atp/get-cvekbmap-collection.md) ##### API for custom alerts -###### [Enable the custom threat intelligence application](microsoft-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md) -###### [Use the threat intelligence API to create custom alerts](microsoft-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md) -###### [Create custom threat intelligence alerts](microsoft-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md) -###### [PowerShell code examples](microsoft-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md) -###### [Python code examples](microsoft-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md) -###### [Experiment with custom threat intelligence alerts](microsoft-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md) -###### [Troubleshoot custom threat intelligence issues](microsoft-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) +###### [Enable the custom threat intelligence application](microsoft-defender-atp/enable-custom-ti.md) +###### [Use the threat intelligence API to create custom alerts](microsoft-defender-atp/use-custom-ti.md) +###### [Create custom threat intelligence alerts](microsoft-defender-atp/custom-ti-api.md) +###### [PowerShell code examples](microsoft-defender-atp/powershell-example-code.md) +###### [Python code examples](microsoft-defender-atp/python-example-code.md) +###### [Experiment with custom threat intelligence alerts](microsoft-defender-atp/experiment-custom-ti.md) +###### [Troubleshoot custom threat intelligence issues](microsoft-defender-atp/troubleshoot-custom-ti.md) -##### [Pull alerts to your SIEM tools](microsoft-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md) -###### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md) -###### [Configure Splunk to pull alerts](microsoft-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md) -###### [Configure HP ArcSight to pull alerts](microsoft-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md) -###### [Windows Defender ATP SIEM alert API fields](microsoft-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md) -###### [Pull alerts using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) -###### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md) +##### [Pull alerts to your SIEM tools](microsoft-defender-atp/configure-siem.md) +###### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md) +###### [Configure Splunk to pull alerts](microsoft-defender-atp/configure-splunk.md) +###### [Configure HP ArcSight to pull alerts](microsoft-defender-atp/configure-arcsight.md) +###### [Windows Defender ATP SIEM alert API fields](microsoft-defender-atp/api-portal-mapping.md) +###### [Pull alerts using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md) +###### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md) ##### Reporting -###### [Create and build Power BI reports using Windows Defender ATP data](microsoft-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md) -###### [Threat protection reports](microsoft-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection.md) -###### [Machine health and compliance reports](microsoft-defender-atp/machine-reports-windows-defender-advanced-threat-protection.md) +###### [Create and build Power BI reports using Windows Defender ATP data](microsoft-defender-atp/powerbi-reports.md) +###### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md) +###### [Machine health and compliance reports](microsoft-defender-atp/machine-reports.md) ##### Role-based access control -###### [Manage portal access using RBAC](microsoft-defender-atp/rbac-windows-defender-advanced-threat-protection.md) -####### [Create and manage roles](microsoft-defender-atp/user-roles-windows-defender-advanced-threat-protection.md) -####### [Create and manage machine groups](microsoft-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md) -######## [Create and manage machine tags](microsoft-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md) +###### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md) +####### [Create and manage roles](microsoft-defender-atp/user-roles.md) +####### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md) +######## [Create and manage machine tags](microsoft-defender-atp/machine-tags.md) -##### [Configure managed security service provider (MSSP) support](microsoft-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md) +##### [Configure managed security service provider (MSSP) support](microsoft-defender-atp/configure-mssp-support.md) #### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md) @@ -360,56 +360,56 @@ #### Configure Microsoft threat protection integration -##### [Configure conditional access](microsoft-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md) +##### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md) ##### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md) ##### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md) -#### [Configure Windows Defender Security Center settings](microsoft-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md) +#### [Configure Windows Defender Security Center settings](microsoft-defender-atp/preferences-setup.md) ##### General -###### [Update data retention settings](microsoft-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md) -###### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md) -###### [Enable and create Power BI reports using Windows Defender Security center data](microsoft-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md) -###### [Enable Secure score security controls](microsoft-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md) -###### [Configure advanced features](microsoft-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md) +###### [Update data retention settings](microsoft-defender-atp/data-retention-settings.md) +###### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md) +###### [Enable and create Power BI reports using Windows Defender Security center data](microsoft-defender-atp/powerbi-reports.md) +###### [Enable Secure score security controls](microsoft-defender-atp/enable-secure-score.md) +###### [Configure advanced features](microsoft-defender-atp/advanced-features.md) ##### Permissions -###### [Use basic permissions to access the portal](microsoft-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md) -###### [Manage portal access using RBAC](microsoft-defender-atp/rbac-windows-defender-advanced-threat-protection.md) -####### [Create and manage roles](microsoft-defender-atp/user-roles-windows-defender-advanced-threat-protection.md) -####### [Create and manage machine groups](microsoft-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md) -######## [Create and manage machine tags](microsoft-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md) +###### [Use basic permissions to access the portal](microsoft-defender-atp/basic-permissions.md) +###### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md) +####### [Create and manage roles](microsoft-defender-atp/user-roles.md) +####### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md) +######## [Create and manage machine tags](microsoft-defender-atp/machine-tags.md) ##### APIs -###### [Enable Threat intel](microsoft-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md) -###### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md) +###### [Enable Threat intel](microsoft-defender-atp/enable-custom-ti.md) +###### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md) #####Rules -###### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md) -###### [Manage automation allowed/blocked lists](microsoft-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md) -###### [Manage allowed/blocked lists](microsoft-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md) -###### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md) -###### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md) +###### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md) +###### [Manage automation allowed/blocked lists](microsoft-defender-atp/manage-automation-allowed-blocked-list.md) +###### [Manage allowed/blocked lists](microsoft-defender-atp/manage-allowed-blocked-list.md) +###### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads.md) +###### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions.md) #####Machine management -###### [Onboarding machines](microsoft-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md) -###### [Offboarding machines](microsoft-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md) +###### [Onboarding machines](microsoft-defender-atp/onboard-configure.md) +###### [Offboarding machines](microsoft-defender-atp/offboard-machines.md) -##### [Configure Windows Defender Security Center time zone settings](microsoft-defender-atp/time-settings-windows-defender-advanced-threat-protection.md) +##### [Configure Windows Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md) ### [Troubleshoot Windows Defender ATP](microsoft-defender-atp/troubleshoot-wdatp.md) ####Troubleshoot sensor state -##### [Check sensor state](microsoft-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md) -##### [Fix unhealthy sensors](microsoft-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) -##### [Inactive machines](microsoft-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines) -##### [Misconfigured machines](microsoft-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines) -##### [Review sensor events and errors on machines with Event Viewer](microsoft-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md) +##### [Check sensor state](microsoft-defender-atp/check-sensor-status.md) +##### [Fix unhealthy sensors](microsoft-defender-atp/fix-unhealhty-sensors.md) +##### [Inactive machines](microsoft-defender-atp/fix-unhealhty-sensors.md#inactive-machines) +##### [Misconfigured machines](microsoft-defender-atp/fix-unhealhty-sensors.md#misconfigured-machines) +##### [Review sensor events and errors on machines with Event Viewer](microsoft-defender-atp/event-error-codes.md) -#### [Troubleshoot Windows Defender ATP service issues](microsoft-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md) -##### [Check service health](microsoft-defender-atp/service-status-windows-defender-advanced-threat-protection.md) +#### [Troubleshoot Windows Defender ATP service issues](microsoft-defender-atp/troubleshoot.md) +##### [Check service health](microsoft-defender-atp/service-status.md) ####Troubleshoot attack surface reduction ##### [Network protection](windows-defender-exploit-guard/troubleshoot-np.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md From 552ea6dcb0d88a6b5aa31108077af251ca1c708e Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 14:34:39 -0700 Subject: [PATCH 114/492] remove -wdatp, update all file names --- windows/security/threat-protection/TOC.md | 210 +++++++++--------- ...n-new.md => add-or-remove-machine-tags.md} | 0 ...eat-protection.md => advanced-features.md} | 0 ....md => advanced-hunting-best-practices.md} | 0 ...ction.md => advanced-hunting-reference.md} | 0 ...reat-protection.md => advanced-hunting.md} | 0 ...d-threat-protection.md => alerts-queue.md} | 0 ...ced-threat-protection-new.md => alerts.md} | 0 ...at-protection.md => api-portal-mapping.md} | 0 ...-protection.md => assign-portal-access.md} | 0 ...at-protection.md => attack-simulations.md} | 0 ...tection.md => automated-investigations.md} | 0 ...eat-protection.md => basic-permissions.md} | 0 ...t-protection.md => check-sensor-status.md} | 0 ...ew.md => collect-investigation-package.md} | 0 ...nced-threat-protection.md => community.md} | 0 ...ed-threat-protection.md => conditional.md} | 0 ...at-protection.md => configure-arcsight.md} | 0 ...ion.md => configure-conditional-access.md} | 0 ...on.md => configure-email-notifications.md} | 0 ...rotection.md => configure-endpoints-gp.md} | 0 ...otection.md => configure-endpoints-mdm.md} | 0 ....md => configure-endpoints-non-windows.md} | 0 ...tection.md => configure-endpoints-sccm.md} | 0 ...ction.md => configure-endpoints-script.md} | 0 ...otection.md => configure-endpoints-vdi.md} | 0 ...t-protection.md => configure-endpoints.md} | 0 ...rotection.md => configure-mssp-support.md} | 0 ...tection.md => configure-proxy-internet.md} | 0 ...ction.md => configure-server-endpoints.md} | 0 ...threat-protection.md => configure-siem.md} | 0 ...reat-protection.md => configure-splunk.md} | 0 ...on-new.md => create-alert-by-reference.md} | 0 ...-threat-protection.md => custom-ti-api.md} | 0 ...otection.md => data-retention-settings.md} | 0 ...-protection.md => data-storage-privacy.md} | 0 ...rotection.md => defender-compatibility.md} | 0 ...on-new.md => delete-ti-indicator-by-id.md} | 0 ...reat-protection.md => enable-custom-ti.md} | 0 ...t-protection.md => enable-secure-score.md} | 0 ...otection.md => enable-siem-integration.md} | 0 ...eat-protection.md => event-error-codes.md} | 0 ...-protection.md => experiment-custom-ti.md} | 0 ...nced-threat-protection-new.md => files.md} | 0 ...tion-new.md => find-machine-info-by-ip.md} | 0 ...otection-new.md => find-machines-by-ip.md} | 0 ...protection.md => fix-unhealhty-sensors.md} | 0 ...tection-new.md => get-alert-info-by-id.md} | 0 ...ew.md => get-alert-related-domain-info.md} | 0 ...new.md => get-alert-related-files-info.md} | 0 ...on-new.md => get-alert-related-ip-info.md} | 0 ...w.md => get-alert-related-machine-info.md} | 0 ...-new.md => get-alert-related-user-info.md} | 0 ...threat-protection-new.md => get-alerts.md} | 0 ...otection.md => get-cvekbmap-collection.md} | 0 ...on-new.md => get-domain-related-alerts.md} | 0 ...-new.md => get-domain-related-machines.md} | 0 ...ection-new.md => get-domain-statistics.md} | 0 ...tection-new.md => get-file-information.md} | 0 ...tion-new.md => get-file-related-alerts.md} | 0 ...on-new.md => get-file-related-machines.md} | 0 ...otection-new.md => get-file-statistics.md} | 0 ...ection-new.md => get-ip-related-alerts.md} | 0 ...tion-new.md => get-ip-related-machines.md} | 0 ...protection-new.md => get-ip-statistics.md} | 0 ...protection.md => get-kbinfo-collection.md} | 0 ...protection-new.md => get-machine-by-id.md} | 0 ...ion-new.md => get-machine-log-on-users.md} | 0 ...n-new.md => get-machine-related-alerts.md} | 0 ...ion-new.md => get-machineaction-object.md} | 0 ...ew.md => get-machineactions-collection.md} | 0 ...ion.md => get-machinegroups-collection.md} | 0 ...reat-protection-new.md => get-machines.md} | 0 ...> get-machinesecuritystates-collection.md} | 0 ...otection-new.md => get-package-sas-uri.md} | 0 ...new.md => get-ti-indicators-collection.md} | 0 ...tection-new.md => get-user-information.md} | 0 ...tion-new.md => get-user-related-alerts.md} | 0 ...on-new.md => get-user-related-machines.md} | 0 ...ew.md => initiate-autoir-investigation.md} | 0 ...at-protection.md => investigate-alerts.md} | 0 ...at-protection.md => investigate-domain.md} | 0 ...eat-protection.md => investigate-files.md} | 0 ...protection.md => investigate-incidents.md} | 0 ...threat-protection.md => investigate-ip.md} | 0 ...-protection.md => investigate-machines.md} | 0 ...reat-protection.md => investigate-user.md} | 0 ...ection-new.md => is-domain-seen-in-org.md} | 0 ...at-protection-new.md => is-ip-seen-org.md} | 0 ...t-protection-new.md => isolate-machine.md} | 0 ...nced-threat-protection.md => licensing.md} | 0 ...threat-protection.md => machine-groups.md} | 0 ...hreat-protection.md => machine-reports.md} | 0 ...d-threat-protection.md => machine-tags.md} | 0 ...ed-threat-protection-new.md => machine.md} | 0 ...eat-protection-new.md => machineaction.md} | 0 ...rotection.md => machines-view-overview.md} | 0 ...-threat-protection.md => manage-alerts.md} | 0 ...tion.md => manage-allowed-blocked-list.md} | 0 ...ection.md => manage-auto-investigation.md} | 0 ...manage-automation-allowed-blocked-list.md} | 0 ...n.md => manage-automation-file-uploads.md} | 0 ...=> manage-automation-folder-exclusions.md} | 0 ...reat-protection.md => manage-incidents.md} | 0 ...tection.md => manage-suppression-rules.md} | 0 ...-protection.md => minimum-requirements.md} | 0 ...d-threat-protection.md => mssp-support.md} | 0 ...tection-new.md => offboard-machine-api.md} | 0 ...eat-protection.md => offboard-machines.md} | 0 ...eat-protection.md => onboard-configure.md} | 0 ...eat-protection.md => onboard-downlevel.md} | 0 ...reat-protection.md => overview-hunting.md} | 0 ...protection.md => overview-secure-score.md} | 0 ...hreat-protection.md => portal-overview.md} | 0 ...protection-new.md => post-ti-indicator.md} | 0 ...hreat-protection.md => powerbi-reports.md} | 0 ...otection.md => powershell-example-code.md} | 0 ...eat-protection.md => preferences-setup.md} | 0 ...reat-protection.md => preview-settings.md} | 0 ...vanced-threat-protection.md => preview.md} | 0 ...ction.md => pull-alerts-using-rest-api.md} | 0 ...t-protection.md => python-example-code.md} | 0 ...-advanced-threat-protection.md => rbac.md} | 0 ...t-protection.md => respond-file-alerts.md} | 0 ...rotection.md => respond-machine-alerts.md} | 0 ...reat-protection.md => response-actions.md} | 0 ...tion-new.md => restrict-code-execution.md} | 0 ...hreat-protection-new.md => run-av-scan.md} | 0 ...at-protection.md => run-detection-test.md} | 0 ...rotection.md => secure-score-dashboard.md} | 0 ...on.md => security-operations-dashboard.md} | 0 ...threat-protection.md => service-status.md} | 0 ...ion-new.md => stop-and-quarantine-file.md} | 0 ...otection.md => supported-response-apis.md} | 0 ...ection.md => threat-indicator-concepts.md} | 0 ...ection.md => threat-protection-reports.md} | 0 ...reat-protection-new.md => ti-indicator.md} | 0 ...-threat-protection.md => time-settings.md} | 0 ...rotection.md => troubleshoot-custom-ti.md} | 0 ...troubleshoot-onboarding-error-messages.md} | 0 ...otection.md => troubleshoot-onboarding.md} | 0 ...hoot-wdatp.md => troubleshoot-overview.md} | 0 ...eat-protection.md => troubleshoot-siem.md} | 0 ...d-threat-protection.md => troubleshoot.md} | 0 ...protection-new.md => unisolate-machine.md} | 0 ...on-new.md => unrestrict-code-execution.md} | 0 ...reat-protection-new.md => update-alert.md} | 0 ...-threat-protection.md => use-custom-ti.md} | 0 ...r-advanced-threat-protection.md => use.md} | 0 ...ced-threat-protection.md => user-roles.md} | 0 ...anced-threat-protection-new.md => user.md} | 0 ...=> whats-new-in-microsoft-defender-atp.md} | 0 152 files changed, 105 insertions(+), 105 deletions(-) rename windows/security/threat-protection/microsoft-defender-atp/{add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md => add-or-remove-machine-tags.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{advanced-features-windows-defender-advanced-threat-protection.md => advanced-features.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md => advanced-hunting-best-practices.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{advanced-hunting-reference-windows-defender-advanced-threat-protection.md => advanced-hunting-reference.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{advanced-hunting-windows-defender-advanced-threat-protection.md => advanced-hunting.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{alerts-queue-windows-defender-advanced-threat-protection.md => alerts-queue.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{alerts-windows-defender-advanced-threat-protection-new.md => alerts.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{api-portal-mapping-windows-defender-advanced-threat-protection.md => api-portal-mapping.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{assign-portal-access-windows-defender-advanced-threat-protection.md => assign-portal-access.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{attack-simulations-windows-defender-advanced-threat-protection.md => attack-simulations.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{automated-investigations-windows-defender-advanced-threat-protection.md => automated-investigations.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{basic-permissions-windows-defender-advanced-threat-protection.md => basic-permissions.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{check-sensor-status-windows-defender-advanced-threat-protection.md => check-sensor-status.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{collect-investigation-package-windows-defender-advanced-threat-protection-new.md => collect-investigation-package.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{community-windows-defender-advanced-threat-protection.md => community.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{conditional-access-windows-defender-advanced-threat-protection.md => conditional.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{configure-arcsight-windows-defender-advanced-threat-protection.md => configure-arcsight.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{configure-conditional-access-windows-defender-advanced-threat-protection.md => configure-conditional-access.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{configure-email-notifications-windows-defender-advanced-threat-protection.md => configure-email-notifications.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{configure-endpoints-gp-windows-defender-advanced-threat-protection.md => configure-endpoints-gp.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{configure-endpoints-mdm-windows-defender-advanced-threat-protection.md => configure-endpoints-mdm.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md => configure-endpoints-non-windows.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{configure-endpoints-sccm-windows-defender-advanced-threat-protection.md => configure-endpoints-sccm.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{configure-endpoints-script-windows-defender-advanced-threat-protection.md => configure-endpoints-script.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{configure-endpoints-vdi-windows-defender-advanced-threat-protection.md => configure-endpoints-vdi.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{configure-endpoints-windows-defender-advanced-threat-protection.md => configure-endpoints.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{configure-mssp-support-windows-defender-advanced-threat-protection.md => configure-mssp-support.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{configure-proxy-internet-windows-defender-advanced-threat-protection.md => configure-proxy-internet.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{configure-server-endpoints-windows-defender-advanced-threat-protection.md => configure-server-endpoints.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{configure-siem-windows-defender-advanced-threat-protection.md => configure-siem.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{configure-splunk-windows-defender-advanced-threat-protection.md => configure-splunk.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{create-alert-by-reference-windows-defender-advanced-threat-protection-new.md => create-alert-by-reference.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{custom-ti-api-windows-defender-advanced-threat-protection.md => custom-ti-api.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{data-retention-settings-windows-defender-advanced-threat-protection.md => data-retention-settings.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{data-storage-privacy-windows-defender-advanced-threat-protection.md => data-storage-privacy.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{defender-compatibility-windows-defender-advanced-threat-protection.md => defender-compatibility.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md => delete-ti-indicator-by-id.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{enable-custom-ti-windows-defender-advanced-threat-protection.md => enable-custom-ti.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{enable-secure-score-windows-defender-advanced-threat-protection.md => enable-secure-score.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{enable-siem-integration-windows-defender-advanced-threat-protection.md => enable-siem-integration.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{event-error-codes-windows-defender-advanced-threat-protection.md => event-error-codes.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{experiment-custom-ti-windows-defender-advanced-threat-protection.md => experiment-custom-ti.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{files-windows-defender-advanced-threat-protection-new.md => files.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md => find-machine-info-by-ip.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{find-machines-by-ip-windows-defender-advanced-threat-protection-new.md => find-machines-by-ip.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md => fix-unhealhty-sensors.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md => get-alert-info-by-id.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md => get-alert-related-domain-info.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md => get-alert-related-files-info.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md => get-alert-related-ip-info.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md => get-alert-related-machine-info.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md => get-alert-related-user-info.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-alerts-windows-defender-advanced-threat-protection-new.md => get-alerts.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-cvekbmap-collection-windows-defender-advanced-threat-protection.md => get-cvekbmap-collection.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md => get-domain-related-alerts.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-domain-related-machines-windows-defender-advanced-threat-protection-new.md => get-domain-related-machines.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-domain-statistics-windows-defender-advanced-threat-protection-new.md => get-domain-statistics.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-file-information-windows-defender-advanced-threat-protection-new.md => get-file-information.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-file-related-alerts-windows-defender-advanced-threat-protection-new.md => get-file-related-alerts.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-file-related-machines-windows-defender-advanced-threat-protection-new.md => get-file-related-machines.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-file-statistics-windows-defender-advanced-threat-protection-new.md => get-file-statistics.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md => get-ip-related-alerts.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-ip-related-machines-windows-defender-advanced-threat-protection-new.md => get-ip-related-machines.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-ip-statistics-windows-defender-advanced-threat-protection-new.md => get-ip-statistics.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-kbinfo-collection-windows-defender-advanced-threat-protection.md => get-kbinfo-collection.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-machine-by-id-windows-defender-advanced-threat-protection-new.md => get-machine-by-id.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md => get-machine-log-on-users.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md => get-machine-related-alerts.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-machineaction-object-windows-defender-advanced-threat-protection-new.md => get-machineaction-object.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-machineactions-collection-windows-defender-advanced-threat-protection-new.md => get-machineactions-collection.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-machinegroups-collection-windows-defender-advanced-threat-protection.md => get-machinegroups-collection.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-machines-windows-defender-advanced-threat-protection-new.md => get-machines.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md => get-machinesecuritystates-collection.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-package-sas-uri-windows-defender-advanced-threat-protection-new.md => get-package-sas-uri.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md => get-ti-indicators-collection.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-user-information-windows-defender-advanced-threat-protection-new.md => get-user-information.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-user-related-alerts-windows-defender-advanced-threat-protection-new.md => get-user-related-alerts.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{get-user-related-machines-windows-defender-advanced-threat-protection-new.md => get-user-related-machines.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md => initiate-autoir-investigation.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{investigate-alerts-windows-defender-advanced-threat-protection.md => investigate-alerts.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{investigate-domain-windows-defender-advanced-threat-protection.md => investigate-domain.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{investigate-files-windows-defender-advanced-threat-protection.md => investigate-files.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{investigate-incidents-windows-defender-advanced-threat-protection.md => investigate-incidents.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{investigate-ip-windows-defender-advanced-threat-protection.md => investigate-ip.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{investigate-machines-windows-defender-advanced-threat-protection.md => investigate-machines.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{investigate-user-windows-defender-advanced-threat-protection.md => investigate-user.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md => is-domain-seen-in-org.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{is-ip-seen-org-windows-defender-advanced-threat-protection-new.md => is-ip-seen-org.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{isolate-machine-windows-defender-advanced-threat-protection-new.md => isolate-machine.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{licensing-windows-defender-advanced-threat-protection.md => licensing.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{machine-groups-windows-defender-advanced-threat-protection.md => machine-groups.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{machine-reports-windows-defender-advanced-threat-protection.md => machine-reports.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{machine-tags-windows-defender-advanced-threat-protection.md => machine-tags.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{machine-windows-defender-advanced-threat-protection-new.md => machine.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{machineaction-windows-defender-advanced-threat-protection-new.md => machineaction.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{machines-view-overview-windows-defender-advanced-threat-protection.md => machines-view-overview.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{manage-alerts-windows-defender-advanced-threat-protection.md => manage-alerts.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md => manage-allowed-blocked-list.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{manage-auto-investigation-windows-defender-advanced-threat-protection.md => manage-auto-investigation.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md => manage-automation-allowed-blocked-list.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{manage-automation-file-uploads-windows-defender-advanced-threat-protection.md => manage-automation-file-uploads.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md => manage-automation-folder-exclusions.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{manage-incidents-windows-defender-advanced-threat-protection.md => manage-incidents.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{manage-suppression-rules-windows-defender-advanced-threat-protection.md => manage-suppression-rules.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{minimum-requirements-windows-defender-advanced-threat-protection.md => minimum-requirements.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{mssp-support-windows-defender-advanced-threat-protection.md => mssp-support.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{offboard-machine-api-windows-defender-advanced-threat-protection-new.md => offboard-machine-api.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{offboard-machines-windows-defender-advanced-threat-protection.md => offboard-machines.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{onboard-configure-windows-defender-advanced-threat-protection.md => onboard-configure.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{onboard-downlevel-windows-defender-advanced-threat-protection.md => onboard-downlevel.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{overview-hunting-windows-defender-advanced-threat-protection.md => overview-hunting.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{overview-secure-score-windows-defender-advanced-threat-protection.md => overview-secure-score.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{portal-overview-windows-defender-advanced-threat-protection.md => portal-overview.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{post-ti-indicator-windows-defender-advanced-threat-protection-new.md => post-ti-indicator.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{powerbi-reports-windows-defender-advanced-threat-protection.md => powerbi-reports.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{powershell-example-code-windows-defender-advanced-threat-protection.md => powershell-example-code.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{preferences-setup-windows-defender-advanced-threat-protection.md => preferences-setup.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{preview-settings-windows-defender-advanced-threat-protection.md => preview-settings.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{preview-windows-defender-advanced-threat-protection.md => preview.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md => pull-alerts-using-rest-api.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{python-example-code-windows-defender-advanced-threat-protection.md => python-example-code.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{rbac-windows-defender-advanced-threat-protection.md => rbac.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{respond-file-alerts-windows-defender-advanced-threat-protection.md => respond-file-alerts.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{respond-machine-alerts-windows-defender-advanced-threat-protection.md => respond-machine-alerts.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{response-actions-windows-defender-advanced-threat-protection.md => response-actions.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{restrict-code-execution-windows-defender-advanced-threat-protection-new.md => restrict-code-execution.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{run-av-scan-windows-defender-advanced-threat-protection-new.md => run-av-scan.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{run-detection-test-windows-defender-advanced-threat-protection.md => run-detection-test.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{secure-score-dashboard-windows-defender-advanced-threat-protection.md => secure-score-dashboard.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{security-operations-dashboard-windows-defender-advanced-threat-protection.md => security-operations-dashboard.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{service-status-windows-defender-advanced-threat-protection.md => service-status.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md => stop-and-quarantine-file.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{supported-response-apis-windows-defender-advanced-threat-protection.md => supported-response-apis.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{threat-indicator-concepts-windows-defender-advanced-threat-protection.md => threat-indicator-concepts.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{threat-protection-reports-windows-defender-advanced-threat-protection.md => threat-protection-reports.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{ti-indicator-windows-defender-advanced-threat-protection-new.md => ti-indicator.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{time-settings-windows-defender-advanced-threat-protection.md => time-settings.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md => troubleshoot-custom-ti.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md => troubleshoot-onboarding-error-messages.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{troubleshoot-onboarding-windows-defender-advanced-threat-protection.md => troubleshoot-onboarding.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{troubleshoot-wdatp.md => troubleshoot-overview.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{troubleshoot-siem-windows-defender-advanced-threat-protection.md => troubleshoot-siem.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{troubleshoot-windows-defender-advanced-threat-protection.md => troubleshoot.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{unisolate-machine-windows-defender-advanced-threat-protection-new.md => unisolate-machine.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md => unrestrict-code-execution.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{update-alert-windows-defender-advanced-threat-protection-new.md => update-alert.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{use-custom-ti-windows-defender-advanced-threat-protection.md => use-custom-ti.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{use-windows-defender-advanced-threat-protection.md => use.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{user-roles-windows-defender-advanced-threat-protection.md => user-roles.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{user-windows-defender-advanced-threat-protection-new.md => user.md} (100%) rename windows/security/threat-protection/microsoft-defender-atp/{whats-new-in-windows-defender-atp.md => whats-new-in-microsoft-defender-atp.md} (100%) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 316afb72b1..caca71920d 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -16,81 +16,81 @@ ##### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md) #### [Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) #### [Endpoint detection and response](microsoft-defender-atp/overview-endpoint-detection-response.md) -##### [Security operations dashboard](microsoft-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md) +##### [Security operations dashboard](microsoft-defender-atp/security-operations-dashboard.md) ##### [Incidents queue](microsoft-defender-atp/incidents-queue.md) ###### [View and organize the Incidents queue](microsoft-defender-atp/view-incidents-queue.md) -###### [Manage incidents](microsoft-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md) -###### [Investigate incidents](microsoft-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md) +###### [Manage incidents](microsoft-defender-atp/manage-incidents.md) +###### [Investigate incidents](microsoft-defender-atp/investigate-incidents.md) ##### Alerts queue -###### [View and organize the Alerts queue](microsoft-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) -###### [Manage alerts](microsoft-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md) -###### [Investigate alerts](microsoft-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md) -###### [Investigate files](microsoft-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md) -###### [Investigate machines](microsoft-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md) -###### [Investigate an IP address](microsoft-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md) -###### [Investigate a domain](microsoft-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md) -###### [Investigate a user account](microsoft-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md) +###### [View and organize the Alerts queue](microsoft-defender-atp/alerts-queue.md) +###### [Manage alerts](microsoft-defender-atp/manage-alerts.md) +###### [Investigate alerts](microsoft-defender-atp/investigate-alerts.md) +###### [Investigate files](microsoft-defender-atp/investigate-files.md) +###### [Investigate machines](microsoft-defender-atp/investigate-machines.md) +###### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md) +###### [Investigate a domain](microsoft-defender-atp/investigate-domain.md) +###### [Investigate a user account](microsoft-defender-atp/investigate-user.md) ##### Machines list -###### [View and organize the Machines list](microsoft-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md) -###### [Manage machine group and tags](microsoft-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md) -###### [Alerts related to this machine](microsoft-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine) -###### [Machine timeline](microsoft-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline) -####### [Search for specific events](microsoft-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events) -####### [Filter events from a specific date](microsoft-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date) -####### [Export machine timeline events](microsoft-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events) -####### [Navigate between pages](microsoft-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages) +###### [View and organize the Machines list](microsoft-defender-atp/machines-view-overview.md) +###### [Manage machine group and tags](microsoft-defender-atp/machine-tags.md) +###### [Alerts related to this machine](microsoft-defender-atp/investigate-machines.md#alerts-related-to-this-machine) +###### [Machine timeline](microsoft-defender-atp/investigate-machines.md#machine-timeline) +####### [Search for specific events](microsoft-defender-atp/investigate-machines.md#search-for-specific-events) +####### [Filter events from a specific date](microsoft-defender-atp/investigate-machines.md#filter-events-from-a-specific-date) +####### [Export machine timeline events](microsoft-defender-atp/investigate-machines.md#export-machine-timeline-events) +####### [Navigate between pages](microsoft-defender-atp/investigate-machines.md#navigate-between-pages) -##### [Take response actions](microsoft-defender-atp/response-actions-windows-defender-advanced-threat-protection.md) -###### [Take response actions on a machine](microsoft-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md) -####### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines) -####### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines) -####### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution) -####### [Remove app restriction](microsoft-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction) -####### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) -####### [Release machine from isolation](microsoft-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation) -####### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) +##### [Take response actions](microsoft-defender-atp/response-actions.md) +###### [Take response actions on a machine](microsoft-defender-atp/respond-machine-alerts.md) +####### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines) +####### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines) +####### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution) +####### [Remove app restriction](microsoft-defender-atp/respond-machine-alerts.md#remove-app-restriction) +####### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network) +####### [Release machine from isolation](microsoft-defender-atp/respond-machine-alerts.md#release-machine-from-isolation) +####### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center) -###### [Take response actions on a file](microsoft-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md) -####### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network) -####### [Remove file from quarantine](microsoft-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine) -####### [Block files in your network](microsoft-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network) -####### [Remove file from blocked list](microsoft-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list) -####### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) -####### [Deep analysis](microsoft-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis) -####### [Submit files for analysis](microsoft-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis) -####### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports) -####### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis) +###### [Take response actions on a file](microsoft-defender-atp/respond-file-alerts.md) +####### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network) +####### [Remove file from quarantine](microsoft-defender-atp/respond-file-alerts.md#remove-file-from-quarantine) +####### [Block files in your network](microsoft-defender-atp/respond-file-alerts.md#block-files-in-your-network) +####### [Remove file from blocked list](microsoft-defender-atp/respond-file-alerts.md#remove-file-from-blocked-list) +####### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center) +####### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis) +####### [Submit files for analysis](microsoft-defender-atp/respond-file-alerts.md#submit-files-for-analysis) +####### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports) +####### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis) -#### [Automated investigation and remediation](microsoft-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md) -##### [Learn about the automated investigation and remediation dashboard](microsoft-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md) +#### [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md) +##### [Learn about the automated investigation and remediation dashboard](microsoft-defender-atp/manage-auto-investigation.md) -#### [Secure score](microsoft-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md) +#### [Secure score](microsoft-defender-atp/overview-secure-score.md) #### [Threat analytics](microsoft-defender-atp/threat-analytics.md) -#### [Advanced hunting](microsoft-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md) -##### [Query data using Advanced hunting](microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md) -###### [Advanced hunting reference](microsoft-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md) -###### [Advanced hunting query language best practices](microsoft-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) +#### [Advanced hunting](microsoft-defender-atp/overview-hunting.md) +##### [Query data using Advanced hunting](microsoft-defender-atp/advanced-hunting.md) +###### [Advanced hunting reference](microsoft-defender-atp/advanced-hunting-reference.md) +###### [Advanced hunting query language best practices](microsoft-defender-atp/advanced-hunting-best-practices.md) ##### [Custom detections](microsoft-defender-atp/overview-custom-detections.md) ###### [Create custom detections rules](microsoft-defender-atp/custom-detection-rules.md) #### [Management and APIs](microsoft-defender-atp/management-apis.md) -##### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md) +##### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md) ##### [Windows Defender ATP APIs](microsoft-defender-atp/apis-intro.md) -##### [Managed security service provider support](microsoft-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md) +##### [Managed security service provider support](microsoft-defender-atp/mssp-support.md) #### [Microsoft threat protection](microsoft-defender-atp/threat-protection-integration.md) -##### [Protect users, data, and devices with conditional access](microsoft-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md) +##### [Protect users, data, and devices with conditional access](microsoft-defender-atp/conditional-access.md) ##### [Microsoft Cloud App Security integration overview](microsoft-defender-atp/microsoft-cloud-app-security-integration.md) ##### [Information protection in Windows overview](microsoft-defender-atp/information-protection-in-windows-overview.md) @@ -100,16 +100,16 @@ -#### [Portal overview](microsoft-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md) +#### [Portal overview](microsoft-defender-atp/portal-overview.md) ### [Get started](microsoft-defender-atp/get-started.md) -#### [What's new in Windows Defender ATP](microsoft-defender-atp/whats-new-in-windows-defender-atp.md) -#### [Minimum requirements](microsoft-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md) -#### [Validate licensing and complete setup](microsoft-defender-atp/licensing-windows-defender-advanced-threat-protection.md) -#### [Preview features](microsoft-defender-atp/preview-windows-defender-advanced-threat-protection.md) -#### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md) +#### [What's new in Windows Defender ATP](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) +#### [Minimum requirements](microsoft-defender-atp/minimum-requirements.md) +#### [Validate licensing and complete setup](microsoft-defender-atp/licensing.md) +#### [Preview features](microsoft-defender-atp/preview.md) +#### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md) #### [Assign user access to the portal](microsoft-defender-atp/assign-portal-access.md) #### [Evaluate Windows Defender ATP](microsoft-defender-atp/evaluate-atp.md) @@ -243,65 +243,65 @@ ####### [Advanced Hunting](microsoft-defender-atp/run-advanced-query-api.md) -####### [Alert](microsoft-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md) -######## [List alerts](microsoft-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md) -######## [Create alert](microsoft-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md) -######## [Update Alert](microsoft-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md) -######## [Get alert information by ID](microsoft-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) -######## [Get alert related domains information](microsoft-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md) -######## [Get alert related file information](microsoft-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md) -######## [Get alert related IPs information](microsoft-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md) -######## [Get alert related machine information](microsoft-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md) -######## [Get alert related user information](microsoft-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md) +####### [Alert](microsoft-defender-atp/alerts.md) +######## [List alerts](microsoft-defender-atp/get-alerts.md) +######## [Create alert](microsoft-defender-atp/create-alert-by-reference.md) +######## [Update Alert](microsoft-defender-atp/update-alert.md) +######## [Get alert information by ID](microsoft-defender-atp/get-alert-info-by-id.md) +######## [Get alert related domains information](microsoft-defender-atp/get-alert-related-domain-info.md) +######## [Get alert related file information](microsoft-defender-atp/get-alert-related-files-info.md) +######## [Get alert related IPs information](microsoft-defender-atp/get-alert-related-ip-info.md) +######## [Get alert related machine information](microsoft-defender-atp/get-alert-related-machine-info.md) +######## [Get alert related user information](microsoft-defender-atp/get-alert-related-user-info.md) -####### [Machine](microsoft-defender-atp/machine-windows-defender-advanced-threat-protection-new.md) -######## [List machines](microsoft-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md) -######## [Get machine by ID](microsoft-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md) -######## [Get machine log on users](microsoft-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md) -######## [Get machine related alerts](microsoft-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md) -######## [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md) -######## [Find machines by IP](microsoft-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md) +####### [Machine](microsoft-defender-atp/machine.md) +######## [List machines](microsoft-defender-atp/get-machines.md) +######## [Get machine by ID](microsoft-defender-atp/get-machine-by-id.md) +######## [Get machine log on users](microsoft-defender-atp/get-machine-log-on-users.md) +######## [Get machine related alerts](microsoft-defender-atp/get-machine-related-alerts.md) +######## [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags.md) +######## [Find machines by IP](microsoft-defender-atp/find-machines-by-ip.md) -####### [Machine Action](microsoft-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md) -######## [List Machine Actions](microsoft-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md) -######## [Get Machine Action](microsoft-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md) -######## [Collect investigation package](microsoft-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md) -######## [Get investigation package SAS URI](microsoft-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md) -######## [Isolate machine](microsoft-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md) -######## [Release machine from isolation](microsoft-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md) -######## [Restrict app execution](microsoft-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md) -######## [Remove app restriction](microsoft-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md) -######## [Run antivirus scan](microsoft-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md) -######## [Offboard machine](microsoft-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md) -######## [Stop and quarantine file](microsoft-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md) -######## [Initiate investigation (preview)](microsoft-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md) +####### [Machine Action](microsoft-defender-atp/machineaction.md) +######## [List Machine Actions](microsoft-defender-atp/get-machineactions-collection.md) +######## [Get Machine Action](microsoft-defender-atp/get-machineaction-object.md) +######## [Collect investigation package](microsoft-defender-atp/collect-investigation-package.md) +######## [Get investigation package SAS URI](microsoft-defender-atp/get-package-sas-uri.md) +######## [Isolate machine](microsoft-defender-atp/isolate-machine.md) +######## [Release machine from isolation](microsoft-defender-atp/unisolate-machine.md) +######## [Restrict app execution](microsoft-defender-atp/restrict-code-execution.md) +######## [Remove app restriction](microsoft-defender-atp/unrestrict-code-execution.md) +######## [Run antivirus scan](microsoft-defender-atp/run-av-scan.md) +######## [Offboard machine](microsoft-defender-atp/offboard-machine-api.md) +######## [Stop and quarantine file](microsoft-defender-atp/stop-and-quarantine-file.md) +######## [Initiate investigation (preview)](microsoft-defender-atp/initiate-autoir-investigation.md) -####### [Indicators (preview)](microsoft-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md) -######## [Submit Indicator](microsoft-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md) -######## [List Indicators](microsoft-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) -######## [Delete Indicator](microsoft-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) +####### [Indicators (preview)](microsoft-defender-atp/ti-indicator.md) +######## [Submit Indicator](microsoft-defender-atp/post-ti-indicator.md) +######## [List Indicators](microsoft-defender-atp/get-ti-indicators-collection.md) +######## [Delete Indicator](microsoft-defender-atp/delete-ti-indicator-by-id.md) ####### Domain -######## [Get domain related alerts](microsoft-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md) -######## [Get domain related machines](microsoft-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md) -######## [Get domain statistics](microsoft-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md) -######## [Is domain seen in organization](microsoft-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md) +######## [Get domain related alerts](microsoft-defender-atp/get-domain-related-alerts.md) +######## [Get domain related machines](microsoft-defender-atp/get-domain-related-machines.md) +######## [Get domain statistics](microsoft-defender-atp/get-domain-statistics.md) +######## [Is domain seen in organization](microsoft-defender-atp/is-domain-seen-in-org.md) -####### [File](microsoft-defender-atp/files-windows-defender-advanced-threat-protection-new.md) -######## [Get file information](microsoft-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md) -######## [Get file related alerts](microsoft-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md) -######## [Get file related machines](microsoft-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md) -######## [Get file statistics](microsoft-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md) +####### [File](microsoft-defender-atp/files.md) +######## [Get file information](microsoft-defender-atp/get-file-information.md) +######## [Get file related alerts](microsoft-defender-atp/get-file-related-alerts.md) +######## [Get file related machines](microsoft-defender-atp/get-file-related-machines.md) +######## [Get file statistics](microsoft-defender-atp/get-file-statistics.md) ####### IP -######## [Get IP related alerts](microsoft-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md) -######## [Get IP related machines](microsoft-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md) -######## [Get IP statistics](microsoft-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md) -######## [Is IP seen in organization](microsoft-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md) +######## [Get IP related alerts](microsoft-defender-atp/get-ip-related-alerts.md) +######## [Get IP related machines](microsoft-defender-atp/get-ip-related-machines.md) +######## [Get IP statistics](microsoft-defender-atp/get-ip-statistics.md) +######## [Is IP seen in organization](microsoft-defender-atp/is-ip-seen-org.md) -####### [User](microsoft-defender-atp/user-windows-defender-advanced-threat-protection-new.md) -######## [Get user related alerts](microsoft-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md) -######## [Get user related machines](microsoft-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md) +####### [User](microsoft-defender-atp/user.md) +######## [Get user related alerts](microsoft-defender-atp/get-user-related-alerts.md) +######## [Get user related machines](microsoft-defender-atp/get-user-related-machines.md) ###### How to use APIs - Samples @@ -400,7 +400,7 @@ ##### [Configure Windows Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md) -### [Troubleshoot Windows Defender ATP](microsoft-defender-atp/troubleshoot-wdatp.md) +### [Troubleshoot Windows Defender ATP](microsoft-defender-atp/troubleshoot-overview.md) ####Troubleshoot sensor state ##### [Check sensor state](microsoft-defender-atp/check-sensor-status.md) ##### [Fix unhealthy sensors](microsoft-defender-atp/fix-unhealhty-sensors.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-features.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/alerts.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/community-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/community.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/community-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/community.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/conditional.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/conditional.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-siem.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/experiment-custom-ti.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/experiment-custom-ti.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/files-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/files.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/files-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/files.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealhty-sensors.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/fix-unhealhty-sensors.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-alerts.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-file-information.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-machines.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-user-information.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/investigate-files.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/investigate-user.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/licensing-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/licensing.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/licensing-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/licensing.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/machine-groups.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/machine-reports-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/machine-reports.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/machine-tags.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/machine-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/machine.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/machineaction.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/mssp-support.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/overview-hunting.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/overview-hunting.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/portal-overview.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/powershell-example-code.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/powershell-example-code.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/preview-settings.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/preview-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/preview.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/python-example-code.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/python-example-code.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/rbac-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/rbac.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/rbac-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/rbac.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/response-actions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/response-actions.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/response-actions-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/response-actions.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/service-status-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/service-status.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/service-status-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/service-status.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/time-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/time-settings-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/time-settings.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-custom-ti.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/troubleshoot-custom-ti.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-wdatp.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/troubleshoot-wdatp.md rename to windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/troubleshoot.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/update-alert.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/use-custom-ti.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/use-custom-ti.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/use.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/use-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/use.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/user-roles-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/user-roles.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/microsoft-defender-atp/user.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/user-windows-defender-advanced-threat-protection-new.md rename to windows/security/threat-protection/microsoft-defender-atp/user.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-windows-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/whats-new-in-windows-defender-atp.md rename to windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md From 91bf200c2bbe2825c97642fd156a8ee1e6c98f6f Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 14:50:43 -0700 Subject: [PATCH 115/492] remove all instances of wdatp within topics --- .../microsoft-defender-atp/TOC.md | 360 +++++++++--------- .../add-or-remove-machine-tags.md | 4 +- .../advanced-features.md | 28 +- .../advanced-hunting-best-practices.md | 12 +- .../advanced-hunting-reference.md | 12 +- .../advanced-hunting.md | 14 +- .../microsoft-defender-atp/alerts-queue.md | 30 +- .../microsoft-defender-atp/alerts.md | 4 +- .../microsoft-defender-atp/api-hello-world.md | 14 +- .../api-portal-mapping.md | 26 +- .../microsoft-defender-atp/apis-intro.md | 30 +- .../assign-portal-access.md | 12 +- .../attack-simulations.md | 18 +- .../automated-investigations.md | 6 +- .../basic-permissions.md | 6 +- .../check-sensor-status.md | 24 +- .../collect-investigation-package.md | 4 +- .../microsoft-defender-atp/community.md | 14 +- .../microsoft-defender-atp/conditional.md | 12 +- .../configure-arcsight.md | 24 +- .../configure-conditional-access.md | 20 +- .../configure-email-notifications.md | 22 +- .../configure-endpoints-gp.md | 18 +- .../configure-endpoints-mdm.md | 18 +- .../configure-endpoints-non-windows.md | 18 +- .../configure-endpoints-sccm.md | 22 +- .../configure-endpoints-script.md | 16 +- .../configure-endpoints-vdi.md | 14 +- .../configure-endpoints.md | 10 +- .../configure-microsoft-threat-experts.md | 14 +- .../configure-mssp-support.md | 16 +- .../configure-proxy-internet.md | 40 +- .../configure-server-endpoints.md | 58 +-- .../microsoft-defender-atp/configure-siem.md | 34 +- .../configure-splunk.md | 22 +- .../create-alert-by-reference.md | 4 +- .../custom-detection-rules.md | 4 +- .../microsoft-defender-atp/custom-ti-api.md | 14 +- .../data-retention-settings.md | 14 +- .../data-storage-privacy.md | 30 +- .../defender-compatibility.md | 18 +- .../delete-ti-indicator-by-id.md | 2 +- .../microsoft-defender-atp/deprecate.md | 2 +- .../enable-custom-ti.md | 10 +- .../enable-secure-score.md | 12 +- .../enable-siem-integration.md | 20 +- .../microsoft-defender-atp/evaluate-atp.md | 12 +- .../event-error-codes.md | 96 ++--- .../experiment-custom-ti.md | 20 +- .../exposed-apis-create-app-nativeapp.md | 30 +- .../exposed-apis-create-app-webapp.md | 34 +- .../exposed-apis-full-sample-powershell.md | 12 +- .../exposed-apis-list.md | 12 +- .../exposed-apis-odata-samples.md | 12 +- .../microsoft-defender-atp/files.md | 6 +- .../find-machine-info-by-ip.md | 4 +- .../find-machines-by-ip.md | 4 +- .../fix-unhealhty-sensors.md | 28 +- .../get-alert-info-by-id.md | 4 +- .../get-alert-related-domain-info.md | 4 +- .../get-alert-related-files-info.md | 4 +- .../get-alert-related-ip-info.md | 4 +- .../get-alert-related-machine-info.md | 4 +- .../get-alert-related-user-info.md | 4 +- .../microsoft-defender-atp/get-alerts.md | 8 +- .../get-cvekbmap-collection.md | 2 +- .../get-domain-related-alerts.md | 4 +- .../get-domain-related-machines.md | 4 +- .../get-domain-statistics.md | 4 +- .../get-file-information.md | 4 +- .../get-file-related-alerts.md | 4 +- .../get-file-related-machines.md | 4 +- .../get-file-statistics.md | 4 +- .../get-ip-related-alerts.md | 4 +- .../get-ip-related-machines.md | 4 +- .../get-ip-statistics.md | 4 +- .../get-kbinfo-collection.md | 2 +- .../get-machine-by-id.md | 4 +- .../get-machine-log-on-users.md | 4 +- .../get-machine-related-alerts.md | 4 +- .../get-machineaction-object.md | 4 +- .../get-machineactions-collection.md | 8 +- .../get-machinegroups-collection.md | 2 +- .../microsoft-defender-atp/get-machines.md | 8 +- .../get-machinesecuritystates-collection.md | 2 +- .../get-package-sas-uri.md | 4 +- .../microsoft-defender-atp/get-started.md | 32 +- .../get-ti-indicators-collection.md | 2 +- .../get-user-information.md | 4 +- .../get-user-related-alerts.md | 4 +- .../get-user-related-machines.md | 4 +- .../microsoft-defender-atp/incidents-queue.md | 10 +- ...nformation-protection-in-windows-config.md | 12 +- ...ormation-protection-in-windows-overview.md | 30 +- .../initiate-autoir-investigation.md | 4 +- .../investigate-alerts.md | 22 +- .../investigate-domain.md | 22 +- .../investigate-files.md | 22 +- .../investigate-incidents.md | 10 +- .../microsoft-defender-atp/investigate-ip.md | 20 +- .../investigate-machines.md | 28 +- .../investigate-user.md | 24 +- .../is-domain-seen-in-org.md | 4 +- .../microsoft-defender-atp/is-ip-seen-org.md | 4 +- .../microsoft-defender-atp/isolate-machine.md | 4 +- .../microsoft-defender-atp/licensing.md | 30 +- .../microsoft-defender-atp/machine-groups.md | 8 +- .../microsoft-defender-atp/machine-reports.md | 6 +- .../microsoft-defender-atp/machine.md | 10 +- .../microsoft-defender-atp/machineaction.md | 4 +- .../machineactionsnote.md | 2 +- .../machines-view-overview.md | 10 +- .../microsoft-defender-atp/manage-alerts.md | 26 +- .../manage-allowed-blocked-list.md | 4 +- .../manage-auto-investigation.md | 2 +- .../manage-automation-allowed-blocked-list.md | 4 +- .../manage-automation-file-uploads.md | 4 +- .../manage-automation-folder-exclusions.md | 4 +- .../manage-incidents.md | 6 +- .../manage-suppression-rules.md | 6 +- .../microsoft-defender-atp/management-apis.md | 24 +- .../microsoft-cloud-app-security-config.md | 10 +- ...icrosoft-cloud-app-security-integration.md | 12 +- ...oft-defender-advanced-threat-protection.md | 46 +-- .../microsoft-threat-experts.md | 4 +- .../minimum-requirements.md | 16 +- .../microsoft-defender-atp/mssp-support.md | 10 +- .../offboard-machine-api.md | 6 +- .../offboard-machines.md | 10 +- .../onboard-configure.md | 46 +-- .../onboard-downlevel.md | 28 +- .../microsoft-defender-atp/onboard.md | 12 +- .../overview-attack-surface-reduction.md | 6 +- .../overview-custom-detections.md | 4 +- .../overview-endpoint-detection-response.md | 8 +- .../overview-hardware-based-isolation.md | 4 +- .../overview-hunting.md | 2 +- .../overview-secure-score.md | 2 +- .../microsoft-defender-atp/overview.md | 20 +- .../microsoft-defender-atp/portal-overview.md | 22 +- .../post-ti-indicator.md | 2 +- .../microsoft-defender-atp/powerbi-reports.md | 50 +-- .../powershell-example-code.md | 6 +- .../preferences-setup.md | 4 +- .../preview-settings.md | 20 +- .../microsoft-defender-atp/preview.md | 18 +- .../pull-alerts-using-rest-api.md | 40 +- .../python-example-code.md | 6 +- .../microsoft-defender-atp/rbac.md | 14 +- .../respond-file-alerts.md | 16 +- .../respond-machine-alerts.md | 10 +- .../response-actions.md | 8 +- .../restrict-code-execution.md | 4 +- .../run-advanced-query-api.md | 12 +- .../run-advanced-query-sample-ms-flow.md | 4 +- ...dvanced-query-sample-power-bi-app-token.md | 2 +- ...vanced-query-sample-power-bi-user-token.md | 4 +- .../run-advanced-query-sample-powershell.md | 6 +- .../run-advanced-query-sample-python.md | 6 +- .../microsoft-defender-atp/run-av-scan.md | 4 +- .../run-detection-test.md | 11 +- .../secure-score-dashboard.md | 24 +- .../security-operations-dashboard.md | 22 +- .../microsoft-defender-atp/service-status.md | 12 +- .../stop-and-quarantine-file.md | 4 +- .../supported-response-apis.md | 10 +- .../threat-analytics.md | 6 +- .../threat-indicator-concepts.md | 16 +- .../threat-protection-integration.md | 16 +- .../threat-protection-reports.md | 8 +- .../microsoft-defender-atp/ti-indicator.md | 2 +- .../microsoft-defender-atp/time-settings.md | 22 +- .../troubleshoot-custom-ti.md | 10 +- .../troubleshoot-onboarding-error-messages.md | 18 +- .../troubleshoot-onboarding.md | 62 +-- .../troubleshoot-overview.md | 10 +- .../troubleshoot-siem.md | 18 +- .../microsoft-defender-atp/troubleshoot.md | 20 +- .../unisolate-machine.md | 4 +- .../unrestrict-code-execution.md | 4 +- .../microsoft-defender-atp/update-alert.md | 4 +- .../microsoft-defender-atp/use-apis.md | 12 +- .../microsoft-defender-atp/use-custom-ti.md | 6 +- .../microsoft-defender-atp/use.md | 8 +- .../microsoft-defender-atp/user-roles.md | 6 +- .../view-incidents-queue.md | 4 +- .../whats-new-in-microsoft-defender-atp.md | 44 +-- .../windows-defender-security-center-atp.md | 8 +- 188 files changed, 1409 insertions(+), 1410 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/TOC.md b/windows/security/threat-protection/microsoft-defender-atp/TOC.md index e8ea7a0740..0dc76f0fa0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/TOC.md +++ b/windows/security/threat-protection/microsoft-defender-atp/TOC.md @@ -1,4 +1,4 @@ -# [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) +# [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md) ## [Overview](overview.md) ### [Attack surface reduction](overview-attack-surface-reduction.md) @@ -14,82 +14,82 @@ #### [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) ### [Next generation protection](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) ### [Endpoint detection and response](overview-endpoint-detection-response.md) -#### [Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md) +#### [Security operations dashboard](security-operations-dashboard.md) #### [Incidents queue](incidents-queue.md) ##### [View and organize the Incidents queue](view-incidents-queue.md) -##### [Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md) -##### [Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md) +##### [Manage incidents](manage-incidents.md) +##### [Investigate incidents](investigate-incidents.md) #### Alerts queue -##### [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) -##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) -##### [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) -##### [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) -##### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) -##### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) -##### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) -##### [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md) +##### [View and organize the Alerts queue](alerts-queue.md) +##### [Manage alerts](manage-alerts.md) +##### [Investigate alerts](investigate-alerts.md) +##### [Investigate files](investigate-files.md) +##### [Investigate machines](investigate-machines.md) +##### [Investigate an IP address](investigate-ip.md) +##### [Investigate a domain](investigate-domain.md) +##### [Investigate a user account](investigate-user.md) #### Machines list -##### [View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) -##### [Manage machine group and tags](machine-tags-windows-defender-advanced-threat-protection.md) -##### [Alerts related to this machine](investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine) -##### [Machine timeline](investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline) -###### [Search for specific events](investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events) -###### [Filter events from a specific date](investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date) -###### [Export machine timeline events](investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events) -###### [Navigate between pages](investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages) +##### [View and organize the Machines list](machines-view-overview.md) +##### [Manage machine group and tags](machine-tags.md) +##### [Alerts related to this machine](investigate-machines.md#alerts-related-to-this-machine) +##### [Machine timeline](investigate-machines.md#machine-timeline) +###### [Search for specific events](investigate-machines.md#search-for-specific-events) +###### [Filter events from a specific date](investigate-machines.md#filter-events-from-a-specific-date) +###### [Export machine timeline events](investigate-machines.md#export-machine-timeline-events) +###### [Navigate between pages](investigate-machines.md#navigate-between-pages) -#### [Take response actions](response-actions-windows-defender-advanced-threat-protection.md) -##### [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) -###### [Collect investigation package](respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines) -###### [Run antivirus scan](respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines) -###### [Restrict app execution](respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution) -###### [Remove app restriction](respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction) -###### [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) -###### [Release machine from isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation) -###### [Check activity details in Action center](respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) +#### [Take response actions](response-actions.md) +##### [Take response actions on a machine](respond-machine-alerts.md) +###### [Collect investigation package](respond-machine-alerts.md#collect-investigation-package-from-machines) +###### [Run antivirus scan](respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines) +###### [Restrict app execution](respond-machine-alerts.md#restrict-app-execution) +###### [Remove app restriction](respond-machine-alerts.md#remove-app-restriction) +###### [Isolate machines from the network](respond-machine-alerts.md#isolate-machines-from-the-network) +###### [Release machine from isolation](respond-machine-alerts.md#release-machine-from-isolation) +###### [Check activity details in Action center](respond-machine-alerts.md#check-activity-details-in-action-center) -##### [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md) -###### [Stop and quarantine files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network) -###### [Remove file from quarantine](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine) -###### [Block files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network) -###### [Remove file from blocked list](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list) -###### [Check activity details in Action center](respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) -###### [Deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis) -###### [Submit files for analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis) -###### [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports) -###### [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis) +##### [Take response actions on a file](respond-file-alerts.md) +###### [Stop and quarantine files in your network](respond-file-alerts.md#stop-and-quarantine-files-in-your-network) +###### [Remove file from quarantine](respond-file-alerts.md#remove-file-from-quarantine) +###### [Block files in your network](respond-file-alerts.md#block-files-in-your-network) +###### [Remove file from blocked list](respond-file-alerts.md#remove-file-from-blocked-list) +###### [Check activity details in Action center](respond-file-alerts.md#check-activity-details-in-action-center) +###### [Deep analysis](respond-file-alerts.md#deep-analysis) +###### [Submit files for analysis](respond-file-alerts.md#submit-files-for-analysis) +###### [View deep analysis reports](respond-file-alerts.md#view-deep-analysis-reports) +###### [Troubleshoot deep analysis](respond-file-alerts.md#troubleshoot-deep-analysis) -### [Automated investigation and remediation](automated-investigations-windows-defender-advanced-threat-protection.md) -#### [Learn about the automated investigation and remediation dashboard](manage-auto-investigation-windows-defender-advanced-threat-protection.md) +### [Automated investigation and remediation](automated-investigations.md) +#### [Learn about the automated investigation and remediation dashboard](manage-auto-investigation.md) -### [Secure score](overview-secure-score-windows-defender-advanced-threat-protection.md) +### [Secure score](overview-secure-score.md) ### [Threat analytics](threat-analytics.md) -### [Advanced hunting](overview-hunting-windows-defender-advanced-threat-protection.md) -#### [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md) -##### [Advanced hunting reference](advanced-hunting-reference-windows-defender-advanced-threat-protection.md) -##### [Advanced hunting query language best practices](advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) +### [Advanced hunting](overview-hunting.md) +#### [Query data using Advanced hunting](advanced-hunting.md) +##### [Advanced hunting reference](advanced-hunting-reference.md) +##### [Advanced hunting query language best practices](advanced-hunting-best-practices.md) #### [Custom detections](overview-custom-detections.md) #####[Create custom detections rules](custom-detection-rules.md) ### [Management and APIs](management-apis.md) -#### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -#### [Windows Defender ATP APIs](apis-intro.md) -#### [Managed security service provider support](mssp-support-windows-defender-advanced-threat-protection.md) +#### [Understand threat intelligence concepts](threat-indicator-concepts.md) +#### [Microsoft Defender ATP APIs](apis-intro.md) +#### [Managed security service provider support](mssp-support.md) ### [Microsoft Threat Protection](threat-protection-integration.md) -#### [Protect users, data, and devices with conditional access](conditional-access-windows-defender-advanced-threat-protection.md) +#### [Protect users, data, and devices with conditional access](conditional-access.md) #### [Microsoft Cloud App Security in Windows overview](microsoft-cloud-app-security-integration.md) #### [Information protection in Windows overview](information-protection-in-windows-overview.md) @@ -98,18 +98,18 @@ ### [Microsoft Threat Experts](microsoft-threat-experts.md) -### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) +### [Portal overview](portal-overview.md) ## [Get started](get-started.md) -### [What's new in Windows Defender ATP](whats-new-in-windows-defender-atp.md) -### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md) -### [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md) -### [Preview features](preview-windows-defender-advanced-threat-protection.md) -### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) -### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md) +### [What's new in Microsoft Defender ATP](whats-new-in-microsoft-defender-atp.md) +### [Minimum requirements](minimum-requirements.md) +### [Validate licensing and complete setup](licensing.md) +### [Preview features](preview.md) +### [Data storage and privacy](data-storage-privacy.md) +### [Assign user access to the portal](assign-portal-access.md) -### [Evaluate Windows Defender ATP](evaluate-atp.md) +### [Evaluate Microsoft Defender ATP](evaluate-atp.md) ####Evaluate attack surface reduction ##### [Hardware-based isolation](../windows-defender-application-guard/test-scenarios-wd-app-guard.md) ##### [Application control](../windows-defender-application-control/audit-windows-defender-application-control-policies.md) @@ -120,7 +120,7 @@ ##### [Network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md) #### [Evaluate next generation protection](../windows-defender-antivirus/evaluate-windows-defender-antivirus.md) -### [Access the Windows Defender Security Center Community Center](community-windows-defender-advanced-threat-protection.md) +### [Access the Windows Defender Security Center Community Center](community.md) ## [Configure and manage capabilities](onboard.md) ### [Configure attack surface reduction](configure-attack-surface-reduction.md) @@ -210,29 +210,29 @@ ##### [Use the mpcmdrun.exe command line tool to manage next generation protection](../windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md) -### [Configure Secure score dashboard security controls](secure-score-dashboard-windows-defender-advanced-threat-protection.md) +### [Configure Secure score dashboard security controls](secure-score-dashboard.md) ### Management and API support -#### [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) -##### [Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md) -##### [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) -###### [Onboard machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) -###### [Onboard machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) -###### [Onboard machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) -####### [Onboard machines using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-machines-using-microsoft-intune) -###### [Onboard machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) -###### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) -##### [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md) -##### [Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) -##### [Run a detection test on a newly onboarded machine](run-detection-test-windows-defender-advanced-threat-protection.md) -##### [Run simulated attacks on machines](attack-simulations-windows-defender-advanced-threat-protection.md) -##### [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) -##### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) -###### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md) +#### [Onboard machines](onboard-configure.md) +##### [Onboard previous versions of Windows](onboard-downlevel.md) +##### [Onboard Windows 10 machines](configure-endpoints.md) +###### [Onboard machines using Group Policy](configure-endpoints-gp.md) +###### [Onboard machines using System Center Configuration Manager](configure-endpoints-sccm.md) +###### [Onboard machines using Mobile Device Management tools](configure-endpoints-mdm.md) +####### [Onboard machines using Microsoft Intune](configure-endpoints-mdm.md#onboard-machines-using-microsoft-intune) +###### [Onboard machines using a local script](configure-endpoints-script.md) +###### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md) +##### [Onboard servers](configure-server-endpoints.md) +##### [Onboard non-Windows machines](configure-endpoints-non-windows.md) +##### [Run a detection test on a newly onboarded machine](run-detection-test.md) +##### [Run simulated attacks on machines](attack-simulations.md) +##### [Configure proxy and Internet connectivity settings](configure-proxy-internet.md) +##### [Troubleshoot onboarding issues](troubleshoot-onboarding.md) +###### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages.md) -#### [Windows Defender ATP API](use-apis.md) -##### [Get started with Windows Defender ATP APIs](apis-intro.md) +#### [Microsoft Defender ATP API](use-apis.md) +##### [Get started with Microsoft Defender ATP APIs](apis-intro.md) ###### [Hello World](api-hello-world.md) ###### [Get access with application context](exposed-apis-create-app-webapp.md) ###### [Get access with user context](exposed-apis-create-app-nativeapp.md) @@ -240,65 +240,65 @@ ###### [Advanced Hunting](run-advanced-query-api.md) -###### [Alert](alerts-windows-defender-advanced-threat-protection-new.md) -####### [List alerts](get-alerts-windows-defender-advanced-threat-protection-new.md) -####### [Create alert](create-alert-by-reference-windows-defender-advanced-threat-protection-new.md) -####### [Update Alert](update-alert-windows-defender-advanced-threat-protection-new.md) -####### [Get alert information by ID](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) -####### [Get alert related domains information](get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md) -####### [Get alert related file information](get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md) -####### [Get alert related IPs information](get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md) -####### [Get alert related machine information](get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md) -####### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md) +###### [Alert](alerts.md) +####### [List alerts](get-alerts.md) +####### [Create alert](create-alert-by-reference.md) +####### [Update Alert](update-alert.md) +####### [Get alert information by ID](get-alert-info-by-id.md) +####### [Get alert related domains information](get-alert-related-domain-info.md) +####### [Get alert related file information](get-alert-related-files-info.md) +####### [Get alert related IPs information](get-alert-related-ip-info.md) +####### [Get alert related machine information](get-alert-related-machine-info.md) +####### [Get alert related user information](get-alert-related-user-info.md) -###### [Machine](machine-windows-defender-advanced-threat-protection-new.md) -####### [List machines](get-machines-windows-defender-advanced-threat-protection-new.md) -####### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection-new.md) -####### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md) -####### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md) -####### [Add or Remove machine tags](add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md) -####### [Find machines by IP](find-machines-by-ip-windows-defender-advanced-threat-protection-new.md) +###### [Machine](machine.md) +####### [List machines](get-machines.md) +####### [Get machine by ID](get-machine-by-id.md) +####### [Get machine log on users](get-machine-log-on-users.md) +####### [Get machine related alerts](get-machine-related-alerts.md) +####### [Add or Remove machine tags](add-or-remove-machine-tags.md) +####### [Find machines by IP](find-machines-by-ip.md) -###### [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) -####### [List Machine Actions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md) -####### [Get Machine Action](get-machineaction-object-windows-defender-advanced-threat-protection-new.md) -####### [Collect investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md) -####### [Get investigation package SAS URI](get-package-sas-uri-windows-defender-advanced-threat-protection-new.md) -####### [Isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md) -####### [Release machine from isolation](unisolate-machine-windows-defender-advanced-threat-protection-new.md) -####### [Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection-new.md) -####### [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md) -####### [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md) -####### [Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md) -####### [Stop and quarantine file](stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md) -####### [Initiate investigation (preview)](initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md) +###### [Machine Action](machineaction.md) +####### [List Machine Actions](get-machineactions-collection.md) +####### [Get Machine Action](get-machineaction-object.md) +####### [Collect investigation package](collect-investigation-package.md) +####### [Get investigation package SAS URI](get-package-sas-uri.md) +####### [Isolate machine](isolate-machine.md) +####### [Release machine from isolation](unisolate-machine.md) +####### [Restrict app execution](restrict-code-execution.md) +####### [Remove app restriction](unrestrict-code-execution.md) +####### [Run antivirus scan](run-av-scan.md) +####### [Offboard machine](offboard-machine-api.md) +####### [Stop and quarantine file](stop-and-quarantine-file.md) +####### [Initiate investigation (preview)](initiate-autoir-investigation.md) -###### [Indicators (preview)](ti-indicator-windows-defender-advanced-threat-protection-new.md) -####### [Submit Indicator](post-ti-indicator-windows-defender-advanced-threat-protection-new.md) -####### [List Indicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) -####### [Delete Indicator](delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) +###### [Indicators (preview)](ti-indicator.md) +####### [Submit Indicator](post-ti-indicator.md) +####### [List Indicators](get-ti-indicators-collection.md) +####### [Delete Indicator](delete-ti-indicator-by-id.md) ###### Domain -####### [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md) -####### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection-new.md) -####### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection-new.md) -####### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md) +####### [Get domain related alerts](get-domain-related-alerts.md) +####### [Get domain related machines](get-domain-related-machines.md) +####### [Get domain statistics](get-domain-statistics.md) +####### [Is domain seen in organization](is-domain-seen-in-org.md) -###### [File](files-windows-defender-advanced-threat-protection-new.md) -####### [Get file information](get-file-information-windows-defender-advanced-threat-protection-new.md) -####### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection-new.md) -####### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection-new.md) -####### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection-new.md) +###### [File](files.md) +####### [Get file information](get-file-information.md) +####### [Get file related alerts](get-file-related-alerts.md) +####### [Get file related machines](get-file-related-machines.md) +####### [Get file statistics](get-file-statistics.md) ###### IP -####### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md) -####### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection-new.md) -####### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection-new.md) -####### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection-new.md) +####### [Get IP related alerts](get-ip-related-alerts.md) +####### [Get IP related machines](get-ip-related-machines.md) +####### [Get IP statistics](get-ip-statistics.md) +####### [Is IP seen in organization](is-ip-seen-org.md) -###### [User](user-windows-defender-advanced-threat-protection-new.md) -####### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md) -####### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection-new.md) +###### [User](user.md) +####### [Get user related alerts](get-user-related-alerts.md) +####### [Get user related machines](get-user-related-machines.md) ##### How to use APIs - Samples ###### Advanced Hunting API @@ -312,36 +312,36 @@ #### API for custom alerts -##### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) -##### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md) -##### [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md) -##### [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) -##### [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) -##### [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md) -##### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) +##### [Enable the custom threat intelligence application](enable-custom-ti.md) +##### [Use the threat intelligence API to create custom alerts](use-custom-ti.md) +##### [Create custom threat intelligence alerts](custom-ti-api.md) +##### [PowerShell code examples](powershell-example-code.md) +##### [Python code examples](python-example-code.md) +##### [Experiment with custom threat intelligence alerts](experiment-custom-ti.md) +##### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti.md) -#### [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md) -##### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md) -##### [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md) -##### [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) -##### [Windows Defender ATP SIEM alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) -##### [Pull alerts using SIEM REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) -##### [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) +#### [Pull alerts to your SIEM tools](configure-siem.md) +##### [Enable SIEM integration](enable-siem-integration.md) +##### [Configure Splunk to pull alerts](configure-splunk.md) +##### [Configure HP ArcSight to pull alerts](configure-arcsight.md) +##### [Microsoft Defender ATP SIEM alert API fields](api-portal-mapping.md) +##### [Pull alerts using SIEM REST API](pull-alerts-using-rest-api.md) +##### [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) #### Reporting -##### [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) -##### [Threat protection reports](threat-protection-reports-windows-defender-advanced-threat-protection.md) -##### [Machine health and compliance reports](machine-reports-windows-defender-advanced-threat-protection.md) +##### [Create and build Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) +##### [Threat protection reports](threat-protection-reports.md) +##### [Machine health and compliance reports](machine-reports.md) #### Role-based access control -##### [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md) -###### [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) -###### [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) -####### [Create and manage machine tags](machine-tags-windows-defender-advanced-threat-protection.md) +##### [Manage portal access using RBAC](rbac.md) +###### [Create and manage roles](user-roles.md) +###### [Create and manage machine groups](machine-groups.md) +####### [Create and manage machine tags](machine-tags.md) -#### [Configure managed security service provider (MSSP) support](configure-mssp-support-windows-defender-advanced-threat-protection.md) +#### [Configure managed security service provider (MSSP) support](configure-mssp-support.md) @@ -349,56 +349,56 @@ ### [Configure and manage Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) ### Configure Microsoft Threat Protection integration -#### [Configure conditional access](configure-conditional-access-windows-defender-advanced-threat-protection.md) +#### [Configure conditional access](configure-conditional-access.md) #### [Configure Microsoft Cloud App Security in Windows](microsoft-cloud-app-security-config.md) ####[Configure information protection in Windows](information-protection-in-windows-config.md) -### [Configure Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md) +### [Configure Windows Defender Security Center settings](preferences-setup.md) #### General -##### [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md) -##### [Configure alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) -##### [Enable and create Power BI reports using Windows Security app data](powerbi-reports-windows-defender-advanced-threat-protection.md) -##### [Enable Secure score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md) -##### [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md) +##### [Update data retention settings](data-retention-settings.md) +##### [Configure alert notifications](configure-email-notifications.md) +##### [Enable and create Power BI reports using Windows Security app data](powerbi-reports.md) +##### [Enable Secure score security controls](enable-secure-score.md) +##### [Configure advanced features](advanced-features.md) #### Permissions -##### [Use basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md) -##### [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md) -###### [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) -###### [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) -####### [Create and manage machine tags](machine-tags-windows-defender-advanced-threat-protection.md) +##### [Use basic permissions to access the portal](basic-permissions.md) +##### [Manage portal access using RBAC](rbac.md) +###### [Create and manage roles](user-roles.md) +###### [Create and manage machine groups](machine-groups.md) +####### [Create and manage machine tags](machine-tags.md) #### APIs -##### [Enable Threat intel](enable-custom-ti-windows-defender-advanced-threat-protection.md) -##### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md) +##### [Enable Threat intel](enable-custom-ti.md) +##### [Enable SIEM integration](enable-siem-integration.md) ####Rules -##### [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md) -##### [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md) -##### [Manage allowed/blocked lists](manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md) -##### [Manage automation file uploads](manage-automation-file-uploads-windows-defender-advanced-threat-protection.md) -##### [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md) +##### [Manage suppression rules](manage-suppression-rules.md) +##### [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list.md) +##### [Manage allowed/blocked lists](manage-allowed-blocked-list.md) +##### [Manage automation file uploads](manage-automation-file-uploads.md) +##### [Manage automation folder exclusions](manage-automation-folder-exclusions.md) ####Machine management -##### [Onboarding machines](onboard-configure-windows-defender-advanced-threat-protection.md) -##### [Offboarding machines](offboard-machines-windows-defender-advanced-threat-protection.md) +##### [Onboarding machines](onboard-configure.md) +##### [Offboarding machines](offboard-machines.md) -#### [Configure Windows Security app time zone settings](time-settings-windows-defender-advanced-threat-protection.md) +#### [Configure Windows Security app time zone settings](time-settings.md) -## [Troubleshoot Windows Defender ATP](troubleshoot-wdatp.md) +## [Troubleshoot Microsoft Defender ATP](troubleshoot-overview.md) ###Troubleshoot sensor state -#### [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md) -#### [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) -#### [Inactive machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines) -#### [Misconfigured machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines) -#### [Review sensor events and errors on machines with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) +#### [Check sensor state](check-sensor-status.md) +#### [Fix unhealthy sensors](fix-unhealhty-sensors.md) +#### [Inactive machines](fix-unhealhty-sensors.md#inactive-machines) +#### [Misconfigured machines](fix-unhealhty-sensors.md#misconfigured-machines) +#### [Review sensor events and errors on machines with Event Viewer](event-error-codes.md) -### [Troubleshoot Windows Defender ATP service issues](troubleshoot-windows-defender-advanced-threat-protection.md) -#### [Check service health](service-status-windows-defender-advanced-threat-protection.md) +### [Troubleshoot Microsoft Defender ATP service issues](troubleshoot.md) +#### [Check service health](service-status.md) ###Troubleshoot attack surface reduction #### [Network protection](../windows-defender-exploit-guard/troubleshoot-np.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md index 5ab62122e6..106306a8c5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md +++ b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md @@ -20,14 +20,14 @@ ms.topic: article **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prerelease information](prerelease.md)] - Adds or remove tag to a specific machine. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index df2d4cbab8..98b6b36f1f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md @@ -1,6 +1,6 @@ --- -title: Configure advanced features in Windows Defender ATP -description: Turn on advanced features such as block file in Windows Defender Advanced Threat Protection. +title: Configure advanced features in Microsoft Defender ATP +description: Turn on advanced features such as block file in Microsoft Defender Advanced Threat Protection. keywords: advanced features, settings, block file, automated investigation, auto-resolve, skype, azure atp, office 365, azure information protection, intune search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,14 +17,14 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Configure advanced features in Windows Defender ATP +# Configure advanced features in Microsoft Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink) -Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Windows Defender ATP with. +Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Microsoft Defender ATP with. Use the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations: @@ -69,7 +69,7 @@ The integration with Azure Advanced Threat Protection allows you to pivot direct >[!NOTE] >You'll need to have the appropriate license to enable this feature. -### Enable the Windows Defender ATP integration from the Azure ATP portal +### Enable the Microsoft Defender ATP integration from the Azure ATP portal To receive contextual machine integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal. 1. Login to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role. @@ -88,10 +88,10 @@ When you enable this feature, you'll be able to incorporate data from Office 365 >[!NOTE] >You'll need to have the appropriate license to enable this feature. -To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Windows Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512). +To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Microsoft Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512). ## Microsoft Threat Experts -This feature is currently on public preview. When you enable this feature, you'll receive targeted attack notifications from Microsoft Threat Experts through your Windows Defender ATP portal's alerts dashboard and via email if you configure it. +This feature is currently on public preview. When you enable this feature, you'll receive targeted attack notifications from Microsoft Threat Experts through your Microsoft Defender ATP portal's alerts dashboard and via email if you configure it. >[!NOTE] >This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later. @@ -99,7 +99,7 @@ This feature is currently on public preview. When you enable this feature, you'l ## Microsoft Cloud App Security -Enabling this setting forwards Windows Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data. +Enabling this setting forwards Microsoft Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data. >[!NOTE] >This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later. @@ -111,14 +111,14 @@ Turning this setting on forwards signals to Azure Information Protection, giving ## Microsoft Intune connection This feature is only available if you have an active Microsoft Intune (Intune) license. -When you enable this feature, you'll be able to share Windows Defender ATP device information to Intune and enhance policy enforcement. +When you enable this feature, you'll be able to share Microsoft Defender ATP device information to Intune and enhance policy enforcement. >[!NOTE] ->You'll need to enable the integration on both Intune and Windows Defender ATP to use this feature. +>You'll need to enable the integration on both Intune and Microsoft Defender ATP to use this feature. ## Preview features -Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience. +Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience. You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available. @@ -130,5 +130,5 @@ You'll have access to upcoming features which you can provide feedback on to hel ## Related topics - [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md) - [Configure alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) -- [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) +- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) - [Enable Secure Score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md index 6c0c82d32d..34401ec9b1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md @@ -1,5 +1,5 @@ --- -title: Advanced hunting best practices in Windows Defender ATP +title: Advanced hunting best practices in Microsoft Defender ATP description: Learn about Advanced hunting best practices such as what filters and keywords to use to effectively query data. keywords: advanced hunting, best practices, keyword, filters, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics search.product: eADQiWindows 10XVcnh @@ -18,16 +18,16 @@ ms.topic: conceptual ms.date: 04/24/2018 --- -# Advanced hunting query best practices Windows Defender ATP +# Advanced hunting query best practices Microsoft Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-abovefoldlink) ## Performance best practices The following best practices serve as a guideline of query performance best practices and for you to get faster results and be able to run complex queries. @@ -42,7 +42,7 @@ The following best practices serve as a guideline of query performance best prac ### Unique Process IDs Process IDs are recycled in Windows and reused for new processes and therefore can't serve as a unique identifier for a specific process. -To address this issue, Windows Defender ATP created the time process. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time. +To address this issue, Microsoft Defender ATP created the time process. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time. So, when you join data based on a specific process or summarize data for each process, you'll need to use a machine identifier (either MachineId or ComputerName), a process ID (ProcessId or InitiatingProcessId) and the process creation time (ProcessCreationTime or InitiatingProcessCreationTime) @@ -92,7 +92,7 @@ ProcessCreationEvents | where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc" ``` ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md index 467af897d1..fe8f545929 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md @@ -1,5 +1,5 @@ --- -title: Advanced hunting reference in Windows Defender ATP +title: Advanced hunting reference in Microsoft Defender ATP description: Learn about Advanced hunting table reference such as column name, data type, and description keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description search.product: eADQiWindows 10XVcnh @@ -18,16 +18,16 @@ ms.topic: article ms.date: 06/01/2018 --- -# Advanced hunting reference in Windows Defender ATP +# Advanced hunting reference in Microsoft Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) ## Advanced hunting column reference @@ -99,7 +99,7 @@ To effectively build queries that span multiple tables, you need to understand t | ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources. | | ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process | | Protocol | string | IP protocol used, whether TCP or UDP | -| PublicIP | string | Public IP address used by the onboarded machine to connect to the Windows Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy. | +| PublicIP | string | Public IP address used by the onboarded machine to connect to the Microsoft Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy. | | RegistryKey | string | Registry key that the recorded action was applied to | | RegistryValueData | string | Data of the registry value that the recorded action was applied to | | RegistryValueName | string | Name of the registry value that the recorded action was applied to | @@ -115,7 +115,7 @@ To effectively build queries that span multiple tables, you need to understand t | Table | string | Table that contains the details of the event | | TunnelingType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH | ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink) ## Related topic - [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md index 2665b31d0e..4d711a8fff 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md @@ -1,6 +1,6 @@ --- -title: Query data using Advanced hunting in Windows Defender ATP -description: Learn about Advanced hunting in Windows Defender ATP and how to query ATP data. +title: Query data using Advanced hunting in Microsoft Defender ATP +description: Learn about Advanced hunting in Microsoft Defender ATP and how to query ATP data. keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -18,9 +18,9 @@ ms.topic: article ms.date: 08/15/2018 --- -# Query data using Advanced hunting in Windows Defender ATP +# Query data using Advanced hunting in Microsoft Defender ATP ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) To get you started in querying your data, you can use the basic or Advanced query examples that have some preloaded queries for you to understand the basic query syntax. @@ -33,7 +33,7 @@ A typical query starts with a table name followed by a series of operators separ In the following example, we start with the table name **ProcessCreationEvents** and add piped elements as needed. -![Image of Windows Defender ATP Advanced hunting query](images/advanced-hunting-query-example.png) +![Image of Microsoft Defender ATP Advanced hunting query](images/advanced-hunting-query-example.png) First, we define a time filter to review only records from the previous seven days. @@ -127,7 +127,7 @@ The result set has several capabilities to provide you with effective investigat - Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and URL, are linked to their entity pages in Windows Defender Security Center. - You can right-click on a cell in the result set and add a filter to your written query. The current filtering options are **include**, **exclude** or **advanced filter**, which provides additional filtering options on the cell value. These cell values are part of the row set. -![Image of Windows Defender ATP Advanced hunting result set](images/atp-advanced-hunting-results-filter.png) +![Image of Microsoft Defender ATP Advanced hunting result set](images/atp-advanced-hunting-results-filter.png) ## Filter results in Advanced hunting In Advanced hunting, you can use the advanced filter on the output result set of the query. @@ -146,7 +146,7 @@ The filter selections will resolve as an additional query term and the results w Check out the [Advanced hunting repository](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). Contribute and use example queries shared by our customers. ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink) ## Related topic - [Advanced hunting reference](advanced-hunting-reference-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md index fb04442da2..86249293b6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md @@ -1,6 +1,6 @@ --- -title: View and organize the Windows Defender ATP Alerts queue -description: Learn about how the Windows Defender ATP alerts queues work, and how to sort and filter lists of alerts. +title: View and organize the Microsoft Defender ATP Alerts queue +description: Learn about how the Microsoft Defender ATP alerts queues work, and how to sort and filter lists of alerts. keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period, microsoft threat experts alerts search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -18,14 +18,14 @@ ms.topic: article ms.date: 04/24/2018 --- -# View and organize the Windows Defender Advanced Threat Protection Alerts queue +# View and organize the Microsoft Defender Advanced Threat Protection Alerts queue **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-alertsq-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-alertsq-abovefoldlink) The **Alerts queue** shows a list of alerts that were flagged from machines in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view, with the most recent alerts showing at the top of the list, helping you see the most recent alerts first. @@ -55,14 +55,14 @@ Informational
(Grey) | Informational alerts are those that might not be con #### Understanding alert severity -It is important to understand that the Windows Defender Antivirus (Windows Defender AV) and Windows Defender ATP alert severities are different because they represent different scopes. +It is important to understand that the Windows Defender Antivirus (Windows Defender AV) and Microsoft Defender ATP alert severities are different because they represent different scopes. The Windows Defender AV threat severity represents the absolute severity of the detected threat (malware), and is assigned based on the potential risk to the individual machine, if infected. -The Windows Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the machine but more importantly the potential risk to the organization. +The Microsoft Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the machine but more importantly the potential risk to the organization. So, for example: -- The severity of a Windows Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage incurred. +- The severity of a Microsoft Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage incurred. - An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as "Low" because it may have caused some damage to the individual machine but poses no organizational threat. - An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High". - Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations. @@ -94,11 +94,11 @@ Use this filter to focus on alerts that are related to high profile threats. You ## Related topics -- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) -- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) -- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) +- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) +- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) +- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) +- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) +- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) +- [Investigate a user account in Microsoft Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md index da5c717e31..d2fdf0726f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md @@ -18,11 +18,11 @@ ms.topic: article # Alert resource type **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prereleaseinformation](prerelease.md)] -Represents an alert entity in Windows Defender ATP. +Represents an alert entity in Microsoft Defender ATP. # Methods Method|Return Type |Description diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md index 9ee1dafbb9..a1fdedb347 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md @@ -16,12 +16,12 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Windows Defender ATP API - Hello World +# Microsoft Defender ATP API - Hello World **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -> Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## Get Alerts using a simple PowerShell script @@ -50,7 +50,7 @@ For the App registration stage, you must have a Global administrator role in you ![Image of Create application window](images/webapp-create.png) -4. Allow your App to access Windows Defender ATP and assign it 'Read all alerts' permission: +4. Allow your App to access Microsoft Defender ATP and assign it 'Read all alerts' permission: - Click **Settings** > **Required permissions** > **Add**. @@ -184,6 +184,6 @@ You’re all done! You have just successfully: ## Related topic -- [Windows Defender ATP APIs](exposed-apis-list.md) -- [Access Windows Defender ATP with application context](exposed-apis-create-app-webapp.md) -- [Access Windows Defender ATP with user context](exposed-apis-create-app-nativeapp.md) \ No newline at end of file +- [Microsoft Defender ATP APIs](exposed-apis-list.md) +- [Access Microsoft Defender ATP with application context](exposed-apis-create-app-webapp.md) +- [Access Microsoft Defender ATP with user context](exposed-apis-create-app-nativeapp.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md index 4520b214d1..aeb28a277e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md @@ -1,5 +1,5 @@ --- -title: Windows Defender ATP alert API fields +title: Microsoft Defender ATP alert API fields description: Understand how the alert API fields map to the values in Windows Defender Security Center keywords: alerts, alert fields, fields, api, fields, pull alerts, rest api, request, response search.product: eADQiWindows 10XVcnh @@ -18,17 +18,17 @@ ms.topic: article ms.date: 10/16/2017 --- -# Windows Defender ATP SIEM alert API fields +# Microsoft Defender ATP SIEM alert API fields **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink) Understand what data fields are exposed as part of the alerts API and how they map to Windows Defender Security Center. @@ -37,7 +37,7 @@ Understand what data fields are exposed as part of the alerts API and how they m The following table lists the available fields exposed in the alerts API payload. It shows examples for the populated values and a reference on how data is reflected on the portal. -The ArcSight field column contains the default mapping between the Windows Defender ATP fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md). +The ArcSight field column contains the default mapping between the Microsoft Defender ATP fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md). Field numbers match the numbers in the images below. @@ -47,12 +47,12 @@ Field numbers match the numbers in the images below. | 1 | AlertTitle | name | A dll was unexpectedly loaded into a high integrity process without a UAC prompt | Value available for every alert. | | 2 | Severity | deviceSeverity | Medium | Value available for every alert. | | 3 | Category | deviceEventCategory | Privilege Escalation | Value available for every alert. | -| 4 | Source | sourceServiceName | WindowsDefenderATP | Windows Defender Antivirus or Windows Defender ATP. Value available for every alert. | +| 4 | Source | sourceServiceName | WindowsDefenderATP | Windows Defender Antivirus or Microsoft Defender ATP. Value available for every alert. | | 5 | MachineName | sourceHostName | liz-bean | Value available for every alert. | | 6 | FileName | fileName | Robocopy.exe | Available for alerts associated with a file or process. | | 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for alerts associated with a file or process. | -| 8 | UserDomain | sourceNtDomain | contoso | The domain of the user context running the activity, available for Windows Defender ATP behavioral based alerts. | -| 9 | UserName | sourceUserName | liz-bean | The user context running the activity, available for Windows Defender ATP behavioral based alerts. | +| 8 | UserDomain | sourceNtDomain | contoso | The domain of the user context running the activity, available for Microsoft Defender ATP behavioral based alerts. | +| 9 | UserName | sourceUserName | liz-bean | The user context running the activity, available for Microsoft Defender ATP behavioral based alerts. | | 10 | Sha1 | fileHash | 5b4b3985339529be3151d331395f667e1d5b7f35 | Available for alerts associated with a file or process. | | 11 | Md5 | deviceCustomString5 | 55394b85cb5edddff551f6f3faa9d8eb | Available for Windows Defender AV alerts. | | 12 | Sha256 | deviceCustomString6 | 9987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5 | Available for Windows Defender AV alerts. | @@ -72,7 +72,7 @@ Field numbers match the numbers in the images below. | | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. | | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that alerts are retrieved. | | | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. | -| | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Windows Defender ATP'. | +| | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Microsoft Defender ATP'. | | | Not part of the schema | deviceVersion | | Static value in the ArcSight mapping - '2.0', used to identify the mapping versions. @@ -92,8 +92,8 @@ Field numbers match the numbers in the images below. ## Related topics -- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) -- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) -- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) -- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) +- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) +- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) +- [Configure ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) +- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) - [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md index d05ecd0f1b..1b042e2d4c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md +++ b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md @@ -1,6 +1,6 @@ --- -title: Windows Defender Advanced Threat Protection API overview -description: Learn how you can use APIs to automate workflows and innovate based on Windows Defender ATP capabilities +title: Microsoft Defender Advanced Threat Protection API overview +description: Learn how you can use APIs to automate workflows and innovate based on Microsoft Defender ATP capabilities keywords: apis, api, wdatp, open api, windows defender atp api, public api, supported apis, alerts, machine, user, domain, ip, file, advanced hunting, query search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -16,33 +16,33 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Windows Defender ATP API overview +# Microsoft Defender ATP API overview **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -> Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). +Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). In general, you’ll need to take the following steps to use the APIs: - Create an AAD application - Get an access token using this application -- Use the token to access Windows Defender ATP API +- Use the token to access Microsoft Defender ATP API -You can access Windows Defender ATP API with **Application Context** or **User Context**. +You can access Microsoft Defender ATP API with **Application Context** or **User Context**. - **Application Context: (Recommended)**
Used by apps that run without a signed-in user present. for example, apps that run as background services or daemons. - Steps that need to be taken to access Windows Defender ATP API with application context: + Steps that need to be taken to access Microsoft Defender ATP API with application context: 1. Create an AAD Web-Application. 2. Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate Machines'. 3. Create a key for this Application. 4. Get token using the application with its key. - 5. Use the token to access Windows Defender ATP API + 5. Use the token to access Microsoft Defender ATP API For more information, see [Get access with application context](exposed-apis-create-app-webapp.md). @@ -50,16 +50,16 @@ You can access Windows Defender ATP API with **Application Context** or **User C - **User Context:**
Used to perform actions in the API on behalf of a user. - Steps that needs to be taken to access Windows Defender ATP API with application context: + Steps that needs to be taken to access Microsoft Defender ATP API with application context: 1. Create AAD Native-Application. 2. Assign the desired permission to the application, e.g 'Read Alerts', 'Isolate Machines' etc. 3. Get token using the application with user credentials. - 4. Use the token to access Windows Defender ATP API + 4. Use the token to access Microsoft Defender ATP API For more information, see [Get access with user context](exposed-apis-create-app-nativeapp.md). ## Related topics -- [Windows Defender ATP APIs](exposed-apis-list.md) -- [Access Windows Defender ATP with application context](exposed-apis-create-app-webapp.md) -- [Access Windows Defender ATP with user context](exposed-apis-create-app-nativeapp.md) \ No newline at end of file +- [Microsoft Defender ATP APIs](exposed-apis-list.md) +- [Access Microsoft Defender ATP with application context](exposed-apis-create-app-webapp.md) +- [Access Microsoft Defender ATP with user context](exposed-apis-create-app-nativeapp.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md index bc87a4503f..227c780e28 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md @@ -1,6 +1,6 @@ --- title: Assign user access to Windows Defender Security Center -description: Assign read and write or read only access to the Windows Defender Advanced Threat Protection portal. +description: Assign read and write or read only access to the Microsoft Defender Advanced Threat Protection portal. keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -23,11 +23,11 @@ ms.date: 11/28/2018 **Applies to:** - Azure Active Directory - Office 365 -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) -Windows Defender ATP supports two ways to manage permissions: +Microsoft Defender ATP supports two ways to manage permissions: - **Basic permissions management**: Set permissions to either full access or read-only. - **Role-based access control (RBAC)**: Set granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to machine groups. For more information on RBAC, see [Manage portal access using role-based access control](rbac-windows-defender-advanced-threat-protection.md). @@ -35,13 +35,13 @@ Windows Defender ATP supports two ways to manage permissions: > [!NOTE] >If you have already assigned basic permissions, you may switch to RBAC anytime. Consider the following before making the switch: ->- Users with full access (users that are assigned the Global Administrator or Security Administrator directory role in Azure AD), are automatically assigned the default Windows Defender ATP administrator role, which also has full access. Additional Azure AD user groups can be assigned to the Windows Defender ATP administrator role after switching to RBAC. Only users assigned to the Windows Defender ATP administrator role can manage permissions using RBAC. +>- Users with full access (users that are assigned the Global Administrator or Security Administrator directory role in Azure AD), are automatically assigned the default Microsoft Defender ATP administrator role, which also has full access. Additional Azure AD user groups can be assigned to the Microsoft Defender ATP administrator role after switching to RBAC. Only users assigned to the Microsoft Defender ATP administrator role can manage permissions using RBAC. >- Users that have read-only access (Security Readers) will lose access to the portal until they are assigned a role. Note that only Azure AD user groups can be assigned a role under RBAC. >- After switching to RBAC, you will not be able to switch back to using basic permissions management. ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portalaccess-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portalaccess-belowfoldlink) ## Related topic - [Use basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md index a86ee0b027..9b4ee1c082 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md @@ -1,6 +1,6 @@ --- -title: Experience Windows Defender ATP through simulated attacks -description: Run the provided attack scenario simulations to experience how Windows Defender ATP can detect, investigate, and respond to breaches. +title: Experience Microsoft Defender ATP through simulated attacks +description: Run the provided attack scenario simulations to experience how Microsoft Defender ATP can detect, investigate, and respond to breaches. keywords: wdatp, test, scenario, attack, simulation, simulated, diy, windows defender advanced threat protection search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -18,23 +18,23 @@ ms.topic: article ms.date: 11/20/2018 --- -# Experience Windows Defender ATP through simulated attacks +# Experience Microsoft Defender ATP through simulated attacks **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink) >[!TIP] ->- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). ->- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). +>- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). -You might want to experience Windows Defender ATP before you onboard more than a few machines to the service. To do this, you can run controlled attack simulations on a few test machines. After running the simulated attacks, you can review how Windows Defender ATP surfaces malicious activity and explore how it enables an efficient response. +You might want to experience Microsoft Defender ATP before you onboard more than a few machines to the service. To do this, you can run controlled attack simulations on a few test machines. After running the simulated attacks, you can review how Microsoft Defender ATP surfaces malicious activity and explore how it enables an efficient response. ## Before you begin @@ -62,7 +62,7 @@ Read the walkthrough document provided with each attack scenario. Each document >Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test machine. ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-belowfoldlink) ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 8968b3b2cf..78375524ed 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -20,12 +20,12 @@ ms.date: 12/04/2018 # Overview of Automated investigations ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink) -The Windows Defender ATP service has a wide breadth of visibility on multiple machines. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. +The Microsoft Defender ATP service has a wide breadth of visibility on multiple machines. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. -To address this challenge, Windows Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. +To address this challenge, Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The Automated investigations list shows all the investigations that have been initiated automatically and shows other details such as its status, detection source, and the date for when the investigation was initiated. diff --git a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md index 7dc172d03f..ebb98886d3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md @@ -1,6 +1,6 @@ --- title: Use basic permissions to access Windows Defender Security Center -description: Assign read and write or read only access to the Windows Defender Advanced Threat Protection portal. +description: Assign read and write or read only access to the Microsoft Defender Advanced Threat Protection portal. keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -21,9 +21,9 @@ ms.topic: article **Applies to:** - Azure Active Directory -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-basicaccess-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-basicaccess-abovefoldlink) Refer to the instructions below to use basic permissions management. diff --git a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md index 007cfbede6..453a7575ed 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md +++ b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md @@ -1,5 +1,5 @@ --- -title: Check the health state of the sensor in Windows Defender ATP +title: Check the health state of the sensor in Microsoft Defender ATP description: Check the sensor health on machines to identify which ones are misconfigured, inactive, or are not reporting sensor data. keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communications, communication search.product: eADQiWindows 10XVcnh @@ -18,21 +18,21 @@ ms.topic: article ms.date: 04/24/2018 --- -# Check sensor health state in Windows Defender ATP +# Check sensor health state in Microsoft Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-checksensor-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-checksensor-abovefoldlink) -The sensor health tile provides information on the individual machine’s ability to provide sensor data and communicate with the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues. +The sensor health tile provides information on the individual machine’s ability to provide sensor data and communicate with the Microsoft Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues. There are two status indicators on the tile that provide information on the number of machines that are not reporting properly to the service: -- **Misconfigured** - These machines might partially be reporting sensor data to the Windows Defender ATP service and might have configuration errors that need to be corrected. -- **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service for more than seven days in the past month. +- **Misconfigured** - These machines might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected. +- **Inactive** - Machines that have stopped reporting to the Microsoft Defender ATP service for more than seven days in the past month. Clicking any of the groups directs you to Machines list, filtered according to your choice. @@ -40,16 +40,16 @@ Clicking any of the groups directs you to Machines list, filtered according to y You can also download the entire list in CSV format using the **Export to CSV** feature. For more information on filters, see [View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md). You can filter the health state list by the following status: -- **Active** - Machines that are actively reporting to the Windows Defender ATP service. -- **Misconfigured** - These machines might partially be reporting sensor data to the Windows Defender ATP service but have configuration errors that need to be corrected. Misconfigured machines can have either one or a combination of the following issues: +- **Active** - Machines that are actively reporting to the Microsoft Defender ATP service. +- **Misconfigured** - These machines might partially be reporting sensor data to the Microsoft Defender ATP service but have configuration errors that need to be corrected. Misconfigured machines can have either one or a combination of the following issues: - **No sensor data** - Machines has stopped sending sensor data. Limited alerts can be triggered from the machine. - **Impaired communications** - Ability to communicate with machine is impaired. Sending files for deep analysis, blocking files, isolating machine from network and other actions that require communication with the machine may not work. -- **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service. +- **Inactive** - Machines that have stopped reporting to the Microsoft Defender ATP service. You can view the machine details when you click on a misconfigured or inactive machine. You’ll see more specific machine information when you click the information icon. -![Windows Defender ATP sensor filter](images/atp-machine-health-details.png) +![Microsoft Defender ATP sensor filter](images/atp-machine-health-details.png) In the **Machines list**, you can download a full list of all the machines in your organization in a CSV format. @@ -57,4 +57,4 @@ In the **Machines list**, you can download a full list of all the machines in yo >Export the list in CSV format to display the unfiltered data. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on how large your organization is. ## Related topic -- [Fix unhealthy sensors in Windows Defender ATP](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) +- [Fix unhealthy sensors in Microsoft Defender ATP](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md index 70fb7fe34a..133ce6e86c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md +++ b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md @@ -19,7 +19,7 @@ ms.date: 12/08/2017 # Collect investigation package API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] @@ -28,7 +28,7 @@ Collect investigation package from a machine. [!include[Machine actions note](machineactionsnote.md)] ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/community.md b/windows/security/threat-protection/microsoft-defender-atp/community.md index 35ed4d4458..a70adba5f5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/community.md +++ b/windows/security/threat-protection/microsoft-defender-atp/community.md @@ -1,6 +1,6 @@ --- -title: Access the Windows Defender ATP Community Center -description: Access the Windows Defender ATP Community Center to share experiences, engange, and learn about the product. +title: Access the Microsoft Defender ATP Community Center +description: Access the Microsoft Defender ATP Community Center to share experiences, engange, and learn about the product. keywords: community, community center, tech community, conversation, announcements search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -19,14 +19,14 @@ ms.date: 04/24/2018 --- -# Access the Windows Defender ATP Community Center +# Access the Microsoft Defender ATP Community Center **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -The Windows Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product. +The Microsoft Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product. There are several spaces you can explore to learn about specific information: - Announcements @@ -35,8 +35,8 @@ There are several spaces you can explore to learn about specific information: There are several ways you can access the Community Center: -- In the Windows Defender Security Center navigation pane, select **Community center**. A new browser tab opens and takes you to the Windows Defender ATP Tech Community page. -- Access the community through the [Windows Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced) page +- In the Windows Defender Security Center navigation pane, select **Community center**. A new browser tab opens and takes you to the Microsoft Defender ATP Tech Community page. +- Access the community through the [Microsoft Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced) page You can instantly view and read conversations that have been posted in the community. diff --git a/windows/security/threat-protection/microsoft-defender-atp/conditional.md b/windows/security/threat-protection/microsoft-defender-atp/conditional.md index d3dff32b11..eba91e7d07 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/conditional.md +++ b/windows/security/threat-protection/microsoft-defender-atp/conditional.md @@ -20,11 +20,11 @@ ms.topic: article # Enable conditional access to better protect users, devices, and data **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-abovefoldlink) Conditional access is a capability that helps you better protect your users and enterprise information by making sure that only secure devices have access to applications. @@ -32,7 +32,7 @@ With conditional access, you can control access to enterprise information based You can define security conditions under which devices and applications can run and access information from your network by enforcing policies to stop applications from running until a device returns to a compliant state. -The implementation of conditional access in Windows Defender ATP is based on Microsoft Intune (Intune) device compliance policies and Azure Active Directory (Azure AD) conditional access policies. +The implementation of conditional access in Microsoft Defender ATP is based on Microsoft Intune (Intune) device compliance policies and Azure Active Directory (Azure AD) conditional access policies. The compliance policy is used with conditional access to allow only devices that fulfill one or more device compliance policy rules to access applications. @@ -62,15 +62,15 @@ When the risk is removed either through manual or automated remediation, the dev The following example sequence of events explains conditional access in action: -1. A user opens a malicious file and Windows Defender ATP flags the device as high risk. +1. A user opens a malicious file and Microsoft Defender ATP flags the device as high risk. 2. The high risk assessment is passed along to Intune. In parallel, an automated investigation is initiated to remediate the identified threat. A manual remediation can also be done to remediate the identified threat. 3. Based on the policy created in Intune, the device is marked as not compliant. The assessment is then communicated to Azure AD by the Intune conditional access policy. In Azure AD, the corresponding policy is applied to block access to applications. -4. The manual or automated investigation and remediation is completed and the threat is removed. Windows Defender ATP sees that there is no risk on the device and Intune assesses the device to be in a compliant state. Azure AD applies the policy which allows access to applications. +4. The manual or automated investigation and remediation is completed and the threat is removed. Microsoft Defender ATP sees that there is no risk on the device and Intune assesses the device to be in a compliant state. Azure AD applies the policy which allows access to applications. 5. Users can now access applications. ## Related topic -- [Configure conditional access in Windows Defender ATP](configure-conditional-access-windows-defender-advanced-threat-protection.md) +- [Configure conditional access in Microsoft Defender ATP](configure-conditional-access-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md index d418764a45..2b787f64c8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md @@ -1,5 +1,5 @@ --- -title: Configure HP ArcSight to pull Windows Defender ATP alerts +title: Configure HP ArcSight to pull Microsoft Defender ATP alerts description: Configure HP ArcSight to receive and pull alerts from Windows Defender Security Center keywords: configure hp arcsight, security information and events management tools, arcsight search.product: eADQiWindows 10XVcnh @@ -18,25 +18,25 @@ ms.topic: article ms.date: 12/20/2018 --- -# Configure HP ArcSight to pull Windows Defender ATP alerts +# Configure HP ArcSight to pull Microsoft Defender ATP alerts **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink) -You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Windows Defender ATP alerts. +You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Microsoft Defender ATP alerts. ## Before you begin Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse alerts from your Azure Active Directory (AAD) application. This section guides you in getting the necessary information to set and use the required configuration files correctly. -- Make sure you have enabled the SIEM integration feature from the **Settings** menu. For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md). +- Make sure you have enabled the SIEM integration feature from the **Settings** menu. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md). - Have the file you saved from enabling the SIEM integration feature ready. You'll need to get the following values: - OAuth 2.0 Token refresh URL @@ -107,7 +107,7 @@ The following steps assume that you have completed all the required steps in [Be - @@ -160,11 +160,11 @@ If the `redirect_uri` is a https URL, you'll be redirected to a URL on the local 9. Navigate to **Active channel set** > **New Condition** > **Device** > **Device Product**. -10. Set **Device Product = Windows Defender ATP**. When you've verified that events are flowing to the tool, stop the process again and go to Windows Services and start the ArcSight FlexConnector REST. +10. Set **Device Product = Microsoft Defender ATP**. When you've verified that events are flowing to the tool, stop the process again and go to Windows Services and start the ArcSight FlexConnector REST. You can now run queries in the HP ArcSight console. -Windows Defender ATP alerts will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name. +Microsoft Defender ATP alerts will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name. ## Troubleshooting HP ArcSight connection @@ -187,7 +187,7 @@ Windows Defender ATP alerts will appear as discrete events, with "Microsoft” a > Verify that the connector is running by stopping the process again. Then start the connector again, and no browser window should appear. ## Related topics -- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) -- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) -- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) +- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) +- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) +- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) - [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md index cd442ff5d6..e599ecf7be 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md @@ -1,5 +1,5 @@ --- -title: Configure conditional access in Windows Defender ATP +title: Configure conditional access in Microsoft Defender ATP description: keywords: search.product: eADQiWindows 10XVcnh @@ -18,9 +18,9 @@ ms.topic: article ms.date: 09/03/2018 --- -# Configure conditional access in Windows Defender ATP +# Configure conditional access in Microsoft Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) This section guides you through all the steps you need to take to properly implement conditional access. @@ -45,7 +45,7 @@ There are steps you'll need to take in Windows Defender Security Center, the Int Take the following steps to enable conditional access: - Step 1: Turn on the Microsoft Intune connection from Windows Defender Security Center -- Step 2: Turn on the Windows Defender ATP integration in Intune +- Step 2: Turn on the Microsoft Defender ATP integration in Intune - Step 3: Create the compliance policy in Intune - Step 4: Assign the policy - Step 5: Create an Azure AD conditional access policy @@ -57,10 +57,10 @@ Take the following steps to enable conditional access: 3. Click **Save preferences**. -### Step 2: Turn on the Windows Defender ATP integration in Intune +### Step 2: Turn on the Microsoft Defender ATP integration in Intune 1. Sign in to the [Azure portal](https://portal.azure.com). -2. Select **Device compliance** > **Windows Defender ATP**. -3. Set **Connect Windows 10.0.15063+ devices to Windows Defender Advanced Threat Protection** to **On**. +2. Select **Device compliance** > **Microsoft Defender ATP**. +3. Set **Connect Windows 10.0.15063+ devices to Microsoft Defender Advanced Threat Protection** to **On**. 4. Click **Save**. @@ -80,7 +80,7 @@ Take the following steps to enable conditional access: ### Step 4: Assign the policy 1. In the [Azure portal](https://portal.azure.com), select **All services**, filter on **Intune**, and select **Microsoft Intune**. -2. Select **Device compliance** > **Policies**> select your Windows Defender ATP compliance policy. +2. Select **Device compliance** > **Policies**> select your Microsoft Defender ATP compliance policy. 3. Select **Assignments**. 4. Include or exclude your Azure AD groups to assign them the policy. 5. To deploy the policy to the groups, select **Save**. The user devices targeted by the policy are evaluated for compliance. @@ -96,6 +96,6 @@ Take the following steps to enable conditional access: 6. Select **Enable policy**, and then **Create** to save your changes. -For more information, see [Enable Windows Defender ATP with conditional access in Intune](https://docs.microsoft.com/intune/advanced-threat-protection). +For more information, see [Enable Microsoft Defender ATP with conditional access in Intune](https://docs.microsoft.com/intune/advanced-threat-protection). ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md index 2d843ca2bd..5352b16859 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md @@ -1,6 +1,6 @@ --- -title: Configure alert notifications in Windows Defender ATP -description: Send email notifications to specified recipients to receive new alerts based on severity with Windows Defender ATP on Windows 10 Enterprise, Pro, and Education editions. +title: Configure alert notifications in Microsoft Defender ATP +description: Send email notifications to specified recipients to receive new alerts based on severity with Microsoft Defender ATP on Windows 10 Enterprise, Pro, and Education editions. keywords: email notifications, configure alert notifications, windows defender atp notifications, windows defender atp alerts, windows 10 enterprise, windows 10 education search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -18,15 +18,15 @@ ms.topic: article ms.date: 10/08/2018 --- -# Configure alert notifications in Windows Defender ATP +# Configure alert notifications in Microsoft Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-emailconfig-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-emailconfig-abovefoldlink) -You can configure Windows Defender ATP to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity. +You can configure Microsoft Defender ATP to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity. > [!NOTE] > Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications. @@ -55,7 +55,7 @@ You can create rules that determine the machines and alert severities to send em - **Include machine information** - Includes the machine name in the email alert body. >[!NOTE] - > This information might be processed by recipient mail servers that ar not in the geographic location you have selected for your Windows Defender ATP data. + > This information might be processed by recipient mail servers that ar not in the geographic location you have selected for your Microsoft Defender ATP data. - **Machines** - Choose whether to notify recipients for alerts on all machines (Global administrator role only) or on selected machine groups. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md). - **Alert severity** - Choose the alert severity level. @@ -94,12 +94,12 @@ This section lists various issues that you may encounter when using email notifi **Solution:** Make sure that the notifications are not blocked by email filters: -1. Check that the Windows Defender ATP email notifications are not sent to the Junk Email folder. Mark them as Not junk. -2. Check that your email security product is not blocking the email notifications from Windows Defender ATP. -3. Check your email application rules that might be catching and moving your Windows Defender ATP email notifications. +1. Check that the Microsoft Defender ATP email notifications are not sent to the Junk Email folder. Mark them as Not junk. +2. Check that your email security product is not blocking the email notifications from Microsoft Defender ATP. +3. Check your email application rules that might be catching and moving your Microsoft Defender ATP email notifications. ## Related topics - [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md) -- [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) +- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) - [Enable Secure Score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md) - [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md index a2e8e2a9d2..24f3338a41 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md @@ -1,7 +1,7 @@ --- -title: Onboard Windows 10 machines using Group Policy to Windows Defender ATP +title: Onboard Windows 10 machines using Group Policy to Microsoft Defender ATP description: Use Group Policy to deploy the configuration package on Windows 10 machines so that they are onboarded to the service. -keywords: configure machines using group policy, machine management, configure Windows ATP machines, onboard Windows Defender Advanced Threat Protection machines, group policy +keywords: configure machines using group policy, machine management, configure Windows ATP machines, onboard Microsoft Defender Advanced Threat Protection machines, group policy search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -24,12 +24,12 @@ ms.date: 04/24/2018 - Group Policy -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsgp-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsgp-abovefoldlink) > [!NOTE] @@ -63,9 +63,9 @@ ms.date: 04/24/2018 9. Click **OK** and close any open GPMC windows. >[!TIP] -> After onboarding the machine, you can choose to run a detection test to verify that the machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md). +> After onboarding the machine, you can choose to run a detection test to verify that the machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md). -## Additional Windows Defender ATP configuration settings +## Additional Microsoft Defender ATP configuration settings For each machine, you can state whether samples can be collected from the machine when a request is made through Windows Defender Security Center to submit a file for deep analysis. You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature. @@ -84,7 +84,7 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa 4. Click **Policies**, then **Administrative templates**. -5. Click **Windows components** and then **Windows Defender ATP**. +5. Click **Windows components** and then **Microsoft Defender ATP**. 6. Choose to enable or disable sample sharing from your machines. @@ -145,5 +145,5 @@ With Group Policy there isn’t an option to monitor deployment of policies on t - [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) - [Onboard Windows 10 machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) - [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) -- [Run a detection test on a newly onboarded Windows Defender ATP machines](run-detection-test-windows-defender-advanced-threat-protection.md) -- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) +- [Run a detection test on a newly onboarded Microsoft Defender ATP machines](run-detection-test-windows-defender-advanced-threat-protection.md) +- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md index 57ba954930..79a5287504 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md @@ -1,7 +1,7 @@ --- title: Onboard Windows 10 machines using Mobile Device Management tools description: Use Mobile Device Management tools to deploy the configuration package on machines so that they are onboarded to the service. -keywords: onboard machines using mdm, machine management, onboard Windows ATP machines, onboard Windows Defender Advanced Threat Protection machines, mdm +keywords: onboard machines using mdm, machine management, onboard Windows ATP machines, onboard Microsoft Defender Advanced Threat Protection machines, mdm search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -23,13 +23,13 @@ ms.date: 12/06/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink) -You can use mobile device management (MDM) solutions to configure machines. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage machines. +You can use mobile device management (MDM) solutions to configure machines. Microsoft Defender ATP supports MDMs by providing OMA-URIs to create policies to manage machines. -For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). +For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). ## Before you begin If you're using Microsoft Intune, you must have the device MDM Enrolled. Otherwise, settings will not be applied successfully. @@ -40,7 +40,7 @@ For more information on enabling MDM with Microsoft Intune, see [Setup Windows D Follow the instructions from [Intune](https://docs.microsoft.com/intune/advanced-threat-protection). -For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). +For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). > [!NOTE] @@ -49,7 +49,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre >[!TIP] -> After onboarding the machine, you can choose to run a detection test to verify that a machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md). +> After onboarding the machine, you can choose to run a detection test to verify that a machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md). ## Offboard and monitor machines using Mobile Device Management tools For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. @@ -83,5 +83,5 @@ For security reasons, the package used to Offboard machines will expire 30 days - [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) - [Onboard Windows 10 machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) - [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) -- [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md) -- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) +- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md) +- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md index de556b2903..f431da0f01 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md @@ -1,7 +1,7 @@ --- -title: Onboard non-Windows machines to the Windows Defender ATP service -description: Configure non-Winodws machines so that they can send sensor data to the Windows Defender ATP service. -keywords: onboard non-Windows machines, macos, linux, machine management, configure Windows ATP machines, configure Windows Defender Advanced Threat Protection machines +title: Onboard non-Windows machines to the Microsoft Defender ATP service +description: Configure non-Winodws machines so that they can send sensor data to the Microsoft Defender ATP service. +keywords: onboard non-Windows machines, macos, linux, machine management, configure Windows ATP machines, configure Microsoft Defender Advanced Threat Protection machines search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -22,15 +22,15 @@ ms.topic: article - macOS - Linux -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-nonwindows-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-nonwindows-abovefoldlink) -Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products’ sensor data. +Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products’ sensor data. -You'll need to know the exact Linux distros and macOS versions that are compatible with Windows Defender ATP for the integration to work. +You'll need to know the exact Linux distros and macOS versions that are compatible with Microsoft Defender ATP for the integration to work. You'll need to take the following steps to onboard non-Windows machines: 1. Turn on third-party integration @@ -55,7 +55,7 @@ You'll need to take the following steps to onboard non-Windows machines: ### Run detection test Create an EICAR test file by saving the string displayed on the portal in an empty text file. Then, introduce the test file to a machine running the third-party antivirus solution. -The file should trigger a detection and a corresponding alert on Windows Defender ATP. +The file should trigger a detection and a corresponding alert on Microsoft Defender ATP. ## Offboard non-Windows machines To effectively offboard the machine from the service, you'll need to disable the data push on the third-party portal first then switch the toggle to off in Windows Defender Security Center. The toggle in the portal only blocks the data inbound flow. @@ -74,4 +74,4 @@ To effectively offboard the machine from the service, you'll need to disable the - [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) - [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md) - [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) -- [Troubleshooting Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md index 4d6b519e13..8a91ad835d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md @@ -1,7 +1,7 @@ --- title: Onboard Windows 10 machines using System Center Configuration Manager description: Use System Center Configuration Manager to deploy the configuration package on machines so that they are onboarded to the service. -keywords: onboard machines using sccm, machine management, configure Windows ATP machines, configure Windows Defender Advanced Threat Protection machines, sccm +keywords: onboard machines using sccm, machine management, configure Windows ATP machines, configure Microsoft Defender Advanced Threat Protection machines, sccm search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -23,16 +23,16 @@ ms.date: 12/11/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - System Center 2012 Configuration Manager or later versions ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink) ## Onboard Windows 10 machines using System Center Configuration Manager (current branch) version 1606 -System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on machines. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682). +System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support for configuring and managing Microsoft Defender ATP on machines. For more information, see [Support for Microsoft Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682). >[!NOTE] > If you’re using SCCM client version 1606 with server version 1610 or above, you must upgrade the client version to match the server version. @@ -66,10 +66,10 @@ You can use existing System Center Configuration Manager functionality to create a. Choose a predefined device collection to deploy the package to. > [!NOTE] -> Windows Defender ATP doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/en-us/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading. +> Microsoft Defender ATP doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/en-us/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading. >[!TIP] -> After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md). +> After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md). ### Configure sample collection settings For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Windows Defender Security Center to submit a file for deep analysis. @@ -128,7 +128,7 @@ Monitoring with SCCM consists of two parts: 1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the machines in your network. -2. Checking that the machines are compliant with the Windows Defender ATP service (this ensures the machine can complete the onboarding process and can continue to report data to the service). +2. Checking that the machines are compliant with the Microsoft Defender ATP service (this ensures the machine can complete the onboarding process and can continue to report data to the service). **To confirm the configuration package has been correctly deployed:** @@ -140,11 +140,11 @@ Monitoring with SCCM consists of two parts: 4. Review the status indicators under **Completion Statistics** and **Content Status**. -If there are failed deployments (machines with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the machines. For more information see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md). +If there are failed deployments (machines with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the machines. For more information see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md). ![SCCM showing successful deployment with no errors](images/sccm-deployment.png) -**Check that the machines are compliant with the Windows Defender ATP service:**
+**Check that the machines are compliant with the Microsoft Defender ATP service:**
You can set a compliance rule for configuration item in System Center Configuration Manager to monitor your deployment. This rule should be a *non-remediating* compliance rule configuration item that monitors the value of a registry key on targeted machines. @@ -162,5 +162,5 @@ For more information about System Center Configuration Manager Compliance see [G - [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) - [Onboard Windows 10 machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) - [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) -- [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md) -- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) +- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md) +- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md index fee63e07dd..9b0d319050 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md @@ -1,7 +1,7 @@ --- title: Onboard Windows 10 machines using a local script description: Use a local script to deploy the configuration package on machines so that they are onboarded to the service. -keywords: configure machines using a local script, machine management, configure Windows ATP machines, configure Windows Defender Advanced Threat Protection machines +keywords: configure machines using a local script, machine management, configure Windows ATP machines, configure Microsoft Defender Advanced Threat Protection machines search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -22,14 +22,14 @@ ms.topic: article **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) -You can also manually onboard individual machines to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all machines in your network. +You can also manually onboard individual machines to Microsoft Defender ATP. You might want to do this first when testing the service before you commit to onboarding all machines in your network. > [!NOTE] > The script has been optimized to be used on a limited number of machines (1-10 machines). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Onboard Window 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). @@ -60,11 +60,11 @@ You can also manually onboard individual machines to Windows Defender ATP. You m 5. Press the **Enter** key or click **OK**. -For information on how you can manually validate that the machine is compliant and correctly reports sensor data see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md). +For information on how you can manually validate that the machine is compliant and correctly reports sensor data see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md). >[!TIP] -> After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md). +> After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md). ## Configure sample collection settings For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Windows Defender Security Center to submit a file for deep analysis. @@ -139,5 +139,5 @@ Monitoring can also be done directly on the portal, or by using the different de - [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) - [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) - [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) -- [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md) -- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) +- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md) +- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md index 8ee8615f84..be05604d0b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md @@ -1,7 +1,7 @@ --- title: Onboard non-persistent virtual desktop infrastructure (VDI) machines -description: Deploy the configuration package on virtual desktop infrastructure (VDI) machine so that they are onboarded to Windows Defender ATP the service. -keywords: configure virtual desktop infrastructure (VDI) machine, vdi, machine management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints +description: Deploy the configuration package on virtual desktop infrastructure (VDI) machine so that they are onboarded to Microsoft Defender ATP the service. +keywords: configure virtual desktop infrastructure (VDI) machine, vdi, machine management, configure Windows ATP endpoints, configure Microsoft Defender Advanced Threat Protection endpoints search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -25,15 +25,15 @@ ms.date: 04/24/2018 ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configvdi-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configvdi-abovefoldlink) ## Onboard non-persistent virtual desktop infrastructure (VDI) machines -Windows Defender ATP supports non-persistent VDI session onboarding. There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario: +Microsoft Defender ATP supports non-persistent VDI session onboarding. There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario: - Instant early onboarding of a short living session - - A session should be onboarded to Windows Defender ATP prior to the actual provisioning. + - A session should be onboarded to Microsoft Defender ATP prior to the actual provisioning. - Machine name persistence - The machine names are typically reused for new sessions. One may ask to have them as a single machine entry while others may prefer to have multiple entries per machine name. @@ -41,7 +41,7 @@ Windows Defender ATP supports non-persistent VDI session onboarding. There might You can onboard VDI machines using a single entry or multiple entries for each machine. The following steps will guide you through onboarding VDI machines and will highlight steps for single and multiple entries. >[!WARNING] -> For environments where there are low resource configurations, the VDI boot proceedure might slow the Windows Defender ATP sensor onboarding. +> For environments where there are low resource configurations, the VDI boot proceedure might slow the Microsoft Defender ATP sensor onboarding. 1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Windows Defender Security Center](https://securitycenter.windows.com/): @@ -95,6 +95,6 @@ You can onboard VDI machines using a single entry or multiple entries for each m - [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) - [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) - [Onboard Windows 10 machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) -- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) +- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md index dc4a53e6ea..69ddf03031 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md @@ -1,6 +1,6 @@ --- -title: Onboard Windows 10 machines on Windows Defender ATP -description: Onboard Windows 10 machines so that they can send sensor data to the Windows Defender ATP sensor +title: Onboard Windows 10 machines on Microsoft Defender ATP +description: Onboard Windows 10 machines so that they can send sensor data to the Microsoft Defender ATP sensor keywords: Onboard Windows 10 machines, group policy, system center configuration manager, mobile device management, local script, gp, sccm, mdm, intune search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -23,11 +23,11 @@ ms.date: 07/12/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Machines in your organization must be configured so that the Windows Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the machines in your organization. +Machines in your organization must be configured so that the Microsoft Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the machines in your organization. The following deployment tools and methods are supported: @@ -46,4 +46,4 @@ Topic | Description [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) | Learn how to use the configuration package to configure VDI machines. ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink) \ No newline at end of file +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md index 8e6edc791b..0f0180a75a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md @@ -21,18 +21,18 @@ ms.date: 02/28/2019 # Configure and manage Microsoft Threat Experts capabilities **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prerelease�information](prerelease.md)] ## Before you begin -To experience the full Microsoft Threat Experts preview capability in Windows Defender ATP, you need to have a valid Premier customer service and support account. However, Premier charges will not be incurred during the preview. +To experience the full Microsoft Threat Experts preview capability in Microsoft Defender ATP, you need to have a valid Premier customer service and support account. However, Premier charges will not be incurred during the preview. -You also need to ensure that you have Windows Defender ATP deployed in your environment with machines enrolled, and not just on a laboratory set-up. +You also need to ensure that you have Microsoft Defender ATP deployed in your environment with machines enrolled, and not just on a laboratory set-up. ## Register to Microsoft Threat Experts preview -If you're already a Windows Defender ATP customer, you can apply for preview through the Windows Defender ATP portal. +If you're already a Microsoft Defender ATP customer, you can apply for preview through the Microsoft Defender ATP portal. 1. From the navigation pane, go to **Settings > General > Advanced features > Threat Experts**. @@ -50,7 +50,7 @@ If you're already a Windows Defender ATP customer, you can apply for preview thr ## Receive targeted attack notification from Microsoft Threat Experts You can receive targeted attack notification from Microsoft Threat Experts through the following: -- The Windows Defender ATP portal's **Alerts** dashboard +- The Microsoft Defender ATP portal's **Alerts** dashboard - Your email, if you choose to configure it To receive targeted attack notifications through email, you need to create an email notification rule. @@ -83,13 +83,13 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w **Step 2: Open a support ticket** >[!NOTE] - >To experience the full Microsoft Threat Experts preview capability in Windows Defender ATP, you need to have a Premier customer service and support account. However, you will not be charged for the Experts-on-demand service during the preview. + >To experience the full Microsoft Threat Experts preview capability in Microsoft Defender ATP, you need to have a Premier customer service and support account. However, you will not be charged for the Experts-on-demand service during the preview. a. In the **New support request** customer support page, select the following from the dropdown menu and then click **Next**:
**Select the product family**: **Security**
**Select a product**: **Microsoft Threat Experts**
- **Select a category that best describes the issue**: **Windows Defender ATP**
+ **Select a category that best describes the issue**: **Microsoft Defender ATP**
**Select a problem that best describes the issue**: Choose according to your inquiry category
b. Fill out the fields with the necessary information about the issue and use the auto-generated ID when you open a Customer Services and Support (CSS) ticket. Then, click **Next**.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md index 738c8f0548..3dd2f86f1f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md @@ -1,6 +1,6 @@ --- title: Configure managed security service provider support -description: Take the necessary steps to configure the MSSP integration with Windows Defender ATP +description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP keywords: managed security service provider, mssp, configure, integration search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -21,9 +21,9 @@ ms.date: 09/03/2018 # Configure managed security service provider integration **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink) [!include[Prerelease information](prerelease.md)] @@ -39,7 +39,7 @@ The integration will allow MSSPs to take the following actions: - Get email notifications, and - Fetch alerts through security information and event management (SIEM) tools -Before MSSPs can take these actions, the MSSP customer will need to grant access to their Windows Defender ATP tenant so that the MSSP can access the portal. +Before MSSPs can take these actions, the MSSP customer will need to grant access to their Microsoft Defender ATP tenant so that the MSSP can access the portal. Typically, MSSP customers take the initial configuration steps to grant MSSPs access to their Windows Defender Security Central tenant. After access is granted, other configuration steps can be done by either the MSSP customer or the MSSP. @@ -47,7 +47,7 @@ Typically, MSSP customers take the initial configuration steps to grant MSSPs ac In general, the following configuration steps need to be taken: - **Grant the MSSP access to Windows Defender Security Center**
-This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Windows Defender ATP tenant. +This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Microsoft Defender ATP tenant. - **Configure alert notifications sent to MSSPs**
This action can be taken by either the MSSP customer or MSSP. This lets the MSSPs know what alerts they need to address for the MSSP customer. @@ -85,7 +85,7 @@ Granting access to guest user is done the same way as granting access to a user If you're using basic permissions to access the portal, the guest user must be assigned a Security Administrator role in **your** tenant. For more information, see [Use basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md). -If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Windows Defender ATP, see [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md). +If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Microsoft Defender ATP, see [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md). >[!NOTE] >There is no difference between the Member user and Guest user roles from RBAC perspective. @@ -147,7 +147,7 @@ Step 3: Whitelist your application on Windows Defender Security Center ### Step 1: Create an application in Azure Active Directory (Azure AD) -You'll need to create an application and grant it permissions to fetch alerts from your customer's Windows Defender ATP tenant. +You'll need to create an application and grant it permissions to fetch alerts from your customer's Microsoft Defender ATP tenant. 1. Sign in to the [Azure AD portal](https://aad.portal.azure.com/). @@ -272,7 +272,7 @@ You'll need to have **Manage portal system settings** permission to whitelist th 5. Click **Authorize application**. -You can now download the relevant configuration file for your SIEM and connect to the Windows Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md). +You can now download the relevant configuration file for your SIEM and connect to the Microsoft Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md). - In the ArcSight configuration file / Splunk Authentication Properties file – you will have to write your application key manually by settings the secret value. - Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means). diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index 595b8af148..bc9f3d4a50 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -1,6 +1,6 @@ --- title: Configure machine proxy and Internet connection settings -description: Configure the Windows Defender ATP proxy and internet settings to enable communication with the cloud service. +description: Configure the Microsoft Defender ATP proxy and internet settings to enable communication with the cloud service. keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -21,15 +21,15 @@ ms.topic: article # Configure machine proxy and Internet connectivity settings **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) -The Windows Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service. +The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service. -The embedded Windows Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Windows Defender ATP cloud service. +The embedded Microsoft Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Microsoft Defender ATP cloud service. The WinHTTP configuration setting is independent of the Windows Internet (WinINet) internet browsing proxy settings and can only discover a proxy server by using the following discovery methods: @@ -38,7 +38,7 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe - Web Proxy Auto-discovery Protocol (WPAD) > [!NOTE] -> If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Windows Defender ATP URL exclusions in the proxy, see [Enable access to Windows Defender ATP service URLs in the proxy server](#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server). +> If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server). - Manual static proxy configuration: @@ -46,7 +46,7 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe - WinHTTP configured using netsh command – Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy) ## Configure the proxy server manually using a registry-based static proxy -Configure a registry-based static proxy to allow only Windows Defender ATP sensor to report diagnostic data and communicate with Windows Defender ATP services if a computer is not be permitted to connect to the Internet. +Configure a registry-based static proxy to allow only Microsoft Defender ATP sensor to report diagnostic data and communicate with Microsoft Defender ATP services if a computer is not be permitted to connect to the Internet. The static proxy is configurable through Group Policy (GP). The group policy can be found under: - Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service @@ -87,8 +87,8 @@ netsh winhttp set proxy : ``` For example: netsh winhttp set proxy 10.0.0.6:8080 -## Enable access to Windows Defender ATP service URLs in the proxy server -If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are not blocked by default. Do not disable security monitoring or inspection of these URLs, but allow them as you would other internet traffic. They permit communication with Windows Defender ATP service in port 80 and 443: +## Enable access to Microsoft Defender ATP service URLs in the proxy server +If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are not blocked by default. Do not disable security monitoring or inspection of these URLs, but allow them as you would other internet traffic. They permit communication with Microsoft Defender ATP service in port 80 and 443: >[!NOTE] > URLs that include v20 in them are only needed if you have Windows 10, version 1803 or later machines. For example, ```us-v20.events.data.microsoft.com``` is only needed if the machine is on Windows 10, version 1803 or later. @@ -102,12 +102,12 @@ United States | ```us.vortex-win.data.microsoft.com```
```us-v20.events.data -If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs. +If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs. -## Windows Defender ATP service backend IP range +## Microsoft Defender ATP service backend IP range If you network devices don't support the URLs white-listed in the prior section, you can use the following information. -Windows Defender ATP is built on Azure cloud, deployed in the following regions: +Microsoft Defender ATP is built on Azure cloud, deployed in the following regions: - \+\ - \+\ @@ -124,11 +124,11 @@ You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https: > As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting. -## Verify client connectivity to Windows Defender ATP service URLs +## Verify client connectivity to Microsoft Defender ATP service URLs -Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs. +Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs. -1. Download the [connectivity verification tool](https://go.microsoft.com/fwlink/p/?linkid=823683) to the PC where Windows Defender ATP sensor is running on. +1. Download the [connectivity verification tool](https://go.microsoft.com/fwlink/p/?linkid=823683) to the PC where Microsoft Defender ATP sensor is running on. 2. Extract the contents of WDATPConnectivityAnalyzer on the machine. @@ -151,7 +151,7 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover 5. Extract the *WDATPConnectivityAnalyzerResult.zip* file created by tool in the folder used in the *HardDrivePath*. 6. Open *WDATPConnectivityAnalyzer.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.

-The tool checks the connectivity of Windows Defender ATP service URLs that Windows Defender ATP client is configured to interact with. It then prints the results into the *WDATPConnectivityAnalyzer.txt* file for each URL that can potentially be used to communicate with the Windows Defender ATP services. For example: +The tool checks the connectivity of Microsoft Defender ATP service URLs that Microsoft Defender ATP client is configured to interact with. It then prints the results into the *WDATPConnectivityAnalyzer.txt* file for each URL that can potentially be used to communicate with the Microsoft Defender ATP services. For example: ```text Testing URL : https://xxx.microsoft.com/xxx 1 - Default proxy: Succeeded (200) @@ -161,13 +161,13 @@ The tool checks the connectivity of Windows Defender ATP service URLs that Windo 5 - Command line proxy: Doesn't exist ``` -If at least one of the connectivity options returns a (200) status, then the Windows Defender ATP client can communicate with the tested URL properly using this connectivity method.

+If at least one of the connectivity options returns a (200) status, then the Microsoft Defender ATP client can communicate with the tested URL properly using this connectivity method.

-However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Windows Defender ATP service URLs in the proxy server](#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure. +However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure. > [!NOTE] -> When the TelemetryProxyServer is set, in Registry or via Group Policy, Windows Defender ATP will fall back to direct if it can't access the defined proxy. +> When the TelemetryProxyServer is set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct if it can't access the defined proxy. ## Related topics - [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) -- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) +- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 03df5ce551..b247126bb2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -1,7 +1,7 @@ --- -title: Onboard servers to the Windows Defender ATP service -description: Onboard servers so that they can send sensor data to the Windows Defender ATP sensor. -keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, machine management, configure Windows ATP servers, onboard Windows Defender Advanced Threat Protection servers +title: Onboard servers to the Microsoft Defender ATP service +description: Onboard servers so that they can send sensor data to the Microsoft Defender ATP sensor. +keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, machine management, configure Windows ATP servers, onboard Microsoft Defender Advanced Threat Protection servers search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -16,7 +16,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Onboard servers to the Windows Defender ATP service +# Onboard servers to the Microsoft Defender ATP service **Applies to:** @@ -24,14 +24,14 @@ ms.topic: article - Windows Server 2016 - Windows Server, version 1803 - Windows Server, 2019 -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prerelease information](prerelease.md)] ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configserver-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configserver-abovefoldlink) -Windows Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Windows Defender Security Center console. +Microsoft Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Windows Defender Security Center console. The service supports the onboarding of the following servers: - Windows Server 2012 R2 @@ -40,11 +40,11 @@ The service supports the onboarding of the following servers: - Windows Server 2019 -For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Windows Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128). +For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128). ## Windows Server 2012 R2 and Windows Server 2016 -There are two options to onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP: +There are two options to onboard Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender ATP: - **Option 1**: Onboard through Azure Security Center - **Option 2**: Onboard through Windows Defender Security Center @@ -56,7 +56,7 @@ There are two options to onboard Windows Server 2012 R2 and Windows Server 2016 3. Click **Onboard Servers in Azure Security Center**. -4. Follow the onboarding instructions in [Windows Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp). +4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp). ### Option 2: Onboard servers through Windows Defender Security Center You'll need to tak the following steps if you choose to onboard servers through Windows Defender Security Center. @@ -67,16 +67,16 @@ You'll need to tak the following steps if you choose to onboard servers through >This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2. - Turn on server monitoring from Windows Defender Security Center. -- If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through Multi Homing support. Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). +- If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), simply attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multi Homing support. Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). >[!TIP] -> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md). +> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md). ### Configure and update System Center Endpoint Protection clients >[!IMPORTANT] >This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2. -Windows Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. +Microsoft Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. The following steps are required to enable this integration: - Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) @@ -92,7 +92,7 @@ The following steps are required to enable this integration: 3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent. -### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP +### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP 1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603). @@ -109,7 +109,7 @@ Once completed, you should see onboarded servers in the portal within an hour. ### Configure server proxy and Internet connectivity settings - Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway). -- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service: +- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Microsoft Defender ATP service: Agent Resource | Ports :---|:--- @@ -137,7 +137,7 @@ Supported tools include: For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. -1. Configure Windows Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). +1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). 2. If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly: @@ -162,23 +162,23 @@ Supported tools include: ## Integration with Azure Security Center -Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. +Microsoft Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers. >[!NOTE] >You'll need to have the appropriate license to enable this feature. The following capabilities are included in this integration: -- Automated onboarding - Windows Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding). +- Automated onboarding - Microsoft Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding). >[!NOTE] > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016. -- Servers monitored by Azure Security Center will also be available in Windows Defender ATP - Azure Security Center seamlessly connects to the Windows Defender ATP tenant, providing a single view across clients and servers. In addition, Windows Defender ATP alerts will be available in the Azure Security Center console. +- Servers monitored by Azure Security Center will also be available in Microsoft Defender ATP - Azure Security Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across clients and servers. In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center console. - Server investigation - Azure Security Center customers can access Windows Defender Security Center to perform detailed investigation to uncover the scope of a potential breach >[!IMPORTANT] ->- When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default. ->- If you use Windows Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time. +>- When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created. The Microsoft Defender ATP data is stored in Europe by default. +>- If you use Microsoft Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time. @@ -187,26 +187,26 @@ You can offboard Windows Server, version 1803 and Windows 2019 in the same metho For other server versions, you have two options to offboard servers from the service: - Uninstall the MMA agent -- Remove the Windows Defender ATP workspace configuration +- Remove the Microsoft Defender ATP workspace configuration >[!NOTE] >Offboarding causes the server to stop sending sensor data to the portal but data from the server, including reference to any alerts it has had will be retained for up to 6 months. ### Uninstall servers by uinstalling the MMA agent -To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your Windows Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to Windows Defender ATP. +To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your Microsoft Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to Microsoft Defender ATP. For more information, see [To disable an agent](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent). -### Remove the Windows Defender ATP workspace configuration +### Remove the Microsoft Defender ATP workspace configuration To offboard the server, you can use either of the following methods: -- Remove the Windows Defender ATP workspace configuration from the MMA agent +- Remove the Microsoft Defender ATP workspace configuration from the MMA agent - Run a PowerShell command to remove the configuration -#### Remove the Windows Defender ATP workspace configuration from the MMA agent +#### Remove the Microsoft Defender ATP workspace configuration from the MMA agent 1. In the **Microsoft Monitoring Agent Properties**, select the **Azure Log Analytics (OMS)** tab. -2. Select the Windows Defender ATP workspace, and click **Remove**. +2. Select the Microsoft Defender ATP workspace, and click **Remove**. ![Image of Microsoft Monitoring Agen Properties](images/atp-mma.png) @@ -234,5 +234,5 @@ To offboard the server, you can use either of the following methods: - [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) - [Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) - [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) -- [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md) -- [Troubleshooting Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) +- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md) +- [Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md index 239c4d95db..9c544f5795 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md @@ -1,5 +1,5 @@ --- -title: Pull alerts to your SIEM tools from Windows Defender Advanced Threat Protection +title: Pull alerts to your SIEM tools from Microsoft Defender Advanced Threat Protection description: Learn how to use REST API and configure supported security information and events management tools to receive and pull alerts. keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise search.product: eADQiWindows 10XVcnh @@ -22,42 +22,42 @@ ms.date: 10/16/2017 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) ## Pull alerts using security information and events management (SIEM) tools -Windows Defender ATP supports (SIEM) tools to pull alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. +Microsoft Defender ATP supports (SIEM) tools to pull alerts. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. -Windows Defender ATP currently supports the following SIEM tools: +Microsoft Defender ATP currently supports the following SIEM tools: - Splunk - HP ArcSight To use either of these supported SIEM tools you'll need to: -- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) +- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) - Configure the supported SIEM tool: - - [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) - - [Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) + - [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) + - [Configure HP ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) -For more information on the list of fields exposed in the alerts API see, [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md). +For more information on the list of fields exposed in the alerts API see, [Microsoft Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md). -## Pull Windows Defender ATP alerts using REST API -Windows Defender ATP supports the OAuth 2.0 protocol to pull alerts using REST API. +## Pull Microsoft Defender ATP alerts using REST API +Microsoft Defender ATP supports the OAuth 2.0 protocol to pull alerts using REST API. -For more information, see [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md). +For more information, see [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md). ## In this section Topic | Description :---|:--- -[Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools. -[Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts. -[Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts. -[Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to Windows Defender Security Center. -[Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Windows Defender ATP using REST API. +[Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools. +[Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Microsoft Defender ATP alerts. +[Configure HP ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP alerts. +[Microsoft Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to Windows Defender Security Center. +[Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Microsoft Defender ATP using REST API. [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) | Address issues you might encounter when using the SIEM integration feature. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md index baf0a25a95..bb3e6d4f5b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md @@ -1,5 +1,5 @@ --- -title: Configure Splunk to pull Windows Defender ATP alerts +title: Configure Splunk to pull Microsoft Defender ATP alerts description: Configure Splunk to receive and pull alerts from Windows Defender Security Center. keywords: configure splunk, security information and events management tools, splunk search.product: eADQiWindows 10XVcnh @@ -18,23 +18,23 @@ ms.topic: article ms.date: 10/16/2017 --- -# Configure Splunk to pull Windows Defender ATP alerts +# Configure Splunk to pull Microsoft Defender ATP alerts **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresplunk-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresplunk-abovefoldlink) -You'll need to configure Splunk so that it can pull Windows Defender ATP alerts. +You'll need to configure Splunk so that it can pull Microsoft Defender ATP alerts. ## Before you begin - Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk. -- Make sure you have enabled the **SIEM integration** feature from the **Settings** menu. For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) +- Make sure you have enabled the **SIEM integration** feature from the **Settings** menu. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) - Have the details file you saved from enabling the **SIEM integration** feature ready. You'll need to get the following values: - OAuth 2 Token refresh URL @@ -107,7 +107,7 @@ You'll need to configure Splunk so that it can pull Windows Defender ATP alerts. - + @@ -146,8 +146,8 @@ Use the solution explorer to view alerts in Splunk. >```source="rest://windows atp alerts" | spath | dedup _raw | table *``` ## Related topics -- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) -- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) -- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) -- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) +- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) +- [Configure ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) +- [Microsoft Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) +- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) - [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md index d20d381975..4d6bed28ef 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md @@ -20,7 +20,7 @@ ms.date: 12/08/2017 # Create alert from event API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] @@ -29,7 +29,7 @@ ms.date: 12/08/2017 Enables using event data, as obtained from the [Advanced Hunting](run-advanced-query-api.md) for creating a new alert entity. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 4998ae8a80..bb24ba24f8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -1,5 +1,5 @@ --- -title: Create custom detection rules in Windows Defender ATP +title: Create custom detection rules in Microsoft Defender ATP description: Learn how to create custom detections rules based on advanced hunting queries keywords: create custom detections, detections, advanced hunting, hunt, detect, query search.product: eADQiWindows 10XVcnh @@ -20,7 +20,7 @@ ms.topic: article # Create custom detections rules **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 1. In the navigation pane, select **Advanced hunting**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md b/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md index bc9982d2ae..552a856b66 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md @@ -1,6 +1,6 @@ --- title: Create custom alerts using the threat intelligence API -description: Create your custom alert definitions and indicators of compromise in Windows Defender ATP using the available APIs in Windows Enterprise, Education, and Pro editions. +description: Create your custom alert definitions and indicators of compromise in Microsoft Defender ATP using the available APIs in Windows Enterprise, Education, and Pro editions. keywords: alert definitions, indicators of compromise, threat intelligence, custom threat intelligence, rest api, api search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -23,11 +23,11 @@ ms.date: 04/24/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink) You can define custom alert definitions and indicators of compromise (IOC) using the threat intelligence API. Creating custom threat intelligence alerts allows you to generate specific alerts that are applicable to your organization. @@ -61,7 +61,7 @@ For this URL: Each tenant has a defined quota that limits the number of possible alert definitions, IOCs and another quota for IOCs of Action different than “equals” in the system. If you upload data beyond this quota, you'll encounter an HTTP error status code 507 (Insufficient Storage). ## Request an access token from the token issuing endpoint -Windows Defender ATP Threat Intelligence API uses OAuth 2.0. In the context of Windows Defender ATP, the alert definitions are a protected resource. To issue tokens for ad-hoc, non-automatic operations you can use the **Settings** page and click the **Generate Token** button. However, if you’d like to create an automated client, you need to use the “Client Credentials Grant” flow. For more information, see the [OAuth 2.0 authorization framework](https://tools.ietf.org/html/rfc6749#section-4.4). +Microsoft Defender ATP Threat Intelligence API uses OAuth 2.0. In the context of Microsoft Defender ATP, the alert definitions are a protected resource. To issue tokens for ad-hoc, non-automatic operations you can use the **Settings** page and click the **Generate Token** button. However, if you’d like to create an automated client, you need to use the “Client Credentials Grant” flow. For more information, see the [OAuth 2.0 authorization framework](https://tools.ietf.org/html/rfc6749#section-4.4). For more information about the authorization flow, see [OAuth 2.0 authorization flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-protocols-oauth-code#oauth-20-authorization-flow). @@ -387,8 +387,8 @@ Upon a successful request the response will be HTTP 204. > As with all OData actions, this action is sending an HTTP POST request not DELETE. -## Windows Defender ATP optional query parameters -The Windows Defender ATP threat intelligence API provides several optional query parameters that you can use to specify and control the amount of data returned in a response. The threat intelligence API supports the following query options: +## Microsoft Defender ATP optional query parameters +The Microsoft Defender ATP threat intelligence API provides several optional query parameters that you can use to specify and control the amount of data returned in a response. The threat intelligence API supports the following query options: Name | Value | Description :---|:---|:-- @@ -411,7 +411,7 @@ The following articles provide detailed code examples that demonstrate how to us ## Related topics - [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [Enable the custom threat intelligence API in Microsoft Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) - [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md) - [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md) - [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md index 8a393d5b81..76c3d3e1cb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md @@ -1,5 +1,5 @@ --- -title: Update data retention settings for Windows Defender Advanced Threat Protection +title: Update data retention settings for Microsoft Defender Advanced Threat Protection description: Update data retention settings by selecting between 30 days to 180 days. keywords: data, storage, settings, retention, update search.product: eADQiWindows 10XVcnh @@ -17,18 +17,18 @@ ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/24/2018 --- -# Update data retention settings for Windows Defender ATP +# Update data retention settings for Microsoft Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-gensettings-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-gensettings-abovefoldlink) -During the onboarding process, a wizard takes you through the general settings of Windows Defender ATP. After onboarding, you might want to update the data retention settings. +During the onboarding process, a wizard takes you through the general settings of Microsoft Defender ATP. After onboarding, you might want to update the data retention settings. 1. In the navigation pane, select **Settings** > **Data rention**. @@ -42,7 +42,7 @@ During the onboarding process, a wizard takes you through the general settings o ## Related topics - [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md) -- [Configure alert notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md) -- [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) +- [Configure alert notifications in Microsoft Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md) +- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) - [Enable Secure Score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md) - [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md index 67780a3f78..b320ac62c4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md @@ -1,7 +1,7 @@ --- -title: Windows Defender ATP data storage and privacy -description: Learn about how Windows Defender ATP handles privacy and data that it collects. -keywords: Windows Defender ATP data storage and privacy, storage, privacy, licensing, geolocation, data retention, data +title: Microsoft Defender ATP data storage and privacy +description: Learn about how Microsoft Defender ATP handles privacy and data that it collects. +keywords: Microsoft Defender ATP data storage and privacy, storage, privacy, licensing, geolocation, data retention, data search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -17,20 +17,20 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Windows Defender ATP data storage and privacy +# Microsoft Defender ATP data storage and privacy **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -This section covers some of the most frequently asked questions regarding privacy and data handling for Windows Defender ATP. +This section covers some of the most frequently asked questions regarding privacy and data handling for Microsoft Defender ATP. > [!NOTE] -> This document explains the data storage and privacy details related to Windows Defender ATP. For more information related to Windows Defender ATP and other products and services like Windows Defender Antivirus and Windows 10, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576). See also [Windows 10 privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577) for more information. +> This document explains the data storage and privacy details related to Microsoft Defender ATP. For more information related to Microsoft Defender ATP and other products and services like Windows Defender Antivirus and Windows 10, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576). See also [Windows 10 privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577) for more information. -## What data does Windows Defender ATP collect? +## What data does Microsoft Defender ATP collect? -Windows Defender ATP will collect and store information from your configured machines in a customer dedicated and segregated tenant specific to the service for administration, tracking, and reporting purposes. +Microsoft Defender ATP will collect and store information from your configured machines in a customer dedicated and segregated tenant specific to the service for administration, tracking, and reporting purposes. Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as machine identifiers, names, and the operating system version). @@ -44,10 +44,10 @@ Microsoft uses this data to: Microsoft does not use your data for advertising or for any other purpose other than providing you the service. ## Data protection and encryption -The Windows Defender ATP service utilizes state of the art data protection technologies which are based on Microsoft Azure infrastructure. +The Microsoft Defender ATP service utilizes state of the art data protection technologies which are based on Microsoft Azure infrastructure. -There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most critical and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more information on other technologies used by the Windows Defender ATP service, see [Azure encryption overview](https://docs.microsoft.com/azure/security/security-azure-encryption-overview). +There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most critical and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more information on other technologies used by the Microsoft Defender ATP service, see [Azure encryption overview](https://docs.microsoft.com/azure/security/security-azure-encryption-overview). In all scenarios, data is encrypted using 256-bit [AES encyption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) at the minimum. @@ -84,12 +84,12 @@ Your data will be kept and will be available to you while the licence is under g ## Can Microsoft help us maintain regulatory compliance? -Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Windows Defender ATP services against their own legal and regulatory requirements. Windows Defender ATP is ISO 27001 certified and has a roadmap for obtaining national, regional and industry-specific certifications. +Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Microsoft Defender ATP services against their own legal and regulatory requirements. Microsoft Defender ATP is ISO 27001 certified and has a roadmap for obtaining national, regional and industry-specific certifications. -Windows Defender ATP for Government (soon to be in preview) is currently undergoing audit for achieving FedRAMP High accreditation as well as Provisional Authorization (PA) at Impact Levels 4 and 5. +Microsoft Defender ATP for Government (soon to be in preview) is currently undergoing audit for achieving FedRAMP High accreditation as well as Provisional Authorization (PA) at Impact Levels 4 and 5. By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run. -For more information on the Windows Defender ATP ISO certification reports, see [Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/compliance/iso-iec-27001). +For more information on the Microsoft Defender ATP ISO certification reports, see [Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/compliance/iso-iec-27001). ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-datastorage-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-datastorage-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md index 5050e3dcb1..4d9d0fa3ce 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md @@ -1,6 +1,6 @@ --- -title: Windows Defender Antivirus compatibility with Windows Defender ATP -description: Learn about how Windows Defender works with Windows Defender ATP and how it functions when a third-party antimalware client is used. +title: Windows Defender Antivirus compatibility with Microsoft Defender ATP +description: Learn about how Windows Defender works with Microsoft Defender ATP and how it functions when a third-party antimalware client is used. keywords: windows defender compatibility, defender, windows defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -18,24 +18,24 @@ ms.topic: conceptual ms.date: 04/24/2018 --- -# Windows Defender Antivirus compatibility with Windows Defender ATP +# Windows Defender Antivirus compatibility with Microsoft Defender ATP **Applies to:** - Windows Defender -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-defendercompat-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-defendercompat-abovefoldlink) -The Windows Defender Advanced Threat Protection agent depends on Windows Defender Antivirus for some capabilities such as file scanning. +The Microsoft Defender Advanced Threat Protection agent depends on Windows Defender Antivirus for some capabilities such as file scanning. >[!IMPORTANT] ->Windows Defender ATP does not adhere to the Windows Defender Antivirus Exclusions settings. +>Microsoft Defender ATP does not adhere to the Windows Defender Antivirus Exclusions settings. -You must configure Security intelligence updates on the Windows Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md). +You must configure Security intelligence updates on the Microsoft Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md). If an onboarded machine is protected by a third-party antimalware client, Windows Defender Antivirus on that endpoint will enter into passive mode. @@ -43,4 +43,4 @@ Windows Defender Antivirus will continue to receive updates, and the *mspeng.exe The Windows Defender Antivirus interface will be disabled, and users on the machine will not be able to use Windows Defender Antivirus to perform on-demand scans or configure most options. -For more information, see the [Windows Defender Antivirus and Windows Defender ATP compatibility topic](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). +For more information, see the [Windows Defender Antivirus and Microsoft Defender ATP compatibility topic](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md index 6399e4f311..40d6df11a5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md @@ -19,7 +19,7 @@ ms.topic: article # Delete Indicator API **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prereleaseinformation](prerelease.md)] diff --git a/windows/security/threat-protection/microsoft-defender-atp/deprecate.md b/windows/security/threat-protection/microsoft-defender-atp/deprecate.md index fe73a4d416..ac6fe24aed 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/deprecate.md +++ b/windows/security/threat-protection/microsoft-defender-atp/deprecate.md @@ -4,4 +4,4 @@ ms.date: 10/17/2018 >[!WARNING] -> This page documents a feature that will soon be deprecated. For the updated and supported version, see [Use the Windows Defender ATP APIs](use-apis.md). \ No newline at end of file +> This page documents a feature that will soon be deprecated. For the updated and supported version, see [Use the Microsoft Defender ATP APIs](use-apis.md). \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti.md b/windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti.md index 49545c0428..c90107793c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti.md @@ -1,6 +1,6 @@ --- -title: Enable the custom threat intelligence API in Windows Defender ATP -description: Learn how to setup the custom threat intelligence application in Windows Defender ATP to create custom threat intelligence (TI). +title: Enable the custom threat intelligence API in Microsoft Defender ATP +description: Learn how to setup the custom threat intelligence application in Microsoft Defender ATP to create custom threat intelligence (TI). keywords: enable custom threat intelligence application, custom ti application, application name, client id, authorization url, resource, client secret, access tokens search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -18,16 +18,16 @@ ms.topic: article ms.date: 04/24/2018 --- -# Enable the custom threat intelligence API in Windows Defender ATP +# Enable the custom threat intelligence API in Microsoft Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablecustomti-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablecustomti-abovefoldlink) Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through Windows Defender Security Center. diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md index c4590d0678..bf2bbbf003 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md @@ -1,5 +1,5 @@ --- -title: Enable Secure Score in Windows Defender ATP +title: Enable Secure Score in Microsoft Defender ATP description: Set the baselines for calculating the score of Windows Defender security controls on the Secure Score dashboard. keywords: enable secure score, baseline, calculation, analytics, score, secure score dashboard, dashboard search.product: eADQiWindows 10XVcnh @@ -23,7 +23,7 @@ ms.date: 04/24/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -40,7 +40,7 @@ Set the baselines for calculating the score of Windows Defender security control ## Related topics - [View the Secure Score dashboard](secure-score-dashboard-windows-defender-advanced-threat-protection.md) -- [Update data retention settings for Windows Defender ATP](data-retention-settings-windows-defender-advanced-threat-protection.md) -- [Configure alert notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md) -- [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) -- [Configure advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md) +- [Update data retention settings for Microsoft Defender ATP](data-retention-settings-windows-defender-advanced-threat-protection.md) +- [Configure alert notifications in Microsoft Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md) +- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) +- [Configure advanced features in Microsoft Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md index b3d89ea8d0..a5099be0b4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md @@ -1,5 +1,5 @@ --- -title: Enable SIEM integration in Windows Defender ATP +title: Enable SIEM integration in Microsoft Defender ATP description: Enable SIEM integration to receive alerts in your security information and event management (SIEM) solution. keywords: enable siem connector, siem, connector, security information and events search.product: eADQiWindows 10XVcnh @@ -18,13 +18,13 @@ ms.topic: article ms.date: 12/10/2018 --- -# Enable SIEM integration in Windows Defender ATP +# Enable SIEM integration in Microsoft Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablesiem-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablesiem-abovefoldlink) Enable security information and event management (SIEM) integration so you can pull alerts from Windows Defender Security Center using your SIEM solution or by connecting directly to the alerts REST API. @@ -66,12 +66,12 @@ Enable security information and event management (SIEM) integration so you can p You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from Windows Defender Security Center. -## Integrate Windows Defender ATP with IBM QRadar -You can configure IBM QRadar to collect alerts from Windows Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1). +## Integrate Microsoft Defender ATP with IBM QRadar +You can configure IBM QRadar to collect alerts from Microsoft Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1). ## Related topics -- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) -- [Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) -- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) -- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) +- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) +- [Configure HP ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) +- [Microsoft Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) +- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) - [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md index 6dd9971ceb..85aa0f8290 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md @@ -1,5 +1,5 @@ --- -title: Evaluate Windows Defender Advanced Threat Protection +title: Evaluate Microsoft Defender Advanced Threat Protection description: keywords: search.product: eADQiWindows 10XVcnh @@ -18,12 +18,12 @@ ms.topic: conceptual ms.date: 08/10/2018 --- -# Evaluate Windows Defender ATP -[Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. +# Evaluate Microsoft Defender ATP +[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. -You can evaluate Windows Defender Advanced Threat Protection in your organization by [starting your free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp). +You can evaluate Microsoft Defender Advanced Threat Protection in your organization by [starting your free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp). -You can also evaluate the different security capabilities in Windows Defender ATP by using the following instructions. +You can also evaluate the different security capabilities in Microsoft Defender ATP by using the following instructions. ## Evaluate attack surface reduction These capabilities help prevent attacks and exploitations from infecting your organization. @@ -40,4 +40,4 @@ Next gen protections help detect and block the latest threats. ## See Also -[Get started with Windows Defender Advanced Threat Protection](get-started.md) \ No newline at end of file +[Get started with Microsoft Defender Advanced Threat Protection](get-started.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md index f49caf3929..b6e868da21 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md @@ -1,7 +1,7 @@ --- title: Review events and errors using Event Viewer -description: Get descriptions and further troubleshooting steps (if required) for all events reported by the Windows Defender ATP service. -keywords: troubleshoot, event viewer, log summary, failure code, failed, Windows Defender Advanced Threat Protection service, cannot start, broken, can't start +description: Get descriptions and further troubleshooting steps (if required) for all events reported by the Microsoft Defender ATP service. +keywords: troubleshoot, event viewer, log summary, failure code, failed, Microsoft Defender Advanced Threat Protection service, cannot start, broken, can't start search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -25,7 +25,7 @@ ms.date: 05/21/2018 - Event Viewer -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -34,9 +34,9 @@ You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/librar For example, if machines are not appearing in the **Machines list**, you might need to look for event IDs on the machines. You can then use this table to determine further troubleshooting steps. > [!NOTE] -> It can take several days for machines to begin reporting to the Windows Defender ATP service. +> It can take several days for machines to begin reporting to the Microsoft Defender ATP service. -**Open Event Viewer and find the Windows Defender ATP service event log:** +**Open Event Viewer and find the Microsoft Defender ATP service event log:** 1. Click **Start** on the Windows menu, type **Event Viewer**, and press **Enter**. @@ -46,7 +46,7 @@ For example, if machines are not appearing in the **Machines list**, you might n a. You can also access the log by expanding **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE** and click on **Operational**. > [!NOTE] - > SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP. + > SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender ATP. 3. Events recorded by the service will appear in the log. See the following table for a list of events recorded by the service. @@ -60,39 +60,39 @@ For example, if machines are not appearing in the **Machines list**, you might n - + - + - + - - + - - + - + - + - + - + - + - + - + - + - - + - + - + - + - - + + - + - - + + - + - + - + - + - + - - + + - + - + - + - + - + - + - + - + @@ -342,9 +342,9 @@ See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-
![step one](../images/one.png)![set up device](../images/set-up-device.png)

Enter a name for the device.

(Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

Toggle **Yes** or **No** to **Configure devices for shared use**. This setting optimizes Windows 10 for shared use scenarios. [Learn more about shared PC configuration.](../set-up-shared-or-guest-pc.md)

You can also select to remove pre-installed software from the device. 		![device name, upgrade to enterprise, shared use, remove pre-installed software](../images/set-up-device-details-desktop.png)
![step two](../images/two.png) ![set up network](../images/set-up-network.png)

Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.		![Enter network SSID and type](../images/set-up-network-details-desktop.png)
![step three](../images/three.png) ![account management](../images/account-management.png)

Enable account management if you want to configure settings on this page.

You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

To create a local administrator account, select that option and enter a user name and password.

**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. 		![join Active Directory, Azure AD, or create a local admin account](../images/account-management-details.png)
![step three](../images/three.png) ![account management](../images/account-management.png)

Enable account management if you want to configure settings on this page.

You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 180 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

To create a local administrator account, select that option and enter a user name and password.

**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. 		![join Active Directory, Azure AD, or create a local admin account](../images/account-management-details.png)
![step four](../images/four.png) ![add applications](../images/add-applications.png)

You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md). 		![add an application](../images/add-applications-details.png)
![step five](../images/five.png) ![add certificates](../images/add-certificates.png)

To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.		![add a certificate](../images/add-certificates-details.png)
![finish](../images/finish.png)

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.		![Protect your package](../images/finish-details.png)
Browse to the location of the *wdatp-connector.properties* file. The name must match the file provided in the .zip that you downloaded.
Refresh TokenYou can obtain a refresh token in two ways: by generating a refresh token from the **SIEM settings** page or using the restutil tool.

For more information on generating a refresh token from the **Preferences setup** , see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md).

**Get your refresh token using the restutil tool:**
a. Open a command prompt. Navigate to C:\\*folder_location*\current\bin where *folder_location* represents the location where you installed the tool.

b. Type: `arcsight restutil token -config` from the bin directory.For example: **arcsight restutil boxtoken -proxy proxy.location.hp.com:8080** A Web browser window will open.

c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.

d. A refresh token is shown in the command prompt.

e. Copy and paste it into the **Refresh Token** field. + 		You can obtain a refresh token in two ways: by generating a refresh token from the **SIEM settings** page or using the restutil tool.

For more information on generating a refresh token from the **Preferences setup** , see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md).

**Get your refresh token using the restutil tool:**
a. Open a command prompt. Navigate to C:\\*folder_location*\current\bin where *folder_location* represents the location where you installed the tool.

b. Type: `arcsight restutil token -config` from the bin directory.For example: **arcsight restutil boxtoken -proxy proxy.location.hp.com:8080** A Web browser window will open.

c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.

d. A refresh token is shown in the command prompt.

e. Copy and paste it into the **Refresh Token** field.
Polling IntervalNumber of seconds that Splunk will ping the Windows Defender ATP machine. Accepted values are in seconds.Number of seconds that Splunk will ping the Microsoft Defender ATP machine. Accepted values are in seconds.
Set sourcetype
1Windows Defender Advanced Threat Protection service started (Version ```variable```).Microsoft Defender Advanced Threat Protection service started (Version ```variable```). Occurs during system start up, shut down, and during onbboarding. Normal operating notification; no action required.
2Windows Defender Advanced Threat Protection service shutdown.Microsoft Defender Advanced Threat Protection service shutdown. Occurs when the machine is shut down or offboarded. Normal operating notification; no action required.
3Windows Defender Advanced Threat Protection service failed to start. Failure code: ```variable```.Microsoft Defender Advanced Threat Protection service failed to start. Failure code: ```variable```. Service did not start. Review other messages to determine possible cause and troubleshooting steps.
4Windows Defender Advanced Threat Protection service contacted the server at ```variable```.Variable = URL of the Windows Defender ATP processing servers.
+		Microsoft Defender Advanced Threat Protection service contacted the server at ```variable```.Variable = URL of the Microsoft Defender ATP processing servers.
This URL will match that seen in the Firewall or network activity.		 Normal operating notification; no action required.
5Windows Defender Advanced Threat Protection service failed to connect to the server at ```variable```.Variable = URL of the Windows Defender ATP processing servers.
+		Microsoft Defender Advanced Threat Protection service failed to connect to the server at ```variable```.Variable = URL of the Microsoft Defender ATP processing servers.
The service could not contact the external processing servers at that URL.		 Check the connection to the URL. See [Configure proxy and Internet connectivity](configure-proxy-internet-windows-defender-advanced-threat-protection.md).
6Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found.Microsoft Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. The machine did not onboard correctly and will not be reporting to the portal. Onboarding must be run before starting the service.
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
@@ -100,14 +100,14 @@ See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-
7Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure: ```variable```.Microsoft Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure: ```variable```. Variable = detailed error description. The machine did not onboard correctly and will not be reporting to the portal. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
8Windows Defender Advanced Threat Protection service failed to clean its configuration. Failure code: ```variable```.Microsoft Defender Advanced Threat Protection service failed to clean its configuration. Failure code: ```variable```. **During onboarding:** The service failed to clean its configuration during the onboarding. The onboarding process continues.

**During offboarding:** The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running. 		**Onboarding:** No action required.

**Offboarding:** Reboot the system.
@@ -115,47 +115,47 @@ See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-
9Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: ```variable```.Microsoft Defender Advanced Threat Protection service failed to change its start type. Failure code: ```variable```. **During onboarding:** The machine did not onboard correctly and will not be reporting to the portal.

**During offboarding:** Failed to change the service start type. The offboarding process continues. 		Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
10Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: ```variable```.Microsoft Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: ```variable```. The machine did not onboard correctly and will not be reporting to the portal. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
11Onboarding or re-onboarding of Windows Defender Advanced Threat Protection service completed.Onboarding or re-onboarding of Microsoft Defender Advanced Threat Protection service completed. The machine onboarded correctly. Normal operating notification; no action required.
It may take several hours for the machine to appear in the portal.
12Windows Defender Advanced Threat Protection failed to apply the default configuration.Microsoft Defender Advanced Threat Protection failed to apply the default configuration. Service was unable to apply the default configuration. This error should resolve after a short period of time.
13Windows Defender Advanced Threat Protection machine ID calculated: ```variable```.Microsoft Defender Advanced Threat Protection machine ID calculated: ```variable```. Normal operating process. Normal operating notification; no action required.
15Windows Defender Advanced Threat Protection cannot start command channel with URL: ```variable```.Variable = URL of the Windows Defender ATP processing servers.
+		Microsoft Defender Advanced Threat Protection cannot start command channel with URL: ```variable```.Variable = URL of the Microsoft Defender ATP processing servers.
The service could not contact the external processing servers at that URL.		 Check the connection to the URL. See [Configure proxy and Internet connectivity](configure-proxy-internet-windows-defender-advanced-threat-protection.md).
17Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: ```variable```.Microsoft Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: ```variable```. An error occurred with the Windows telemetry service. [Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostics-service-is-enabled).
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
@@ -182,7 +182,7 @@ If this error persists after a system restart, ensure all Windows updates have f
25Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: ```variable```.Microsoft Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: ```variable```. The machine did not onboard correctly. It will report to the portal, however the service may not appear as registered in SCCM or the registry. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
@@ -190,7 +190,7 @@ See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-
26Windows Defender Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: ```variable```.Microsoft Defender Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: ```variable```. The machine did not onboard correctly.
It will report to the portal, however the service may not appear as registered in SCCM or the registry.		 Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
@@ -198,15 +198,15 @@ See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-
27Windows Defender Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender Antivirus. Onboarding process failed. Failure code: ```variable```.Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the machine, and the machine is reporting to Windows Defender ATP.Microsoft Defender Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender Antivirus. Onboarding process failed. Failure code: ```variable```.Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the machine, and the machine is reporting to Microsoft Defender ATP. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
Ensure real-time antimalware protection is running properly.
28Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: ```variable```.Microsoft Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: ```variable```. An error occurred with the Windows telemetry service. [Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostic-data-service-is-enabled).
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
@@ -220,34 +220,34 @@ See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-
30Windows Defender Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender Antivirus. Failure code: ```variable```.Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the machine, and the machine is reporting to Windows Defender ATP.Microsoft Defender Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender Antivirus. Failure code: ```variable```.Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the machine, and the machine is reporting to Microsoft Defender ATP. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
Ensure real-time antimalware protection is running properly.
31Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: ```variable```.Microsoft Defender Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: ```variable```. An error occurred with the Windows telemetry service during onboarding. The offboarding process continues. [Check for errors with the Windows telemetry service](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostic-data-service-is-enabled).
32Windows Defender Advanced Threat Protection service failed to request to stop itself after offboarding process. Failure code: %1Microsoft Defender Advanced Threat Protection service failed to request to stop itself after offboarding process. Failure code: %1 An error occurred during offboarding. Reboot the machine.
33Windows Defender Advanced Threat Protection service failed to persist SENSE GUID. Failure code: ```variable```.Microsoft Defender Advanced Threat Protection service failed to persist SENSE GUID. Failure code: ```variable```. A unique identifier is used to represent each machine that is reporting to the portal.
If the identifier does not persist, the same machine might appear twice in the portal.		 Check registry permissions on the machine to ensure the service can update the registry.
34Windows Defender Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: ```variable```.Microsoft Defender Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: ```variable```. An error occurred with the Windows telemetry service. [Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostic-data-service-is-enabled).
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
@@ -255,62 +255,62 @@ See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-
35Windows Defender Advanced Threat Protection service failed to remove itself as a dependency on the Connected User Experiences and Telemetry service. Failure code: ```variable```.Microsoft Defender Advanced Threat Protection service failed to remove itself as a dependency on the Connected User Experiences and Telemetry service. Failure code: ```variable```. An error occurred with the Windows telemetry service during offboarding. The offboarding process continues. Check for errors with the Windows diagnostic data service.
36Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration succeeded. Completion code: ```variable```.Registering Windows Defender Advanced Threat Protection with the Connected User Experiences and Telemetry service completed successfully.Microsoft Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration succeeded. Completion code: ```variable```.Registering Microsoft Defender Advanced Threat Protection with the Connected User Experiences and Telemetry service completed successfully. Normal operating notification; no action required.
37Windows Defender Advanced Threat Protection A module is about to exceed its quota. Module: %1, Quota: {%2} {%3}, Percentage of quota utilization: %4.Microsoft Defender Advanced Threat Protection A module is about to exceed its quota. Module: %1, Quota: {%2} {%3}, Percentage of quota utilization: %4. The machine has almost used its allocated quota of the current 24-hour window. It’s about to be throttled. Normal operating notification; no action required.
38Network connection is identified as low. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.Network connection is identified as low. Microsoft Defender Advanced Threat Protection will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4. The machine is using a metered/paid network and will be contacting the server less frequently. Normal operating notification; no action required.
39Network connection is identified as normal. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.Network connection is identified as normal. Microsoft Defender Advanced Threat Protection will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4. The machine is not using a metered/paid connection and will contact the server as usual. Normal operating notification; no action required.
40Battery state is identified as low. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Battery state: %2.Battery state is identified as low. Microsoft Defender Advanced Threat Protection will contact the server every %1 minutes. Battery state: %2. The machine has low battery level and will contact the server less frequently. Normal operating notification; no action required.
41Battery state is identified as normal. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Battery state: %2.Battery state is identified as normal. Microsoft Defender Advanced Threat Protection will contact the server every %1 minutes. Battery state: %2. The machine doesn’t have low battery level and will contact the server as usual. Normal operating notification; no action required.
42Windows Defender Advanced Threat Protection WDATP component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception message: %4Microsoft Defender Advanced Threat Protection WDATP component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception message: %4 Internal error. The service failed to start. If this error persists, contact Support.
43Windows Defender Advanced Threat Protection WDATP component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception Error: %4, Exception message: %5Microsoft Defender Advanced Threat Protection WDATP component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception Error: %4, Exception message: %5 Internal error. The service failed to start. If this error persists, contact Support.
44Offboarding of Windows Defender Advanced Threat Protection service completed.Offboarding of Microsoft Defender Advanced Threat Protection service completed. The service was offboarded. Normal operating notification; no action required.
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-eventerrorcodes-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-eventerrorcodes-belowfoldlink) ## Related topics - [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) - [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) -- [Troubleshoot Windows Defender ATP](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) +- [Troubleshoot Microsoft Defender ATP](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/experiment-custom-ti.md b/windows/security/threat-protection/microsoft-defender-atp/experiment-custom-ti.md index 3e8ba14f02..b89eeb886a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/experiment-custom-ti.md +++ b/windows/security/threat-protection/microsoft-defender-atp/experiment-custom-ti.md @@ -1,6 +1,6 @@ --- title: Experiment with custom threat intelligence alerts -description: Use this end-to-end guide to start using the Windows Defender ATP threat intelligence API. +description: Use this end-to-end guide to start using the Microsoft Defender ATP threat intelligence API. keywords: alert definitions, indicators of compromise, threat intelligence, custom threat intelligence, rest api, api search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -23,13 +23,13 @@ ms.date: 11/09/2017 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-experimentcustomti-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-experimentcustomti-abovefoldlink) -With the Windows Defender ATP threat intelligence API, you can create custom threat intelligence alerts that can help you keep track of possible attack activities in your organization. +With the Microsoft Defender ATP threat intelligence API, you can create custom threat intelligence alerts that can help you keep track of possible attack activities in your organization. For more information about threat intelligence concepts, see [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md). @@ -47,7 +47,7 @@ This step will guide you in creating an alert definition and an IOC for a malici 1. Open a Windows PowerShell ISE. -2. Copy and paste the following PowerShell script. This script will upload a sample alert definition and IOC to Windows Defender ATP which you can use to generate an alert. +2. Copy and paste the following PowerShell script. This script will upload a sample alert definition and IOC to Microsoft Defender ATP which you can use to generate an alert. NOTE: Make sure you replace the authUrl, clientId, and clientSecret values with your details which you saved in when you enabled the threat intelligence application. @@ -80,7 +80,7 @@ This step will guide you in creating an alert definition and an IOC for a malici $alertDefinitionPayload = @{ "Name" = "Test Alert" "Severity" = "Medium" - "InternalDescription" = "A test alert used to demonstrate the Windows Defender ATP TI API feature" + "InternalDescription" = "A test alert used to demonstrate the Microsoft Defender ATP TI API feature" "Title" = "Test alert." "UxDescription" = "This is a test alert based on a sample custom alert definition. This alert was triggered manually using a provided test command. It indicates that the Threat Intelligence API has been properly enabled." "RecommendedAction" = "No recommended action for this test alert." @@ -130,9 +130,9 @@ This step will guide you in creating an alert definition and an IOC for a malici ~~~~ ## Step 3: Simulate a custom TI alert -This step will guide you in simulating an event in connection to a malicious IP that will trigger the Windows Defender ATP custom TI alert. +This step will guide you in simulating an event in connection to a malicious IP that will trigger the Microsoft Defender ATP custom TI alert. -1. Open a Windows PowerShell ISE in the machine you onboarded to Windows Defender ATP. +1. Open a Windows PowerShell ISE in the machine you onboarded to Microsoft Defender ATP. 2. Type `Invoke-WebRequest 52.184.197.12` in the editor and click **Run**. This call will generate a network communication event to a Microsoft's dedicated demo server that will raise an alert based on the custom alert definition. @@ -143,7 +143,7 @@ This step will guide you in exploring the custom alert in the portal. 1. Open [Windows Defender Security Center](http://securitycenter.windows.com/) on a browser. -2. Log in with your Windows Defender ATP credentials. +2. Log in with your Microsoft Defender ATP credentials. 3. The dashboard should display the custom TI alert for the victim machine resulting from the simulated attack. @@ -154,7 +154,7 @@ This step will guide you in exploring the custom alert in the portal. ## Related topics - [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [Enable the custom threat intelligence API in Microsoft Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) - [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md) - [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md) - [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md index 56c66b472e..f94e8cbf84 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md @@ -1,5 +1,5 @@ --- -title: Use Windows Defender Advanced Threat Protection APIs +title: Use Microsoft Defender Advanced Threat Protection APIs description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph. keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query search.product: eADQiWindows 10XVcnh @@ -17,33 +17,33 @@ ms.topic: article ms.date: 09/03/2018 --- -# Use Windows Defender ATP APIs +# Use Microsoft Defender ATP APIs -**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -> Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) [!include[Prerelease information](prerelease.md)] -This page describes how to create an application to get programmatic access to Windows Defender ATP on behalf of a user. +This page describes how to create an application to get programmatic access to Microsoft Defender ATP on behalf of a user. -If you need programmatic access Windows Defender ATP without a user, refer to [Access Windows Defender ATP with application context](exposed-apis-create-app-webapp.md). +If you need programmatic access Microsoft Defender ATP without a user, refer to [Access Microsoft Defender ATP with application context](exposed-apis-create-app-webapp.md). If you are not sure which access you need, read the [Introduction page](apis-intro.md). -Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate work flows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). +Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate work flows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). In general, you’ll need to take the following steps to use the APIs: - Create an AAD application - Get an access token using this application -- Use the token to access Windows Defender ATP API +- Use the token to access Microsoft Defender ATP API -This page explains how to create an AAD application, get an access token to Windows Defender ATP and validate the token. +This page explains how to create an AAD application, get an access token to Microsoft Defender ATP and validate the token. >[!NOTE] -> When accessing Windows Defender ATP API on behalf of a user, you will need the correct App permission and user permission. -> If you are not familiar with user permissions on Windows Defender ATP, see [Manage portal access using role-based access control](rbac-windows-defender-advanced-threat-protection.md). +> When accessing Microsoft Defender ATP API on behalf of a user, you will need the correct App permission and user permission. +> If you are not familiar with user permissions on Microsoft Defender ATP, see [Manage portal access using role-based access control](rbac-windows-defender-advanced-threat-protection.md). >[!TIP] > If you have the permission to perform an action in the portal, you have the permission to perform the action in the API. @@ -162,9 +162,9 @@ Sanity check to make sure you got a correct token: ![Image of token validation](images/nativeapp-decoded-token.png) -## Use the token to access Windows Defender ATP API +## Use the token to access Microsoft Defender ATP API -- Choose the API you want to use - [Supported Windows Defender ATP APIs](exposed-apis-list.md) +- Choose the API you want to use - [Supported Microsoft Defender ATP APIs](exposed-apis-list.md) - Set the Authorization header in the HTTP request you send to "Bearer {token}" (Bearer is the Authorization scheme) - The Expiration time of the token is 1 hour (you can send more then one request with the same token) @@ -182,5 +182,5 @@ Sanity check to make sure you got a correct token: ``` ## Related topics -- [Windows Defender ATP APIs](exposed-apis-list.md) -- [Access Windows Defender ATP with application context](exposed-apis-create-app-webapp.md) \ No newline at end of file +- [Microsoft Defender ATP APIs](exposed-apis-list.md) +- [Access Microsoft Defender ATP with application context](exposed-apis-create-app-webapp.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md index 4d6b21364d..e0800f060b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md @@ -1,5 +1,5 @@ --- -title: Create an app to access Windows Defender ATP without a user +title: Create an app to access Microsoft Defender ATP without a user description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph. keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query search.product: eADQiWindows 10XVcnh @@ -17,28 +17,28 @@ ms.topic: article ms.date: 09/03/2018 --- -# Create an app to access Windows Defender ATP without a user +# Create an app to access Microsoft Defender ATP without a user -**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -> Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) [!include[Prerelease information](prerelease.md)] -This page describes how to create an application to get programmatic access to Windows Defender ATP without a user. +This page describes how to create an application to get programmatic access to Microsoft Defender ATP without a user. -If you need programmatic access Windows Defender ATP on behalf of a user, see [Get access wtih user context](exposed-apis-create-app-nativeapp.md) +If you need programmatic access Microsoft Defender ATP on behalf of a user, see [Get access wtih user context](exposed-apis-create-app-nativeapp.md) If you are not sure which access you need, see [Get started](apis-intro.md). -Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). +Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate workflows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). In general, you’ll need to take the following steps to use the APIs: - Create an AAD application - Get an access token using this application -- Use the token to access Windows Defender ATP API +- Use the token to access Microsoft Defender ATP API -This page explains how to create an AAD application, get an access token to Windows Defender ATP and validate the token. +This page explains how to create an AAD application, get an access token to Microsoft Defender ATP and validate the token. ## Create an app @@ -101,7 +101,7 @@ This page explains how to create an AAD application, get an access token to Wind ![Image of created app id](images/webapp-app-id1.png) -11. **For Windows Defender ATP Partners only** - Set your application to be multi-tenanted +11. **For Microsoft Defender ATP Partners only** - Set your application to be multi-tenanted This is **required** for 3rd party apps (for example, if you create an application that is intended to run in multiple customers tenant). @@ -113,7 +113,7 @@ This page explains how to create an AAD application, get an access token to Wind - Application consent for your multi-tenant App: - You need your application to be approved in each tenant where you intend to use it. This is because your application interacts with Windows Defender ATP application on behalf of your customer. + You need your application to be approved in each tenant where you intend to use it. This is because your application interacts with Microsoft Defender ATP application on behalf of your customer. You (or your customer if you are writing a 3rd party application) need to click the consent link and approve your application. The consent should be done with a user who has admin privileges in the active directory. @@ -199,7 +199,7 @@ Refer to [Get token using Python](run-advanced-query-sample-python.md#get-token) - Open a command window - ​Set CLIENT_ID to your Azure application ID - Set CLIENT_SECRET to your Azure application secret -- Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access Windows Defender ATP application +- Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access Microsoft Defender ATP application - Run the below command: ``` @@ -217,13 +217,13 @@ You will get an answer of the form: Sanity check to make sure you got a correct token: - Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it - Validate you get a 'roles' claim with the desired permissions -- In the screenshot below you can see a decoded token acquired from an app with permissions to all of Windows Defender ATP's roles: +- In the screenshot below you can see a decoded token acquired from an app with permissions to all of Microsoft Defender ATP's roles: ![Image of token validation](images/webapp-decoded-token.png) -## Use the token to access Windows Defender ATP API +## Use the token to access Microsoft Defender ATP API -- Choose the API you want to use, for more information, see [Supported Windows Defender ATP APIs](exposed-apis-list.md) +- Choose the API you want to use, for more information, see [Supported Microsoft Defender ATP APIs](exposed-apis-list.md) - Set the Authorization header in the Http request you send to "Bearer {token}" (Bearer is the Authorization scheme) - The Expiration time of the token is 1 hour (you can send more then one request with the same token) @@ -241,5 +241,5 @@ Sanity check to make sure you got a correct token: ``` ## Related topics -- [Supported Windows Defender ATP APIs](exposed-apis-list.md) -- [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md) \ No newline at end of file +- [Supported Microsoft Defender ATP APIs](exposed-apis-list.md) +- [Access Microsoft Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md index 80c3f2dfdf..baa4e06aca 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md @@ -17,18 +17,18 @@ ms.topic: article ms.date: 09/24/2018 --- -# Windows Defender ATP APIs using PowerShell +# Microsoft Defender ATP APIs using PowerShell **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prerelease information](prerelease.md)] -Full scenario using multiple APIs from Windows Defender ATP. +Full scenario using multiple APIs from Microsoft Defender ATP. In this section we share PowerShell samples to - Retrieve a token - - Use token to retrieve the latest alerts in Windows Defender ATP + - Use token to retrieve the latest alerts in Microsoft Defender ATP - For each alert, if the alert has medium or high priority and is still in progress, check how many times the machine has connected to suspicious URL. >**Prerequisite**: You first need to [create an app](apis-intro.md). @@ -48,7 +48,7 @@ Set-ExecutionPolicy -ExecutionPolicy Bypass - Run the below > - $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant) -> - $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Windows Defender ATP) +> - $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Microsoft Defender ATP) > - $appSecret: Secret of your AAD app > - $suspiciousUrl: The URL @@ -116,7 +116,7 @@ $response ## Related topic -- [Windows Defender ATP APIs](apis-intro.md) +- [Microsoft Defender ATP APIs](apis-intro.md) - [Advanced Hunting API](run-advanced-query-api.md) - [Advanced Hunting using Python](run-advanced-query-sample-python.md) - [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md index 2be8b96e04..a0676ff144 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md @@ -1,6 +1,6 @@ --- -title: Supported Windows Defender Advanced Threat Protection query APIs -description: Learn about the specific supported Windows Defender Advanced Threat Protection entities where you can create API calls to. +title: Supported Microsoft Defender Advanced Threat Protection query APIs +description: Learn about the specific supported Microsoft Defender Advanced Threat Protection entities where you can create API calls to. keywords: apis, supported apis, actor, alerts, machine, user, domain, ip, file, advanced queries, advanced hunting search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -16,14 +16,14 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Supported Windows Defender ATP query APIs +# Supported Microsoft Defender ATP query APIs **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supportedapis-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supportedapis-abovefoldlink) ## End Point URI and Versioning @@ -58,4 +58,4 @@ Machines | Run API calls such as find machine information by IP, get machines, g User | Run API calls such as get alert related user information, user information, user related alerts, and user related machines. ## Related topic -- [Windows Defender ATP APIs](apis-intro.md) +- [Microsoft Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md index 8892195292..3eb6c6eb6b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md @@ -1,6 +1,6 @@ --- -title: OData queries with Windows Defender ATP -description: OData queries with Windows Defender ATP +title: OData queries with Microsoft Defender ATP +description: OData queries with Microsoft Defender ATP keywords: apis, supported apis, odata, query search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -17,9 +17,9 @@ ms.topic: article ms.date: 11/15/2018 --- -# OData queries with Windows Defender ATP +# OData queries with Microsoft Defender ATP **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prerelease information](prerelease.md)] @@ -242,7 +242,7 @@ Content-type: application/json ### Example 6 -- Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Windows Defender ATP +- Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender ATP ``` HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@WcdTestPrd.onmicrosoft.com' and type eq 'RunAntiVirusScan' @@ -293,4 +293,4 @@ Content-type: application/json ``` ## Related topic -- [Windows Defender ATP APIs](apis-intro.md) +- [Microsoft Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/files.md b/windows/security/threat-protection/microsoft-defender-atp/files.md index 0491fe98c9..8a89db801c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/files.md +++ b/windows/security/threat-protection/microsoft-defender-atp/files.md @@ -18,11 +18,11 @@ ms.topic: article # File resource type **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prerelease information](prerelease.md)] -Represent a file entity in Windows Defender ATP. +Represent a file entity in Microsoft Defender ATP. # Methods Method|Return Type |Description @@ -50,5 +50,5 @@ fileProductName | String | Product name. signer | String | File signer. issuer | String | File issuer. signerHash | String | Hash of the signing certificate. -isValidCertificate | Boolean | Was signing certificate successfully verified by Windows Defender ATP agent. +isValidCertificate | Boolean | Was signing certificate successfully verified by Microsoft Defender ATP agent. diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md b/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md index 5e8d10dd1e..da2a070318 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md +++ b/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md @@ -23,7 +23,7 @@ ms.date: 07/25/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) Find a machine by internal IP. @@ -32,7 +32,7 @@ Find a machine by internal IP. >The timestamp must be within the last 30 days. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md index 687f9ab304..d46afc1621 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md +++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md @@ -21,7 +21,7 @@ ms.date: 12/08/2017 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] @@ -29,7 +29,7 @@ ms.date: 12/08/2017 - The given timestamp must be in the past 30 days. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealhty-sensors.md b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealhty-sensors.md index f6ed806476..25198b66e2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealhty-sensors.md +++ b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealhty-sensors.md @@ -1,5 +1,5 @@ --- -title: Fix unhealthy sensors in Windows Defender ATP +title: Fix unhealthy sensors in Microsoft Defender ATP description: Fix machine sensors that are reporting as misconfigured or inactive so that the service receives data from the machine. keywords: misconfigured, inactive, fix sensor, sensor health, no sensor data, sensor data, impaired communications, communication search.product: eADQiWindows 10XVcnh @@ -18,16 +18,16 @@ ms.topic: article ms.date: 10/23/2017 --- -# Fix unhealthy sensors in Windows Defender ATP +# Fix unhealthy sensors in Microsoft Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-fixsensor-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-fixsensor-abovefoldlink) Machines that are categorized as misconfigured or inactive can be flagged due to varying causes. This section provides some explanations as to what might have caused a machine to be categorized as inactive or misconfigured. @@ -39,14 +39,14 @@ An inactive machine is not necessarily flagged due to an issue. The following ac If the machine has not been in use for more than 7 days for any reason, it will remain in an ‘Inactive’ status in the portal. **Machine was reinstalled or renamed**
-A reinstalled or renamed machine will generate a new machine entity in Windows Defender Security Center. The previous machine entity will remain with an ‘Inactive’ status in the portal. If you reinstalled a machine and deployed the Windows Defender ATP package, search for the new machine name to verify that the machine is reporting normally. +A reinstalled or renamed machine will generate a new machine entity in Windows Defender Security Center. The previous machine entity will remain with an ‘Inactive’ status in the portal. If you reinstalled a machine and deployed the Microsoft Defender ATP package, search for the new machine name to verify that the machine is reporting normally. **Machine was offboarded**
If the machine was offboarded it will still appear in machines list. After 7 days, the machine health state should change to inactive. **Machine is not sending signals** -If the machine is not sending any signals for more than 7 days to any of the Windows Defender ATP channels for any reason including conditions that fall under misconfigured machines classification, a machine can be considered inactive. +If the machine is not sending any signals for more than 7 days to any of the Microsoft Defender ATP channels for any reason including conditions that fall under misconfigured machines classification, a machine can be considered inactive. Do you expect a machine to be in ‘Active’ status? [Open a support ticket ticket](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561). @@ -62,10 +62,10 @@ This status indicates that there's limited communication between the machine and The following suggested actions can help fix issues related to a misconfigured machine with impaired communications: - [Ensure the machine has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#troubleshoot-onboarding-issues-on-the-machine)
- The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service. + The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service. -- [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls)
- Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs. +- [Verify client connectivity to Microsoft Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls)
+ Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs. If you took corrective actions and the machine status is still misconfigured, [open a support ticket](https://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409). @@ -74,18 +74,18 @@ A misconfigured machine with status ‘No sensor data’ has communication with Follow theses actions to correct known issues related to a misconfigured machine with status ‘No sensor data’: - [Ensure the machine has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#troubleshoot-onboarding-issues-on-the-machine)
- The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service. + The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service. -- [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls)
- Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs. +- [Verify client connectivity to Microsoft Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls)
+ Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs. - [Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostics-service-is-enabled)
If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the endpoint. - [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)
-If your machines are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Antivirus Early Launch Antimalware (ELAM) driver to be enabled. +If your machines are running a third-party antimalware client, the Microsoft Defender ATP agent needs the Windows Defender Antivirus Early Launch Antimalware (ELAM) driver to be enabled. If you took corrective actions and the machine status is still misconfigured, [open a support ticket](https://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409). ## Related topic -- [Check sensor health state in Windows Defender ATP](check-sensor-status-windows-defender-advanced-threat-protection.md) +- [Check sensor health state in Microsoft Defender ATP](check-sensor-status-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md index 3cbd5cc31e..bbd89aa3a9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md @@ -19,14 +19,14 @@ ms.date: 12/08/2017 # Get alert information by ID API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] Retrieves an alert by its ID. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md index 5e0a0256ae..1fca507328 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md @@ -19,14 +19,14 @@ ms.date: 12/08/2017 # Get alert related domain information API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] Retrieves all domains related to a specific alert. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md index a286bb19f9..9bbfea2471 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md @@ -19,14 +19,14 @@ ms.date: 12/08/2017 # Get alert related files information API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] Retrieves all files related to a specific alert. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md index af24309c36..097a942506 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md @@ -19,7 +19,7 @@ ms.date: 12/08/2017 # Get alert related IP information API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] @@ -27,7 +27,7 @@ ms.date: 12/08/2017 Retrieves all IPs related to a specific alert. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md index 55b0895b5f..67b08cb95f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md @@ -20,14 +20,14 @@ ms.date: 12/08/2017 # Get alert related machine information API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] - Retrieves machine that is related to a specific alert. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md index a96ecfe588..13feffeb9e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md @@ -19,7 +19,7 @@ ms.date: 12/08/2017 # Get alert related user information API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] @@ -27,7 +27,7 @@ ms.date: 12/08/2017 Retrieves the user associated to a specific alert. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md index 45820ed888..f75ea370fe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md @@ -19,7 +19,7 @@ ms.date: 12/08/2017 # List alerts API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] @@ -28,10 +28,10 @@ ms.date: 12/08/2017 - Retrieves a collection of Alerts. - Supports [OData V4 queries](https://www.odata.org/documentation/). - The OData's Filter query is supported on: "Id", "IncidentId", "AlertCreationTime", "Status", "Severity" and "Category". -- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) +- See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- @@ -136,4 +136,4 @@ Here is an example of the response. ``` ## Related topics -- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) +- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md index e65b940689..0d1e9286c3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md @@ -22,7 +22,7 @@ ms.date: 10/07/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves a map of CVE's to KB's and CVE details. diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md index 2a44ef58e4..5ba64ec4c7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md @@ -19,7 +19,7 @@ ms.date: 12/08/2017 # Get domain related alerts API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] @@ -31,7 +31,7 @@ ms.date: 12/08/2017 Retrieves a collection of alerts related to a given domain address. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md index c1136545a5..5d423ce391 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md @@ -19,14 +19,14 @@ ms.date: 12/08/2017 # Get domain related machines API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] Retrieves a collection of machines that have communicated to or from a given domain address. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md index f4f669e5a2..ae79790f9a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md @@ -19,7 +19,7 @@ ms.date: 12/08/2017 # Get domain statistics API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] @@ -27,7 +27,7 @@ ms.date: 12/08/2017 Retrieves the prevalence for the given domain. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md index 792f618d5f..35e9289aa3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md @@ -20,7 +20,7 @@ ms.date: 12/08/2017 # Get file information API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] @@ -28,7 +28,7 @@ ms.date: 12/08/2017 Retrieves a file by identifier Sha1, Sha256, or MD5. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md index 46f6a80f2a..5df7bcbdb8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md @@ -20,7 +20,7 @@ ms.date: 12/08/2017 # Get file related alerts API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] @@ -29,7 +29,7 @@ ms.date: 12/08/2017 Retrieves a collection of alerts related to a given file hash. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md index cf9e003f26..389c9e1c36 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md @@ -21,14 +21,14 @@ ms.date: 12/08/2017 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] - Retrieves a collection of machines related to a given file hash. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md index 17f1f3525d..674203724b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md @@ -20,7 +20,7 @@ ms.date: 12/08/2017 # Get file statistics API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] @@ -31,7 +31,7 @@ ms.date: 12/08/2017 Retrieves the prevalence for the given file. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md index 08817b8e70..41683118e7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md @@ -20,14 +20,14 @@ ms.date: 12/08/2017 # Get IP related alerts API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] Retrieves a collection of alerts related to a given IP address. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md index e17c0a1457..a1ab48a5a3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md @@ -19,7 +19,7 @@ ms.date: 12/08/2017 # Get IP related machines API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] @@ -27,7 +27,7 @@ ms.date: 12/08/2017 Retrieves a collection of machines that communicated with or from a particular IP. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md index 3c2c965ffb..1a1062304c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md @@ -20,7 +20,7 @@ ms.date: 12/08/2017 # Get IP statistics API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] @@ -29,7 +29,7 @@ ms.date: 12/08/2017 Retrieves the prevalence for the given IP. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md index cfc710240a..7617020547 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md @@ -22,7 +22,7 @@ ms.date: 10/07/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves a collection of KB's and KB details. diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md index 5a6a77b908..57cb51ba8b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md @@ -21,14 +21,14 @@ ms.date: 12/08/2017 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] - Retrieves a machine entity by ID. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md index eb0edbe3e4..0315fbb35c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md @@ -23,11 +23,11 @@ ms.date: 12/08/2017 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) Retrieves a collection of logged on users. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md index df392f1ef1..19f9e99ebc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md @@ -23,11 +23,11 @@ ms.date: 12/08/2017 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) Retrieves a collection of alerts related to a given machine ID. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md index 19a78ab6d8..ac88ef7f97 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md @@ -21,14 +21,14 @@ ms.date: 12/08/2017 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] - Get action performed on a machine. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md index 4be4316a45..c91a221921 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md @@ -21,17 +21,17 @@ ms.date: 12/08/2017 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] - Gets collection of actions done on machines. - Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/). - The OData's Filter query is supported on: "Id", "Status", "MachineId", "Type", "Requestor" and "CreationDateTimeUtc". -- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) +- See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- @@ -175,4 +175,4 @@ Content-type: application/json ``` ## Related topics -- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) +- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md index 85bfd9945a..9205fdc61c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md @@ -22,7 +22,7 @@ ms.date: 10/07/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves a collection of RBAC machine groups. diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md index 7e2ad2eaf1..d7104b407e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md @@ -19,14 +19,14 @@ ms.topic: article # List machines API **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prereleaseinformation](prerelease.md)] -- Retrieves a collection of machines that have communicated with Windows Defender ATP cloud on the last 30 days. +- Retrieves a collection of machines that have communicated with Microsoft Defender ATP cloud on the last 30 days. - Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/). - The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId". -- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) +- See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) ## Permissions @@ -127,4 +127,4 @@ Content-type: application/json ``` ## Related topics -- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) +- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md index 55803636b8..70fec0601d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md @@ -22,7 +22,7 @@ ms.date: 10/07/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves a collection of machines security states. diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md index 32bc25c9bd..aad27c712c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md @@ -19,14 +19,14 @@ ms.date: 12/08/2017 # Get package SAS URI API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prerelease information](prerelease.md)] Get a URI that allows downloading of an [investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md). ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-started.md b/windows/security/threat-protection/microsoft-defender-atp/get-started.md index 6086863cb6..f5a6fa236f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-started.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-started.md @@ -1,6 +1,6 @@ --- -title: Get started with Windows Defender Advanced Threat Protection -description: Learn about the minimum requirements and initial steps you need to take to get started with Windows Defender ATP. +title: Get started with Microsoft Defender Advanced Threat Protection +description: Learn about the minimum requirements and initial steps you need to take to get started with Microsoft Defender ATP. keywords: get started, minimum requirements, setup, subscription, features, data storage, privacy, user access search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -18,39 +18,39 @@ ms.topic: conceptual ms.date: 11/20/2018 --- -# Get started with Windows Defender Advanced Threat Protection +# Get started with Microsoft Defender Advanced Threat Protection **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >[!TIP] ->- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). ->- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). +>- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). -Learn about the minimum requirements and initial steps you need to take to get started with Windows Defender ATP. +Learn about the minimum requirements and initial steps you need to take to get started with Microsoft Defender ATP. -The following capabilities are available across multiple products that make up the Windows Defender ATP platform. +The following capabilities are available across multiple products that make up the Microsoft Defender ATP platform. **Attack surface reduction**
The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. **Next generation protection**
-To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation protection designed to catch all types of emerging threats. +To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats. **Endpoint detection and response**
Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. **Auto investigation and remediation**
-In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. +In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. **Secure score**
-Windows Defender ATP provides a security posture capability to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security state of your network. +Microsoft Defender ATP provides a security posture capability to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security state of your network. **Advanced hunting**
Advanced hunting allows you to hunt for possible threats across your organization using a powerful search and query tool. You can also create custom detection rules based on the queries you created and surface alerts in Windows Defender Security Center. **Management and APIs**
-Integrate Windows Defender Advanced Threat Protection into your existing workflows. +Integrate Microsoft Defender Advanced Threat Protection into your existing workflows. **Microsoft threat protection**
Bring the power of Microsoft Threat Protection to your organization. @@ -60,8 +60,8 @@ Topic | Description :---|:--- [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md) | Learn about the requirements for onboarding machines to the platform. [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md) | Get guidance on how to check that licenses have been provisioned to your organization and how to access the portal for the first time. -[Preview features](preview-windows-defender-advanced-threat-protection.md) | Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience. -[Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) | Explains the data storage and privacy details related to Windows Defender ATP. +[Preview features](preview-windows-defender-advanced-threat-protection.md) | Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience. +[Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) | Explains the data storage and privacy details related to Microsoft Defender ATP. [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md) | Set permissions to manage who can access the portal. You can set basic permissions or set granular permissions using role-based access control (RBAC). -[Evaluate Windows Defender ATP](evaluate-atp.md) | Evaluate the various capabilities in Windows Defender ATP and test features out. -[Access the Windows Defender Security Center Community Center](community-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product. \ No newline at end of file +[Evaluate Microsoft Defender ATP](evaluate-atp.md) | Evaluate the various capabilities in Microsoft Defender ATP and test features out. +[Access the Windows Defender Security Center Community Center](community-windows-defender-advanced-threat-protection.md) | The Microsoft Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product. \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md index 837155f677..6fe62b0834 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md @@ -20,7 +20,7 @@ ms.date: 12/08/2017 # List Indicators API **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prereleaseinformation](prerelease.md)] diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md index 75c9bc7f08..ee1b42726f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md @@ -18,14 +18,14 @@ ms.topic: article # Get user information API **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prerelease information](prerelease.md)] Retrieve a User entity by key (user name). ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md index 6044ca7009..ad8a4ad671 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md @@ -19,14 +19,14 @@ ms.date: 12/08/2017 # Get user related alerts API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] Retrieves a collection of alerts related to a given user ID. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md index a3597ff7ac..ee24ebc6e3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md @@ -20,14 +20,14 @@ ms.date: 12/08/2017 # Get user related machines API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] Retrieves a collection of machines related to a given user ID. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/incidents-queue.md b/windows/security/threat-protection/microsoft-defender-atp/incidents-queue.md index 1a769c409b..3ac978d6bd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/incidents-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/incidents-queue.md @@ -1,5 +1,5 @@ --- -title: Incidents queue in Windows Defender ATP +title: Incidents queue in Microsoft Defender ATP description: keywords: incidents, aggregate, investigations, queue, ttp search.product: eADQiWindows 10XVcnh @@ -17,14 +17,14 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Incidents in Windows Defender ATP +# Incidents in Microsoft Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -When a cybersecurity threat is emerging, or a potential attacker is deploying its tactics, techniques/tools, and procedures (TTPs) on the network, Windows Defender ATP will quickly trigger alerts and launch matching automatic investigations. +When a cybersecurity threat is emerging, or a potential attacker is deploying its tactics, techniques/tools, and procedures (TTPs) on the network, Microsoft Defender ATP will quickly trigger alerts and launch matching automatic investigations. -Windows Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network. +Microsoft Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network. ## In this section diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md index 9eedb8b8f5..e147c2ee32 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md +++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md @@ -19,18 +19,18 @@ ms.date: 12/05/2018 # Configure information protection in Windows **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prerelease information](prerelease.md)] -Learn how you can use Windows Defender ATP to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin. +Learn how you can use Microsoft Defender ATP to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin. >[!TIP] -> Read our blog post about how [Windows Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/). +> Read our blog post about how [Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/). ## Prerequisites - Endpoints need to be on Windows 10, version 1809 or later -- You'll need the appropriate license to leverage the Windows Defender ATP and Azure Information Protection integration +- You'll need the appropriate license to leverage the Microsoft Defender ATP and Azure Information Protection integration - Your tenant needs to be onboarded to Azure Information Protection analytics, for more information see, [Configure a Log Analytics workspace for the reports](https://docs.microsoft.comazure/information-protection/reports-aip#configure-a-log-analytics-workspace-for-the-reports) @@ -46,10 +46,10 @@ Learn how you can use Windows Defender ATP to expand the coverage of Windows Inf 4. Repeat for every label that you want to get WIP applied to in Windows. -After completing these steps Windows Defender ATP will automatically identify labeled documents stored on the device and enable WIP on them. +After completing these steps Microsoft Defender ATP will automatically identify labeled documents stored on the device and enable WIP on them. >[!NOTE] ->- The Windows Defender ATP configuration is pulled every 15 minutes. Allow up to 30 minutes for the new policy to take effect and ensure that the endpoint is online. Otherwise, it will not receive the policy. +>- The Microsoft Defender ATP configuration is pulled every 15 minutes. Allow up to 30 minutes for the new policy to take effect and ensure that the endpoint is online. Otherwise, it will not receive the policy. >- Data forwarded to Azure Information Protection is stored in the same location as your other Azure Information Protection data. ## Related topic diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md index 976dfff7e4..f594da75a4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md @@ -19,56 +19,56 @@ ms.date: 12/05/2018 # Information protection in Windows overview **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prerelease information](prerelease.md)] Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. -Windows Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. This solution is delivered and managed as part of the unified Microsoft 365 information protection suite. +Microsoft Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. This solution is delivered and managed as part of the unified Microsoft 365 information protection suite. >[!TIP] -> Read our blog post about how [Windows Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/). +> Read our blog post about how [Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/). -Windows Defender ATP applies two methods to discover and protect data: +Microsoft Defender ATP applies two methods to discover and protect data: - **Data discovery** - Identify sensitive data on Windows devices at risk - **Data protection** - Windows Information Protection (WIP) as outcome of Azure Information Protection label ## Data discovery -Windows Defender ATP automatically discovers files with sensitivity labels on Windows devices when the feature is enabled. You can enable the Azure Information Protection integration feature from Windows Defender Security Center. For more information, see [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md#azure-information-protection). +Microsoft Defender ATP automatically discovers files with sensitivity labels on Windows devices when the feature is enabled. You can enable the Azure Information Protection integration feature from Windows Defender Security Center. For more information, see [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md#azure-information-protection). ![Image of settings page with Azure Information Protection](images/atp-settings-aip.png) -After enabling the Azure Information Protection integration, data discovery signals are immediately forwarded to Azure Information Protection from the device. When a labeled file is created or modified on a Windows device, Windows Defender ATP automatically reports the signal to Azure Information Protection. +After enabling the Azure Information Protection integration, data discovery signals are immediately forwarded to Azure Information Protection from the device. When a labeled file is created or modified on a Windows device, Microsoft Defender ATP automatically reports the signal to Azure Information Protection. The reported signals can be viewed on the Azure Information Protection - Data discovery dashboard. ### Azure Information Protection - Data discovery dashboard -This dashboard presents a summarized discovery information of data discovered by both Windows Defender ATP and Azure Information Protection. Data from Windows Defender ATP is marked with Location Type - Endpoint. +This dashboard presents a summarized discovery information of data discovered by both Microsoft Defender ATP and Azure Information Protection. Data from Microsoft Defender ATP is marked with Location Type - Endpoint. ![Image of Azure Information Protection - Data discovery](images/azure-data-discovery.png) -Notice the Device Risk column on the right, this device risk is derived directly from Windows Defender ATP, indicating the risk level of the security device where the file was discovered, based on the active security threats detected by Windows Defender ATP. +Notice the Device Risk column on the right, this device risk is derived directly from Microsoft Defender ATP, indicating the risk level of the security device where the file was discovered, based on the active security threats detected by Microsoft Defender ATP. -Clicking the device risk level will redirect you to the device page in Windows Defender ATP, where you can get a comprehensive view of the device security status and its active alerts. +Clicking the device risk level will redirect you to the device page in Microsoft Defender ATP, where you can get a comprehensive view of the device security status and its active alerts. >[!NOTE] ->Windows Defender ATP does not currently report the Information Types. +>Microsoft Defender ATP does not currently report the Information Types. ### Log Analytics -Data discovery based on Windows Defender ATP is also available in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-overview), where you can perform complex queries over the raw data. +Data discovery based on Microsoft Defender ATP is also available in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-overview), where you can perform complex queries over the raw data. For more information on Azure Information Protection analytics, see [Central reporting for Azure Information Protection](https://docs.microsoft.com/azure/information-protection/reports-aip). Open Azure Log Analytics in Azure Portal and open a query builder (standard or classic). -To view Windows Defender ATP data, perform a query that contains: +To view Microsoft Defender ATP data, perform a query that contains: ``` @@ -83,15 +83,15 @@ InformationProtectionLogs_CL ## Data protection -For data to be protected, they must first be identified through labels. Sensitivity labels are created in Office Security and Compliance (SCC). Windows Defender ATP then uses the labels to identify endpoints that need Windows Information Protection (WIP) applied on them. +For data to be protected, they must first be identified through labels. Sensitivity labels are created in Office Security and Compliance (SCC). Microsoft Defender ATP then uses the labels to identify endpoints that need Windows Information Protection (WIP) applied on them. -When you create sensitivity labels, you can set the information protection functionalities that will be applied on the file. The setting that applies to Windows Defender ATP is the Data loss prevention. You'll need to turn on the Data loss prevention and select Enable Windows end point protection (DLP for devices). +When you create sensitivity labels, you can set the information protection functionalities that will be applied on the file. The setting that applies to Microsoft Defender ATP is the Data loss prevention. You'll need to turn on the Data loss prevention and select Enable Windows end point protection (DLP for devices). ![Image of Office 365 Security and Compliance sensitivity label](images/office-scc-label.png) -Once, the policy is set and published, Windows Defender ATP automatically enables WIP for labeled files. When a labeled file is created or modified on a Windows device, Windows Defender ATP automatically detects it and enables WIP on that file if its label corresponds with Office Security and Compliance (SCC) policy. +Once, the policy is set and published, Microsoft Defender ATP automatically enables WIP for labeled files. When a labeled file is created or modified on a Windows device, Microsoft Defender ATP automatically detects it and enables WIP on that file if its label corresponds with Office Security and Compliance (SCC) policy. This functionality expands the coverage of WIP to protect files based on their label, regardless of their origin. diff --git a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md index 7e91cf5285..13ed50b836 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md @@ -18,7 +18,7 @@ ms.topic: article # Initiate machine investigation API (Preview) **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) > [!IMPORTANT] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -33,7 +33,7 @@ Initiate AutoIR investigation on a machine. 2. For Automated Investigation limitations, see [Automated Investigation](automated-investigations-windows-defender-advanced-threat-protection.md). ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md index 1c60dae5b7..fd445e7665 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md @@ -1,5 +1,5 @@ --- -title: Investigate Windows Defender Advanced Threat Protection alerts +title: Investigate Microsoft Defender Advanced Threat Protection alerts description: Use the investigation options to get details on alerts are affecting your network, what they mean, and how to resolve them. keywords: investigate, investigation, machines, machine, alerts queue, dashboard, IP address, file, submit, submissions, deep analysis, timeline, search, domain, URL, IP search.product: eADQiWindows 10XVcnh @@ -18,15 +18,15 @@ ms.topic: article ms.date: 04/24/2018 --- -# Investigate Windows Defender Advanced Threat Protection alerts +# Investigate Microsoft Defender Advanced Threat Protection alerts **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatealerts-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatealerts-abovefoldlink) Investigate alerts that are affecting your network, understand what they mean, and how to resolve them. @@ -93,12 +93,12 @@ The **Artifact timeline** feature provides an addition view of the evidence that Selecting an alert detail brings up the **Details pane** where you'll be able to see more information about the alert such as file details, detections, instances of it observed worldwide, and in the organization. ## Related topics -- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) -- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) -- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) -- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) +- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) +- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) +- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) +- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) +- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) +- [Investigate a user account in Microsoft Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md index 010408840d..14ceae480d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md @@ -1,5 +1,5 @@ --- -title: Investigate Windows Defender Advanced Threat Protection domains +title: Investigate Microsoft Defender Advanced Threat Protection domains description: Use the investigation options to see if machines and servers have been communicating with malicious domains. keywords: investigate domain, domain, malicious domain, windows defender atp, alert, URL search.product: eADQiWindows 10XVcnh @@ -17,16 +17,16 @@ ms.collection: M365-security-compliance ms.topic: article ms.date: 04/24/2018 --- -# Investigate a domain associated with a Windows Defender ATP alert +# Investigate a domain associated with a Microsoft Defender ATP alert **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatedomain-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatedomain-abovefoldlink) Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain. @@ -60,10 +60,10 @@ The **Most recent observed machinew with URL** section provides a chronological 5. Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events. ## Related topics -- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) -- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) -- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) -- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) +- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) +- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) +- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) +- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) +- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) +- [Investigate a user account in Microsoft Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md index cf4b455f24..3f570b3926 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md @@ -1,5 +1,5 @@ --- -title: Investigate Windows Defender Advanced Threat Protection files +title: Investigate Microsoft Defender Advanced Threat Protection files description: Use the investigation options to get details on files associated with alerts, behaviours, or events. keywords: investigate, investigation, file, malicious activity, attack motivation, deep analysis, deep analysis report search.product: eADQiWindows 10XVcnh @@ -17,16 +17,16 @@ ms.collection: M365-security-compliance ms.topic: article ms.date: 04/24/2018 --- -# Investigate a file associated with a Windows Defender ATP alert +# Investigate a file associated with a Microsoft Defender ATP alert **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatefiles-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatefiles-abovefoldlink) Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach. @@ -65,10 +65,10 @@ The **Most recent observed machines with the file** section allows you to specif This allows for greater accuracy in defining entities to display such as if and when an entity was observed in the organization. For example, if you’re trying to identify the origin of a network communication to a certain IP Address within a 10-minute period on a given date, you can specify that exact time interval, and see only files that communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching. ## Related topics -- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) -- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) -- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) -- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) +- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) +- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) +- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) +- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) +- [Investigate a user account in Microsoft Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md index 47c0edb764..cb3221071a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md @@ -1,5 +1,5 @@ --- -title: Investigate incidents in Windows Defender ATP +title: Investigate incidents in Microsoft Defender ATP description: See associated alerts, manage the incident, and see alert metadata to help you investigate an incident keywords: investigate, incident, alerts, metadata, risk, detection source, affected machines, patterns, correlation search.product: eADQiWindows 10XVcnh @@ -17,10 +17,10 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Investigate incidents in Windows Defender ATP +# Investigate incidents in Microsoft Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Investigate incidents that affect your network, understand what they mean, and collate evidence to resolve them. @@ -57,13 +57,13 @@ Select **Investigations** to see all the automatic investigations launched by th ![Image of investigations tab in incident details page](images/atp-incident-investigations-tab.png) ## Going through the evidence -Windows Defender Advanced Threat Protection automatically investigates all the incidents' supported events and suspicious entities in the alerts, providing you with auto-response and information about the important files, processes, services, and more. This helps quickly detect and block potential threats in the incident. +Microsoft Defender Advanced Threat Protection automatically investigates all the incidents' supported events and suspicious entities in the alerts, providing you with auto-response and information about the important files, processes, services, and more. This helps quickly detect and block potential threats in the incident. Each of the analyzed entities will be marked as infected, remediated, or suspicious. ![Image of evidence tab in incident details page](images/atp-incident-evidence-tab.png) ## Visualizing associated cybersecurity threats -Windows Defender Advanced Threat Protection aggregates the threat information into an incident so you can see the patterns and correlations coming in from various data points. You can view such correlation through the incident graph. +Microsoft Defender Advanced Threat Protection aggregates the threat information into an incident so you can see the patterns and correlations coming in from various data points. You can view such correlation through the incident graph. ### Incident graph The **Graph** tells the story of the cybersecurity attack. For example, it shows you what was the entry point, which indicator of compromise or activity was observed on which machine. etc. diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md index cf77b8afb9..0d5a09260c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md @@ -17,16 +17,16 @@ ms.collection: M365-security-compliance ms.topic: article ms.date: 04/24/2018 --- -# Investigate an IP address associated with a Windows Defender ATP alert +# Investigate an IP address associated with a Microsoft Defender ATP alert **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigateip-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigateip-abovefoldlink) Examine possible communication between your machines and external internet protocol (IP) addresses. @@ -67,10 +67,10 @@ Use the search filters to define the search criteria. You can also use the timel Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events. ## Related topics -- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) -- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) -- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) +- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) +- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) +- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) +- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) +- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) +- [Investigate a user account in Microsoft Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md index 2b9d2d90f5..8ca174ec64 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md @@ -1,5 +1,5 @@ --- -title: Investigate machines in the Windows Defender ATP Machines list +title: Investigate machines in the Microsoft Defender ATP Machines list description: Investigate affected machines by reviewing alerts, network connection information, adding machine tags and groups, and checking the service health. keywords: machines, tags, groups, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity, service heatlh search.product: eADQiWindows 10XVcnh @@ -18,12 +18,12 @@ ms.topic: article ms.date: 09/18/2018 --- -# Investigate machines in the Windows Defender ATP Machines list +# Investigate machines in the Microsoft Defender ATP Machines list **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink) ## Investigate machines Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of breach. @@ -71,7 +71,7 @@ The Machine risk tile shows the overall risk assessment of a machine. A machine' If you have enabled the Azure ATP feature and there are alerts related to the machine, you can click on the link that will take you to the Azure ATP page where more information about the alerts are provided. >[!NOTE] ->You'll need to enable the integration on both Azure ATP and Windows Defender ATP to use this feature. In Windows Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features-windows-defender-advanced-threat-protection.md). +>You'll need to enable the integration on both Azure ATP and Microsoft Defender ATP to use this feature. In Microsoft Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features-windows-defender-advanced-threat-protection.md). **Machine reporting**
Provides the last internal IP and external IP of the machine. It also shows when the machine was first and last seen reporting to the service. @@ -92,7 +92,7 @@ This feature also enables you to selectively drill down into events that occurre ![Image of machine timeline with events](images/atp-machines-timeline.png) -Windows Defender ATP monitors and captures suspicious or anomalous behavior on Windows 10 machines and displays the process tree flow in the **Machine timeline**. This gives you better context of the behavior which can contribute to understanding the correlation between events, files, and IP addresses in relation to the machine. +Microsoft Defender ATP monitors and captures suspicious or anomalous behavior on Windows 10 machines and displays the process tree flow in the **Machine timeline**. This gives you better context of the behavior which can contribute to understanding the correlation between events, files, and IP addresses in relation to the machine. ### Search for specific events @@ -114,7 +114,7 @@ Use the search bar to look for specific timeline events. Harness the power of us - Behaviors mode: displays "detections" and selected events of interest - Verbose mode: displays all raw events without aggregation or filtering -- **Event type** - Click the drop-down button to filter by events such as Windows - Windows Defender ATP alerts, Windows Defender Application Guard events, registry events, file events, and others. +- **Event type** - Click the drop-down button to filter by events such as Windows - Microsoft Defender ATP alerts, Windows Defender Application Guard events, registry events, file events, and others. Filtering by event type allows you to define precise queries so that you see events with a specific focus. For example, you can search for a file name, then filter the results to only see Process events matching the search criteria or to only view file events, or even better: to view only network events over a period of time to make sure no suspicious outbound communications go unnoticed. @@ -173,10 +173,10 @@ The details pane enriches the ‘in-context’ information across investigation ## Related topics -- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) -- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) -- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) -- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) +- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) +- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) +- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) +- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) +- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) +- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) +- [Investigate a user account in Microsoft Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md index 4260159191..886c34c0f8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md @@ -1,5 +1,5 @@ --- -title: Investigate a user account in Windows Defender ATP +title: Investigate a user account in Microsoft Defender ATP description: Investigate a user account for potential compromised credentials or pivot on the associated user account during an investigation. keywords: investigate, account, user, user entity, alert, windows defender atp search.product: eADQiWindows 10XVcnh @@ -17,15 +17,15 @@ ms.collection: M365-security-compliance ms.topic: article ms.date: 04/24/2018 --- -# Investigate a user account in Windows Defender ATP +# Investigate a user account in Microsoft Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatgeuser-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatgeuser-abovefoldlink) ## Investigate user account entities Identify user accounts with the most active alerts (displayed on dashboard as "Users at risk") and investigate cases of potential compromised credentials, or pivot on the associated user account when investigating an alert or machine to identify possible lateral movement between machines with that user account. @@ -53,7 +53,7 @@ The user entity tile provides details about the user such as when the user was f If you have enabled the Azure ATP feature and there are alerts related to the user, you can click on the link that will take you to the Azure ATP page where more information about the alerts are provided. The Azure ATP tile also provides details such as the last AD site, total group memberships, and login failure associated with the user. >[!NOTE] ->You'll need to enable the integration on both Azure ATP and Windows Defender ATP to use this feature. In Windows Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features-windows-defender-advanced-threat-protection.md). +>You'll need to enable the integration on both Azure ATP and Microsoft Defender ATP to use this feature. In Microsoft Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features-windows-defender-advanced-threat-protection.md). **Logged on machines**
You'll also see a list of the machines that the user logged on to, and can expand these to see details of the logon events on each machine. @@ -85,11 +85,11 @@ You can filter the results by the following time periods: - 6 months ## Related topics -- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) -- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) -- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) -- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) +- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) +- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) +- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) +- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) +- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) +- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md b/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md index 026174d5f5..6ff1bae6e0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md +++ b/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md @@ -19,7 +19,7 @@ ms.date: 04/24/2018 # Was domain seen in org **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] @@ -27,7 +27,7 @@ ms.date: 04/24/2018 Answers whether a domain was seen in the organization. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md b/windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md index 8cfb010fc6..08e8c07149 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md +++ b/windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md @@ -20,7 +20,7 @@ ms.date: 12/08/2017 # Was IP seen in org **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] @@ -28,7 +28,7 @@ ms.date: 12/08/2017 Answers whether an IP was seen in the organization. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md index a09ded139b..1379df6c30 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md @@ -19,7 +19,7 @@ ms.date: 12/08/2017 # Isolate machine API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prerelease information](prerelease.md)] @@ -28,7 +28,7 @@ Isolates a machine from accessing external network. [!include[Machine actions note](machineactionsnote.md)] ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/licensing.md b/windows/security/threat-protection/microsoft-defender-atp/licensing.md index 9dcb0b6f60..efbcf00dab 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/licensing.md +++ b/windows/security/threat-protection/microsoft-defender-atp/licensing.md @@ -1,6 +1,6 @@ --- -title: Validate licensing provisioning and complete Windows Defender ATP set up -description: Validating licensing provisioning, setting up initial preferences, and completing the user set up for Windows Defender Advanced Threat Protection portal. +title: Validate licensing provisioning and complete Microsoft Defender ATP set up +description: Validating licensing provisioning, setting up initial preferences, and completing the user set up for Microsoft Defender Advanced Threat Protection portal. keywords: license, licensing, account, set up, validating licensing, windows defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -16,16 +16,16 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: article --- -# Validate licensing provisioning and complete set up for Windows Defender ATP +# Validate licensing provisioning and complete set up for Microsoft Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-validatelicense-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-validatelicense-abovefoldlink) ## Check license state @@ -53,11 +53,11 @@ To gain access into which licenses are provisioned to your company, and to check ## Access Windows Defender Security Center for the first time -When accessing [Windows Defender Security Center](https://SecurityCenter.Windows.com) for the first time there will be a setup wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Windows Defender ATP created. +When accessing [Windows Defender Security Center](https://SecurityCenter.Windows.com) for the first time there will be a setup wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Microsoft Defender ATP created. 1. Each time you access the portal you will need to validate that you are authorized to access the product. This **Set up your permissions** step will only be available if you are not currently authorized to access the product. - ![Image of Set up your permissions for Windows Defender ATP](images\atp-setup-permissions-wdatp-portal.png) + ![Image of Set up your permissions for Microsoft Defender ATP](images\atp-setup-permissions-wdatp-portal.png) Once the authorization step is completed, the **Welcome** screen will be displayed. @@ -74,9 +74,9 @@ When accessing [Windows Defender Security Center](https://SecurityCenter.Windows 1. **Select data storage location**
When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the United States, the European Union, or the United Kingdom. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation. > [!WARNING] - > This option cannot be changed without completely offboarding from Windows Defender ATP and completing a new enrollment process. + > This option cannot be changed without completely offboarding from Microsoft Defender ATP and completing a new enrollment process. - 2. **Select the data retention policy**
Windows Defender ATP will store data up to a period of 6 months in your cloud instance, however, you have the option to set the data retention period for a shorter timeframe during this step of the set up process. + 2. **Select the data retention policy**
Microsoft Defender ATP will store data up to a period of 6 months in your cloud instance, however, you have the option to set the data retention period for a shorter timeframe during this step of the set up process. > [!NOTE] > This option can be changed at a later time. @@ -86,7 +86,7 @@ When accessing [Windows Defender Security Center](https://SecurityCenter.Windows > [!NOTE] > The **organization size** question is not related to how many licenses were purchased for your organization. It is used by the service to optimize the creation of the data cluster for your organization. - 4. **Turn on preview features**
Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on **Preview features**. + 4. **Turn on preview features**
Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on **Preview features**. You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available. @@ -104,9 +104,9 @@ When accessing [Windows Defender Security Center](https://SecurityCenter.Windows 5. A dedicated cloud instance of Windows Defender Security Center is being created at this time. This step will take an average of 5 minutes to complete. - ![Image of Windows Defender ATP cloud instance](images\creating-account.png) + ![Image of Microsoft Defender ATP cloud instance](images\creating-account.png) -6. You are almost done. Before you can start using Windows Defender ATP you'll need to: +6. You are almost done. Before you can start using Microsoft Defender ATP you'll need to: - [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) @@ -115,13 +115,13 @@ When accessing [Windows Defender Security Center](https://SecurityCenter.Windows ![Image of Onboard machines and run detection test](images\atp-onboard-endpoints-run-detection-test.png) > [!IMPORTANT] - > If you click **Start using Windows Defender ATP** before onboarding machines you will receive the following notification: + > If you click **Start using Microsoft Defender ATP** before onboarding machines you will receive the following notification: >![Image of setup imcomplete](images\atp-setup-incomplete.png) -7. After onboarding machines you can click **Start using Windows Defender ATP**. You will now launch Windows Defender ATP for the first time. +7. After onboarding machines you can click **Start using Microsoft Defender ATP**. You will now launch Microsoft Defender ATP for the first time. ![Image of onboard machines](images\atp-onboard-endpoints-WDATP-portal.png) ## Related topics -- [Onboard machines to the Windows Defender Advanced Threat Protection service](onboard-configure-windows-defender-advanced-threat-protection.md) +- [Onboard machines to the Microsoft Defender Advanced Threat Protection service](onboard-configure-windows-defender-advanced-threat-protection.md) - [Troubleshoot onboarding process and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md b/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md index d983539915..a932128539 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md @@ -1,5 +1,5 @@ --- -title: Create and manage machine groups in Windows Defender ATP +title: Create and manage machine groups in Microsoft Defender ATP description: Create machine groups and set automated remediation levels on them by confiring the rules that apply on the group keywords: machine groups, groups, remediation, level, rules, aad group, role, assign, rank search.product: eADQiWindows 10XVcnh @@ -17,19 +17,19 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Create and manage machine groups in Windows Defender ATP +# Create and manage machine groups in Microsoft Defender ATP **Applies to:** - Azure Active Directory - Office 365 -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) In an enterprise scenario, security operation teams are typically assigned a set of machines. These machines are grouped together based on a set of attributes such as their domains, computer names, or designated tags. -In Windows Defender ATP, you can create machine groups and use them to: +In Microsoft Defender ATP, you can create machine groups and use them to: - Limit access to related alerts and data to specific Azure AD user groups with [assigned RBAC roles](rbac-windows-defender-advanced-threat-protection.md) - Configure different auto-remediation settings for different sets of machines diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md index 86bf166722..77885b5540 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md @@ -1,5 +1,5 @@ --- -title: Machine health and compliance report in Windows Defender ATP +title: Machine health and compliance report in Microsoft Defender ATP description: Track machine health state detections, antivirus status, OS platform, and Windows 10 versions using the machine health and compliance report keywords: health state, antivirus, os platform, windows 10 version, version, health, compliance, state search.product: eADQiWindows 10XVcnh @@ -17,10 +17,10 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Machine health and compliance report in Windows Defender ATP +# Machine health and compliance report in Microsoft Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) [!include[Prerelease information](prerelease.md)] diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md index 40687ef4f7..c118700037 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md @@ -18,7 +18,7 @@ ms.topic: article # Machine resource type **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) # Methods @@ -36,17 +36,17 @@ Property | Type | Description :---|:---|:--- id | String | [machine](machine-windows-defender-advanced-threat-protection-new.md) identity. computerDnsName | String | [machine](machine-windows-defender-advanced-threat-protection-new.md) fully qualified name. -firstSeen | DateTimeOffset | First date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by Windows Defender ATP. -lastSeen | DateTimeOffset | Last date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by Windows Defender ATP. +firstSeen | DateTimeOffset | First date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by Microsoft Defender ATP. +lastSeen | DateTimeOffset | Last date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by Microsoft Defender ATP. osPlatform | String | OS platform. osVersion | String | OS Version. lastIpAddress | String | Last IP on local NIC on the [machine](machine-windows-defender-advanced-threat-protection-new.md). lastExternalIpAddress | String | Last IP through which the [machine](machine-windows-defender-advanced-threat-protection-new.md) accessed the internet. -agentVersion | String | Version of Windows Defender ATP agent. +agentVersion | String | Version of Microsoft Defender ATP agent. osBuild | Nullable long | OS build number. healthStatus | Enum | [machine](machine-windows-defender-advanced-threat-protection-new.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication" rbacGroupId | Int | RBAC Group ID. rbacGroupName | String | RBAC Group Name. -riskScore | Nullable Enum | Risk score as evaluated by Windows Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'. +riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'. aadDeviceId | Nullable Guid | AAD Device ID (when [machine](machine-windows-defender-advanced-threat-protection-new.md) is Aad Joined). machineTags | String collection | Set of [machine](machine-windows-defender-advanced-threat-protection-new.md) tags. \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md index c4f16727e0..66271b6633 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md @@ -20,7 +20,7 @@ ms.date: 12/08/2017 # MachineAction resource type **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prereleaseinformation](prerelease.md)] @@ -35,7 +35,7 @@ Method|Return Type |Description [Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Restrict application execution. [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Remove application execution restriction. [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Run an AV scan using Windows Defender (when applicable). -[Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md)|[Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Offboard [machine](machine-windows-defender-advanced-threat-protection-new.md) from Windows Defender ATP. +[Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md)|[Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Offboard [machine](machine-windows-defender-advanced-threat-protection-new.md) from Microsoft Defender ATP. # Properties Property | Type | Description diff --git a/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md b/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md index 3f4a20dcbc..ef5a31ec33 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md @@ -3,4 +3,4 @@ ms.date: 08/28/2017 author: zavidor --- >[!Note] -> This page focuses on performing a machine action via API. See [take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information about response actions functionality via Windows Defender ATP. +> This page focuses on performing a machine action via API. See [take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information about response actions functionality via Microsoft Defender ATP. diff --git a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md index c94234e9e1..73f5d50ed2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md @@ -1,5 +1,5 @@ --- -title: View and organize the Windows Defender ATP machines list +title: View and organize the Microsoft Defender ATP machines list description: Learn about the available features that you can use from the Machines list such as sorting, filtering, and exporting the list to enhance investigations. keywords: sort, filter, export, csv, machine name, domain, last seen, internal IP, health state, active alerts, active malware detections, threat category, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, general malware, unwanted software search.product: eADQiWindows 10XVcnh @@ -18,14 +18,14 @@ ms.topic: article ms.date: 09/03/2018 --- -# View and organize the Windows Defender ATP Machines list +# View and organize the Microsoft Defender ATP Machines list **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-machinesview-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-machinesview-abovefoldlink) The **Machines list** shows a list of the machines in your network where alerts were generated. By default, the queue displays machines with alerts seen in the last 30 days. @@ -92,6 +92,6 @@ You can filter the list based on the grouping and tagging that you've added to i ## Related topics -- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md index fe70b2cba7..85be05b201 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md @@ -1,5 +1,5 @@ --- -title: Manage Windows Defender Advanced Threat Protection alerts +title: Manage Microsoft Defender Advanced Threat Protection alerts description: Change the status of alerts, create suppression rules to hide alerts, submit comments, and review change history for individual alerts with the Manage Alert menu. keywords: manage alerts, manage, alerts, status, new, in progress, resolved, resolve alerts, suppress, supression, rules, context, history, comments, changes search.product: eADQiWindows 10XVcnh @@ -18,14 +18,14 @@ ms.topic: article ms.date: 09/03/2018 --- -# Manage Windows Defender Advanced Threat Protection alerts +# Manage Microsoft Defender Advanced Threat Protection alerts **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-managealerts-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-managealerts-abovefoldlink) -Windows Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue**. +Microsoft Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue**. You can manage alerts by selecting an alert in the **Alerts queue** or the **Alerts related to this machine** section of the machine details view. @@ -41,7 +41,7 @@ If an alert is no yet assigned, you can select **Assign to me** to assign the al ## Suppress alerts -There might be scenarios where you need to suppress alerts from appearing in Windows Defender Security Center. Windows Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. +There might be scenarios where you need to suppress alerts from appearing in Windows Defender Security Center. Microsoft Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. Suppression rules can be created from an existing alert. They can be disabled and reenabled if needed. @@ -118,10 +118,10 @@ Added comments instantly appear on the pane. ## Related topics - [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) -- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) -- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) -- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) +- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) +- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) +- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) +- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) +- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) +- [Investigate a user account in Microsoft Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list.md b/windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list.md index 150cd87e78..dc313000a3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list.md @@ -20,11 +20,11 @@ ms.topic: article # Manage allowed/blocked lists **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prerelease information](prerelease.md)] ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the machine group to apply it to. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md index 3b6362ab90..fa2c696f10 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md @@ -196,4 +196,4 @@ From the panel, you can click on the Open investigation page link to see the inv You also have the option of selecting multiple investigations to approve or reject actions on multiple investigations. ## Related topic -- [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) +- [Investigate Microsoft Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list.md index 5afed1e6df..4960840dca 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list.md @@ -20,11 +20,11 @@ ms.topic: article # Manage automation allowed/blocked lists **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) Create a rule to control which entities are automatically incriminated or exonerated during Automated investigations. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md index 84706f7a5a..baf0ac27bb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md @@ -23,11 +23,11 @@ ms.date: 04/24/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationefileuploads-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationefileuploads-abovefoldlink) Enable the content analysis capability so that certain files and email attachments can automatically be uploaded to the cloud for additional inspection in Automated investigation. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md index 23133475a4..e63a8c6207 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md @@ -23,11 +23,11 @@ ms.date: 04/24/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionfolder-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionfolder-abovefoldlink) Automation folder exclusions allow you to specify folders that the Automated investigation will skip. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md index 8b8fa19749..d03aec8131 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md @@ -1,5 +1,5 @@ --- -title: Manage Windows Defender ATP incidents +title: Manage Microsoft Defender ATP incidents description: Manage incidents by assigning it, updating its status, or setting its classification. keywords: incidents, manage, assign, status, classification, true alert, false alert search.product: eADQiWindows 10XVcnh @@ -18,10 +18,10 @@ ms.topic: article ms.date: 010/08/2018 --- -# Manage Windows Defender ATP incidents +# Manage Microsoft Defender ATP incidents **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Managing incidents is an important part of every cybersecurity operation. You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**. You can assign incidents to yourself, change the status, classify, rename, or comment on them to keep track of their progress. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md b/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md index 9b89a258e4..2e6bbe1507 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md @@ -1,5 +1,5 @@ --- -title: Manage Windows Defender Advanced Threat Protection suppression rules +title: Manage Microsoft Defender Advanced Threat Protection suppression rules description: Manage suppression rules keywords: manage suppression, rules, rule name, scope, action, alerts, turn on, turn off search.product: eADQiWindows 10XVcnh @@ -22,9 +22,9 @@ ms.date: 04/24/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-suppressionrules-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-suppressionrules-abovefoldlink) There might be scenarios where you need to suppress alerts from appearing in the portal. You can create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. For more information on how to suppress alerts, see [Suppress alerts](manage-alerts-windows-defender-advanced-threat-protection.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md index c0408e9e5f..fd37543f72 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md +++ b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md @@ -21,38 +21,38 @@ ms.date: 09/03/2018 # Overview of management and APIs **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mgt-apis-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mgt-apis-abovefoldlink) -Windows Defender ATP supports a wide variety of options to ensure that customers can easily adopt the platform. +Microsoft Defender ATP supports a wide variety of options to ensure that customers can easily adopt the platform. -Acknowledging that customer environments and structures can vary, Windows Defender ATP was created with flexibility and granular control to fit varying customer requirements. +Acknowledging that customer environments and structures can vary, Microsoft Defender ATP was created with flexibility and granular control to fit varying customer requirements. -Machine onboarding is fully integrated into System Center Configuration Manager and Microsoft Intune for client machines and Azure Security Center for server machines, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Windows Defender ATP supports Group Policy and other third-party tools used for machines management. +Machine onboarding is fully integrated into System Center Configuration Manager and Microsoft Intune for client machines and Azure Security Center for server machines, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Microsoft Defender ATP supports Group Policy and other third-party tools used for machines management. -Windows Defender ATP provides fine-grained control over what users with access to the portal can see and do through the flexibility of role-based access control (RBAC). The RBAC model supports all flavors of security teams structure: +Microsoft Defender ATP provides fine-grained control over what users with access to the portal can see and do through the flexibility of role-based access control (RBAC). The RBAC model supports all flavors of security teams structure: - Globally distributed organizations and security teams - Tiered model security operations teams - Fully segregated devisions with single centralized global security operations teams -The Windows Defender ATP solution is built on top of an integration-ready platform: +The Microsoft Defender ATP solution is built on top of an integration-ready platform: - It supports integration with a number of security information and event management (SIEM) solutions and also exposes APIs to fully support pulling all the alerts and detection information into any SIEM solution. - It supports a rich set of application programming interface (APIs) providing flexibility for those who are already heavily invested in data enrichment and automation: - Enriching events coming from other security systems with foot print or prevalence information - Triggering file or machine level response actions through APIs - - Keeping systems in-sync such as importing machine tags from asset management systems into Windows Defender ATP, synchronize alerts and incidents status cross ticketing systems with Windows Defender ATP. + - Keeping systems in-sync such as importing machine tags from asset management systems into Microsoft Defender ATP, synchronize alerts and incidents status cross ticketing systems with Microsoft Defender ATP. An important aspect of machine management is the ability to analyze the environment from varying and broad perspectives. This often helps drive new insights and proper priority identification: - The Secure score dashboard provides metrics based method of prioritizing the most important proactive security measures. -- Windows Defender ATP includes a built-in PowerBI based reporting solution to quickly review trends and details related to Windows Defender ATP alerts and secure score of machines. The platform also supports full customization of the reports, including mashing of Windows Defender ATP data with your own data stream to produce business specific reports. +- Microsoft Defender ATP includes a built-in PowerBI based reporting solution to quickly review trends and details related to Microsoft Defender ATP alerts and secure score of machines. The platform also supports full customization of the reports, including mashing of Microsoft Defender ATP data with your own data stream to produce business specific reports. ## In this section Topic | Description :---|:--- Understand threat intelligence concepts | Learn about alert definitions, indicators of compromise, and other threat intelligence concepts. -Supported Windows Defender ATP APIs | Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses. +Supported Microsoft Defender ATP APIs | Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses. Managed security service provider | Get a quick overview on managed security service provider support. @@ -61,9 +61,9 @@ Managed security service provider | Get a quick overview on managed security ser ## Related topics - [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) - [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) -- [Windows Defender ATP Public API](use-apis.md) +- [Microsoft Defender ATP Public API](use-apis.md) - [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md) -- [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) +- [Create and build Power BI reports using Microsoft Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) - [Role-based access control](rbac-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md index 52627d87be..1256fa301c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md @@ -1,6 +1,6 @@ --- title: Configure Microsoft Cloud App Security integration -description: Learn how to turn on the settings to enable the Windows Defender ATP integration with Microsoft Cloud App Security. +description: Learn how to turn on the settings to enable the Microsoft Defender ATP integration with Microsoft Cloud App Security. keywords: cloud, app, security, settings, integration, discovery, report search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -21,12 +21,12 @@ ms.date: 10/19/2018 # Configure Microsoft Cloud App Security in Windows **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prerelease�information](prerelease.md)] -To benefit from Windows Defender Advanced Threat Protection (ATP) cloud app discovery signals, turn on Microsoft Cloud App Security integration. +To benefit from Microsoft Defender Advanced Threat Protection (ATP) cloud app discovery signals, turn on Microsoft Cloud App Security integration. >[!NOTE] @@ -40,7 +40,7 @@ To benefit from Windows Defender Advanced Threat Protection (ATP) cloud app disc ![Advanced features](images/atp-mcas-settings.png) -Once activated, Windows Defender ATP will immediately start forwarding discovery signals to Cloud App Security. +Once activated, Microsoft Defender ATP will immediately start forwarding discovery signals to Cloud App Security. ## View the data collected @@ -50,7 +50,7 @@ Once activated, Windows Defender ATP will immediately start forwarding discovery ![Image of menu to cloud discovery dashboard](images/atp-cloud-discovery-dashboard-menu.png) -3. Select **Win10 Endpoint Users report**, which contains the data coming from Windows Defender ATP. +3. Select **Win10 Endpoint Users report**, which contains the data coming from Microsoft Defender ATP. ![Win10 endpoint users](./images/win10-endpoint-users.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md index 6c2400b885..f8990f3871 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md @@ -1,6 +1,6 @@ --- title: Microsoft Cloud App Security integration overview -description: Windows Defender ATP integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage +description: Microsoft Defender ATP integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage keywords: cloud, app, networking, visibility, usage search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -20,7 +20,7 @@ ms.date: 10/18/2018 # Microsoft Cloud App Security in Windows overview **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prerelease�information](prerelease.md)] @@ -29,17 +29,17 @@ Microsoft Cloud App Security (Cloud App Security) is a comprehensive solution th >[!NOTE] >This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later. -## Windows Defender ATP and Cloud App Security integration +## Microsoft Defender ATP and Cloud App Security integration -Cloud App Security discovery relies on cloud traffic logs being forwarded to it from enterprise firewall and proxy servers. Windows Defender ATP integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage. The monitoring functionality is built into the device, providing complete coverage of network activity. +Cloud App Security discovery relies on cloud traffic logs being forwarded to it from enterprise firewall and proxy servers. Microsoft Defender ATP integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage. The monitoring functionality is built into the device, providing complete coverage of network activity. The integration provides the following major improvements to the existing Cloud App Security discovery: - Available everywhere - Since the network activity is collected directly from the endpoint, it's available wherever the device is, on or off corporate network, as it's no longer depended on traffic routed through the enterprise firewall or proxy servers. -- Works out of the box, no configuration required - Forwarding cloud traffic logs to Cloud App Security requires firewall and proxy server configuration. With the Windows Defender ATP and Cloud App Security integration, there's no configuration required. Just switch it on in Windows Defender Security Center settings and you're good to go. +- Works out of the box, no configuration required - Forwarding cloud traffic logs to Cloud App Security requires firewall and proxy server configuration. With the Microsoft Defender ATP and Cloud App Security integration, there's no configuration required. Just switch it on in Windows Defender Security Center settings and you're good to go. -- Device context - Cloud traffic logs lack device context. Windows Defender ATP network activity is reported with the device context (which device accessed the cloud app), so you are able to understand exactly where (device) the network activity took place, in addition to who (user) performed it. +- Device context - Cloud traffic logs lack device context. Microsoft Defender ATP network activity is reported with the device context (which device accessed the cloud app), so you are able to understand exactly where (device) the network activity took place, in addition to who (user) performed it. For more information about cloud discovery, see [Working with discovered apps](https://docs.microsoft.com/cloud-app-security/discovered-apps). diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md index 43bb2202f5..4b2be0215b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- -title: Windows Defender Advanced Threat Protection -description: Windows Defender Advanced Threat Protection is an enterprise security platform that helps secops to prevent, detect, investigate, and respond to possible cybersecurity threats related to advanced persistent threats. -keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection +title: Microsoft Defender Advanced Threat Protection +description: Microsoft Defender Advanced Threat Protection is an enterprise security platform that helps secops to prevent, detect, investigate, and respond to possible cybersecurity threats related to advanced persistent threats. +keywords: introduction to Microsoft Defender Advanced Threat Protection, introduction to Microsoft Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -17,18 +17,18 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Windows Defender Advanced Threat Protection +# Microsoft Defender Advanced Threat Protection ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-main-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-main-abovefoldlink) > >For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy). -Windows Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. +Microsoft Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. -Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service: +Microsoft Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service: - **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors - collect and process behavioral signals from the operating system and sends this sensor data to your private, isolated, cloud instance of Windows Defender ATP. + collect and process behavioral signals from the operating system and sends this sensor data to your private, isolated, cloud instance of Microsoft Defender ATP. - **Cloud security analytics**: Leveraging big-data, machine-learning, and @@ -39,12 +39,12 @@ Windows Defender ATP uses the following combination of technology built into Win - **Threat intelligence**: Generated by Microsoft hunters, security teams, and augmented by threat intelligence provided by partners, threat - intelligence enables Windows Defender ATP to identify attacker + intelligence enables Microsoft Defender ATP to identify attacker tools, techniques, and procedures, and generate alerts when these are observed in collected sensor data. -

Windows Defender ATP

+

Microsoft Defender ATP

- @@ -187,7 +187,7 @@ Microsoft Defender ATP alerts will appear as discrete events, with "Microsoft” > Verify that the connector is running by stopping the process again. Then start the connector again, and no browser window should appear. ## Related topics -- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) -- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) -- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) -- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) +- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) +- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md) +- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md) +- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md index 5352b16859..460880caa2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md @@ -31,7 +31,7 @@ You can configure Microsoft Defender ATP to send email notifications to specifie > [!NOTE] > Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications. -You can set the alert severity levels that trigger notifications. You can also add or remove recipients of the email notification. New recipients get notified about alerts encountered after they are added. For more information about alerts, see [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md). +You can set the alert severity levels that trigger notifications. You can also add or remove recipients of the email notification. New recipients get notified about alerts encountered after they are added. For more information about alerts, see [View and organize the Alerts queue](alerts-queue.md). If you're using role-based access control (RBAC), recipients will only receive notifications based on the machine groups that were configured in the notification rule. Users with the proper permission can only create, edit, or delete notifications that are limited to their machine group management scope. @@ -57,7 +57,7 @@ You can create rules that determine the machines and alert severities to send em >[!NOTE] > This information might be processed by recipient mail servers that ar not in the geographic location you have selected for your Microsoft Defender ATP data. - - **Machines** - Choose whether to notify recipients for alerts on all machines (Global administrator role only) or on selected machine groups. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md). + - **Machines** - Choose whether to notify recipients for alerts on all machines (Global administrator role only) or on selected machine groups. For more information, see [Create and manage machine groups](machine-groups.md). - **Alert severity** - Choose the alert severity level. 4. Click **Next**. @@ -99,7 +99,7 @@ This section lists various issues that you may encounter when using email notifi 3. Check your email application rules that might be catching and moving your Microsoft Defender ATP email notifications. ## Related topics -- [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md) -- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) -- [Enable Secure Score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md) -- [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Update data retention settings](data-retention-settings.md) +- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) +- [Enable Secure Score security controls](enable-secure-score.md) +- [Configure advanced features](advanced-features.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md index 03ef4fb943..9a81c74448 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md @@ -63,7 +63,7 @@ ms.date: 04/24/2018 9. Click **OK** and close any open GPMC windows. >[!TIP] -> After onboarding the machine, you can choose to run a detection test to verify that the machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md). +> After onboarding the machine, you can choose to run a detection test to verify that the machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md). ## Additional Microsoft Defender ATP configuration settings For each machine, you can state whether samples can be collected from the machine when a request is made through Microsoft Defender Security Center to submit a file for deep analysis. @@ -141,9 +141,9 @@ With Group Policy there isn’t an option to monitor deployment of policies on t ## Related topics -- [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) -- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) -- [Onboard Windows 10 machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) -- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) -- [Run a detection test on a newly onboarded Microsoft Defender ATP machines](run-detection-test-windows-defender-advanced-threat-protection.md) -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) +- [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm.md) +- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md) +- [Onboard Windows 10 machines using a local script](configure-endpoints-script.md) +- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md) +- [Run a detection test on a newly onboarded Microsoft Defender ATP machines](run-detection-test.md) +- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md index b4aa4e7b94..01b6ee0ef8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md @@ -49,7 +49,7 @@ For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedTh >[!TIP] -> After onboarding the machine, you can choose to run a detection test to verify that a machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md). +> After onboarding the machine, you can choose to run a detection test to verify that a machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md). ## Offboard and monitor machines using Mobile Device Management tools For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. @@ -79,9 +79,9 @@ For security reasons, the package used to Offboard machines will expire 30 days > Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months. ## Related topics -- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) -- [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) -- [Onboard Windows 10 machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) -- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) -- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md) -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) +- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md) +- [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm.md) +- [Onboard Windows 10 machines using a local script](configure-endpoints-script.md) +- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md) +- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md) +- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md index 11e887fd72..f3d4f3bdce 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md @@ -71,7 +71,7 @@ To effectively offboard the machine from the service, you'll need to disable the >If you decide to turn on the third-party integration again after disabling the integration, you'll need to regenerate the token and reapply it on machines. ## Related topics -- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) -- [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md) -- [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) -- [Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Onboard Windows 10 machines](configure-endpoints.md) +- [Onboard servers](configure-server-endpoints.md) +- [Configure proxy and Internet connectivity settings](configure-proxy-internet.md) +- [Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md index 509661ca90..4790139b77 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md @@ -69,7 +69,7 @@ You can use existing System Center Configuration Manager functionality to create > Microsoft Defender ATP doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/en-us/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading. >[!TIP] -> After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md). +> After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md). ### Configure sample collection settings For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Microsoft Defender Security Center to submit a file for deep analysis. @@ -140,7 +140,7 @@ Monitoring with SCCM consists of two parts: 4. Review the status indicators under **Completion Statistics** and **Content Status**. -If there are failed deployments (machines with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the machines. For more information see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md). +If there are failed deployments (machines with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the machines. For more information see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md). ![SCCM showing successful deployment with no errors](images/sccm-deployment.png) @@ -158,9 +158,9 @@ Value: “1” For more information about System Center Configuration Manager Compliance see [Get started with compliance settings in System Center Configuration Manager](https://docs.microsoft.com/sccm/compliance/get-started/get-started-with-compliance-settings). ## Related topics -- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) -- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) -- [Onboard Windows 10 machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) -- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) -- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md) -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) +- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md) +- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md) +- [Onboard Windows 10 machines using a local script](configure-endpoints-script.md) +- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md) +- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md) +- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md index 88cd708b56..d18d805cd6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md @@ -32,7 +32,7 @@ ms.topic: article You can also manually onboard individual machines to Microsoft Defender ATP. You might want to do this first when testing the service before you commit to onboarding all machines in your network. > [!NOTE] -> The script has been optimized to be used on a limited number of machines (1-10 machines). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Onboard Window 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). +> The script has been optimized to be used on a limited number of machines (1-10 machines). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Onboard Window 10 machines](configure-endpoints.md). ## Onboard machines 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): @@ -60,11 +60,11 @@ You can also manually onboard individual machines to Microsoft Defender ATP. You 5. Press the **Enter** key or click **OK**. -For information on how you can manually validate that the machine is compliant and correctly reports sensor data see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md). +For information on how you can manually validate that the machine is compliant and correctly reports sensor data see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md). >[!TIP] -> After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md). +> After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md). ## Configure sample collection settings For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Microsoft Defender Security Center to submit a file for deep analysis. @@ -122,7 +122,7 @@ For security reasons, the package used to Offboard machines will expire 30 days ## Monitor machine configuration -You can follow the different verification steps in the [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) to verify that the script completed successfully and the agent is running. +You can follow the different verification steps in the [Troubleshoot onboarding issues](troubleshoot-onboarding.md) to verify that the script completed successfully and the agent is running. Monitoring can also be done directly on the portal, or by using the different deployment tools. @@ -135,9 +135,9 @@ Monitoring can also be done directly on the portal, or by using the different de ## Related topics -- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) -- [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) -- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) -- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) -- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md) -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) +- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md) +- [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm.md) +- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md) +- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md) +- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md) +- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md index 95c0a67fb9..9bcaf00305 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md @@ -91,10 +91,10 @@ You can onboard VDI machines using a single entry or multiple entries for each m 8. Use the search function by entering the machine name and select **Machine** as search type. ## Related topics -- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) -- [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) -- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) -- [Onboard Windows 10 machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) +- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md) +- [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm.md) +- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md) +- [Onboard Windows 10 machines using a local script](configure-endpoints-script.md) +- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md index 69ddf03031..3507beb090 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md @@ -39,11 +39,11 @@ The following deployment tools and methods are supported: ## In this section Topic | Description :---|:--- -[Onboard Windows 10 machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) | Use Group Policy to deploy the configuration package on machines. -[Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) | You can use either use System Center Configuration Manager (current branch) version 1606 or System Center Configuration Manager(current branch) version 1602 or earlier to deploy the configuration package on machines. -[Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on machine. -[Onboard Windows 10 machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) | Learn how to use the local script to deploy the configuration package on endpoints. -[Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) | Learn how to use the configuration package to configure VDI machines. +[Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md) | Use Group Policy to deploy the configuration package on machines. +[Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm.md) | You can use either use System Center Configuration Manager (current branch) version 1606 or System Center Configuration Manager(current branch) version 1602 or earlier to deploy the configuration package on machines. +[Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md) | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on machine. +[Onboard Windows 10 machines using a local script](configure-endpoints-script.md) | Learn how to use the local script to deploy the configuration package on endpoints. +[Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md) | Learn how to use the configuration package to configure VDI machines. >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md index abe48eeec7..a5a9380158 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md @@ -83,9 +83,9 @@ Grant the guest user access and permissions to your Microsoft Defender Security Granting access to guest user is done the same way as granting access to a user who is a member of your tenant. -If you're using basic permissions to access the portal, the guest user must be assigned a Security Administrator role in **your** tenant. For more information, see [Use basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md). +If you're using basic permissions to access the portal, the guest user must be assigned a Security Administrator role in **your** tenant. For more information, see [Use basic permissions to access the portal](basic-permissions.md). -If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Microsoft Defender ATP, see [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md). +If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Microsoft Defender ATP, see [Manage portal access using RBAC](rbac.md). >[!NOTE] >There is no difference between the Member user and Guest user roles from RBAC perspective. @@ -123,7 +123,7 @@ Use the following steps to obtain the MSSP customer tenant ID and then use the I After access the portal is granted, alert notification rules can to be created so that emails are sent to MSSPs when alerts associated with the tenant are created and set conditions are met. -For more information, see [Create rules for alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md#create-rules-for-alert-notifications). +For more information, see [Create rules for alert notifications](configure-email-notifications.md#create-rules-for-alert-notifications). These check boxes must be checked: - **Include organization name** - The customer name will be added to email notifications @@ -272,17 +272,17 @@ You'll need to have **Manage portal system settings** permission to whitelist th 5. Click **Authorize application**. -You can now download the relevant configuration file for your SIEM and connect to the Microsoft Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md). +You can now download the relevant configuration file for your SIEM and connect to the Microsoft Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md). - In the ArcSight configuration file / Splunk Authentication Properties file – you will have to write your application key manually by settings the secret value. - Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means). ## Fetch alerts from MSSP customer's tenant using APIs -For information on how to fetch alerts using REST API, see [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md). +For information on how to fetch alerts using REST API, see [Pull alerts using REST API](pull-alerts-using-rest-api.md). ## Related topics -- [Use basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md) -- [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md) -- [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md) -- [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) +- [Use basic permissions to access the portal](basic-permissions.md) +- [Manage portal access using RBAC](rbac.md) +- [Pull alerts to your SIEM tools](configure-siem.md) +- [Pull alerts using REST API](pull-alerts-using-rest-api.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index bc9f3d4a50..46c3f745a8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -169,5 +169,5 @@ However, if the connectivity check results indicate a failure, an HTTP error is > When the TelemetryProxyServer is set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct if it can't access the defined proxy. ## Related topics -- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) +- [Onboard Windows 10 machines](configure-endpoints.md) +- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 5150173b16..bdd5095876 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -70,7 +70,7 @@ You'll need to tak the following steps if you choose to onboard servers through - If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), simply attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multi Homing support. Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). >[!TIP] -> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md). +> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md). ### Configure and update System Center Endpoint Protection clients >[!IMPORTANT] @@ -135,9 +135,9 @@ Supported tools include: - System Center Configuration Manager 2012 / 2012 R2 1511 / 1602 - VDI onboarding scripts for non-persistent machines - For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. + For more information, see [Onboard Windows 10 machines](configure-endpoints.md). Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. -1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). +1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints.md). 2. If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly: @@ -231,8 +231,8 @@ To offboard the server, you can use either of the following methods: ``` ## Related topics -- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) -- [Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) -- [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) -- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md) -- [Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) +- [Onboard Windows 10 machines](configure-endpoints.md) +- [Onboard non-Windows machines](configure-endpoints-non-windows.md) +- [Configure proxy and Internet connectivity settings](configure-proxy-internet.md) +- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md) +- [Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md index 1cc071a515..c5e8719018 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md @@ -37,27 +37,27 @@ Microsoft Defender ATP currently supports the following SIEM tools: To use either of these supported SIEM tools you'll need to: -- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) +- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) - Configure the supported SIEM tool: - - [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) - - [Configure HP ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) + - [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md) + - [Configure HP ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md) -For more information on the list of fields exposed in the alerts API see, [Microsoft Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md). +For more information on the list of fields exposed in the alerts API see, [Microsoft Defender ATP alert API fields](api-portal-mapping.md). ## Pull Microsoft Defender ATP alerts using REST API Microsoft Defender ATP supports the OAuth 2.0 protocol to pull alerts using REST API. -For more information, see [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md). +For more information, see [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md). ## In this section Topic | Description :---|:--- -[Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools. -[Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Microsoft Defender ATP alerts. -[Configure HP ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP alerts. -[Microsoft Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center. -[Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Microsoft Defender ATP using REST API. -[Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) | Address issues you might encounter when using the SIEM integration feature. +[Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools. +[Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Microsoft Defender ATP alerts. +[Configure HP ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP alerts. +[Microsoft Defender ATP alert API fields](api-portal-mapping.md) | Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center. +[Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Microsoft Defender ATP using REST API. +[Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) | Address issues you might encounter when using the SIEM integration feature. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md index a59e0fb017..6e5283c7f0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md @@ -34,7 +34,7 @@ You'll need to configure Splunk so that it can pull Microsoft Defender ATP alert ## Before you begin - Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk. -- Make sure you have enabled the **SIEM integration** feature from the **Settings** menu. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) +- Make sure you have enabled the **SIEM integration** feature from the **Settings** menu. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) - Have the details file you saved from enabling the **SIEM integration** feature ready. You'll need to get the following values: - OAuth 2 Token refresh URL @@ -146,8 +146,8 @@ Use the solution explorer to view alerts in Splunk. >```source="rest://windows atp alerts" | spath | dedup _raw | table *``` ## Related topics -- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) -- [Configure ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) -- [Microsoft Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) -- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) -- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) +- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) +- [Configure ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md) +- [Microsoft Defender ATP alert API fields](api-portal-mapping.md) +- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md) +- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md index 4d6bed28ef..f21867e552 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md @@ -38,8 +38,8 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md b/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md index 8da5ea770d..daf80ba68b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md @@ -32,7 +32,7 @@ ms.date: 04/24/2018 You can define custom alert definitions and indicators of compromise (IOC) using the threat intelligence API. Creating custom threat intelligence alerts allows you to generate specific alerts that are applicable to your organization. ## Before you begin -Before creating custom alerts, you'll need to enable the threat intelligence application in Azure Active Directory and generate access tokens. For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md). +Before creating custom alerts, you'll need to enable the threat intelligence application in Azure Active Directory and generate access tokens. For more information, see [Enable the custom threat intelligence application](enable-custom-ti.md). ### Use the threat intelligence REST API to create custom threat intelligence alerts You can call and specify the resource URLs using one of the following operations to access and manipulate a threat intelligence resource: @@ -71,7 +71,7 @@ Make an HTTP POST request to the token issuing endpoint with the following param > The authorization server URL is `https://login.windows.net//oauth2/token`. Replace `` with your Azure Active Directory tenant ID. >[!NOTE] -> The ``, ``, and the `` are all provided to you when enabling the custom threat intelligence application. For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md). +> The ``, ``, and the `` are all provided to you when enabling the custom threat intelligence application. For more information, see [Enable the custom threat intelligence application](enable-custom-ti.md). ``` @@ -405,14 +405,14 @@ These parameters are compatible with the [OData V4 query language](http://docs.o ## Code examples The following articles provide detailed code examples that demonstrate how to use the custom threat intelligence API in several programming languages: -- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) -- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) +- [PowerShell code examples](powershell-example-code.md) +- [Python code examples](python-example-code.md) ## Related topics -- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -- [Enable the custom threat intelligence API in Microsoft Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) -- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md) -- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md) -- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md) -- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) +- [Understand threat intelligence concepts](threat-indicator-concepts.md) +- [Enable the custom threat intelligence API in Microsoft Defender ATP](enable-custom-ti.md) +- [PowerShell code examples for the custom threat intelligence API](powershell-example-code.md) +- [Python code examples for the custom threat intelligence API](python-example-code.md) +- [Experiment with custom threat intelligence alerts](experiment-custom-ti.md) +- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md index 76c3d3e1cb..eac5c12814 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md @@ -41,8 +41,8 @@ During the onboarding process, a wizard takes you through the general settings o ## Related topics -- [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md) -- [Configure alert notifications in Microsoft Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md) -- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) -- [Enable Secure Score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md) -- [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md) +- [Update data retention settings](data-retention-settings.md) +- [Configure alert notifications in Microsoft Defender ATP](configure-email-notifications.md) +- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) +- [Enable Secure Score security controls](enable-secure-score.md) +- [Configure advanced features](advanced-features.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti.md b/windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti.md index d450893080..5f4decb253 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti.md @@ -41,16 +41,16 @@ Before you can create custom threat intelligence (TI) using REST API, you'll nee >[!WARNING] >The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
- For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret). + For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti.md#learn-how-to-get-a-new-client-secret). 4. Select **Generate tokens** to get an access and refresh token. You’ll need to use the access token in the Authorization header when doing REST API calls. ## Related topics -- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md) -- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md) -- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md) -- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md) -- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) +- [Understand threat intelligence concepts](threat-indicator-concepts.md) +- [Create custom alerts using the threat intelligence API](custom-ti-api.md) +- [PowerShell code examples for the custom threat intelligence API](powershell-example-code.md) +- [Python code examples for the custom threat intelligence API](python-example-code.md) +- [Experiment with custom threat intelligence alerts](experiment-custom-ti.md) +- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md index bf2bbbf003..7d87930ea5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md @@ -39,8 +39,8 @@ Set the baselines for calculating the score of Windows Defender security control 3. Click **Save preferences**. ## Related topics -- [View the Secure Score dashboard](secure-score-dashboard-windows-defender-advanced-threat-protection.md) -- [Update data retention settings for Microsoft Defender ATP](data-retention-settings-windows-defender-advanced-threat-protection.md) -- [Configure alert notifications in Microsoft Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md) -- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) -- [Configure advanced features in Microsoft Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md) +- [View the Secure Score dashboard](secure-score-dashboard.md) +- [Update data retention settings for Microsoft Defender ATP](data-retention-settings.md) +- [Configure alert notifications in Microsoft Defender ATP](configure-email-notifications.md) +- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) +- [Configure advanced features in Microsoft Defender ATP](advanced-features.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md index 333a44a06f..14f0555964 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md @@ -44,7 +44,7 @@ Enable security information and event management (SIEM) integration so you can p > [!WARNING] >The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
- For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret). + For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti.md#learn-how-to-get-a-new-client-secret). ![Image of SIEM integration from Settings menu](images/siem_details.png) @@ -70,8 +70,8 @@ You can now proceed with configuring your SIEM solution or connecting to the ale You can configure IBM QRadar to collect alerts from Microsoft Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1). ## Related topics -- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) -- [Configure HP ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) -- [Microsoft Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) -- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) -- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) +- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md) +- [Configure HP ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md) +- [Microsoft Defender ATP alert API fields](api-portal-mapping.md) +- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md) +- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md index b6e868da21..cf3bab142d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md @@ -88,7 +88,7 @@ This URL will match that seen in the Firewall or network activity. - + @@ -96,14 +96,14 @@ The service could not contact the external processing servers at that URL. +See [Onboard Windows 10 machines](configure-endpoints.md). +See [Onboard Windows 10 machines](configure-endpoints.md). @@ -111,21 +111,21 @@ See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced- +See [Onboard Windows 10 machines](configure-endpoints.md). +See [Onboard Windows 10 machines](configure-endpoints.md). +See [Onboard Windows 10 machines](configure-endpoints.md). @@ -151,15 +151,15 @@ It may take several hours for the machine to appear in the portal. - + - +See [Onboard Windows 10 machines](configure-endpoints.md). @@ -186,7 +186,7 @@ If this error persists after a system restart, ensure all Windows updates have f +See [Onboard Windows 10 machines](configure-endpoints.md). @@ -194,23 +194,23 @@ See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced- +See [Onboard Windows 10 machines](configure-endpoints.md). - +See [Onboard Windows 10 machines](configure-endpoints.md). @@ -223,14 +223,14 @@ See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced- - + @@ -249,9 +249,9 @@ If the identifier does not persist, the same machine might appear twice in the p - +See [Onboard Windows 10 machines](configure-endpoints.md). @@ -345,6 +345,6 @@ See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced- >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-eventerrorcodes-belowfoldlink) ## Related topics -- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) -- [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) -- [Troubleshoot Microsoft Defender ATP](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) +- [Onboard Windows 10 machines](configure-endpoints.md) +- [Configure machine proxy and Internet connectivity settings](configure-proxy-internet.md) +- [Troubleshoot Microsoft Defender ATP](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/experiment-custom-ti.md b/windows/security/threat-protection/microsoft-defender-atp/experiment-custom-ti.md index b6eee8768f..46b9862de4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/experiment-custom-ti.md +++ b/windows/security/threat-protection/microsoft-defender-atp/experiment-custom-ti.md @@ -31,14 +31,14 @@ ms.date: 11/09/2017 With the Microsoft Defender ATP threat intelligence API, you can create custom threat intelligence alerts that can help you keep track of possible attack activities in your organization. -For more information about threat intelligence concepts, see [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md). +For more information about threat intelligence concepts, see [Understand threat intelligence concepts](threat-indicator-concepts.md). This article demonstrates an end-to-end usage of the threat intelligence API to get you started in using the threat intelligence API. You'll be guided through sample steps so you can experience how the threat intelligence API feature works. Sample steps include creating alerts definitions and indicators of compromise (IOCs), and examples of how triggered custom TI alerts look like. ## Step 1: Enable the threat intelligence API and obtain authentication details -To use the threat intelligence API feature, you'll need to enable the feature. For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md). +To use the threat intelligence API feature, you'll need to enable the feature. For more information, see [Enable the custom threat intelligence application](enable-custom-ti.md). This step is required to generate security credentials that you need to use while working with the API. @@ -153,9 +153,9 @@ This step will guide you in exploring the custom alert in the portal. > There is a latency time of approximately 20 minutes between the time a custom TI is introduced and when it becomes effective. ## Related topics -- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -- [Enable the custom threat intelligence API in Microsoft Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) -- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md) -- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md) -- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md) -- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) +- [Understand threat intelligence concepts](threat-indicator-concepts.md) +- [Enable the custom threat intelligence API in Microsoft Defender ATP](enable-custom-ti.md) +- [Create custom alerts using the threat intelligence API](custom-ti-api.md) +- [PowerShell code examples for the custom threat intelligence API](powershell-example-code.md) +- [Python code examples for the custom threat intelligence API](python-example-code.md) +- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md index f94e8cbf84..5d6e59a7c2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md @@ -43,7 +43,7 @@ This page explains how to create an AAD application, get an access token to Micr >[!NOTE] > When accessing Microsoft Defender ATP API on behalf of a user, you will need the correct App permission and user permission. -> If you are not familiar with user permissions on Microsoft Defender ATP, see [Manage portal access using role-based access control](rbac-windows-defender-advanced-threat-protection.md). +> If you are not familiar with user permissions on Microsoft Defender ATP, see [Manage portal access using role-based access control](rbac.md). >[!TIP] > If you have the permission to perform an action in the portal, you have the permission to perform the action in the API. diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md index d46afc1621..04009c5fae 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md +++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md @@ -40,8 +40,8 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) +>- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealhty-sensors.md b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealhty-sensors.md index ba0614caa3..5c2458d459 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealhty-sensors.md +++ b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealhty-sensors.md @@ -61,10 +61,10 @@ This status indicates that there's limited communication between the machine and The following suggested actions can help fix issues related to a misconfigured machine with impaired communications: -- [Ensure the machine has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#troubleshoot-onboarding-issues-on-the-machine)
+- [Ensure the machine has Internet connection](troubleshoot-onboarding.md#troubleshoot-onboarding-issues-on-the-machine)
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service. -- [Verify client connectivity to Microsoft Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls)
+- [Verify client connectivity to Microsoft Defender ATP service URLs](configure-proxy-internet.md#verify-client-connectivity-to-windows-defender-atp-service-urls)
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs. If you took corrective actions and the machine status is still misconfigured, [open a support ticket](https://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409). @@ -73,19 +73,19 @@ If you took corrective actions and the machine status is still misconfigured, [o A misconfigured machine with status ‘No sensor data’ has communication with the service but can only report partial sensor data. Follow theses actions to correct known issues related to a misconfigured machine with status ‘No sensor data’: -- [Ensure the machine has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#troubleshoot-onboarding-issues-on-the-machine)
+- [Ensure the machine has Internet connection](troubleshoot-onboarding.md#troubleshoot-onboarding-issues-on-the-machine)
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service. -- [Verify client connectivity to Microsoft Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls)
+- [Verify client connectivity to Microsoft Defender ATP service URLs](configure-proxy-internet.md#verify-client-connectivity-to-windows-defender-atp-service-urls)
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs. -- [Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostics-service-is-enabled)
+- [Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-the-diagnostics-service-is-enabled)
If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the endpoint. -- [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)
+- [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)
If your machines are running a third-party antimalware client, the Microsoft Defender ATP agent needs the Windows Defender Antivirus Early Launch Antimalware (ELAM) driver to be enabled. If you took corrective actions and the machine status is still misconfigured, [open a support ticket](https://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409). ## Related topic -- [Check sensor health state in Microsoft Defender ATP](check-sensor-status-windows-defender-advanced-threat-protection.md) +- [Check sensor health state in Microsoft Defender ATP](check-sensor-status.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md index bbd89aa3a9..270323aae6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md @@ -37,8 +37,8 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md index 1fca507328..b61db5a4e3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md @@ -35,8 +35,8 @@ Delegated (work or school account) | URL.Read.All | 'Read URLs' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md index 9bbfea2471..de2acd3731 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md @@ -35,8 +35,8 @@ Delegated (work or school account) | File.Read.All | 'Read file profiles' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md index 097a942506..17b8139faf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md @@ -36,8 +36,8 @@ Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md index 67b08cb95f..c706b3635e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md @@ -38,8 +38,8 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md index 13feffeb9e..1402b61b4e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md @@ -36,8 +36,8 @@ Delegated (work or school account) | User.Read.All | 'Read user profiles' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md index f75ea370fe..6fb1bbbf17 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md @@ -42,8 +42,8 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The response will include only alerts that are associated with machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) +>- The response will include only alerts that are associated with machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md index 5ba64ec4c7..6e1478cb72 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md @@ -42,8 +42,8 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) +>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md index 5d423ce391..b6ee9ba801 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md @@ -37,8 +37,8 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- Response will include only machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) +>- Response will include only machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md index ae79790f9a..de9444bbd7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md @@ -36,7 +36,7 @@ Delegated (work or school account) | URL.Read.All | 'Read URLs' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md index 35e9289aa3..0315a79f79 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md @@ -37,7 +37,7 @@ Delegated (work or school account) | File.Read.All | 'Read all file profiles' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ## HTTP request diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md index 5df7bcbdb8..f3709ad133 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md @@ -40,8 +40,8 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) +>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md index 389c9e1c36..599b60b82e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md @@ -39,8 +39,8 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) +>- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md index 674203724b..f828a524f3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md @@ -40,7 +40,7 @@ Delegated (work or school account) | File.Read.All | 'Read file profiles' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md index 41683118e7..28b400897f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md @@ -38,8 +38,8 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) +>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md index a1ab48a5a3..a8875b7324 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md @@ -38,8 +38,8 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) +>- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md index 1a1062304c..4fae9d2d61 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md @@ -38,7 +38,7 @@ Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md index 57cb51ba8b..017460ba7e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md @@ -39,8 +39,8 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) +>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md index 0315fbb35c..a4233e222f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md @@ -36,8 +36,8 @@ Delegated (work or school account) | User.Read.All | 'Read user profiles' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- Response will include users only if the machine is visible to the user, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) +>- Response will include users only if the machine is visible to the user, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md index 19f9e99ebc..0250ee9a19 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md @@ -38,8 +38,8 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) +>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md index ac88ef7f97..3cb8e46926 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md @@ -39,7 +39,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md index c91a221921..9bfc5cab5b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md @@ -42,7 +42,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md index d7104b407e..6d6a921754 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md @@ -39,8 +39,8 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) +>- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md index aad27c712c..b4e18b9069 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md @@ -35,8 +35,8 @@ Delegated (work or school account) | Machine.CollectForensics | 'Collect forensi >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-started.md b/windows/security/threat-protection/microsoft-defender-atp/get-started.md index cc12829160..f2607a0544 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-started.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-started.md @@ -58,10 +58,10 @@ Bring the power of Microsoft Threat Protection to your organization. ## In this section Topic | Description :---|:--- -[Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md) | Learn about the requirements for onboarding machines to the platform. -[Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md) | Get guidance on how to check that licenses have been provisioned to your organization and how to access the portal for the first time. -[Preview features](preview-windows-defender-advanced-threat-protection.md) | Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience. -[Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) | Explains the data storage and privacy details related to Microsoft Defender ATP. -[Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md) | Set permissions to manage who can access the portal. You can set basic permissions or set granular permissions using role-based access control (RBAC). +[Minimum requirements](minimum-requirements.md) | Learn about the requirements for onboarding machines to the platform. +[Validate licensing and complete setup](licensing.md) | Get guidance on how to check that licenses have been provisioned to your organization and how to access the portal for the first time. +[Preview features](preview.md) | Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience. +[Data storage and privacy](data-storage-privacy.md) | Explains the data storage and privacy details related to Microsoft Defender ATP. +[Assign user access to the portal](assign-portal-access.md) | Set permissions to manage who can access the portal. You can set basic permissions or set granular permissions using role-based access control (RBAC). [Evaluate Microsoft Defender ATP](evaluate-atp.md) | Evaluate the various capabilities in Microsoft Defender ATP and test features out. -[Access the Microsoft Defender Security Center Community Center](community-windows-defender-advanced-threat-protection.md) | The Microsoft Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product. \ No newline at end of file +[Access the Microsoft Defender Security Center Community Center](community.md) | The Microsoft Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product. \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md index ad8a4ad671..0761a2dfb9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md @@ -37,8 +37,8 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) +>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md index ee24ebc6e3..9562240757 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md @@ -38,8 +38,8 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- Response will include only machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) +>- Response will include only machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/incidents-queue.md b/windows/security/threat-protection/microsoft-defender-atp/incidents-queue.md index 3ac978d6bd..9ac051b1dd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/incidents-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/incidents-queue.md @@ -32,7 +32,7 @@ Microsoft Defender ATP applies correlation analytics and aggregates all related Topic | Description :---|:--- [View and organize the Incidents queue](view-incidents-queue.md)| See the list of incidents and learn how to apply filters to limit the list and get a more focused view. -[Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md) | Learn how to manage incidents by assigning it, updating its status, or setting its classification and other actions. -[Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md)| See associated alerts, manage the incident, see alert metadata, and visualizations to help you investigate an incident. +[Manage incidents](manage-incidents.md) | Learn how to manage incidents by assigning it, updating its status, or setting its classification and other actions. +[Investigate incidents](investigate-incidents.md)| See associated alerts, manage the incident, see alert metadata, and visualizations to help you investigate an incident. diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md index fad5873fe4..6a3739e714 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md @@ -38,7 +38,7 @@ Microsoft Defender ATP applies two methods to discover and protect data: ## Data discovery -Microsoft Defender ATP automatically discovers files with sensitivity labels on Windows devices when the feature is enabled. You can enable the Azure Information Protection integration feature from Microsoft Defender Security Center. For more information, see [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md#azure-information-protection). +Microsoft Defender ATP automatically discovers files with sensitivity labels on Windows devices when the feature is enabled. You can enable the Azure Information Protection integration feature from Microsoft Defender Security Center. For more information, see [Configure advanced features](advanced-features.md#azure-information-protection). ![Image of settings page with Azure Information Protection](images/atp-settings-aip.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md index 13ed50b836..dbf0d58497 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md @@ -26,11 +26,11 @@ ms.topic: article Initiate AutoIR investigation on a machine. >[!Note] -> This page focuses on performing an automated investigation on a machine. See [Automated Investigation](automated-investigations-windows-defender-advanced-threat-protection.md) for more information. +> This page focuses on performing an automated investigation on a machine. See [Automated Investigation](automated-investigations.md) for more information. ## Limitations 1. The number of executions is limited (up to 5 calls per hour). -2. For Automated Investigation limitations, see [Automated Investigation](automated-investigations-windows-defender-advanced-threat-protection.md). +2. For Automated Investigation limitations, see [Automated Investigation](automated-investigations.md). ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -42,8 +42,8 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md index fd445e7665..275fc11cea 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md @@ -32,14 +32,14 @@ Investigate alerts that are affecting your network, understand what they mean, a Click an alert to see the alert details view and the various tiles that provide information about the alert. -You can also manage an alert and see alert metadata along with other information that can help you make better decisions on how to approach them. You'll also see a status of the automated investigation on the upper right corner. Clicking on the link will take you to the Automated investigations view. For more information, see [Automated investigations](automated-investigations-windows-defender-advanced-threat-protection.md). +You can also manage an alert and see alert metadata along with other information that can help you make better decisions on how to approach them. You'll also see a status of the automated investigation on the upper right corner. Clicking on the link will take you to the Automated investigations view. For more information, see [Automated investigations](automated-investigations.md). ![Image of the alert page](images/atp-alert-view.png) The alert context tile shows the where, who, and when context of the alert. As with other pages, you can click on the icon beside the name or user account to bring up the machine or user details pane. The alert details view also has a status tile that shows the status of the alert in the queue. You'll also see a description and a set of recommended actions which you can expand. -For more information about managing alerts, see [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md). +For more information about managing alerts, see [Manage alerts](manage-alerts.md). The alert details page also shows the alert process tree, an incident graph, and an artifact timeline. @@ -93,12 +93,12 @@ The **Artifact timeline** feature provides an addition view of the evidence that Selecting an alert detail brings up the **Details pane** where you'll be able to see more information about the alert such as file details, detections, instances of it observed worldwide, and in the organization. ## Related topics -- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) -- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) -- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) -- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [Investigate a user account in Microsoft Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) +- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue.md) +- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) +- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) +- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) +- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md) +- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md) +- [Investigate a user account in Microsoft Defender ATP](investigate-user.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md index 14ceae480d..283772ed84 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md @@ -60,10 +60,10 @@ The **Most recent observed machinew with URL** section provides a chronological 5. Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events. ## Related topics -- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) -- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) -- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) -- [Investigate a user account in Microsoft Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) +- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue.md) +- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) +- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) +- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) +- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) +- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md) +- [Investigate a user account in Microsoft Defender ATP](investigate-user.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md index 3f570b3926..fc752990fc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md @@ -41,9 +41,9 @@ You can get information from the following sections in the file view: - Most recent observed machines with file ## File worldwide and Deep analysis -The file details, malware detection, and prevalence worldwide sections display various attributes about the file. You’ll see actions you can take on the file. For more information on how to take action on a file, see [Take response action on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md). +The file details, malware detection, and prevalence worldwide sections display various attributes about the file. You’ll see actions you can take on the file. For more information on how to take action on a file, see [Take response action on a file](respond-file-alerts.md). -You'll see details such as the file’s MD5, the VirusTotal detection ratio and Windows Defender AV detection if available, and the file’s prevalence worldwide. You'll also be able to [submit a file for deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis). +You'll see details such as the file’s MD5, the VirusTotal detection ratio and Windows Defender AV detection if available, and the file’s prevalence worldwide. You'll also be able to [submit a file for deep analysis](respond-file-alerts.md#deep-analysis). ![Image of file information](images/atp-file-information.png) @@ -65,10 +65,10 @@ The **Most recent observed machines with the file** section allows you to specif This allows for greater accuracy in defining entities to display such as if and when an entity was observed in the organization. For example, if you’re trying to identify the origin of a network communication to a certain IP Address within a 10-minute period on a given date, you can specify that exact time interval, and see only files that communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching. ## Related topics -- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) -- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) -- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) -- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [Investigate a user account in Microsoft Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue.md) +- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) +- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) +- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) +- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md) +- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md) +- [Investigate a user account in Microsoft Defender ATP](investigate-user.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md index cb3221071a..cddaa7e5f6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md @@ -44,10 +44,10 @@ Alerts are grouped into incidents based on the following reasons: ![Image of alerts tab with incident details page showing the reasons the alerts were linked together in that incident](images/atp-incidents-alerts-reason.png) -You can also manage an alert and see alert metadata along with other information. For more information, see [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md). +You can also manage an alert and see alert metadata along with other information. For more information, see [Investigate alerts](investigate-alerts.md). ### Machines -You can also investigate the machines that are part of, or related to, a given incident. For more information, see [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md). +You can also investigate the machines that are part of, or related to, a given incident. For more information, see [Investigate machines](investigate-machines.md). ![Image of machines tab in incident details page](images/atp-incident-machine-tab.png) @@ -77,6 +77,6 @@ You can click the circles on the incident graph to view the details of the malic ## Related topics - [Incidents queue](incidents-queue.md) - [View and organize the Incidents queue](view-incidents-queue.md) -- [Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md) +- [Manage incidents](manage-incidents.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md index 0d5a09260c..fda84c5cce 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md @@ -67,10 +67,10 @@ Use the search filters to define the search criteria. You can also use the timel Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events. ## Related topics -- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) -- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) -- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [Investigate a user account in Microsoft Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) +- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue.md) +- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) +- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) +- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) +- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) +- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md) +- [Investigate a user account in Microsoft Defender ATP](investigate-user.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md index 8ca174ec64..c8a7e86f97 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md @@ -30,9 +30,9 @@ Investigate the details of an alert raised on a specific machine to identify oth You can click on affected machines whenever you see them in the portal to open a detailed report about that machine. Affected machines are identified in the following areas: -- The [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) -- The [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) -- The [Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md) +- The [Machines list](investigate-machines.md) +- The [Alerts queue](alerts-queue.md) +- The [Security operations dashboard](security-operations-dashboard.md) - Any individual alert - Any individual file details view - Any IP address or domain details view @@ -49,7 +49,7 @@ The machine details, logged on users, machine risk, and machine reporting sectio **Machine details**
The machine details tile provides information such as the domain and OS of the machine. If there's an investigation package available on the machine, you'll see a link that allows you to download the package. -For more information on how to take action on a machine, see [Take response action on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md). +For more information on how to take action on a machine, see [Take response action on a machine](respond-machine-alerts.md). **Logged on users**
@@ -62,7 +62,7 @@ Clicking on the logged on users in the Logged on users tile opens the Users Deta You'll also see details such as logon types for each user account, the user group, and when the account logon occurred. - For more information, see [Investigate user entities](investigate-user-windows-defender-advanced-threat-protection.md). + For more information, see [Investigate user entities](investigate-user.md). **Machine risk**
The Machine risk tile shows the overall risk assessment of a machine. A machine's risk level can be determined using the number of active alerts or by a combination of multiple risks that may increase the risk assessment and their severity levels. You can influence a machine's risk level by resolving associated alerts manually or automatically and also by suppressing an alert. It's also indicators of the active threats that machines could be exposed to. @@ -71,7 +71,7 @@ The Machine risk tile shows the overall risk assessment of a machine. A machine' If you have enabled the Azure ATP feature and there are alerts related to the machine, you can click on the link that will take you to the Azure ATP page where more information about the alerts are provided. >[!NOTE] ->You'll need to enable the integration on both Azure ATP and Microsoft Defender ATP to use this feature. In Microsoft Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features-windows-defender-advanced-threat-protection.md). +>You'll need to enable the integration on both Azure ATP and Microsoft Defender ATP to use this feature. In Microsoft Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md). **Machine reporting**
Provides the last internal IP and external IP of the machine. It also shows when the machine was first and last seen reporting to the service. @@ -81,7 +81,7 @@ The **Alerts related to this machine** section provides a list of alerts that ar ![Image of alerts related to machine](images/atp-alerts-related-to-machine.png) -This list is a filtered version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the alert's last activity was detected, a short description of the alert, the user account associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert. +This list is a filtered version of the [Alerts queue](alerts-queue.md), and shows the date when the alert's last activity was detected, a short description of the alert, the user account associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert. You can also choose to highlight an alert from the **Alerts related to this machine** or from the **Machine timeline** section to see the correlation between the alert and its related events on the machine by right-clicking on the alert and selecting **Select and mark events**. This highlights the alert and its related events and helps distinguish them from other alerts and events appearing in the timeline. Highlighted events are displayed in all information levels whether you choose to view the timeline by **Detections**, **Behaviors**, or **Verbose**. @@ -163,7 +163,7 @@ From the list of events that are displayed in the timeline, you can examine the ![Image of machine timeline details pane](images/atp-machine-timeline-details-panel.png) -You can also use the [Artifact timeline](investigate-alerts-windows-defender-advanced-threat-protection.md#artifact-timeline) feature to see the correlation between alerts and events on a specific machine. +You can also use the [Artifact timeline](investigate-alerts.md#artifact-timeline) feature to see the correlation between alerts and events on a specific machine. Expand an event to view associated processes related to the event. Click on the circle next to any process or IP address in the process tree to investigate additional details of the identified processes. This action brings up the **Details pane** which includes execution context of processes, network communications and a summary of meta data on the file or IP address. @@ -173,10 +173,10 @@ The details pane enriches the ‘in-context’ information across investigation ## Related topics -- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) -- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) -- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) -- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [Investigate a user account in Microsoft Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) +- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue.md) +- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) +- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) +- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) +- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md) +- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md) +- [Investigate a user account in Microsoft Defender ATP](investigate-user.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md index 886c34c0f8..69493fe5ec 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md @@ -53,14 +53,14 @@ The user entity tile provides details about the user such as when the user was f If you have enabled the Azure ATP feature and there are alerts related to the user, you can click on the link that will take you to the Azure ATP page where more information about the alerts are provided. The Azure ATP tile also provides details such as the last AD site, total group memberships, and login failure associated with the user. >[!NOTE] ->You'll need to enable the integration on both Azure ATP and Microsoft Defender ATP to use this feature. In Microsoft Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features-windows-defender-advanced-threat-protection.md). +>You'll need to enable the integration on both Azure ATP and Microsoft Defender ATP to use this feature. In Microsoft Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md). **Logged on machines**
You'll also see a list of the machines that the user logged on to, and can expand these to see details of the logon events on each machine. ## Alerts related to this user -This section provides a list of alerts that are associated with the user account. This list is a filtered view of the [Alert queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows alerts where the user context is the selected user account, the date when the last activity was detected, a short description of the alert, the machine associated with the alert, the alert's severity, the alert's status in the queue, and who is assigned the alert. +This section provides a list of alerts that are associated with the user account. This list is a filtered view of the [Alert queue](alerts-queue.md), and shows alerts where the user context is the selected user account, the date when the last activity was detected, a short description of the alert, the machine associated with the alert, the alert's severity, the alert's status in the queue, and who is assigned the alert. ## Observed in organization This section allows you to specify a date range to see a list of machines where this user was observed logged on to, and the most frequent and least frequent logged on user account on each of these machines. @@ -85,11 +85,11 @@ You can filter the results by the following time periods: - 6 months ## Related topics -- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) -- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) -- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) -- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) +- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue.md) +- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) +- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) +- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) +- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) +- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md) +- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md b/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md index 6ff1bae6e0..47ad22f715 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md +++ b/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md @@ -36,7 +36,7 @@ Delegated (work or school account) | URL.Read.All | 'Read URLs' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md b/windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md index 08e8c07149..34b518cee9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md +++ b/windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md @@ -37,7 +37,7 @@ Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md index 1379df6c30..a83da49e7f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md @@ -37,8 +37,8 @@ Delegated (work or school account) | Machine.Isolate | 'Isolate machine' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request @@ -63,7 +63,7 @@ IsolationType | String | Type of the isolation. Allowed values are: 'Full' or 'S **IsolationType** controls the type of isolation to perform and can be one of the following: - Full – Full isolation -- Selective – Restrict only limited set of applications from accessing the network (see [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) for more details) +- Selective – Restrict only limited set of applications from accessing the network (see [Isolate machines from the network](respond-machine-alerts.md#isolate-machines-from-the-network) for more details) ## Response diff --git a/windows/security/threat-protection/microsoft-defender-atp/licensing.md b/windows/security/threat-protection/microsoft-defender-atp/licensing.md index 1011ef2e74..c2fe9ab390 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/licensing.md +++ b/windows/security/threat-protection/microsoft-defender-atp/licensing.md @@ -108,7 +108,7 @@ When accessing [Microsoft Defender Security Center](https://SecurityCenter.Windo 6. You are almost done. Before you can start using Microsoft Defender ATP you'll need to: - - [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) + - [Onboard Windows 10 machines](configure-endpoints.md) - Run detection test (optional) @@ -123,5 +123,5 @@ When accessing [Microsoft Defender Security Center](https://SecurityCenter.Windo ![Image of onboard machines](images\atp-onboard-endpoints-WDATP-portal.png) ## Related topics -- [Onboard machines to the Microsoft Defender Advanced Threat Protection service](onboard-configure-windows-defender-advanced-threat-protection.md) -- [Troubleshoot onboarding process and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md) +- [Onboard machines to the Microsoft Defender Advanced Threat Protection service](onboard-configure.md) +- [Troubleshoot onboarding process and portal access issues](troubleshoot-onboarding-error-messages.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md b/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md index a932128539..bdb50d0354 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md @@ -30,14 +30,14 @@ ms.topic: article In an enterprise scenario, security operation teams are typically assigned a set of machines. These machines are grouped together based on a set of attributes such as their domains, computer names, or designated tags. In Microsoft Defender ATP, you can create machine groups and use them to: -- Limit access to related alerts and data to specific Azure AD user groups with [assigned RBAC roles](rbac-windows-defender-advanced-threat-protection.md) +- Limit access to related alerts and data to specific Azure AD user groups with [assigned RBAC roles](rbac.md) - Configure different auto-remediation settings for different sets of machines >[!TIP] > For a comprehensive look into RBAC application, read: [Is your SOC running flat with RBAC](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Is-your-SOC-running-flat-with-limited-RBAC/ba-p/320015). As part of the process of creating a machine group, you'll: -- Set the automated remediation level for that group. For more information on remediation levels, see [Use Automated investigation to investigate and remediate threats](automated-investigations-windows-defender-advanced-threat-protection.md). +- Set the automated remediation level for that group. For more information on remediation levels, see [Use Automated investigation to investigate and remediate threats](automated-investigations.md). - Specify the matching rule that determines which machine group belongs to the group based on the machine name, domain, tags, and OS platform. If a machine is also matched to other groups, it is added only to the highest ranked machine group. - Select the Azure AD user group that should have access to the machine group. - Rank the machine group relative to other groups after it is created. @@ -63,7 +63,7 @@ As part of the process of creating a machine group, you'll: - **Full - remediate threats automatically** >[!NOTE] - > For more information on automation levels, see [Understand the Automated investigation flow](automated-investigations-windows-defender-advanced-threat-protection.md#understand-the-automated-investigation-flow). + > For more information on automation levels, see [Understand the Automated investigation flow](automated-investigations.md#understand-the-automated-investigation-flow). - **Description** - **Members** @@ -96,5 +96,5 @@ Machines that are not matched to any groups are added to Ungrouped machines (def ## Related topic -- [Manage portal access using role-based based access control](rbac-windows-defender-advanced-threat-protection.md) -- [Get list of tenant machine groups using Graph API](get-machinegroups-collection-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Manage portal access using role-based based access control](rbac.md) +- [Get list of tenant machine groups using Graph API](get-machinegroups-collection.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md index 77885b5540..911ac4adb9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md @@ -81,4 +81,4 @@ For example, to show data about Windows 10 machines with Active sensor health st ## Related topic -- [Threat protection report ](threat-protection-reports-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Threat protection report ](threat-protection-reports.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md index 61d6e8a22e..624d4c2542 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md @@ -20,9 +20,9 @@ ms.topic: article # Create and manage machine tags Add tags on machines to create a logical group affiliation. Machine group affiliation can represent geographic location, specific activity, importance level and others. -You can create machine groups in the context of role-based access (RBAC) to control who can take specific action or who can see information on a specific machine group or groups by assigning the machine group to a user group. For more information, see [Manage portal access using role-based access control](rbac-windows-defender-advanced-threat-protection.md). +You can create machine groups in the context of role-based access (RBAC) to control who can take specific action or who can see information on a specific machine group or groups by assigning the machine group to a user group. For more information, see [Manage portal access using role-based access control](rbac.md). -You can also use machine groups to assign specific remediation levels to apply during automated investigations. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md). +You can also use machine groups to assign specific remediation levels to apply during automated investigations. For more information, see [Create and manage machine groups](machine-groups.md). In an investigation, you can filter the Machines list to just specific machine groups by using the Groups filter. diff --git a/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md b/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md index ef5a31ec33..2e235e713e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md @@ -3,4 +3,4 @@ ms.date: 08/28/2017 author: zavidor --- >[!Note] -> This page focuses on performing a machine action via API. See [take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information about response actions functionality via Microsoft Defender ATP. +> This page focuses on performing a machine action via API. See [take response actions on a machine](respond-machine-alerts.md) for more information about response actions functionality via Microsoft Defender ATP. diff --git a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md index 73f5d50ed2..657eac1d96 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md @@ -74,7 +74,7 @@ Filter the list to view specific machines grouped together by the following mach - No sensor data - Impaired communications - For more information on how to address issues on misconfigured machines see, [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md). + For more information on how to address issues on misconfigured machines see, [Fix unhealthy sensors](fix-unhealhty-sensors.md). - **Inactive** – Machines that have completely stopped sending signals for more than 7 days. @@ -85,13 +85,13 @@ Filter the list to view specific machines that are well configured or require at - **Well configured** - Machines have the Windows Defender security controls well configured. - **Requires attention** - Machines where improvements can be made to increase the overall security posture of your organization. -For more information, see [View the Secure Score dashboard](secure-score-dashboard-windows-defender-advanced-threat-protection.md). +For more information, see [View the Secure Score dashboard](secure-score-dashboard.md). ### Tags You can filter the list based on the grouping and tagging that you've added to individual machines. ## Related topics -- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md index 6aafe49de3..4765a373dd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md @@ -92,7 +92,7 @@ Create custom rules to control when alerts are suppressed, or resolved. You can 2. The list of suppression rules shows all the rules that users in your organization have created. -For more information on managing suppression rules, see [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md) +For more information on managing suppression rules, see [Manage suppression rules](manage-suppression-rules.md) ## Change the status of an alert @@ -117,11 +117,11 @@ Added comments instantly appear on the pane. ## Related topics -- [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md) -- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) -- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) -- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) -- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [Investigate a user account in Microsoft Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) +- [Manage suppression rules](manage-suppression-rules.md) +- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue ](alerts-queue.md) +- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) +- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) +- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) +- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md) +- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md) +- [Investigate a user account in Microsoft Defender ATP](investigate-user.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list.md b/windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list.md index dc313000a3..c852df752c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list.md @@ -76,7 +76,7 @@ Download the sample CSV to know the supported column attributes. ## Related topics -- [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md) +- [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md index 92c91b1b6f..24817cb48c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md @@ -196,4 +196,4 @@ From the panel, you can click on the Open investigation page link to see the inv You also have the option of selecting multiple investigations to approve or reject actions on multiple investigations. ## Related topic -- [Investigate Microsoft Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) +- [Investigate Microsoft Defender ATP alerts](investigate-alerts.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list.md index 4960840dca..357563de57 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list.md @@ -66,6 +66,6 @@ You can define the conditions for when entities are identified as malicious or s ## Related topics -- [Manage automation file uploads](manage-automation-file-uploads-windows-defender-advanced-threat-protection.md) -- [Manage allowed/blocked lists](manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md) -- [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md) +- [Manage automation file uploads](manage-automation-file-uploads.md) +- [Manage allowed/blocked lists](manage-allowed-blocked-list.md) +- [Manage automation folder exclusions](manage-automation-folder-exclusions.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md index baf0ac27bb..3a6a4864dc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md @@ -46,5 +46,5 @@ For example, if you add *exe* and *bat* as file or attachment extension names, t ## Related topics -- [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md) -- [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list.md) +- [Manage automation folder exclusions](manage-automation-folder-exclusions.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md index e63a8c6207..e6b7c8bd5e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md @@ -76,5 +76,5 @@ You can specify the file names that you want to be excluded in a specific direct ## Related topics -- [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md) -- [Manage automation file uploads](manage-automation-file-uploads-windows-defender-advanced-threat-protection.md) +- [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list.md) +- [Manage automation file uploads](manage-automation-file-uploads.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md index 84835dc6f5..916bbb2776 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md @@ -27,6 +27,6 @@ Manage the alerts queue, investigate machines in the machines list, take respons Topic | Description :---|:--- [Alerts queue](alerts-queue-endpoint-detection-response.md)| View the alerts surfaced in Microsoft Defender Security Center. -[Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) | Learn how you can view and manage the machines list, manage machine groups, and investigate machine related alerts. -[Take response actions](response-actions-windows-defender-advanced-threat-protection.md)| Take response actions on machines and files to quickly respond to detected attacks and contain threats. -[Query data using advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md)| Proactively hunt for possible threats across your organization using a powerful search and query tool. \ No newline at end of file +[Machines list](machines-view-overview.md) | Learn how you can view and manage the machines list, manage machine groups, and investigate machine related alerts. +[Take response actions](response-actions.md)| Take response actions on machines and files to quickly respond to detected attacks and contain threats. +[Query data using advanced hunting](advanced-hunting.md)| Proactively hunt for possible threats across your organization using a powerful search and query tool. \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md index d03aec8131..31fb4bb075 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md @@ -60,4 +60,4 @@ Added comments instantly appear on the pane. ## Related topics - [Incidents queue](incidents-queue.md) - [View and organize the Incidents queue](view-incidents-queue.md) -- [Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md) +- [Investigate incidents](investigate-incidents.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md b/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md index 2e6bbe1507..c0d382b786 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md @@ -26,7 +26,7 @@ ms.date: 04/24/2018 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-suppressionrules-abovefoldlink) -There might be scenarios where you need to suppress alerts from appearing in the portal. You can create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. For more information on how to suppress alerts, see [Suppress alerts](manage-alerts-windows-defender-advanced-threat-protection.md). +There might be scenarios where you need to suppress alerts from appearing in the portal. You can create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. For more information on how to suppress alerts, see [Suppress alerts](manage-alerts.md). You can view a list of all the suppression rules and manage them in one place. You can also turn an alert suppression rule on or off. @@ -46,4 +46,4 @@ You can view a list of all the suppression rules and manage them in one place. Y ## Related topics -- [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Manage alerts](manage-alerts.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md index fd37543f72..a4fe146a16 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md +++ b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md @@ -59,11 +59,11 @@ Managed security service provider | Get a quick overview on managed security ser ## Related topics -- [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) -- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [Onboard machines](onboard-configure.md) +- [Enable the custom threat intelligence application](enable-custom-ti.md) - [Microsoft Defender ATP Public API](use-apis.md) -- [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md) -- [Create and build Power BI reports using Microsoft Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) -- [Role-based access control](rbac-windows-defender-advanced-threat-protection.md) +- [Pull alerts to your SIEM tools](configure-siem.md) +- [Create and build Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) +- [Role-based access control](rbac.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md index 1e661e11f1..8efb9d7b22 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md @@ -90,12 +90,12 @@ You can also do advanced hunting to create custom threat intelligence and use a -**[Automated investigation and remediation](automated-investigations-windows-defender-advanced-threat-protection.md)**
+**[Automated investigation and remediation](automated-investigations.md)**
In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. -**[Secure score](overview-secure-score-windows-defender-advanced-threat-protection.md)**
+**[Secure score](overview-secure-score.md)**
Microsoft Defender ATP includes a secure score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index 5a4a309e6f..b9112f5c8c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md @@ -46,5 +46,5 @@ For more information about licensing requirements for Microsoft Defender ATP pla ## Related topic -- [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md) -- [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) +- [Validate licensing and complete setup](licensing.md) +- [Onboard machines](onboard-configure.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md index 71bf5122da..07d8cb0e6e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md @@ -41,7 +41,7 @@ Microsoft Defender ATP adds support for this scenario and to allow MSSPs to take ## Related topic -- [Configure managed security service provider integration](configure-mssp-support-windows-defender-advanced-threat-protection.md) +- [Configure managed security service provider integration](configure-mssp-support.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md index d2eff9b682..738b4d31ee 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md @@ -37,7 +37,7 @@ Delegated (work or school account) | Machine.Offboard | 'Offboard machine' >[!Note] > When obtaining a token using user credentials: >- The user needs to 'Global Admin' AD role ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md index a22fafe295..68ca47d378 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md @@ -34,14 +34,14 @@ ms.date: 04/24/2018 Follow the corresponding instructions depending on your preferred deployment method. ## Offboard Windows 10 machines - - [Offboard machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md#offboard-machines-using-a-local-script) - - [Offboard machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md#offboard-machines-using-group-policy) - - [Offboard machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#offboard-machines-using-system-center-configuration-manager) - - [Offboard machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#offboard-and-monitor-machines-using-mobile-device-management-tools) + - [Offboard machines using a local script](configure-endpoints-script.md#offboard-machines-using-a-local-script) + - [Offboard machines using Group Policy](configure-endpoints-gp.md#offboard-machines-using-group-policy) + - [Offboard machines using System Center Configuration Manager](configure-endpoints-sccm.md#offboard-machines-using-system-center-configuration-manager) + - [Offboard machines using Mobile Device Management tools](configure-endpoints-mdm.md#offboard-and-monitor-machines-using-mobile-device-management-tools) ## Offboard Servers - - [Offboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md#offboard-servers) + - [Offboard servers](configure-server-endpoints.md#offboard-servers) ## Offboard non-Windows machines - - [Offboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md#offboard-non-windows-machines) + - [Offboard non-Windows machines](configure-endpoints-non-windows.md#offboard-non-windows-machines) diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md index 61dc191dc5..7528d22790 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md @@ -78,7 +78,7 @@ When you run the onboarding wizard for the first time, you must choose where you > [!NOTE] > - You cannot change your data storage location after the first-time setup. -> - Review the [Microsoft Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how Microsoft stores your data. +> - Review the [Microsoft Defender ATP data storage and privacy](data-storage-privacy.md) for more information on where and how Microsoft stores your data. ### Diagnostic data settings @@ -134,7 +134,7 @@ Internet connectivity on machines is required either directly or through proxy. The Microsoft Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Microsoft Defender ATP cloud service and report cyber data. One-off activities such as file uploads and investigation package collection are not included in this daily average bandwidth. -For more information on additional proxy configuration settings see, [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) . +For more information on additional proxy configuration settings see, [Configure machine proxy and Internet connectivity settings](configure-proxy-internet.md) . Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in Windows 10. @@ -146,7 +146,7 @@ You must configure Security intelligence updates on the Microsoft Defender ATP m When Windows Defender Antivirus is not the active antimalware in your organization and you use the Microsoft Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Microsoft Defender ATP must be excluded from this group policy. -If you are onboarding servers and Windows Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Windows Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md). +If you are onboarding servers and Windows Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Windows Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints.md). For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). @@ -154,18 +154,18 @@ For more information, see [Windows Defender Antivirus compatibility](../windows- ## Windows Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled If you're running Windows Defender Antivirus as the primary antimalware product on your machines, the Microsoft Defender ATP agent will successfully onboard. -If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy). +If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy). ## In this section Topic | Description :---|:--- -[Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)| Onboard Windows 7 and Windows 8.1 machines to Microsoft Defender ATP. -[Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to onboard machines for it to report to the Microsoft Defender ATP service. Learn about the tools and methods you can use to configure machines in your enterprise. -[Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender ATP -[Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) | Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products' sensor data. -[Run a detection test on a newly onboarded machine](run-detection-test-windows-defender-advanced-threat-protection.md) | Run a script on a newly onboarded machine to verify that it is properly reporting to the Microsoft Defender ATP service. -[Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Microsoft Defender ATP cloud service by configuring the proxy and Internet connectivity settings. -[Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding. +[Onboard previous versions of Windows](onboard-downlevel.md)| Onboard Windows 7 and Windows 8.1 machines to Microsoft Defender ATP. +[Onboard Windows 10 machines](configure-endpoints.md) | You'll need to onboard machines for it to report to the Microsoft Defender ATP service. Learn about the tools and methods you can use to configure machines in your enterprise. +[Onboard servers](configure-server-endpoints.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender ATP +[Onboard non-Windows machines](configure-endpoints-non-windows.md) | Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products' sensor data. +[Run a detection test on a newly onboarded machine](run-detection-test.md) | Run a script on a newly onboarded machine to verify that it is properly reporting to the Microsoft Defender ATP service. +[Configure proxy and Internet settings](configure-proxy-internet.md)| Enable communication with the Microsoft Defender ATP cloud service by configuring the proxy and Internet connectivity settings. +[Troubleshoot onboarding issues](troubleshoot-onboarding.md) | Learn about resolving issues that might arise during onboarding. >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md index 140c14d487..9e5d1c75b1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md @@ -33,14 +33,14 @@ ms.topic: article Microsoft Defender ATP extends support to include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions. >[!IMPORTANT] ->This capability is currently in preview. You'll need to turn on the preview features to take advantage of this feature. For more information, see [Preview features](preview-windows-defender-advanced-threat-protection.md). +>This capability is currently in preview. You'll need to turn on the preview features to take advantage of this feature. For more information, see [Preview features](preview.md). To onboard down-level Windows client endpoints to Microsoft Defender ATP, you'll need to: - Configure and update System Center Endpoint Protection clients. - Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP as instructed below. >[!TIP] -> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md). +> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md). ## Configure and update System Center Endpoint Protection clients >[!IMPORTANT] diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard.md b/windows/security/threat-protection/microsoft-defender-atp/onboard.md index 582233db3c..f2cbb4cb17 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard.md @@ -31,10 +31,10 @@ Topic | Description :---|:--- [Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) | By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. [Configure next generation protection](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats. -[Configure Secure score dashboard security controls](secure-score-dashboard-windows-defender-advanced-threat-protection.md) | Configure the security controls in Secure score to increase the security posture of your organization. +[Configure Secure score dashboard security controls](secure-score-dashboard.md) | Configure the security controls in Secure score to increase the security posture of your organization. Configure Microsoft Threat Protection integration| Configure other solutions that integrate with Microsoft Defender ATP. Management and API support| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports. -[Configure Microsoft Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Configure portal related settings such as general settings, advanced features, enable the preview experience and others. +[Configure Microsoft Defender Security Center settings](preferences-setup.md) | Configure portal related settings such as general settings, advanced features, enable the preview experience and others. diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md index 0d954897a9..f529841ee6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md @@ -36,8 +36,8 @@ The response capabilities give you the power to promptly remediate threats by ac Topic | Description :---|:--- -[Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md) | Explore a high level overview of detections, highlighting where response actions are needed. +[Security operations dashboard](security-operations-dashboard.md) | Explore a high level overview of detections, highlighting where response actions are needed. [Incidents queue](incidents-queue.md) | View and organize the incidents queue, and manage and investigate alerts. -[Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) | View and organize the machine alerts queue, and manage and investigate alerts. -[Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) | Investigate machines with generated alerts and search for specific events over time. -[Take response actions](response-actions-windows-defender-advanced-threat-protection.md) | Learn about the available response actions and apply them to machines and files. \ No newline at end of file +[Alerts queue](alerts-queue.md) | View and organize the machine alerts queue, and manage and investigate alerts. +[Machines list](machines-view-overview.md) | Investigate machines with generated alerts and search for specific events over time. +[Take response actions](response-actions.md) | Learn about the available response actions and apply them to machines and files. \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-hunting.md b/windows/security/threat-protection/microsoft-defender-atp/overview-hunting.md index b6d5d31b21..b3aad8c507 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-hunting.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-hunting.md @@ -34,7 +34,7 @@ With advanced hunting, you can take advantage of the following capabilities: ## In this section Topic | Description :---|:--- -[Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md) | Learn how to use the basic or advanced query examples to search for possible emerging threats in your organization. +[Query data using Advanced hunting](advanced-hunting.md) | Learn how to use the basic or advanced query examples to search for possible emerging threats in your organization. [Custom detections](overview-custom-detections.md)| With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md index f1b31e4f2a..ec0b0550d8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md @@ -48,7 +48,7 @@ The Office 365 Secure Score looks at your settings and activities and compares t In the example image, the total points for the Windows security controls and Office 365 add up to 602 points. -You can set the baselines for calculating the score of Windows Defender security controls on the Secure score dashboard through the **Settings**. For more information, see [Enable Secure score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md). +You can set the baselines for calculating the score of Windows Defender security controls on the Secure score dashboard through the **Settings**. For more information, see [Enable Secure score security controls](enable-secure-score.md). ## Secure score over time You can track the progression of your organizational security posture over time using this tile. It displays the overall score in a historical trend line enabling you to see how taking the recommended actions increase your overall security posture. @@ -78,5 +78,5 @@ Within the tile, you can click on each control to see the recommended optimizati Clicking the link under the Misconfigured machines column opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice. ## Related topic -- [Threat analytics](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) -- [Threat analytics for Spectre and Meltdown](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) +- [Threat analytics](threat-analytics-dashboard.md) +- [Threat analytics for Spectre and Meltdown](threat-analytics-dashboard.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview.md b/windows/security/threat-protection/microsoft-defender-atp/overview.md index 0bfb1b24c9..b9e251ae4d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview.md @@ -36,12 +36,12 @@ Topic | Description [Attack surface reduction](overview-attack-surface-reduction.md) | Leverage the attack surface reduction capabilities to protect the perimeter of your organization. [Next generation protection](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | Learn about the antivirus capabilities in Microsoft Defender ATP so you can protect desktops, portable computers, and servers. [Endpoint detection and response](overview-endpoint-detection-response.md) | Understand how Microsoft Defender ATP continuously monitors your organization for possible attacks against systems, networks, or users in your organization and the features you can use to mitigate and remediate threats. -[Automated investigation and remediation](automated-investigations-windows-defender-advanced-threat-protection.md) | In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. -[Secure score](overview-secure-score-windows-defender-advanced-threat-protection.md) | Quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to better protect your organization - all in one place. -[Advanced hunting](overview-hunting-windows-defender-advanced-threat-protection.md) | Use a powerful search and query language to create custom queries and detection rules. +[Automated investigation and remediation](automated-investigations.md) | In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. +[Secure score](overview-secure-score.md) | Quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to better protect your organization - all in one place. +[Advanced hunting](overview-hunting.md) | Use a powerful search and query language to create custom queries and detection rules. [Management and APIs](management-apis.md) | Microsoft Defender ATP supports a wide variety of tools to help you manage and interact with the platform so that you can integrate the service into your existing workflows. [Microsoft Threat Protection](threat-protection-integration.md) | Microsoft security products work better together. Learn about other security capabilities in the Microsoft threat protection stack. -[Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) |Learn to navigate your way around Microsoft Defender Security Center. +[Portal overview](portal-overview.md) |Learn to navigate your way around Microsoft Defender Security Center. diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md index 2a989a87e4..349f685730 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md @@ -111,7 +111,7 @@ Icon | Description ## Related topics -- [Understand the Microsoft Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) -- [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md) -- [View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md) -- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Understand the Microsoft Defender Advanced Threat Protection portal](use.md) +- [View the Security operations dashboard](security-operations-dashboard.md) +- [View the Secure Score dashboard and improve your secure score](secure-score-dashboard.md) +- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/powershell-example-code.md b/windows/security/threat-protection/microsoft-defender-atp/powershell-example-code.md index 6847252b33..08b7acca0e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/powershell-example-code.md +++ b/windows/security/threat-protection/microsoft-defender-atp/powershell-example-code.md @@ -179,9 +179,9 @@ $ioc = ## Related topics -- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -- [Enable the custom threat intelligence API in Microsoft Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) -- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md) -- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md) -- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md) -- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) +- [Understand threat intelligence concepts](threat-indicator-concepts.md) +- [Enable the custom threat intelligence API in Microsoft Defender ATP](enable-custom-ti.md) +- [Create custom alerts using the threat intelligence API](custom-ti-api.md) +- [Python code examples for the custom threat intelligence API](python-example-code.md) +- [Experiment with custom threat intelligence alerts](experiment-custom-ti.md) +- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md b/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md index 1e98001f5e..a651cb7907 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md @@ -36,9 +36,9 @@ Turn on the preview experience setting to be among the first to try upcoming fea 2. Toggle the setting between **On** and **Off** and select **Save preferences**. ## Related topics -- [Update general settings in Microsoft Defender ATP](data-retention-settings-windows-defender-advanced-threat-protection.md) -- [Turn on advanced features in Microsoft Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md) -- [Configure email notifications in Microsoft Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md) -- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) -- [Enable the custom threat intelligence API in Microsoft Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) -- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md) +- [Update general settings in Microsoft Defender ATP](data-retention-settings.md) +- [Turn on advanced features in Microsoft Defender ATP](advanced-features.md) +- [Configure email notifications in Microsoft Defender ATP](configure-email-notifications.md) +- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) +- [Enable the custom threat intelligence API in Microsoft Defender ATP](enable-custom-ti.md) +- [Create and build Power BI reports](powerbi-reports.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md index 41c78cc6f9..35352f18b7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md @@ -48,7 +48,7 @@ Use the following method in the Microsoft Defender ATP API to pull alerts in JSO >Microsoft Defender Security Center merges similar alert detections into a single alert. This API pulls alert detections in its raw form based on the query parameters you set, enabling you to apply your own grouping and filtering. ## Before you begin -- Before calling the Microsoft Defender ATP endpoint to pull alerts, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md). +- Before calling the Microsoft Defender ATP endpoint to pull alerts, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md). - Take note of the following values in your Azure application registration. You need these values to configure the OAuth flow in your service or daemon app: - Application ID (unique to your application) @@ -202,8 +202,8 @@ HTTP error code | Description 500 | Error in the service. ## Related topics -- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) -- [Configure ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) -- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) -- [Microsoft Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) -- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) +- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) +- [Configure ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md) +- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md) +- [Microsoft Defender ATP alert API fields](api-portal-mapping.md) +- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/python-example-code.md b/windows/security/threat-protection/microsoft-defender-atp/python-example-code.md index 09522e6ab2..4cf4e52899 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/python-example-code.md +++ b/windows/security/threat-protection/microsoft-defender-atp/python-example-code.md @@ -184,9 +184,9 @@ with requests.Session() as session: ## Related topics -- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -- [Enable the custom threat intelligence API in Microsoft Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) -- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md) -- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md) -- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md) -- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) +- [Understand threat intelligence concepts](threat-indicator-concepts.md) +- [Enable the custom threat intelligence API in Microsoft Defender ATP](enable-custom-ti.md) +- [Create custom alerts using the threat intelligence API](custom-ti-api.md) +- [PowerShell code examples for the custom threat intelligence API](powershell-example-code.md) +- [Experiment with custom threat intelligence alerts](experiment-custom-ti.md) +- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/rbac.md b/windows/security/threat-protection/microsoft-defender-atp/rbac.md index 1fa86fd35c..2df2a61b56 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/rbac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/rbac.md @@ -43,7 +43,7 @@ Microsoft Defender ATP RBAC is designed to support your tier- or role-based mode - Create custom roles and control what Microsoft Defender ATP capabilities they can access with granularity. - **Control who can see information on specific machine group or groups** - - [Create machine groups](machine-groups-windows-defender-advanced-threat-protection.md) by specific criteria such as names, tags, domains, and others, then grant role access to them using a specific Azure Active Directory (Azure AD) user group. + - [Create machine groups](machine-groups.md) by specific criteria such as names, tags, domains, and others, then grant role access to them using a specific Azure Active Directory (Azure AD) user group. To implement role-based access, you'll need to define admin roles, assign corresponding permissions, and assign Azure AD user groups assigned to the roles. @@ -71,4 +71,4 @@ Someone with a Microsoft Defender ATP Global administrator role has unrestricted ## Related topic -- [Create and manage machine groups in Microsoft Defender ATP](machine-groups-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Create and manage machine groups in Microsoft Defender ATP](machine-groups.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md index e2a48992a8..bf1c957ebe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md @@ -261,11 +261,11 @@ HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection Value = 0 – block sample collection Value = 1 – allow sample collection ``` -5. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md). +5. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp.md). 6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com). > [!NOTE] > If the value *AllowSampleCollection* is not available, the client will allow sample collection by default. ## Related topic -- [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) +- [Take response actions on a machine](respond-machine-alerts.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md index 16b781e106..f90dd5dda3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md @@ -250,4 +250,4 @@ All other related details are also shown, for example, submission time, submitti ![Image of action center with information](images/atp-action-center-with-info.png) ## Related topic -- [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md) +- [Take response actions on a file](respond-file-alerts.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/response-actions.md b/windows/security/threat-protection/microsoft-defender-atp/response-actions.md index 643f72739e..51b90af80c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/response-actions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/response-actions.md @@ -36,5 +36,5 @@ You can take response actions on machines and files to quickly respond to detect ## In this section Topic | Description :---|:--- -[Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md)| Isolate machines or collect an investigation package. -[Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)| Stop and quarantine files or block a file from your network. +[Take response actions on a machine](respond-machine-alerts.md)| Isolate machines or collect an investigation package. +[Take response actions on a file](respond-file-alerts.md)| Stop and quarantine files or block a file from your network. diff --git a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md index 81b063e148..6443996f08 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md @@ -23,7 +23,7 @@ ms.date: 12/08/2017 [!include[Prereleaseinformation](prerelease.md)] -Restrict execution of all applications on the machine except a predefined set (see [Response machine alerts](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information) +Restrict execution of all applications on the machine except a predefined set (see [Response machine alerts](respond-machine-alerts.md) for more information) [!include[Machine actions note](machineactionsnote.md)] @@ -37,8 +37,8 @@ Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md index d7b2db640d..af4e3a7870 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md @@ -43,7 +43,7 @@ Delegated (work or school account) | AdvancedQuery.Read | 'Run advanced queries' >[!Note] > When obtaining a token using user credentials: >- The user needs to have 'View Data' AD role ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` @@ -147,6 +147,6 @@ Content-Type: application/json​ ## Related topic - [Microsoft Defender ATP APIs](apis-intro.md) -- [Advanced Hunting from Portal](advanced-hunting-windows-defender-advanced-threat-protection.md) +- [Advanced Hunting from Portal](advanced-hunting.md) - [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) - [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md index 470cf1fc02..240efd12ca 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md @@ -37,8 +37,8 @@ Delegated (work or school account) | Machine.Scan | 'Scan machine' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md index 7f80d83213..d9a36f6795 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md @@ -48,5 +48,5 @@ Run the following PowerShell script on a newly onboarded machine to verify that The Command Prompt window will close automatically. If successful, the detection test will be marked as completed and a new alert will appear in the portal for the onboarded machine in approximately 10 minutes. ## Related topics -- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) -- [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md) +- [Onboard Windows 10 machines](configure-endpoints.md) +- [Onboard servers](configure-server-endpoints.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md index 1ee8334e7a..61f17b701f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md @@ -40,7 +40,7 @@ You can take the following actions to increase the overall security score of you - Fix sensor data collection - Fix impaired communications -For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md). +For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors.md). ### Windows Defender Antivirus (Windows Defender AV) optimization For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender AV is fulfilled. @@ -82,7 +82,7 @@ This tile shows you the exact number of machines that require the latest securit You can take the following actions to increase the overall security score of your organization: - Install the latest security updates - Fix sensor data collection - - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md). + - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors.md). For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/help/4027322/windows-windows-update-troubleshooter). @@ -229,7 +229,7 @@ You can take the following actions to increase the overall security score of you - Secure public profile - Verify secure configuration of third-party firewall - Fix sensor data collection - - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md). + - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors.md). For more information, see [Windows Defender Firewall with Advanced Security](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security). @@ -251,7 +251,7 @@ You can take the following actions to increase the overall security score of you - Resume protection on all drives - Ensure drive compatibility - Fix sensor data collection - - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md). + - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors.md). For more information, see [Bitlocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview). @@ -274,14 +274,14 @@ You can take the following actions to increase the overall security score of you - Ensure hardware and software prerequisites are met - Turn on Credential Guard - Fix sensor data collection - - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md). + - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors.md). For more information, see [Manage Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage). >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink) ## Related topics -- [Overview of Secure score](overview-secure-score-windows-defender-advanced-threat-protection.md) +- [Overview of Secure score](overview-secure-score.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md index 97e6cbec7e..ee063018af 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md @@ -55,9 +55,9 @@ You can view the overall number of active alerts from the last 30 days in your n Each group is further sub-categorized into their corresponding alert severity levels. Click the number of alerts inside each alert ring to see a sorted view of that category's queue (**New** or **In progress**). -For more information see, [Alerts overview](alerts-queue-windows-defender-advanced-threat-protection.md). +For more information see, [Alerts overview](alerts-queue.md). -Each row includes an alert severity category and a short description of the alert. You can click an alert to see its detailed view. For more information see, [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [Alerts overview](alerts-queue-windows-defender-advanced-threat-protection.md). +Each row includes an alert severity category and a short description of the alert. You can click an alert to see its detailed view. For more information see, [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) and [Alerts overview](alerts-queue.md). @@ -66,9 +66,9 @@ This tile shows you a list of machines with the highest number of active alerts. ![The Machines at risk tile shows a list of machines with the highest number of alerts, and a breakdown of the severity of the alerts](images/machines-at-risk-tile.png) -Click the name of the machine to see details about that machine. For more information see, [Investigate machines in the Microsoft Defender Advanced Threat Protection Machines list](investigate-machines-windows-defender-advanced-threat-protection.md). +Click the name of the machine to see details about that machine. For more information see, [Investigate machines in the Microsoft Defender Advanced Threat Protection Machines list](investigate-machines.md). -You can also click **Machines list** at the top of the tile to go directly to the **Machines list**, sorted by the number of active alerts. For more information see, [Investigate machines in the Microsoft Defender Advanced Threat Protection Machines list](investigate-machines-windows-defender-advanced-threat-protection.md). +You can also click **Machines list** at the top of the tile to go directly to the **Machines list**, sorted by the number of active alerts. For more information see, [Investigate machines in the Microsoft Defender Advanced Threat Protection Machines list](investigate-machines.md). ## Sensor health The **Sensor health** tile provides information on the individual machine’s ability to provide sensor data to the Microsoft Defender ATP service. It reports how many machines require attention and helps you identify problematic machines. @@ -80,14 +80,14 @@ There are two status indicators that provide information on the number of machin - **Inactive** - Machines that have stopped reporting to the Microsoft Defender ATP service for more than seven days in the past month. -When you click any of the groups, you’ll be directed to machines list, filtered according to your choice. For more information, see [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md) and [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md). +When you click any of the groups, you’ll be directed to machines list, filtered according to your choice. For more information, see [Check sensor state](check-sensor-status.md) and [Investigate machines](investigate-machines.md). ## Service health The **Service health** tile informs you if the service is active or if there are issues. ![The Service health tile shows an overall indicator of the service](images/status-tile.png) -For more information on the service health, see [Check the Microsoft Defender ATP service health](service-status-windows-defender-advanced-threat-protection.md). +For more information on the service health, see [Check the Microsoft Defender ATP service health](service-status.md). ## Daily machines reporting @@ -115,7 +115,7 @@ The tile shows you a list of user accounts with the most active alerts and the n ![User accounts at risk tile shows a list of user accounts with the highest number of alerts and a breakdown of the severity of the alerts](images/atp-users-at-risk.png) -Click the user account to see details about the user account. For more information see [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md). +Click the user account to see details about the user account. For more information see [Investigate a user account](investigate-user.md). ## Suspicious activities This tile shows audit events based on detections from various security components. @@ -127,8 +127,8 @@ This tile shows audit events based on detections from various security component >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-belowfoldlink) ## Related topics -- [Understand the Microsoft Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) -- [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) -- [View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md) -- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) +- [Understand the Microsoft Defender Advanced Threat Protection portal](use.md) +- [Portal overview](portal-overview.md) +- [View the Secure Score dashboard and improve your secure score](secure-score-dashboard.md) +- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/service-status.md b/windows/security/threat-protection/microsoft-defender-atp/service-status.md index 2a553f0551..31c8a5ee1a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/service-status.md +++ b/windows/security/threat-protection/microsoft-defender-atp/service-status.md @@ -57,4 +57,4 @@ When an issue is resolved, it gets recorded in the **Status history** tab. The **Status history** tab reflects all the historical issues that were seen and resolved. You'll see details of the resolved issues along with the other information that were included while it was being resolved. ### Related topic -- [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md) +- [View the Security operations dashboard](security-operations-dashboard.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md index 745cdec188..9fde8c8592 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md +++ b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md @@ -38,8 +38,8 @@ Delegated (work or school account) | Machine.StopAndQuarantine | 'Stop And Quara >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md index 534c8fb1d3..f4b1020dc3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md @@ -65,5 +65,5 @@ The **Mitigation status** and **Mitigation status over time** shows the endpoint ## Related topics -- [Threat analytics for Spectre and Meltdown](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) +- [Threat analytics for Spectre and Meltdown](threat-analytics-dashboard.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md index 5274b81da4..7b758a94bc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md @@ -39,7 +39,7 @@ Alert definitions are contextual attributes that can be used collectively to ide IOCs are individually-known malicious events that indicate that a network or machine has already been breached. Unlike alert definitions, these indicators are considered as evidence of a breach. They are often seen after an attack has already been carried out and the objective has been reached, such as exfiltration. Keeping track of IOCs is also important during forensic investigations. Although it might not provide the ability to intervene with an attack chain, gathering these indicators can be useful in creating better defenses for possible future attacks. ## Relationship between alert definitions and IOCs -In the context of Microsoft Defender ATP, alert definitions are containers for IOCs and defines the alert, including the metadata that is raised in case of a specific IOC match. Various metadata is provided as part of the alert definitions. Metadata such as alert definition name of attack, severity, and description is provided along with other options. For more information on available metadata options, see [Threat Intelligence API metadata](custom-ti-api-windows-defender-advanced-threat-protection.md#threat-intelligence-api-metadata). +In the context of Microsoft Defender ATP, alert definitions are containers for IOCs and defines the alert, including the metadata that is raised in case of a specific IOC match. Various metadata is provided as part of the alert definitions. Metadata such as alert definition name of attack, severity, and description is provided along with other options. For more information on available metadata options, see [Threat Intelligence API metadata](custom-ti-api.md#threat-intelligence-api-metadata). Each IOC defines the concrete detection logic based on its type and value as well as its action, which determines how it is matched. It is bound to a specific alert definition that defines how a detection is displayed as an alert on the Microsoft Defender ATP console. @@ -51,9 +51,9 @@ Here is an example of an IOC: IOCs have a many-to-one relationship with alert definitions such that an alert definition can have many IOCs that correspond to it. ## Related topics -- [Enable the custom threat intelligence API in Microsoft Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) -- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md) -- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md) -- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md) -- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md) -- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) +- [Enable the custom threat intelligence API in Microsoft Defender ATP](enable-custom-ti.md) +- [Create custom alerts using the threat intelligence API](custom-ti-api.md) +- [PowerShell code examples for the custom threat intelligence API](powershell-example-code.md) +- [Python code examples for the custom threat intelligence API](python-example-code.md) +- [Experiment with custom threat intelligence alerts](experiment-custom-ti.md) +- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md index da34c747c5..a532cdc3b6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md @@ -57,7 +57,7 @@ The Skype for Business integration provides s a way for analysts to communicate ## Related topic -- [Protect users, data, and devices with conditional access](conditional-access-windows-defender-advanced-threat-protection.md) +- [Protect users, data, and devices with conditional access](conditional-access.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md index 37eb716bfc..200d9396de 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md @@ -79,4 +79,4 @@ For example, to show data about high-severity alerts only: 3. Select **Apply**. ## Related topic -- [Machine health and compliance report](machine-reports-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Machine health and compliance report](machine-reports.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-custom-ti.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-custom-ti.md index c2d0bdf3c6..497987c490 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-custom-ti.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-custom-ti.md @@ -56,9 +56,9 @@ If your client secret expires or if you've misplaced the copy provided when you ## Related topics -- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -- [Enable the custom threat intelligence API in Microsoft Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) -- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md) -- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md) -- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md) -- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md) +- [Understand threat intelligence concepts](threat-indicator-concepts.md) +- [Enable the custom threat intelligence API in Microsoft Defender ATP](enable-custom-ti.md) +- [Create custom alerts using the threat intelligence API](custom-ti-api.md) +- [PowerShell code examples for the custom threat intelligence API](powershell-example-code.md) +- [Python code examples for the custom threat intelligence API](python-example-code.md) +- [Experiment with custom threat intelligence alerts](experiment-custom-ti.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md index 64c4946662..db5503aa11 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md @@ -91,4 +91,4 @@ crl.microsoft.com` ## Related topics -- [Validate licensing provisioning and complete setup for Microsoft Defender ATP](licensing-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Validate licensing provisioning and complete setup for Microsoft Defender ATP](licensing.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md index 5993a17f98..b46b9c95ac 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md @@ -29,12 +29,12 @@ ms.topic: troubleshooting You might need to troubleshoot the Microsoft Defender ATP onboarding process if you encounter issues. This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the machines. -If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, it might indicate an onboarding or connectivity problem. +If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines.md) after an hour, it might indicate an onboarding or connectivity problem. ## Troubleshoot onboarding when deploying with Group Policy Deployment with Group Policy is done by running the onboarding script on the machines. The Group Policy console does not indicate if the deployment has succeeded or not. -If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, you can check the output of the script on the machines. For more information, see [Troubleshoot onboarding when deploying with a script](#troubleshoot-onboarding-when-deploying-with-a-script). +If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines.md) after an hour, you can check the output of the script on the machines. For more information, see [Troubleshoot onboarding when deploying with a script](#troubleshoot-onboarding-when-deploying-with-a-script). If the script completes successfully, see [Troubleshoot onboarding issues on the machines](#troubleshoot-onboarding-issues-on-the-machine) for additional errors that might occur. @@ -71,9 +71,9 @@ Event ID | Error Type | Resolution steps 10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```.
Verify that the script was ran as an administrator. 15 | Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).

If the machine is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the machine. If rebooting the machine doesn't address the issue, upgrade to KB4015217 and try onboarding again. 15 | Failed to start SENSE service | If the message of the error is: System error 577 has occurred. You need to enable the Windows Defender Antivirus ELAM driver, see [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy) for instructions. -30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). -35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location
```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```.
The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). -40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). +30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md). +35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location
```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```.
The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md). +40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md). 65 | Insufficient privileges| Run the script again with administrator privileges. ## Troubleshoot onboarding issues using Microsoft Intune @@ -155,12 +155,12 @@ If the deployment tools used does not indicate an error in the onboarding proces Event ID | Message | Resolution steps :---|:---|:--- 5 | Microsoft Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection). -6 | Microsoft Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md). +6 | Microsoft Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-script.md). 7 | Microsoft Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection), then run the entire onboarding process again. -9 | Microsoft Defender Advanced Threat Protection service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md).

If the event happened during offboarding, contact support. -10 | Microsoft Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md).

If the problem persists, contact support. +9 | Microsoft Defender Advanced Threat Protection service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script.md).

If the event happened during offboarding, contact support. +10 | Microsoft Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script.md).

If the problem persists, contact support. 15 | Microsoft Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection). -17 | Microsoft Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md). If the problem persists, contact support. +17 | Microsoft Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | [Run the onboarding script again](configure-endpoints-script.md). If the problem persists, contact support. 25 | Microsoft Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support. 27 | Failed to enable Microsoft Defender Advanced Threat Protection mode in Windows Defender. Onboarding process failed. Failure code: variable | Contact support. 29 | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the machine has Internet access, then run the entire offboarding process again. @@ -238,9 +238,9 @@ The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to repo WinHTTP is independent of the Internet browsing proxy settings and other user context applications and must be able to detect the proxy servers that are available in your particular environment. -To ensure that sensor has service connectivity, follow the steps described in the [Verify client connectivity to Microsoft Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls) topic. +To ensure that sensor has service connectivity, follow the steps described in the [Verify client connectivity to Microsoft Defender ATP service URLs](configure-proxy-internet.md#verify-client-connectivity-to-windows-defender-atp-service-urls) topic. -If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic. +If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet.md) topic. ### Ensure that Windows Defender Antivirus is not disabled by a policy **Problem**: The Microsoft Defender ATP service does not start after onboarding. @@ -271,8 +271,8 @@ If the verification fails and your environment is using a proxy to connect to th ## Troubleshoot onboarding issues on a server If you encounter issues while onboarding a server, go through the following verification steps to address possible issues. -- [Ensure Microsoft Monitoring Agent (MMA) is installed and configured to report sensor data to the service](configure-server-endpoints-windows-defender-advanced-threat-protection.md#server-mma) -- [Ensure that the server proxy and Internet connectivity settings are configured properly](configure-server-endpoints-windows-defender-advanced-threat-protection.md#server-proxy) +- [Ensure Microsoft Monitoring Agent (MMA) is installed and configured to report sensor data to the service](configure-server-endpoints.md#server-mma) +- [Ensure that the server proxy and Internet connectivity settings are configured properly](configure-server-endpoints.md#server-proxy) You might also need to check the following: - Check that there is a Microsoft Defender Advanced Threat Protection Service running in the **Processes** tab in **Task Manager**. For example: @@ -306,7 +306,7 @@ For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us ## Related topics -- [Troubleshoot Microsoft Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md) -- [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) -- [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) +- [Troubleshoot Microsoft Defender ATP](troubleshoot.md) +- [Onboard machines](onboard-configure.md) +- [Configure machine proxy and Internet connectivity settings](configure-proxy-internet.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md index 7d2a7d86da..1ff99f3d60 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md @@ -80,8 +80,8 @@ If you encounter an error when trying to enable the SIEM connector application, >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootsiem-belowfoldlink) ## Related topics -- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) -- [Configure ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) -- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) -- [Microsoft Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) -- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) +- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) +- [Configure ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md) +- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md) +- [Microsoft Defender ATP alert API fields](api-portal-mapping.md) +- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot.md index b5201a5814..84c7b19ed4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot.md @@ -37,13 +37,13 @@ Make sure that `*.securitycenter.windows.com` is included the proxy whitelist. ## Microsoft Defender ATP service shows event or error logs in the Event Viewer -See the topic [Review events and errors using Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) for a list of event IDs that are reported by the Microsoft Defender ATP service. The topic also contains troubleshooting steps for event errors. +See the topic [Review events and errors using Event Viewer](event-error-codes.md) for a list of event IDs that are reported by the Microsoft Defender ATP service. The topic also contains troubleshooting steps for event errors. ## Microsoft Defender ATP service fails to start after a reboot and shows error 577 If onboarding machines successfully completes but Microsoft Defender ATP does not start after a reboot and shows error 577, check that Windows Defender is not disabled by a policy. -For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy). +For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy). ## Known issues with regional formats @@ -73,5 +73,5 @@ When you use Azure Security Center to monitor servers, a Microsoft Defender ATP ## Related topics -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) -- [Review events and errors using Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) +- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) +- [Review events and errors using Event Viewer](event-error-codes.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md index 4320d58d31..c1bfd3a410 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md @@ -37,8 +37,8 @@ Delegated (work or school account) | Machine.Isolate | 'Isolate machine' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md index 9531e39835..9680a57aec 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md @@ -37,8 +37,8 @@ Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md index be7b420a9b..9752745d78 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md +++ b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md @@ -36,8 +36,8 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/use-custom-ti.md b/windows/security/threat-protection/microsoft-defender-atp/use-custom-ti.md index 580beea62a..c8174671cd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/use-custom-ti.md +++ b/windows/security/threat-protection/microsoft-defender-atp/use-custom-ti.md @@ -35,10 +35,10 @@ You can use the code examples to guide you in creating calls to the custom threa Topic | Description :---|:--- -[Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) | Understand the concepts around threat intelligence so that you can effectively create custom intelligence for your organization. -[Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) | Set up the custom threat intelligence application through Microsoft Defender Security Center so that you can create custom threat intelligence (TI) using REST API. -[Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md) | Create custom threat intelligence alerts so that you can generate specific alerts that are applicable to your organization. -[PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) | Use the PowerShell code examples to guide you in using the custom threat intelligence API. -[Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) | Use the Python code examples to guide you in using the custom threat intelligence API. -[Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md) | This article demonstrates an end-to-end usage of the threat intelligence API to get you started in using the threat intelligence API. -[Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) | Learn how to address possible issues you might encounter while using the threat intelligence API. +[Understand threat intelligence concepts](threat-indicator-concepts.md) | Understand the concepts around threat intelligence so that you can effectively create custom intelligence for your organization. +[Enable the custom threat intelligence application](enable-custom-ti.md) | Set up the custom threat intelligence application through Microsoft Defender Security Center so that you can create custom threat intelligence (TI) using REST API. +[Create custom threat intelligence alerts](custom-ti-api.md) | Create custom threat intelligence alerts so that you can generate specific alerts that are applicable to your organization. +[PowerShell code examples](powershell-example-code.md) | Use the PowerShell code examples to guide you in using the custom threat intelligence API. +[Python code examples](python-example-code.md) | Use the Python code examples to guide you in using the custom threat intelligence API. +[Experiment with custom threat intelligence alerts](experiment-custom-ti.md) | This article demonstrates an end-to-end usage of the threat intelligence API to get you started in using the threat intelligence API. +[Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti.md) | Learn how to address possible issues you might encounter while using the threat intelligence API. diff --git a/windows/security/threat-protection/microsoft-defender-atp/use.md b/windows/security/threat-protection/microsoft-defender-atp/use.md index 2f1fff7f2e..df066b9b7e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/use.md +++ b/windows/security/threat-protection/microsoft-defender-atp/use.md @@ -39,9 +39,9 @@ Use the **Threat analytics** dashboard to continually assess and control risk ex Topic | Description :---|:--- -[Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) | Understand the portal layout and area descriptions. -[View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md) | The Microsoft Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the machines on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines. -[View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md) | The **Secure Score dashboard** expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. -[View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) | The **Threat analytics** dashboard helps you continually assess and control risk exposure to Spectre and Meltdown. Use the charts to quickly identify machines for the presence or absence of mitigations. +[Portal overview](portal-overview.md) | Understand the portal layout and area descriptions. +[View the Security operations dashboard](security-operations-dashboard.md) | The Microsoft Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the machines on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines. +[View the Secure Score dashboard and improve your secure score](secure-score-dashboard.md) | The **Secure Score dashboard** expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. +[View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard.md) | The **Threat analytics** dashboard helps you continually assess and control risk exposure to Spectre and Meltdown. Use the charts to quickly identify machines for the presence or absence of mitigations. diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md index 2c305c28e0..fd2f77e7a0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md +++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md @@ -77,5 +77,5 @@ After creating roles, you'll need to create a machine group and provide access t ##Related topic -- [User basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md) -- [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [User basic permissions to access the portal](basic-permissions.md) +- [Create and manage machine groups](machine-groups.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md index a7d944a061..060b92ef38 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md @@ -73,6 +73,6 @@ Use this filter to choose between focusing on incidents flagged as true or false ## Related topics - [Incidents queue](incidents-queue.md) -- [Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md) -- [Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md) +- [Manage incidents](manage-incidents.md) +- [Investigate incidents](investigate-incidents.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md index 93ec317ca9..d08d240b1c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md @@ -93,7 +93,7 @@ Microsoft Defender ATP is seamlessly integrated in Microsoft Threat Protection t - [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019)
Microsoft Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. -- [Power BI reports using Microsoft Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
+- [Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
Microsoft Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal. diff --git a/windows/security/threat-protection/microsoft-defender-atp/windows-defender-security-center-atp.md b/windows/security/threat-protection/microsoft-defender-atp/windows-defender-security-center-atp.md index af2106bf2b..89b74b62a0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/windows-defender-security-center-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/windows-defender-security-center-atp.md @@ -27,13 +27,13 @@ Microsoft Defender Security Center is the portal where you can access Microsoft Topic | Description :---|:--- Get started | Learn about the minimum requirements, validate licensing and complete setup, know about preview features, understand data storage and privacy, and how to assign user access to the portal. -[Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) | Learn about onboarding client, server, and non-Windows machines. Learn how to run a detection test, configure proxy and Internet connectivity settings, and how to troubleshoot potential onboarding issues. -[Understand the portal](use-windows-defender-advanced-threat-protection.md) | Understand the Security operations, Secure Score, and Threat analytics dashboards as well as how to navigate the portal. +[Onboard machines](onboard-configure.md) | Learn about onboarding client, server, and non-Windows machines. Learn how to run a detection test, configure proxy and Internet connectivity settings, and how to troubleshoot potential onboarding issues. +[Understand the portal](use.md) | Understand the Security operations, Secure Score, and Threat analytics dashboards as well as how to navigate the portal. Investigate and remediate threats | Investigate alerts, machines, and take response actions to remediate threats. API and SIEM support | Use the supported APIs to pull and create custom alerts, or automate workflows. Use the supported SIEM tools to pull alerts from Microsoft Defender Security Center. Reporting | Create and build Power BI reports using Microsoft Defender ATP data. Check service health and sensor state | Verify that the service is running and check the sensor state on machines. -[Configure Microsoft Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Configure general settings, turn on the preview experience, notifications, and enable other features. -[Access the Microsoft Defender ATP Community Center](community-windows-defender-advanced-threat-protection.md) | Access the Microsoft Defender ATP Community Center to learn, collaborate, and share experiences about the product. -[Troubleshoot service issues](troubleshoot-windows-defender-advanced-threat-protection.md) | This section addresses issues that might arise as you use the Windows Defender Advanced Threat service. +[Configure Microsoft Defender Security Center settings](preferences-setup.md) | Configure general settings, turn on the preview experience, notifications, and enable other features. +[Access the Microsoft Defender ATP Community Center](community.md) | Access the Microsoft Defender ATP Community Center to learn, collaborate, and share experiences about the product. +[Troubleshoot service issues](troubleshoot.md) | This section addresses issues that might arise as you use the Windows Defender Advanced Threat service. From c8594e7e6f47e1e5716859e28d2bdb4ca262182f Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 15:12:26 -0700 Subject: [PATCH 118/492] fix index file --- .../change-history-for-threat-protection.md | 5 +- windows/security/threat-protection/index.md | 98 +++++++++---------- .../{conditional.md => conditional-access.md} | 0 3 files changed, 51 insertions(+), 52 deletions(-) rename windows/security/threat-protection/microsoft-defender-atp/{conditional.md => conditional-access.md} (100%) diff --git a/windows/security/threat-protection/change-history-for-threat-protection.md b/windows/security/threat-protection/change-history-for-threat-protection.md index 1deaa652b8..76b8efdb9f 100644 --- a/windows/security/threat-protection/change-history-for-threat-protection.md +++ b/windows/security/threat-protection/change-history-for-threat-protection.md @@ -10,16 +10,15 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/11/2018 ms.localizationpriority: medium --- # Change history for threat protection -This topic lists new and updated topics in the [Windows Defender ATP](windows-defender-atp/windows-defender-advanced-threat-protection.md) documentation. +This topic lists new and updated topics in the [Microsoft Defender ATP](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) documentation. ## August 2018 New or changed topic | Description ---------------------|------------ -[Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md) | Reorganized Windows 10 security topics to reflect the Windows Defender ATP platform. +[Microsoft Defender Advanced Threat Protection](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) | Reorganized Windows 10 security topics to reflect the Windows Defender ATP platform. diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 44c4ef2a2f..d657ec1311 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -1,7 +1,7 @@ --- title: Threat Protection (Windows 10) -description: Learn how Windows Defender ATP helps protect against threats. -keywords: threat protection, windows defender advanced threat protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, secure score, advanced hunting +description: Learn how Microsoft Defender ATP helps protect against threats. +keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, secure score, advanced hunting search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -12,9 +12,9 @@ ms.localizationpriority: medium --- # Threat Protection -[Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Windows Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture. +[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Microsoft Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture. -

Windows Defender ATP

+

Microsoft Defender ATP

@@ -71,8 +71,8 @@ Windows Defender ATP uses the following combination of technology built into Win >[!TIP] ->- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). ->- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). +>- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). **[Attack surface reduction](overview-attack-surface-reduction.md)**
The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. @@ -80,7 +80,7 @@ The attack surface reduction set of capabilities provide the first line of defen **[Next generation protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)**
-To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation protection designed to catch all types of emerging threats. +To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats. @@ -91,27 +91,27 @@ You can also do advanced hunting to create custom threat intelligence and use a **[Automated investigation and remediation](automated-investigations-windows-defender-advanced-threat-protection.md)**
-In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. +In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. **[Secure score](overview-secure-score-windows-defender-advanced-threat-protection.md)**
-Windows Defender ATP includes a secure score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. +Microsoft Defender ATP includes a secure score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. **[Microsoft Threat Experts](microsoft-threat-experts.md)**
-Windows Defender ATP's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights that further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately. +Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights that further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately. **[Management and APIs](management-apis.md)**
-Integrate Windows Defender Advanced Threat Protection into your existing workflows. +Integrate Microsoft Defender Advanced Threat Protection into your existing workflows. **[Microsoft Threat Protection](threat-protection-integration.md)**
- Windows Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace. Bring the power of Microsoft threat protection to your organization. + Microsoft Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace. Bring the power of Microsoft threat protection to your organization. @@ -120,10 +120,10 @@ To help you maximize the effectiveness of the security platform, you can configu Topic | Description :---|:--- -[Overview](overview.md) | Understand the concepts behind the capabilities in Windows Defender ATP so you take full advantage of the complete threat protection platform. -[Get started](get-started.md) | Learn about the requirements of the platform and the initial steps you need to take to get started with Windows Defender ATP. -[Configure and manage capabilities](onboard.md)| Configure and manage the individual capabilities in Windows Defender ATP. -[Troubleshoot Windows Defender ATP](troubleshoot-wdatp.md) | Learn how to address issues that you might encounter while using the platform. +[Overview](overview.md) | Understand the concepts behind the capabilities in Microsoft Defender ATP so you take full advantage of the complete threat protection platform. +[Get started](get-started.md) | Learn about the requirements of the platform and the initial steps you need to take to get started with Microsoft Defender ATP. +[Configure and manage capabilities](onboard.md)| Configure and manage the individual capabilities in Microsoft Defender ATP. +[Troubleshoot Microsoft Defender ATP](troubleshoot-wdatp.md) | Learn how to address issues that you might encounter while using the platform. ## Related topic -[Windows Defender ATP helps detect sophisticated threats](https://www.microsoft.com/itshowcase/Article/Content/854/Windows-Defender-ATP-helps-detect-sophisticated-threats) +[Microsoft Defender ATP helps detect sophisticated threats](https://www.microsoft.com/itshowcase/Article/Content/854/Windows-Defender-ATP-helps-detect-sophisticated-threats) diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md index 380af8ef33..652eaf3652 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md @@ -1,6 +1,6 @@ --- title: Microsoft Threat Experts -description: Microsoft Threat Experts is the new managed threat hunting service in Windows Defender Advanced Threat Protection (Windows Defender ATP) that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365. +description: Microsoft Threat Experts is the new managed threat hunting service in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365. keywords: managed threat hunting service, managed threat hunting, MTE, Microsoft Threat Experts search.product: Windows 10 search.appverid: met150 @@ -20,7 +20,7 @@ ms.date: 02/28/2019 # Microsoft Threat Experts **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prerelease�information](prerelease.md)] diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index afd1ba57b5..5a4a309e6f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md @@ -1,5 +1,5 @@ --- -title: Minimum requirements for Windows Defender ATP +title: Minimum requirements for Microsoft Defender ATP description: Understand the licensing requirements and requirements for onboarding machines to the sercvie keywords: minimum requirements, licensing, comparison table search.product: eADQiWindows 10XVcnh @@ -17,22 +17,22 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Minimum requirements for Windows Defender ATP +# Minimum requirements for Microsoft Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) There are some minimum requirements for onboarding machines to the service. ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-minreqs-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-minreqs-abovefoldlink) >[!TIP] ->- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). ->- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). +>- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). ## Licensing requirements -Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: +Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: - Windows 10 Enterprise E5 - Windows 10 Education E5 @@ -42,7 +42,7 @@ For more information on the array of features in Windows 10 editions, see [Compa For a detailed comparison table of Windows 10 commercial edition comparison, see the [comparison PDF](https://go.microsoft.com/fwlink/p/?linkid=2069559). -For more information about licensing requirements for Windows Defender ATP platform on Windows Server, see [Protecting Windows Servers with Windows Defender ATP](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114). +For more information about licensing requirements for Microsoft Defender ATP platform on Windows Server, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114). ## Related topic diff --git a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md index dfd40d8852..33e5a03df9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md @@ -1,6 +1,6 @@ --- title: Managed security service provider (MSSP) support -description: Understand how Windows Defender ATP integrates with managed security service providers (MSSP) +description: Understand how Microsoft Defender ATP integrates with managed security service providers (MSSP) keywords: mssp, integration, managed, security, service, provider search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -21,19 +21,19 @@ ms.date: 10/29/2018 # Managed security service provider support **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink) Security is recognized as a key component in running an enterprise, however some organizations might not have the capacity or expertise to have a dedicated security operations team to manage the security of their endpoints and network, others may want to have a second set of eyes to review alerts in their network. -To address this demand, managed security service providers (MSSP) offer to deliver managed detection and response (MDR) services on top of Windows Defender ATP. +To address this demand, managed security service providers (MSSP) offer to deliver managed detection and response (MDR) services on top of Microsoft Defender ATP. -Windows Defender ATP adds support for this scenario and to allow MSSPs to take the following actions: +Microsoft Defender ATP adds support for this scenario and to allow MSSPs to take the following actions: - Get access to MSSP customer's Windows Defender Security Center portal - Get email notifications, and diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md index 50855b0351..d2eff9b682 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md @@ -18,16 +18,16 @@ ms.topic: article # Offboard machine API **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prereleaseinformation](prerelease.md)] -Offboard machine from Windows Defender ATP. +Offboard machine from Microsoft Defender ATP. [!include[Machine actions note](machineactionsnote.md)] ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md index 273bfed16c..a22fafe295 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md @@ -1,6 +1,6 @@ --- -title: Offboard machines from the Windows Defender ATP service -description: Onboard Windows 10 machines, servers, non-Windows machines from the Windows Defender ATP service +title: Offboard machines from the Microsoft Defender ATP service +description: Onboard Windows 10 machines, servers, non-Windows machines from the Microsoft Defender ATP service keywords: offboarding, windows defender advanced threat protection offboarding, windows atp offboarding search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -18,18 +18,18 @@ ms.topic: conceptual ms.date: 04/24/2018 --- -# Offboard machines from the Windows Defender ATP service +# Offboard machines from the Microsoft Defender ATP service **Applies to:** - macOS - Linux - Windows Server 2012 R2 - Windows Server 2016 -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-offboardmachines-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-offboardmachines-abovefoldlink) Follow the corresponding instructions depending on your preferred deployment method. diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md index a33cae087b..353ee5e12b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md @@ -1,5 +1,5 @@ --- -title: Onboard machines to the Windows Defender ATP service +title: Onboard machines to the Microsoft Defender ATP service description: Onboard Windows 10 machines, servers, non-Windows machines and learn how to run a detection test. keywords: onboarding, windows defender advanced threat protection onboarding, windows atp onboarding, sccm, group policy, mdm, local script, detection test search.product: eADQiWindows 10XVcnh @@ -18,21 +18,21 @@ ms.topic: conceptual ms.date: 11/19/2018 --- -# Onboard machines to the Windows Defender ATP service +# Onboard machines to the Microsoft Defender ATP service **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -You need to turn on the sensor to give visibility within Windows Defender ATP. +You need to turn on the sensor to give visibility within Microsoft Defender ATP. -For more information, see [Onboard your Windows 10 machines to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be). +For more information, see [Onboard your Windows 10 machines to Microsoft Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be). [!include[Prerelease information](prerelease.md)] ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) ## Licensing requirements -Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: +Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: - Windows 10 Enterprise E5 - Windows 10 Education E5 @@ -59,7 +59,7 @@ For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us Machines on your network must be running one of these editions. -The hardware requirements for Windows Defender ATP on machines is the same as those for the supported editions. +The hardware requirements for Microsoft Defender ATP on machines is the same as those for the supported editions. > [!NOTE] > Machines that are running mobile versions of Windows are not supported. @@ -70,15 +70,15 @@ The hardware requirements for Windows Defender ATP on machines is the same as th - Linux >[!NOTE] ->You'll need to know the exact Linux distros and macOS versions that are compatible with Windows Defender ATP for the integration to work. +>You'll need to know the exact Linux distros and macOS versions that are compatible with Microsoft Defender ATP for the integration to work. ### Network and data storage and configuration requirements -When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: in the European Union, the United Kingdom, or the United States datacenter. +When you run the onboarding wizard for the first time, you must choose where your Microsoft Defender Advanced Threat Protection-related information is stored: in the European Union, the United Kingdom, or the United States datacenter. > [!NOTE] > - You cannot change your data storage location after the first-time setup. -> - Review the [Windows Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how Microsoft stores your data. +> - Review the [Microsoft Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how Microsoft stores your data. ### Diagnostic data settings @@ -132,7 +132,7 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the #### Internet connectivity Internet connectivity on machines is required either directly or through proxy. -The Windows Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Windows Defender ATP cloud service and report cyber data. One-off activities such as file uploads and investigation package collection are not included in this daily average bandwidth. +The Microsoft Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Microsoft Defender ATP cloud service and report cyber data. One-off activities such as file uploads and investigation package collection are not included in this daily average bandwidth. For more information on additional proxy configuration settings see, [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) . @@ -140,11 +140,11 @@ Before you onboard machines, the diagnostic data service must be enabled. The se ## Windows Defender Antivirus configuration requirement -The Windows Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them. +The Microsoft Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them. -You must configure Security intelligence updates on the Windows Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md). +You must configure Security intelligence updates on the Microsoft Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md). -When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows Defender ATP must be excluded from this group policy. +When Windows Defender Antivirus is not the active antimalware in your organization and you use the Microsoft Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Microsoft Defender ATP must be excluded from this group policy. If you are onboarding servers and Windows Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Windows Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md). @@ -152,7 +152,7 @@ If you are onboarding servers and Windows Defender Antivirus is not the active a For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). ## Windows Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled -If you're running Windows Defender Antivirus as the primary antimalware product on your machines, the Windows Defender ATP agent will successfully onboard. +If you're running Windows Defender Antivirus as the primary antimalware product on your machines, the Microsoft Defender ATP agent will successfully onboard. If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy). @@ -160,12 +160,12 @@ If you're running a third-party antimalware client and use Mobile Device Managem ## In this section Topic | Description :---|:--- -[Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)| Onboard Windows 7 and Windows 8.1 machines to Windows Defender ATP. -[Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to onboard machines for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure machines in your enterprise. -[Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP -[Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) | Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products' sensor data. -[Run a detection test on a newly onboarded machine](run-detection-test-windows-defender-advanced-threat-protection.md) | Run a script on a newly onboarded machine to verify that it is properly reporting to the Windows Defender ATP service. -[Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings. +[Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)| Onboard Windows 7 and Windows 8.1 machines to Microsoft Defender ATP. +[Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to onboard machines for it to report to the Microsoft Defender ATP service. Learn about the tools and methods you can use to configure machines in your enterprise. +[Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender ATP +[Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) | Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products' sensor data. +[Run a detection test on a newly onboarded machine](run-detection-test-windows-defender-advanced-threat-protection.md) | Run a script on a newly onboarded machine to verify that it is properly reporting to the Microsoft Defender ATP service. +[Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Microsoft Defender ATP cloud service by configuring the proxy and Internet connectivity settings. [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding. ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md index 700436d636..140c14d487 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md @@ -1,6 +1,6 @@ --- -title: Onboard previous versions of Windows on Windows Defender ATP -description: Onboard supported previous versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor +title: Onboard previous versions of Windows on Microsoft Defender ATP +description: Onboard supported previous versions of Windows machines so that they can send sensor data to the Microsoft Defender ATP sensor keywords: onboard, windows, 7, 81, oms, sp1, enterprise, pro, down level search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -25,35 +25,35 @@ ms.topic: article - Windows 7 SP1 Pro - Windows 8.1 Pro - Windows 8.1 Enterprise -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-downlevel-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-downlevel-abovefoldlink) -Windows Defender ATP extends support to include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions. +Microsoft Defender ATP extends support to include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions. >[!IMPORTANT] >This capability is currently in preview. You'll need to turn on the preview features to take advantage of this feature. For more information, see [Preview features](preview-windows-defender-advanced-threat-protection.md). -To onboard down-level Windows client endpoints to Windows Defender ATP, you'll need to: +To onboard down-level Windows client endpoints to Microsoft Defender ATP, you'll need to: - Configure and update System Center Endpoint Protection clients. -- Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP as instructed below. +- Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP as instructed below. >[!TIP] -> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md). +> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md). ## Configure and update System Center Endpoint Protection clients >[!IMPORTANT] >This step is required only if your organization uses System Center Endpoint Protection (SCEP). -Windows Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. +Microsoft Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. The following steps are required to enable this integration: - Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) - Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting - Configure your network to allow connections to the Windows Defender Antivirus cloud. For more information, see [Allow connections to the Windows Defender Antivirus cloud](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus#allow-connections-to-the-windows-defender-antivirus-cloud) -## Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP +## Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP ### Before you begin Review the following details to verify minimum system requirements: @@ -77,7 +77,7 @@ Review the following details to verify minimum system requirements: 1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603) or [Windows 32-bit agent](https://go.microsoft.com/fwlink/?LinkId=828604). 2. Obtain the workspace ID: - - In the Windows Defender ATP navigation pane, select **Settings > Machine management > Onboarding** + - In the Microsoft Defender ATP navigation pane, select **Settings > Machine management > Onboarding** - Select **Windows 7 SP1 and 8.1** as the operating system - Copy the workspace ID and workspace key @@ -93,7 +93,7 @@ Once completed, you should see onboarded endpoints in the portal within an hour. ### Configure proxy and Internet connectivity settings - Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway). -- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service: +- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Microsoft Defender ATP service: Agent Resource | Ports :---|:--- @@ -110,9 +110,9 @@ Agent Resource | Ports ## Offboard client endpoints -To offboard, you can uninstall the MMA agent from the endpoint or detach it from reporting to your Windows Defender ATP workspace. After offboarding the agent, the endpoint will no longer send sensor data to Windows Defender ATP. +To offboard, you can uninstall the MMA agent from the endpoint or detach it from reporting to your Microsoft Defender ATP workspace. After offboarding the agent, the endpoint will no longer send sensor data to Microsoft Defender ATP. ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-downlevele-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-downlevele-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard.md b/windows/security/threat-protection/microsoft-defender-atp/onboard.md index 319d254a8e..9bb3eaa985 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard.md @@ -1,6 +1,6 @@ --- -title: Configure and manage Windows Defender ATP capabilities -description: Configure and manage Windows Defender ATP capabilities such as attack surface reduction, next generation protection, and security controls +title: Configure and manage Microsoft Defender ATP capabilities +description: Configure and manage Microsoft Defender ATP capabilities such as attack surface reduction, next generation protection, and security controls keywords: configure, manage, capabilities, attack surface reduction, next generation protection, security controls, endpoint detection and response, auto investigation and remediation, security controls, controls search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -18,12 +18,12 @@ ms.topic: conceptual ms.date: 09/03/2018 --- -# Configure and manage Windows Defender ATP capabilities +# Configure and manage Microsoft Defender ATP capabilities **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Configure and manage all the Windows Defender ATP capabilities to get the best security protection for your organization. +Configure and manage all the Microsoft Defender ATP capabilities to get the best security protection for your organization. ## In this section @@ -32,7 +32,7 @@ Topic | Description [Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) | By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. [Configure next generation protection](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats. [Configure Secure score dashboard security controls](secure-score-dashboard-windows-defender-advanced-threat-protection.md) | Configure the security controls in Secure score to increase the security posture of your organization. -Configure Microsoft Threat Protection integration| Configure other solutions that integrate with Windows Defender ATP. +Configure Microsoft Threat Protection integration| Configure other solutions that integrate with Microsoft Defender ATP. Management and API support| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports. [Configure Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Configure portal related settings such as general settings, advanced features, enable the preview experience and others. diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md index c2617a285e..f5e0f9e489 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md @@ -1,6 +1,6 @@ --- title: Overview of attack surface reduction -description: Learn about the attack surface reduction capability in Windows Defender ATP +description: Learn about the attack surface reduction capability in Microsoft Defender ATP keywords: search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -21,9 +21,9 @@ ms.date: 02/21/2019 # Overview of attack surface reduction **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Attack surface reduction capabilities in Windows Defender ATP helps protect the devices and applications in your organization from new and emerging threats. +Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in your organization from new and emerging threats. | Capability | Description | |------------|-------------| diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md index 13268d34ad..8101a199e5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md @@ -21,10 +21,10 @@ ms.date: 10/29/2018 # Custom detections overview **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Alerts in Windows Defender ATP are surfaced through the system based on signals gathered from endpoints. With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. +Alerts in Microsoft Defender ATP are surfaced through the system based on signals gathered from endpoints. With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. Custom detections are queries that run periodically every 24 hours and can be configured so that when the query meets the criteria you set, alerts are created and are surfaced in Windows Defender Security Center. These alerts will be treated like any other alert in the system. diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md index 1fb9eea8e2..0d954897a9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md @@ -1,6 +1,6 @@ --- title: Overview of endpoint detection and response capabilities -description: Learn about the endpoint detection and response capabilities in Windows Defender ATP +description: Learn about the endpoint detection and response capabilities in Microsoft Defender ATP keywords: search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -22,13 +22,13 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Windows Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. +Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. When a threat is detected, alerts are created in the system for an analyst to investigate. Alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called an _incident_. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats. -Inspired by the "assume breach" mindset, Windows Defender ATP continuously collects behavioral cyber telemetry. This includes process information, network activities, deep optics into the kernel and memory manager, user login activities, registry and file system changes, and others. The information is stored for six months, enabling an analyst to travel back in time to the start of an attack. The analyst can then pivot in various views and approach an investigation through multiple vectors. +Inspired by the "assume breach" mindset, Microsoft Defender ATP continuously collects behavioral cyber telemetry. This includes process information, network activities, deep optics into the kernel and memory manager, user login activities, registry and file system changes, and others. The information is stored for six months, enabling an analyst to travel back in time to the start of an attack. The analyst can then pivot in various views and approach an investigation through multiple vectors. The response capabilities give you the power to promptly remediate threats by acting on the affected entities. diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md b/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md index b86fea8fb4..2c91a25599 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md @@ -18,9 +18,9 @@ ms.date: 09/07/2018 # Hardware-based isolation in Windows 10 -**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Hardware-based isolation helps protect system integrity in Windows 10 and is integrated with Windows Defender ATP. +Hardware-based isolation helps protect system integrity in Windows 10 and is integrated with Microsoft Defender ATP. | Feature | Description | |------------|-------------| diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-hunting.md b/windows/security/threat-protection/microsoft-defender-atp/overview-hunting.md index 8d95c6f102..6742a95514 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-hunting.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-hunting.md @@ -20,7 +20,7 @@ ms.date: 09/12/2018 # Overview of advanced hunting **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Advanced hunting allows you to hunt for possible threats across your organization using a powerful search and query tool. You can also create custom detection rules based on the queries you created and surface alerts in Windows Defender Security Center. diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md index 33671e8778..3d27aa1319 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md @@ -20,7 +20,7 @@ ms.date: 09/03/2018 # Overview of Secure score in Windows Defender Security Center **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) The Secure score dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines. diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview.md b/windows/security/threat-protection/microsoft-defender-atp/overview.md index f9989d69f7..84d99f3816 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview.md @@ -1,5 +1,5 @@ --- -title: Overview of Windows Defender ATP +title: Overview of Microsoft Defender ATP description: keywords: search.product: eADQiWindows 10XVcnh @@ -18,28 +18,28 @@ ms.topic: conceptual ms.date: 11/20/2018 --- -# Overview of Windows Defender ATP capabilities +# Overview of Microsoft Defender ATP capabilities **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Understand the concepts behind the capabilities in Windows Defender ATP so you take full advantage of the complete threat protection platform. +Understand the concepts behind the capabilities in Microsoft Defender ATP so you take full advantage of the complete threat protection platform. >[!TIP] ->- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). ->- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). +>- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). ## In this section Topic | Description :---|:--- [Attack surface reduction](overview-attack-surface-reduction.md) | Leverage the attack surface reduction capabilities to protect the perimeter of your organization. -[Next generation protection](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | Learn about the antivirus capabilities in Windows Defender ATP so you can protect desktops, portable computers, and servers. -[Endpoint detection and response](overview-endpoint-detection-response.md) | Understand how Windows Defender ATP continuously monitors your organization for possible attacks against systems, networks, or users in your organization and the features you can use to mitigate and remediate threats. -[Automated investigation and remediation](automated-investigations-windows-defender-advanced-threat-protection.md) | In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. +[Next generation protection](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | Learn about the antivirus capabilities in Microsoft Defender ATP so you can protect desktops, portable computers, and servers. +[Endpoint detection and response](overview-endpoint-detection-response.md) | Understand how Microsoft Defender ATP continuously monitors your organization for possible attacks against systems, networks, or users in your organization and the features you can use to mitigate and remediate threats. +[Automated investigation and remediation](automated-investigations-windows-defender-advanced-threat-protection.md) | In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. [Secure score](overview-secure-score-windows-defender-advanced-threat-protection.md) | Quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to better protect your organization - all in one place. [Advanced hunting](overview-hunting-windows-defender-advanced-threat-protection.md) | Use a powerful search and query language to create custom queries and detection rules. -[Management and APIs](management-apis.md) | Windows Defender ATP supports a wide variety of tools to help you manage and interact with the platform so that you can integrate the service into your existing workflows. +[Management and APIs](management-apis.md) | Microsoft Defender ATP supports a wide variety of tools to help you manage and interact with the platform so that you can integrate the service into your existing workflows. [Microsoft Threat Protection](threat-protection-integration.md) | Microsoft security products work better together. Learn about other security capabilities in the Microsoft threat protection stack. [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) |Learn to navigate your way around Windows Defender Security Center. diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md index 352394a662..7a4701750d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md @@ -1,5 +1,5 @@ --- -title: Windows Defender Advanced Threat Protection portal overview +title: Microsoft Defender Advanced Threat Protection portal overview description: Use Windows Defender Security Center to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches. keywords: Windows Defender Security Center, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines list, settings, machine management, advanced attacks search.product: eADQiWindows 10XVcnh @@ -18,26 +18,26 @@ ms.topic: conceptual ms.date: 04/24/2018 --- -# Windows Defender Advanced Threat Protection portal overview +# Microsoft Defender Advanced Threat Protection portal overview **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) Enterprise security teams can use Windows Defender Security Center to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches. You can use [Windows Defender Security Center](https://securitycenter.windows.com/) to: - View, sort, and triage alerts from your endpoints - Search for more information on observed indicators such as files and IP Addresses -- Change Windows Defender ATP settings, including time zone and review licensing information. +- Change Microsoft Defender ATP settings, including time zone and review licensing information. ## Windows Defender Security Center When you open the portal, you’ll see the main areas of the application: - ![Windows Defender Advanced Threat Protection portal](images/dashboard.png) + ![Microsoft Defender Advanced Threat Protection portal](images/dashboard.png) - (1) Navigation pane - (2) Main portal @@ -56,18 +56,18 @@ Area | Description **Alerts** | View alerts generated from machines in your organizations. **Automated investigations** | Displays a list of automated investigations that's been conducted in the network, the status of each investigation and other details such as when the investigation started and the duration of the investigation. **Advanced hunting** | Advanced hunting allows you to proactively hunt and investigate across your organization using a powerful search and query tool. -**Machines list** | Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts. +**Machines list** | Displays the list of machines that are onboarded to Microsoft Defender ATP, some information about them, and the corresponding number of alerts. **Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. **Settings** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as email notifications, activate the preview experience, enable or turn off advanced features, SIEM integration, threat intel API, build Power BI reports, and set baselines for the Secure Score dashboard. **(2) Main portal** | Main area where you will see the different views such as the Dashboards, Alerts queue, and Machines list. -**(3) Community center, Time settings, Help and support, Feedback** | **Community center** -Access the Community center to learn, collaborate, and share experiences about the product.

**Time settings** - Gives you access to the configuration settings where you can set time zones and view license information.

**Help and support** - Gives you access to the Windows Defender ATP guide, Microsoft support, and Premier support.

**Feedback** - Access the feedback button to provide comments about the portal. +**(3) Community center, Time settings, Help and support, Feedback** | **Community center** -Access the Community center to learn, collaborate, and share experiences about the product.

**Time settings** - Gives you access to the configuration settings where you can set time zones and view license information.

**Help and support** - Gives you access to the Microsoft Defender ATP guide, Microsoft support, and Premier support.

**Feedback** - Access the feedback button to provide comments about the portal. -## Windows Defender ATP icons +## Microsoft Defender ATP icons The following table provides information on the icons used all throughout the portal: Icon | Description :---|:--- -![ATP logo icon](images\atp-logo-icon.png)| Windows Defender ATP logo +![ATP logo icon](images\atp-logo-icon.png)| Microsoft Defender ATP logo ![Alert icon](images\alert-icon.png)| Alert – Indication of an activity correlated with advanced attacks. ![Detection icon](images\detection-icon.png)| Detection – Indication of a malware threat detection. ![Active threat icon](images\active-threat-icon.png)| Active threat – Threats actively executing at the time of detection. @@ -111,7 +111,7 @@ Icon | Description ## Related topics -- [Understand the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) +- [Understand the Microsoft Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) - [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md) - [View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md) - [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md index 1116788ea1..cbeeeeb7ef 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md +++ b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md @@ -20,7 +20,7 @@ ms.date: 12/08/2017 # Submit or Update Indicator API **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prerelease information](prerelease.md)] diff --git a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md index faa5965b72..0d4640bbf3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md +++ b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md @@ -1,6 +1,6 @@ --- -title: Create and build Power BI reports using Windows Defender ATP data -description: Get security insights by creating and building Power BI dashboards using data from Windows Defender ATP and other data sources. +title: Create and build Power BI reports using Microsoft Defender ATP data +description: Get security insights by creating and building Power BI dashboards using data from Microsoft Defender ATP and other data sources. keywords: settings, power bi, power bi service, power bi desktop, reports, dashboards, connectors , security insights, mashup search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -18,10 +18,10 @@ ms.date: 11/26/2018 --- -# Create and build Power BI reports using Windows Defender ATP data +# Create and build Power BI reports using Microsoft Defender ATP data **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prerelease information](prerelease.md)] @@ -29,11 +29,11 @@ ms.date: 11/26/2018 >[!TIP] >Go to **Advanced features** in the **Settings** page to turn on the preview features. ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-powerbireports-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-powerbireports-abovefoldlink) -Understand the security status of your organization, including the status of machines, alerts, and investigations using the Windows Defender ATP reporting feature that integrates with Power BI. +Understand the security status of your organization, including the status of machines, alerts, and investigations using the Microsoft Defender ATP reporting feature that integrates with Power BI. -Windows Defender ATP supports the use of Power BI data connectors to enable you to connect and access Windows Defender ATP data using Microsoft Graph. +Microsoft Defender ATP supports the use of Power BI data connectors to enable you to connect and access Microsoft Defender ATP data using Microsoft Graph. Data connectors integrate seamlessly in Power BI, and make it easy for power users to query, shape and combine data to build reports and dashboards that meet the needs of your organization. @@ -43,8 +43,8 @@ You can easily get started by: You can access these options from Windows Defender Security Center. Both the Power BI service and Power BI Desktop are supported. -## Create a Windows Defender ATP dashboard on Power BI service -Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal. +## Create a Microsoft Defender ATP dashboard on Power BI service +Microsoft Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal. 1. In the navigation pane, select **Settings** > **Power BI reports**. @@ -66,11 +66,11 @@ Windows Defender ATP makes it easy to create a Power BI dashboard by providing a ![Image of Power BI authentication method](images/atp-powerbi-extension.png) -4. Click **Sign in**. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh. +4. Click **Sign in**. If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh. ![Consent image](images/atp-powerbi-accept.png) -5. Click **Accept**. Power BI service will start downloading your Windows Defender ATP data from Microsoft Graph. After a successful login, you'll see a notification that data is being imported: +5. Click **Accept**. Power BI service will start downloading your Microsoft Defender ATP data from Microsoft Graph. After a successful login, you'll see a notification that data is being imported: ![Image of importing data](images/atp-powerbi-importing.png) @@ -96,9 +96,9 @@ For more information, see [Create a Power BI dashboard from a report](https://po ![Image of Microsoft AppSource to get data](images/atp-get-data.png) -4. In the AppSource window, select **Apps** and search for Windows Defender Advanced Threat Protection. +4. In the AppSource window, select **Apps** and search for Microsoft Defender Advanced Threat Protection. - ![Image of AppSource to get Windows Defender ATP](images/atp-appsource.png) + ![Image of AppSource to get Microsoft Defender ATP](images/atp-appsource.png) 5. Click **Get it now**. @@ -109,11 +109,11 @@ For more information, see [Create a Power BI dashboard from a report](https://po ![Image of Power BI authentication method](images/atp-powerbi-extension.png) -7. Click **Sign in**. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh. +7. Click **Sign in**. If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh. ![Consent image](images/atp-powerbi-accept.png) -8. Click **Accept**. Power BI service will start downloading your Windows Defender ATP data from Microsoft Graph. After a successful login, you'll see a notification that data is being imported: +8. Click **Accept**. Power BI service will start downloading your Microsoft Defender ATP data from Microsoft Graph. After a successful login, you'll see a notification that data is being imported: ![Image of importing data](images/atp-powerbi-importing.png) @@ -127,7 +127,7 @@ For more information, see [Create a Power BI dashboard from a report](https://po 9. Click **View dataset** to explore your data. -## Build a custom Windows Defender ATP dashboard in Power BI Desktop +## Build a custom Microsoft Defender ATP dashboard in Power BI Desktop You can create a custom dashboard in Power BI Desktop to create visualizations that cater to the specific views that your organization requires. ### Before you begin @@ -158,23 +158,23 @@ You can create a custom dashboard in Power BI Desktop to create visualizations t 9. Restart Power BI Desktop. -## Customize the Windows Defender ATP Power BI dashboard +## Customize the Microsoft Defender ATP Power BI dashboard After completing the steps in the Before you begin section, you can proceed with building your custom dashboard. 1. Open WDATPPowerBI.pbit from the zip with Power BI Desktop. -2. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, and access your data. +2. If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft Defender ATP Power BI to sign in and read your profile, and access your data. ![Consent image](images/atp-powerbi-consent.png) -3. Click **Accept**. Power BI Desktop will start downloading your Windows Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports. +3. Click **Accept**. Power BI Desktop will start downloading your Microsoft Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports. -## Mashup Windows Defender ATP data with other data sources -You can use Power BI Desktop to analyse data from Windows Defender ATP and mash that data up with other data sources to gain better security perspective in your organization. +## Mashup Microsoft Defender ATP data with other data sources +You can use Power BI Desktop to analyse data from Microsoft Defender ATP and mash that data up with other data sources to gain better security perspective in your organization. -1. In Power BI Desktop, in the Home ribbon, click **Get data** and search for **Windows Defender Advanced Threat Protection**. +1. In Power BI Desktop, in the Home ribbon, click **Get data** and search for **Microsoft Defender Advanced Threat Protection**. ![Get data in Power BI](images/atp-powerbi-get-data.png) @@ -184,13 +184,13 @@ You can use Power BI Desktop to analyse data from Windows Defender ATP and mash ![Power BI preview connector](images/atp-powerbi-preview.png) -4. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, and access your data. +4. If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft Defender ATP Power BI to sign in and read your profile, and access your data. ![Consent image](images/atp-powerbi-consent.png) -5. Click **Accept**. Power BI Desktop will start downloading your Windows Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports. +5. Click **Accept**. Power BI Desktop will start downloading your Microsoft Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports. -6. In the Navigator dialog box, select the Windows Defender ATP feeds you'd like to download and use in your reports and click Load. Data will start to be downloaded from the Microsoft Graph. +6. In the Navigator dialog box, select the Microsoft Defender ATP feeds you'd like to download and use in your reports and click Load. Data will start to be downloaded from the Microsoft Graph. ![Power BI navigator page](images/atp-powerbi-navigator.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/powershell-example-code.md b/windows/security/threat-protection/microsoft-defender-atp/powershell-example-code.md index 4a47170925..6847252b33 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/powershell-example-code.md +++ b/windows/security/threat-protection/microsoft-defender-atp/powershell-example-code.md @@ -21,7 +21,7 @@ ms.date: 04/24/2018 # PowerShell code examples for the custom threat intelligence API **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -175,12 +175,12 @@ $ioc = ``` ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-psexample-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-psexample-belowfoldlink) ## Related topics - [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [Enable the custom threat intelligence API in Microsoft Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) - [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md) - [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md) - [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md index 91b8900c14..d9035a183b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md @@ -20,9 +20,9 @@ ms.date: 04/24/2018 # Configure Windows Defender Security Center settings **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-prefsettings-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-prefsettings-abovefoldlink) Use the **Settings** menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature. diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md b/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md index 66f745bb56..1e98001f5e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md @@ -1,6 +1,6 @@ --- -title: Turn on the preview experience in Windows Defender ATP -description: Turn on the preview experience in Windows Defender Advanced Threat Protection to try upcoming features. +title: Turn on the preview experience in Microsoft Defender ATP +description: Turn on the preview experience in Microsoft Defender Advanced Threat Protection to try upcoming features. keywords: advanced features, settings, block file search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,14 +17,14 @@ ms.collection: M365-security-compliance ms.topic: article ms.date: 04/24/2018 --- -# Turn on the preview experience in Windows Defender ATP +# Turn on the preview experience in Microsoft Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-previewsettings-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-previewsettings-abovefoldlink) Turn on the preview experience setting to be among the first to try upcoming features. @@ -36,9 +36,9 @@ Turn on the preview experience setting to be among the first to try upcoming fea 2. Toggle the setting between **On** and **Off** and select **Save preferences**. ## Related topics -- [Update general settings in Windows Defender ATP](data-retention-settings-windows-defender-advanced-threat-protection.md) -- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md) -- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md) -- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) -- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [Update general settings in Microsoft Defender ATP](data-retention-settings-windows-defender-advanced-threat-protection.md) +- [Turn on advanced features in Microsoft Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md) +- [Configure email notifications in Microsoft Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md) +- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) +- [Enable the custom threat intelligence API in Microsoft Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) - [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md index 934fbed168..9e361a3d44 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md @@ -1,7 +1,7 @@ --- -title: Windows Defender ATP preview features -description: Learn how to access Windows Defender Advanced Threat Protection preview features. -keywords: preview, preview experience, Windows Defender Advanced Threat Protection, features, updates +title: Microsoft Defender ATP preview features +description: Learn how to access Microsoft Defender Advanced Threat Protection preview features. +keywords: preview, preview experience, Microsoft Defender Advanced Threat Protection, features, updates search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -17,19 +17,19 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Windows Defender ATP preview features +# Microsoft Defender ATP preview features **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -The Windows Defender ATP service is constantly being updated to include new feature enhancements and capabilities. +The Microsoft Defender ATP service is constantly being updated to include new feature enhancements and capabilities. ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-abovefoldlink) -Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience. +Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience. For more information on capabilities that are generally available or in preview, see [What's new in Windows Defender](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp). ) @@ -44,5 +44,5 @@ Turn on the preview experience setting to be among the first to try upcoming fea 2. Toggle the setting between **On** and **Off** and select **Save preferences**. ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md index 22a8c2fd31..a91e2ea546 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md @@ -1,6 +1,6 @@ --- -title: Pull Windows Defender ATP alerts using REST API -description: Pull alerts from Windows Defender ATP REST API. +title: Pull Microsoft Defender ATP alerts using REST API +description: Pull alerts from Microsoft Defender ATP REST API. keywords: alerts, pull alerts, rest api, request, response search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,16 +17,16 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Pull Windows Defender ATP alerts using SIEM REST API +# Pull Microsoft Defender ATP alerts using SIEM REST API **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) -Windows Defender ATP supports the OAuth 2.0 protocol to pull alerts from the portal. +Microsoft Defender ATP supports the OAuth 2.0 protocol to pull alerts from the portal. In general, the OAuth 2.0 protocol supports four types of flows: - Authorization grant flow @@ -36,19 +36,19 @@ In general, the OAuth 2.0 protocol supports four types of flows: For more information about the OAuth specifications, see the [OAuth Website](http://www.oauth.net). -Windows Defender ATP supports the _Authorization grant flow_ and _Client credential flow_ to obtain access to generate alerts from the portal, with Azure Active Directory (AAD) as the authorization server. +Microsoft Defender ATP supports the _Authorization grant flow_ and _Client credential flow_ to obtain access to generate alerts from the portal, with Azure Active Directory (AAD) as the authorization server. The _Authorization grant flow_ uses user credentials to get an authorization code, which is then used to obtain an access token. -The _Client credential flow_ uses client credentials to authenticate against the Windows Defender ATP endpoint URL. This flow is suitable for scenarios when an OAuth client creates requests to an API that doesn't require user credentials. +The _Client credential flow_ uses client credentials to authenticate against the Microsoft Defender ATP endpoint URL. This flow is suitable for scenarios when an OAuth client creates requests to an API that doesn't require user credentials. -Use the following method in the Windows Defender ATP API to pull alerts in JSON format. +Use the following method in the Microsoft Defender ATP API to pull alerts in JSON format. >[!NOTE] >Windows Defender Security Center merges similar alert detections into a single alert. This API pulls alert detections in its raw form based on the query parameters you set, enabling you to apply your own grouping and filtering. ## Before you begin -- Before calling the Windows Defender ATP endpoint to pull alerts, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md). +- Before calling the Microsoft Defender ATP endpoint to pull alerts, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md). - Take note of the following values in your Azure application registration. You need these values to configure the OAuth flow in your service or daemon app: - Application ID (unique to your application) @@ -59,7 +59,7 @@ Use the following method in the Windows Defender ATP API to pull alerts in JSON ## Get an access token Before creating calls to the endpoint, you'll need to get an access token. -You'll use the access token to access the protected resource, which are alerts in Windows Defender ATP. +You'll use the access token to access the protected resource, which are alerts in Microsoft Defender ATP. To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request: @@ -84,10 +84,10 @@ The response will include an access token and expiry information. "access_token":"eyJ0eXaioJJOIneiowiouqSuzNiZ345FYOVkaJL0625TueyaJasjhIjEnbMlWqP..." } ``` -You can now use the value in the *access_token* field in a request to the Windows Defender ATP API. +You can now use the value in the *access_token* field in a request to the Microsoft Defender ATP API. ## Request -With an access token, your app can make authenticated requests to the Windows Defender ATP API. Your app must append the access token to the Authorization header of each request. +With an access token, your app can make authenticated requests to the Microsoft Defender ATP API. Your app must append the access token to the Authorization header of each request. ### Request syntax Method | Request URI @@ -161,7 +161,7 @@ Here is an example return value: "ThreatName":null, "RemediationAction":null, "RemediationIsSuccess":null, -"Source":"Windows Defender ATP", +"Source":"Microsoft Defender ATP", "Md5":null, "Sha256":null, "WasExecutingWhileDetected":null, @@ -171,7 +171,7 @@ Here is an example return value: ## Code examples ### Get access token -The following code example demonstrates how to obtain an access token and call the Windows Defender ATP API. +The following code example demonstrates how to obtain an access token and call the Microsoft Defender ATP API. ```syntax AuthenticationContext context = new AuthenticationContext(string.Format("https://login.windows.net/{0}/oauth2", tenantId)); @@ -193,7 +193,7 @@ Console.WriteLine("Got alert list: {0}", alertsJson); ## Error codes -The Windows Defender ATP REST API returns the following error codes caused by an invalid request. +The Microsoft Defender ATP REST API returns the following error codes caused by an invalid request. HTTP error code | Description :---|:--- @@ -202,8 +202,8 @@ HTTP error code | Description 500 | Error in the service. ## Related topics -- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) -- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) -- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) -- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) +- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) +- [Configure ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) +- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) +- [Microsoft Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) - [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/python-example-code.md b/windows/security/threat-protection/microsoft-defender-atp/python-example-code.md index f4b63ae583..09522e6ab2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/python-example-code.md +++ b/windows/security/threat-protection/microsoft-defender-atp/python-example-code.md @@ -23,7 +23,7 @@ ms.date: 04/24/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -180,12 +180,12 @@ with requests.Session() as session: ``` ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-pyexample-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-pyexample-belowfoldlink) ## Related topics - [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [Enable the custom threat intelligence API in Microsoft Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) - [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md) - [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md) - [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/rbac.md b/windows/security/threat-protection/microsoft-defender-atp/rbac.md index 8446e86a04..b5a8ca5ce4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/rbac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/rbac.md @@ -22,9 +22,9 @@ ms.date: 05/08/2018 **Applies to:** - Azure Active Directory - Office 365 -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-rbac-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-rbac-abovefoldlink) Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal. Based on the roles and groups you create, you have fine-grained control over what users with access to the portal can see and do. @@ -37,10 +37,10 @@ Tier 1 | **Local security operations team / IT team**
This team usually tri Tier 2 | **Regional security operations team**
This team can see all the machines for their region and perform remediation actions. Tier 3 | **Global security operations team**
This team consists of security experts and are authorized to see and perform all actions from the portal. -Windows Defender ATP RBAC is designed to support your tier- or role-based model of choice and gives you granular control over what roles can see, machines they can access, and actions they can take. The RBAC framework is centered around the following controls: +Microsoft Defender ATP RBAC is designed to support your tier- or role-based model of choice and gives you granular control over what roles can see, machines they can access, and actions they can take. The RBAC framework is centered around the following controls: - **Control who can take specific action** - - Create custom roles and control what Windows Defender ATP capabilities they can access with granularity. + - Create custom roles and control what Microsoft Defender ATP capabilities they can access with granularity. - **Control who can see information on specific machine group or groups** - [Create machine groups](machine-groups-windows-defender-advanced-threat-protection.md) by specific criteria such as names, tags, domains, and others, then grant role access to them using a specific Azure Active Directory (Azure AD) user group. @@ -57,18 +57,18 @@ Before using RBAC, it's important that you understand the roles that can grant p When you first log in to Windows Defender Security Center, you're granted either full access or read only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read only access is granted to users with a Security Reader role in Azure AD. -Someone with a Windows Defender ATP Global administrator role has unrestricted access to all machines, regardless of their machine group association and the Azure AD user groups assignments +Someone with a Microsoft Defender ATP Global administrator role has unrestricted access to all machines, regardless of their machine group association and the Azure AD user groups assignments > [!WARNING] > Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign roles in Windows Defender Security Center, therefore, having the right groups ready in Azure AD is important. > > **Turning on role-based access control will cause users with read-only permissions (for example, users assigned to Azure AD Security reader role) to lose access until they are assigned to a role.** > ->Users with admin permissions are automatically assigned the default built-in Windows Defender ATP global administrator role with full permissions. After opting in to use RBAC, you can assign additional users that are not Azure AD Global or Security Administrators to the Windows Defender ATP global administrator role. +>Users with admin permissions are automatically assigned the default built-in Microsoft Defender ATP global administrator role with full permissions. After opting in to use RBAC, you can assign additional users that are not Azure AD Global or Security Administrators to the Microsoft Defender ATP global administrator role. > > After opting in to use RBAC, you cannot revert to the initial roles as when you first logged into the portal. ## Related topic -- [Create and manage machine groups in Windows Defender ATP](machine-groups-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Create and manage machine groups in Microsoft Defender ATP](machine-groups-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md index e5f643f908..e2a48992a8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md @@ -1,5 +1,5 @@ --- -title: Take response actions on a file in Windows Defender ATP +title: Take response actions on a file in Microsoft Defender ATP description: Take response actions on file related alerts by stopping and quarantining a file or blocking a file and checking activity details. keywords: respond, stop and quarantine, block file, deep analysis search.product: eADQiWindows 10XVcnh @@ -20,11 +20,11 @@ ms.topic: article # Take response actions on a file **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-responddile-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-responddile-abovefoldlink) Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details on the Action center. @@ -102,7 +102,7 @@ You can roll back and remove a file from quarantine if you’ve determined that ``` > [!NOTE] -> Windows Defender ATP will restore all files that were quarantined on this machine in the last 30 days. +> Microsoft Defender ATP will restore all files that were quarantined on this machine in the last 30 days. ## Block files in your network You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization. @@ -199,7 +199,7 @@ Results of deep analysis are matched against threat intelligence and any matches Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available in the context of the file view. -In the file's page, **Submit for deep analysis** is enabled when the file is available in the Windows Defender ATP backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep analysis. +In the file's page, **Submit for deep analysis** is enabled when the file is available in the Microsoft Defender ATP backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep analysis. > [!NOTE] > Only files from Windows 10 can be automatically collected. @@ -207,9 +207,9 @@ In the file's page, **Submit for deep analysis** is enabled when the file is ava You can also manually submit a sample through the [Malware Protection Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available. > [!NOTE] -> Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Windows Defender ATP. +> Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Microsoft Defender ATP. -When the sample is collected, Windows Defender ATP runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication to IPs, and registry modifications. +When the sample is collected, Microsoft Defender ATP runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication to IPs, and registry modifications. **Submit files for deep analysis:** @@ -230,7 +230,7 @@ A progress bar is displayed and provides information on the different stages of ### View deep analysis reports -View the deep analysis report that Windows Defender ATP provides to see the details of the deep analysis that was conducted on the file you submitted. This feature is available in the file view context. +View the deep analysis report that Microsoft Defender ATP provides to see the details of the deep analysis that was conducted on the file you submitted. This feature is available in the file view context. You can view the comprehensive report that provides details on the following sections: diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md index 37e946eb11..16b781e106 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md @@ -1,5 +1,5 @@ --- -title: Take response actions on a machine in Windows Defender ATP +title: Take response actions on a machine in Microsoft Defender ATP description: Take response actions on a machine such as isolating machines, collecting an investigation package, managing tags, running av scan, and restricting app execution. keywords: respond, isolate, isolate machine, collect investigation package, action center, restrict, manage tags, av scan, restrict app search.product: eADQiWindows 10XVcnh @@ -21,10 +21,10 @@ ms.date: 11/28/2018 # Take response actions on a machine **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-respondmachine-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-respondmachine-abovefoldlink) Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center. @@ -185,7 +185,7 @@ Depending on the severity of the attack and the sensitivity of the machine, you >- Selective isolation is available for machines on Windows 10, version 1709 or later. -This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine. +This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Microsoft Defender ATP service, which continues to monitor the machine. On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity (a.k.a 'Selective Isolation'). @@ -210,7 +210,7 @@ On Windows 10, version 1709 or later, you'll have additional control over the ne 4. Type a comment and select **Yes, isolate machine** to take action on the machine. >[!NOTE] - >The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the machine is isolated. + >The machine will remain connected to the Microsoft Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the machine is isolated. The Action center shows the submission information: ![Image of machine isolation](images/atp-machine-isolation.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/response-actions.md b/windows/security/threat-protection/microsoft-defender-atp/response-actions.md index bc0073bf43..643f72739e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/response-actions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/response-actions.md @@ -1,5 +1,5 @@ --- -title: Take response actions on files and machines in Windows Defender ATP +title: Take response actions on files and machines in Microsoft Defender ATP description: Take response actions on files and machines by stopping and quarantining files, blocking a file, isolating machines, or collecting an investigation package. keywords: respond, stop and quarantine, block file, deep analysis, isolate machine, collect investigation package, action center search.product: eADQiWindows 10XVcnh @@ -18,15 +18,15 @@ ms.topic: article ms.date: 11/12/2017 --- -# Take response actions in Windows Defender ATP +# Take response actions in Microsoft Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-responseactions-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-responseactions-abovefoldlink) You can take response actions on machines and files to quickly respond to detected attacks so that you can contain or reduce and prevent further damage caused by malicious attackers in your organization. diff --git a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md index 5cf3e7bd28..81b063e148 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md @@ -19,7 +19,7 @@ ms.date: 12/08/2017 # Restrict app execution API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] @@ -28,7 +28,7 @@ Restrict execution of all applications on the machine except a predefined set (s [!include[Machine actions note](machineactionsnote.md)] ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md index 5077e43d6c..d7b2db640d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md @@ -19,11 +19,11 @@ ms.date: 09/03/2018 # Advanced hunting API -**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) [!include[Prerelease information](prerelease.md)] -This API allows you to run programmatic queries that you are used to running from [Windows Defender ATP Portal](https://securitycenter.windows.com/hunting). +This API allows you to run programmatic queries that you are used to running from [Microsoft Defender ATP Portal](https://securitycenter.windows.com/hunting). ## Limitations @@ -33,7 +33,7 @@ This API allows you to run programmatic queries that you are used to running fro 4. The maximal execution time of a single request is 10 minutes. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- @@ -135,18 +135,18 @@ Content-Type: application/json​ - Error: (403) Forbidden / (401) Unauthorized - If you get this error when calling Windows Defender ATP API, your token might not include the necessary permission. + If you get this error when calling Microsoft Defender ATP API, your token might not include the necessary permission. Check [app permissions](exposed-apis-create-app-webapp.md#validate-the-token) or [delegated permissions](exposed-apis-create-app-nativeapp.md#validate-the-token) included in your token. If the 'roles' section in the token does not include the necessary permission: - - The necessary permission to your app might not have been granted. For more information, see [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md#create-an-app) or [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md#create-an-app) or, + - The necessary permission to your app might not have been granted. For more information, see [Access Microsoft Defender ATP without a user](exposed-apis-create-app-webapp.md#create-an-app) or [Access Microsoft Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md#create-an-app) or, - The app was not authorized in the tenant, see [Application consent](exposed-apis-create-app-webapp.md#application-consent). ## Related topic -- [Windows Defender ATP APIs](apis-intro.md) +- [Microsoft Defender ATP APIs](apis-intro.md) - [Advanced Hunting from Portal](advanced-hunting-windows-defender-advanced-threat-protection.md) - [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) - [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md index 90d62c40c1..9b6ba020c2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md @@ -19,7 +19,7 @@ ms.date: 09/24/2018 # Schedule Advanced Hunting using Microsoft Flow **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prerelease information](prerelease.md)] @@ -87,6 +87,6 @@ You can find below the full definition ![Image of E2E flow](images/ms-flow-e2e.png) ## Related topic -- [Windows Defender ATP APIs](apis-intro.md) +- [Microsoft Defender ATP APIs](apis-intro.md) - [Advanced Hunting API](run-advanced-query-api.md) - [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md index 9282b0c321..55075237cb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md @@ -131,7 +131,7 @@ If you want to use **user token** instead please refer to [this](run-advanced-qu ## Related topic - [Create custom Power BI reports with user authentication](run-advanced-query-sample-power-bi-user-token.md) -- [Windows Defender ATP APIs](apis-intro.md) +- [Microsoft Defender ATP APIs](apis-intro.md) - [Advanced Hunting API](run-advanced-query-api.md) - [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) - [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-user-token.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-user-token.md index 336ac77edb..bbec645b5a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-user-token.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-user-token.md @@ -18,7 +18,7 @@ ms.topic: article # Create custom reports using Power BI (user authentication) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prerelease information](prerelease.md)] @@ -112,7 +112,7 @@ You first need to [create an app](exposed-apis-create-app-nativeapp.md). ## Related topic - [Create custom Power BI reports with app authentication](run-advanced-query-sample-power-bi-app-token.md) -- [Windows Defender ATP APIs](apis-intro.md) +- [Microsoft Defender ATP APIs](apis-intro.md) - [Advanced Hunting API](run-advanced-query-api.md) - [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) - [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md index 547b531909..b510a94b78 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md @@ -19,7 +19,7 @@ ms.date: 09/24/2018 # Advanced Hunting using PowerShell **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prerelease information](prerelease.md)] @@ -65,7 +65,7 @@ $aadToken = $response.access_token where - $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant) -- $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Windows Defender ATP) +- $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Microsoft Defender ATP) - $appSecret: Secret of your AAD app ## Run query @@ -117,7 +117,7 @@ $results | ConvertTo-Json | Set-Content file1.json ## Related topic -- [Windows Defender ATP APIs](apis-intro.md) +- [Microsoft Defender ATP APIs](apis-intro.md) - [Advanced Hunting API](run-advanced-query-api.md) - [Advanced Hunting using Python](run-advanced-query-sample-python.md) - [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md index 07bb15a7cf..8bd9817c9f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md @@ -18,7 +18,7 @@ ms.topic: article # Advanced Hunting using Python **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prerelease information](prerelease.md)] @@ -64,7 +64,7 @@ aadToken = jsonResponse["access_token"] where - tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant) -- appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Windows Defender ATP) +- appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Microsoft Defender ATP) - appSecret: Secret of your AAD app ## Run query @@ -143,7 +143,7 @@ outputFile.close() ## Related topic -- [Windows Defender ATP APIs](apis-intro.md) +- [Microsoft Defender ATP APIs](apis-intro.md) - [Advanced Hunting API](run-advanced-query-api.md) - [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) - [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md index 4a58f9eedf..470cf1fc02 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md @@ -19,7 +19,7 @@ ms.date: 12/08/2017 # Run antivirus scan API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prerelease information](prerelease.md)] @@ -28,7 +28,7 @@ Initiate Windows Defender Antivirus scan on a machine. [!include[Machine actions note](machineactionsnote.md)] ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md index b5d51b9cf4..7f80d83213 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md @@ -1,6 +1,6 @@ --- -title: Run a detection test on a newly onboarded Windows Defender ATP machine -description: Run the detection script on a newly onboarded machine to verify that it is properly onboarded to the Windows Defender ATP service. +title: Run a detection test on a newly onboarded Microsoft Defender ATP machine +description: Run the detection script on a newly onboarded machine to verify that it is properly onboarded to the Microsoft Defender ATP service. keywords: detection test, detection, powershell, script, verify, onboarding, windows defender advanced threat protection onboarding, clients, servers, test search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -15,10 +15,9 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 09/07/2018 --- -# Run a detection test on a newly onboarded Windows Defender ATP machine +# Run a detection test on a newly onboarded Microsoft Defender ATP machine **Applies to:** - Supported Windows 10 versions @@ -26,10 +25,10 @@ ms.date: 09/07/2018 - Windows Server 2016 - Windows Server, version 1803 - Windows Server, 2019 -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Run the following PowerShell script on a newly onboarded machine to verify that it is properly reporting to the Windows Defender ATP service. +Run the following PowerShell script on a newly onboarded machine to verify that it is properly reporting to the Microsoft Defender ATP service. 1. Create a folder: 'C:\test-WDATP-test'. 2. Open an elevated command-line prompt on the machine and run the script: diff --git a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md index d501a0d824..1ee8334e7a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md @@ -19,7 +19,7 @@ ms.date: 10/26/2018 # Configure the security controls in Secure score **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Each security control lists recommendations that you can take to increase the security posture of your organization. @@ -30,9 +30,9 @@ For an machine to be considered "well configured", it must comply to a minimum b >This feature is available for machines on Windows 10, version 1607 or later. #### Minimum baseline configuration setting for EDR: -- Windows Defender ATP sensor is on +- Microsoft Defender ATP sensor is on - Data collection is working correctly -- Communication to Windows Defender ATP service is not impaired +- Communication to Microsoft Defender ATP service is not impaired ##### Recommended actions: You can take the following actions to increase the overall security score of your organization: @@ -82,13 +82,13 @@ This tile shows you the exact number of machines that require the latest securit You can take the following actions to increase the overall security score of your organization: - Install the latest security updates - Fix sensor data collection - - The Windows Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md). + - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md). For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/help/4027322/windows-windows-update-troubleshooter). ### Windows Defender Exploit Guard (Windows Defender EG) optimization -For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on machines so that the minimum baseline configuration setting for Windows Defender EG is fulfilled. When endpoints are configured according to the baseline you'll be able to see Windows Defender EG events on the Windows Defender ATP Machine timeline. +For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on machines so that the minimum baseline configuration setting for Windows Defender EG is fulfilled. When endpoints are configured according to the baseline you'll be able to see Windows Defender EG events on the Microsoft Defender ATP Machine timeline. >[!IMPORTANT] @@ -137,7 +137,7 @@ Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DD The Controlled Folder Access setting must be configured to **Audit mode** or **Enabled**. >[!NOTE] -> Audit mode, allows you to see audit events in the Windows Defender ATP Machine timeline however it does not block suspicious applications. +> Audit mode, allows you to see audit events in the Microsoft Defender ATP Machine timeline however it does not block suspicious applications. >Consider enabling Controlled Folder Access for better protection. ##### Recommended actions: @@ -150,7 +150,7 @@ You can take the following actions to increase the overall security score of you For more information, see [Windows Defender Exploit Guard](../windows-defender-exploit-guard/windows-defender-exploit-guard.md). ### Windows Defender Application Guard (Windows Defender AG) optimization -For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender AG is fulfilled. When endpoints are configured according to the baseline you'll be able to see Windows Defender AG events on the Windows Defender ATP Machine timeline. +For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender AG is fulfilled. When endpoints are configured according to the baseline you'll be able to see Windows Defender AG events on the Microsoft Defender ATP Machine timeline. >[!IMPORTANT] >This security control is only applicable for machines with Windows 10, version 1709 or later. @@ -180,7 +180,7 @@ For more information, see [Windows Defender Application Guard overview](../windo For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender SmartScreen is fulfilled. >[!WARNING] -> Data collected by Windows Defender SmartScreen might be stored and processed outside of the storage location you have selected for your Windows Defender ATP data. +> Data collected by Windows Defender SmartScreen might be stored and processed outside of the storage location you have selected for your Microsoft Defender ATP data. >[!IMPORTANT] @@ -229,7 +229,7 @@ You can take the following actions to increase the overall security score of you - Secure public profile - Verify secure configuration of third-party firewall - Fix sensor data collection - - The Windows Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md). + - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md). For more information, see [Windows Defender Firewall with Advanced Security](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security). @@ -251,7 +251,7 @@ You can take the following actions to increase the overall security score of you - Resume protection on all drives - Ensure drive compatibility - Fix sensor data collection - - The Windows Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md). + - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md). For more information, see [Bitlocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview). @@ -274,11 +274,11 @@ You can take the following actions to increase the overall security score of you - Ensure hardware and software prerequisites are met - Turn on Credential Guard - Fix sensor data collection - - The Windows Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md). + - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md). For more information, see [Manage Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage). ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink) ## Related topics - [Overview of Secure score](overview-secure-score-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md index 1c071364b8..eea36cb084 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md @@ -21,9 +21,9 @@ ms.date: 09/04/2018 # Windows Defender Security Center Security operations dashboard **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink) The **Security operations dashboard** is where the endpoint detection and response capabilities are surfaced. It provides a high level overview of where detections were seen and highlights where response actions are needed. @@ -57,7 +57,7 @@ Each group is further sub-categorized into their corresponding alert severity le For more information see, [Alerts overview](alerts-queue-windows-defender-advanced-threat-protection.md). -Each row includes an alert severity category and a short description of the alert. You can click an alert to see its detailed view. For more information see, [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [Alerts overview](alerts-queue-windows-defender-advanced-threat-protection.md). +Each row includes an alert severity category and a short description of the alert. You can click an alert to see its detailed view. For more information see, [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [Alerts overview](alerts-queue-windows-defender-advanced-threat-protection.md). @@ -66,18 +66,18 @@ This tile shows you a list of machines with the highest number of active alerts. ![The Machines at risk tile shows a list of machines with the highest number of alerts, and a breakdown of the severity of the alerts](images/machines-at-risk-tile.png) -Click the name of the machine to see details about that machine. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines list](investigate-machines-windows-defender-advanced-threat-protection.md). +Click the name of the machine to see details about that machine. For more information see, [Investigate machines in the Microsoft Defender Advanced Threat Protection Machines list](investigate-machines-windows-defender-advanced-threat-protection.md). -You can also click **Machines list** at the top of the tile to go directly to the **Machines list**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines list](investigate-machines-windows-defender-advanced-threat-protection.md). +You can also click **Machines list** at the top of the tile to go directly to the **Machines list**, sorted by the number of active alerts. For more information see, [Investigate machines in the Microsoft Defender Advanced Threat Protection Machines list](investigate-machines-windows-defender-advanced-threat-protection.md). ## Sensor health -The **Sensor health** tile provides information on the individual machine’s ability to provide sensor data to the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines. +The **Sensor health** tile provides information on the individual machine’s ability to provide sensor data to the Microsoft Defender ATP service. It reports how many machines require attention and helps you identify problematic machines. ![Sensor health tile](images/atp-tile-sensor-health.png) There are two status indicators that provide information on the number of machines that are not reporting properly to the service: -- **Misconfigured** – These machines might partially be reporting sensor data to the Windows Defender ATP service and might have configuration errors that need to be corrected. -- **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service for more than seven days in the past month. +- **Misconfigured** – These machines might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected. +- **Inactive** - Machines that have stopped reporting to the Microsoft Defender ATP service for more than seven days in the past month. When you click any of the groups, you’ll be directed to machines list, filtered according to your choice. For more information, see [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md) and [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md). @@ -87,7 +87,7 @@ The **Service health** tile informs you if the service is active or if there are ![The Service health tile shows an overall indicator of the service](images/status-tile.png) -For more information on the service health, see [Check the Windows Defender ATP service health](service-status-windows-defender-advanced-threat-protection.md). +For more information on the service health, see [Check the Microsoft Defender ATP service health](service-status-windows-defender-advanced-threat-protection.md). ## Daily machines reporting @@ -124,10 +124,10 @@ This tile shows audit events based on detections from various security component ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-belowfoldlink) ## Related topics -- [Understand the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) +- [Understand the Microsoft Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) - [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) - [View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md) - [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/service-status.md b/windows/security/threat-protection/microsoft-defender-atp/service-status.md index a0ace19060..2a553f0551 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/service-status.md +++ b/windows/security/threat-protection/microsoft-defender-atp/service-status.md @@ -1,6 +1,6 @@ --- -title: Check the Windows Defender ATP service health -description: Check Windows Defender ATP service health, see if the service is experiencing issues and review previous issues that have been resolved. +title: Check the Microsoft Defender ATP service health +description: Check Microsoft Defender ATP service health, see if the service is experiencing issues and review previous issues that have been resolved. keywords: dashboard, service, issues, service health, current status, status history, summary of impact, preliminary root cause, resolution, resolution time, expected resolution time search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -18,14 +18,14 @@ ms.topic: article ms.date: 04/24/2018 --- -# Check the Windows Defender Advanced Threat Protection service health +# Check the Microsoft Defender Advanced Threat Protection service health **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-servicestatus-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-servicestatus-abovefoldlink) The **Service health** provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. If there are issues, you'll see details related to the issue such as when the issue was detected, what the preliminary root cause is, and the expected resolution time. @@ -39,7 +39,7 @@ The **Service health** details page has the following tabs: - **Status history** ## Current status -The **Current status** tab shows the current state of the Windows Defender ATP service. When the service is running smoothly a healthy service health is shown. If there are issues seen, the following service details are shown to help you gain better insight about the issue: +The **Current status** tab shows the current state of the Microsoft Defender ATP service. When the service is running smoothly a healthy service health is shown. If there are issues seen, the following service details are shown to help you gain better insight about the issue: - Date and time for when the issue was detected - A short description of the issue diff --git a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md index 49687ff26c..745cdec188 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md +++ b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md @@ -20,7 +20,7 @@ ms.date: 12/08/2017 # Stop and quarantine file API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] @@ -29,7 +29,7 @@ ms.date: 12/08/2017 [!include[Machine actions note](machineactionsnote.md)] ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md index 14621034da..1e52dffbc2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md +++ b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md @@ -1,6 +1,6 @@ --- -title: Supported Windows Defender Advanced Threat Protection response APIs -description: Learn about the specific response related Windows Defender Advanced Threat Protection API calls. +title: Supported Microsoft Defender Advanced Threat Protection response APIs +description: Learn about the specific response related Microsoft Defender Advanced Threat Protection API calls. keywords: response apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -18,13 +18,13 @@ ms.topic: conceptual ms.date: 12/01/2017 --- -# Supported Windows Defender ATP query APIs +# Supported Microsoft Defender ATP query APIs **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supported-response-apis-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supported-response-apis-abovefoldlink) Learn about the supported response related API calls you can run and details such as the required request headers, and expected response from the calls. diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md index 9a145edebb..534c8fb1d3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md @@ -1,5 +1,5 @@ --- -title: Windows Defender Advanced Threat Protection Threat analytics +title: Microsoft Defender Advanced Threat Protection Threat analytics description: Get a tailored organizational risk evaluation and actionable steps you can take to minimize risks in your organization. keywords: threat analytics, risk evaluation, OS mitigation, microcode mitigation, mitigation status search.product: eADQiWindows 10XVcnh @@ -20,12 +20,12 @@ ms.date: 10/29/2018 # Threat analytics **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Cyberthreats are emerging more frequently and prevalently. It is critical for organizations to be able to quickly assess their security posture, including impact, and organizational resilience in the context of specific emerging threats. -Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help you the assess impact of threats in your environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. +Threat Analytics is a set of interactive reports published by the Microsoft Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help you the assess impact of threats in your environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. >[!NOTE] diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md index 005f30d3e8..5274b81da4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md @@ -1,6 +1,6 @@ --- -title: Understand threat intelligence concepts in Windows Defender ATP -description: Create custom threat alerts for your organization and learn the concepts around threat intelligence in Windows Defender Advanced Threat Protection. +title: Understand threat intelligence concepts in Microsoft Defender ATP +description: Create custom threat alerts for your organization and learn the concepts around threat intelligence in Microsoft Defender Advanced Threat Protection. keywords: threat intelligence, alert definitions, indicators of compromise, ioc search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -20,15 +20,15 @@ ms.topic: conceptual # Understand threat intelligence concepts **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-threatindicator-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-threatindicator-abovefoldlink) Advanced cybersecurity attacks comprise of multiple complex malicious events, attributes, and contextual information. Identifying and deciding which of these activities qualify as suspicious can be a challenging task. Your knowledge of known attributes and abnormal activities specific to your industry is fundamental in knowing when to call an observed behavior as suspicious. -With Windows Defender ATP, you can create custom threat alerts that can help you keep track of possible attack activities in your organization. You can flag suspicious events to piece together clues and possibly stop an attack chain. These custom threat alerts will only appear in your organization and will flag events that you set it to track. +With Microsoft Defender ATP, you can create custom threat alerts that can help you keep track of possible attack activities in your organization. You can flag suspicious events to piece together clues and possibly stop an attack chain. These custom threat alerts will only appear in your organization and will flag events that you set it to track. Before creating custom threat alerts, it's important to know the concepts behind alert definitions and indicators of compromise (IOCs) and the relationship between them. @@ -39,9 +39,9 @@ Alert definitions are contextual attributes that can be used collectively to ide IOCs are individually-known malicious events that indicate that a network or machine has already been breached. Unlike alert definitions, these indicators are considered as evidence of a breach. They are often seen after an attack has already been carried out and the objective has been reached, such as exfiltration. Keeping track of IOCs is also important during forensic investigations. Although it might not provide the ability to intervene with an attack chain, gathering these indicators can be useful in creating better defenses for possible future attacks. ## Relationship between alert definitions and IOCs -In the context of Windows Defender ATP, alert definitions are containers for IOCs and defines the alert, including the metadata that is raised in case of a specific IOC match. Various metadata is provided as part of the alert definitions. Metadata such as alert definition name of attack, severity, and description is provided along with other options. For more information on available metadata options, see [Threat Intelligence API metadata](custom-ti-api-windows-defender-advanced-threat-protection.md#threat-intelligence-api-metadata). +In the context of Microsoft Defender ATP, alert definitions are containers for IOCs and defines the alert, including the metadata that is raised in case of a specific IOC match. Various metadata is provided as part of the alert definitions. Metadata such as alert definition name of attack, severity, and description is provided along with other options. For more information on available metadata options, see [Threat Intelligence API metadata](custom-ti-api-windows-defender-advanced-threat-protection.md#threat-intelligence-api-metadata). -Each IOC defines the concrete detection logic based on its type and value as well as its action, which determines how it is matched. It is bound to a specific alert definition that defines how a detection is displayed as an alert on the Windows Defender ATP console. +Each IOC defines the concrete detection logic based on its type and value as well as its action, which determines how it is matched. It is bound to a specific alert definition that defines how a detection is displayed as an alert on the Microsoft Defender ATP console. Here is an example of an IOC: - Type: Sha1 @@ -51,7 +51,7 @@ Here is an example of an IOC: IOCs have a many-to-one relationship with alert definitions such that an alert definition can have many IOCs that correspond to it. ## Related topics -- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [Enable the custom threat intelligence API in Microsoft Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) - [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md) - [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md) - [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md index 026ac5e02d..da34c747c5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md @@ -1,5 +1,5 @@ --- -title: Windows Defender ATP in Microsoft Threat Protection +title: Microsoft Defender ATP in Microsoft Threat Protection description: Learn about the capabilities within the Microsoft Threat Protection keywords: microsoft threat protection, conditional access, office, advanced threat protection, azure atp, azure security center, microsoft cloud app security search.product: eADQiWindows 10XVcnh @@ -22,9 +22,9 @@ ms.date: 12/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Windows Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace. +Microsoft Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace. For more information on Microsoft Threat Protection, see [Announcing Microsoft Threat Protection](https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Announcing-Microsoft-Threat-Protection/ba-p/262783). @@ -33,23 +33,23 @@ Microsoft's multiple layers of threat protection across data, applications, devi Each layer in the threat protection stack plays a critical role in protecting customers. The deep integration between these layers results in better protected customers. ## Azure Advanced Threat Protection (Azure ATP) - Suspicious activities are processes running under a user context. The integration between Windows Defender ATP and Azure ATP provides the flexibility of conducting cyber security investigation across activities and identities. + Suspicious activities are processes running under a user context. The integration between Microsoft Defender ATP and Azure ATP provides the flexibility of conducting cyber security investigation across activities and identities. ## Azure Security Center -Windows Defender ATP provides a comprehensive server protection solution, including endpoint detection and response (EDR) capabilities on Windows Servers. +Microsoft Defender ATP provides a comprehensive server protection solution, including endpoint detection and response (EDR) capabilities on Windows Servers. ## Azure Information Protection Keep sensitive data secure while enabling productivity in the workplace through data data discovery and data protection. ## Conditional access -Windows Defender ATP's dynamic machine risk score is integrated into the conditional access evaluation, ensuring that only secure devices have access to resources. +Microsoft Defender ATP's dynamic machine risk score is integrated into the conditional access evaluation, ensuring that only secure devices have access to resources. ## Microsoft Cloud App Security -Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. +Microsoft Cloud App Security leverages Microsoft Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender ATP monitored machines. ## Office 365 Advanced Threat Protection (Office 365 ATP) -[Office 365 ATP](https://docs.microsoft.com/office365/securitycompliance/office-365-atp) helps protect your organization from malware in email messages or files through ATP Safe Links, ATP Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Office 365 ATP and Windows Defender ATP enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked. +[Office 365 ATP](https://docs.microsoft.com/office365/securitycompliance/office-365-atp) helps protect your organization from malware in email messages or files through ATP Safe Links, ATP Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Office 365 ATP and Microsoft Defender ATP enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked. ## Skype for Business The Skype for Business integration provides s a way for analysts to communicate with a potentially compromised user or device owner through ao simple button from the portal. diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md index c95bd47a62..37eb716bfc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md @@ -1,5 +1,5 @@ --- -title: Threat protection report in Windows Defender ATP +title: Threat protection report in Microsoft Defender ATP description: Track alert detections, categories, and severity using the threat protection report keywords: alert detection, source, alert by category, alert severity, alert classification, determination search.product: eADQiWindows 10XVcnh @@ -17,10 +17,10 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Threat protection report in Windows Defender ATP +# Threat protection report in Microsoft Defender ATP **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prerelease information](prerelease.md)] @@ -52,7 +52,7 @@ While the alert trends shows trending alert information, the alert summary shows ## Alert attributes The report is made up of cards that display the following alert attributes: -- **Detection sources**: shows information about the sensors and detection technologies that provide the data used by Windows Defender ATP to trigger alerts. +- **Detection sources**: shows information about the sensors and detection technologies that provide the data used by Microsoft Defender ATP to trigger alerts. - **Threat categories**: shows the types of threat or attack activity that triggered alerts, indicating possible focus areas for your security operations. diff --git a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md index ae5f7b984d..944fdf6c3c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md @@ -18,7 +18,7 @@ ms.topic: article # Indicator resource type -**Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) +**Applies to:** - Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prerelease information](prerelease.md)] diff --git a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md index 0a8c046f35..a2617401bd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md @@ -21,11 +21,11 @@ ms.date: 02/13/2018 # Windows Defender Security Center time zone settings **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-settings-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-settings-abovefoldlink) Use the **Time zone** menu ![Time zone settings icon](images/atp-time-zone.png) to configure the time zone and view license information. @@ -34,25 +34,25 @@ The aspect of time is important in the assessment and analysis of perceived and Cyberforensic investigations often rely on time stamps to piece together the sequence of events. It’s important that your system reflects the correct time zone settings. -Windows Defender ATP can display either Coordinated Universal Time (UTC) or local time. +Microsoft Defender ATP can display either Coordinated Universal Time (UTC) or local time. -Your current time zone setting is shown in the Windows Defender ATP menu. You can change the displayed time zone in the **Time zone** menu ![Time zone settings icon](images/atp-time-zone.png). +Your current time zone setting is shown in the Microsoft Defender ATP menu. You can change the displayed time zone in the **Time zone** menu ![Time zone settings icon](images/atp-time-zone.png). ### UTC time zone -Windows Defender ATP uses UTC time by default. +Microsoft Defender ATP uses UTC time by default. -Setting the Windows Defender ATP time zone to UTC will display all system timestamps (alerts, events, and others) in UTC for all users. This can help security analysts working in different locations across the globe to use the same time stamps while investigating events. +Setting the Microsoft Defender ATP time zone to UTC will display all system timestamps (alerts, events, and others) in UTC for all users. This can help security analysts working in different locations across the globe to use the same time stamps while investigating events. ### Local time zone -You can choose to have Windows Defender ATP use local time zone settings. All alerts and events will be displayed using your local time zone. +You can choose to have Microsoft Defender ATP use local time zone settings. All alerts and events will be displayed using your local time zone. -The local time zone is taken from your machine’s regional settings. If you change your regional settings, the Windows Defender ATP time zone will also change. Choosing this setting means that the timestamps displayed in Windows Defender ATP will be aligned to local time for all Windows Defender ATP users. Analysts located in different global locations will now see the Windows Defender ATP alerts according to their regional settings. +The local time zone is taken from your machine’s regional settings. If you change your regional settings, the Microsoft Defender ATP time zone will also change. Choosing this setting means that the timestamps displayed in Microsoft Defender ATP will be aligned to local time for all Microsoft Defender ATP users. Analysts located in different global locations will now see the Microsoft Defender ATP alerts according to their regional settings. Choosing to use local time can be useful if the analysts are located in a single location. In this case it might be easier to correlate events to local time, for example – when a local user clicked on a suspicious email link. ### Set the time zone -The Windows Defender ATP time zone is set by default to UTC. -Setting the time zone also changes the times for all Windows Defender ATP views. +The Microsoft Defender ATP time zone is set by default to UTC. +Setting the time zone also changes the times for all Microsoft Defender ATP views. To set the time zone: 1. Click the **Time zone** menu ![Time zone settings icon](images/atp-time-zone.png). @@ -60,7 +60,7 @@ To set the time zone: 3. Select **Timezone UTC** or your local time zone, for example -7:00. ### Regional settings -To apply different date formats for Windows Defender ATP, use regional settings for Internet Explorer (IE) and Microsoft Edge (Edge). If you're using another browser such as Google Chrome, follow the required steps to change the time and date settings for that browser. +To apply different date formats for Microsoft Defender ATP, use regional settings for Internet Explorer (IE) and Microsoft Edge (Edge). If you're using another browser such as Google Chrome, follow the required steps to change the time and date settings for that browser. **Internet Explorer (IE) and Microsoft Edge** diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-custom-ti.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-custom-ti.md index 500048787b..c2d0bdf3c6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-custom-ti.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-custom-ti.md @@ -1,6 +1,6 @@ --- -title: Troubleshoot custom threat intelligence issues in Windows Defender ATP -description: Troubleshoot issues that might arise when using the custom threat intelligence feature in Windows Defender ATP. +title: Troubleshoot custom threat intelligence issues in Microsoft Defender ATP +description: Troubleshoot issues that might arise when using the custom threat intelligence feature in Microsoft Defender ATP. keywords: troubleshoot, custom threat intelligence, custom ti, rest api, api, alert definitions, indicators of compromise search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -23,7 +23,7 @@ ms.date: 06/25/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -52,12 +52,12 @@ If your client secret expires or if you've misplaced the copy provided when you 7. Copy the value and save it in a safe place. ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootcustomti-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootcustomti-belowfoldlink) ## Related topics - [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [Enable the custom threat intelligence API in Microsoft Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) - [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md) - [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md) - [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md index 3f520e22f4..01557d7ec5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md @@ -1,6 +1,6 @@ --- title: Troubleshoot onboarding issues and error messages -description: Troubleshoot onboarding issues and error message while completing setup of Windows Defender Advanced Threat Protection. +description: Troubleshoot onboarding issues and error message while completing setup of Microsoft Defender Advanced Threat Protection. keywords: troubleshoot, troubleshooting, Azure Active Directory, onboarding, error message, error messages, windows defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -23,19 +23,19 @@ ms.date: 08/01/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troublshootonboarding-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troublshootonboarding-abovefoldlink) -This page provides detailed steps to troubleshoot issues that might occur when setting up your Windows Defender ATP service. +This page provides detailed steps to troubleshoot issues that might occur when setting up your Microsoft Defender ATP service. If you receive an error message, Windows Defender Security Center will provide a detailed explanation on what the issue is and relevant links will be supplied. ## No subscriptions found -If while accessing Windows Defender Security Center you get a **No subscriptions found** message, it means the Azure Active Directory (AAD) used to login the user to the portal, does not have a Windows Defender ATP license. +If while accessing Windows Defender Security Center you get a **No subscriptions found** message, it means the Azure Active Directory (AAD) used to login the user to the portal, does not have a Microsoft Defender ATP license. Potential reasons: - The Windows E5 and Office E5 licenses are separate licenses. @@ -43,14 +43,14 @@ Potential reasons: - It could be a license provisioning issue. - It could be you inadvertently provisioned the license to a different Microsoft AAD than the one used for authentication into the service. -For both cases you should contact Microsoft support at [General Windows Defender ATP Support](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636419533611396913) or +For both cases you should contact Microsoft support at [General Microsoft Defender ATP Support](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636419533611396913) or [Volume license support](https://www.microsoft.com/licensing/servicecenter/Help/Contact.aspx). ![Image of no subscriptions found](images\atp-no-subscriptions-found.png) ## Your subscription has expired -If while accessing Windows Defender Security Center you get a **Your subscription has expired** message, your online service subscription has expired. Windows Defender ATP subscription, like any other online service subscription, has an expiration date. +If while accessing Windows Defender Security Center you get a **Your subscription has expired** message, your online service subscription has expired. Microsoft Defender ATP subscription, like any other online service subscription, has an expiration date. You can choose to renew or extend the license at any point in time. When accessing the portal after the expiration date a **Your subscription has expired** message will be presented with an option to download the machine offboarding package, should you choose to not renew the license. @@ -61,7 +61,7 @@ You can choose to renew or extend the license at any point in time. When accessi ## You are not authorized to access the portal -If you receive a **You are not authorized to access the portal**, be aware that Windows Defender ATP is a security monitoring, incident investigation and response product, and as such, access to it is restricted and controlled by the user. +If you receive a **You are not authorized to access the portal**, be aware that Microsoft Defender ATP is a security monitoring, incident investigation and response product, and as such, access to it is restricted and controlled by the user. For more information see, [**Assign user access to the portal**](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection). ![Image of not authorized to access portal](images\atp-not-authorized-to-access-portal.png) @@ -91,4 +91,4 @@ crl.microsoft.com` ## Related topics -- [Validate licensing provisioning and complete setup for Windows Defender ATP](licensing-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Validate licensing provisioning and complete setup for Microsoft Defender ATP](licensing-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md index 0f2789ceb5..5993a17f98 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md @@ -1,6 +1,6 @@ --- -title: Troubleshoot Windows Defender ATP onboarding issues -description: Troubleshoot issues that might arise during the onboarding of machines or to the Windows Defender ATP service. +title: Troubleshoot Microsoft Defender ATP onboarding issues +description: Troubleshoot issues that might arise during the onboarding of machines or to the Microsoft Defender ATP service. keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, sensor data and diagnostics search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,16 +17,16 @@ ms.collection: M365-security-compliance ms.topic: troubleshooting --- -# Troubleshoot Windows Defender Advanced Threat Protection onboarding issues +# Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Windows Server 2012 R2 - Windows Server 2016 -You might need to troubleshoot the Windows Defender ATP onboarding process if you encounter issues. +You might need to troubleshoot the Microsoft Defender ATP onboarding process if you encounter issues. This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the machines. If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, it might indicate an onboarding or connectivity problem. @@ -95,10 +95,10 @@ If none of the event logs and troubleshooting steps work, download the Local scr Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps :---|:---|:---|:---|:--- 0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding
Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.

**Troubleshooting steps:**
Check the event IDs in the [View agent onboarding errors in the machine event log](#view-agent-onboarding-errors-in-the-machine-event-log) section.

Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx). - | | | | Onboarding
Offboarding
SampleSharing | **Possible cause:** Windows Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it.

**Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```

If it doesn't exist, open an elevated command and add the key. + | | | | Onboarding
Offboarding
SampleSharing | **Possible cause:** Microsoft Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it.

**Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```

If it doesn't exist, open an elevated command and add the key. | | | | SenseIsRunning
OnboardingState
OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.

**Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot onboarding issues on the machine](#troubleshoot-onboarding-issues-on-the-machine).

Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx). - || | | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.

Currently is supported platforms: Enterprise, Education, and Professional.
Server is not supported. - 0x87D101A9 | -2016345687 |Syncml(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.

Currently is supported platforms: Enterprise, Education, and Professional. + || | | All | **Possible cause:** Attempt to deploy Microsoft Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.

Currently is supported platforms: Enterprise, Education, and Professional.
Server is not supported. + 0x87D101A9 | -2016345687 |Syncml(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Microsoft Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.

Currently is supported platforms: Enterprise, Education, and Professional.
**Known issues with non-compliance** @@ -122,10 +122,10 @@ Channel name: Admin ID | Severity | Event description | Troubleshooting steps :---|:---|:---|:--- -1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760). +1819 | Error | Microsoft Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760). ## Troubleshoot onboarding issues on the machine -If the deployment tools used does not indicate an error in the onboarding process, but machines are still not appearing in the machines list in an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent: +If the deployment tools used does not indicate an error in the onboarding process, but machines are still not appearing in the machines list in an hour, go through the following verification topics to check if an error occurred with the Microsoft Defender ATP agent: - [View agent onboarding errors in the machine event log](#view-agent-onboarding-errors-in-the-machine-event-log) - [Ensure the diagnostic data service is enabled](#ensure-the-diagnostics-service-is-enabled) - [Ensure the service is set to start](#ensure-the-service-is-set-to-start) @@ -140,7 +140,7 @@ If the deployment tools used does not indicate an error in the onboarding proces 2. In the **Event Viewer (Local)** pane, expand **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE**. > [!NOTE] - > SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP. + > SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender ATP. 3. Select **Operational** to load the log. @@ -154,17 +154,17 @@ If the deployment tools used does not indicate an error in the onboarding proces Event ID | Message | Resolution steps :---|:---|:--- -5 | Windows Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection). -6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md). -7 | Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection), then run the entire onboarding process again. -9 | Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md).

If the event happened during offboarding, contact support. -10 | Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md).

If the problem persists, contact support. -15 | Windows Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection). -17 | Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md). If the problem persists, contact support. -25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support. -27 | Failed to enable Windows Defender Advanced Threat Protection mode in Windows Defender. Onboarding process failed. Failure code: variable | Contact support. +5 | Microsoft Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection). +6 | Microsoft Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md). +7 | Microsoft Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection), then run the entire onboarding process again. +9 | Microsoft Defender Advanced Threat Protection service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md).

If the event happened during offboarding, contact support. +10 | Microsoft Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md).

If the problem persists, contact support. +15 | Microsoft Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection). +17 | Microsoft Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | [Run the onboarding script again](configure-endpoints-script-windows-defender-advanced-threat-protection.md). If the problem persists, contact support. +25 | Microsoft Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support. +27 | Failed to enable Microsoft Defender Advanced Threat Protection mode in Windows Defender. Onboarding process failed. Failure code: variable | Contact support. 29 | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the machine has Internet access, then run the entire offboarding process again. -30 | Failed to disable $(build.sense.productDisplayName) mode in Windows Defender Advanced Threat Protection. Failure code: %1 | Contact support. +30 | Failed to disable $(build.sense.productDisplayName) mode in Microsoft Defender Advanced Threat Protection. Failure code: %1 | Contact support. 32 | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the machine. 55 | Failed to create the Secure ETW autologger. Failure code: %1 | Reboot the machine. 63 | Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4 | Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type. @@ -173,7 +173,7 @@ Event ID | Message | Resolution steps 69 | The service is stopped. Service name: %1 | Start the mentioned service. Contact support if persists.
-There are additional components on the machine that the Windows Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Windows Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly. +There are additional components on the machine that the Microsoft Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Microsoft Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly. ### Ensure the diagnostic data service is enabled @@ -234,20 +234,20 @@ First, you should check that the service is set to start automatically when Wind ### Ensure the machine has an Internet connection -The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service. +The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service. WinHTTP is independent of the Internet browsing proxy settings and other user context applications and must be able to detect the proxy servers that are available in your particular environment. -To ensure that sensor has service connectivity, follow the steps described in the [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls) topic. +To ensure that sensor has service connectivity, follow the steps described in the [Verify client connectivity to Microsoft Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls) topic. If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic. ### Ensure that Windows Defender Antivirus is not disabled by a policy -**Problem**: The Windows Defender ATP service does not start after onboarding. +**Problem**: The Microsoft Defender ATP service does not start after onboarding. **Symptom**: Onboarding successfully completes, but you see error 577 when trying to start the service. -**Solution**: If your machines are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy. +**Solution**: If your machines are running a third-party antimalware client, the Microsoft Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy. - Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are cleared: @@ -275,9 +275,9 @@ If you encounter issues while onboarding a server, go through the following veri - [Ensure that the server proxy and Internet connectivity settings are configured properly](configure-server-endpoints-windows-defender-advanced-threat-protection.md#server-proxy) You might also need to check the following: -- Check that there is a Windows Defender Advanced Threat Protection Service running in the **Processes** tab in **Task Manager**. For example: +- Check that there is a Microsoft Defender Advanced Threat Protection Service running in the **Processes** tab in **Task Manager**. For example: - ![Image of process view with Windows Defender Advanced Threat Protection Service running](images/atp-task-manager.png) + ![Image of process view with Microsoft Defender Advanced Threat Protection Service running](images/atp-task-manager.png) - Check **Event Viewer** > **Applications and Services Logs** > **Operation Manager** to see if there are any errors. @@ -293,7 +293,7 @@ You might also need to check the following: ## Licensing requirements -Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: +Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: - Windows 10 Enterprise E5 - Windows 10 Education E5 @@ -302,11 +302,11 @@ Windows Defender Advanced Threat Protection requires one of the following Micros For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2). ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootonboarding-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootonboarding-belowfoldlink) ## Related topics -- [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md) +- [Troubleshoot Microsoft Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md) - [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) - [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md index fccd8ca55a..c065888a3c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md @@ -1,6 +1,6 @@ --- -title: Troubleshoot Windows Defender Advanced Threat Protection capabilities -description: Find solutions to issues on sensor state, service issues, or other Windows Defender ATP capabilities +title: Troubleshoot Microsoft Defender Advanced Threat Protection capabilities +description: Find solutions to issues on sensor state, service issues, or other Microsoft Defender ATP capabilities keywords: troubleshoot, sensor, state, service, issues, attack surface reduction, next generation protection search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -18,14 +18,14 @@ ms.topic: troubleshooting ms.date: 09/03/2018 --- -# Troubleshoot Windows Defender Advanced Threat Protection +# Troubleshoot Microsoft Defender Advanced Threat Protection -Troubleshoot issues that might arise as you use Windows Defender ATP capabilities. +Troubleshoot issues that might arise as you use Microsoft Defender ATP capabilities. ## In this section Topic | Description :---|:--- -Troubleshoot sensor state | Find solutions for issues related to the Windows Defender ATP sensor +Troubleshoot sensor state | Find solutions for issues related to the Microsoft Defender ATP sensor Troubleshoot service issues | Fix issues related to the Windows Defender Advanced Threat service Troubleshoot attack surface reduction | Fix issues related to network protection and attack surface reduction rules Troubleshoot next generation protection | If you encounter a problem with antivirus, you can search the tables in this topic to find a matching issue and potential solution diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md index a3097cd460..7d2a7d86da 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md @@ -1,6 +1,6 @@ --- -title: Troubleshoot SIEM tool integration issues in Windows Defender ATP -description: Troubleshoot issues that might arise when using SIEM tools with Windows Defender ATP. +title: Troubleshoot SIEM tool integration issues in Microsoft Defender ATP +description: Troubleshoot issues that might arise when using SIEM tools with Microsoft Defender ATP. keywords: troubleshoot, siem, client secret, secret search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -21,7 +21,7 @@ ms.date: 11/08/2018 # Troubleshoot SIEM tool integration issues **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -77,11 +77,11 @@ If you encounter an error when trying to enable the SIEM connector application, ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootsiem-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootsiem-belowfoldlink) ## Related topics -- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) -- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) -- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) -- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) -- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) +- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) +- [Configure ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) +- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) +- [Microsoft Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) +- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot.md index ee883b6d7f..655895b298 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot.md @@ -1,7 +1,7 @@ --- -title: Troubleshoot Windows Defender Advanced Threat Protection service issues +title: Troubleshoot Microsoft Defender Advanced Threat Protection service issues description: Find solutions and work arounds to known issues such as server errors when trying to access the service. -keywords: troubleshoot Windows Defender Advanced Threat Protection, troubleshoot Windows ATP, server error, access denied, invalid credentials, no data, dashboard portal, whitelist, event viewer +keywords: troubleshoot Microsoft Defender Advanced Threat Protection, troubleshoot Windows ATP, server error, access denied, invalid credentials, no data, dashboard portal, whitelist, event viewer search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -35,13 +35,13 @@ Make sure that `*.securitycenter.windows.com` is included the proxy whitelist. > [!NOTE] > You must use the HTTPS protocol when adding the following endpoints. -## Windows Defender ATP service shows event or error logs in the Event Viewer +## Microsoft Defender ATP service shows event or error logs in the Event Viewer -See the topic [Review events and errors using Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) for a list of event IDs that are reported by the Windows Defender ATP service. The topic also contains troubleshooting steps for event errors. +See the topic [Review events and errors using Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) for a list of event IDs that are reported by the Microsoft Defender ATP service. The topic also contains troubleshooting steps for event errors. -## Windows Defender ATP service fails to start after a reboot and shows error 577 +## Microsoft Defender ATP service fails to start after a reboot and shows error 577 -If onboarding machines successfully completes but Windows Defender ATP does not start after a reboot and shows error 577, check that Windows Defender is not disabled by a policy. +If onboarding machines successfully completes but Microsoft Defender ATP does not start after a reboot and shows error 577, check that Windows Defender is not disabled by a policy. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy). @@ -63,15 +63,15 @@ The following date and time formats are currently not supported: **Use of comma to indicate thousand**
Support of use of comma as a separator in numbers are not supported. Regions where a number is separated with a comma to indicate a thousand, will only see the use of a dot as a separator. For example, 15,5K is displayed as 15.5K. ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshoot-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshoot-belowfoldlink) -## Windows Defender ATP tenant was automatically created in Europe -When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default. +## Microsoft Defender ATP tenant was automatically created in Europe +When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created. The Microsoft Defender ATP data is stored in Europe by default. ## Related topics -- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) +- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) - [Review events and errors using Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md index 07203db964..4320d58d31 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md @@ -19,7 +19,7 @@ ms.date: 12/08/2017 # Release machine from isolation API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] @@ -28,7 +28,7 @@ Undo isolation of a machine. [!include[Machine actions note](machineactionsnote.md)] ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md index d6bd15719c..9531e39835 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md @@ -19,7 +19,7 @@ ms.date: 12/08/2017 # Remove app restriction API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] @@ -28,7 +28,7 @@ Enable execution of any application on the machine. [!include[Machine actions note](machineactionsnote.md)] ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md index 8c700cf5fd..be7b420a9b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md +++ b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md @@ -20,14 +20,14 @@ ms.date: 12/08/2017 # Update alert **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) [!include[Prereleaseinformation](prerelease.md)] Update the properties of an alert entity. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/use-apis.md b/windows/security/threat-protection/microsoft-defender-atp/use-apis.md index 9104f53a2b..a152053d8d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/use-apis.md +++ b/windows/security/threat-protection/microsoft-defender-atp/use-apis.md @@ -1,5 +1,5 @@ --- -title: Windows Defender ATP Public API +title: Microsoft Defender ATP Public API description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph. keywords: apis, api, wdatp, open api, windows defender atp api, public api, alerts, machine, user, domain, ip, file search.product: eADQiWindows 10XVcnh @@ -17,15 +17,15 @@ ms.topic: conceptual ms.date: 11/28/2018 --- -# Windows Defender ATP Public API +# Microsoft Defender ATP Public API -**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -> Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## In this section Topic | Description :---|:--- -[Windows Defender ATP API overview](apis-intro.md) | Learn how to access to Windows Defender ATP Public API and on which context. -[Supported Windows Defender ATP APIs](exposed-apis-list.md) | Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses. Examples include APIs for [alert resource type](alerts-windows-defender-advanced-threat-protection-new.md), [domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md), or even actions such as [isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md). +[Microsoft Defender ATP API overview](apis-intro.md) | Learn how to access to Microsoft Defender ATP Public API and on which context. +[Supported Microsoft Defender ATP APIs](exposed-apis-list.md) | Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses. Examples include APIs for [alert resource type](alerts-windows-defender-advanced-threat-protection-new.md), [domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md), or even actions such as [isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md). How to use APIs - Samples | Learn how to use Advanced hunting APIs and multiple APIs such as PowerShell. Other examples include [schedule advanced hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md) or [OData queries](exposed-apis-odata-samples.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/use-custom-ti.md b/windows/security/threat-protection/microsoft-defender-atp/use-custom-ti.md index a5bf6b10dc..f8109a93b6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/use-custom-ti.md +++ b/windows/security/threat-protection/microsoft-defender-atp/use-custom-ti.md @@ -1,6 +1,6 @@ --- title: Use the custom threat intelligence API to create custom alerts -description: Use the threat intelligence API in Windows Defender Advanced Threat Protection to create custom alerts +description: Use the threat intelligence API in Microsoft Defender Advanced Threat Protection to create custom alerts keywords: threat intelligence, alert definitions, indicators of compromise search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -21,11 +21,11 @@ ms.date: 04/24/2018 # Use the threat intelligence API to create custom alerts **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink) Understand threat intelligence concepts, then enable the custom threat intelligence application so that you can proceed to create custom threat intelligence alerts that are specific to your organization. diff --git a/windows/security/threat-protection/microsoft-defender-atp/use.md b/windows/security/threat-protection/microsoft-defender-atp/use.md index 07291b3a48..94b1666439 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/use.md +++ b/windows/security/threat-protection/microsoft-defender-atp/use.md @@ -22,11 +22,11 @@ ms.date: 03/12/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-usewdatp-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-usewdatp-abovefoldlink) -Windows Defender Security Center is the portal where you can access Windows Defender Advanced Threat Protection capabilities. +Windows Defender Security Center is the portal where you can access Microsoft Defender Advanced Threat Protection capabilities. Use the **Security operations** dashboard to gain insight on the various alerts on machines and users in your network. @@ -40,7 +40,7 @@ Use the **Threat analytics** dashboard to continually assess and control risk ex Topic | Description :---|:--- [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) | Understand the portal layout and area descriptions. -[View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the machines on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines. +[View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md) | The Microsoft Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the machines on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines. [View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md) | The **Secure Score dashboard** expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) | The **Threat analytics** dashboard helps you continually assess and control risk exposure to Spectre and Meltdown. Use the charts to quickly identify machines for the presence or absence of mitigations. diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md index ab60042a21..152c31812c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md +++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md @@ -20,10 +20,10 @@ ms.topic: article # Create and manage roles for role-based access control **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-roles-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-roles-abovefoldlink) ## Create roles and assign the role to an Azure Active Directory group The following steps guide you on how to create roles in Windows Defender Security Center. It assumes that you have already created Azure Active Directory user groups. @@ -43,7 +43,7 @@ The following steps guide you on how to create roles in Windows Defender Securit - **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups. >[!NOTE] - >This setting is only available in the Windows Defender ATP administrator (default) role. + >This setting is only available in the Microsoft Defender ATP administrator (default) role. - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications. diff --git a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md index 5f6903dad8..a7d944a061 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md @@ -18,9 +18,9 @@ ms.topic: article ms.date: 10/08/2018 --- -# View and organize the Windows Defender Advanced Threat Protection Incidents queue +# View and organize the Microsoft Defender Advanced Threat Protection Incidents queue **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) The **Incidents queue** shows a collection of incidents that were flagged from machines in your network. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision. diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md index b73e7bc8b1..af06ab295c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md @@ -1,6 +1,6 @@ --- -title: What's new in Windows Defender ATP -description: Lists the new features and functionality in Windows Defender ATP +title: What's new in Microsoft Defender ATP +description: Lists the new features and functionality in Microsoft Defender ATP keywords: what's new in windows defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,11 +17,11 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# What's new in Windows Defender ATP +# What's new in Microsoft Defender ATP **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) -Here are the new features in the latest release of Windows Defender ATP as well as security features in Windows 10 and Windows Server. +Here are the new features in the latest release of Microsoft Defender ATP as well as security features in Windows 10 and Windows Server. ## March 2019 ### In preview @@ -32,16 +32,16 @@ The following capability are included in the February 2019 preview release. ## February 2019 The following capabilities are generally available (GA). -- [Incidents](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/incidents-queue)
Incident is a new entity in Windows Defender ATP that brings together all relevant alerts and related entities to narrate the broader attack story, giving analysts better perspective on the purview of complex threats. +- [Incidents](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/incidents-queue)
Incident is a new entity in Microsoft Defender ATP that brings together all relevant alerts and related entities to narrate the broader attack story, giving analysts better perspective on the purview of complex threats. -- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)
Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor. +- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)
Onboard supported versions of Windows machines so that they can send sensor data to the Microsoft Defender ATP sensor. ### In preview The following capability are included in the February 2019 preview release. - [Reports](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection)
The threat protection report provides high-level information about alerts generated in your organization. -- [Microsoft Threat Experts](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts)
Microsoft Threat Experts is the new managed threat hunting service in Windows Defender ATP that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365. +- [Microsoft Threat Experts](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts)
Microsoft Threat Experts is the new managed threat hunting service in Microsoft Defender ATP that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365. ## October 2018 @@ -53,16 +53,16 @@ The following capabilities are generally available (GA). - [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)
With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. -- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)
Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. +- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)
Microsoft Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers. -- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)
Windows Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. +- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)
Microsoft Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. -- [Removable device control](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/)
Windows Defender ATP provides multiple monitoring and control features to help prevent threats from removable devices, including new settings to allow or block specific hardware IDs. +- [Removable device control](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/)
Microsoft Defender ATP provides multiple monitoring and control features to help prevent threats from removable devices, including new settings to allow or block specific hardware IDs. - [Support for iOS and Android devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection#turn-on-third-party-integration)
iOS and Android devices are now supported and can be onboarded to the service. - [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics)
-Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. +Threat Analytics is a set of interactive reports published by the Microsoft Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. - New in Windows 10 version 1809, there are two new attack surface reduction rules: - Block Adobe Reader from creating child processes @@ -81,25 +81,25 @@ For more information on how to turn on preview features, see [Preview features]( - [Information protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview)
Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. -Windows Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. +Microsoft Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. >[!NOTE] >Partially available from Windows 10, version 1809. -- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration)
Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. +- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration)
Microsoft Cloud App Security leverages Microsoft Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender ATP monitored machines. >[!NOTE] >Available from Windows 10, version 1809 or later. -- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019)
Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. +- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019)
Microsoft Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. -- [Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
-Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal. +- [Power BI reports using Microsoft Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
+Microsoft Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal. ## March 2018 - [Advanced Hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)
-Query data using Advanced hunting in Windows Defender ATP. +Query data using Advanced hunting in Microsoft Defender ATP. - [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
New attack surface reduction rules: @@ -116,21 +116,21 @@ Query data using Advanced hunting in Windows Defender ATP. - [Conditional access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)
Enable conditional access to better protect users, devices, and data. -- [Windows Defender ATP Community center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection)
- The Windows Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product. +- [Microsoft Defender ATP Community center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection)
+ The Microsoft Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product. - [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)
You can now block untrusted processes from writing to disk sectors using Controlled Folder Access. - [Onboard non-Windows machines](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection)
- Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows Defender Security Center and better protect your organization's network. + Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows Defender Security Center and better protect your organization's network. - [Role-based access control (RBAC)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection)
Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal. - [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)
-Windows Defender Antivirus now shares detection status between M365 services and interoperates with Windows Defender ATP. For more information, see [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). +Windows Defender Antivirus now shares detection status between M365 services and interoperates with Microsoft Defender ATP. For more information, see [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. For more information, see [Enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus). diff --git a/windows/security/threat-protection/microsoft-defender-atp/windows-defender-security-center-atp.md b/windows/security/threat-protection/microsoft-defender-atp/windows-defender-security-center-atp.md index d85d398e43..468fcd0924 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/windows-defender-security-center-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/windows-defender-security-center-atp.md @@ -1,6 +1,6 @@ --- title: Windows Defender Security Center -description: Windows Defender Security Center is the portal where you can access Windows Defender Advanced Threat Protection. +description: Windows Defender Security Center is the portal where you can access Microsoft Defender Advanced Threat Protection. keywords: windows, defender, security, center, defender, advanced, threat, protection search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -20,7 +20,7 @@ ms.date: 07/01/2018 # Windows Defender Security Center -Windows Defender Security Center is the portal where you can access Windows Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks. +Windows Defender Security Center is the portal where you can access Microsoft Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks. ## In this section @@ -31,9 +31,9 @@ Get started | Learn about the minimum requirements, validate licensing and com [Understand the portal](use-windows-defender-advanced-threat-protection.md) | Understand the Security operations, Secure Score, and Threat analytics dashboards as well as how to navigate the portal. Investigate and remediate threats | Investigate alerts, machines, and take response actions to remediate threats. API and SIEM support | Use the supported APIs to pull and create custom alerts, or automate workflows. Use the supported SIEM tools to pull alerts from Windows Defender Security Center. -Reporting | Create and build Power BI reports using Windows Defender ATP data. +Reporting | Create and build Power BI reports using Microsoft Defender ATP data. Check service health and sensor state | Verify that the service is running and check the sensor state on machines. [Configure Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Configure general settings, turn on the preview experience, notifications, and enable other features. -[Access the Windows Defender ATP Community Center](community-windows-defender-advanced-threat-protection.md) | Access the Windows Defender ATP Community Center to learn, collaborate, and share experiences about the product. +[Access the Microsoft Defender ATP Community Center](community-windows-defender-advanced-threat-protection.md) | Access the Microsoft Defender ATP Community Center to learn, collaborate, and share experiences about the product. [Troubleshoot service issues](troubleshoot-windows-defender-advanced-threat-protection.md) | This section addresses issues that might arise as you use the Windows Defender Advanced Threat service. From dbb77d063b94fd08c177516b3210e1e7cde75744 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 14:58:31 -0700 Subject: [PATCH 116/492] update windows defender security center to microsoft defender security center --- .../microsoft-defender-atp/TOC.md | 4 ++-- .../advanced-features.md | 2 +- .../advanced-hunting.md | 4 ++-- ...lerts-queue-endpoint-detection-response.md | 6 ++--- .../api-portal-mapping.md | 4 ++-- .../assign-portal-access.md | 4 ++-- .../basic-permissions.md | 2 +- .../microsoft-defender-atp/community.md | 2 +- .../configure-arcsight.md | 2 +- .../configure-conditional-access.md | 4 ++-- .../configure-endpoints-gp.md | 8 +++---- .../configure-endpoints-mdm.md | 2 +- .../configure-endpoints-non-windows.md | 4 ++-- .../configure-endpoints-sccm.md | 6 ++--- .../configure-endpoints-script.md | 8 +++---- .../configure-endpoints-vdi.md | 6 ++--- .../configure-microsoft-threat-experts.md | 2 +- .../configure-mssp-support.md | 22 +++++++++---------- .../configure-server-endpoints.md | 14 ++++++------ .../microsoft-defender-atp/configure-siem.md | 2 +- .../configure-splunk.md | 2 +- .../microsoft-defender-atp/custom-ti-api.md | 2 +- .../enable-custom-ti.md | 2 +- .../enable-siem-integration.md | 4 ++-- .../experiment-custom-ti.md | 2 +- .../fix-unhealhty-sensors.md | 2 +- .../microsoft-defender-atp/get-started.md | 4 ++-- ...ormation-protection-in-windows-overview.md | 6 ++--- .../microsoft-defender-atp/licensing.md | 10 ++++----- .../microsoft-defender-atp/manage-alerts.md | 2 +- .../manage-auto-investigation.md | 2 +- .../microsoft-defender-atp/manage-edr.md | 2 +- ...icrosoft-cloud-app-security-integration.md | 2 +- ...oft-defender-advanced-threat-protection.md | 2 +- .../microsoft-threat-experts.md | 2 +- .../microsoft-defender-atp/mssp-support.md | 2 +- .../onboard-configure.md | 2 +- .../microsoft-defender-atp/onboard.md | 2 +- .../overview-custom-detections.md | 2 +- .../overview-hunting.md | 2 +- .../overview-secure-score.md | 4 ++-- .../microsoft-defender-atp/overview.md | 2 +- .../microsoft-defender-atp/portal-overview.md | 10 ++++----- .../microsoft-defender-atp/powerbi-reports.md | 4 ++-- .../preferences-setup.md | 4 ++-- .../pull-alerts-using-rest-api.md | 4 ++-- .../microsoft-defender-atp/rbac.md | 6 ++--- .../security-operations-dashboard.md | 4 ++-- .../microsoft-defender-atp/time-settings.md | 4 ++-- .../troubleshoot-onboarding-error-messages.md | 6 ++--- .../microsoft-defender-atp/troubleshoot.md | 2 +- .../microsoft-defender-atp/use-custom-ti.md | 2 +- .../microsoft-defender-atp/use.md | 8 +++---- .../microsoft-defender-atp/user-roles.md | 2 +- .../whats-new-in-microsoft-defender-atp.md | 4 ++-- .../windows-defender-security-center-atp.md | 12 +++++----- 56 files changed, 121 insertions(+), 121 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/TOC.md b/windows/security/threat-protection/microsoft-defender-atp/TOC.md index 0dc76f0fa0..297f7f6173 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/TOC.md +++ b/windows/security/threat-protection/microsoft-defender-atp/TOC.md @@ -120,7 +120,7 @@ ##### [Network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md) #### [Evaluate next generation protection](../windows-defender-antivirus/evaluate-windows-defender-antivirus.md) -### [Access the Windows Defender Security Center Community Center](community.md) +### [Access the Microsoft Defender Security Center Community Center](community.md) ## [Configure and manage capabilities](onboard.md) ### [Configure attack surface reduction](configure-attack-surface-reduction.md) @@ -354,7 +354,7 @@ ####[Configure information protection in Windows](information-protection-in-windows-config.md) -### [Configure Windows Defender Security Center settings](preferences-setup.md) +### [Configure Microsoft Defender Security Center settings](preferences-setup.md) #### General ##### [Update data retention settings](data-retention-settings.md) ##### [Configure alert notifications](configure-email-notifications.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index 98b6b36f1f..dee0d64ec2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md @@ -83,7 +83,7 @@ When you complete the integration steps on both portals, you'll be able to see r ## Office 365 Threat Intelligence connection This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page. -When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Windows Defender Security Center to conduct a holistic security investigation across Office 365 mailboxes and Windows machines. +When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Microsoft Defender Security Center to conduct a holistic security investigation across Office 365 mailboxes and Windows machines. >[!NOTE] >You'll need to have the appropriate license to enable this feature. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md index 4d711a8fff..000918bc98 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md @@ -69,7 +69,7 @@ For more information on the query language and supported operators, see [Query The following tables are exposed as part of Advanced hunting: -- **AlertEvents** - Alerts on Windows Defender Security Center +- **AlertEvents** - Alerts on Microsoft Defender Security Center - **MachineInfo** - Machine information, including OS information - **MachineNetworkInfo** - Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains - **ProcessCreationEvents** - Process creation and related events @@ -124,7 +124,7 @@ These steps guide you on modifying and overwriting an existing query. The result set has several capabilities to provide you with effective investigation, including: -- Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and URL, are linked to their entity pages in Windows Defender Security Center. +- Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and URL, are linked to their entity pages in Microsoft Defender Security Center. - You can right-click on a cell in the result set and add a filter to your written query. The current filtering options are **include**, **exclude** or **advanced filter**, which provides additional filtering options on the cell value. These cell values are part of the row set. ![Image of Microsoft Defender ATP Advanced hunting result set](images/atp-advanced-hunting-results-filter.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md index cbe44720d3..525a4afacb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md @@ -1,6 +1,6 @@ --- -title: Alerts queue in Windows Defender Security Center -description: View and manage the alerts surfaced in Windows Defender Security Center +title: Alerts queue in Microsoft Defender Security Center +description: View and manage the alerts surfaced in Microsoft Defender Security Center keywords: search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -18,7 +18,7 @@ ms.topic: conceptual ms.date: 09/03/2018 --- -# Alerts queue in Windows Defender Security Center +# Alerts queue in Microsoft Defender Security Center Learn how you can view and manage the queue so that you can effectively investigate threats seen on entities such as machines, files, or user accounts. diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md index aeb28a277e..c85f9de2b6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md @@ -1,6 +1,6 @@ --- title: Microsoft Defender ATP alert API fields -description: Understand how the alert API fields map to the values in Windows Defender Security Center +description: Understand how the alert API fields map to the values in Microsoft Defender Security Center keywords: alerts, alert fields, fields, api, fields, pull alerts, rest api, request, response search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -30,7 +30,7 @@ ms.date: 10/16/2017 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink) -Understand what data fields are exposed as part of the alerts API and how they map to Windows Defender Security Center. +Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center. ## Alert API fields and portal mapping diff --git a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md index 227c780e28..b1cb1f4d55 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md @@ -1,5 +1,5 @@ --- -title: Assign user access to Windows Defender Security Center +title: Assign user access to Microsoft Defender Security Center description: Assign read and write or read only access to the Microsoft Defender Advanced Threat Protection portal. keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles search.product: eADQiWindows 10XVcnh @@ -18,7 +18,7 @@ ms.topic: article ms.date: 11/28/2018 --- -# Assign user access to Windows Defender Security Center +# Assign user access to Microsoft Defender Security Center **Applies to:** - Azure Active Directory diff --git a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md index ebb98886d3..c7f6f4517c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md @@ -1,5 +1,5 @@ --- -title: Use basic permissions to access Windows Defender Security Center +title: Use basic permissions to access Microsoft Defender Security Center description: Assign read and write or read only access to the Microsoft Defender Advanced Threat Protection portal. keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles search.product: eADQiWindows 10XVcnh diff --git a/windows/security/threat-protection/microsoft-defender-atp/community.md b/windows/security/threat-protection/microsoft-defender-atp/community.md index a70adba5f5..78f18ff20e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/community.md +++ b/windows/security/threat-protection/microsoft-defender-atp/community.md @@ -35,7 +35,7 @@ There are several spaces you can explore to learn about specific information: There are several ways you can access the Community Center: -- In the Windows Defender Security Center navigation pane, select **Community center**. A new browser tab opens and takes you to the Microsoft Defender ATP Tech Community page. +- In the Microsoft Defender Security Center navigation pane, select **Community center**. A new browser tab opens and takes you to the Microsoft Defender ATP Tech Community page. - Access the community through the [Microsoft Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced) page diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md index 2b787f64c8..05c9269bca 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md @@ -1,6 +1,6 @@ --- title: Configure HP ArcSight to pull Microsoft Defender ATP alerts -description: Configure HP ArcSight to receive and pull alerts from Windows Defender Security Center +description: Configure HP ArcSight to receive and pull alerts from Microsoft Defender Security Center keywords: configure hp arcsight, security information and events management tools, arcsight search.product: eADQiWindows 10XVcnh search.appverid: met150 diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md index e599ecf7be..87e9fe515f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md @@ -38,13 +38,13 @@ You need to make sure that all your devices are enrolled in Intune. You can use -There are steps you'll need to take in Windows Defender Security Center, the Intune portal, and Azure AD portal. +There are steps you'll need to take in Microsoft Defender Security Center, the Intune portal, and Azure AD portal. > [!NOTE] > You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices. Take the following steps to enable conditional access: -- Step 1: Turn on the Microsoft Intune connection from Windows Defender Security Center +- Step 1: Turn on the Microsoft Intune connection from Microsoft Defender Security Center - Step 2: Turn on the Microsoft Defender ATP integration in Intune - Step 3: Create the compliance policy in Intune - Step 4: Assign the policy diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md index 24f3338a41..03ef4fb943 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md @@ -36,7 +36,7 @@ ms.date: 04/24/2018 > To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later. ## Onboard machines using Group Policy -1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Windows Defender Security Center](https://securitycenter.windows.com/): +1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Onboarding**. @@ -66,7 +66,7 @@ ms.date: 04/24/2018 > After onboarding the machine, you can choose to run a detection test to verify that the machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md). ## Additional Microsoft Defender ATP configuration settings -For each machine, you can state whether samples can be collected from the machine when a request is made through Windows Defender Security Center to submit a file for deep analysis. +For each machine, you can state whether samples can be collected from the machine when a request is made through Microsoft Defender Security Center to submit a file for deep analysis. You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature. @@ -98,7 +98,7 @@ For security reasons, the package used to Offboard machines will expire 30 days > [!NOTE] > Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions. -1. Get the offboarding package from [Windows Defender Security Center](https://securitycenter.windows.com/): +1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Offboarding**. @@ -132,7 +132,7 @@ For security reasons, the package used to Offboard machines will expire 30 days With Group Policy there isn’t an option to monitor deployment of policies on the machines. Monitoring can be done directly on the portal, or by using the different deployment tools. ## Monitor machines using the portal -1. Go to [Windows Defender Security Center](https://securitycenter.windows.com/). +1. Go to [Microsoft Defender Security Center](https://securitycenter.windows.com/). 2. Click **Machines list**. 3. Verify that machines are appearing. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md index 79a5287504..b4aa4e7b94 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md @@ -57,7 +57,7 @@ For security reasons, the package used to Offboard machines will expire 30 days > [!NOTE] > Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions. -1. Get the offboarding package from [Windows Defender Security Center](https://securitycenter.windows.com/): +1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Offboarding**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md index f431da0f01..11e887fd72 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md @@ -28,7 +28,7 @@ ms.topic: article -Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products’ sensor data. +Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products’ sensor data. You'll need to know the exact Linux distros and macOS versions that are compatible with Microsoft Defender ATP for the integration to work. @@ -58,7 +58,7 @@ Create an EICAR test file by saving the string displayed on the portal in an emp The file should trigger a detection and a corresponding alert on Microsoft Defender ATP. ## Offboard non-Windows machines -To effectively offboard the machine from the service, you'll need to disable the data push on the third-party portal first then switch the toggle to off in Windows Defender Security Center. The toggle in the portal only blocks the data inbound flow. +To effectively offboard the machine from the service, you'll need to disable the data push on the third-party portal first then switch the toggle to off in Microsoft Defender Security Center. The toggle in the portal only blocks the data inbound flow. 1. Follow the third-party documentation to opt-out on the third-party service side. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md index 8a91ad835d..509661ca90 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md @@ -49,7 +49,7 @@ You can use existing System Center Configuration Manager functionality to create ### Onboard machines using System Center Configuration Manager -1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Windows Defender Security Center](https://securitycenter.windows.com/): +1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Onboarding**. @@ -72,7 +72,7 @@ You can use existing System Center Configuration Manager functionality to create > After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md). ### Configure sample collection settings -For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Windows Defender Security Center to submit a file for deep analysis. +For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Microsoft Defender Security Center to submit a file for deep analysis. You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on a machine. This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted machines to make sure they’re complaint. @@ -103,7 +103,7 @@ For security reasons, the package used to Offboard machines will expire 30 days > [!NOTE] > Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions. -1. Get the offboarding package from [Windows Defender Security Center](https://securitycenter.windows.com/): +1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Offboarding**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md index 9b0d319050..88cd708b56 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md @@ -35,7 +35,7 @@ You can also manually onboard individual machines to Microsoft Defender ATP. You > The script has been optimized to be used on a limited number of machines (1-10 machines). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Onboard Window 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). ## Onboard machines -1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Windows Defender Security Center](https://securitycenter.windows.com/): +1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Onboarding**. @@ -67,7 +67,7 @@ For information on how you can manually validate that the machine is compliant a > After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md). ## Configure sample collection settings -For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Windows Defender Security Center to submit a file for deep analysis. +For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Microsoft Defender Security Center to submit a file for deep analysis. You can manually configure the sample sharing setting on the machine by using *regedit* or creating and running a *.reg* file. @@ -93,7 +93,7 @@ For security reasons, the package used to Offboard machines will expire 30 days > [!NOTE] > Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions. -1. Get the offboarding package from [Windows Defender Security Center](https://securitycenter.windows.com/): +1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Offboarding**. @@ -127,7 +127,7 @@ You can follow the different verification steps in the [Troubleshoot onboarding Monitoring can also be done directly on the portal, or by using the different deployment tools. ### Monitor machines using the portal -1. Go to Windows Defender Security Center. +1. Go to Microsoft Defender Security Center. 2. Click **Machines list**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md index be05604d0b..95c0a67fb9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md @@ -43,7 +43,7 @@ You can onboard VDI machines using a single entry or multiple entries for each m >[!WARNING] > For environments where there are low resource configurations, the VDI boot proceedure might slow the Microsoft Defender ATP sensor onboarding. -1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Windows Defender Security Center](https://securitycenter.windows.com/): +1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Onboarding**. @@ -83,8 +83,8 @@ You can onboard VDI machines using a single entry or multiple entries for each m d. Logon to machine with another user. - e. **For single entry for each machine**: Check only one entry in Windows Defender Security Center.
- **For multiple entries for each machine**: Check multiple entries in Windows Defender Security Center. + e. **For single entry for each machine**: Check only one entry in Microsoft Defender Security Center.
+ **For multiple entries for each machine**: Check multiple entries in Microsoft Defender Security Center. 7. Click **Machines list** on the Navigation pane. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md index 0f0180a75a..cc7fc9a6ee 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md @@ -68,7 +68,7 @@ You'll start receiving targeted attack notification from Microsoft Threat Expert ## Ask a Microsoft threat expert about suspicious cybersecurity activities in your organization -You can partner with Microsoft Threat Experts who can be engaged directly from within the Windows Defender Security Center for timely and accurate response. Experts provide insights needed to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard. +You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights needed to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard. 1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before raising an inquiry. 2. From the upper right-hand menu, click **?**, then select **Ask a threat expert**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md index 3dd2f86f1f..abe48eeec7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md @@ -35,7 +35,7 @@ You'll need to take the following configuration steps to enable the managed secu > - MSSP customers: Organizations that engage the services of MSSPs. The integration will allow MSSPs to take the following actions: -- Get access to MSSP customer's Windows Defender Security Center portal +- Get access to MSSP customer's Microsoft Defender Security Center portal - Get email notifications, and - Fetch alerts through security information and event management (SIEM) tools @@ -46,7 +46,7 @@ Typically, MSSP customers take the initial configuration steps to grant MSSPs ac In general, the following configuration steps need to be taken: -- **Grant the MSSP access to Windows Defender Security Center**
+- **Grant the MSSP access to Microsoft Defender Security Center**
This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Microsoft Defender ATP tenant. - **Configure alert notifications sent to MSSPs**
@@ -65,21 +65,21 @@ This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs. > These set of steps are directed towards the MSSP customer.
> Access to the portal can only be done by the MSSP customer. -As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Windows Defender Security Center. +As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Microsoft Defender Security Center. Authentication and authorization of the MSSP user is built on top of Azure Active Directory (Azure AD) B2B functionality. You'll need to take the following 2 steps: - Add MSSP user to your tenant as a guest user -- Grant MSSP user access to Windows Defender Security Center +- Grant MSSP user access to Microsoft Defender Security Center ### Add MSSP user to your tenant as a guest user Add a user who is a member of the MSSP tenant to your tenant as a guest user. To grant portal access to the MSSP, you must add the MSSP user to your Azure AD as a guest user. For more information, see [Add Azure Active Directory B2B collaboration users in the Azure portal](https://docs.microsoft.com/azure/active-directory/b2b/add-users-administrator). -### Grant MSSP user access to Windows Defender Security Center -Grant the guest user access and permissions to your Windows Defender Security Center tenant. +### Grant MSSP user access to Microsoft Defender Security Center +Grant the guest user access and permissions to your Microsoft Defender Security Center tenant. Granting access to guest user is done the same way as granting access to a user who is a member of your tenant. @@ -94,12 +94,12 @@ It is recommended that groups are created for MSSPs to make authorization access As a MSSP customer, you can always remove or modify the permissions granted to the MSSP by updating the Azure AD user groups. -## Access the Windows Defender Security Center MSSP customer portal +## Access the Microsoft Defender Security Center MSSP customer portal >[!NOTE] >These set of steps are directed towards the MSSP. -By default, MSSP customers access their Windows Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`. +By default, MSSP customers access their Microsoft Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`. MSSPs however, will need to use a tenant-specific URL in the following format: `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal. @@ -142,7 +142,7 @@ Step 1: Create a third-party application Step 2: Get access and refresh tokens from your customer's tenant -Step 3: Whitelist your application on Windows Defender Security Center +Step 3: Whitelist your application on Microsoft Defender Security Center @@ -257,8 +257,8 @@ After providing your credentials, you'll need to grant consent to the applicatio 8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector. -### Step 3: Whitelist your application on Windows Defender Security Center -You'll need to whitelist the application you created in Windows Defender Security Center. +### Step 3: Whitelist your application on Microsoft Defender Security Center +You'll need to whitelist the application you created in Microsoft Defender Security Center. You'll need to have **Manage portal system settings** permission to whitelist the application. Otherwise, you'll need to request your customer to whitelist the application for you. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index b247126bb2..5150173b16 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -31,7 +31,7 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configserver-abovefoldlink) -Microsoft Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Windows Defender Security Center console. +Microsoft Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Microsoft Defender Security Center console. The service supports the onboarding of the following servers: - Windows Server 2012 R2 @@ -47,7 +47,7 @@ For a practical guidance on what needs to be in place for licensing and infrastr There are two options to onboard Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender ATP: - **Option 1**: Onboard through Azure Security Center -- **Option 2**: Onboard through Windows Defender Security Center +- **Option 2**: Onboard through Microsoft Defender Security Center ### Option 1: Onboard servers through Azure Security Center 1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. @@ -58,15 +58,15 @@ There are two options to onboard Windows Server 2012 R2 and Windows Server 2016 4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp). -### Option 2: Onboard servers through Windows Defender Security Center -You'll need to tak the following steps if you choose to onboard servers through Windows Defender Security Center. +### Option 2: Onboard servers through Microsoft Defender Security Center +You'll need to tak the following steps if you choose to onboard servers through Microsoft Defender Security Center. - For Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients. >[!NOTE] >This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2. -- Turn on server monitoring from Windows Defender Security Center. +- Turn on server monitoring from Microsoft Defender Security Center. - If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), simply attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multi Homing support. Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). >[!TIP] @@ -83,7 +83,7 @@ The following steps are required to enable this integration: - Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting -### Turn on Server monitoring from the Windows Defender Security Center portal +### Turn on Server monitoring from the Microsoft Defender Security Center portal 1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. @@ -174,7 +174,7 @@ The following capabilities are included in this integration: > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016. - Servers monitored by Azure Security Center will also be available in Microsoft Defender ATP - Azure Security Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across clients and servers. In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center console. -- Server investigation - Azure Security Center customers can access Windows Defender Security Center to perform detailed investigation to uncover the scope of a potential breach +- Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach >[!IMPORTANT] >- When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created. The Microsoft Defender ATP data is stored in Europe by default. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md index 9c544f5795..1cc071a515 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md @@ -58,6 +58,6 @@ Topic | Description [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools. [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Microsoft Defender ATP alerts. [Configure HP ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP alerts. -[Microsoft Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to Windows Defender Security Center. +[Microsoft Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center. [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Microsoft Defender ATP using REST API. [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) | Address issues you might encounter when using the SIEM integration feature. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md index bb3e6d4f5b..a59e0fb017 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md @@ -1,6 +1,6 @@ --- title: Configure Splunk to pull Microsoft Defender ATP alerts -description: Configure Splunk to receive and pull alerts from Windows Defender Security Center. +description: Configure Splunk to receive and pull alerts from Microsoft Defender Security Center. keywords: configure splunk, security information and events management tools, splunk search.product: eADQiWindows 10XVcnh search.appverid: met150 diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md b/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md index 552a856b66..8da5ea770d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md @@ -137,7 +137,7 @@ Content-Type: application/json; } ``` -The following values correspond to the alert sections surfaced on Windows Defender Security Center: +The following values correspond to the alert sections surfaced on Microsoft Defender Security Center: ![Image of alert from the portal](images/atp-custom-ti-mapping.png) Highlighted section | JSON key name diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti.md b/windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti.md index c90107793c..d450893080 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti.md @@ -29,7 +29,7 @@ ms.date: 04/24/2018 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablecustomti-abovefoldlink) -Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through Windows Defender Security Center. +Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through Microsoft Defender Security Center. 1. In the navigation pane, select **Settings** > **Threat intel**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md index a5099be0b4..333a44a06f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md @@ -26,7 +26,7 @@ ms.date: 12/10/2018 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablesiem-abovefoldlink) -Enable security information and event management (SIEM) integration so you can pull alerts from Windows Defender Security Center using your SIEM solution or by connecting directly to the alerts REST API. +Enable security information and event management (SIEM) integration so you can pull alerts from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the alerts REST API. ## Prerequisites - The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is typically someone with a **Global administrator** role. @@ -64,7 +64,7 @@ Enable security information and event management (SIEM) integration so you can p > [!NOTE] > You'll need to generate a new Refresh token every 90 days. -You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from Windows Defender Security Center. +You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from Microsoft Defender Security Center. ## Integrate Microsoft Defender ATP with IBM QRadar You can configure IBM QRadar to collect alerts from Microsoft Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1). diff --git a/windows/security/threat-protection/microsoft-defender-atp/experiment-custom-ti.md b/windows/security/threat-protection/microsoft-defender-atp/experiment-custom-ti.md index b89eeb886a..b6eee8768f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/experiment-custom-ti.md +++ b/windows/security/threat-protection/microsoft-defender-atp/experiment-custom-ti.md @@ -141,7 +141,7 @@ This step will guide you in simulating an event in connection to a malicious IP ## Step 4: Explore the custom alert in the portal This step will guide you in exploring the custom alert in the portal. -1. Open [Windows Defender Security Center](http://securitycenter.windows.com/) on a browser. +1. Open [Microsoft Defender Security Center](http://securitycenter.windows.com/) on a browser. 2. Log in with your Microsoft Defender ATP credentials. diff --git a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealhty-sensors.md b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealhty-sensors.md index 25198b66e2..ba0614caa3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealhty-sensors.md +++ b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealhty-sensors.md @@ -39,7 +39,7 @@ An inactive machine is not necessarily flagged due to an issue. The following ac If the machine has not been in use for more than 7 days for any reason, it will remain in an ‘Inactive’ status in the portal. **Machine was reinstalled or renamed**
-A reinstalled or renamed machine will generate a new machine entity in Windows Defender Security Center. The previous machine entity will remain with an ‘Inactive’ status in the portal. If you reinstalled a machine and deployed the Microsoft Defender ATP package, search for the new machine name to verify that the machine is reporting normally. +A reinstalled or renamed machine will generate a new machine entity in Microsoft Defender Security Center. The previous machine entity will remain with an ‘Inactive’ status in the portal. If you reinstalled a machine and deployed the Microsoft Defender ATP package, search for the new machine name to verify that the machine is reporting normally. **Machine was offboarded**
If the machine was offboarded it will still appear in machines list. After 7 days, the machine health state should change to inactive. diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-started.md b/windows/security/threat-protection/microsoft-defender-atp/get-started.md index f5a6fa236f..cc12829160 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-started.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-started.md @@ -47,7 +47,7 @@ In conjunction with being able to quickly respond to advanced attacks, Microsoft Microsoft Defender ATP provides a security posture capability to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security state of your network. **Advanced hunting**
-Advanced hunting allows you to hunt for possible threats across your organization using a powerful search and query tool. You can also create custom detection rules based on the queries you created and surface alerts in Windows Defender Security Center. +Advanced hunting allows you to hunt for possible threats across your organization using a powerful search and query tool. You can also create custom detection rules based on the queries you created and surface alerts in Microsoft Defender Security Center. **Management and APIs**
Integrate Microsoft Defender Advanced Threat Protection into your existing workflows. @@ -64,4 +64,4 @@ Topic | Description [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) | Explains the data storage and privacy details related to Microsoft Defender ATP. [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md) | Set permissions to manage who can access the portal. You can set basic permissions or set granular permissions using role-based access control (RBAC). [Evaluate Microsoft Defender ATP](evaluate-atp.md) | Evaluate the various capabilities in Microsoft Defender ATP and test features out. -[Access the Windows Defender Security Center Community Center](community-windows-defender-advanced-threat-protection.md) | The Microsoft Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product. \ No newline at end of file +[Access the Microsoft Defender Security Center Community Center](community-windows-defender-advanced-threat-protection.md) | The Microsoft Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product. \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md index f594da75a4..fad5873fe4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md @@ -38,7 +38,7 @@ Microsoft Defender ATP applies two methods to discover and protect data: ## Data discovery -Microsoft Defender ATP automatically discovers files with sensitivity labels on Windows devices when the feature is enabled. You can enable the Azure Information Protection integration feature from Windows Defender Security Center. For more information, see [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md#azure-information-protection). +Microsoft Defender ATP automatically discovers files with sensitivity labels on Windows devices when the feature is enabled. You can enable the Azure Information Protection integration feature from Microsoft Defender Security Center. For more information, see [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md#azure-information-protection). ![Image of settings page with Azure Information Protection](images/atp-settings-aip.png) @@ -78,8 +78,8 @@ InformationProtectionLogs_CL **Prerequisites:** - Customers must have a subscription for Azure Information Protection. -- Enable Azure Information Protection integration in Windows Defender Security Center: - - Go to **Settings** in Windows Defender Security Center, click on **Advanced Settings** under **General**. +- Enable Azure Information Protection integration in Microsoft Defender Security Center: + - Go to **Settings** in Microsoft Defender Security Center, click on **Advanced Settings** under **General**. ## Data protection diff --git a/windows/security/threat-protection/microsoft-defender-atp/licensing.md b/windows/security/threat-protection/microsoft-defender-atp/licensing.md index efbcf00dab..1011ef2e74 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/licensing.md +++ b/windows/security/threat-protection/microsoft-defender-atp/licensing.md @@ -51,9 +51,9 @@ To gain access into which licenses are provisioned to your company, and to check ![Image of O365 admin portal](images\atp-O365-admin-portal-customer.png) -## Access Windows Defender Security Center for the first time +## Access Microsoft Defender Security Center for the first time -When accessing [Windows Defender Security Center](https://SecurityCenter.Windows.com) for the first time there will be a setup wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Microsoft Defender ATP created. +When accessing [Microsoft Defender Security Center](https://SecurityCenter.Windows.com) for the first time there will be a setup wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Microsoft Defender ATP created. 1. Each time you access the portal you will need to validate that you are authorized to access the product. This **Set up your permissions** step will only be available if you are not currently authorized to access the product. @@ -65,7 +65,7 @@ When accessing [Windows Defender Security Center](https://SecurityCenter.Windows ![Image of Welcome screen for portal set up](images\welcome1.png) - You will need to set up your preferences for Windows Defender Security Center. + You will need to set up your preferences for Microsoft Defender Security Center. 3. Set up preferences @@ -98,11 +98,11 @@ When accessing [Windows Defender Security Center](https://SecurityCenter.Windows 4. You will receive a warning notifying you that you won't be able to change some of your preferences once you click **Continue**. > [!NOTE] - > Some of these options can be changed at a later time in Windows Defender Security Center. + > Some of these options can be changed at a later time in Microsoft Defender Security Center. ![Image of final preference set up](images\setup-preferences2.png) -5. A dedicated cloud instance of Windows Defender Security Center is being created at this time. This step will take an average of 5 minutes to complete. +5. A dedicated cloud instance of Microsoft Defender Security Center is being created at this time. This step will take an average of 5 minutes to complete. ![Image of Microsoft Defender ATP cloud instance](images\creating-account.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md index 85be05b201..6aafe49de3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md @@ -41,7 +41,7 @@ If an alert is no yet assigned, you can select **Assign to me** to assign the al ## Suppress alerts -There might be scenarios where you need to suppress alerts from appearing in Windows Defender Security Center. Microsoft Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. +There might be scenarios where you need to suppress alerts from appearing in Microsoft Defender Security Center. Microsoft Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. Suppression rules can be created from an existing alert. They can be disabled and reenabled if needed. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md index fa2c696f10..92c91b1b6f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md @@ -1,5 +1,5 @@ --- -title: Learn about the automated investigations dashboard in Windows Defender Security Center +title: Learn about the automated investigations dashboard in Microsoft Defender Security Center description: View the list of automated investigations, its status, detection source and other details. keywords: autoir, automated, investigation, detection, dashboard, source, threat types, id, tags, machines, duration, filter export search.product: eADQiWindows 10XVcnh diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md index b430f21281..84835dc6f5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md @@ -26,7 +26,7 @@ Manage the alerts queue, investigate machines in the machines list, take respons ## In this section Topic | Description :---|:--- -[Alerts queue](alerts-queue-endpoint-detection-response.md)| View the alerts surfaced in Windows Defender Security Center. +[Alerts queue](alerts-queue-endpoint-detection-response.md)| View the alerts surfaced in Microsoft Defender Security Center. [Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) | Learn how you can view and manage the machines list, manage machine groups, and investigate machine related alerts. [Take response actions](response-actions-windows-defender-advanced-threat-protection.md)| Take response actions on machines and files to quickly respond to detected attacks and contain threats. [Query data using advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md)| Proactively hunt for possible threats across your organization using a powerful search and query tool. \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md index f8990f3871..36122f938c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md @@ -37,7 +37,7 @@ The integration provides the following major improvements to the existing Cloud - Available everywhere - Since the network activity is collected directly from the endpoint, it's available wherever the device is, on or off corporate network, as it's no longer depended on traffic routed through the enterprise firewall or proxy servers. -- Works out of the box, no configuration required - Forwarding cloud traffic logs to Cloud App Security requires firewall and proxy server configuration. With the Microsoft Defender ATP and Cloud App Security integration, there's no configuration required. Just switch it on in Windows Defender Security Center settings and you're good to go. +- Works out of the box, no configuration required - Forwarding cloud traffic logs to Cloud App Security requires firewall and proxy server configuration. With the Microsoft Defender ATP and Cloud App Security integration, there's no configuration required. Just switch it on in Microsoft Defender Security Center settings and you're good to go. - Device context - Cloud traffic logs lack device context. Microsoft Defender ATP network activity is reported with the device context (which device accessed the cloud app), so you are able to understand exactly where (device) the network activity took place, in addition to who (user) performed it. diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md index 4b2be0215b..1e661e11f1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md @@ -116,7 +116,7 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf ## In this section -To help you maximize the effectiveness of the security platform, you can configure individual capabilities that surface in Windows Defender Security Center. +To help you maximize the effectiveness of the security platform, you can configure individual capabilities that surface in Microsoft Defender Security Center. Topic | Description :---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md index 652eaf3652..5541a2edb5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md @@ -36,7 +36,7 @@ Microsoft Threat Experts provides proactive hunting for the most important threa - Scope of compromise and as much context as can be quickly delivered to enable fast SOC response. ## Collaborate with experts, on demand -Customers can engage our security experts directly from within Windows Defender Security Center for timely and accurate response. Experts provide insights needed to better understand the complex threats affecting your organization, from alert inquiries, potentially compromised machines, root cause of a suspicious network connection, to additional threat intelligence regarding ongoing advanced persistent threat campaigns. With this capability, you can: +Customers can engage our security experts directly from within Microsoft Defender Security Center for timely and accurate response. Experts provide insights needed to better understand the complex threats affecting your organization, from alert inquiries, potentially compromised machines, root cause of a suspicious network connection, to additional threat intelligence regarding ongoing advanced persistent threat campaigns. With this capability, you can: - Get additional clarification on alerts including root cause or scope of the incident - Gain clarity into suspicious machine behavior and next steps if faced with an advanced attacker - Determine risk and protection regarding threat actors, campaigns, or emerging attacker techniques diff --git a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md index 33e5a03df9..71bf5122da 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md @@ -35,7 +35,7 @@ To address this demand, managed security service providers (MSSP) offer to deliv Microsoft Defender ATP adds support for this scenario and to allow MSSPs to take the following actions: -- Get access to MSSP customer's Windows Defender Security Center portal +- Get access to MSSP customer's Microsoft Defender Security Center portal - Get email notifications, and - Fetch alerts through security information and event management (SIEM) tools diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md index 353ee5e12b..61dc191dc5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md @@ -163,7 +163,7 @@ Topic | Description [Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)| Onboard Windows 7 and Windows 8.1 machines to Microsoft Defender ATP. [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to onboard machines for it to report to the Microsoft Defender ATP service. Learn about the tools and methods you can use to configure machines in your enterprise. [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender ATP -[Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) | Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products' sensor data. +[Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) | Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products' sensor data. [Run a detection test on a newly onboarded machine](run-detection-test-windows-defender-advanced-threat-protection.md) | Run a script on a newly onboarded machine to verify that it is properly reporting to the Microsoft Defender ATP service. [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Microsoft Defender ATP cloud service by configuring the proxy and Internet connectivity settings. [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding. diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard.md b/windows/security/threat-protection/microsoft-defender-atp/onboard.md index 9bb3eaa985..582233db3c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard.md @@ -34,7 +34,7 @@ Topic | Description [Configure Secure score dashboard security controls](secure-score-dashboard-windows-defender-advanced-threat-protection.md) | Configure the security controls in Secure score to increase the security posture of your organization. Configure Microsoft Threat Protection integration| Configure other solutions that integrate with Microsoft Defender ATP. Management and API support| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports. -[Configure Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Configure portal related settings such as general settings, advanced features, enable the preview experience and others. +[Configure Microsoft Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Configure portal related settings such as general settings, advanced features, enable the preview experience and others. diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md index 8101a199e5..37f04e38cb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md @@ -27,7 +27,7 @@ ms.date: 10/29/2018 Alerts in Microsoft Defender ATP are surfaced through the system based on signals gathered from endpoints. With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. -Custom detections are queries that run periodically every 24 hours and can be configured so that when the query meets the criteria you set, alerts are created and are surfaced in Windows Defender Security Center. These alerts will be treated like any other alert in the system. +Custom detections are queries that run periodically every 24 hours and can be configured so that when the query meets the criteria you set, alerts are created and are surfaced in Microsoft Defender Security Center. These alerts will be treated like any other alert in the system. This capability is particularly useful for scenarios when you want to pro-actively prevent threats and be notified quickly of emerging threats. diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-hunting.md b/windows/security/threat-protection/microsoft-defender-atp/overview-hunting.md index 6742a95514..b6d5d31b21 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-hunting.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-hunting.md @@ -22,7 +22,7 @@ ms.date: 09/12/2018 **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Advanced hunting allows you to hunt for possible threats across your organization using a powerful search and query tool. You can also create custom detection rules based on the queries you created and surface alerts in Windows Defender Security Center. +Advanced hunting allows you to hunt for possible threats across your organization using a powerful search and query tool. You can also create custom detection rules based on the queries you created and surface alerts in Microsoft Defender Security Center. With advanced hunting, you can take advantage of the following capabilities: diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md index 3d27aa1319..f1b31e4f2a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md @@ -1,5 +1,5 @@ --- -title: Overview of Secure score in Windows Defender Security Center +title: Overview of Secure score in Microsoft Defender Security Center description: Expand your visibility into the overall security posture of your organization keywords: secure score, security controls, improvement opportunities, security score over time, score, posture, baseline search.product: eADQiWindows 10XVcnh @@ -18,7 +18,7 @@ ms.topic: conceptual ms.date: 09/03/2018 --- -# Overview of Secure score in Windows Defender Security Center +# Overview of Secure score in Microsoft Defender Security Center **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview.md b/windows/security/threat-protection/microsoft-defender-atp/overview.md index 84d99f3816..0bfb1b24c9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview.md @@ -41,7 +41,7 @@ Topic | Description [Advanced hunting](overview-hunting-windows-defender-advanced-threat-protection.md) | Use a powerful search and query language to create custom queries and detection rules. [Management and APIs](management-apis.md) | Microsoft Defender ATP supports a wide variety of tools to help you manage and interact with the platform so that you can integrate the service into your existing workflows. [Microsoft Threat Protection](threat-protection-integration.md) | Microsoft security products work better together. Learn about other security capabilities in the Microsoft threat protection stack. -[Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) |Learn to navigate your way around Windows Defender Security Center. +[Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) |Learn to navigate your way around Microsoft Defender Security Center. diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md index 7a4701750d..2a989a87e4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md @@ -1,7 +1,7 @@ --- title: Microsoft Defender Advanced Threat Protection portal overview -description: Use Windows Defender Security Center to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches. -keywords: Windows Defender Security Center, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines list, settings, machine management, advanced attacks +description: Use Microsoft Defender Security Center to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches. +keywords: Microsoft Defender Security Center, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines list, settings, machine management, advanced attacks search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -27,14 +27,14 @@ ms.date: 04/24/2018 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) -Enterprise security teams can use Windows Defender Security Center to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches. +Enterprise security teams can use Microsoft Defender Security Center to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches. -You can use [Windows Defender Security Center](https://securitycenter.windows.com/) to: +You can use [Microsoft Defender Security Center](https://securitycenter.windows.com/) to: - View, sort, and triage alerts from your endpoints - Search for more information on observed indicators such as files and IP Addresses - Change Microsoft Defender ATP settings, including time zone and review licensing information. -## Windows Defender Security Center +## Microsoft Defender Security Center When you open the portal, you’ll see the main areas of the application: ![Microsoft Defender Advanced Threat Protection portal](images/dashboard.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md index 0d4640bbf3..46ffbdcef5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md +++ b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md @@ -41,7 +41,7 @@ You can easily get started by: - Creating a dashboard on the Power BI service - Building a custom dashboard on Power BI Desktop and tweaking it to fit the visual analytics and reporting requirements of your organization -You can access these options from Windows Defender Security Center. Both the Power BI service and Power BI Desktop are supported. +You can access these options from Microsoft Defender Security Center. Both the Power BI service and Power BI Desktop are supported. ## Create a Microsoft Defender ATP dashboard on Power BI service Microsoft Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal. @@ -133,7 +133,7 @@ You can create a custom dashboard in Power BI Desktop to create visualizations t ### Before you begin 1. Make sure you use Power BI Desktop June 2017 and above. [Download the latest version](https://powerbi.microsoft.com/en-us/desktop/). -2. In the Windows Defender Security Center navigation pane, select **Settings** > **Power BI reports**. +2. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Power BI reports**. ![Image of settings Power BI reports](images/atp-settings-powerbi.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md index d9035a183b..72c0e3c1e6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md @@ -1,5 +1,5 @@ --- -title: Configure Windows Defender Security Center settings +title: Configure Microsoft Defender Security Center settings description: Use the settings page to configure general settings, permissions, apis, and rules. keywords: settings, general settings, permissions, apis, rules search.product: eADQiWindows 10XVcnh @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: article ms.date: 04/24/2018 --- -# Configure Windows Defender Security Center settings +# Configure Microsoft Defender Security Center settings **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md index a91e2ea546..41c78cc6f9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md @@ -45,7 +45,7 @@ The _Client credential flow_ uses client credentials to authenticate against the Use the following method in the Microsoft Defender ATP API to pull alerts in JSON format. >[!NOTE] ->Windows Defender Security Center merges similar alert detections into a single alert. This API pulls alert detections in its raw form based on the query parameters you set, enabling you to apply your own grouping and filtering. +>Microsoft Defender Security Center merges similar alert detections into a single alert. This API pulls alert detections in its raw form based on the query parameters you set, enabling you to apply your own grouping and filtering. ## Before you begin - Before calling the Microsoft Defender ATP endpoint to pull alerts, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md). @@ -111,7 +111,7 @@ string ago | string | Pulls alerts in the following time range: from `(current_t int?limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.

**NOTE**: When not specified, all alerts available in the time range will be retrieved. machinegroups | String | Specifies machine groups to pull alerts from.

**NOTE**: When not specified, alerts from all machine groups will be retrieved.

Example:

```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines``` DeviceCreatedMachineTags | string | Single machine tag from the registry. -CloudCreatedMachineTags | string | Machine tags that were created in Windows Defender Security Center. +CloudCreatedMachineTags | string | Machine tags that were created in Microsoft Defender Security Center. ### Request example The following example demonstrates how to retrieve all the alerts in your organization. diff --git a/windows/security/threat-protection/microsoft-defender-atp/rbac.md b/windows/security/threat-protection/microsoft-defender-atp/rbac.md index b5a8ca5ce4..1fa86fd35c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/rbac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/rbac.md @@ -1,5 +1,5 @@ --- -title: Use role-based access control to grant fine-grained access to Windows Defender Security Center +title: Use role-based access control to grant fine-grained access to Microsoft Defender Security Center description: Create roles and groups within your security operations to grant access to the portal. keywords: rbac, role, based, access, control, groups, control, tier, aad search.product: eADQiWindows 10XVcnh @@ -55,12 +55,12 @@ Before using RBAC, it's important that you understand the roles that can grant p > [!WARNING] > Before enabling the feature, it's important that you have a Global Administrator role or Security Administrator role in Azure AD and that you have your Azure AD groups ready to reduce the risk of being locked out of the portal. -When you first log in to Windows Defender Security Center, you're granted either full access or read only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read only access is granted to users with a Security Reader role in Azure AD. +When you first log in to Microsoft Defender Security Center, you're granted either full access or read only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read only access is granted to users with a Security Reader role in Azure AD. Someone with a Microsoft Defender ATP Global administrator role has unrestricted access to all machines, regardless of their machine group association and the Azure AD user groups assignments > [!WARNING] -> Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign roles in Windows Defender Security Center, therefore, having the right groups ready in Azure AD is important. +> Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign roles in Microsoft Defender Security Center, therefore, having the right groups ready in Azure AD is important. > > **Turning on role-based access control will cause users with read-only permissions (for example, users assigned to Azure AD Security reader role) to lose access until they are assigned to a role.** > diff --git a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md index eea36cb084..97e6cbec7e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md @@ -1,5 +1,5 @@ --- -title: Windows Defender Security Center Security operations dashboard +title: Microsoft Defender Security Center Security operations dashboard description: Use the dashboard to identify machines at risk, keep track of the status of the service, and see statistics and information about machines and alerts. keywords: dashboard, alerts, new, in progress, resolved, risk, machines at risk, infections, reporting, statistics, charts, graphs, health, active malware detections, threat category, categories, password stealer, ransomware, exploit, threat, low severity, active malware search.product: eADQiWindows 10XVcnh @@ -18,7 +18,7 @@ ms.topic: conceptual ms.date: 09/04/2018 --- -# Windows Defender Security Center Security operations dashboard +# Microsoft Defender Security Center Security operations dashboard **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md index a2617401bd..5dcfc7b1e4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md @@ -1,5 +1,5 @@ --- -title: Windows Defender Security Center time zone settings +title: Microsoft Defender Security Center time zone settings description: Use the menu to configure the time zone and view license information. keywords: settings, Windows Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license search.product: eADQiWindows 10XVcnh @@ -18,7 +18,7 @@ ms.topic: article ms.date: 02/13/2018 --- -# Windows Defender Security Center time zone settings +# Microsoft Defender Security Center time zone settings **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md index 01557d7ec5..64c4946662 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md @@ -31,11 +31,11 @@ ms.date: 08/01/2018 This page provides detailed steps to troubleshoot issues that might occur when setting up your Microsoft Defender ATP service. -If you receive an error message, Windows Defender Security Center will provide a detailed explanation on what the issue is and relevant links will be supplied. +If you receive an error message, Microsoft Defender Security Center will provide a detailed explanation on what the issue is and relevant links will be supplied. ## No subscriptions found -If while accessing Windows Defender Security Center you get a **No subscriptions found** message, it means the Azure Active Directory (AAD) used to login the user to the portal, does not have a Microsoft Defender ATP license. +If while accessing Microsoft Defender Security Center you get a **No subscriptions found** message, it means the Azure Active Directory (AAD) used to login the user to the portal, does not have a Microsoft Defender ATP license. Potential reasons: - The Windows E5 and Office E5 licenses are separate licenses. @@ -50,7 +50,7 @@ For both cases you should contact Microsoft support at [General Microsoft Defend ## Your subscription has expired -If while accessing Windows Defender Security Center you get a **Your subscription has expired** message, your online service subscription has expired. Microsoft Defender ATP subscription, like any other online service subscription, has an expiration date. +If while accessing Microsoft Defender Security Center you get a **Your subscription has expired** message, your online service subscription has expired. Microsoft Defender ATP subscription, like any other online service subscription, has an expiration date. You can choose to renew or extend the license at any point in time. When accessing the portal after the expiration date a **Your subscription has expired** message will be presented with an option to download the machine offboarding package, should you choose to not renew the license. diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot.md index 655895b298..b5201a5814 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot.md @@ -27,7 +27,7 @@ If you encounter a server error when trying to access the service, you’ll need Configure your browser to allow cookies. ## Elements or data missing on the portal -If some UI elements or data is missing on Windows Defender Security Center it’s possible that proxy settings are blocking it. +If some UI elements or data is missing on Microsoft Defender Security Center it’s possible that proxy settings are blocking it. Make sure that `*.securitycenter.windows.com` is included the proxy whitelist. diff --git a/windows/security/threat-protection/microsoft-defender-atp/use-custom-ti.md b/windows/security/threat-protection/microsoft-defender-atp/use-custom-ti.md index f8109a93b6..580beea62a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/use-custom-ti.md +++ b/windows/security/threat-protection/microsoft-defender-atp/use-custom-ti.md @@ -36,7 +36,7 @@ You can use the code examples to guide you in creating calls to the custom threa Topic | Description :---|:--- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) | Understand the concepts around threat intelligence so that you can effectively create custom intelligence for your organization. -[Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) | Set up the custom threat intelligence application through Windows Defender Security Center so that you can create custom threat intelligence (TI) using REST API. +[Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) | Set up the custom threat intelligence application through Microsoft Defender Security Center so that you can create custom threat intelligence (TI) using REST API. [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md) | Create custom threat intelligence alerts so that you can generate specific alerts that are applicable to your organization. [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) | Use the PowerShell code examples to guide you in using the custom threat intelligence API. [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) | Use the Python code examples to guide you in using the custom threat intelligence API. diff --git a/windows/security/threat-protection/microsoft-defender-atp/use.md b/windows/security/threat-protection/microsoft-defender-atp/use.md index 94b1666439..2f1fff7f2e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/use.md +++ b/windows/security/threat-protection/microsoft-defender-atp/use.md @@ -1,6 +1,6 @@ --- -title: Overview of Windows Defender Security Center -description: Learn about the features on Windows Defender Security Center, including how alerts work, and suggestions on how to investigate possible breaches and attacks. +title: Overview of Microsoft Defender Security Center +description: Learn about the features on Microsoft Defender Security Center, including how alerts work, and suggestions on how to investigate possible breaches and attacks. keywords: dashboard, alerts queue, manage alerts, investigation, investigate alerts, investigate machines, submit files, deep analysis, high, medium, low, severity, ioc, ioa search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -18,7 +18,7 @@ ms.topic: conceptual ms.date: 03/12/2018 --- -# Overview of Windows Defender Security Center +# Overview of Microsoft Defender Security Center **Applies to:** @@ -26,7 +26,7 @@ ms.date: 03/12/2018 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-usewdatp-abovefoldlink) -Windows Defender Security Center is the portal where you can access Microsoft Defender Advanced Threat Protection capabilities. +Microsoft Defender Security Center is the portal where you can access Microsoft Defender Advanced Threat Protection capabilities. Use the **Security operations** dashboard to gain insight on the various alerts on machines and users in your network. diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md index 152c31812c..2c305c28e0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md +++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md @@ -26,7 +26,7 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-roles-abovefoldlink) ## Create roles and assign the role to an Azure Active Directory group -The following steps guide you on how to create roles in Windows Defender Security Center. It assumes that you have already created Azure Active Directory user groups. +The following steps guide you on how to create roles in Microsoft Defender Security Center. It assumes that you have already created Azure Active Directory user groups. 1. In the navigation pane, select **Settings > Roles**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md index af06ab295c..93ec317ca9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md @@ -55,7 +55,7 @@ The following capabilities are generally available (GA). - [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)
Microsoft Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers. -- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)
Microsoft Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. +- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)
Microsoft Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Microsoft Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. - [Removable device control](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/)
Microsoft Defender ATP provides multiple monitoring and control features to help prevent threats from removable devices, including new settings to allow or block specific hardware IDs. @@ -123,7 +123,7 @@ Query data using Advanced hunting in Microsoft Defender ATP. You can now block untrusted processes from writing to disk sectors using Controlled Folder Access. - [Onboard non-Windows machines](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection)
- Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows Defender Security Center and better protect your organization's network. + Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network. - [Role-based access control (RBAC)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection)
Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal. diff --git a/windows/security/threat-protection/microsoft-defender-atp/windows-defender-security-center-atp.md b/windows/security/threat-protection/microsoft-defender-atp/windows-defender-security-center-atp.md index 468fcd0924..af2106bf2b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/windows-defender-security-center-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/windows-defender-security-center-atp.md @@ -1,6 +1,6 @@ --- -title: Windows Defender Security Center -description: Windows Defender Security Center is the portal where you can access Microsoft Defender Advanced Threat Protection. +title: Microsoft Defender Security Center +description: Microsoft Defender Security Center is the portal where you can access Microsoft Defender Advanced Threat Protection. keywords: windows, defender, security, center, defender, advanced, threat, protection search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -18,9 +18,9 @@ ms.topic: conceptual ms.date: 07/01/2018 --- -# Windows Defender Security Center +# Microsoft Defender Security Center -Windows Defender Security Center is the portal where you can access Microsoft Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks. +Microsoft Defender Security Center is the portal where you can access Microsoft Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks. ## In this section @@ -30,10 +30,10 @@ Get started | Learn about the minimum requirements, validate licensing and com [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) | Learn about onboarding client, server, and non-Windows machines. Learn how to run a detection test, configure proxy and Internet connectivity settings, and how to troubleshoot potential onboarding issues. [Understand the portal](use-windows-defender-advanced-threat-protection.md) | Understand the Security operations, Secure Score, and Threat analytics dashboards as well as how to navigate the portal. Investigate and remediate threats | Investigate alerts, machines, and take response actions to remediate threats. -API and SIEM support | Use the supported APIs to pull and create custom alerts, or automate workflows. Use the supported SIEM tools to pull alerts from Windows Defender Security Center. +API and SIEM support | Use the supported APIs to pull and create custom alerts, or automate workflows. Use the supported SIEM tools to pull alerts from Microsoft Defender Security Center. Reporting | Create and build Power BI reports using Microsoft Defender ATP data. Check service health and sensor state | Verify that the service is running and check the sensor state on machines. -[Configure Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Configure general settings, turn on the preview experience, notifications, and enable other features. +[Configure Microsoft Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Configure general settings, turn on the preview experience, notifications, and enable other features. [Access the Microsoft Defender ATP Community Center](community-windows-defender-advanced-threat-protection.md) | Access the Microsoft Defender ATP Community Center to learn, collaborate, and share experiences about the product. [Troubleshoot service issues](troubleshoot-windows-defender-advanced-threat-protection.md) | This section addresses issues that might arise as you use the Windows Defender Advanced Threat service. From e52b3e7a87d8aac6cdf30d2503eb15b104106e10 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 15:04:55 -0700 Subject: [PATCH 117/492] remove -wdatp from within file links --- .../add-or-remove-machine-tags.md | 4 +- .../advanced-features.md | 12 +++--- .../advanced-hunting-reference.md | 4 +- .../advanced-hunting.md | 4 +- ...lerts-queue-endpoint-detection-response.md | 16 +++---- .../microsoft-defender-atp/alerts-queue.md | 16 +++---- .../api-portal-mapping.md | 12 +++--- .../assign-portal-access.md | 6 +-- .../attack-simulations.md | 6 +-- .../automated-investigations.md | 4 +- .../basic-permissions.md | 4 +- .../check-sensor-status.md | 4 +- .../collect-investigation-package.md | 4 +- .../microsoft-defender-atp/conditional.md | 4 +- .../configure-arcsight.md | 12 +++--- .../configure-email-notifications.md | 12 +++--- .../configure-endpoints-gp.md | 14 +++---- .../configure-endpoints-mdm.md | 14 +++---- .../configure-endpoints-non-windows.md | 8 ++-- .../configure-endpoints-sccm.md | 16 +++---- .../configure-endpoints-script.md | 20 ++++----- .../configure-endpoints-vdi.md | 10 ++--- .../configure-endpoints.md | 10 ++--- .../configure-mssp-support.md | 18 ++++---- .../configure-proxy-internet.md | 4 +- .../configure-server-endpoints.md | 16 +++---- .../microsoft-defender-atp/configure-siem.md | 22 +++++----- .../configure-splunk.md | 12 +++--- .../create-alert-by-reference.md | 4 +- .../microsoft-defender-atp/custom-ti-api.md | 20 ++++----- .../data-retention-settings.md | 10 ++--- .../enable-custom-ti.md | 14 +++---- .../enable-secure-score.md | 10 ++--- .../enable-siem-integration.md | 12 +++--- .../event-error-codes.md | 42 +++++++++---------- .../experiment-custom-ti.md | 16 +++---- .../exposed-apis-create-app-nativeapp.md | 2 +- .../find-machines-by-ip.md | 4 +- .../fix-unhealhty-sensors.md | 14 +++---- .../get-alert-info-by-id.md | 4 +- .../get-alert-related-domain-info.md | 4 +- .../get-alert-related-files-info.md | 4 +- .../get-alert-related-ip-info.md | 4 +- .../get-alert-related-machine-info.md | 4 +- .../get-alert-related-user-info.md | 4 +- .../microsoft-defender-atp/get-alerts.md | 4 +- .../get-domain-related-alerts.md | 4 +- .../get-domain-related-machines.md | 4 +- .../get-domain-statistics.md | 2 +- .../get-file-information.md | 2 +- .../get-file-related-alerts.md | 4 +- .../get-file-related-machines.md | 4 +- .../get-file-statistics.md | 2 +- .../get-ip-related-alerts.md | 4 +- .../get-ip-related-machines.md | 4 +- .../get-ip-statistics.md | 2 +- .../get-machine-by-id.md | 4 +- .../get-machine-log-on-users.md | 4 +- .../get-machine-related-alerts.md | 4 +- .../get-machineaction-object.md | 2 +- .../get-machineactions-collection.md | 2 +- .../microsoft-defender-atp/get-machines.md | 4 +- .../get-package-sas-uri.md | 4 +- .../microsoft-defender-atp/get-started.md | 12 +++--- .../get-user-related-alerts.md | 4 +- .../get-user-related-machines.md | 4 +- .../microsoft-defender-atp/incidents-queue.md | 4 +- ...ormation-protection-in-windows-overview.md | 2 +- .../initiate-autoir-investigation.md | 8 ++-- .../investigate-alerts.md | 18 ++++---- .../investigate-domain.md | 14 +++---- .../investigate-files.md | 18 ++++---- .../investigate-incidents.md | 6 +-- .../microsoft-defender-atp/investigate-ip.md | 14 +++---- .../investigate-machines.md | 30 ++++++------- .../investigate-user.md | 18 ++++---- .../is-domain-seen-in-org.md | 2 +- .../microsoft-defender-atp/is-ip-seen-org.md | 2 +- .../microsoft-defender-atp/isolate-machine.md | 6 +-- .../microsoft-defender-atp/licensing.md | 6 +-- .../microsoft-defender-atp/machine-groups.md | 10 ++--- .../microsoft-defender-atp/machine-reports.md | 2 +- .../microsoft-defender-atp/machine-tags.md | 4 +- .../machineactionsnote.md | 2 +- .../machines-view-overview.md | 6 +-- .../microsoft-defender-atp/manage-alerts.md | 18 ++++---- .../manage-allowed-blocked-list.md | 2 +- .../manage-auto-investigation.md | 2 +- .../manage-automation-allowed-blocked-list.md | 6 +-- .../manage-automation-file-uploads.md | 4 +- .../manage-automation-folder-exclusions.md | 4 +- .../microsoft-defender-atp/manage-edr.md | 6 +-- .../manage-incidents.md | 2 +- .../manage-suppression-rules.md | 4 +- .../microsoft-defender-atp/management-apis.md | 10 ++--- ...oft-defender-advanced-threat-protection.md | 4 +- .../minimum-requirements.md | 4 +- .../microsoft-defender-atp/mssp-support.md | 2 +- .../offboard-machine-api.md | 2 +- .../offboard-machines.md | 12 +++--- .../onboard-configure.md | 22 +++++----- .../onboard-downlevel.md | 4 +- .../microsoft-defender-atp/onboard.md | 4 +- .../overview-endpoint-detection-response.md | 8 ++-- .../overview-hunting.md | 2 +- .../overview-secure-score.md | 6 +-- .../microsoft-defender-atp/overview.md | 8 ++-- .../microsoft-defender-atp/portal-overview.md | 8 ++-- .../powershell-example-code.md | 12 +++--- .../preview-settings.md | 12 +++--- .../pull-alerts-using-rest-api.md | 12 +++--- .../python-example-code.md | 12 +++--- .../microsoft-defender-atp/rbac.md | 4 +- .../respond-file-alerts.md | 4 +- .../respond-machine-alerts.md | 2 +- .../response-actions.md | 4 +- .../restrict-code-execution.md | 6 +-- .../run-advanced-query-api.md | 4 +- .../microsoft-defender-atp/run-av-scan.md | 4 +- .../run-detection-test.md | 4 +- .../secure-score-dashboard.md | 12 +++--- .../security-operations-dashboard.md | 22 +++++----- .../microsoft-defender-atp/service-status.md | 2 +- .../stop-and-quarantine-file.md | 4 +- .../threat-analytics.md | 2 +- .../threat-indicator-concepts.md | 14 +++---- .../threat-protection-integration.md | 2 +- .../threat-protection-reports.md | 2 +- .../troubleshoot-custom-ti.md | 12 +++--- .../troubleshoot-onboarding-error-messages.md | 2 +- .../troubleshoot-onboarding.md | 32 +++++++------- .../troubleshoot-siem.md | 10 ++--- .../microsoft-defender-atp/troubleshoot.md | 8 ++-- .../unisolate-machine.md | 4 +- .../unrestrict-code-execution.md | 4 +- .../microsoft-defender-atp/update-alert.md | 4 +- .../microsoft-defender-atp/use-custom-ti.md | 14 +++---- .../microsoft-defender-atp/use.md | 8 ++-- .../microsoft-defender-atp/user-roles.md | 4 +- .../view-incidents-queue.md | 4 +- .../whats-new-in-microsoft-defender-atp.md | 2 +- .../windows-defender-security-center-atp.md | 10 ++--- 142 files changed, 557 insertions(+), 557 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md index 106306a8c5..045be04e37 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md +++ b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md @@ -36,8 +36,8 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'Manage security setting' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'Manage security setting' (See [Create and manage roles](user-roles.md) for more information) +>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index dee0d64ec2..a16aebe6e6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md @@ -29,7 +29,7 @@ Depending on the Microsoft security products that you use, some advanced feature Use the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations: ## Automated investigation -When you enable this feature, you'll be able to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigations](automated-investigations-windows-defender-advanced-threat-protection.md). +When you enable this feature, you'll be able to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigations](automated-investigations.md). ## Auto-resolve remediated alerts For tenants created on or after Windows 10, version 1809 the automated investigations capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don’t want to have alerts auto-resolved, you’ll need to manually turn off the feature. @@ -53,7 +53,7 @@ When you enable this feature, you'll be able to see user details stored in Azure - Alert queue - Machine details page -For more information, see [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md). +For more information, see [Investigate a user account](investigate-user.md). ## Skype for Business integration Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks. @@ -128,7 +128,7 @@ You'll have access to upcoming features which you can provide feedback on to hel 3. Click **Save preferences**. ## Related topics -- [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md) -- [Configure alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) -- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) -- [Enable Secure Score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md) +- [Update data retention settings](data-retention-settings.md) +- [Configure alert notifications](configure-email-notifications.md) +- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) +- [Enable Secure Score security controls](enable-secure-score.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md index fe8f545929..e05cf85951 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md @@ -118,5 +118,5 @@ To effectively build queries that span multiple tables, you need to understand t >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink) ## Related topic -- [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md) -- [Advanced hunting query language best practices](advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Query data using Advanced hunting](advanced-hunting.md) +- [Advanced hunting query language best practices](advanced-hunting-best-practices.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md index 000918bc98..44e20add28 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md @@ -149,8 +149,8 @@ Check out the [Advanced hunting repository](https://github.com/Microsoft/Windows >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink) ## Related topic -- [Advanced hunting reference](advanced-hunting-reference-windows-defender-advanced-threat-protection.md) -- [Advanced hunting query language best practices](advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) +- [Advanced hunting reference](advanced-hunting-reference.md) +- [Advanced hunting query language best practices](advanced-hunting-best-practices.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md index 525a4afacb..1e817593bb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md @@ -25,13 +25,13 @@ Learn how you can view and manage the queue so that you can effectively investig ## In this section Topic | Description :---|:--- -[View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) | Shows a list of alerts that were flagged in your network. -[Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) | Learn about how you can manage alerts such as change its status, assign it to a security operations member, and see the history of an alert. -[Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)| Investigate alerts that are affecting your network, understand what they mean, and how to resolve them. -[Investigate files](investigate-files-windows-defender-advanced-threat-protection.md)| Investigate the details of a file associated with a specific alert, behaviour, or event. -[Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md)| Investigate the details of a machine associated with a specific alert, behaviour, or event. -[Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between machines in your network and external internet protocol (IP) addresses. -[Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) | Investigate a domain to see if machines and servers in your network have been communicating with a known malicious domain. -[Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md) | Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. +[View and organize the Alerts queue](alerts-queue.md) | Shows a list of alerts that were flagged in your network. +[Manage alerts](manage-alerts.md) | Learn about how you can manage alerts such as change its status, assign it to a security operations member, and see the history of an alert. +[Investigate alerts](investigate-alerts.md)| Investigate alerts that are affecting your network, understand what they mean, and how to resolve them. +[Investigate files](investigate-files.md)| Investigate the details of a file associated with a specific alert, behaviour, or event. +[Investigate machines](investigate-machines.md)| Investigate the details of a machine associated with a specific alert, behaviour, or event. +[Investigate an IP address](investigate-ip.md) | Examine possible communication between machines in your network and external internet protocol (IP) addresses. +[Investigate a domain](investigate-domain.md) | Investigate a domain to see if machines and servers in your network have been communicating with a known malicious domain. +[Investigate a user account](investigate-user.md) | Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md index 86249293b6..fbe92937d8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md @@ -90,15 +90,15 @@ Limit the alerts queue view by selecting the OS platform that you're interested If you have specific machine groups that you're interested in checking the alerts on, you can select the groups to limit the alerts queue view to display just those machine groups. ### Associated threat -Use this filter to focus on alerts that are related to high profile threats. You can see the full list of high-profile threats in [Threat analytics](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md). +Use this filter to focus on alerts that are related to high profile threats. You can see the full list of high-profile threats in [Threat analytics](threat-analytics-dashboard.md). ## Related topics -- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) -- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) -- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) -- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [Investigate a user account in Microsoft Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) +- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) +- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) +- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) +- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) +- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md) +- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md) +- [Investigate a user account in Microsoft Defender ATP](investigate-user.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md index c85f9de2b6..054edf688a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md @@ -37,7 +37,7 @@ Understand what data fields are exposed as part of the alerts API and how they m The following table lists the available fields exposed in the alerts API payload. It shows examples for the populated values and a reference on how data is reflected on the portal. -The ArcSight field column contains the default mapping between the Microsoft Defender ATP fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md). +The ArcSight field column contains the default mapping between the Microsoft Defender ATP fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md). Field numbers match the numbers in the images below. @@ -92,8 +92,8 @@ Field numbers match the numbers in the images below. ## Related topics -- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) -- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) -- [Configure ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) -- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) -- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) +- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) +- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md) +- [Configure ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md) +- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md) +- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md index b1cb1f4d55..484e346117 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md @@ -30,7 +30,7 @@ ms.date: 11/28/2018 Microsoft Defender ATP supports two ways to manage permissions: - **Basic permissions management**: Set permissions to either full access or read-only. -- **Role-based access control (RBAC)**: Set granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to machine groups. For more information on RBAC, see [Manage portal access using role-based access control](rbac-windows-defender-advanced-threat-protection.md). +- **Role-based access control (RBAC)**: Set granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to machine groups. For more information on RBAC, see [Manage portal access using role-based access control](rbac.md). > [!NOTE] >If you have already assigned basic permissions, you may switch to RBAC anytime. Consider the following before making the switch: @@ -44,5 +44,5 @@ Microsoft Defender ATP supports two ways to manage permissions: >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portalaccess-belowfoldlink) ## Related topic -- [Use basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md) -- [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md) +- [Use basic permissions to access the portal](basic-permissions.md) +- [Manage portal access using RBAC](rbac.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md index 9b4ee1c082..f88df725ea 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md @@ -38,7 +38,7 @@ You might want to experience Microsoft Defender ATP before you onboard more than ## Before you begin -To run any of the provided simulations, you need at least [one onboarded machine](onboard-configure-windows-defender-advanced-threat-protection.md). +To run any of the provided simulations, you need at least [one onboarded machine](onboard-configure.md). Read the walkthrough document provided with each attack scenario. Each document includes OS and application requirements as well as detailed instructions that are specific to an attack scenario. @@ -66,5 +66,5 @@ Read the walkthrough document provided with each attack scenario. Each document ## Related topics -- [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) -- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Onboard machines](onboard-configure.md) +- [Onboard Windows 10 machines](configure-endpoints.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 78375524ed..a413656b87 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -73,14 +73,14 @@ Semi - require approval for non-temp folders remediation | An approval is requir Semi - require approval for core folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.

Files or executables in all other folders will automatically be remediated if needed. Full - remediate threats automatically | All remediation actions will be performed automatically. -For more information on how to configure these automation levels, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md). +For more information on how to configure these automation levels, see [Create and manage machine groups](machine-groups.md). The default machine group is configured for semi-automatic remediation. This means that any malicious entity that needs to be remediated requires an approval and the investigation is added to the **Pending actions** section, this can be changed to fully automatic so that no user approval is needed. When a pending action is approved, the entity is then remediated and this new state is reflected in the **Entities** tab of the investigation. ## Related topic -- [Learn about the automated investigations dashboard](manage-auto-investigation-windows-defender-advanced-threat-protection.md) +- [Learn about the automated investigations dashboard](manage-auto-investigation.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md index c7f6f4517c..294a775bb9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md @@ -31,7 +31,7 @@ You can use either of the following: - Azure PowerShell - Azure Portal -For granular control over permissions, [switch to role-based access control](rbac-windows-defender-advanced-threat-protection.md). +For granular control over permissions, [switch to role-based access control](rbac.md). ## Assign user access using Azure PowerShell You can assign users with one of the following levels of permissions: @@ -73,4 +73,4 @@ For more information, see [Assign administrator and non-administrator roles to u ## Related topic -- [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md) +- [Manage portal access using RBAC](rbac.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md index 453a7575ed..4e675729c2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md +++ b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md @@ -37,7 +37,7 @@ There are two status indicators on the tile that provide information on the numb Clicking any of the groups directs you to Machines list, filtered according to your choice. -You can also download the entire list in CSV format using the **Export to CSV** feature. For more information on filters, see [View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md). +You can also download the entire list in CSV format using the **Export to CSV** feature. For more information on filters, see [View and organize the Machines list](machines-view-overview.md). You can filter the health state list by the following status: - **Active** - Machines that are actively reporting to the Microsoft Defender ATP service. @@ -57,4 +57,4 @@ In the **Machines list**, you can download a full list of all the machines in yo >Export the list in CSV format to display the unfiltered data. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on how large your organization is. ## Related topic -- [Fix unhealthy sensors in Microsoft Defender ATP](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) +- [Fix unhealthy sensors in Microsoft Defender ATP](fix-unhealhty-sensors.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md index 133ce6e86c..c828e5a9b8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md +++ b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md @@ -37,8 +37,8 @@ Delegated (work or school account) | Machine.CollectForensics | 'Collect forensi >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/conditional.md b/windows/security/threat-protection/microsoft-defender-atp/conditional.md index eba91e7d07..f4a0532ef7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/conditional.md +++ b/windows/security/threat-protection/microsoft-defender-atp/conditional.md @@ -56,7 +56,7 @@ There are three ways to address a risk: 2. Resolve active alerts on the machine. This will remove the risk from the machine. 3. You can remove the machine from the active policies and consequently, conditional access will not be applied on the machine. -Manual remediation requires a secops admin to investigate an alert and address the risk seen on the device. The automated remediation is configured through configuration settings provided in the following section, [Configure conditional access](configure-conditional-access-windows-defender-advanced-threat-protection.md). +Manual remediation requires a secops admin to investigate an alert and address the risk seen on the device. The automated remediation is configured through configuration settings provided in the following section, [Configure conditional access](configure-conditional-access.md). When the risk is removed either through manual or automated remediation, the device returns to a compliant state and access to applications is granted. @@ -70,7 +70,7 @@ The following example sequence of events explains conditional access in action: ## Related topic -- [Configure conditional access in Microsoft Defender ATP](configure-conditional-access-windows-defender-advanced-threat-protection.md) +- [Configure conditional access in Microsoft Defender ATP](configure-conditional-access.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md index 05c9269bca..862e906979 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md @@ -36,7 +36,7 @@ Configuring the HP ArcSight Connector tool requires several configuration files This section guides you in getting the necessary information to set and use the required configuration files correctly. -- Make sure you have enabled the SIEM integration feature from the **Settings** menu. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md). +- Make sure you have enabled the SIEM integration feature from the **Settings** menu. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md). - Have the file you saved from enabling the SIEM integration feature ready. You'll need to get the following values: - OAuth 2.0 Token refresh URL @@ -107,7 +107,7 @@ The following steps assume that you have completed all the required steps in [Be 		Browse to the location of the *wdatp-connector.properties* file. The name must match the file provided in the .zip that you downloaded.
Refresh TokenYou can obtain a refresh token in two ways: by generating a refresh token from the **SIEM settings** page or using the restutil tool.

For more information on generating a refresh token from the **Preferences setup** , see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md).

**Get your refresh token using the restutil tool:**
a. Open a command prompt. Navigate to C:\\*folder_location*\current\bin where *folder_location* represents the location where you installed the tool.

b. Type: `arcsight restutil token -config` from the bin directory.For example: **arcsight restutil boxtoken -proxy proxy.location.hp.com:8080** A Web browser window will open.

c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.

d. A refresh token is shown in the command prompt.

e. Copy and paste it into the **Refresh Token** field. + 		You can obtain a refresh token in two ways: by generating a refresh token from the **SIEM settings** page or using the restutil tool.

For more information on generating a refresh token from the **Preferences setup** , see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md).

**Get your refresh token using the restutil tool:**
a. Open a command prompt. Navigate to C:\\*folder_location*\current\bin where *folder_location* represents the location where you installed the tool.

b. Type: `arcsight restutil token -config` from the bin directory.For example: **arcsight restutil boxtoken -proxy proxy.location.hp.com:8080** A Web browser window will open.

c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.

d. A refresh token is shown in the command prompt.

e. Copy and paste it into the **Refresh Token** field.
Microsoft Defender Advanced Threat Protection service failed to connect to the server at ```variable```. Variable = URL of the Microsoft Defender ATP processing servers.
The service could not contact the external processing servers at that URL.		Check the connection to the URL. See [Configure proxy and Internet connectivity](configure-proxy-internet-windows-defender-advanced-threat-protection.md).Check the connection to the URL. See [Configure proxy and Internet connectivity](configure-proxy-internet.md).
6 The machine did not onboard correctly and will not be reporting to the portal. Onboarding must be run before starting the service.
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
7 Microsoft Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure: ```variable```. Variable = detailed error description. The machine did not onboard correctly and will not be reporting to the portal. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
8**During onboarding:** The service failed to clean its configuration during the onboarding. The onboarding process continues.

**During offboarding:** The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running. 		**Onboarding:** No action required.

**Offboarding:** Reboot the system.
-See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
9 Microsoft Defender Advanced Threat Protection service failed to change its start type. Failure code: ```variable```. **During onboarding:** The machine did not onboard correctly and will not be reporting to the portal.

**During offboarding:** Failed to change the service start type. The offboarding process continues. 		Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
10 Microsoft Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: ```variable```. The machine did not onboard correctly and will not be reporting to the portal. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
11 Microsoft Defender Advanced Threat Protection cannot start command channel with URL: ```variable```. Variable = URL of the Microsoft Defender ATP processing servers.
The service could not contact the external processing servers at that URL.		Check the connection to the URL. See [Configure proxy and Internet connectivity](configure-proxy-internet-windows-defender-advanced-threat-protection.md).Check the connection to the URL. See [Configure proxy and Internet connectivity](configure-proxy-internet.md).
17 Microsoft Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: ```variable```. An error occurred with the Windows telemetry service.[Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostics-service-is-enabled).
+		[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-the-diagnostics-service-is-enabled).
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
18The machine did not onboard correctly. It will report to the portal, however the service may not appear as registered in SCCM or the registry. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
26The machine did not onboard correctly.
It will report to the portal, however the service may not appear as registered in SCCM or the registry.		 Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
27 Microsoft Defender Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender Antivirus. Onboarding process failed. Failure code: ```variable```. Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the machine, and the machine is reporting to Microsoft Defender ATP. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
+See [Onboard Windows 10 machines](configure-endpoints.md).
Ensure real-time antimalware protection is running properly.
28 Microsoft Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: ```variable```. An error occurred with the Windows telemetry service.[Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostic-data-service-is-enabled).
+		[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-the-diagnostic-data-service-is-enabled).
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
29Microsoft Defender Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender Antivirus. Failure code: ```variable```. Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the machine, and the machine is reporting to Microsoft Defender ATP. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
+See [Onboard Windows 10 machines](configure-endpoints.md)
Ensure real-time antimalware protection is running properly.
31 Microsoft Defender Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: ```variable```. An error occurred with the Windows telemetry service during onboarding. The offboarding process continues.[Check for errors with the Windows telemetry service](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostic-data-service-is-enabled).[Check for errors with the Windows telemetry service](troubleshoot-onboarding.md#ensure-the-diagnostic-data-service-is-enabled).
3234 Microsoft Defender Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: ```variable```. An error occurred with the Windows telemetry service.[Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostic-data-service-is-enabled).
+		[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-the-diagnostic-data-service-is-enabled).
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
35
@@ -37,10 +37,10 @@ ms.localizationpriority: medium -**[Attack surface reduction](windows-defender-atp/overview-attack-surface-reduction.md)**
+**[Attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)**
The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. -- [Hardware based isolation](windows-defender-atp/overview-hardware-based-isolation.md) +- [Hardware based isolation](microsoft-defender-atp/overview-hardware-based-isolation.md) - [Application control](windows-defender-application-control/windows-defender-application-control.md) - [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) - [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md) @@ -52,7 +52,7 @@ The attack surface reduction set of capabilities provide the first line of defen **[Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)**
-To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation protection designed to catch all types of emerging threats. +To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats. - [Behavior monitoring](/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) - [Cloud-based protection](/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) @@ -62,67 +62,67 @@ To further reinforce the security perimeter of your network, Windows Defender AT -**[Endpoint detection and response](windows-defender-atp/overview-endpoint-detection-response.md)**
+**[Endpoint detection and response](microsoft-defender-atp/overview-endpoint-detection-response.md)**
Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. -- [Alerts](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) -- [Historical endpoint data](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline) -- [Response orchestration](windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md) -- [Forensic collection](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines) -- [Threat intelligence](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -- [Advanced detonation and analysis service](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis) -- [Advanced hunting](windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md) - - [Custom detection](windows-defender-atp/overview-custom-detections.md) - - [Realtime and historical hunting](windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md) +- [Alerts](microsoft-defender-atp/alerts-queue.md) +- [Historical endpoint data](microsoft-defender-atp/investigate-machines.md#machine-timeline) +- [Response orchestration](microsoft-defender-atp/response-actions.md) +- [Forensic collection](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines) +- [Threat intelligence](microsoft-defender-atp/threat-indicator-concepts.md) +- [Advanced detonation and analysis service](microsoft-defender-atp/respond-file-alerts.md#deep-analysis) +- [Advanced hunting](microsoft-defender-atp/overview-hunting.md) + - [Custom detection](microsoft-defender-atp/overview-custom-detections.md) + - [Realtime and historical hunting](microsoft-defender-atp/advanced-hunting.md) -**[Automated investigation and remediation](windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md)**
-In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. +**[Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)**
+In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. -- [Automated investigation and remediation](windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md) -- [Threat remediation](windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md#how-threats-are-remediated) -- [Manage automated investigations](windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md) -- [Analyze automated investigation](windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md#analyze-automated-investigations) +- [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md) +- [Threat remediation](microsoft-defender-atp/automated-investigations.md#how-threats-are-remediated) +- [Manage automated investigations](microsoft-defender-atp/manage-auto-investigation.md) +- [Analyze automated investigation](microsoft-defender-atp/manage-auto-investigation.md#analyze-automated-investigations) -**[Secure score](windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md)**
-Windows Defender ATP includes a secure score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. -- [Asset inventory](windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md) -- [Recommended improvement actions](windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md) -- [Secure score](windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md) -- [Threat analytics](windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) +**[Secure score](microsoft-defender-atp/overview-secure-score.md)**
+Microsoft Defender ATP includes a secure score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. +- [Asset inventory](microsoft-defender-atp/secure-score-dashboard.md) +- [Recommended improvement actions](microsoft-defender-atp/secure-score-dashboard.md) +- [Secure score](microsoft-defender-atp/overview-secure-score.md) +- [Threat analytics](microsoft-defender-atp/threat-analytics.md) -**[Microsoft Threat Experts](windows-defender-atp/microsoft-threat-experts.md)**
-Windows Defender ATP's new managed threat hunting service provides proactive hunting, prioritization and additional context and insights that further empower Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately. +**[Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)**
+Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization and additional context and insights that further empower Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately. -- [Targeted attack notification](windows-defender-atp/microsoft-threat-experts.md) -- [Experts-on-demand](windows-defender-atp/microsoft-threat-experts.md) -- [Configure your Microsoft Threat Protection managed hunting service](windows-defender-atp/configure-microsoft-threat-experts.md) +- [Targeted attack notification](microsoft-defender-atp/microsoft-threat-experts.md) +- [Experts-on-demand](microsoft-defender-atp/microsoft-threat-experts.md) +- [Configure your Microsoft Threat Protection managed hunting service](microsoft-defender-atp/configure-microsoft-threat-experts.md) -**[Management and APIs](windows-defender-atp/management-apis.md)**
-Integrate Windows Defender Advanced Threat Protection into your existing workflows. -- [Onboarding](windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md) -- [API and SIEM integration](windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md) -- [Exposed APIs](windows-defender-atp/use-apis.md) -- [Role-based access control (RBAC)](windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md) -- [Reporting and trends](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md) +**[Management and APIs](microsoft-defender-atp/management-apis.md)**
+Integrate Microsoft Defender Advanced Threat Protection into your existing workflows. +- [Onboarding](microsoft-defender-atp/onboard-configure.md) +- [API and SIEM integration](microsoft-defender-atp/configure-siem.md) +- [Exposed APIs](microsoft-defender-atp/use-apis.md) +- [Role-based access control (RBAC)](microsoft-defender-atp/rbac.md) +- [Reporting and trends](microsoft-defender-atp/powerbi-reports.md) -**[Microsoft Threat Protection](windows-defender-atp/threat-protection-integration.md)**
- Windows Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace. Bring the power of Microsoft threat protection to your organization. -- [Conditional access](windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md) -- [O365 ATP](windows-defender-atp/threat-protection-integration.md) -- [Azure ATP](windows-defender-atp/threat-protection-integration.md) -- [Azure Security Center](windows-defender-atp/threat-protection-integration.md) -- [Skype for Business](windows-defender-atp/threat-protection-integration.md) -- [Microsoft Cloud App Security](windows-defender-atp/microsoft-cloud-app-security-integration.md) +**[Microsoft Threat Protection](microsoft-defender-atp/threat-protection-integration.md)**
+ Microsoft Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace. Bring the power of Microsoft threat protection to your organization. +- [Conditional access](microsoft-defender-atp/conditional-access.md) +- [O365 ATP](microsoft-defender-atp/threat-protection-integration.md) +- [Azure ATP](microsoft-defender-atp/threat-protection-integration.md) +- [Azure Security Center](microsoft-defender-atp/threat-protection-integration.md) +- [Skype for Business](microsoft-defender-atp/threat-protection-integration.md) +- [Microsoft Cloud App Security](microsoft-defender-atp/microsoft-cloud-app-security-integration.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/conditional.md b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/conditional.md rename to windows/security/threat-protection/microsoft-defender-atp/conditional-access.md From fd2e2b3287897bc4622292e6faea5130824c28ef Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 15:25:22 -0700 Subject: [PATCH 119/492] update author and product names in exploit guard folder --- .../attack-surface-reduction-exploit-guard.md | 10 +++++----- ...eduction-rules-in-windows-10-enterprise-e3.md | 6 +++--- .../audit-windows-defender-exploit-guard.md | 12 ++++++------ .../controlled-folders-exploit-guard.md | 14 +++++++------- .../customize-attack-surface-reduction.md | 6 +++--- ...customize-controlled-folders-exploit-guard.md | 6 +++--- .../customize-exploit-protection.md | 6 +++--- .../emet-exploit-protection-exploit-guard.md | 16 ++++++++-------- .../enable-attack-surface-reduction.md | 6 +++--- .../enable-controlled-folders-exploit-guard.md | 8 ++++---- .../enable-exploit-protection.md | 6 +++--- .../enable-network-protection.md | 6 +++--- ...ization-based-protection-of-code-integrity.md | 2 +- .../evaluate-attack-surface-reduction.md | 6 +++--- .../evaluate-controlled-folder-access.md | 8 ++++---- .../evaluate-exploit-protection.md | 6 +++--- .../evaluate-network-protection.md | 6 +++--- .../evaluate-windows-defender-exploit-guard.md | 4 ++-- .../event-views-exploit-guard.md | 8 ++++---- .../exploit-protection-exploit-guard.md | 14 +++++++------- .../import-export-exploit-protection-emet-xml.md | 6 +++--- .../memory-integrity.md | 2 +- .../network-protection-exploit-guard.md | 14 +++++++------- ...ization-based-protection-of-code-integrity.md | 2 +- .../troubleshoot-asr.md | 8 ++++---- ...roubleshoot-exploit-protection-mitigations.md | 6 +++--- .../troubleshoot-np.md | 8 ++++---- .../windows-defender-exploit-guard.md | 12 ++++++------ 28 files changed, 107 insertions(+), 107 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index e16b905b59..93cfaddf25 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 04/02/2019 --- @@ -18,11 +18,11 @@ ms.date: 04/02/2019 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1709 or later, Windows Server 2016 1803 or later, or Windows Server 2019. -To use attack surface reduction rules, you need a Windows 10 Enterprise E3 license or higher. A Windows E5 license gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. +To use attack surface reduction rules, you need a Windows 10 Enterprise E3 license or higher. A Windows E5 license gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including: @@ -32,7 +32,7 @@ Attack surface reduction rules target behaviors that malware and malicious apps You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. -Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Windows Defender Security Center and in the Microsoft 365 securty center. +Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 securty center. For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md). diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md index 4cc8fbd9f5..60bdf42183 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 10/15/2018 --- @@ -20,7 +20,7 @@ ms.date: 10/15/2018 - Windows 10 Enterprise E3 -Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature area includes the rules, monitoring, reporting, and analytics necessary for deployment that are included in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), and require the Windows 10 Enterprise E5 license. +Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature area includes the rules, monitoring, reporting, and analytics necessary for deployment that are included in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), and require the Windows 10 Enterprise E5 license. A limited subset of basic attack surface reduction rules can technically be used with Windows 10 Enterprise E3. They can be used without the benefits of reporting, monitoring, and analytics, which provide the ease of deployment and management capabilities necessary for enterprises. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md index 5d82fb8254..0bc78c8573 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md @@ -1,6 +1,6 @@ --- -title: Test how Windows Defender ATP features work -description: Audit mode lets you use the event log to see how Windows Defender ATP would protect your devices if it were enabled +title: Test how Microsoft Defender ATP features work +description: Audit mode lets you use the event log to see how Microsoft Defender ATP would protect your devices if it were enabled keywords: exploit guard, audit, auditing, mode, enabled, disabled, test, demo, evaluate, lab search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 04/02/2019 --- @@ -19,7 +19,7 @@ ms.date: 04/02/2019 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature. @@ -27,7 +27,7 @@ You might want to do this when testing how the features will work in your organi While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled. -You can use Windows Defender Advanced Threat Protection to get greater deatils for each event, especially for investigating attack surface reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +You can use Microsoft Defender Advanced Threat Protection to get greater deatils for each event, especially for investigating attack surface reduction rules. Using the Microsoft Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md index 77098d4c10..fd33e84578 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 11/29/2018 --- @@ -18,10 +18,10 @@ ms.date: 11/29/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. -Controlled folder access works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder. @@ -39,11 +39,11 @@ Controlled folder access is supported on Windows 10, version 1709 and later and Controlled folder access requires enabling [Windows Defender Antivirus real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md). -## Review controlled folder access events in the Windows Defender ATP Security Center +## Review controlled folder access events in the Microsoft Defender ATP Security Center -Windows Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -You can query Windows Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. +You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. ## Review controlled folder access events in Windows Event Viewer diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index b772be4c4c..99f4b9d52c 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 12/19/2018 --- @@ -18,7 +18,7 @@ ms.date: 12/19/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md index 05037553e3..88e1a4623b 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md @@ -9,15 +9,15 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha --- # Customize controlled folder access **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md index c49eae7912..139a12bd0e 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 03/26/2019 --- @@ -18,7 +18,7 @@ ms.date: 03/26/2019 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md index 843e0e7f4c..5a5dc12514 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 08/08/2018 --- @@ -18,22 +18,22 @@ ms.date: 08/08/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >[!IMPORTANT] ->If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows Defender ATP. +>If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Microsoft Defender ATP. > >You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. -This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Windows Defender ATP. +This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Microsoft Defender ATP. -Exploit protection in Windows Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options. +Exploit protection in Microsoft Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options. EMET is a standalone product for earlier versions of Windows and provides some mitigation against older, known exploit techniques. After July 31, 2018, it will not be supported. -For more information about the individual features and mitigations available in Windows Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics: +For more information about the individual features and mitigations available in Microsoft Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics: - [Protect devices from exploits](exploit-protection-exploit-guard.md) - [Configure and audit exploit protection mitigations](customize-exploit-protection.md) @@ -59,7 +59,7 @@ Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.svg)]
Requires use of EMET tool (EMET_CONF) System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]
Not available Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Intune to customize, deploy, and manage configurations](https://docs.microsoft.com/intune/whats-new#window-defender-exploit-guard-is-a-new-set-of-intrusion-prevention-capabilities-for-windows-10----1063615---) | [!include[Check mark no](images/svg/check-no.svg)]
Not available -Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Windows Defender Advanced Threat Protection](../windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited Windows event log monitoring +Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/security-analytics-dashboard.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited Windows event log monitoring Audit mode | [!include[Check mark yes](images/svg/check-yes.svg)]
[Full audit mode with Windows event reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
Limited to EAF, EAF+, and anti-ROP mitigations ([1](#ref1)) Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx). diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index c5d238cf59..5239e149c8 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -9,15 +9,15 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha --- # Enable attack surface reduction rules [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. -To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjuction with ASR rules. +To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjuction with ASR rules. ## Exclude files and folders from ASR rules diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index 4cc8d86d0a..6c8a9ba1d5 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 03/29/2019 --- @@ -18,7 +18,7 @@ ms.date: 03/29/2019 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [Controlled folder access](controlled-folders-exploit-guard.md) helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. @@ -103,4 +103,4 @@ Use `Disabled` to turn the feature off. - [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) - [Customize controlled folder access](customize-controlled-folders-exploit-guard.md) -- [Evaluate Windows Defender ATP](evaluate-windows-defender-exploit-guard.md) +- [Evaluate Microsoft Defender ATP](evaluate-windows-defender-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md index 86f640ad6f..da528e3360 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 03/29/2019 --- @@ -18,7 +18,7 @@ ms.date: 03/29/2019 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [Exploit protection](exploit-protection-exploit-guard.md) helps protect against malware that uses exploits to infect devices and spread. It consists of a number of mitigations that can be applied to either the operating system or individual apps. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index b1e858ebcb..291b023277 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 04/01/2019 --- @@ -18,7 +18,7 @@ ms.date: 04/01/2019 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [Network protection](network-protection-exploit-guard.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md index 8648bcd508..08fe9b44f4 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -17,7 +17,7 @@ ms.date: 04/01/2019 **Applies to** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10. Some applications, including device drivers, may be incompatible with HVCI. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md index 307b13fd20..83db94a6af 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 04/02/2019 --- @@ -18,7 +18,7 @@ ms.date: 04/02/2019 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md index 667c554a43..08847c82c5 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 11/16/2018 --- @@ -18,7 +18,7 @@ ms.date: 11/16/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [Controlled folder access](controlled-folders-exploit-guard.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. @@ -62,5 +62,5 @@ See [Protect important folders with controlled folder access](controlled-folders ## Related topics - [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) -- [Evaluate Windows Defender ATP](evaluate-windows-defender-exploit-guard.md) +- [Evaluate Microsoft Defender ATP](evaluate-windows-defender-exploit-guard.md) - [Use audit mode](audit-windows-defender-exploit-guard.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md index 6ae70924c7..64c227f6e5 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 04/02/2019 --- @@ -18,7 +18,7 @@ ms.date: 04/02/2019 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [Exploit protection](exploit-protection-exploit-guard.md) helps protect devices from malware that uses exploits to spread and infect other devices. It consists of a number of mitigations that can be applied to either the operating system or an individual app. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md index 74605b559a..a7de3f8d9d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 04/02/2019 --- @@ -18,7 +18,7 @@ ms.date: 04/02/2019 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [Network protection](network-protection-exploit-guard.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md index ee57054634..8015e81dde 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 05/30/2018 --- diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md index c15f7d5f95..443e9929ff 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md @@ -10,8 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.date: 04/16/2018 ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 03/26/2019 --- @@ -19,7 +19,7 @@ ms.date: 03/26/2019 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can review attack surface reduction events in Event Viewer. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow. @@ -27,7 +27,7 @@ Reviewing the events is also handy when you are evaluating the features, as you This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events. -You can also get detailed reporting into events and blocks as part of Windows Security, which you access if you have an E5 subscription and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). +You can also get detailed reporting into events and blocks as part of Windows Security, which you access if you have an E5 subscription and use [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/windows-defender-advanced-threat-protection.md). ## Use custom views to review attack surface reduction capabilities diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index 72869c7925..6cc021334d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 04/02/2019 --- @@ -18,7 +18,7 @@ ms.date: 04/02/2019 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. @@ -27,7 +27,7 @@ It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md >[!TIP] >You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -Exploit protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Exploit protection works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). You can [enable exploit protection](enable-exploit-protection.md) on an individual machine, and then use [Group Policy](import-export-exploit-protection-emet-xml.md) to distribute the XML file to multiple devices at once. @@ -79,11 +79,11 @@ Win32K | 260 | Untrusted Font ## Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard >[!IMPORTANT] ->If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows Defender ATP. +>If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Microsoft Defender ATP. > >You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. -This section compares exploit protection in Windows Defender ATP with the Enhance Mitigation Experience Toolkit (EMET) for reference. +This section compares exploit protection in Microsoft Defender ATP with the Enhance Mitigation Experience Toolkit (EMET) for reference. The table in this section illustrates the differences between EMET and Windows Defender Exploit Guard.   | Windows Defender Exploit Guard | EMET @@ -102,7 +102,7 @@ Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.svg)]
Requires use of EMET tool (EMET_CONF) System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]
Not available Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Intune to customize, deploy, and manage configurations](https://docs.microsoft.com/intune/whats-new#window-defender-exploit-guard-is-a-new-set-of-intrusion-prevention-capabilities-for-windows-10----1063615---) | [!include[Check mark no](images/svg/check-no.svg)]
Not available -Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Windows Defender Advanced Threat Protection](../windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited Windows event log monitoring +Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/security-analytics-dashboard.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited Windows event log monitoring Audit mode | [!include[Check mark yes](images/svg/check-yes.svg)]
[Full audit mode with Windows event reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
Limited to EAF, EAF+, and anti-ROP mitigations ([1](#ref1)) Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx). diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md index 1be2ff6cb2..3246dc8164 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 04/30/2018 --- @@ -18,7 +18,7 @@ ms.date: 04/30/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md index aed6d58094..40ac8a84cd 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md @@ -18,7 +18,7 @@ ms.date: 08/09/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Memory integrity is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code. Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor. Memory integrity helps block many types of malware from running on computers that run Windows 10 and Windows Server 2016. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md index 8ffcfaf3cd..8b883ee82b 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 02/14/2019 --- @@ -18,7 +18,7 @@ ms.date: 02/14/2019 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. @@ -29,7 +29,7 @@ Network protection is supported on Windows 10, version 1709 and later and Window >[!TIP] >You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -Network protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Network protection works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). When network protection blocks a connection, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. @@ -43,11 +43,11 @@ Windows 10 version | Windows Defender Antivirus - | - Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled -## Review network protection events in the Windows Defender ATP Security Center +## Review network protection events in the Microsoft Defender ATP Security Center -Windows Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -You can query Windows Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled. +You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled. ## Review network protection events in Windows Event Viewer diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md index 514a74a4ea..bd01a47dbb 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md @@ -17,7 +17,7 @@ ms.date: 10/20/2017 **Applies to** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Computers must meet certain hardware, firmware, and software requirements in order to take adavantage of all of the virtualization-based security (VBS) features in [Windows Defender Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md index 0eea5319db..0ffe534d26 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 03/27/2019 --- @@ -18,7 +18,7 @@ ms.date: 03/27/2019 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) When you use [attack surface reduction rules](attack-surface-reduction-exploit-guard.md) you may encounter issues, such as: @@ -76,7 +76,7 @@ To add an exclusion, see [Customize Attack surface reduction](customize-attack-s ## Report a false positive or false negative -Use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md). +Use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../microsoft-defender-atp/alerts-queue.md). ## Collect diagnostic data for file submissions diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md index 7820eac52f..e8e2f3e46b 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 08/09/2018 --- @@ -18,7 +18,7 @@ ms.date: 08/09/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) When you create a set of exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md index 708142ccf5..3feaedade3 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 03/27/2019 --- @@ -18,7 +18,7 @@ ms.date: 03/27/2019 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - IT administrators @@ -65,7 +65,7 @@ Set-MpPreference -EnableNetworkProtection Enabled ## Report a false positive or false negative -If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md). +If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../microsoft-defender-atp/alerts-queue.md). ## Collect diagnostic data for file submissions diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md index 32055b2546..b6733d5ed0 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 08/09/2018 --- @@ -18,7 +18,7 @@ ms.date: 08/09/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees. @@ -43,9 +43,9 @@ You can also [enable audit mode](audit-windows-defender-exploit-guard.md) for th >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how each of them work. -Windows Defender EG can be managed and reported on in the Windows Security app as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies. +Windows Defender EG can be managed and reported on in the Windows Security app as part of the Microsoft Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies. -You can use the Windows Security app to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You can [sign up for a free trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works. +You can use the Windows Security app to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). You can [sign up for a free trial of Microsoft Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works. ## Requirements @@ -55,7 +55,7 @@ This section covers requirements for each feature in Windows Defender EG. |--------|---------| | ![not supported](./images/ball_empty.png) | Not supported | | ![supported](./images/ball_50.png) | Supported | -| ![supported, full reporting](./images/ball_full.png) | Recommended. Includes full, automated reporting into the Windows Defender ATP console. Provides additional cloud-powered capabilities, including the Network protection ability to block apps from accessing low-reputation websites and an attack surface reduction rule that blocks executable files that meet age or prevalence criteria.| +| ![supported, full reporting](./images/ball_full.png) | Recommended. Includes full, automated reporting into the Microsoft Defender ATP console. Provides additional cloud-powered capabilities, including the Network protection ability to block apps from accessing low-reputation websites and an attack surface reduction rule that blocks executable files that meet age or prevalence criteria.| | Feature | Windows 10 Home | Windows 10 Professional | Windows 10 E3 | Windows 10 E5 | | ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: | From 4e53f9e8da68835d55732dfbfef7f569de391ab1 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 15:27:33 -0700 Subject: [PATCH 120/492] Revert "update author and product names in exploit guard folder" This reverts commit fd2e2b3287897bc4622292e6faea5130824c28ef. --- .../attack-surface-reduction-exploit-guard.md | 10 +++++----- ...eduction-rules-in-windows-10-enterprise-e3.md | 6 +++--- .../audit-windows-defender-exploit-guard.md | 12 ++++++------ .../controlled-folders-exploit-guard.md | 14 +++++++------- .../customize-attack-surface-reduction.md | 6 +++--- ...customize-controlled-folders-exploit-guard.md | 6 +++--- .../customize-exploit-protection.md | 6 +++--- .../emet-exploit-protection-exploit-guard.md | 16 ++++++++-------- .../enable-attack-surface-reduction.md | 6 +++--- .../enable-controlled-folders-exploit-guard.md | 8 ++++---- .../enable-exploit-protection.md | 6 +++--- .../enable-network-protection.md | 6 +++--- ...ization-based-protection-of-code-integrity.md | 2 +- .../evaluate-attack-surface-reduction.md | 6 +++--- .../evaluate-controlled-folder-access.md | 8 ++++---- .../evaluate-exploit-protection.md | 6 +++--- .../evaluate-network-protection.md | 6 +++--- .../evaluate-windows-defender-exploit-guard.md | 4 ++-- .../event-views-exploit-guard.md | 8 ++++---- .../exploit-protection-exploit-guard.md | 14 +++++++------- .../import-export-exploit-protection-emet-xml.md | 6 +++--- .../memory-integrity.md | 2 +- .../network-protection-exploit-guard.md | 14 +++++++------- ...ization-based-protection-of-code-integrity.md | 2 +- .../troubleshoot-asr.md | 8 ++++---- ...roubleshoot-exploit-protection-mitigations.md | 6 +++--- .../troubleshoot-np.md | 8 ++++---- .../windows-defender-exploit-guard.md | 12 ++++++------ 28 files changed, 107 insertions(+), 107 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 93cfaddf25..e16b905b59 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha +author: andreabichsel +ms.author: v-anbic ms.date: 04/02/2019 --- @@ -18,11 +18,11 @@ ms.date: 04/02/2019 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1709 or later, Windows Server 2016 1803 or later, or Windows Server 2019. -To use attack surface reduction rules, you need a Windows 10 Enterprise E3 license or higher. A Windows E5 license gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. +To use attack surface reduction rules, you need a Windows 10 Enterprise E3 license or higher. A Windows E5 license gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including: @@ -32,7 +32,7 @@ Attack surface reduction rules target behaviors that malware and malicious apps You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. -Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 securty center. +Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Windows Defender Security Center and in the Microsoft 365 securty center. For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md). diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md index 60bdf42183..4cc8fbd9f5 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha +author: andreabichsel +ms.author: v-anbic ms.date: 10/15/2018 --- @@ -20,7 +20,7 @@ ms.date: 10/15/2018 - Windows 10 Enterprise E3 -Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature area includes the rules, monitoring, reporting, and analytics necessary for deployment that are included in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), and require the Windows 10 Enterprise E5 license. +Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature area includes the rules, monitoring, reporting, and analytics necessary for deployment that are included in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), and require the Windows 10 Enterprise E5 license. A limited subset of basic attack surface reduction rules can technically be used with Windows 10 Enterprise E3. They can be used without the benefits of reporting, monitoring, and analytics, which provide the ease of deployment and management capabilities necessary for enterprises. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md index 0bc78c8573..5d82fb8254 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md @@ -1,6 +1,6 @@ --- -title: Test how Microsoft Defender ATP features work -description: Audit mode lets you use the event log to see how Microsoft Defender ATP would protect your devices if it were enabled +title: Test how Windows Defender ATP features work +description: Audit mode lets you use the event log to see how Windows Defender ATP would protect your devices if it were enabled keywords: exploit guard, audit, auditing, mode, enabled, disabled, test, demo, evaluate, lab search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha +author: andreabichsel +ms.author: v-anbic ms.date: 04/02/2019 --- @@ -19,7 +19,7 @@ ms.date: 04/02/2019 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature. @@ -27,7 +27,7 @@ You might want to do this when testing how the features will work in your organi While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled. -You can use Microsoft Defender Advanced Threat Protection to get greater deatils for each event, especially for investigating attack surface reduction rules. Using the Microsoft Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +You can use Windows Defender Advanced Threat Protection to get greater deatils for each event, especially for investigating attack surface reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md index fd33e84578..77098d4c10 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha +author: andreabichsel +ms.author: v-anbic ms.date: 11/29/2018 --- @@ -18,10 +18,10 @@ ms.date: 11/29/2018 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. -Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +Controlled folder access works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder. @@ -39,11 +39,11 @@ Controlled folder access is supported on Windows 10, version 1709 and later and Controlled folder access requires enabling [Windows Defender Antivirus real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md). -## Review controlled folder access events in the Microsoft Defender ATP Security Center +## Review controlled folder access events in the Windows Defender ATP Security Center -Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +Windows Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). -You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. +You can query Windows Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. ## Review controlled folder access events in Windows Event Viewer diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 99f4b9d52c..b772be4c4c 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha +author: andreabichsel +ms.author: v-anbic ms.date: 12/19/2018 --- @@ -18,7 +18,7 @@ ms.date: 12/19/2018 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md index 88e1a4623b..05037553e3 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md @@ -9,15 +9,15 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha +author: andreabichsel +ms.author: v-anbic --- # Customize controlled folder access **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md index 139a12bd0e..c49eae7912 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha +author: andreabichsel +ms.author: v-anbic ms.date: 03/26/2019 --- @@ -18,7 +18,7 @@ ms.date: 03/26/2019 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md index 5a5dc12514..843e0e7f4c 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha +author: andreabichsel +ms.author: v-anbic ms.date: 08/08/2018 --- @@ -18,22 +18,22 @@ ms.date: 08/08/2018 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >[!IMPORTANT] ->If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Microsoft Defender ATP. +>If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows Defender ATP. > >You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. -This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Microsoft Defender ATP. +This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Windows Defender ATP. -Exploit protection in Microsoft Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options. +Exploit protection in Windows Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options. EMET is a standalone product for earlier versions of Windows and provides some mitigation against older, known exploit techniques. After July 31, 2018, it will not be supported. -For more information about the individual features and mitigations available in Microsoft Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics: +For more information about the individual features and mitigations available in Windows Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics: - [Protect devices from exploits](exploit-protection-exploit-guard.md) - [Configure and audit exploit protection mitigations](customize-exploit-protection.md) @@ -59,7 +59,7 @@ Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.svg)]
Requires use of EMET tool (EMET_CONF) System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]
Not available Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Intune to customize, deploy, and manage configurations](https://docs.microsoft.com/intune/whats-new#window-defender-exploit-guard-is-a-new-set-of-intrusion-prevention-capabilities-for-windows-10----1063615---) | [!include[Check mark no](images/svg/check-no.svg)]
Not available -Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/security-analytics-dashboard.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited Windows event log monitoring +Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Windows Defender Advanced Threat Protection](../windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited Windows event log monitoring Audit mode | [!include[Check mark yes](images/svg/check-yes.svg)]
[Full audit mode with Windows event reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
Limited to EAF, EAF+, and anti-ROP mitigations ([1](#ref1)) Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx). diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 5239e149c8..c5d238cf59 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -9,15 +9,15 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha +author: andreabichsel +ms.author: v-anbic --- # Enable attack surface reduction rules [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. -To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjuction with ASR rules. +To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjuction with ASR rules. ## Exclude files and folders from ASR rules diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index 6c8a9ba1d5..4cc8d86d0a 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha +author: andreabichsel +ms.author: v-anbic ms.date: 03/29/2019 --- @@ -18,7 +18,7 @@ ms.date: 03/29/2019 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [Controlled folder access](controlled-folders-exploit-guard.md) helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. @@ -103,4 +103,4 @@ Use `Disabled` to turn the feature off. - [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) - [Customize controlled folder access](customize-controlled-folders-exploit-guard.md) -- [Evaluate Microsoft Defender ATP](evaluate-windows-defender-exploit-guard.md) +- [Evaluate Windows Defender ATP](evaluate-windows-defender-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md index da528e3360..86f640ad6f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha +author: andreabichsel +ms.author: v-anbic ms.date: 03/29/2019 --- @@ -18,7 +18,7 @@ ms.date: 03/29/2019 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [Exploit protection](exploit-protection-exploit-guard.md) helps protect against malware that uses exploits to infect devices and spread. It consists of a number of mitigations that can be applied to either the operating system or individual apps. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index 291b023277..b1e858ebcb 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha +author: andreabichsel +ms.author: v-anbic ms.date: 04/01/2019 --- @@ -18,7 +18,7 @@ ms.date: 04/01/2019 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [Network protection](network-protection-exploit-guard.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md index 08fe9b44f4..8648bcd508 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -17,7 +17,7 @@ ms.date: 04/01/2019 **Applies to** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10. Some applications, including device drivers, may be incompatible with HVCI. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md index 83db94a6af..307b13fd20 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha +author: andreabichsel +ms.author: v-anbic ms.date: 04/02/2019 --- @@ -18,7 +18,7 @@ ms.date: 04/02/2019 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md index 08847c82c5..667c554a43 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha +author: andreabichsel +ms.author: v-anbic ms.date: 11/16/2018 --- @@ -18,7 +18,7 @@ ms.date: 11/16/2018 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [Controlled folder access](controlled-folders-exploit-guard.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. @@ -62,5 +62,5 @@ See [Protect important folders with controlled folder access](controlled-folders ## Related topics - [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) -- [Evaluate Microsoft Defender ATP](evaluate-windows-defender-exploit-guard.md) +- [Evaluate Windows Defender ATP](evaluate-windows-defender-exploit-guard.md) - [Use audit mode](audit-windows-defender-exploit-guard.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md index 64c227f6e5..6ae70924c7 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha +author: andreabichsel +ms.author: v-anbic ms.date: 04/02/2019 --- @@ -18,7 +18,7 @@ ms.date: 04/02/2019 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [Exploit protection](exploit-protection-exploit-guard.md) helps protect devices from malware that uses exploits to spread and infect other devices. It consists of a number of mitigations that can be applied to either the operating system or an individual app. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md index a7de3f8d9d..74605b559a 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha +author: andreabichsel +ms.author: v-anbic ms.date: 04/02/2019 --- @@ -18,7 +18,7 @@ ms.date: 04/02/2019 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [Network protection](network-protection-exploit-guard.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md index 8015e81dde..ee57054634 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha +author: andreabichsel +ms.author: v-anbic ms.date: 05/30/2018 --- diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md index 443e9929ff..c15f7d5f95 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md @@ -10,8 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.date: 04/16/2018 ms.localizationpriority: medium -author: justinha -ms.author: justinha +author: andreabichsel +ms.author: v-anbic ms.date: 03/26/2019 --- @@ -19,7 +19,7 @@ ms.date: 03/26/2019 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can review attack surface reduction events in Event Viewer. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow. @@ -27,7 +27,7 @@ Reviewing the events is also handy when you are evaluating the features, as you This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events. -You can also get detailed reporting into events and blocks as part of Windows Security, which you access if you have an E5 subscription and use [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/windows-defender-advanced-threat-protection.md). +You can also get detailed reporting into events and blocks as part of Windows Security, which you access if you have an E5 subscription and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). ## Use custom views to review attack surface reduction capabilities diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index 6cc021334d..72869c7925 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha +author: andreabichsel +ms.author: v-anbic ms.date: 04/02/2019 --- @@ -18,7 +18,7 @@ ms.date: 04/02/2019 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. @@ -27,7 +27,7 @@ It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md >[!TIP] >You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -Exploit protection works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +Exploit protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You can [enable exploit protection](enable-exploit-protection.md) on an individual machine, and then use [Group Policy](import-export-exploit-protection-emet-xml.md) to distribute the XML file to multiple devices at once. @@ -79,11 +79,11 @@ Win32K | 260 | Untrusted Font ## Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard >[!IMPORTANT] ->If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Microsoft Defender ATP. +>If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows Defender ATP. > >You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. -This section compares exploit protection in Microsoft Defender ATP with the Enhance Mitigation Experience Toolkit (EMET) for reference. +This section compares exploit protection in Windows Defender ATP with the Enhance Mitigation Experience Toolkit (EMET) for reference. The table in this section illustrates the differences between EMET and Windows Defender Exploit Guard.   | Windows Defender Exploit Guard | EMET @@ -102,7 +102,7 @@ Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.svg)]
Requires use of EMET tool (EMET_CONF) System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]
Not available Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Intune to customize, deploy, and manage configurations](https://docs.microsoft.com/intune/whats-new#window-defender-exploit-guard-is-a-new-set-of-intrusion-prevention-capabilities-for-windows-10----1063615---) | [!include[Check mark no](images/svg/check-no.svg)]
Not available -Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/security-analytics-dashboard.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited Windows event log monitoring +Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Windows Defender Advanced Threat Protection](../windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited Windows event log monitoring Audit mode | [!include[Check mark yes](images/svg/check-yes.svg)]
[Full audit mode with Windows event reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
Limited to EAF, EAF+, and anti-ROP mitigations ([1](#ref1)) Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx). diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md index 3246dc8164..1be2ff6cb2 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha +author: andreabichsel +ms.author: v-anbic ms.date: 04/30/2018 --- @@ -18,7 +18,7 @@ ms.date: 04/30/2018 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md index 40ac8a84cd..aed6d58094 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md @@ -18,7 +18,7 @@ ms.date: 08/09/2018 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Memory integrity is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code. Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor. Memory integrity helps block many types of malware from running on computers that run Windows 10 and Windows Server 2016. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md index 8b883ee82b..8ffcfaf3cd 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha +author: andreabichsel +ms.author: v-anbic ms.date: 02/14/2019 --- @@ -18,7 +18,7 @@ ms.date: 02/14/2019 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. @@ -29,7 +29,7 @@ Network protection is supported on Windows 10, version 1709 and later and Window >[!TIP] >You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -Network protection works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +Network protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). When network protection blocks a connection, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. @@ -43,11 +43,11 @@ Windows 10 version | Windows Defender Antivirus - | - Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled -## Review network protection events in the Microsoft Defender ATP Security Center +## Review network protection events in the Windows Defender ATP Security Center -Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +Windows Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). -You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled. +You can query Windows Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled. ## Review network protection events in Windows Event Viewer diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md index bd01a47dbb..514a74a4ea 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md @@ -17,7 +17,7 @@ ms.date: 10/20/2017 **Applies to** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Computers must meet certain hardware, firmware, and software requirements in order to take adavantage of all of the virtualization-based security (VBS) features in [Windows Defender Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md index 0ffe534d26..0eea5319db 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha +author: andreabichsel +ms.author: v-anbic ms.date: 03/27/2019 --- @@ -18,7 +18,7 @@ ms.date: 03/27/2019 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) When you use [attack surface reduction rules](attack-surface-reduction-exploit-guard.md) you may encounter issues, such as: @@ -76,7 +76,7 @@ To add an exclusion, see [Customize Attack surface reduction](customize-attack-s ## Report a false positive or false negative -Use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../microsoft-defender-atp/alerts-queue.md). +Use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md). ## Collect diagnostic data for file submissions diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md index e8e2f3e46b..7820eac52f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha +author: andreabichsel +ms.author: v-anbic ms.date: 08/09/2018 --- @@ -18,7 +18,7 @@ ms.date: 08/09/2018 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) When you create a set of exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md index 3feaedade3..708142ccf5 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha +author: andreabichsel +ms.author: v-anbic ms.date: 03/27/2019 --- @@ -18,7 +18,7 @@ ms.date: 03/27/2019 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - IT administrators @@ -65,7 +65,7 @@ Set-MpPreference -EnableNetworkProtection Enabled ## Report a false positive or false negative -If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../microsoft-defender-atp/alerts-queue.md). +If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md). ## Collect diagnostic data for file submissions diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md index b6733d5ed0..32055b2546 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: justinha -ms.author: justinha +author: andreabichsel +ms.author: v-anbic ms.date: 08/09/2018 --- @@ -18,7 +18,7 @@ ms.date: 08/09/2018 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees. @@ -43,9 +43,9 @@ You can also [enable audit mode](audit-windows-defender-exploit-guard.md) for th >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how each of them work. -Windows Defender EG can be managed and reported on in the Windows Security app as part of the Microsoft Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies. +Windows Defender EG can be managed and reported on in the Windows Security app as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies. -You can use the Windows Security app to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). You can [sign up for a free trial of Microsoft Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works. +You can use the Windows Security app to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You can [sign up for a free trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works. ## Requirements @@ -55,7 +55,7 @@ This section covers requirements for each feature in Windows Defender EG. |--------|---------| | ![not supported](./images/ball_empty.png) | Not supported | | ![supported](./images/ball_50.png) | Supported | -| ![supported, full reporting](./images/ball_full.png) | Recommended. Includes full, automated reporting into the Microsoft Defender ATP console. Provides additional cloud-powered capabilities, including the Network protection ability to block apps from accessing low-reputation websites and an attack surface reduction rule that blocks executable files that meet age or prevalence criteria.| +| ![supported, full reporting](./images/ball_full.png) | Recommended. Includes full, automated reporting into the Windows Defender ATP console. Provides additional cloud-powered capabilities, including the Network protection ability to block apps from accessing low-reputation websites and an attack surface reduction rule that blocks executable files that meet age or prevalence criteria.| | Feature | Windows 10 Home | Windows 10 Professional | Windows 10 E3 | Windows 10 E5 | | ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: | From 6f2e3fea96fd6ed80be4144ba8290756318e5cf7 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 15:31:51 -0700 Subject: [PATCH 121/492] update product names and author in exploit guard folder --- .../attack-surface-reduction-exploit-guard.md | 10 +++++----- ...eduction-rules-in-windows-10-enterprise-e3.md | 6 +++--- .../audit-windows-defender-exploit-guard.md | 12 ++++++------ .../controlled-folders-exploit-guard.md | 14 +++++++------- .../customize-attack-surface-reduction.md | 6 +++--- ...customize-controlled-folders-exploit-guard.md | 6 +++--- .../customize-exploit-protection.md | 6 +++--- .../emet-exploit-protection-exploit-guard.md | 16 ++++++++-------- .../enable-attack-surface-reduction.md | 6 +++--- .../enable-controlled-folders-exploit-guard.md | 8 ++++---- .../enable-exploit-protection.md | 6 +++--- .../enable-network-protection.md | 6 +++--- ...ization-based-protection-of-code-integrity.md | 2 +- .../evaluate-attack-surface-reduction.md | 6 +++--- .../evaluate-controlled-folder-access.md | 8 ++++---- .../evaluate-exploit-protection.md | 6 +++--- .../evaluate-network-protection.md | 6 +++--- .../evaluate-windows-defender-exploit-guard.md | 4 ++-- .../event-views-exploit-guard.md | 8 ++++---- .../exploit-protection-exploit-guard.md | 14 +++++++------- .../import-export-exploit-protection-emet-xml.md | 6 +++--- .../memory-integrity.md | 2 +- .../network-protection-exploit-guard.md | 14 +++++++------- ...ization-based-protection-of-code-integrity.md | 2 +- .../troubleshoot-asr.md | 6 +++--- ...roubleshoot-exploit-protection-mitigations.md | 6 +++--- .../troubleshoot-np.md | 6 +++--- .../windows-defender-exploit-guard.md | 12 ++++++------ 28 files changed, 105 insertions(+), 105 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index e16b905b59..51b3340555 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 04/02/2019 --- @@ -18,11 +18,11 @@ ms.date: 04/02/2019 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1709 or later, Windows Server 2016 1803 or later, or Windows Server 2019. -To use attack surface reduction rules, you need a Windows 10 Enterprise E3 license or higher. A Windows E5 license gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. +To use attack surface reduction rules, you need a Windows 10 Enterprise E3 license or higher. A Windows E5 license gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including: @@ -32,7 +32,7 @@ Attack surface reduction rules target behaviors that malware and malicious apps You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. -Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Windows Defender Security Center and in the Microsoft 365 securty center. +Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 securty center. For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md). diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md index 4cc8fbd9f5..9b29796bee 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 10/15/2018 --- @@ -20,7 +20,7 @@ ms.date: 10/15/2018 - Windows 10 Enterprise E3 -Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature area includes the rules, monitoring, reporting, and analytics necessary for deployment that are included in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), and require the Windows 10 Enterprise E5 license. +Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature area includes the rules, monitoring, reporting, and analytics necessary for deployment that are included in [Microsoft Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), and require the Windows 10 Enterprise E5 license. A limited subset of basic attack surface reduction rules can technically be used with Windows 10 Enterprise E3. They can be used without the benefits of reporting, monitoring, and analytics, which provide the ease of deployment and management capabilities necessary for enterprises. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md index 5d82fb8254..672ab8575a 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md @@ -1,6 +1,6 @@ --- -title: Test how Windows Defender ATP features work -description: Audit mode lets you use the event log to see how Windows Defender ATP would protect your devices if it were enabled +title: Test how Microsoft Defender ATP features work +description: Audit mode lets you use the event log to see how Microsoft Defender ATP would protect your devices if it were enabled keywords: exploit guard, audit, auditing, mode, enabled, disabled, test, demo, evaluate, lab search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 04/02/2019 --- @@ -19,7 +19,7 @@ ms.date: 04/02/2019 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature. @@ -27,7 +27,7 @@ You might want to do this when testing how the features will work in your organi While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled. -You can use Windows Defender Advanced Threat Protection to get greater deatils for each event, especially for investigating attack surface reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +You can use Microsoft Defender Advanced Threat Protection to get greater deatils for each event, especially for investigating attack surface reduction rules. Using the Microsoft Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md index 77098d4c10..c137f791e5 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 11/29/2018 --- @@ -18,10 +18,10 @@ ms.date: 11/29/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. -Controlled folder access works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder. @@ -39,11 +39,11 @@ Controlled folder access is supported on Windows 10, version 1709 and later and Controlled folder access requires enabling [Windows Defender Antivirus real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md). -## Review controlled folder access events in the Windows Defender ATP Security Center +## Review controlled folder access events in the Microsoft Defender ATP Security Center -Windows Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). -You can query Windows Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. +You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. ## Review controlled folder access events in Windows Event Viewer diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index b772be4c4c..99f4b9d52c 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 12/19/2018 --- @@ -18,7 +18,7 @@ ms.date: 12/19/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md index 05037553e3..88e1a4623b 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md @@ -9,15 +9,15 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha --- # Customize controlled folder access **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md index c49eae7912..139a12bd0e 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 03/26/2019 --- @@ -18,7 +18,7 @@ ms.date: 03/26/2019 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md index 843e0e7f4c..bc4ff6e8aa 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 08/08/2018 --- @@ -18,22 +18,22 @@ ms.date: 08/08/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >[!IMPORTANT] ->If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows Defender ATP. +>If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Microsoft Defender ATP. > >You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. -This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Windows Defender ATP. +This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Microsoft Defender ATP. -Exploit protection in Windows Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options. +Exploit protection in Microsoft Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options. EMET is a standalone product for earlier versions of Windows and provides some mitigation against older, known exploit techniques. After July 31, 2018, it will not be supported. -For more information about the individual features and mitigations available in Windows Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics: +For more information about the individual features and mitigations available in Microsoft Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics: - [Protect devices from exploits](exploit-protection-exploit-guard.md) - [Configure and audit exploit protection mitigations](customize-exploit-protection.md) @@ -59,7 +59,7 @@ Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.svg)]
Requires use of EMET tool (EMET_CONF) System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]
Not available Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Intune to customize, deploy, and manage configurations](https://docs.microsoft.com/intune/whats-new#window-defender-exploit-guard-is-a-new-set-of-intrusion-prevention-capabilities-for-windows-10----1063615---) | [!include[Check mark no](images/svg/check-no.svg)]
Not available -Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Windows Defender Advanced Threat Protection](../windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited Windows event log monitoring +Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Microsoft Defender Advanced Threat Protection](../windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited Windows event log monitoring Audit mode | [!include[Check mark yes](images/svg/check-yes.svg)]
[Full audit mode with Windows event reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
Limited to EAF, EAF+, and anti-ROP mitigations ([1](#ref1)) Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx). diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index c5d238cf59..5239e149c8 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -9,15 +9,15 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha --- # Enable attack surface reduction rules [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. -To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjuction with ASR rules. +To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjuction with ASR rules. ## Exclude files and folders from ASR rules diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index 4cc8d86d0a..6c8a9ba1d5 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 03/29/2019 --- @@ -18,7 +18,7 @@ ms.date: 03/29/2019 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [Controlled folder access](controlled-folders-exploit-guard.md) helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. @@ -103,4 +103,4 @@ Use `Disabled` to turn the feature off. - [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) - [Customize controlled folder access](customize-controlled-folders-exploit-guard.md) -- [Evaluate Windows Defender ATP](evaluate-windows-defender-exploit-guard.md) +- [Evaluate Microsoft Defender ATP](evaluate-windows-defender-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md index 86f640ad6f..da528e3360 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 03/29/2019 --- @@ -18,7 +18,7 @@ ms.date: 03/29/2019 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [Exploit protection](exploit-protection-exploit-guard.md) helps protect against malware that uses exploits to infect devices and spread. It consists of a number of mitigations that can be applied to either the operating system or individual apps. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index b1e858ebcb..291b023277 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 04/01/2019 --- @@ -18,7 +18,7 @@ ms.date: 04/01/2019 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [Network protection](network-protection-exploit-guard.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md index 8648bcd508..08fe9b44f4 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -17,7 +17,7 @@ ms.date: 04/01/2019 **Applies to** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10. Some applications, including device drivers, may be incompatible with HVCI. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md index 307b13fd20..83db94a6af 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 04/02/2019 --- @@ -18,7 +18,7 @@ ms.date: 04/02/2019 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md index 667c554a43..08847c82c5 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 11/16/2018 --- @@ -18,7 +18,7 @@ ms.date: 11/16/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [Controlled folder access](controlled-folders-exploit-guard.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. @@ -62,5 +62,5 @@ See [Protect important folders with controlled folder access](controlled-folders ## Related topics - [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) -- [Evaluate Windows Defender ATP](evaluate-windows-defender-exploit-guard.md) +- [Evaluate Microsoft Defender ATP](evaluate-windows-defender-exploit-guard.md) - [Use audit mode](audit-windows-defender-exploit-guard.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md index 6ae70924c7..64c227f6e5 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 04/02/2019 --- @@ -18,7 +18,7 @@ ms.date: 04/02/2019 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [Exploit protection](exploit-protection-exploit-guard.md) helps protect devices from malware that uses exploits to spread and infect other devices. It consists of a number of mitigations that can be applied to either the operating system or an individual app. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md index 74605b559a..a7de3f8d9d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 04/02/2019 --- @@ -18,7 +18,7 @@ ms.date: 04/02/2019 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [Network protection](network-protection-exploit-guard.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md index ee57054634..8015e81dde 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 05/30/2018 --- diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md index c15f7d5f95..58ecc61775 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md @@ -10,8 +10,8 @@ ms.sitesec: library ms.pagetype: security ms.date: 04/16/2018 ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 03/26/2019 --- @@ -19,7 +19,7 @@ ms.date: 03/26/2019 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can review attack surface reduction events in Event Viewer. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow. @@ -27,7 +27,7 @@ Reviewing the events is also handy when you are evaluating the features, as you This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events. -You can also get detailed reporting into events and blocks as part of Windows Security, which you access if you have an E5 subscription and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). +You can also get detailed reporting into events and blocks as part of Windows Security, which you access if you have an E5 subscription and use [Microsoft Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). ## Use custom views to review attack surface reduction capabilities diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index 72869c7925..2f26612542 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 04/02/2019 --- @@ -18,7 +18,7 @@ ms.date: 04/02/2019 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. @@ -27,7 +27,7 @@ It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md >[!TIP] >You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -Exploit protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Exploit protection works best with [Microsoft Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You can [enable exploit protection](enable-exploit-protection.md) on an individual machine, and then use [Group Policy](import-export-exploit-protection-emet-xml.md) to distribute the XML file to multiple devices at once. @@ -79,11 +79,11 @@ Win32K | 260 | Untrusted Font ## Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard >[!IMPORTANT] ->If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows Defender ATP. +>If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Microsoft Defender ATP. > >You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. -This section compares exploit protection in Windows Defender ATP with the Enhance Mitigation Experience Toolkit (EMET) for reference. +This section compares exploit protection in Microsoft Defender ATP with the Enhance Mitigation Experience Toolkit (EMET) for reference. The table in this section illustrates the differences between EMET and Windows Defender Exploit Guard.   | Windows Defender Exploit Guard | EMET @@ -102,7 +102,7 @@ Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.svg)]
Requires use of EMET tool (EMET_CONF) System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]
Not available Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Intune to customize, deploy, and manage configurations](https://docs.microsoft.com/intune/whats-new#window-defender-exploit-guard-is-a-new-set-of-intrusion-prevention-capabilities-for-windows-10----1063615---) | [!include[Check mark no](images/svg/check-no.svg)]
Not available -Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Windows Defender Advanced Threat Protection](../windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited Windows event log monitoring +Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Microsoft Defender Advanced Threat Protection](../windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited Windows event log monitoring Audit mode | [!include[Check mark yes](images/svg/check-yes.svg)]
[Full audit mode with Windows event reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
Limited to EAF, EAF+, and anti-ROP mitigations ([1](#ref1)) Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx). diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md index 1be2ff6cb2..3246dc8164 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 04/30/2018 --- @@ -18,7 +18,7 @@ ms.date: 04/30/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md index aed6d58094..40ac8a84cd 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md @@ -18,7 +18,7 @@ ms.date: 08/09/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Memory integrity is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code. Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor. Memory integrity helps block many types of malware from running on computers that run Windows 10 and Windows Server 2016. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md index 8ffcfaf3cd..e65dcc4777 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 02/14/2019 --- @@ -18,7 +18,7 @@ ms.date: 02/14/2019 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. @@ -29,7 +29,7 @@ Network protection is supported on Windows 10, version 1709 and later and Window >[!TIP] >You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -Network protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Network protection works best with [Microsoft Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). When network protection blocks a connection, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. @@ -43,11 +43,11 @@ Windows 10 version | Windows Defender Antivirus - | - Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled -## Review network protection events in the Windows Defender ATP Security Center +## Review network protection events in the Microsoft Defender ATP Security Center -Windows Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). -You can query Windows Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled. +You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled. ## Review network protection events in Windows Event Viewer diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md index 514a74a4ea..bd01a47dbb 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md @@ -17,7 +17,7 @@ ms.date: 10/20/2017 **Applies to** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Computers must meet certain hardware, firmware, and software requirements in order to take adavantage of all of the virtualization-based security (VBS) features in [Windows Defender Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md index 0eea5319db..d1f516eacc 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 03/27/2019 --- @@ -18,7 +18,7 @@ ms.date: 03/27/2019 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) When you use [attack surface reduction rules](attack-surface-reduction-exploit-guard.md) you may encounter issues, such as: diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md index 7820eac52f..e8e2f3e46b 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 08/09/2018 --- @@ -18,7 +18,7 @@ ms.date: 08/09/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) When you create a set of exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md index 708142ccf5..40c261016a 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 03/27/2019 --- @@ -18,7 +18,7 @@ ms.date: 03/27/2019 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - IT administrators diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md index 32055b2546..cd2b47c9fe 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 08/09/2018 --- @@ -18,7 +18,7 @@ ms.date: 08/09/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees. @@ -43,9 +43,9 @@ You can also [enable audit mode](audit-windows-defender-exploit-guard.md) for th >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how each of them work. -Windows Defender EG can be managed and reported on in the Windows Security app as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies. +Windows Defender EG can be managed and reported on in the Windows Security app as part of the Microsoft Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies. -You can use the Windows Security app to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You can [sign up for a free trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works. +You can use the Windows Security app to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You can [sign up for a free trial of Microsoft Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works. ## Requirements @@ -55,7 +55,7 @@ This section covers requirements for each feature in Windows Defender EG. |--------|---------| | ![not supported](./images/ball_empty.png) | Not supported | | ![supported](./images/ball_50.png) | Supported | -| ![supported, full reporting](./images/ball_full.png) | Recommended. Includes full, automated reporting into the Windows Defender ATP console. Provides additional cloud-powered capabilities, including the Network protection ability to block apps from accessing low-reputation websites and an attack surface reduction rule that blocks executable files that meet age or prevalence criteria.| +| ![supported, full reporting](./images/ball_full.png) | Recommended. Includes full, automated reporting into the Microsoft Defender ATP console. Provides additional cloud-powered capabilities, including the Network protection ability to block apps from accessing low-reputation websites and an attack surface reduction rule that blocks executable files that meet age or prevalence criteria.| | Feature | Windows 10 Home | Windows 10 Professional | Windows 10 E3 | Windows 10 E5 | | ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: | From c75688a5863194392fdab581889545968bca9716 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 15:34:41 -0700 Subject: [PATCH 122/492] update all product names and author in av folder --- ...llect-diagnostic-data-update-compliance.md | 4 +-- ...ne-arguments-windows-defender-antivirus.md | 4 +-- ...nt-reference-windows-defender-antivirus.md | 4 +-- ...d-scan-types-windows-defender-antivirus.md | 4 +-- ...-first-sight-windows-defender-antivirus.md | 6 ++--- ...meout-period-windows-defender-antivirus.md | 4 +-- ...-interaction-windows-defender-antivirus.md | 4 +-- ...e-exclusions-windows-defender-antivirus.md | 4 +-- ...e-exclusions-windows-defender-antivirus.md | 4 +-- ...cy-overrides-windows-defender-antivirus.md | 4 +-- ...-connections-windows-defender-antivirus.md | 6 ++--- ...otifications-windows-defender-antivirus.md | 4 +-- ...e-exclusions-windows-defender-antivirus.md | 4 +-- ...ion-features-windows-defender-antivirus.md | 4 +-- ...e-protection-windows-defender-antivirus.md | 4 +-- ...-remediation-windows-defender-antivirus.md | 4 +-- ...r-exclusions-windows-defender-antivirus.md | 4 +-- ...ure-windows-defender-antivirus-features.md | 4 +-- ...ediate-scans-windows-defender-antivirus.md | 4 +-- ...anage-report-windows-defender-antivirus.md | 4 +-- .../deploy-windows-defender-antivirus.md | 4 +-- ...ployment-vdi-windows-defender-antivirus.md | 4 +-- ...nwanted-apps-windows-defender-antivirus.md | 6 ++--- ...d-protection-windows-defender-antivirus.md | 4 +-- .../evaluate-windows-defender-antivirus.md | 6 ++--- ...dic-scanning-windows-defender-antivirus.md | 4 +-- ...ased-updates-windows-defender-antivirus.md | 4 +-- ...ed-endpoints-windows-defender-antivirus.md | 4 +-- ...ate-schedule-windows-defender-antivirus.md | 4 +-- ...tion-updates-windows-defender-antivirus.md | 4 +-- ...es-baselines-windows-defender-antivirus.md | 4 +-- ...-devices-vms-windows-defender-antivirus.md | 4 +-- .../microsoft-defender-atp-mac.md | 26 +++++++++---------- .../windows-defender-antivirus/oldTOC.md | 2 +- ...-interaction-windows-defender-antivirus.md | 6 ++--- ...port-monitor-windows-defender-antivirus.md | 4 +-- ...ntined-files-windows-defender-antivirus.md | 4 +-- ...scan-results-windows-defender-antivirus.md | 4 +-- .../run-scan-windows-defender-antivirus.md | 4 +-- ...tch-up-scans-windows-defender-antivirus.md | 4 +-- ...ection-level-windows-defender-antivirus.md | 4 +-- .../troubleshoot-reporting.md | 4 +-- ...troubleshoot-windows-defender-antivirus.md | 6 ++--- ...group-policy-windows-defender-antivirus.md | 4 +-- ...nfig-manager-windows-defender-antivirus.md | 4 +-- ...hell-cmdlets-windows-defender-antivirus.md | 4 +-- .../use-wmi-windows-defender-antivirus.md | 4 +-- ...d-protection-windows-defender-antivirus.md | 4 +-- ...indows-defender-antivirus-compatibility.md | 16 ++++++------ ...indows-defender-antivirus-in-windows-10.md | 4 +-- ...fender-antivirus-on-windows-server-2016.md | 4 +-- .../windows-defender-offline.md | 4 +-- ...dows-defender-security-center-antivirus.md | 6 ++--- 53 files changed, 129 insertions(+), 129 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md index 61bd6e91de..d1d493ca47 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md +++ b/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) This topic describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Windows Defender AV Assessment section in the Update Compliance add-in. diff --git a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md index 2d08b48bfe..c27ea9d49d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 12/10/2018 --- @@ -18,7 +18,7 @@ ms.date: 12/10/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can perform various Windows Defender Antivirus functions with the dedicated command-line tool mpcmdrun.exe. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md index b2246f6bc2..901c6c4995 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can manage and configure Windows Defender Antivirus with the following tools: diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md index 5714563915..88526a1351 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 10/25/2018 @@ -19,7 +19,7 @@ ms.date: 10/25/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) **Use Microsoft Intune to configure scanning options** diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md index b5d15d6b55..de780c12e7 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Block at first sight is a feature of next gen protection that provides a way to detect and block new malware within seconds. @@ -32,7 +32,7 @@ You can also [customize the message displayed on users' desktops](https://docs.m > There is no specific individual setting in System Center Configuration Manager to enable or disable block at first sight. It is enabled by default when the pre-requisite settings are configured correctly. You must use Group Policy settings to enable or disable the feature. >[!TIP] ->You can also visit the Windows Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. +>You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. ## How it works diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md index d7ffbcbafd..1db5465f6e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) When Windows Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Windows Defender Antivirus cloud service](utilize-microsoft-cloud-protection-windows-defender-antivirus.md). diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md index d72265f76a..bc655530db 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can configure how users of the endpoints on your network can interact with Windows Defender Antivirus. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md index 430acbec64..354dd5cf6b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can exclude certain files, folders, processes, and process-opened files from Windows Defender Antivirus scans. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 78351fac00..7250b72a17 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 12/10/2018 --- @@ -18,7 +18,7 @@ ms.date: 12/10/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md index 9feb4b7840..3670b50c42 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) By default, Windows Defender Antivirus settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index 71db8e1517..b895c48fac 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 10/08/2018 --- @@ -18,7 +18,7 @@ ms.date: 10/08/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers. @@ -27,7 +27,7 @@ This topic lists the connections that must be allowed, such as by using firewall See the Enterprise Mobility and Security blog post [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/) for some details about network connectivity. >[!TIP] ->You can also visit the Windows Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: +>You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: > >- Cloud-delivered protection >- Fast learning (including block at first sight) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md index 9874e1fe22..4da87e4759 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) In Windows 10, application notifications about malware detection and remediation are more robust, consistent, and concise. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md index 15f82314e7..0d029074a7 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 12/10/2018 --- @@ -18,7 +18,7 @@ ms.date: 12/10/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can exclude files that have been opened by specific processes from Windows Defender Antivirus scans. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md index de47e8d1a8..3c50b7b45c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Defender Antivirus uses several methods to provide threat protection: diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md index 84cef362eb..594dcb0971 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 11/13/2018 --- @@ -18,7 +18,7 @@ ms.date: 11/13/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md index d09e59a96a..7d76d8a3ca 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Windows Defender Antivirus should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md index 64037f0090..c56a79193a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic --- @@ -17,7 +17,7 @@ ms.author: v-anbic **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Defender Antivirus on Windows Server 2016 computers automatically enrolls you in certain exclusions, as defined by your specified server role. See [the end of this topic](#list-of-automatic-exclusions) for a list of these exclusions. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md index 862b5513c4..168cab8841 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can configure Windows Defender Antivirus with a number of tools, including: diff --git a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md index b719577c49..ee7a843321 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Windows Defender Antivirus scans. diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md index 5d587e3b8d..3dee12bfa2 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can deploy, manage, and report on Windows Defender Antivirus in a number of ways. diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md index df219115d7..dbdd57f33f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Depending on the management tool you are using, you may need to specifically enable or configure Windows Defender Antivirus protection. diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md index 1bf3ab9c2f..fe13cfa820 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment. diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index 37859694d9..3185d40ef9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: detect ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 10/02/2018 --- @@ -18,7 +18,7 @@ ms.date: 10/02/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can identify and block PUAs from downloading and installing on endpoints in your network. @@ -33,7 +33,7 @@ Typical PUA behavior includes: These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications. >[!TIP] ->You can also visit the Windows Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +>You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. ## How it works diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md index 787c9a85ad..a2f69a956b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >[!NOTE] >The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. diff --git a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md index c937715d4a..05165e019c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,12 +18,12 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Use this guide to determine how well Windows Defender Antivirus protects you from viruses, malware, and potentially unwanted applications. >[!TIP] ->You can also visit the Windows Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work: +>You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work: >- Cloud-delivered protection >- Fast learning (including Block at first sight) >- Potentially unwanted application blocking diff --git a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md index 93ef8703d6..36df0b6adf 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -20,7 +20,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 device. diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md index 4e04685c61..bb6efd9718 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Defender Antivirus allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service. diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md index 9a77e63d64..38ca9e9c62 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Defender Antivirus lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis. diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md index 4f8774109a..29534e1b63 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Defender Antivirus lets you determine when it should look for and download updates. diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md index f05c21e0b5..2b0abfb132 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index 99e2c737d9..f9883aa6c4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) There are two types of updates related to keeping Windows Defender Antivirus up to date: 1. Protection updates diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md index 93a9e45f84..b6b70e86ce 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Mobile devices and VMs may require additional configuration to ensure performance is not impacted by updates. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 15865ca9fa..d78140a765 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -28,7 +28,7 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only ## Prerequisites You should have beginner-level experience in macOS and BASH scripting. You must have administrative privileges on the machine. -You should also have access to Windows Defender Security Center. +You should also have access to Microsoft Defender Security Center. ### System Requirements Microsoft Defender ATP for Mac system requirements: @@ -56,7 +56,7 @@ SIP is a built-in macOS security feature that prevents low-level tampering with ## Installation and configuration overview There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. In general you'll need to take the following steps: - - [Register macOS devices](#register-macos-devices) with Windows Defender ATP + - [Register macOS devices](#register-macos-devices) with Microsoft Defender ATP - Deploy Microsoft Defender ATP for Mac using any of the following deployment methods and tools: - [Microsoft Intune based deployment](#microsoft-intune-based-deployment) - [JAMF based deployment](#jamf-based-deployment) @@ -68,14 +68,14 @@ Use any of the supported methods to deploy Microsoft Defender ATP for Mac ## Microsoft Intune based deployment ### Download installation and onboarding packages -Download the installation and onboarding packages from Windows Defender Security Center: -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +Download the installation and onboarding packages from Microsoft Defender Security Center: +1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**. 2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. 3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. 4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. 5. Download IntuneAppUtil from https://docs.microsoft.com/en-us/intune/lob-apps-macos. - ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + ![Microsoft Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) 6. From a command prompt, verify that you have the three files. Extract the contents of the .zip files: @@ -198,13 +198,13 @@ You need to be familiar with JAMF administration tasks, have a JAMF tenant, and ### Download installation and onboarding packages -Download the installation and onboarding packages from Windows Defender Security Center: -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +Download the installation and onboarding packages from Microsoft Defender Security Center: +1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**. 2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. 3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. 4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. - ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + ![Microsoft Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) 5. From a command prompt, verify that you have the two files. Extract the contents of the .zip files: @@ -377,18 +377,18 @@ You can check that machines are correctly onboarded by creating a script. For ex /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' ``` -This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. +This script returns 0 if Microsoft Defender ATP is registered with the Microsoft Defender ATP service, and another exit code if it is not installed or registered. ## Manual deployment ### Download installation and onboarding packages -Download the installation and onboarding packages from Windows Defender Security Center: -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +Download the installation and onboarding packages from Microsoft Defender Security Center: +1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**. 2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. 3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. 4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. - ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + ![Microsoft Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) 5. From a command prompt, verify that you have the two files. Extract the contents of the .zip files: @@ -471,7 +471,7 @@ Or, from a command line: - Microsoft Defender ATP is not yet optimized for performance or disk space. - Centrally managed uninstall using Intune is still in development. To uninstall (as a workaround) a manual uninstall action has to be completed on each client device). - Geo preference for telemetry traffic is not yet supported. Cloud traffic (definition updates) routed to US only. -- Full Windows Defender ATP integration is not yet available +- Full Microsoft Defender ATP integration is not yet available - Not localized yet - There might be accessibility issues diff --git a/windows/security/threat-protection/windows-defender-antivirus/oldTOC.md b/windows/security/threat-protection/windows-defender-antivirus/oldTOC.md index 8c12b9ff9d..f9457d3f21 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/oldTOC.md +++ b/windows/security/threat-protection/windows-defender-antivirus/oldTOC.md @@ -1,7 +1,7 @@ # [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -## [Windows Defender AV in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md) +## [Windows Defender AV in the Microsoft Defender Security Center app](windows-defender-security-center-antivirus.md) ## [Windows Defender AV on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md index a156c5b1dd..2de691deb9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can use Group Policy to prevent users on endpoints from seeing the Windows Defender Antivirus interface. You can also prevent them from pausing scans. @@ -35,7 +35,7 @@ With the setting set to **Disabled** or not configured: ![Scheenshot of Windows Security showing the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-off-1703.png) >[!NOTE] ->Hiding the interface will also prevent Windows Defender Antivirus notifications from appearing on the endpoint. Windows Defender Advanced Threat Protection notifications will still appear. You can also individually [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) +>Hiding the interface will also prevent Windows Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender Advanced Threat Protection notifications will still appear. You can also individually [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning "Your system administrator has restricted access to this app.": diff --git a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md index 6e22b89713..ed1703b544 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) There are a number of ways you can review protection status and alerts, depending on the management tool you are using for Windows Defender Antivirus. diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md index 1718727ee2..4de3b92e99 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 11/16/2018 --- @@ -18,7 +18,7 @@ ms.date: 11/16/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) If Windows Defender Antivirus is configured to detect and remediate threats on your device, Windows Defender Antivirus quarantines suspicious files. If you are certain these files do not present a threat, you can restore them. diff --git a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md index ae3a67efe6..8be9dc4db1 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) After an Windows Defender Antivirus scan completes, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results. diff --git a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md index 15a9be7d17..d3cdab176e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type. diff --git a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md index 9a451f585c..42310786b4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 12/10/2018 --- @@ -18,7 +18,7 @@ ms.date: 12/10/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) > [!NOTE] > By default, Windows Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) to override this default. diff --git a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md index 089226de14..0f59883e27 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and System Center Configuration Manager. diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md index 85b5650e9c..935339fb99 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md +++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of machines or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Windows Defender Antivirus, you may encounter problems or issues. diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md index 0bdced17c6..1fcbeccd26 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/11/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/11/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) If you encounter a problem with Windows Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution. @@ -29,7 +29,7 @@ The tables list: - [Internal Windows Defender Antivirus client error codes (used by Microsoft during development and testing)](#internal-error-codes) >[!TIP] ->You can also visit the Windows Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: +>You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: >- Cloud-delivered protection >- Fast learning (including Block at first sight) diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md index dcb8f76069..1d000caef1 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can use [Group Policy](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx) to configure and manage Windows Defender Antivirus on your endpoints. diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md index 566898708b..b8eff33e4a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Windows Defender Antivirus scans. diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md index 8e45003982..9fc1d12db3 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration, and you can read more about it at the [PowerShell hub on MSDN](https://msdn.microsoft.com/powershell/mt173057.aspx). diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md index c4f3239b0c..ef249aaa42 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and update settings. diff --git a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md index 59ec895413..6dbff069e4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Microsoft next-gen technologies in Windows Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models. diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index 449d118890..34ee455d8a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,17 +18,17 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app, Windows Defender Antivirus will automatically disable itself. You can then choose to enable an optional, limited protection feature, called [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md). -If you are also using Windows Defender Advanced Threat Protection, then Windows Defender AV will enter a passive mode. +If you are also using Microsoft Defender Advanced Threat Protection, then Windows Defender AV will enter a passive mode. -The following matrix illustrates the states that Windows Defender AV will enter when third-party antivirus products or Windows Defender ATP are also used. +The following matrix illustrates the states that Windows Defender AV will enter when third-party antivirus products or Microsoft Defender ATP are also used. -Windows version | Antimalware protection offered by | Organization enrolled in Windows Defender ATP | Windows Defender AV state +Windows version | Antimalware protection offered by | Organization enrolled in Microsoft Defender ATP | Windows Defender AV state -|-|-|- Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode @@ -59,11 +59,11 @@ This table indicates the functionality and features that are available in each s State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Security intelligence updates](manage-updates-baselines-windows-defender-antivirus.md) :-|:-|:-:|:-:|:-:|:-:|:-: -Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Microsoft Defender ATP service. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -If you are enrolled in Windows Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks. +If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks. Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats, Windows Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender AV engine to periodically check for threats in addition to your main antivirus app. @@ -72,7 +72,7 @@ In passive and automatic disabled mode, you can still [manage updates for Window If you uninstall the other product, and choose to use Windows Defender AV to provide protection to your endpoints, Windows Defender AV will automatically return to its normal active mode. >[!WARNING] ->You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender AV, Windows Defender ATP, or the Windows Security app. +>You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender AV, Microsoft Defender ATP, or the Windows Security app. > >This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. > diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md index de41958e5e..1e9f3e028e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md index f38d0b3823..b272703ba3 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Defender Antivirus is available on Windows Server 2016. In some instances it is referred to as Endpoint Protection - however, the protection engine is the same. diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md index e860e58f69..f8279e4b09 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR). diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md index 4b78bafccb..739439af03 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md @@ -9,7 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel +author: justinha ms.author: v-anbic ms.date: 09/03/2018 --- @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) In Windows 10, version 1703 and later, the Windows Defender app is part of the Windows Security. @@ -36,7 +36,7 @@ Settings that were previously part of the Windows Defender client and main Windo See the [Windows Security topic](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app. >[!NOTE] ->The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Windows Defender Security Center web portal that is used to review and manage [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). +>The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal that is used to review and manage [Microsoft Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). **Review virus and threat protection settings in the Windows Security app:** From 86160de735f398daaf15c681e17e8e49e8b9d8a4 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 15:37:59 -0700 Subject: [PATCH 123/492] update product name in ac --- ...ation-control-events-centrally-using-advanced-hunting.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md index b1018f5e79..af40ccb8a4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md +++ b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md @@ -16,12 +16,12 @@ ms.date: 12/06/2018 A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. While Event Viewer helps to see the impact on a single system, IT Pros want to gauge the impact across many systems. -In November 2018, we added functionality in Windows Defender Advanced Threat Protection (Windows Defender ATP) that makes it easy to view WDAC events centrally from all systems that are connected to Windows Defender ATP. +In November 2018, we added functionality in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) that makes it easy to view WDAC events centrally from all systems that are connected to Microsoft Defender ATP. -Advanced hunting in Windows Defender ATP allows customers to query data using a rich set of capabilities. WDAC events can be queried with using an ActionType that starts with “AppControl”. +Advanced hunting in Microsoft Defender ATP allows customers to query data using a rich set of capabilities. WDAC events can be queried with using an ActionType that starts with “AppControl”. This capability is supported beginning with Windows version 1607. -Here is a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Windows Defender ATP: +Here is a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Microsoft Defender ATP: ``` MiscEvents From e415425c97c022173af243931e9e4ba0420a5ce1 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 15:39:39 -0700 Subject: [PATCH 124/492] update ag product names --- .../configure-wd-app-guard.md | 2 +- .../windows-defender-application-guard/faq-wd-app-guard.md | 2 +- .../windows-defender-application-guard/install-wd-app-guard.md | 2 +- .../windows-defender-application-guard/reqs-wd-app-guard.md | 2 +- .../test-scenarios-wd-app-guard.md | 2 +- .../windows-defender-application-guard/wd-app-guard-overview.md | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md index 80dbb5a03b..062d1ab9f3 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md @@ -13,7 +13,7 @@ ms.date: 10/17/2017 # Configure Windows Defender Application Guard policy settings -**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain. diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md index 8be213c70e..2bd4f7732a 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -14,7 +14,7 @@ ms.date: 03/28/2019 # Frequently asked questions - Windows Defender Application Guard -**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Answering frequently asked questions about Windows Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration. diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md index 7bbb3edc4c..b340cb1da4 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md @@ -14,7 +14,7 @@ ms.date: 02/19/2019 # Prepare to install Windows Defender Application Guard **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ## Review system requirements diff --git a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md index fc2f274410..7ae28017bf 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md @@ -13,7 +13,7 @@ ms.date: 11/09/2017 # System requirements for Windows Defender Application Guard -**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive. diff --git a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md index 092d966221..e372ec40e6 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md @@ -14,7 +14,7 @@ ms.date: 03/15/2019 # Application Guard testing scenarios -**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization. diff --git a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md index 41cf3d2bd0..e8dd4b2672 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md +++ b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md @@ -13,7 +13,7 @@ ms.date: 03/28/2019 # Windows Defender Application Guard overview -**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Windows Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete. From f7f39d937e9fe0e669b5c319b9b39fab276ccaa0 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 15:41:49 -0700 Subject: [PATCH 125/492] update wdsc folder with product name and author --- .../windows-defender-security-center/oldTOC.md | 8 ++++---- .../wdsc-account-protection.md | 4 ++-- .../wdsc-app-browser-control.md | 4 ++-- .../wdsc-customize-contact-information.md | 4 ++-- .../wdsc-device-performance-health.md | 4 ++-- .../wdsc-device-security.md | 4 ++-- .../wdsc-family-options.md | 4 ++-- .../wdsc-firewall-network-protection.md | 4 ++-- .../wdsc-hide-notifications.md | 4 ++-- .../wdsc-virus-threat-protection.md | 4 ++-- .../wdsc-windows-10-in-s-mode.md | 4 ++-- .../windows-defender-security-center.md | 6 +++--- 12 files changed, 27 insertions(+), 27 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-security-center/oldTOC.md b/windows/security/threat-protection/windows-defender-security-center/oldTOC.md index 92d6f70f01..4ca95e5608 100644 --- a/windows/security/threat-protection/windows-defender-security-center/oldTOC.md +++ b/windows/security/threat-protection/windows-defender-security-center/oldTOC.md @@ -1,9 +1,9 @@ -# [The Windows Defender Security Center app](windows-defender-security-center.md) +# [The Microsoft Defender Security Center app](windows-defender-security-center.md) -## [Customize the Windows Defender Security Center app for your organization](wdsc-customize-contact-information.md) -## [Hide Windows Defender Security Center app notifications](wdsc-hide-notifications.md) -## [Manage Windows Defender Security Center in Windows 10 in S mode](wdsc-windows-10-in-s-mode.md) +## [Customize the Microsoft Defender Security Center app for your organization](wdsc-customize-contact-information.md) +## [Hide Microsoft Defender Security Center app notifications](wdsc-hide-notifications.md) +## [Manage Microsoft Defender Security Center in Windows 10 in S mode](wdsc-windows-10-in-s-mode.md) ## [Virus and threat protection](wdsc-virus-threat-protection.md) ## [Account protection](wdsc-account-protection.md) ## [Firewall and network protection](wdsc-firewall-network-protection.md) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md index eb6433dadd..f0717a9b1f 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 04/30/2018 --- diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md index f8a95593d9..4b44cd3f09 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 04/30/2018 --- diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md index 30cc2c355d..f8ac757f91 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 04/30/2018 --- diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md index 83258123af..4abfa20ff5 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 04/30/2018 --- diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md index 5df35a849e..6b828b0347 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 10/02/2018 --- diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md index cc7706945e..84f4c82eae 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 04/30/2018 --- diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md index 1aea2d2d26..29be0d4d92 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 04/30/2018 --- diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index b936dc1dcb..98abf1ab59 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 04/30/2018 --- diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md index f4ee73535b..db876c5abf 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 04/30/2018 --- diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md index f13658dab4..b17f381379 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 04/30/2018 --- diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md index 60a0d3278b..938c532c3d 100644 --- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: andreabichsel -ms.author: v-anbic +author: justinha +ms.author: justinha ms.date: 10/02/2018 --- @@ -37,7 +37,7 @@ In Windows 10, version 1803, the app has two new areas, **Account protection** a ![Screen shot of the Windows Security app showing that the device is protected and five icons for each of the features](images/security-center-home.png) >[!NOTE] ->The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Windows Defender Security Center web portal console that is used to review and manage [Windows Defender Advanced Threat Protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). +>The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). You can't uninstall the Windows Security app, but you can do one of the following: From 0c3ad2be39a454727316522f1366bfe1625d7cb3 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Wed, 10 Apr 2019 15:42:04 -0700 Subject: [PATCH 126/492] updeate redirects --- .openpublishing.redirection.json | 171 +++++++++++++++++++++++-------- 1 file changed, 128 insertions(+), 43 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 068c8c88fa..fc7f418de0 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -856,14 +856,19 @@ "redirect_document_id": true }, { +"source_path": "windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/advanced-features", "redirect_document_id": true }, { -"source_path": "windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/advanced-features", -"redirect_document_id": false +"source_path": "windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection", +"redirect_document_id": true }, { "source_path": "windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md", @@ -871,8 +876,8 @@ "redirect_document_id": true }, { -"source_path": "windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/alerts-queue", +"source_path": "windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { @@ -881,8 +886,8 @@ "redirect_document_id": true }, { -"source_path": "windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping", +"source_path": "windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { @@ -891,8 +896,8 @@ "redirect_document_id": true }, { -"source_path": "windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access", +"source_path": "windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { @@ -901,53 +906,33 @@ "redirect_document_id": true }, { -"source_path": "windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status", -"redirect_document_id": true -}, -{ "source_path": "windows/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/community", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { -"source_path": "windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection", -"redirect_document_id": true -}, -{ -"source_path": "windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection", -"redirect_document_id": true -}, -{ -"source_path": "windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection", -"redirect_document_id": true -}, -{ -"source_path": "windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection", -"redirect_document_id": true -}, -{ -"source_path": "windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection", -"redirect_document_id": true -}, -{ -"source_path": "windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection", +"source_path": "windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications", "redirect_document_id": true }, { @@ -956,33 +941,118 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints", +"redirect_document_id": true +}, +{ +"source_path": "windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp", +"redirect_document_id": true +}, +{ +"source_path": "windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm", +"redirect_document_id": true +}, +{ +"source_path": "windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows", +"redirect_document_id": true +}, +{ +"source_path": "windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm", +"redirect_document_id": true +}, +{ +"source_path": "windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script", +"redirect_document_id": true +}, +{ +"source_path": "windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/configure-siem", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/configure-splunk", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { -"source_path": "windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection", +"source_path": "windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api", "redirect_document_id": true }, { @@ -991,16 +1061,31 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection", "redirect_document_id": true From 50e74994efceb3b662077ed34aa53e2ea7d6d00c Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 15:48:58 -0700 Subject: [PATCH 127/492] remove wdatp in links --- .../microsoft-defender-atp/alerts.md | 18 +++++------ .../collect-investigation-package.md | 2 +- .../create-alert-by-reference.md | 2 +- .../exposed-apis-create-app-nativeapp.md | 2 +- .../exposed-apis-create-app-webapp.md | 2 +- .../exposed-apis-odata-samples.md | 6 ++-- .../microsoft-defender-atp/files.md | 8 ++--- .../get-alert-info-by-id.md | 2 +- .../microsoft-defender-atp/get-alerts.md | 2 +- .../get-domain-related-alerts.md | 2 +- .../get-domain-related-machines.md | 2 +- .../get-file-information.md | 2 +- .../get-file-related-alerts.md | 2 +- .../get-file-related-machines.md | 2 +- .../get-ip-related-alerts.md | 2 +- .../get-ip-related-machines.md | 2 +- .../get-machine-by-id.md | 2 +- .../get-machine-log-on-users.md | 2 +- .../get-machine-related-alerts.md | 2 +- .../get-machineaction-object.md | 2 +- .../get-machineactions-collection.md | 2 +- .../microsoft-defender-atp/get-machines.md | 2 +- .../get-package-sas-uri.md | 2 +- .../get-ti-indicators-collection.md | 2 +- .../get-user-information.md | 2 +- .../get-user-related-machines.md | 2 +- .../microsoft-defender-atp/isolate-machine.md | 4 +-- .../microsoft-defender-atp/machine-tags.md | 2 +- .../microsoft-defender-atp/machine.md | 30 +++++++++---------- .../microsoft-defender-atp/machineaction.md | 22 +++++++------- .../offboard-machine-api.md | 2 +- .../post-ti-indicator.md | 6 ++-- .../restrict-code-execution.md | 4 +-- .../stop-and-quarantine-file.md | 2 +- .../microsoft-defender-atp/ti-indicator.md | 8 ++--- .../unisolate-machine.md | 4 +-- .../unrestrict-code-execution.md | 4 +-- .../microsoft-defender-atp/update-alert.md | 2 +- .../microsoft-defender-atp/use-apis.md | 2 +- .../microsoft-defender-atp/user.md | 4 +-- 40 files changed, 87 insertions(+), 87 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md index d2fdf0726f..761f24b3f0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md @@ -27,14 +27,14 @@ Represents an alert entity in Microsoft Defender ATP. # Methods Method|Return Type |Description :---|:---|:--- -[Get alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) | [Alert](alerts-windows-defender-advanced-threat-protection-new.md) | Get a single [alert](alerts-windows-defender-advanced-threat-protection-new.md) object. -[List alerts](get-alerts-windows-defender-advanced-threat-protection-new.md) | [Alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | List [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection. -[Create alert](create-alert-by-reference-windows-defender-advanced-threat-protection-new.md)|[Alert](alerts-windows-defender-advanced-threat-protection-new.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md). -[List related domains](get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md)|Domain collection| List URLs associated with the alert. -[List related files](get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md) | [File](files-windows-defender-advanced-threat-protection-new.md) collection | List the [file](files-windows-defender-advanced-threat-protection-new.md) entities that are associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md). -[List related IPs](get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md) | IP collection | List IPs that are associated with the alert. -[Get related machines](get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md) | [Machine](machine-windows-defender-advanced-threat-protection-new.md) | The [machine](machine-windows-defender-advanced-threat-protection-new.md) that is associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md). -[Get related users](get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md) | [User](user-windows-defender-advanced-threat-protection-new.md) | The [user](user-windows-defender-advanced-threat-protection-new.md) that is associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md). +[Get alert](get-alert-info-by-id.md) | [Alert](alerts.md) | Get a single [alert](alerts.md) object. +[List alerts](get-alerts.md) | [Alert](alerts.md) collection | List [alert](alerts.md) collection. +[Create alert](create-alert-by-reference.md)|[Alert](alerts.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md). +[List related domains](get-alert-related-domain-info.md)|Domain collection| List URLs associated with the alert. +[List related files](get-alert-related-files-info.md) | [File](files.md) collection | List the [file](files.md) entities that are associated with the [alert](alerts.md). +[List related IPs](get-alert-related-ip-info.md) | IP collection | List IPs that are associated with the alert. +[Get related machines](get-alert-related-machine-info.md) | [Machine](machine.md) | The [machine](machine.md) that is associated with the [alert](alerts.md). +[Get related users](get-alert-related-user-info.md) | [User](user.md) | The [user](user.md) that is associated with the [alert](alerts.md). # Properties @@ -57,7 +57,7 @@ alertCreationTime | DateTimeOffset | The date and time (in UTC) the alert was cr lastEventTime | DateTimeOffset | The last occurance of the event that triggered the alert on the same machine. firstEventTime | DateTimeOffset | The first occurance of the event that triggered the alert on that machine. resolvedTime | DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'. -machineId | String | ID of a [machine](machine-windows-defender-advanced-threat-protection-new.md) entity that is associated with the alert. +machineId | String | ID of a [machine](machine.md) entity that is associated with the alert. # JSON representation ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md index c828e5a9b8..49aa2a3832 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md +++ b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md @@ -60,7 +60,7 @@ Parameter | Type | Description Comment | String | Comment to associate with the action. **Required**. ## Response -If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body. +If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md index f21867e552..67376f8415 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md @@ -69,7 +69,7 @@ category| String | Category of the alert. The property values are: 'None', 'Susp ## Response -If successful, this method returns 200 OK, and a new [alert](alerts-windows-defender-advanced-threat-protection-new.md) object in the response body. If event with the specified properties (_reportId_, _eventTime_ and _machineId_) was not found - 404 Not Found. +If successful, this method returns 200 OK, and a new [alert](alerts.md) object in the response body. If event with the specified properties (_reportId_, _eventTime_ and _machineId_) was not found - 404 Not Found. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md index 5d6e59a7c2..4d8dbed5a8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md @@ -82,7 +82,7 @@ This page explains how to create an AAD application, get an access token to Micr For instance, - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission - - To [isolate a machine](isolate-machine-windows-defender-advanced-threat-protection-new.md), select 'Isolate machine' permission + - To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission To determine which permission you need, look at the **Permissions** section in the API you are interested to call. diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md index e0800f060b..9d46f63fe7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md @@ -74,7 +74,7 @@ This page explains how to create an AAD application, get an access token to Micr For instance, - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission - - To [isolate a machine](isolate-machine-windows-defender-advanced-threat-protection-new.md), select 'Isolate machine' permission + - To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission - To determine which permission you need, please look at the **Permissions** section in the API you are interested to call. ![Image of select permissions](images/webapp-select-permission.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md index 3eb6c6eb6b..393903a87e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md @@ -29,9 +29,9 @@ ms.date: 11/15/2018 ### Properties that supports $filter: -- [Alert](alerts-windows-defender-advanced-threat-protection-new.md): Id, IncidentId, AlertCreationTime, Status, Severity and Category. -- [Machine](machine-windows-defender-advanced-threat-protection-new.md): Id, ComputerDnsName, LastSeen, LastIpAddress, HealthStatus, OsPlatform, RiskScore, MachineTags and RbacGroupId. -- [MachineAction](machineaction-windows-defender-advanced-threat-protection-new.md): Id, Status, MachineId, Type, Requestor and CreationDateTimeUtc. +- [Alert](alerts.md): Id, IncidentId, AlertCreationTime, Status, Severity and Category. +- [Machine](machine.md): Id, ComputerDnsName, LastSeen, LastIpAddress, HealthStatus, OsPlatform, RiskScore, MachineTags and RbacGroupId. +- [MachineAction](machineaction.md): Id, Status, MachineId, Type, Requestor and CreationDateTimeUtc. ### Example 1 diff --git a/windows/security/threat-protection/microsoft-defender-atp/files.md b/windows/security/threat-protection/microsoft-defender-atp/files.md index 8a89db801c..85db198384 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/files.md +++ b/windows/security/threat-protection/microsoft-defender-atp/files.md @@ -27,10 +27,10 @@ Represent a file entity in Microsoft Defender ATP. # Methods Method|Return Type |Description :---|:---|:--- -[Get file](get-file-information-windows-defender-advanced-threat-protection-new.md) | [file](files-windows-defender-advanced-threat-protection-new.md) | Get a single file -[List file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | Get the [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities that are associated with the file. -[List file related machines](get-file-related-machines-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | Get the [machine](machine-windows-defender-advanced-threat-protection-new.md) entities associated with the alert. -[file statistics](get-file-statistics-windows-defender-advanced-threat-protection-new.md) | Statistics summary | Retrieves the prevalence for the given file. +[Get file](get-file-information.md) | [file](files.md) | Get a single file +[List file related alerts](get-file-related-alerts.md) | [alert](alerts.md) collection | Get the [alert](alerts.md) entities that are associated with the file. +[List file related machines](get-file-related-machines.md) | [machine](machine.md) collection | Get the [machine](machine.md) entities associated with the alert. +[file statistics](get-file-statistics.md) | Statistics summary | Retrieves the prevalence for the given file. # Properties diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md index 270323aae6..f8eea40763 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md @@ -56,7 +56,7 @@ Authorization | String | Bearer {token}. **Required**. Empty ## Response -If successful, this method returns 200 OK, and the [alert](alerts-windows-defender-advanced-threat-protection-new.md) entity in the response body. If alert with the specified id was not found - 404 Not Found. +If successful, this method returns 200 OK, and the [alert](alerts.md) entity in the response body. If alert with the specified id was not found - 404 Not Found. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md index 6fb1bbbf17..46726fec58 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md @@ -64,7 +64,7 @@ Authorization | String | Bearer {token}. **Required**. Empty ## Response -If successful, this method returns 200 OK, and a list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) objects in the response body. +If successful, this method returns 200 OK, and a list of [alert](alerts.md) objects in the response body. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md index 6e1478cb72..4201cbf4d8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md @@ -61,7 +61,7 @@ Authorization | String | Bearer {token}. **Required**. Empty ## Response -If successful and domain exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities. If domain does not exist - 404 Not Found. +If successful and domain exists - 200 OK with list of [alert](alerts.md) entities. If domain does not exist - 404 Not Found. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md index b6ee9ba801..9168ffdd7e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md @@ -56,7 +56,7 @@ Authorization | String | Bearer {token}. **Required**. Empty ## Response -If successful and domain exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities. If domain do not exist - 404 Not Found. +If successful and domain exists - 200 OK with list of [machine](machine.md) entities. If domain do not exist - 404 Not Found. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md index 0315a79f79..474e98f273 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md @@ -56,7 +56,7 @@ Authorization | String | Bearer {token}. **Required**. Empty ## Response -If successful and file exists - 200 OK with the [file](files-windows-defender-advanced-threat-protection-new.md) entity in the body. If file does not exist - 404 Not Found. +If successful and file exists - 200 OK with the [file](files.md) entity in the body. If file does not exist - 404 Not Found. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md index f3709ad133..d28d08c520 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md @@ -59,7 +59,7 @@ Authorization | String | Bearer {token}. **Required**. Empty ## Response -If successful and file exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If file do not exist - 404 Not Found. +If successful and file exists - 200 OK with list of [alert](alerts.md) entities in the body. If file do not exist - 404 Not Found. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md index 599b60b82e..88d1a2e8ea 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md @@ -58,7 +58,7 @@ Authorization | String | Bearer {token}. **Required**. Empty ## Response -If successful and file exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If file do not exist - 404 Not Found. +If successful and file exists - 200 OK with list of [machine](machine.md) entities in the body. If file do not exist - 404 Not Found. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md index 28b400897f..711a6def63 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md @@ -57,7 +57,7 @@ Authorization | String | Bearer {token}. **Required**. Empty ## Response -If successful and IP exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If IP do not exist - 404 Not Found. +If successful and IP exists - 200 OK with list of [alert](alerts.md) entities in the body. If IP do not exist - 404 Not Found. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md index a8875b7324..9cf6c3784a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md @@ -57,7 +57,7 @@ Authorization | String | Bearer {token}. **Required**. Empty ## Response -If successful and IP exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If IP do not exist - 404 Not Found. +If successful and IP exists - 200 OK with list of [machine](machine.md) entities in the body. If IP do not exist - 404 Not Found. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md index 017460ba7e..93cc44b4f7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md @@ -59,7 +59,7 @@ Authorization | String | Bearer {token}. **Required**. Empty ## Response -If successful and machine exists - 200 OK with the [machine](machine-windows-defender-advanced-threat-protection-new.md) entity in the body. +If successful and machine exists - 200 OK with the [machine](machine.md) entity in the body. If machine with the specified id was not found - 404 Not Found. diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md index a4233e222f..4c87962798 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md @@ -55,7 +55,7 @@ Authorization | String | Bearer {token}. **Required**. Empty ## Response -If successful and machine exist - 200 OK with list of [user](user-windows-defender-advanced-threat-protection-new.md) entities in the body. If machine was not found - 404 Not Found. +If successful and machine exist - 200 OK with list of [user](user.md) entities in the body. If machine was not found - 404 Not Found. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md index 0250ee9a19..97d706a373 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md @@ -57,7 +57,7 @@ Authorization | String | Bearer {token}. **Required**. Empty ## Response -If successful and machine exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If machine was not found - 404 Not Found. +If successful and machine exists - 200 OK with list of [alert](alerts.md) entities in the body. If machine was not found - 404 Not Found. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md index 3cb8e46926..3740226c86 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md @@ -57,7 +57,7 @@ Authorization | String | Bearer {token}. **Required**. Empty ## Response -If successful, this method returns 200, Ok response code with a [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entity. If machine action entity with the specified id was not found - 404 Not Found. +If successful, this method returns 200, Ok response code with a [Machine Action](machineaction.md) entity. If machine action entity with the specified id was not found - 404 Not Found. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md index 9bfc5cab5b..6dc52d9c42 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md @@ -60,7 +60,7 @@ Authorization | String | Bearer {token}. **Required**. Empty ## Response -If successful, this method returns 200, Ok response code with a collection of [machineAction](machineaction-windows-defender-advanced-threat-protection-new.md) entities. +If successful, this method returns 200, Ok response code with a collection of [machineAction](machineaction.md) entities. ## Example 1 diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md index 6d6a921754..db7af73a74 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md @@ -58,7 +58,7 @@ Authorization | String | Bearer {token}. **Required**. Empty ## Response -If successful and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If no recent machines - 404 Not Found. +If successful and machines exists - 200 OK with list of [machine](machine.md) entities in the body. If no recent machines - 404 Not Found. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md index b4e18b9069..8b8827362c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md @@ -23,7 +23,7 @@ ms.date: 12/08/2017 [!include[Prerelease information](prerelease.md)] -Get a URI that allows downloading of an [investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md). +Get a URI that allows downloading of an [investigation package](collect-investigation-package.md). ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md index 6fe62b0834..69018dc935 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md @@ -58,7 +58,7 @@ Authorization | String | Bearer {token}. **Required**. Empty ## Response -If successful, this method returns 200, Ok response code with a collection of [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities. +If successful, this method returns 200, Ok response code with a collection of [Indicator](ti-indicator.md) entities. >[!Note] > If the Application has 'Ti.ReadWrite.All' permission, it will be exposed to all Indicators. Otherwise, it will be exposed only to the Indicators it created. diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md index ee1b42726f..276869768f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md @@ -47,7 +47,7 @@ Authorization | String | Bearer {token}. **Required**. Empty ## Response -If successful and user exists - 200 OK with [user](user-windows-defender-advanced-threat-protection-new.md) entity in the body. If user does not exist - 404 Not Found. +If successful and user exists - 200 OK with [user](user.md) entity in the body. If user does not exist - 404 Not Found. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md index 9562240757..f4304056b4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md @@ -60,7 +60,7 @@ Authorization | String | Bearer {token}. **Required**. Empty ## Response -If successful and user exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If user does not exist - 404 Not Found. +If successful and user exists - 200 OK with list of [machine](machine.md) entities in the body. If user does not exist - 404 Not Found. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md index a83da49e7f..d8aec274af 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md @@ -67,7 +67,7 @@ IsolationType | String | Type of the isolation. Allowed values are: 'Full' or 'S ## Response -If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body. +If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body. ## Example @@ -109,4 +109,4 @@ Content-type: application/json ``` -To unisolate a machine, see [Release machine from isolation](unisolate-machine-windows-defender-advanced-threat-protection-new.md). +To unisolate a machine, see [Release machine from isolation](unisolate-machine.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md index 624d4c2542..899c910e78 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md @@ -83,7 +83,7 @@ You can manage tags from the Actions button or by selecting a machine from the M ![Image of adding tags on a machine](images/atp-tag-management.png) ## Add machine tags using APIs -For more information, see [Add or remove machine tags API](add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md). +For more information, see [Add or remove machine tags API](add-or-remove-machine-tags.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md index c118700037..c7a7c7bf2b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md @@ -24,29 +24,29 @@ ms.topic: article # Methods Method|Return Type |Description :---|:---|:--- -[List machines](get-machines-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | List set of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the org. -[Get machine](get-machine-by-id-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) | Get a [machine](machine-windows-defender-advanced-threat-protection-new.md) by its identity. -[Get logged on users](get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md) | [user](user-windows-defender-advanced-threat-protection-new.md) collection | Get the set of [User](user-windows-defender-advanced-threat-protection-new.md) that logged on to the [machine](machine-windows-defender-advanced-threat-protection-new.md). -[Get related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | Get the set of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities that were raised on the [machine](machine-windows-defender-advanced-threat-protection-new.md). -[Add or Remove machine tags](add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) | Add or Remove tag to a specific machine. -[Find machines by IP](find-machines-by-ip-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | Find machines seen with IP. +[List machines](get-machines.md) | [machine](machine.md) collection | List set of [machine](machine.md) entities in the org. +[Get machine](get-machine-by-id.md) | [machine](machine.md) | Get a [machine](machine.md) by its identity. +[Get logged on users](get-machine-log-on-users.md) | [user](user.md) collection | Get the set of [User](user.md) that logged on to the [machine](machine.md). +[Get related alerts](get-machine-related-alerts.md) | [alert](alerts.md) collection | Get the set of [alert](alerts.md) entities that were raised on the [machine](machine.md). +[Add or Remove machine tags](add-or-remove-machine-tags.md) | [machine](machine.md) | Add or Remove tag to a specific machine. +[Find machines by IP](find-machines-by-ip.md) | [machine](machine.md) collection | Find machines seen with IP. # Properties Property | Type | Description :---|:---|:--- -id | String | [machine](machine-windows-defender-advanced-threat-protection-new.md) identity. -computerDnsName | String | [machine](machine-windows-defender-advanced-threat-protection-new.md) fully qualified name. -firstSeen | DateTimeOffset | First date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by Microsoft Defender ATP. -lastSeen | DateTimeOffset | Last date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by Microsoft Defender ATP. +id | String | [machine](machine.md) identity. +computerDnsName | String | [machine](machine.md) fully qualified name. +firstSeen | DateTimeOffset | First date and time where the [machine](machine.md) was observed by Microsoft Defender ATP. +lastSeen | DateTimeOffset | Last date and time where the [machine](machine.md) was observed by Microsoft Defender ATP. osPlatform | String | OS platform. osVersion | String | OS Version. -lastIpAddress | String | Last IP on local NIC on the [machine](machine-windows-defender-advanced-threat-protection-new.md). -lastExternalIpAddress | String | Last IP through which the [machine](machine-windows-defender-advanced-threat-protection-new.md) accessed the internet. +lastIpAddress | String | Last IP on local NIC on the [machine](machine.md). +lastExternalIpAddress | String | Last IP through which the [machine](machine.md) accessed the internet. agentVersion | String | Version of Microsoft Defender ATP agent. osBuild | Nullable long | OS build number. -healthStatus | Enum | [machine](machine-windows-defender-advanced-threat-protection-new.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication" +healthStatus | Enum | [machine](machine.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication" rbacGroupId | Int | RBAC Group ID. rbacGroupName | String | RBAC Group Name. riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'. -aadDeviceId | Nullable Guid | AAD Device ID (when [machine](machine-windows-defender-advanced-threat-protection-new.md) is Aad Joined). -machineTags | String collection | Set of [machine](machine-windows-defender-advanced-threat-protection-new.md) tags. \ No newline at end of file +aadDeviceId | Nullable Guid | AAD Device ID (when [machine](machine.md) is Aad Joined). +machineTags | String collection | Set of [machine](machine.md) tags. diff --git a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md index 66271b6633..6bf2a9b4b6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md @@ -26,21 +26,21 @@ ms.date: 12/08/2017 Method|Return Type |Description :---|:---|:--- -[List MachineActions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | List [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities. -[Get MachineAction](get-machineaction-object-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Get a single [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entity. -[Collect investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Collect investigation package from a [machine](machine-windows-defender-advanced-threat-protection-new.md). -[Get investigation package SAS URI](get-package-sas-uri-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Get URI for downloading the investigation package. -[Isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Isolate [machine](machine-windows-defender-advanced-threat-protection-new.md) from network. -[Release machine from isolation](unisolate-machine-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Release [machine](machine-windows-defender-advanced-threat-protection-new.md) from Isolation. -[Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Restrict application execution. -[Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Remove application execution restriction. -[Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Run an AV scan using Windows Defender (when applicable). -[Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md)|[Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Offboard [machine](machine-windows-defender-advanced-threat-protection-new.md) from Microsoft Defender ATP. +[List MachineActions](get-machineactions-collection.md) | [Machine Action](machineaction.md) | List [Machine Action](machineaction.md) entities. +[Get MachineAction](get-machineaction-object.md) | [Machine Action](machineaction.md) | Get a single [Machine Action](machineaction.md) entity. +[Collect investigation package](collect-investigation-package.md) | [Machine Action](machineaction.md) | Collect investigation package from a [machine](machine.md). +[Get investigation package SAS URI](get-package-sas-uri.md) | [Machine Action](machineaction.md) | Get URI for downloading the investigation package. +[Isolate machine](isolate-machine.md) | [Machine Action](machineaction.md) | Isolate [machine](machine.md) from network. +[Release machine from isolation](unisolate-machine.md) | [Machine Action](machineaction.md) | Release [machine](machine.md) from Isolation. +[Restrict app execution](restrict-code-execution.md) | [Machine Action](machineaction.md) | Restrict application execution. +[Remove app restriction](unrestrict-code-execution.md) | [Machine Action](machineaction.md) | Remove application execution restriction. +[Run antivirus scan](run-av-scan.md) | [Machine Action](machineaction.md) | Run an AV scan using Windows Defender (when applicable). +[Offboard machine](offboard-machine-api.md)|[Machine Action](machineaction.md) | Offboard [machine](machine.md) from Microsoft Defender ATP. # Properties Property | Type | Description :---|:---|:--- -id | Guid | Identity of the [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entity. +id | Guid | Identity of the [Machine Action](machineaction.md) entity. type | Enum | Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution" and "UnrestrictCodeExecution" requestor | String | Identity of the person that executed the action. requestorComment | String | Comment that was written when issuing the action. diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md index 738b4d31ee..89ba1d35f3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md @@ -59,7 +59,7 @@ Parameter | Type | Description Comment | String | Comment to associate with the action. **Required**. ## Response -If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body. +If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md index cbeeeeb7ef..a9b58bd743 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md +++ b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md @@ -28,7 +28,7 @@ ms.date: 12/08/2017 > Currently this API is supported only for AppOnly context requests. (See [Get access with application context](exposed-apis-create-app-webapp.md) for more information) -- Submits or Updates new [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. +- Submits or Updates new [Indicator](ti-indicator.md) entity. ## Permissions @@ -60,7 +60,7 @@ In the request body, supply a JSON object with the following parameters: Parameter | Type | Description :---|:---|:--- -indicatorValue | String | Identity of the [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. **Required** +indicatorValue | String | Identity of the [Indicator](ti-indicator.md) entity. **Required** indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required** action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required** title | String | Indicator alert title. **Optional** @@ -71,7 +71,7 @@ recommendedActions | String | TI indicator alert recommended actions. **Optional ## Response -- If successful, this method returns 200 - OK response code and the created / updated [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity in the response body. +- If successful, this method returns 200 - OK response code and the created / updated [Indicator](ti-indicator.md) entity in the response body. - If not successful: this method return 400 - Bad Request / 409 - Conflict with the failure reason. Bad request usually indicates incorrect body and Conflict can happen if you try to submit an Indicator that conflicts with an existing Indicator type or Action. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md index 6443996f08..be5f7fdb33 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md @@ -60,7 +60,7 @@ Parameter | Type | Description Comment | String | Comment to associate with the action. **Required**. ## Response -If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body. +If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body. ## Example @@ -101,5 +101,5 @@ Content-type: application/json ``` -To remove code execution restriction from a machine, see [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md). +To remove code execution restriction from a machine, see [Remove app restriction](unrestrict-code-execution.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md index 9fde8c8592..c6f058274c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md +++ b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md @@ -62,7 +62,7 @@ Comment | String | Comment to associate with the action. **Required**. Sha1 | String | Sha1 of the file to stop and quarantine on the machine. **Required**. ## Response -If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body. +If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md index 944fdf6c3c..7c15c26dd6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md @@ -24,16 +24,16 @@ ms.topic: article Method|Return Type |Description :---|:---|:--- -[List Indicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) | [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) Collection | List [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities. -[Submit Indicator](post-ti-indicator-windows-defender-advanced-threat-protection-new.md) | [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Submits [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. -[Delete Indicator](delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) | No Content | Deletes [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. +[List Indicators](get-ti-indicators-collection.md) | [Indicator](ti-indicator.md) Collection | List [Indicator](ti-indicator.md) entities. +[Submit Indicator](post-ti-indicator.md) | [Indicator](ti-indicator.md) | Submits [Indicator](ti-indicator.md) entity. +[Delete Indicator](delete-ti-indicator-by-id.md) | No Content | Deletes [Indicator](ti-indicator.md) entity. - See the corresponding [page](https://securitycenter.windows.com/preferences2/custom_ti_indicators/files) in the portal: # Properties Property | Type | Description :---|:---|:--- -indicatorValue | String | Identity of the [Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. +indicatorValue | String | Identity of the [Indicator](ti-indicator.md) entity. indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url" title | String | Indicator alert title. creationTimeDateTimeUtc | DateTimeOffset | The date and time when the indicator was created. diff --git a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md index c1bfd3a410..51d270d828 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md @@ -61,7 +61,7 @@ Parameter | Type | Description Comment | String | Comment to associate with the action. **Required**. ## Response -If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body. +If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body. ## Example @@ -105,5 +105,5 @@ Content-type: application/json ``` -To isolate a machine, see [Isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md). +To isolate a machine, see [Isolate machine](isolate-machine.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md index 9680a57aec..3df0690019 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md @@ -59,7 +59,7 @@ Parameter | Type | Description Comment | String | Comment to associate with the action. **Required**. ## Response -If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body. +If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body. ## Example @@ -101,4 +101,4 @@ Content-type: application/json ``` -To restrict code execution on a machine, see [Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection-new.md). \ No newline at end of file +To restrict code execution on a machine, see [Restrict app execution](restrict-code-execution.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md index 9752745d78..1a81370b13 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md +++ b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md @@ -64,7 +64,7 @@ determination | String | Specifies the determination of the alert. The property ## Response -If successful, this method returns 200 OK, and the [alert](alerts-windows-defender-advanced-threat-protection-new.md) entity in the response body with the updated properties. If alert with the specified id was not found - 404 Not Found. +If successful, this method returns 200 OK, and the [alert](alerts.md) entity in the response body with the updated properties. If alert with the specified id was not found - 404 Not Found. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/use-apis.md b/windows/security/threat-protection/microsoft-defender-atp/use-apis.md index a152053d8d..5f3f6b0f0a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/use-apis.md +++ b/windows/security/threat-protection/microsoft-defender-atp/use-apis.md @@ -27,5 +27,5 @@ ms.date: 11/28/2018 Topic | Description :---|:--- [Microsoft Defender ATP API overview](apis-intro.md) | Learn how to access to Microsoft Defender ATP Public API and on which context. -[Supported Microsoft Defender ATP APIs](exposed-apis-list.md) | Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses. Examples include APIs for [alert resource type](alerts-windows-defender-advanced-threat-protection-new.md), [domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md), or even actions such as [isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md). +[Supported Microsoft Defender ATP APIs](exposed-apis-list.md) | Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses. Examples include APIs for [alert resource type](alerts.md), [domain related alerts](get-domain-related-alerts.md), or even actions such as [isolate machine](isolate-machine.md). How to use APIs - Samples | Learn how to use Advanced hunting APIs and multiple APIs such as PowerShell. Other examples include [schedule advanced hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md) or [OData queries](exposed-apis-odata-samples.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/user.md b/windows/security/threat-protection/microsoft-defender-atp/user.md index 12ad0a75b8..3f001924f1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/user.md +++ b/windows/security/threat-protection/microsoft-defender-atp/user.md @@ -21,7 +21,7 @@ ms.date: 12/08/2017 Method|Return Type |Description :---|:---|:--- -[List User related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | List all the alerts that are associated with a [user](user-windows-defender-advanced-threat-protection-new.md). -[List User related machines](get-user-related-machines-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | List all the machines that were logged on by a [user](user-windows-defender-advanced-threat-protection-new.md). +[List User related alerts](get-user-related-alerts.md) | [alert](alerts.md) collection | List all the alerts that are associated with a [user](user.md). +[List User related machines](get-user-related-machines.md) | [machine](machine.md) collection | List all the machines that were logged on by a [user](user.md). From 83e0716c221c998fdbd189e1e5ecd01129717cf7 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 15:54:47 -0700 Subject: [PATCH 128/492] fix broken link --- .../threat-protection/microsoft-defender-atp/alerts-queue.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md index fbe92937d8..f2aaa2d6aa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md @@ -90,7 +90,7 @@ Limit the alerts queue view by selecting the OS platform that you're interested If you have specific machine groups that you're interested in checking the alerts on, you can select the groups to limit the alerts queue view to display just those machine groups. ### Associated threat -Use this filter to focus on alerts that are related to high profile threats. You can see the full list of high-profile threats in [Threat analytics](threat-analytics-dashboard.md). +Use this filter to focus on alerts that are related to high profile threats. You can see the full list of high-profile threats in [Threat analytics](threat-analytics.md). ## Related topics From 7330fb3e0f9f74669f473e5302b9fe228b65587a Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 15:57:08 -0700 Subject: [PATCH 129/492] fix file name typo unhealhty to unhealthy --- .../threat-protection/microsoft-defender-atp/TOC.md | 6 +++--- .../microsoft-defender-atp/check-sensor-status.md | 2 +- ...x-unhealhty-sensors.md => fix-unhealthy-sensors.md} | 0 .../microsoft-defender-atp/machines-view-overview.md | 2 +- .../microsoft-defender-atp/secure-score-dashboard.md | 10 +++++----- 5 files changed, 10 insertions(+), 10 deletions(-) rename windows/security/threat-protection/microsoft-defender-atp/{fix-unhealhty-sensors.md => fix-unhealthy-sensors.md} (100%) diff --git a/windows/security/threat-protection/microsoft-defender-atp/TOC.md b/windows/security/threat-protection/microsoft-defender-atp/TOC.md index 297f7f6173..0a5682ebc9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/TOC.md +++ b/windows/security/threat-protection/microsoft-defender-atp/TOC.md @@ -392,9 +392,9 @@ ## [Troubleshoot Microsoft Defender ATP](troubleshoot-overview.md) ###Troubleshoot sensor state #### [Check sensor state](check-sensor-status.md) -#### [Fix unhealthy sensors](fix-unhealhty-sensors.md) -#### [Inactive machines](fix-unhealhty-sensors.md#inactive-machines) -#### [Misconfigured machines](fix-unhealhty-sensors.md#misconfigured-machines) +#### [Fix unhealthy sensors](fix-unhealthy-sensors.md) +#### [Inactive machines](fix-unhealthy-sensors.md#inactive-machines) +#### [Misconfigured machines](fix-unhealthy-sensors.md#misconfigured-machines) #### [Review sensor events and errors on machines with Event Viewer](event-error-codes.md) ### [Troubleshoot Microsoft Defender ATP service issues](troubleshoot.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md index 4e675729c2..d5c18cff52 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md +++ b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md @@ -57,4 +57,4 @@ In the **Machines list**, you can download a full list of all the machines in yo >Export the list in CSV format to display the unfiltered data. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on how large your organization is. ## Related topic -- [Fix unhealthy sensors in Microsoft Defender ATP](fix-unhealhty-sensors.md) +- [Fix unhealthy sensors in Microsoft Defender ATP](fix-unhealthy-sensors.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealhty-sensors.md b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/fix-unhealhty-sensors.md rename to windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md index 657eac1d96..79720ee3a3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md @@ -74,7 +74,7 @@ Filter the list to view specific machines grouped together by the following mach - No sensor data - Impaired communications - For more information on how to address issues on misconfigured machines see, [Fix unhealthy sensors](fix-unhealhty-sensors.md). + For more information on how to address issues on misconfigured machines see, [Fix unhealthy sensors](fix-unhealthy-sensors.md). - **Inactive** – Machines that have completely stopped sending signals for more than 7 days. diff --git a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md index 61f17b701f..ebf3512bf7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md @@ -40,7 +40,7 @@ You can take the following actions to increase the overall security score of you - Fix sensor data collection - Fix impaired communications -For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors.md). +For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). ### Windows Defender Antivirus (Windows Defender AV) optimization For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender AV is fulfilled. @@ -82,7 +82,7 @@ This tile shows you the exact number of machines that require the latest securit You can take the following actions to increase the overall security score of your organization: - Install the latest security updates - Fix sensor data collection - - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors.md). + - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/help/4027322/windows-windows-update-troubleshooter). @@ -229,7 +229,7 @@ You can take the following actions to increase the overall security score of you - Secure public profile - Verify secure configuration of third-party firewall - Fix sensor data collection - - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors.md). + - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). For more information, see [Windows Defender Firewall with Advanced Security](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security). @@ -251,7 +251,7 @@ You can take the following actions to increase the overall security score of you - Resume protection on all drives - Ensure drive compatibility - Fix sensor data collection - - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors.md). + - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). For more information, see [Bitlocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview). @@ -274,7 +274,7 @@ You can take the following actions to increase the overall security score of you - Ensure hardware and software prerequisites are met - Turn on Credential Guard - Fix sensor data collection - - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors.md). + - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). For more information, see [Manage Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage). From fa3be69c2ea5de103ac17c14e2a2269dee9353fb Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 16:00:21 -0700 Subject: [PATCH 130/492] fix anchor links --- .../microsoft-defender-atp/configure-proxy-internet.md | 4 ++-- .../microsoft-defender-atp/fix-unhealthy-sensors.md | 4 ++-- .../microsoft-defender-atp/troubleshoot-onboarding.md | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index 46c3f745a8..07cedb408e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -38,7 +38,7 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe - Web Proxy Auto-discovery Protocol (WPAD) > [!NOTE] -> If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server). +> If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). - Manual static proxy configuration: @@ -163,7 +163,7 @@ The tool checks the connectivity of Microsoft Defender ATP service URLs that Mic If at least one of the connectivity options returns a (200) status, then the Microsoft Defender ATP client can communicate with the tested URL properly using this connectivity method.

-However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure. +However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure. > [!NOTE] > When the TelemetryProxyServer is set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct if it can't access the defined proxy. diff --git a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md index 5c2458d459..d874f34507 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md +++ b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md @@ -64,7 +64,7 @@ The following suggested actions can help fix issues related to a misconfigured m - [Ensure the machine has Internet connection](troubleshoot-onboarding.md#troubleshoot-onboarding-issues-on-the-machine)
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service. -- [Verify client connectivity to Microsoft Defender ATP service URLs](configure-proxy-internet.md#verify-client-connectivity-to-windows-defender-atp-service-urls)
+- [Verify client connectivity to Microsoft Defender ATP service URLs](configure-proxy-internet.md#verify-client-connectivity-to-microsoft-defender-atp-service-urls)
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs. If you took corrective actions and the machine status is still misconfigured, [open a support ticket](https://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409). @@ -76,7 +76,7 @@ Follow theses actions to correct known issues related to a misconfigured machine - [Ensure the machine has Internet connection](troubleshoot-onboarding.md#troubleshoot-onboarding-issues-on-the-machine)
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service. -- [Verify client connectivity to Microsoft Defender ATP service URLs](configure-proxy-internet.md#verify-client-connectivity-to-windows-defender-atp-service-urls)
+- [Verify client connectivity to Microsoft Defender ATP service URLs](configure-proxy-internet.md#verify-client-connectivity-to-microsoft-defender-atp-service-urls)
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs. - [Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-the-diagnostics-service-is-enabled)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md index b46b9c95ac..69c3b620ca 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md @@ -238,7 +238,7 @@ The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to repo WinHTTP is independent of the Internet browsing proxy settings and other user context applications and must be able to detect the proxy servers that are available in your particular environment. -To ensure that sensor has service connectivity, follow the steps described in the [Verify client connectivity to Microsoft Defender ATP service URLs](configure-proxy-internet.md#verify-client-connectivity-to-windows-defender-atp-service-urls) topic. +To ensure that sensor has service connectivity, follow the steps described in the [Verify client connectivity to Microsoft Defender ATP service URLs](configure-proxy-internet.md#verify-client-connectivity-to-microsoft-defender-atp-service-urls) topic. If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet.md) topic. From d33361fe9b7259bf758294bc45ed08691227c41d Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Wed, 10 Apr 2019 16:03:15 -0700 Subject: [PATCH 131/492] redirects --- .openpublishing.redirection.json | 57 +++++++++++++++++-- .../microsoft-defender-atp/TOC.md | 6 +- ...ty-sensors.md => fix-unhealthy-sensors.md} | 0 3 files changed, 54 insertions(+), 9 deletions(-) rename windows/security/threat-protection/microsoft-defender-atp/{fix-unhealhty-sensors.md => fix-unhealthy-sensors.md} (100%) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 9f59abb6d7..7b46d8e423 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1101,13 +1101,13 @@ "redirect_document_id": true }, { -"source_path": "windows/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection", +"source_path": "windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { -"source_path": "windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection", +"source_path": "windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration", "redirect_document_id": true }, { @@ -1116,18 +1116,28 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/event-error-codes", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/experiment-custom-ti", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { -"source_path": "windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection", +"source_path": "windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/fix-unhealthy-sensors", "redirect_document_id": true }, { @@ -1136,36 +1146,71 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/investigate-domain", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/investigate-files", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/investigate-ip", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/investigate-machines", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/investigate-user", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/licensing", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection", "redirect_document_id": true diff --git a/windows/security/threat-protection/microsoft-defender-atp/TOC.md b/windows/security/threat-protection/microsoft-defender-atp/TOC.md index 297f7f6173..0a5682ebc9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/TOC.md +++ b/windows/security/threat-protection/microsoft-defender-atp/TOC.md @@ -392,9 +392,9 @@ ## [Troubleshoot Microsoft Defender ATP](troubleshoot-overview.md) ###Troubleshoot sensor state #### [Check sensor state](check-sensor-status.md) -#### [Fix unhealthy sensors](fix-unhealhty-sensors.md) -#### [Inactive machines](fix-unhealhty-sensors.md#inactive-machines) -#### [Misconfigured machines](fix-unhealhty-sensors.md#misconfigured-machines) +#### [Fix unhealthy sensors](fix-unhealthy-sensors.md) +#### [Inactive machines](fix-unhealthy-sensors.md#inactive-machines) +#### [Misconfigured machines](fix-unhealthy-sensors.md#misconfigured-machines) #### [Review sensor events and errors on machines with Event Viewer](event-error-codes.md) ### [Troubleshoot Microsoft Defender ATP service issues](troubleshoot.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealhty-sensors.md b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/fix-unhealhty-sensors.md rename to windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md From e4003c516e9d1bdf45757da7fa3b4473e0a429a2 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 16:03:17 -0700 Subject: [PATCH 132/492] threat-analytics-dashboard filename --- .../security/threat-protection/microsoft-defender-atp/TOC.md | 2 +- .../threat-protection/microsoft-defender-atp/alerts-queue.md | 2 +- .../{threat-analytics.md => threat-analytics-dashboard.md} | 0 3 files changed, 2 insertions(+), 2 deletions(-) rename windows/security/threat-protection/microsoft-defender-atp/{threat-analytics.md => threat-analytics-dashboard.md} (100%) diff --git a/windows/security/threat-protection/microsoft-defender-atp/TOC.md b/windows/security/threat-protection/microsoft-defender-atp/TOC.md index 0a5682ebc9..3c6dda9da7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/TOC.md +++ b/windows/security/threat-protection/microsoft-defender-atp/TOC.md @@ -70,7 +70,7 @@ ### [Secure score](overview-secure-score.md) -### [Threat analytics](threat-analytics.md) +### [Threat analytics](threat-analytics-dashboard.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md index f2aaa2d6aa..fbe92937d8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md @@ -90,7 +90,7 @@ Limit the alerts queue view by selecting the OS platform that you're interested If you have specific machine groups that you're interested in checking the alerts on, you can select the groups to limit the alerts queue view to display just those machine groups. ### Associated threat -Use this filter to focus on alerts that are related to high profile threats. You can see the full list of high-profile threats in [Threat analytics](threat-analytics.md). +Use this filter to focus on alerts that are related to high profile threats. You can see the full list of high-profile threats in [Threat analytics](threat-analytics-dashboard.md). ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics-dashboard.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md rename to windows/security/threat-protection/microsoft-defender-atp/threat-analytics-dashboard.md From cded9b9c19b8b743a1026539e52b847858c23a51 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 16:04:22 -0700 Subject: [PATCH 133/492] ta --- .../security/threat-protection/microsoft-defender-atp/TOC.md | 2 +- .../threat-protection/microsoft-defender-atp/alerts-queue.md | 2 +- .../microsoft-defender-atp/overview-secure-score.md | 4 ++-- .../microsoft-defender-atp/portal-overview.md | 2 +- .../microsoft-defender-atp/security-operations-dashboard.md | 2 +- .../microsoft-defender-atp/threat-analytics-dashboard.md | 2 +- .../security/threat-protection/microsoft-defender-atp/use.md | 2 +- 7 files changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/TOC.md b/windows/security/threat-protection/microsoft-defender-atp/TOC.md index 3c6dda9da7..0a5682ebc9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/TOC.md +++ b/windows/security/threat-protection/microsoft-defender-atp/TOC.md @@ -70,7 +70,7 @@ ### [Secure score](overview-secure-score.md) -### [Threat analytics](threat-analytics-dashboard.md) +### [Threat analytics](threat-analytics.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md index fbe92937d8..f2aaa2d6aa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md @@ -90,7 +90,7 @@ Limit the alerts queue view by selecting the OS platform that you're interested If you have specific machine groups that you're interested in checking the alerts on, you can select the groups to limit the alerts queue view to display just those machine groups. ### Associated threat -Use this filter to focus on alerts that are related to high profile threats. You can see the full list of high-profile threats in [Threat analytics](threat-analytics-dashboard.md). +Use this filter to focus on alerts that are related to high profile threats. You can see the full list of high-profile threats in [Threat analytics](threat-analytics.md). ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md index ec0b0550d8..7aad2ad004 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md @@ -78,5 +78,5 @@ Within the tile, you can click on each control to see the recommended optimizati Clicking the link under the Misconfigured machines column opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice. ## Related topic -- [Threat analytics](threat-analytics-dashboard.md) -- [Threat analytics for Spectre and Meltdown](threat-analytics-dashboard.md) +- [Threat analytics](threat-analytics.md) +- [Threat analytics for Spectre and Meltdown](threat-analytics.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md index 349f685730..07ac3f1831 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md @@ -114,4 +114,4 @@ Icon | Description - [Understand the Microsoft Defender Advanced Threat Protection portal](use.md) - [View the Security operations dashboard](security-operations-dashboard.md) - [View the Secure Score dashboard and improve your secure score](secure-score-dashboard.md) -- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard.md) \ No newline at end of file +- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md index ee063018af..9d6eced4c4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md @@ -130,5 +130,5 @@ This tile shows audit events based on detections from various security component - [Understand the Microsoft Defender Advanced Threat Protection portal](use.md) - [Portal overview](portal-overview.md) - [View the Secure Score dashboard and improve your secure score](secure-score-dashboard.md) -- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard.md) +- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics-dashboard.md index f4b1020dc3..c4b5ae9d96 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics-dashboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics-dashboard.md @@ -65,5 +65,5 @@ The **Mitigation status** and **Mitigation status over time** shows the endpoint ## Related topics -- [Threat analytics for Spectre and Meltdown](threat-analytics-dashboard.md) +- [Threat analytics for Spectre and Meltdown](threat-analytics.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/use.md b/windows/security/threat-protection/microsoft-defender-atp/use.md index df066b9b7e..501f6f9019 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/use.md +++ b/windows/security/threat-protection/microsoft-defender-atp/use.md @@ -42,6 +42,6 @@ Topic | Description [Portal overview](portal-overview.md) | Understand the portal layout and area descriptions. [View the Security operations dashboard](security-operations-dashboard.md) | The Microsoft Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the machines on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines. [View the Secure Score dashboard and improve your secure score](secure-score-dashboard.md) | The **Secure Score dashboard** expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. -[View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard.md) | The **Threat analytics** dashboard helps you continually assess and control risk exposure to Spectre and Meltdown. Use the charts to quickly identify machines for the presence or absence of mitigations. +[View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md) | The **Threat analytics** dashboard helps you continually assess and control risk exposure to Spectre and Meltdown. Use the charts to quickly identify machines for the presence or absence of mitigations. From 554538ed0198797c6435eb5675953ecf09b7188e Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 16:05:01 -0700 Subject: [PATCH 134/492] file name --- .../{threat-analytics-dashboard.md => threat-analytics.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename windows/security/threat-protection/microsoft-defender-atp/{threat-analytics-dashboard.md => threat-analytics.md} (100%) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/threat-analytics-dashboard.md rename to windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md From a7ccceaaf30ac88f326c4f5818ccf165ff5e2514 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 16:08:43 -0700 Subject: [PATCH 135/492] troubleshoot file name --- .../microsoft-defender-advanced-threat-protection.md | 2 +- .../{troubleshoot.md => troubleshoot-mdatp.md} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename windows/security/threat-protection/microsoft-defender-atp/{troubleshoot.md => troubleshoot-mdatp.md} (100%) diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md index 8efb9d7b22..d9cd1f742a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md @@ -123,7 +123,7 @@ Topic | Description [Overview](overview.md) | Understand the concepts behind the capabilities in Microsoft Defender ATP so you take full advantage of the complete threat protection platform. [Get started](get-started.md) | Learn about the requirements of the platform and the initial steps you need to take to get started with Microsoft Defender ATP. [Configure and manage capabilities](onboard.md)| Configure and manage the individual capabilities in Microsoft Defender ATP. -[Troubleshoot Microsoft Defender ATP](troubleshoot-wdatp.md) | Learn how to address issues that you might encounter while using the platform. +[Troubleshoot Microsoft Defender ATP](troubleshoot-mdatp.md) | Learn how to address issues that you might encounter while using the platform. ## Related topic [Microsoft Defender ATP helps detect sophisticated threats](https://www.microsoft.com/itshowcase/Article/Content/854/Windows-Defender-ATP-helps-detect-sophisticated-threats) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/troubleshoot.md rename to windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md From c3fc41a124a8b9c2bb8eadac0df46004ad483b0b Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 16:12:18 -0700 Subject: [PATCH 136/492] update overview topic --- .../overview-of-threat-mitigations-in-windows-10.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index bb4bb74070..c3738fd5f6 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -103,7 +103,7 @@ Windows Defender Antivirus in Windows 10 uses a multi-pronged approach to improv For more information, see [Windows Defender in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) and [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server). -For information about Windows Defender Advanced Threat Protection, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Windows Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) (resources) and [Windows Defender Advanced Threat Protection (ATP)](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-advanced-threat-protection) (documentation). +For information about Microsoft Defender Advanced Threat Protection, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Microsoft Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) (resources) and [Microsoft Defender Advanced Threat Protection (ATP)](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) (documentation). ### Data Execution Prevention @@ -442,13 +442,13 @@ Examples: #### EMET-related products -Microsoft Consulting Services (MCS) and Microsoft Support/Premier Field Engineering (PFE) offer a range of options for EMET, support for EMET, and EMET-related reporting and auditing products such as the EMET Enterprise Reporting Service (ERS). For any enterprise customers who use such products today or who are interested in similar capabilities, we recommend evaluating [Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md) (ATP). +Microsoft Consulting Services (MCS) and Microsoft Support/Premier Field Engineering (PFE) offer a range of options for EMET, support for EMET, and EMET-related reporting and auditing products such as the EMET Enterprise Reporting Service (ERS). For any enterprise customers who use such products today or who are interested in similar capabilities, we recommend evaluating [Microsoft Defender Advanced Threat Protection](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) (ATP). ## Related topics - [Security and Assurance in Windows Server 2016](https://technet.microsoft.com/windows-server-docs/security/security-and-assurance) -- [Windows Defender Advanced Threat Protection (ATP) - resources](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) -- [Windows Defender Advanced Threat Protection (ATP) - documentation](windows-defender-atp/windows-defender-advanced-threat-protection.md) +- [Microsoft Defender Advanced Threat Protection (ATP) - resources](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) +- [Microsoft Defender Advanced Threat Protection (ATP) - documentation](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) - [Exchange Online Advanced Threat Protection Service Description](https://technet.microsoft.com/library/exchange-online-advanced-threat-protection-service-description.aspx) - [Office 365 Advanced Threat Protection](https://products.office.com/en-us/exchange/online-email-threat-protection) - [Microsoft Malware Protection Center](https://www.microsoft.com/en-us/security/portal/mmpc/default.aspx) From eab433bf3c27688c26c95404fe0676e6a8884386 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 16:20:27 -0700 Subject: [PATCH 137/492] update url --- ...curity-center-atp.md => windows-defender-security-center.md} | 1 - .../overview-of-threat-mitigations-in-windows-10.md | 2 +- .../windows-defender-antivirus-compatibility.md | 2 +- 3 files changed, 2 insertions(+), 3 deletions(-) rename windows/security/threat-protection/microsoft-defender-atp/{windows-defender-security-center-atp.md => windows-defender-security-center.md} (99%) diff --git a/windows/security/threat-protection/microsoft-defender-atp/windows-defender-security-center-atp.md b/windows/security/threat-protection/microsoft-defender-atp/windows-defender-security-center.md similarity index 99% rename from windows/security/threat-protection/microsoft-defender-atp/windows-defender-security-center-atp.md rename to windows/security/threat-protection/microsoft-defender-atp/windows-defender-security-center.md index 89b74b62a0..7c7ef2d01e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/windows-defender-security-center-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/windows-defender-security-center.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 07/01/2018 --- # Microsoft Defender Security Center diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index c3738fd5f6..12f446cb26 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -448,7 +448,7 @@ Microsoft Consulting Services (MCS) and Microsoft Support/Premier Field Engineer - [Security and Assurance in Windows Server 2016](https://technet.microsoft.com/windows-server-docs/security/security-and-assurance) - [Microsoft Defender Advanced Threat Protection (ATP) - resources](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) -- [Microsoft Defender Advanced Threat Protection (ATP) - documentation](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) +- [Microsoft Defender Advanced Threat Protection (ATP) - documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) - [Exchange Online Advanced Threat Protection Service Description](https://technet.microsoft.com/library/exchange-online-advanced-threat-protection-service-description.aspx) - [Office 365 Advanced Threat Protection](https://products.office.com/en-us/exchange/online-email-threat-protection) - [Microsoft Malware Protection Center](https://www.microsoft.com/en-us/security/portal/mmpc/default.aspx) diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index 34ee455d8a..4b8cc048a4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md @@ -63,7 +63,7 @@ Passive mode | Windows Defender AV will not be used as the antivirus app, and th Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks. +If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender AV service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks. Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats, Windows Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender AV engine to periodically check for threats in addition to your main antivirus app. From 440345de4d1bcfffeee6fe44a21f042152cb1893 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 16:24:04 -0700 Subject: [PATCH 138/492] fix eg file names --- .../attack-surface-reduction-exploit-guard.md | 2 +- ...k-surface-reduction-rules-in-windows-10-enterprise-e3.md | 2 +- .../audit-windows-defender-exploit-guard.md | 2 +- .../controlled-folders-exploit-guard.md | 6 +++--- .../emet-exploit-protection-exploit-guard.md | 2 +- .../event-views-exploit-guard.md | 2 +- .../exploit-protection-exploit-guard.md | 4 ++-- .../network-protection-exploit-guard.md | 6 +++--- .../windows-defender-exploit-guard/troubleshoot-asr.md | 2 +- .../windows-defender-exploit-guard/troubleshoot-np.md | 2 +- .../windows-defender-exploit-guard.md | 2 +- 11 files changed, 16 insertions(+), 16 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 51b3340555..93cfaddf25 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -22,7 +22,7 @@ ms.date: 04/02/2019 Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1709 or later, Windows Server 2016 1803 or later, or Windows Server 2019. -To use attack surface reduction rules, you need a Windows 10 Enterprise E3 license or higher. A Windows E5 license gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. +To use attack surface reduction rules, you need a Windows 10 Enterprise E3 license or higher. A Windows E5 license gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including: diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md index 9b29796bee..60bdf42183 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md @@ -20,7 +20,7 @@ ms.date: 10/15/2018 - Windows 10 Enterprise E3 -Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature area includes the rules, monitoring, reporting, and analytics necessary for deployment that are included in [Microsoft Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), and require the Windows 10 Enterprise E5 license. +Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature area includes the rules, monitoring, reporting, and analytics necessary for deployment that are included in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), and require the Windows 10 Enterprise E5 license. A limited subset of basic attack surface reduction rules can technically be used with Windows 10 Enterprise E3. They can be used without the benefits of reporting, monitoring, and analytics, which provide the ease of deployment and management capabilities necessary for enterprises. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md index 672ab8575a..0bc78c8573 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md @@ -27,7 +27,7 @@ You might want to do this when testing how the features will work in your organi While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled. -You can use Microsoft Defender Advanced Threat Protection to get greater deatils for each event, especially for investigating attack surface reduction rules. Using the Microsoft Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +You can use Microsoft Defender Advanced Threat Protection to get greater deatils for each event, especially for investigating attack surface reduction rules. Using the Microsoft Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md index c137f791e5..fc8c602805 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md @@ -21,7 +21,7 @@ ms.date: 11/29/2018 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. -Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder. @@ -41,9 +41,9 @@ Controlled folder access requires enabling [Windows Defender Antivirus real-time ## Review controlled folder access events in the Microsoft Defender ATP Security Center -Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. +You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. ## Review controlled folder access events in Windows Event Viewer diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md index bc4ff6e8aa..5a5dc12514 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md @@ -59,7 +59,7 @@ Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.svg)]
Requires use of EMET tool (EMET_CONF) System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]
Not available Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Intune to customize, deploy, and manage configurations](https://docs.microsoft.com/intune/whats-new#window-defender-exploit-guard-is-a-new-set-of-intrusion-prevention-capabilities-for-windows-10----1063615---) | [!include[Check mark no](images/svg/check-no.svg)]
Not available -Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Microsoft Defender Advanced Threat Protection](../windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited Windows event log monitoring +Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/security-analytics-dashboard.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited Windows event log monitoring Audit mode | [!include[Check mark yes](images/svg/check-yes.svg)]
[Full audit mode with Windows event reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
Limited to EAF, EAF+, and anti-ROP mitigations ([1](#ref1)) Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx). diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md index 58ecc61775..13fcbf3167 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md @@ -27,7 +27,7 @@ Reviewing the events is also handy when you are evaluating the features, as you This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events. -You can also get detailed reporting into events and blocks as part of Windows Security, which you access if you have an E5 subscription and use [Microsoft Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). +You can also get detailed reporting into events and blocks as part of Windows Security, which you access if you have an E5 subscription and use [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md). ## Use custom views to review attack surface reduction capabilities diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index 2f26612542..fa1dae1039 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md @@ -27,7 +27,7 @@ It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md >[!TIP] >You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -Exploit protection works best with [Microsoft Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Exploit protection works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). You can [enable exploit protection](enable-exploit-protection.md) on an individual machine, and then use [Group Policy](import-export-exploit-protection-emet-xml.md) to distribute the XML file to multiple devices at once. @@ -102,7 +102,7 @@ Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.svg)]
Requires use of EMET tool (EMET_CONF) System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]
Not available Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Intune to customize, deploy, and manage configurations](https://docs.microsoft.com/intune/whats-new#window-defender-exploit-guard-is-a-new-set-of-intrusion-prevention-capabilities-for-windows-10----1063615---) | [!include[Check mark no](images/svg/check-no.svg)]
Not available -Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Microsoft Defender Advanced Threat Protection](../windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited Windows event log monitoring +Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/security-analytics-dashboard.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited Windows event log monitoring Audit mode | [!include[Check mark yes](images/svg/check-yes.svg)]
[Full audit mode with Windows event reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
Limited to EAF, EAF+, and anti-ROP mitigations ([1](#ref1)) Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx). diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md index e65dcc4777..d259d88575 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md @@ -29,7 +29,7 @@ Network protection is supported on Windows 10, version 1709 and later and Window >[!TIP] >You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -Network protection works best with [Microsoft Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Network protection works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). When network protection blocks a connection, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. @@ -45,9 +45,9 @@ Windows 10 version 1709 or later | [Windows Defender AV real-time protection](.. ## Review network protection events in the Microsoft Defender ATP Security Center -Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled. +You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled. ## Review network protection events in Windows Event Viewer diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md index d1f516eacc..0ffe534d26 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md @@ -76,7 +76,7 @@ To add an exclusion, see [Customize Attack surface reduction](customize-attack-s ## Report a false positive or false negative -Use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md). +Use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../microsoft-defender-atp/alerts-queue.md). ## Collect diagnostic data for file submissions diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md index 40c261016a..3feaedade3 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md @@ -65,7 +65,7 @@ Set-MpPreference -EnableNetworkProtection Enabled ## Report a false positive or false negative -If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md). +If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../microsoft-defender-atp/alerts-queue.md). ## Collect diagnostic data for file submissions diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md index cd2b47c9fe..b6733d5ed0 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md @@ -45,7 +45,7 @@ You can also [enable audit mode](audit-windows-defender-exploit-guard.md) for th Windows Defender EG can be managed and reported on in the Windows Security app as part of the Microsoft Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies. -You can use the Windows Security app to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You can [sign up for a free trial of Microsoft Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works. +You can use the Windows Security app to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). You can [sign up for a free trial of Microsoft Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works. ## Requirements From ffc85728257c22cf40a7f359dae996d36ad89077 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 16:28:44 -0700 Subject: [PATCH 139/492] remove link --- .../microsoft-defender-atp/threat-analytics.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md index c4b5ae9d96..91fc9e3b31 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md @@ -64,6 +64,3 @@ The **Mitigation status** and **Mitigation status over time** shows the endpoint >The Unavailable category indicates that there is no data available from the specific machine yet. -## Related topics -- [Threat analytics for Spectre and Meltdown](threat-analytics.md) - From 02863694656b97cc750a4fb11e16feb4ba1d17d4 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 16:31:06 -0700 Subject: [PATCH 140/492] update toc typo file --- windows/security/threat-protection/TOC.md | 6 +++--- .../threat-protection/microsoft-defender-atp/TOC.md | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index caca71920d..749db9c96b 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -403,9 +403,9 @@ ### [Troubleshoot Windows Defender ATP](microsoft-defender-atp/troubleshoot-overview.md) ####Troubleshoot sensor state ##### [Check sensor state](microsoft-defender-atp/check-sensor-status.md) -##### [Fix unhealthy sensors](microsoft-defender-atp/fix-unhealhty-sensors.md) -##### [Inactive machines](microsoft-defender-atp/fix-unhealhty-sensors.md#inactive-machines) -##### [Misconfigured machines](microsoft-defender-atp/fix-unhealhty-sensors.md#misconfigured-machines) +##### [Fix unhealthy sensors](microsoft-defender-atp/fix-unhealthy-sensors.md) +##### [Inactive machines](microsoft-defender-atp/fix-unhealthy-sensors.md#inactive-machines) +##### [Misconfigured machines](microsoft-defender-atp/fix-unhealthy-sensors.md#misconfigured-machines) ##### [Review sensor events and errors on machines with Event Viewer](microsoft-defender-atp/event-error-codes.md) #### [Troubleshoot Windows Defender ATP service issues](microsoft-defender-atp/troubleshoot.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/TOC.md b/windows/security/threat-protection/microsoft-defender-atp/TOC.md index 0a5682ebc9..69977fe4cc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/TOC.md +++ b/windows/security/threat-protection/microsoft-defender-atp/TOC.md @@ -397,7 +397,7 @@ #### [Misconfigured machines](fix-unhealthy-sensors.md#misconfigured-machines) #### [Review sensor events and errors on machines with Event Viewer](event-error-codes.md) -### [Troubleshoot Microsoft Defender ATP service issues](troubleshoot.md) +### [Troubleshoot Microsoft Defender ATP service issues](troubleshoot-mdatp.md) #### [Check service health](service-status.md) ###Troubleshoot attack surface reduction From f3a2c4e16b5d54a8e78451fee9430e538ad811df Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 16:37:44 -0700 Subject: [PATCH 141/492] fix troubleshoot file name --- windows/security/threat-protection/TOC.md | 2 +- .../microsoft-defender-atp/troubleshoot-onboarding.md | 2 +- .../microsoft-defender-atp/windows-defender-security-center.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 749db9c96b..29c713479e 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -408,7 +408,7 @@ ##### [Misconfigured machines](microsoft-defender-atp/fix-unhealthy-sensors.md#misconfigured-machines) ##### [Review sensor events and errors on machines with Event Viewer](microsoft-defender-atp/event-error-codes.md) -#### [Troubleshoot Windows Defender ATP service issues](microsoft-defender-atp/troubleshoot.md) +#### [Troubleshoot Windows Defender ATP service issues](microsoft-defender-atp/troubleshoot-mdatp.md) ##### [Check service health](microsoft-defender-atp/service-status.md) ####Troubleshoot attack surface reduction diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md index 69c3b620ca..36fe7db04c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md @@ -306,7 +306,7 @@ For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us ## Related topics -- [Troubleshoot Microsoft Defender ATP](troubleshoot.md) +- [Troubleshoot Microsoft Defender ATP](troubleshoot-mdatp.md) - [Onboard machines](onboard-configure.md) - [Configure machine proxy and Internet connectivity settings](configure-proxy-internet.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/windows-defender-security-center.md b/windows/security/threat-protection/microsoft-defender-atp/windows-defender-security-center.md index 7c7ef2d01e..b0ce4f4679 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/windows-defender-security-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/windows-defender-security-center.md @@ -34,5 +34,5 @@ Reporting | Create and build Power BI reports using Microsoft Defender ATP data. Check service health and sensor state | Verify that the service is running and check the sensor state on machines. [Configure Microsoft Defender Security Center settings](preferences-setup.md) | Configure general settings, turn on the preview experience, notifications, and enable other features. [Access the Microsoft Defender ATP Community Center](community.md) | Access the Microsoft Defender ATP Community Center to learn, collaborate, and share experiences about the product. -[Troubleshoot service issues](troubleshoot.md) | This section addresses issues that might arise as you use the Windows Defender Advanced Threat service. +[Troubleshoot service issues](troubleshoot-mdatp.md) | This section addresses issues that might arise as you use the Windows Defender Advanced Threat service. From cfea3c446cfa77fccf6bfa38229a471a713f53d9 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 16:58:57 -0700 Subject: [PATCH 142/492] fix warnings --- ...security-center.md => microsoft-defender-security-center.md} | 0 .../windows-defender-security-center-antivirus.md | 2 +- .../emet-exploit-protection-exploit-guard.md | 2 +- .../exploit-protection-exploit-guard.md | 2 +- 4 files changed, 3 insertions(+), 3 deletions(-) rename windows/security/threat-protection/microsoft-defender-atp/{windows-defender-security-center.md => microsoft-defender-security-center.md} (100%) diff --git a/windows/security/threat-protection/microsoft-defender-atp/windows-defender-security-center.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/windows-defender-security-center.md rename to windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md index 739439af03..b8b4f4cb60 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md @@ -36,7 +36,7 @@ Settings that were previously part of the Windows Defender client and main Windo See the [Windows Security topic](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app. >[!NOTE] ->The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal that is used to review and manage [Microsoft Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). +>The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal that is used to review and manage [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md). **Review virus and threat protection settings in the Windows Security app:** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md index 5a5dc12514..013ea04010 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md @@ -59,7 +59,7 @@ Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.svg)]
Requires use of EMET tool (EMET_CONF) System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]
Not available Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Intune to customize, deploy, and manage configurations](https://docs.microsoft.com/intune/whats-new#window-defender-exploit-guard-is-a-new-set-of-intrusion-prevention-capabilities-for-windows-10----1063615---) | [!include[Check mark no](images/svg/check-no.svg)]
Not available -Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/security-analytics-dashboard.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited Windows event log monitoring +Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/secure-score-dashboard.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited Windows event log monitoring Audit mode | [!include[Check mark yes](images/svg/check-yes.svg)]
[Full audit mode with Windows event reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
Limited to EAF, EAF+, and anti-ROP mitigations ([1](#ref1)) Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx). diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index fa1dae1039..f00aadcdbf 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md @@ -102,7 +102,7 @@ Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.svg)]
Requires use of EMET tool (EMET_CONF) System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]
Not available Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Intune to customize, deploy, and manage configurations](https://docs.microsoft.com/intune/whats-new#window-defender-exploit-guard-is-a-new-set-of-intrusion-prevention-capabilities-for-windows-10----1063615---) | [!include[Check mark no](images/svg/check-no.svg)]
Not available -Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/security-analytics-dashboard.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited Windows event log monitoring +Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/secure-score-dashboard.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited Windows event log monitoring Audit mode | [!include[Check mark yes](images/svg/check-yes.svg)]
[Full audit mode with Windows event reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
Limited to EAF, EAF+, and anti-ROP mitigations ([1](#ref1)) Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx). From f041fcb7884a55fc53e0c73f1a1259a1b7d90754 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 10 Apr 2019 17:08:01 -0700 Subject: [PATCH 143/492] remove link --- .../microsoft-defender-atp/overview-secure-score.md | 2 +- .../security/threat-protection/microsoft-defender-atp/use.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md index 7aad2ad004..dd41c155c3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md @@ -79,4 +79,4 @@ Clicking the link under the Misconfigured machines column opens up the **Machine ## Related topic - [Threat analytics](threat-analytics.md) -- [Threat analytics for Spectre and Meltdown](threat-analytics.md) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/use.md b/windows/security/threat-protection/microsoft-defender-atp/use.md index 501f6f9019..1220885f55 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/use.md +++ b/windows/security/threat-protection/microsoft-defender-atp/use.md @@ -42,6 +42,6 @@ Topic | Description [Portal overview](portal-overview.md) | Understand the portal layout and area descriptions. [View the Security operations dashboard](security-operations-dashboard.md) | The Microsoft Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the machines on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines. [View the Secure Score dashboard and improve your secure score](secure-score-dashboard.md) | The **Secure Score dashboard** expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. -[View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md) | The **Threat analytics** dashboard helps you continually assess and control risk exposure to Spectre and Meltdown. Use the charts to quickly identify machines for the presence or absence of mitigations. +[View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md) | The **Threat analytics** dashboard helps you continually assess and control risk exposure to threats. Use the charts to quickly identify machines for the presence or absence of mitigations. From 1e1cdb1790be67543d928e81af2fa1220d148d82 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 11 Apr 2019 08:13:38 -0700 Subject: [PATCH 144/492] new build 4/11/2019 8:13 AM --- ...basic-level-windows-diagnostic-events-and-fields-1903.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index bd6c4e2161..7cc546dd61 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/10/2019 +ms.date: 04/11/2019 --- @@ -3336,6 +3336,8 @@ The following fields are available: - **COMPID** The device setup class guid of the driver loaded for the device. - **ContainerId** The list of compat ids for the device. - **Description** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer. +- **DeviceDriverFlightId** The test build (Flight) identifier of the device driver. +- **DeviceExtDriversFlightIds** The test build (Flight) identifier for all extended device drivers. - **DeviceInterfaceClasses** The device interfaces that this device implements. - **DeviceState** The device description. - **DriverId** DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 288 (0x120)= device is a wireless device that is present @@ -3345,8 +3347,10 @@ The following fields are available: - **DriverVerVersion** The immediate parent directory name in the Directory field of InventoryDriverPackage. - **Enumerator** The date of the driver loaded for the device. - **ExtendedInfs** The extended INF file names. +- **FirstInstallDate** The first time this device was installed on the machine. - **HWID** The version of the driver loaded for the device. - **Inf** The bus that enumerated the device. +- **InstallDate** The date of the most recent installation of the device on the machine. - **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx - **InventoryVersion** List of hardware ids for the device. - **LowerClassFilters** Lower filter class drivers IDs installed for the device From 5aa38071f3fe3e488d9ee670a4474ac3f3c9689e Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 11 Apr 2019 08:13:47 -0700 Subject: [PATCH 145/492] new build 4/11/2019 8:13 AM --- ...ndows-diagnostic-events-and-fields-1703.md | 4 +- ...ndows-diagnostic-events-and-fields-1709.md | 4 +- ...ndows-diagnostic-events-and-fields-1803.md | 4 +- ...ndows-diagnostic-events-and-fields-1809.md | 456 +++++++++++++----- 4 files changed, 334 insertions(+), 134 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index cc4a260492..bf54d09ae5 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/10/2019 +ms.date: 04/11/2019 --- @@ -3075,7 +3075,7 @@ The following fields are available: - **CV** The Correlation Vector. - **DateTimeDifference** The difference between the local and reference clocks. - **DaysSinceOsInstallation** The number of days since the installation of the Operating System. -- **DiskMbCleaned** The amount of space cleaned on the hard disk, measured in Megabytes. +- **DiskMbCleaned** The amount of space cleaned on the hard disk, measured in megabytes. - **DiskMbFreeAfterCleanup** The amount of free hard disk space after cleanup, measured in Megabytes. - **DiskMbFreeBeforeCleanup** The amount of free hard disk space before cleanup, measured in Megabytes. - **ForcedAppraiserTaskTriggered** TRUE if Appraiser task ran from the plug-in. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index aef6875c51..e82222b6ab 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/10/2019 +ms.date: 04/11/2019 --- @@ -3284,7 +3284,7 @@ The following fields are available: - **CV** The Correlation Vector. - **DateTimeDifference** The difference between the local and reference clocks. - **DaysSinceOsInstallation** The number of days since the installation of the Operating System. -- **DiskMbCleaned** The amount of space cleaned on the hard disk, measured in Megabytes. +- **DiskMbCleaned** The amount of space cleaned on the hard disk, measured in megabytes. - **DiskMbFreeAfterCleanup** The amount of free hard disk space after cleanup, measured in Megabytes. - **DiskMbFreeBeforeCleanup** The amount of free hard disk space before cleanup, measured in Megabytes. - **ForcedAppraiserTaskTriggered** TRUE if Appraiser task ran from the plug-in. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 1b2f1c8932..5339268f09 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/10/2019 +ms.date: 04/11/2019 --- @@ -4386,7 +4386,7 @@ The following fields are available: - **CV** The Correlation Vector. - **DateTimeDifference** The difference between the local and reference clocks. - **DaysSinceOsInstallation** The number of days since the installation of the Operating System. -- **DiskMbCleaned** The amount of space cleaned on the hard disk, measured in Megabytes. +- **DiskMbCleaned** The amount of space cleaned on the hard disk, measured in megabytes. - **DiskMbFreeAfterCleanup** The amount of free hard disk space after cleanup, measured in Megabytes. - **DiskMbFreeBeforeCleanup** The amount of free hard disk space before cleanup, measured in Megabytes. - **ForcedAppraiserTaskTriggered** TRUE if Appraiser task ran from the plug-in. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index a5e90b5538..9c1f8ed87b 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/10/2019 +ms.date: 04/11/2019 --- @@ -550,10 +550,12 @@ The following fields are available: - **AppraiserVersion** The version of the appraiser file that is generating the events. - **AvDisplayName** If the app is an anti-virus app, this is its display name. +- **CompateClasIndex** No content is currently available. - **CompatModelIndex** The compatibility prediction for this file. - **HasCitData** Indicates whether the file is present in CIT data. - **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file. - **IsAv** Is the file an anti-virus reporting EXE? +- **ResolveAd85mpted** No content is currently available. - **ResolveAttempted** This will always be an empty string when sending telemetry. - **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. @@ -589,6 +591,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: - **ActiveNetworkConnection** Indicates whether the device is an active network device. +- **ActiveNetworkCoompction** No content is currently available. - **AppraiserVersion** The version of the appraiser file generating the events. - **CosDeviceRating** An enumeration that indicates if there is a driver on the target operating system. - **CosDeviceSolution** An enumeration that indicates how a driver on the target operating system is available. @@ -2005,6 +2008,7 @@ The following fields are available: - **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. - **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. - **ServiceProductKeyID** Retrieves the License key of the KMS +- **SharedpCMode** No content is currently available. - **SharedPCMode** Returns Boolean for education devices used as shared cart - **Signature** Retrieves if it is a signature machine sold by Microsoft store. - **SLICStatus** Whether a SLIC table exists on the device. @@ -2049,6 +2053,7 @@ The following fields are available: - **Sms** Current state of the text messaging setting. - **SpeechPersonalization** Current state of the speech services setting. - **USB** Current state of the USB setting. +- **UserAccotntInformation** No content is currently available. - **UserAccountInformation** Current state of the account information setting. - **UserDataTasks** Current state of the tasks setting. - **UserNotificationListener** Current state of the notifications setting. @@ -2456,8 +2461,10 @@ Describes the installation state for all hardware and software components availa The following fields are available: +- **** No content is currently available. - **action** The change that was invoked on a device inventory object. - **inventoryId** Device ID used for Compatibility testing +- **objectIn** No content is currently available. - **objectInstanceId** Object identity which is unique within the device scope. - **objectType** Indicates the object type that the event applies to. - **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. @@ -2507,6 +2514,7 @@ This event provides information about the results of installing or uninstalling The following fields are available: +- **`ighestState** No content is currently available. - **capabilities** The names of the optional content packages that were installed. - **clientId** The name of the application requesting the optional content. - **currentID** The ID of the current install session. @@ -2725,6 +2733,7 @@ The following fields are available: - **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. - **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. - **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanPerformDyagnosticEscalations** No content is currently available. - **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. - **CanReportScenarios** True if we can report scenario completions, false otherwise. - **PreviousPermissions** Bitmask of previous telemetry state. @@ -2737,7 +2746,9 @@ This event sends data about the connectivity status of the Connected User Experi The following fields are available: +- **CensõsTaskEnabled** No content is currently available. - **CensusExitCode** Returns last execution codes from census client run. +- **CensusExitCodeoaderCensusStartTime** No content is currently available. - **CensusStartTime** Returns timestamp corresponding to last successful census run. - **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. - **LastConnectivityLossTime** Retrieves the last time the device lost free network. @@ -2752,13 +2763,18 @@ This event sends data about the health and quality of the diagnostic data from t The following fields are available: +- **ꭤ↑롥戅ꔠ촉꤆䳨㢳桜ꀽ㴂颭ྞ䚿ꆁ억ﱎ콧ꓘ먗** No content is currently available. +- **AgentConneCouonErrorsCount** No content is currently available. - **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel. +- **CensõsTaskEnabled** No content is currently available. - **CensusExitCode** The last exit code of the Census task. - **CensusStartTime** Time of last Census run. - **CensusTaskEnabled** True if Census is enabled, false otherwise. - **CompressedBytesUploaded** Number of compressed bytes uploaded. +- **ConsumerDrop0edCount** No content is currently available. - **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. - **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. +- **CriticalDatasbDroppedCount** No content is currently available. - **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling. - **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB. - **DbCriticalDroppedCount** Total number of dropped critical events in event DB. @@ -2767,6 +2783,7 @@ The following fields are available: - **DbDroppedFullCount** Number of events dropped due to DB fullness. - **DecodingDroppedCount** Number of events dropped due to decoding failures. - **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **EnteringCriticalOverflowDrOppedCounter** No content is currently available. - **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. - **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. - **EventsPersistedCount** Number of events that reached the PersistEvent stage. @@ -2780,26 +2797,55 @@ The following fields are available: - **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. - **HeartBeatSequenceNumber** The sequence number of this heartbeat. - **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. +- **LastAgentConneCouonError** No content is currently available. - **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. - **LastEventSizeOffender** Event name of last event which exceeded max event size. - **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. +- **MaxACouveAgentConneCouonCount** No content is currently available. - **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. - **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. +- **ᴗ㜛ﭮ紀⁻嬝藱唬穉聮쁪カ鳄髈** No content is currently available. - **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). - **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. +- **RepeatedUploadFailur$Dropped** No content is currently available. - **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. +- **RepeatedUpѬoadFailureDropped** No content is currently available. +- **sbCriticalDroppedCount** No content is currently available. +- **sbDroppedCount** No content is currently available. +- **sbDroppedFailureCount** No content is currently available. +- **sbDroppedFullCount** No content is currently available. - **SettingsHttpAttempts** Number of attempts to contact OneSettings service. - **SettingsHttpFailures** The number of failures from contacting the OneSettings service. +- **sorBdingDroppedCount** No content is currently available. - **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. +- **ThrottlgdDroppedCount** No content is currently available. - **TopUploaderErrors** List of top errors received from the upload endpoint. +- **TopUploaeerErrors** No content is currently available. - **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. - **UploaderErrorCount** Number of errors received from the upload endpoint. +- **ǔ໦岋ࣉ䫕꧓ꏖ훭늓겲均効座⺽ඕ��嘩璽춒** No content is currently available. - **VortexFailuresTimeout** The number of timeout failures received from Vortex. - **VortexHttpAttempts** Number of attempts to contact Vortex. - **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. - **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. - **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. - **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. +- **ჯ⌷脻㍛䮥肑鍼Ⅵ䄪ꬃ鳃抍⓯钑볨䨎ᖪ먩諢涇͙켦榩偊撏嫄艸** No content is currently available. +- **반쐍⾋ꯈ��玱䁕��龓ⴶ샴賷헖쉺分╅㾚흦დ** No content is currently available. +- **빛䨮哆茠뢶☲偍矉繡귴틐⤺॓酠ꐜ⇫ꈚᑋ勰叙湧ㆧ噟ܝ㸇朤ಳ** No content is currently available. +- **쩤খ䠸퇫秂窇벘货齳��ꕢ顦ᜃⲎ耡��옥䦏��淨㖘⃵┵ᘵ鳝톈如癶첛ᲃ絍** No content is currently available. +- **퓙쏴撑⋇뭟혦꩑戙厀뎓燼㼿渺** No content is currently available. +- **훾電쇔䕅碎霶퍕◲⫒븩ὴ앏艐堗详鲝‶ᜧ** No content is currently available. +- **军伽礋圿萦꒎㲮꿨휒慢䷳橱瘒糜劷墹鎗ꭖ潨ᓔ** No content is currently available. +- **唹켴亰铳ᮍ㭨狣N洹滓ꦲ횴䝃怭픱烰彧魋阭刏⅄ꙹ꯬襖** No content is currently available. +- **櫠䰩遗ᆖᑒ��噊썻ࣆ鮷��㑡Ḯ偬ƚ㣸☂灚Ἇ汆磚䐯槴** No content is currently available. +- **蔇İᏘ࢔谼��ﰊ庸涝芦ᅳ蔭隷嵨̐ꊰ** No content is currently available. +- **裎墴_郐堩��ᴰ뵾핝㳊愨鳘鯡廭顩圧由꽆餢俗䡄ﳻ捳褮ꨞ㵙钫욯홏Ը໤ꖠ䬞悺俽** No content is currently available. +- **趬ᛉ뛀䲮憎** No content is currently available. +- **铽ჟᔛ}䘅��讀랃帷덉侙쩠뙆档玳꼱** No content is currently available. +- **㝫��粆疺⃩��렩榽ႚൾ滑햓ꎢ** No content is currently available. +- **㮆퍈栵ᥳⷣ뤏䳬HttpAttempts** No content is currently available. +- **䱪��໿��雔僽땧觪⊝쵥虚䧁嶟轶** No content is currently available. ### TelClientSynthetic.HeartBeat_Aria_5 @@ -2816,6 +2862,7 @@ The following fields are available: - **DbDroppedFailureCount** Number of events dropped due to database failures. - **DbDroppedFullCount** Number of events dropped due to database being full. - **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **EnteringCriticalOverflowDrOppedCounter** No content is currently available. - **EventsPersistedCount** Number of events that reached the PersistEvent stage. - **EventStoreLifetimeResetCounter** Number of times the event store has been reset. - **EventStoreResetCounter** Number of times the event store has been reset during this heartbeat. @@ -2823,14 +2870,18 @@ The following fields are available: - **EventsUploaded** Number of events uploaded. - **HeartBeatSequenceNumber** The sequence number of this heartbeat. - **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. +- **InvalidHttpCsdeCount** No content is currently available. - **LastEventSizeOffender** Event name of last event which exceeded max event size. - **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. +- **LastInvalidHttpCsde** No content is currently available. - **PreviousHeartBeatTime** The FILETIME of the previous heartbeat fire. - **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. +- **RepeatedUploadFailur$Dropped** No content is currently available. - **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. - **SettingsHttpAttempts** Number of attempts to contact OneSettings service. - **SettingsHttpFailures** Number of failures from contacting OneSettings service. - **TopUploaderErrors** List of top errors received from the upload endpoint. +- **TopUploaeerErrors** No content is currently available. - **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. - **UploaderErrorCount** Number of errors received from the upload endpoint. - **VortexFailuresTimeout** Number of time out failures received from Vortex. @@ -3405,30 +3456,43 @@ The following fields are available: - **AdapterTypeValue** The numeric value indicating the type of Graphics adapter. - **aiSeqId** The event sequence ID. - **bootId** The system boot ID. +- **BraghtnessVersionViaDDI** No content is currently available. - **BrightnessVersionViaDDI** The version of the Display Brightness Interface. +- **BrightnessVersionVyaDDI** No content is currently available. - **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. +- **DedDcatedSystemMemoryB** No content is currently available. +- **DedDcatedVideoMemoryB** No content is currently available. - **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). - **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). - **DisplayAdapterLuid** The display adapter LUID. +- **DisplayAdapTerLuid** No content is currently available. - **DriverDate** The date of the display driver. - **DriverRank** The rank of the display driver. - **DriverVersion** The display driver version. - **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store. +- **DX11EMDFilePath** No content is currently available. - **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store. - **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store. - **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store. +- **FX9UMDFilePath** No content is currently available. +- **GPQPreemptionLevel** No content is currently available. - **GPUDeviceID** The GPU device ID. - **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. - **GPURevisionID** The GPU revision ID. - **GPUVendorID** The GPU vendor ID. +- **I3SoftwareDevice** No content is currently available. - **InterfaceId** The GPU interface ID. +- **InturfaceId** No content is currently available. +- **Is@ybridDiscrete** No content is currently available. - **IsDisplayDevice** Does the GPU have displaying capabilities? - **IsHwSchSupported** Indicates whether the adapter supports hardware scheduling. - **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? - **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? +- **IsHyrridDiscrete** No content is currently available. - **IsLDA** Is the GPU comprised of Linked Display Adapters? - **IsMiracastSupported** Does the GPU support Miracast? - **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor? +- **IsMismaTchLDA** No content is currently available. - **IsMPOSupported** Does the GPU support Multi-Plane Overlays? - **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution? - **IsPostAdapter** Is this GPU the POST GPU in the device? @@ -3443,10 +3507,17 @@ The following fields are available: - **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes). - **SubSystemID** The subsystem ID. - **SubVendorID** The GPU sub vendor ID. +- **Tele}etryEnabled** No content is currently available. - **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? +- **TelInv2YntTrigger** No content is currently available. - **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) +- **TX10UMDFilePath** No content is currently available. - **version** The event version. - **WDDMVersion** The Windows Display Driver Model version. +- **WPUPreemptionLevel** No content is currently available. +- **YsDisplayDevice** No content is currently available. +- **YsLDA** No content is currently available. +- **YsRenderDevice** No content is currently available. ## Failover Clustering events @@ -3532,24 +3603,42 @@ This event sends data about crashes for both native and managed applications, to The following fields are available: +- **.xceptionCode** No content is currently available. +- **.xceptionOffset** No content is currently available. +- **ags** No content is currently available. - **AppName** The name of the app that has crashed. - **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. - **AppTimeStamp** The date/time stamp of the app. - **AppVersion** The version of the app that has crashed. +- **argetAsId** No content is currently available. +- **argetAsppId** No content is currently available. +- **argetAsppVer** No content is currently available. +- **d** No content is currently available. - **ExceptionCode** The exception code returned by the process that has crashed. - **ExceptionOffset** The address where the exception had occurred. - **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. - **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. - **IsFatal** True/False to indicate whether the crash resulted in process termination. +- **Modame** No content is currently available. - **ModName** Exception module name (e.g. bar.dll). - **ModTimeStamp** The date/time stamp of the module. - **ModVersion** The version of the module that has crashed. +- **nCode** No content is currently available. +- **Pack9OeFullName** No content is currently available. +- **Pack9OeRelativeAppId** No content is currently available. +- **PackageFullame** No content is currently available. +- **PackageFullFame** No content is currently available. - **PackageFullName** Store application identity. - **PackageRelativeAppId** Store application identity. +- **ProcessArchite2kure** No content is currently available. - **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. - **ProcessCreateTime** The time of creation of the process that has crashed. - **ProcessId** The ID of the process that has crashed. +- **pSessionGuid** No content is currently available. - **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **RepoztId** No content is currently available. +- **TargetAId** No content is currently available. +- **TargetAppI4StartTime** No content is currently available. - **TargetAppId** The kernel reported AppId of the application being reported. - **TargetAppVer** The specific version of the application being reported - **TargetAsId** The sequence number for the hanging process. @@ -3675,15 +3764,19 @@ The following fields are available: - **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 - **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. - **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array. +- **InstallDatgArpLastModified** No content is currently available. - **InventoryVersion** The version of the inventory file generating the events. - **Language** The language code of the program. - **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. +- **MsiPackageColm** No content is currently available. - **MsiProductCode** A GUID that describe the MSI Product. - **Name** The name of the application. - **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. +- **OSVersionAtInstallTioe** No content is currently available. - **PackageFullName** The package full name for a Store application. - **ProgramInstanceId** A hash of the file IDs in an app. - **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field. +- **RackageFullName** No content is currently available. - **RootDirPath** The path to the root directory where the program was installed. - **Source** How the program was installed (for example, ARP, MSI, Appx). - **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp. @@ -3781,6 +3874,7 @@ The following fields are available: - **ModelId** A unique model ID. - **ModelName** The model name. - **ModelNumber** The model number for the device container. +- **primaryCategory** No content is currently available. - **PrimaryCategory** The primary category for the device container. @@ -3937,7 +4031,9 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: +- **inventoryId** No content is currently available. - **InventoryVersion** The version of the inventory file generating the events. +- **syncId** No content is currently available. ### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync @@ -3996,9 +4092,11 @@ The following fields are available: - **ImageSize** The size of the driver file. - **Inf** The name of the INF file. - **InventoryVersion** The version of the inventory file generating the events. +- **LriverName** No content is currently available. - **Product** The product name that is included in the driver file. - **ProductVersion** The product version that is included in the driver file. - **Service** The name of the service that is installed for the device. +- **TriverSigned** No content is currently available. - **WdfVersion** The Windows Driver Framework version. @@ -4070,12 +4168,19 @@ The following fields are available: This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the beginning of the event download, and that tracing should begin. +The following fields are available: + +- **key** No content is currently available. +- **UniqueKey** No content is currently available. ### Microsoft.Windows.Inventory.Core.StopUtcJsonTrace This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the end of the event download, and that tracing should end. +The following fields are available: + +- **key** No content is currently available. ### Microsoft.Windows.Inventory.General.AppHealthStaticAdd @@ -4516,6 +4621,7 @@ OS information collected during Boot, used to evaluate the success of the upgrad The following fields are available: +- **BootApplicatio~Id** No content is currently available. - **BootApplicationId** This field tells us what the OS Loader Application Identifier is. - **BootAttemptCount** The number of consecutive times the boot manager has attempted to boot into this operating system. - **BootSequence** The current Boot ID, used to correlate events related to a particular boot session. @@ -4798,107 +4904,107 @@ This event indicates whether a remediation plug-in is applicable, to help keep W The following fields are available: -- **AllowAutoUpdateExists** No content is currently available. +- **AllowAutoUpdateExists** Indicates whether the Automatic Update feature is turned on. - **AllowAutoUpdateProviderSetExists** No content is currently available. - **AppraiserBinariesValidResult** Indicates whether plug-in was appraised as valid. - **AppraiserRegistryValidResult** Indicates whether the registry entry checks out as valid. - **AppraiserTaskRepairDisabled** Task repair performed by the appraiser plugin is disabled. - **AppraiserTaskValid** Indicates that the appraiser task is valid. - **AUOptionsExists** Indicates whether the Automatic Update option exist. -- **CTACTargetingAttributesInvalid** No content is currently available. -- **CTACVersion** No content is currently available. +- **CTACTargetingAttributesInvalid** Indicates whether the Common Targeting Attribute Client (CTAC) attributes are valid. CTAC is a Windows Runtime client library. +- **CTACVersion** The Common Targeting Attribute Client (CTAT) version on the device. CTAT is a Windows Runtime client library. - **CV** Correlation vector - **DataStoreSizeInBytes** Size of the data store, in bytes. - **DateTimeDifference** The difference between local and reference clock times. - **DateTimeSyncEnabled** Indicates whether the datetime sync plug-in is enabled. -- **daysSinceInstallThreshold** No content is currently available. -- **daysSinceInstallValue** No content is currently available. +- **daysSinceInstallThreshold** The maximum number of days since the operating system was installed before we check to see if remediation is needed. +- **daysSinceInstallValue** Number of days since the operating system was installed. - **DaysSinceLastSIH** The number of days since the most recent SIH executed. - **DaysToNextSIH** The number of days until the next scheduled SIH execution. -- **DetectConditionEnabled** No content is currently available. +- **DetectConditionEnabled** Indicates whether a condition that the remediation tool can repair was detected. - **DetectedCondition** Indicates whether detect condition is true and the perform action will be run. -- **DetectionFailedReason** No content is currently available. -- **DiskFreeSpaceBeforeSedimentPackInMB** No content is currently available. -- **DiskSpaceBefore** No content is currently available. -- **EditionIdFixCorrupted** No content is currently available. -- **EscalationTimerResetFixResult** No content is currently available. +- **DetectionFailedReason** Indicates why a given remediation failed to fix a problem that was detected. +- **DiskFreeSpaceBeforeSedimentPackInMB** Number of megabytes of disk space available on the device before running the Sediment Pack. +- **DiskSpaceBefore** The amount of free disk space available before a remediation was run. +- **EditionIdFixCorrupted** Indicates whether the Edition ID is corrupted. +- **EscalationTimerResetFixResult** The result of fixing the escalation timer. - **EvalAndReportAppraiserRegEntries** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed. -- **FixedEditionId** No content is currently available. -- **FlightRebootTime** No content is currently available. -- **ForcedRebootToleranceDays** No content is currently available. -- **FreeSpaceRequirement** No content is currently available. +- **FixedEditionId** Indicates whether we fixed Edition ID. +- **FlightRebootTime** The amount of time before the system is rebooted. +- **ForcedRebootToleranceDays** The maximum number of days before a system reboot is forced on the devie. +- **FreeSpaceRequirement** The amount of free space required. - **GlobalEventCounter** Client side counter that indicates ordering of events sent by the remediation system. - **HResult** The HRESULT for detection or perform action phases of the plugin. -- **installDateValue** No content is currently available. +- **installDateValue** The date of the installation. - **IsAppraiserLatestResult** The HRESULT from the appraiser task. - **IsConfigurationCorrected** Indicates whether the configuration of SIH task was successfully corrected. -- **IsEscalationTimerResetFixNeeded** No content is currently available. -- **IsForcedModeEnabled** No content is currently available. -- **IsHomeSku** No content is currently available. -- **IsRebootForcedMode** No content is currently available. -- **IsServiceHardeningEnabled** No content is currently available. -- **IsServiceHardeningNeeded** No content is currently available. -- **isThreshold** No content is currently available. -- **IsUsoRebootPending** No content is currently available. -- **IsUsoRebootPendingInUpdateStore** No content is currently available. -- **IsUsoRebootTaskEnabled** No content is currently available. -- **IsUsoRebootTaskExists** No content is currently available. -- **IsUsoRebootTaskValid** No content is currently available. +- **IsEscalationTimerResetFixNeeded** Determines whether a fix is applicable. +- **IsForcedModeEnabled** Indicates whether forced reboot mode is enabled. +- **IsHomeSku** Indicates whether the device is running the Windows 10 Home edition. +- **IsRebootForcedMode** Indicates whether the forced reboot mode is turned on. +- **IsServiceHardeningEnabled** Indicates whether the Windows Service Hardening feature was turned on for the device. +- **IsServiceHardeningNeeded** Indicates whether Windows Service Hardening was needed for the device (multiple instances of service tampering were detected.) +- **isThreshold** Indicates whether the value meets our threshold. +- **IsUsoRebootPending** Indicates whether a system reboot is pending. +- **IsUsoRebootPendingInUpdateStore** Indicates whether a reboot is pending. +- **IsUsoRebootTaskEnabled** Indicates whether the Update Service Orchestrator (USO) reboot task is enabled +- **IsUsoRebootTaskExists** Indicates whether the Update Service Orchestrator (USO) reboot task exists. +- **IsUsoRebootTaskValid** Indicates whether the Update Service Orchestrator (USO) reboot task is valid. - **LastHresult** The HRESULT for detection or perform action phases of the plugin. -- **LastRebootTaskRunResult** No content is currently available. -- **LastRebootTaskRunTime** No content is currently available. +- **LastRebootTaskRunResult** Indicates the result of the last reboot task. +- **LastRebootTaskRunTime** The length of time the last reboot task took to run. - **LastRun** The date of the most recent SIH run. -- **LPCountBefore** No content is currently available. -- **NextCheck** No content is currently available. -- **NextRebootTaskRunTime** No content is currently available. +- **LPCountBefore** The number of language packs on the device before remediation started. +- **NextCheck** Indicates when remediation will next be attempted. +- **NextRebootTaskRunTime** Indicates when the next system reboot task will run. - **NextRun** Date of the next scheduled SIH run. -- **NoAutoUpdateExists** No content is currently available. -- **NumberOfDaysStuckInReboot** No content is currently available. -- **OriginalEditionId** No content is currently available. +- **NoAutoUpdateExists** Indicates whether the Automatic Updates feature is turned off. +- **NumberOfDaysStuckInReboot** The number of days tht the device has been unable to successfully reboot. +- **OriginalEditionId** The Windows edition ID before remediation started. - **PackageVersion** The version of the current remediation package. - **PluginName** Name of the plugin specified for each generic plugin event. -- **ProductType** No content is currently available. -- **QualityUpdateSedimentFunnelState** No content is currently available. +- **ProductType** The product type of Windows 10. +- **QualityUpdateSedimentFunnelState** Provides information about whether Windows Quality Updates are missing on the device. - **QualityUpdateSedimentJsonSchemaVersion** No content is currently available. -- **QualityUpdateSedimentLastRunSeconds** No content is currently available. -- **QualityUpdateSedimentLocalStartTime** No content is currently available. +- **QualityUpdateSedimentLastRunSeconds** The number of seconds since the Quality Update Sediment Pack ran. +- **QualityUpdateSedimentLocalStartTime** Provides information about when Quality Updates were run. - **QualityUpdateSedimentLocaltTime** No content is currently available. -- **QualityUpdateSedimentTargetedPlugins** No content is currently available. -- **QualityUpdateSedimentTargetedTriggers** No content is currently available. -- **RegkeysExist** No content is currently available. +- **QualityUpdateSedimentTargetedPlugins** Provides the list of remediation plug-ins that are applicable to enable Quality Updates on the device. +- **QualityUpdateSedimentTargetedTriggers** Provides information about remediations that are applicable to enable Quality Updates on the device. +- **RegkeysExist** Indicates whether specified registry keys exist. - **Reload** True if SIH reload is required. -- **RemediationAutoUAAcLineStatus** No content is currently available. -- **RemediationAutoUAAutoStartCount** No content is currently available. -- **RemediationAutoUACalendarTaskEnabled** No content is currently available. -- **RemediationAutoUACalendarTaskExists** No content is currently available. -- **RemediationAutoUACalendarTaskTriggerEnabledCount** No content is currently available. -- **RemediationAutoUADaysSinceLastTaskRunTime** No content is currently available. -- **RemediationAutoUAGetCurrentSize** No content is currently available. -- **RemediationAutoUAIsInstalled** No content is currently available. -- **RemediationAutoUALastTaskRunResult** No content is currently available. -- **RemediationAutoUAMeteredNetwork** No content is currently available. -- **RemediationAutoUATaskEnabled** No content is currently available. -- **RemediationAutoUATaskExists** No content is currently available. -- **RemediationAutoUATasksStalled** No content is currently available. -- **RemediationAutoUATaskTriggerEnabledCount** No content is currently available. -- **RemediationAutoUAUAExitCode** No content is currently available. -- **RemediationAutoUAUAExitState** No content is currently available. -- **RemediationAutoUAUserLoggedIn** No content is currently available. -- **RemediationAutoUAUserLoggedInAdmin** No content is currently available. -- **RemediationCorruptionRepairBuildNumber** No content is currently available. -- **RemediationCorruptionRepairCorruptionsDetected** No content is currently available. -- **RemediationCorruptionRepairDetected** No content is currently available. -- **RemediationDeliverToastBuildNumber** No content is currently available. -- **RemediationDeliverToastDetected** No content is currently available. -- **RemediationDeliverToastDeviceExcludedNation** No content is currently available. -- **RemediationDeliverToastDeviceFreeSpaceInMB** No content is currently available. -- **RemediationDeliverToastDeviceHomeSku** No content is currently available. -- **RemediationDeliverToastDeviceIncludedNation** No content is currently available. -- **RemediationDeliverToastDeviceProSku** No content is currently available. -- **RemediationDeliverToastDeviceSystemDiskSizeInMB** No content is currently available. -- **RemediationDeliverToastGeoId** No content is currently available. -- **RemediationDeviceSkuId** No content is currently available. -- **RemediationGetCurrentFolderExist** No content is currently available. +- **RemediationAutoUAAcLineStatus** Indicates the power status returned by the Automatic Update Assistant tool. +- **RemediationAutoUAAutoStartCount** Indicates the number of times the Automatic Update Assistant tool has automatically started. +- **RemediationAutoUACalendarTaskEnabled** Indicates whether an Automatic Update Assistant tool task is enabled. +- **RemediationAutoUACalendarTaskExists** Indicates whether an Automatic Update Assistant tool task exists. +- **RemediationAutoUACalendarTaskTriggerEnabledCount** Indicates the number of times an Automatic Update Assistant tool task has been triggered. +- **RemediationAutoUADaysSinceLastTaskRunTime** Indicates the last run time of an Automatic Update Assistant tool task. +- **RemediationAutoUAGetCurrentSize** Indicates the current size of the Automatic Update Assistant tool. +- **RemediationAutoUAIsInstalled** Indicates whether the Automatic Update Assistant tool is installed. +- **RemediationAutoUALastTaskRunResult** Indicates the result from the last time the Automatic Update Assistant tool was run. +- **RemediationAutoUAMeteredNetwork** Indicates whether the Automatic Update Assistant tool is running on a metered network. +- **RemediationAutoUATaskEnabled** Indicates whether the Automatic Update Assistant tool task is enabled. +- **RemediationAutoUATaskExists** Indicates whether an Automatic Update Assistant tool task exists. +- **RemediationAutoUATasksStalled** Indicates whether an Automatic Update Assistant tool task is stalled. +- **RemediationAutoUATaskTriggerEnabledCount** Indicates how many times an Automatic Update Assistant tool task has been triggered. +- **RemediationAutoUAUAExitCode** Indicates any exit code provided by the Automatic Update Assistant tool. +- **RemediationAutoUAUAExitState** Indicates the exit state of the Automatic Update Assistant tool. +- **RemediationAutoUAUserLoggedIn** Indicates whether a user is logged in. +- **RemediationAutoUAUserLoggedInAdmin** Indicates whether an Administrator user is logged in. +- **RemediationCorruptionRepairBuildNumber** The build number to use to repair corruption. +- **RemediationCorruptionRepairCorruptionsDetected** Indicates whether corruption was detected. +- **RemediationCorruptionRepairDetected** Indicates whether an attempt was made to repair the corruption. +- **RemediationDeliverToastBuildNumber** Indicates a build number that should be applicable to this device. +- **RemediationDeliverToastDetected** Indicates that a plugin has been detected. +- **RemediationDeliverToastDeviceExcludedNation** Indicates the geographic identity (GEO ID) that is not applicable for a given plug-in. +- **RemediationDeliverToastDeviceFreeSpaceInMB** Indicates the amount of free space, in megabytes. +- **RemediationDeliverToastDeviceHomeSku** Indicates whether the plug-in is applicable for the Windows 10 Home edition. +- **RemediationDeliverToastDeviceIncludedNation** Indicates the geographic identifier (GEO ID) that is applicable for a given plug-in. +- **RemediationDeliverToastDeviceProSku** Indicates whether the plug-in is applicable for the Windows 10 Professional edition. +- **RemediationDeliverToastDeviceSystemDiskSizeInMB** Indicates the size of a system disk, in megabytes. +- **RemediationDeliverToastGeoId** Indicates the geographic identifier (GEO ID) that is applicable for a given plug-in. +- **RemediationDeviceSkuId** The Windows 10 edition ID that maps to the version of Windows 10 on the device. +- **RemediationGetCurrentFolderExist** Indicates whether the GetCurrent folder exists. - **RemediationNoisyHammerAcLineStatus** Event that indicates the AC Line Status of the machine. - **RemediationNoisyHammerAutoStartCount** The number of times hammer auto-started. - **RemediationNoisyHammerCalendarTaskEnabled** Event that indicates Update Assistant Calendar Task is enabled. @@ -4911,35 +5017,40 @@ The following fields are available: - **RemediationNoisyHammerMeteredNetwork** TRUE if the machine is on a metered network. - **RemediationNoisyHammerTaskEnabled** Indicates whether the Update Assistant Task (Noisy Hammer) is enabled. - **RemediationNoisyHammerTaskExists** Indicates whether the Update Assistant Task (Noisy Hammer) exists. -- **RemediationNoisyHammerTasksStalled** No content is currently available. +- **RemediationNoisyHammerTasksStalled** Indicates whether a task (Noisy Hammer) is stalled. - **RemediationNoisyHammerTaskTriggerEnabledCount** Indicates whether counting is enabled for the Update Assistant (Noisy Hammer) task trigger. - **RemediationNoisyHammerUAExitCode** The exit code of the Update Assistant (Noisy Hammer) task. - **RemediationNoisyHammerUAExitState** The code for the exit state of the Update Assistant (Noisy Hammer) task. - **RemediationNoisyHammerUserLoggedIn** TRUE if there is a user logged in. - **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. -- **RemediationNotifyUserFixIssuesBoxStatusKey** No content is currently available. -- **RemediationNotifyUserFixIssuesBuildNumber** No content is currently available. -- **RemediationNotifyUserFixIssuesDetected** No content is currently available. -- **RemediationNotifyUserFixIssuesDiskSpace** No content is currently available. -- **RemediationNotifyUserFixIssuesFeatureUpdateBlocked** No content is currently available. -- **RemediationNotifyUserFixIssuesFeatureUpdateInProgress** No content is currently available. -- **RemediationNotifyUserFixIssuesIsUserAdmin** No content is currently available. -- **RemediationNotifyUserFixIssuesIsUserLoggedIn** No content is currently available. -- **RemediationProgramDataFolderSizeInMB** No content is currently available. -- **RemediationProgramFilesFolderSizeInMB** No content is currently available. -- **RemediationShellDeviceEducationSku** No content is currently available. -- **RemediationShellDeviceEnterpriseSku** No content is currently available. -- **RemediationShellDeviceFeatureUpdatesPaused** No content is currently available. -- **RemediationShellDeviceHomeSku** No content is currently available. -- **RemediationShellDeviceIsAllowedSku** No content is currently available. +- **RemediationNotifyUserFixIssuesBoxStatusKey** Status of the remediation plug-in. +- **RemediationNotifyUserFixIssuesBuildNumber** The build number of the remediation plug-in. +- **RemediationNotifyUserFixIssuesDetected** Indicates whether the remediation is necessary. +- **RemediationNotifyUserFixIssuesDiskSpace** Indicates whether the remediation is necessary due to low disk space. +- **RemediationNotifyUserFixIssuesFeatureUpdateBlocked** Indicates whether the remediation is necessary due to Feature Updates being blocked. +- **RemediationNotifyUserFixIssuesFeatureUpdateInProgress** Indicates whether the remediation is necessary due to Feature Updates in progress. +- **RemediationNotifyUserFixIssuesIsUserAdmin** Indicates whether the remediation requires that an Administrator is logged in. +- **RemediationNotifyUserFixIssuesIsUserLoggedIn** Indicates whether the remediation can take place when a non-Administrator is logged in. +- **RemediationProgramDataFolderSizeInMB** The size (in megabytes) of the Program Data folder on the device. +- **RemediationProgramFilesFolderSizeInMB** The size (in megabytes) of the Program Files folder on the device. +- **RemediationShellDeviceApplicabilityFailedReason** No content is currently available. +- **RemediationShellDeviceEducationSku** Indicates whether a Windows 10 Education edition is detected on the device. +- **RemediationShellDeviceEnterpriseSku** Indicates whether a Windows 10 Enterprise edition is detected on the device. +- **RemediationShellDeviceFeatureUpdatesPaused** Indicates whether Feature Updates are paused on the device. +- **RemediationShellDeviceHomeSku** Indicates whether a Windows 10 Home edition is detected on the device. +- **RemediationShellDeviceIsAllowedSku** Indicates whether the Windows 10 edition is applicable to the device. - **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. - **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. -- **RemediationShellDeviceProSku** No content is currently available. -- **RemediationShellDeviceQualityUpdatesPaused** No content is currently available. +- **RemediationShellDeviceProSku** Indicates whether a Windows 10 Professional edition is detected. +- **RemediationShellDeviceQualityUpdatesPaused** Indicates whether Quality Updates are paused on the device. - **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager). -- **RemediationShellDeviceSetupMutexInUse** No content is currently available. -- **RemediationShellDeviceWuRegistryBlocked** No content is currently available. +- **RemediationShellDeviceSedimentMutexInUse** No content is currently available. +- **RemediationShellDeviceSetupMutexInUse** Indicates whether device setup is in progress. +- **RemediationShellDeviceWuRegistryBlocked** Indicates whether the Windows Update is blocked on the device via the registry. - **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. +- **RemediationShellHasExpired** No content is currently available. +- **RemediationShellHasUpgraded** No content is currently available. +- **RemediationShellIsDeviceApplicable** No content is currently available. - **RemediationTargetMachine** Indicates whether the device is a target of the specified fix. - **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task. - **RemediationTaskHealthChkdskProactiveScan** True/False based on the health of the Check Disk task. @@ -4949,26 +5060,26 @@ The following fields are available: - **RemediationTaskHealthUSO_ScheduleScanTask** True/False based on the health of the USO (Update Session Orchestrator) Schedule task. - **RemediationTaskHealthWindowsUpdate_ScheduledStartTask** True/False based on the health of the Windows Update Scheduled Start task. - **RemediationTaskHealthWindowsUpdate_SihbootTask** True/False based on the health of the Sihboot task. -- **RemediationUHServiceDisabledBitMap** No content is currently available. -- **RemediationUHServiceNotExistBitMap** No content is currently available. -- **RemediationUsersFolderSizeInMB** No content is currently available. -- **RemediationWindows10UpgradeFolderExist** No content is currently available. -- **RemediationWindows10UpgradeFolderSizeInMB** No content is currently available. -- **RemediationWindowsAppsFolderSizeInMB** No content is currently available. -- **RemediationWindowsBtFolderSizeInMB** No content is currently available. -- **RemediationWindowsFolderSizeInMB** No content is currently available. -- **RemediationWindowsServiceProfilesFolderSizeInMB** No content is currently available. +- **RemediationUHServiceDisabledBitMap** A bitmap indicating which services were disabled. +- **RemediationUHServiceNotExistBitMap** A bitmap indicating which services were deleted. +- **RemediationUsersFolderSizeInMB** The size (in megabytes) of the Users folder on the device. +- **RemediationWindows10UpgradeFolderExist** Indicates whether the Windows 10 Upgrade folder exists. +- **RemediationWindows10UpgradeFolderSizeInMB** The size (in megabytes) of Windows 10 Upgrade folder on the device. +- **RemediationWindowsAppsFolderSizeInMB** The size (in megabytes) of the Windows Applications folder on the device. +- **RemediationWindowsBtFolderSizeInMB** The size (in megabytes) of the Windows BT folder on the device. +- **RemediationWindowsFolderSizeInMB** The size (in megabytes) of the Windows folder on the device. +- **RemediationWindowsServiceProfilesFolderSizeInMB** The size (in megabytes) of the Windows service profile on the device. - **Result** This is the HRESULT for Detection or Perform Action phases of the plugin. - **RunTask** TRUE if SIH task should be run by the plug-in. -- **StorageSenseDiskCompresserEstimateInMB** No content is currently available. -- **StorageSenseHelloFaceRecognitionFodCleanupEstimateInByte** No content is currently available. -- **StorageSenseRestorePointCleanupEstimateInMB** No content is currently available. -- **StorageSenseUserDownloadFolderCleanupEstimateInByte** No content is currently available. +- **StorageSenseDiskCompresserEstimateInMB** The estimated amount of free space that can be cleaned up by running Storage Sense. +- **StorageSenseHelloFaceRecognitionFodCleanupEstimateInByte** The estimated amount of space that can be cleaned up by running Storage Sense and removing Windows Hello facial recognition. +- **StorageSenseRestorePointCleanupEstimateInMB** The estimated amount of free space (in megabytes) that can be cleaned up by running Storage Sense. +- **StorageSenseUserDownloadFolderCleanupEstimateInByte** The estimated amount of space that can be cleaned up by running Storage Sense to clean up the User Download folder. - **TimeServiceNTPServer** The URL for the NTP time server used by device. - **TimeServiceStartType** The startup type for the NTP time service. - **TimeServiceSyncDomainJoined** True if device domain joined and hence uses DC for clock. - **TimeServiceSyncType** Type of sync behavior for Date & Time service on device. -- **uninstallActiveValue** No content is currently available. +- **uninstallActiveValue** Indicates whether an uninstall is in progress. - **UpdateApplicabilityFixerTriggerBitMap** No content is currently available. - **UpdateRebootTime** No content is currently available. - **usoScanHoursSinceLastScan** No content is currently available. @@ -4992,10 +5103,16 @@ The following fields are available: - **branchReadinessLevel** Branch readiness level policy. - **cloudControlState** Value indicating whether the shell is enabled on the cloud control settings. - **CV** The Correlation Vector. -- **DiskFreeSpaceAfterSedimentPackInMB** No content is currently available. -- **DiskFreeSpaceBeforeSedimentPackInMB** No content is currently available. +- **DiskFreeSpaceAfterSedimentPackInMB** The amount of free disk space (in megabytes) after executing the Sediment Pack. +- **DiskFreeSpaceBeforeSedimentPackInMB** The amount of free disk space (in megabytes) before executing the Sediment Pack. +- **DiskMbFreeAfterCleanup** The amount of free hard disk space after cleanup, measured in Megabytes. +- **DiskMbFreeBeforeCleanup** The amount of free hard disk space before cleanup, measured in Megabytes. +- **DiskSpaceCleanedByComponentCleanup** No content is currently available. +- **DiskSpaceCleanedByNGenRemoval** No content is currently available. +- **DiskSpaceCleanedByRestorePointRemoval** No content is currently available. - **ForcedAppraiserTaskTriggered** TRUE if Appraiser task ran from the plug-in. - **GlobalEventCounter** Client-side counter that indicates ordering of events sent by the active user. +- **HandlerCleanupFreeDiskInMegabytes** The amount of hard disk space cleaned by the storage sense handlers, measured in Megabytes. - **hasRolledBack** Indicates whether the client machine has rolled back. - **hasUninstalled** Indicates whether the client machine has uninstalled a later version of the OS. - **hResult** The result of the event execution. @@ -5006,47 +5123,69 @@ The following fields are available: - **MicrosoftCompatibilityAppraiser** The name of the component targeted by the Appraiser plug-in. - **PackageVersion** The package version for the current Remediation. - **PluginName** The name of the plug-in specified for each generic plug-in event. -- **QualityUpdateSedimentExecutedPlugins** No content is currently available. -- **QualityUpdateSedimentFunnelState** No content is currently available. +- **QualityUpdateSedimentExecutedPlugins** The number of plug-ins executed by the Windows Quality Update remediation. +- **QualityUpdateSedimentFunnelState** The state of the Windows Quality Update remediation funnel for the device. - **QualityUpdateSedimentJsonSchemaVersion** No content is currently available. -- **QualityUpdateSedimentLocalEndTime** No content is currently available. +- **QualityUpdateSedimentLocalEndTime** The local time on the device when the Windows Quality Update remediation executed. - **QualityUpdateSedimentLocaltTime** No content is currently available. -- **QualityUpdateSedimentMatchedTriggers** No content is currently available. -- **QualityUpdateSedimentModelExecutionSeconds** No content is currently available. +- **QualityUpdateSedimentMatchedTriggers** The list of triggers that were matched by the Windows Quality Update remediation. +- **QualityUpdateSedimentModelExecutionSeconds** The number of seconds needed to execute the Windows Quality Update remediation. - **recoveredFromTargetOS** No content is currently available. - **RemediationBatteryPowerBatteryLevel** Indicates the battery level at which it is acceptable to continue operation. - **RemediationBatteryPowerExitDueToLowBattery** True when we exit due to low battery power. - **RemediationBatteryPowerOnBattery** True if we allow execution on battery. +- **RemediationCbsTempDiskSpaceCleanedInMB** No content is currently available. +- **RemediationCbsTempEstimateInMB** No content is currently available. +- **RemediationComponentCleanupEstimateInMB** No content is currently available. - **RemediationConfigurationTroubleshooterIpconfigFix** TRUE if IPConfig Fix completed successfully. - **RemediationConfigurationTroubleshooterNetShFix** TRUE if network card cache reset ran successfully. - **RemediationCorruptionRepairCorruptionsDetected** Number of corruptions detected on the device. - **RemediationCorruptionRepairCorruptionsFixed** Number of detected corruptions that were fixed on the device. - **RemediationCorruptionRepairPerformActionSuccessful** Indicates whether corruption repair was successful on the device. +- **RemediationDiskCleanupSearchFileSizeInMB** No content is currently available. +- **RemediationDiskSpaceSavedByCompressionInMB** No content is currently available. +- **RemediationDiskSpaceSavedByUserProfileCompressionInMB** No content is currently available. - **remediationExecution** Remediation shell is in "applying remediation" state. +- **RemediationHandlerCleanupEstimateInMB** No content is currently available. - **RemediationHibernationMigrated** TRUE if hibernation was migrated. - **RemediationHibernationMigrationSucceeded** TRUE if hibernation migration succeeded. -- **RemediationNGenDiskSpaceRestored** No content is currently available. -- **RemediationNGenMigrationSucceeded** No content is currently available. +- **RemediationNGenDiskSpaceRestored** The amount of disk space (in megabytes) that was restored after re-running the Native Image Generator (NGEN). +- **RemediationNGenEstimateInMB** No content is currently available. +- **RemediationNGenMigrationSucceeded** Indicates whether the Native Image Generator (NGEN) migration succeeded. +- **RemediationRestorePointEstimateInMB** No content is currently available. +- **RemediationSearchFileSizeEstimateInMB** No content is currently available. - **RemediationShellHasUpgraded** TRUE if the device upgraded. - **RemediationShellMinimumTimeBetweenShellRuns** Indicates the time between shell runs exceeded the minimum required to execute plugins. - **RemediationShellRunFromService** TRUE if the shell driver was run from the service. - **RemediationShellSessionIdentifier** Unique identifier tracking a shell session. - **RemediationShellSessionTimeInSeconds** Indicates the time the shell session took in seconds. - **RemediationShellTaskDeleted** Indicates that the shell task has been deleted so no additional sediment pack runs occur for this installation. +- **RemediationSoftwareDistributionCleanedInMB** No content is currently available. +- **RemediationSoftwareDistributionEstimateInMB** No content is currently available. +- **RemediationTotalDiskSpaceCleanedInMB** No content is currently available. - **RemediationUpdateServiceHealthRemediationResult** The result of the Update Service Health plug-in. - **RemediationUpdateTaskHealthRemediationResult** The result of the Update Task Health plug-in. - **RemediationUpdateTaskHealthTaskList** A list of tasks fixed by the Update Task Health plug-in. +- **RemediationUserFolderCompressionEstimateInMB** No content is currently available. +- **RemediationUserProfileCompressionEstimateInMB** No content is currently available. - **RemediationUSORebootRequred** Indicates whether a reboot is determined to be required by calling the Update Service Orchestrator (USO). +- **RemediationWindowsCompactedEstimateInMB** No content is currently available. +- **RemediationWindowsLogSpaceEstimateInMB** No content is currently available. +- **RemediationWindowsLogSpaceFreed** The amount of disk space freed by deleting the Windows log files, measured in Megabytes. +- **RemediationWindowsOldSpaceEstimateInMB** No content is currently available. +- **RemediationWindowsSpaceCompactedInMB** No content is currently available. +- **RemediationWindowsStoreSpaceCleanedInMB** No content is currently available. +- **RemediationWindowsStoreSpaceEstimateInMB** No content is currently available. - **Result** The HRESULT for Detection or Perform Action phases of the plug-in. - **RunCount** The number of times the plugin has executed. - **RunResult** The HRESULT for Detection or Perform Action phases of the plug-in. - **ServiceHardeningExitCode** The exit code returned by Windows Service Repair. - **ServiceHealthEnabledBitMap** List of services updated by the plugin. - **ServiceHealthInstalledBitMap** List of services installed by the plugin. -- **StorageSenseDiskCompresserTotalInMB** No content is currently available. -- **StorageSenseHelloFaceRecognitionFodCleanupTotalInByte** No content is currently available. -- **StorageSenseRestorePointCleanupTotalInMB** No content is currently available. -- **StorageSenseUserDownloadFolderCleanupTotalInByte** No content is currently available. +- **StorageSenseDiskCompresserTotalInMB** The total number of megabytes that Storage Sense cleaned up in the User Download folder. +- **StorageSenseHelloFaceRecognitionFodCleanupTotalInByte** The amount of space that Storage Sense was able to clean up in the User Download folder by removing Windows Hello facial recognition. +- **StorageSenseRestorePointCleanupTotalInMB** The total number of megabytes that Storage Sense cleaned up in the User Download folder. +- **StorageSenseUserDownloadFolderCleanupTotalInByte** The total number of bytes that Storage Sense cleaned up in the User Download folder. - **systemDriveFreeDiskSpace** Indicates the free disk space on system drive in MBs. - **systemUptimeInHours** Indicates the amount of time the system in hours has been on since the last boot. - **uninstallActive** TRUE if previous uninstall has occurred for current OS @@ -5063,6 +5202,7 @@ The following fields are available: - **usoScanType** The type of USO (Update Session Orchestrator) scan: "Interactive" or "Background". - **windows10UpgraderBlockWuUpdates** Event to report the value of Windows 10 Upgrader BlockWuUpdates Key. - **windowsEditionId** Event to report the value of Windows Edition ID. +- **WindowsOldSpaceCleanedInMB** The amount of disk space freed by removing the Windows.OLD folder, measured in Megabytes. - **windowsUpgradeRecoveredFromRs4** Event to report the value of the Windows Upgrade Recovered key. @@ -5076,16 +5216,32 @@ The following fields are available: - **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. - **PackageVersion** Current package version of Remediation. - **PluginName** Name of the plugin specified for each generic plugin event. -- **QualityUpdateSedimentFunnelState** No content is currently available. +- **QualityUpdateSedimentFunnelState** Provides information about whether quality updates are missing on the device. +- **QualityUpdateSedimentFunnelType** No content is currently available. - **QualityUpdateSedimentJsonSchemaVersion** No content is currently available. -- **QualityUpdateSedimentLastRunSeconds** No content is currently available. +- **QualityUpdateSedimentLastRunSeconds** The number of seconds since Quality Updates were run. - **QualityUpdateSedimentLocaltTime** No content is currently available. - **QualityUpdateSedimentMatchedTriggers** No content is currently available. - **QualityUpdateSedimentSelectedPlugins** No content is currently available. - **QualityUpdateSedimentTargetedPlugins** No content is currently available. -- **QualityUpdateSedimentTargetedTriggers** No content is currently available. +- **QualityUpdateSedimentTargetedTriggers** The list of triggers targeted by the current quality update sediment remediation run. +- **RemediationProgramDataFolderSizeInMB** No content is currently available. +- **RemediationProgramFilesFolderSizeInMB** No content is currently available. +- **RemediationUsersFolderSizeInMB** No content is currently available. +- **RemediationWindowsAppsFolderSizeInMB** No content is currently available. +- **RemediationWindowsBtFolderSizeInMB** No content is currently available. +- **RemediationWindowsFolderSizeInMB** No content is currently available. +- **RemediationWindowsServiceProfilesFolderSizeInMB** No content is currently available. +- **RemediationWindowsTotalSystemDiskSize** No content is currently available. - **Result** This is the HRESULT for detection or perform action phases of the plugin. - **RunCount** The number of times the remediation event started (whether it completed successfully or not). +- **WindowsHiberFilSysSizeInMegabytes** No content is currently available. +- **WindowsInstallerFolderSizeInMegabytes** No content is currently available. +- **WindowsOldFolderSizeInMegabytes** No content is currently available. +- **WindowsPageFileSysSizeInMegabytes** No content is currently available. +- **WindowsSoftwareDistributionFolderSizeInMegabytes** No content is currently available. +- **WindowsSwapFileSysSizeInMegabytes** No content is currently available. +- **WindowsSxsFolderSizeInMegabytes** No content is currently available. ## Sediment events @@ -5263,8 +5419,15 @@ This service retrieves events generated by SetupPlatform, the engine that drives The following fields are available: +- **FaeldName** No content is currently available. +- **FieddName** No content is currently available. - **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **FieldNime** No content is currently available. +- **Gro}pName** No content is currently available. - **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **GzoupName** No content is currently available. +- **OroupName** No content is currently available. +- **Vadue** No content is currently available. - **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. @@ -5276,6 +5439,7 @@ Scan process event on Windows Update client. See the EventScenario field for spe The following fields are available: +- **__TlgCV_W** No content is currently available. - **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. - **AllowCachedResults** Indicates if the scan allowed using cached results. - **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable @@ -5287,12 +5451,15 @@ The following fields are available: - **BiosVersion** The version of the BIOS. - **BranchReadinessLevel** The servicing branch configured on the device. - **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. +- **CallerApplacationN!me** No content is currently available. - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. - **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated. - **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. - **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - **ClientVersion** The version number of the software distribution client. +- **ClientWersion** No content is currently available. - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0. +- **ComvonProps** No content is currently available. - **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown - **CurrentMobileOperator** The mobile operator the device is currently connected to. - **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). @@ -5301,8 +5468,11 @@ The following fields are available: - **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. - **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. - **DriverSyncPassPerformed** Were drivers scanned this time? +- **EventIfstanceI** No content is currently available. - **EventInstanceID** A globally unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **ExsendedMetadataCabUrl** No content is currently available. +- **ExsendedStatusCode** No content is currently available. - **ExtendedMetadataCabUrl** Hostname that is used to download an update. - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. - **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. @@ -5314,6 +5484,7 @@ The following fields are available: - **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). - **HomeMobileOperator** The mobile operator that the device was originally intended to work with. - **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IntentPINs** No content is currently available. - **IPVersion** Indicates whether the download took place over IPv4 or IPv6 - **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. - **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. @@ -5321,10 +5492,12 @@ The following fields are available: - **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce - **MSIError** The last error that was encountered during a scan for updates. - **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 +- **NumberOfApplicableUpdatds** No content is currently available. - **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete - **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked - **NumberOfLoop** The number of round trips the scan required - **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan +- **NumberOfNewUpdatesFrvFServiceSync** No content is currently available. - **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan - **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. - **Online** Indicates if this was an online scan. @@ -5346,6 +5519,7 @@ The following fields are available: - **ServiceUrl** The environment URL a device is configured to scan with - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). +- **Statusode** No content is currently available. - **SyncType** Describes the type of scan the event was - **SystemBIOSMajorRelease** Major version of the BIOS. - **SystemBIOSMinorRelease** Minor version of the BIOS. @@ -5411,17 +5585,19 @@ The following fields are available: - **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). - **CachedEngineVersion** The version of the “Self-Initiated Healing” (SIH) engine that is cached on the device, if applicable. - **CallerApplicationName** The name provided by the application that initiated API calls into the software distribution client. +- **CaLlerApplicationName** No content is currently available. - **CbsDownloadMethod** Indicates whether the download was a full- or a partial-file download. - **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. - **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. - **CDNId** ID which defines which CDN the software distribution client downloaded the content from. - **ClientVersion** The version number of the software distribution client. - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. +- **ComvonProps** No content is currently available. - **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. - **CurrentMobileOperator** The mobile operator the device is currently connected to. - **DeviceModel** The model of the device. - **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. -- **DownloadProps** Information about the download operation properties in the form of a bitmask. +- **DownloadProps** Information about the download operation. - **DownloadType** Differentiates the download type of “Self-Initiated Healing” (SIH) downloads between Metadata and Payload downloads. - **EventInstanceID** A globally unique identifier for event instance. - **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed. @@ -5429,6 +5605,7 @@ The following fields are available: - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. - **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). +- **FlightBuildN�mber** No content is currently available. - **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. - **FlightId** The specific ID of the flight (pre-release build) the device is getting. - **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). @@ -5471,7 +5648,6 @@ The following fields are available: - **UpdateId** An identifier associated with the specific piece of content. - **UpdateID** An identifier associated with the specific piece of content. - **UpdateImportance** Indicates whether the content was marked as Important, Recommended, or Optional. -- **UpdatEImportance** No content is currently available. - **UsedDO** Indicates whether the download used the Delivery Optimization (DO) service. - **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive. - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. @@ -5575,6 +5751,7 @@ The following fields are available: - **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. - **IsFirmware** Indicates whether this update is a firmware update. - **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. +- **IsWufBDualScanEnabled** No content is currently available. - **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. - **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. - **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. @@ -6324,10 +6501,15 @@ This event sends data about OS deployment scenarios, to help keep Windows up-to- The following fields are available: +- **^alue** No content is currently available. - **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FdightData** No content is currently available. - **FieldName** Retrieves the data point. +- **FimldName** No content is currently available. - **FlightData** Specifies a unique identifier for each group of Windows Insider builds. - **InstanceId** Retrieves a unique identifier for each instance of a setup session. +- **InstanceIl** No content is currently available. +- **InstancmId** No content is currently available. - **ReportId** Retrieves the report ID. - **ScenarioId** Retrieves the deployment scenario. - **Value** Retrieves the value associated with the corresponding FieldName. @@ -6366,6 +6548,7 @@ The following fields are available: - **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. - **MitigationScenario** The update scenario in which the mitigation was executed. - **Name** The friendly (descriptive) name of the mitigation. +- **OperatignName** No content is currently available. - **OperationIndex** The mitigation operation index (in the event of a failure). - **OperationName** The friendly (descriptive) name of the mitigation operation (in the event of failure). - **RegistryCount** The number of registry operations in the mitigation entry. @@ -6444,6 +6627,7 @@ The following fields are available: - **callerApplication** The name of the calling application. - **capsuleCount** The number of Sediment Pack capsules. - **capsuleFailureCount** The number of capsule failures. +- **detecd1drSummary** No content is currently available. - **detectionSummary** Result of each applicable detection that was run. - **featureAssessmentImpact** WaaS Assessment impact for feature updates. - **hrEngineBlockReason** Indicates the reason for stopping WaaSMedic. @@ -6454,10 +6638,12 @@ The following fields are available: - **isInteractiveMode** The user started a run of WaaSMedic. - **isManaged** Device is managed for updates. - **isWUConnected** Device is connected to Windows Update. +- **noMoreAcd1drs** No content is currently available. - **noMoreActions** No more applicable diagnostics. - **pluginFailureCount** The number of plugins that have failed. - **pluginsCount** The number of plugins. - **qualityAssessmentImpact** WaaS Assessment impact for quality updates. +- **remediad1drSummary** No content is currently available. - **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on. - **usingBackupFeatureAssessment** Relying on backup feature assessment. - **usingBackupQualityAssessment** Relying on backup quality assessment. @@ -6643,6 +6829,7 @@ The following fields are available: - **IsBundle** Is this a bundle? - **IsInteractive** Is this initiated by the user? - **IsMandatory** Is this a mandatory installation? +- **IsRemedi-0000** No content is currently available. - **IsRemediation** Is this repairing a previous installation? - **IsRestore** Is this a restore of a previously acquired product? - **IsUpdate** Is this an update? @@ -6792,6 +6979,7 @@ This event is sent at the beginning of an app install or update to help keep Win The following fields are available: +- **__lgCV__** No content is currently available. - **CatalogId** The name of the product catalog from which this app was chosen. - **FulfillmentPluginId** The ID of the plugin needed to install the package type of the product. - **PFN** The Package Family Name of the app that is being installed or updated. @@ -6988,15 +7176,18 @@ The following fields are available: - **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. - **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. - **bytesFromLinkLocalPeers** The number of bytes received from local peers. +- **bytesFromLocadCache** No content is currently available. - **bytesFromLocalCache** Bytes copied over from local (on disk) cache. - **bytesFromPeers** The number of bytes received from a peer in the same LAN. - **bytesRequested** The total number of bytes requested for download. +- **byvesFromCacheServer** No content is currently available. - **cacheServerConnectionCount** Number of connections made to cache hosts. - **cdnConnectionCount** The total number of connections made to the CDN. - **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. - **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. - **cdnIp** The IP address of the source CDN. - **cdnUrl** Url of the source Content Distribution Network (CDN). +- **cfileSize** No content is currently available. - **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. - **doErrorCode** The Delivery Optimization error code that was returned. - **downlinkBps** The maximum measured available download bandwidth (in bytes per second). @@ -7015,11 +7206,14 @@ The following fields are available: - **isEncrypted** TRUE if the file is encrypted and will be decrypted after download. - **isVpn** Is the device connected to a Virtual Private Network? - **jobID** Identifier for the Windows Update job. +- **lanConnectionCoujt** No content is currently available. - **lanConnectionCount** The total number of connections made to peers in the same LAN. - **linkLocalConnectionCount** The number of connections made to peers in the same Link-local network. - **numPeers** The total number of peers used for this download. - **numPeersLocal** The total number of local peers used for this download. - **predefinedCallerName** The name of the API Caller. +- **restrictederRepo** No content is currently available. +- **restrictedloaded** No content is currently available. - **restrictedUpload** Is the upload restricted? - **routeToCacheServer** The cache server setting, source, and value. - **sessionID** The ID of the download session. @@ -7028,6 +7222,7 @@ The following fields are available: - **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). - **uplinkUsageBps** The upload speed (in bytes per second). - **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. +- **ytesRequested** No content is currently available. ### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused @@ -7043,6 +7238,7 @@ The following fields are available: - **fileID** The ID of the file being paused. - **isVpn** Is the device connected to a Virtual Private Network? - **jobID** Identifier for the Windows Update job. +- **pagaefinedCallerName** No content is currently available. - **predefinedCallerName** The name of the API Caller object. - **reasonCode** The reason for pausing the download. - **routeToCacheServer** The cache server setting, source, and value. @@ -7063,6 +7259,7 @@ The following fields are available: - **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). - **diceRoll** Random number used for determining if a client will use peering. - **doClientVersion** The version of the Delivery Optimization client. +- **doEr2orCode** No content is currently available. - **doErrorCode** The Delivery Optimization error code that was returned. - **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). - **downloadModeReason** Reason for the download. @@ -7078,8 +7275,10 @@ The following fields are available: - **isVpn** Indicates whether the device is connected to a Virtual Private Network. - **jobID** The ID of the Windows Update job. - **peerID** The ID for this delivery optimization client. +- **pgerID** No content is currently available. - **predefinedCallerName** Name of the API caller. - **routeToCacheServer** Cache server setting, source, and value. +- **sessionId** No content is currently available. - **sessionID** The ID for the file download session. - **setConbigs** No content is currently available. - **setConfigs** A JSON representation of the configurations that have been set, and their sources. @@ -7701,6 +7900,7 @@ The following fields are available: - **minutesOverScanSla** Indicates how many minutes the scan exceeded the scan SLA. - **minutesOverScanTriggerSla** Indicates how many minutes the scan exceeded the scan trigger SLA. - **scanTriggerSource** Indicates what caused the scan. +- **scanTriggerSouRce** No content is currently available. - **updateScenarioType** The update session type. - **wuDeviceid** Unique device ID used by Windows Update. From 419edba10b52a37d6f534609782ae5de35cea607 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Thu, 11 Apr 2019 10:03:34 -0700 Subject: [PATCH 146/492] source paths --- .openpublishing.redirection.json | 172 ++++++++++++++++++++++++++----- 1 file changed, 146 insertions(+), 26 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 7b46d8e423..1e2d95073b 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1216,8 +1216,13 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/manage-alerts", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md", "redirect_document_id": true }, { @@ -1231,38 +1236,68 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/onboard-configure", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/portal-overview", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/powershell-example-code", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/preferences-setup", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/prerelease.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/prerelease", "redirect_document_id": true }, { -"source_path": "windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection", +"source_path": "windows/security/threat-protection/windows-defender-atp/prerelease.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/prerelease", "redirect_document_id": true }, { @@ -1271,38 +1306,78 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/preview", +"redirect_document_id": true +}, +{ +"source_path": "windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/preview-settings", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/python-example-code", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/response-actions", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { -"source_path": "windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection", +"source_path": "windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/run-detection-test", "redirect_document_id": true }, { @@ -1311,8 +1386,8 @@ "redirect_document_id": true }, { -"source_path": "windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection", +"source_path": "windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/service-status", "redirect_document_id": true }, { @@ -1321,28 +1396,18 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { -"source_path": "windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection", -"redirect_document_id": true -}, -{ -"source_path": "windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection", -"redirect_document_id": true -}, -{ -"source_path": "windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection", -"redirect_document_id": true -}, -{ -"source_path": "windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection", +"source_path": "windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts", "redirect_document_id": true }, { @@ -1351,8 +1416,48 @@ "redirect_document_id": true }, { -"source_path": "windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection", +"source_path": "windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot", +"redirect_document_id": true +}, +{ +"source_path": "windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-custom-ti", +"redirect_document_id": true +}, +{ +"source_path": "windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding", +"redirect_document_id": true +}, +{ +"source_path": "windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages", +"redirect_document_id": true +}, +{ +"source_path": "windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem", "redirect_document_id": true }, { @@ -1361,6 +1466,21 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/use", +"redirect_document_id": true +}, +{ +"source_path": "windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/use-custom-ti", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection", "redirect_document_id": true From f8c21a798f4377016fd44696b30bc8f5a289fd44 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Thu, 11 Apr 2019 10:52:44 -0700 Subject: [PATCH 147/492] redirects --- .openpublishing.redirection.json | 170 +++++++++++++++++++++++-------- 1 file changed, 125 insertions(+), 45 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 1e2d95073b..7cad091704 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -871,6 +871,11 @@ "redirect_document_id": true }, { +"source_path": "windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection", "redirect_document_id": true @@ -881,6 +886,21 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection", "redirect_document_id": true @@ -901,6 +921,11 @@ "redirect_document_id": true }, { +"source_path": "windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection", "redirect_document_id": true @@ -911,6 +936,21 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/attack-simulations", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/automated-investigations", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/basic-permissions", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection", "redirect_document_id": true @@ -931,6 +971,11 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/conditional-access", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection", "redirect_document_id": true @@ -941,6 +986,11 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection", "redirect_document_id": true @@ -951,6 +1001,21 @@ "redirect_document_id": true }, { +"source_path": "windows/keep-secure/additional-configuration-windows-advanced-threat-protection.md", +"redirect_url": "/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/monitor-onboarding-windows-advanced-threat-protection.md", +"redirect_url": "/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection", +"redirect_document_id": false +}, +{ +"source_path": "windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection", "redirect_document_id": true @@ -1021,6 +1086,11 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection", "redirect_document_id": true @@ -1071,6 +1141,16 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/data-retention-settings", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection", "redirect_document_id": true @@ -1101,6 +1181,26 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/enable-secure-score", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection", "redirect_document_id": true @@ -1141,6 +1241,26 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/get-cvekbmap-collection", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/get-kbinfo-collection", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection", "redirect_document_id": true @@ -1486,6 +1606,11 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md", "redirect_url": "/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard", "redirect_document_id": true @@ -5491,11 +5616,6 @@ "redirect_document_id": true }, { -"source_path": "windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection", -"redirect_document_id": true -}, -{ "source_path": "windows/manage/cortana-at-work-scenario-7.md", "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-scenario-7", "redirect_document_id": true @@ -6006,11 +6126,6 @@ "redirect_document_id": true }, { -"source_path": "windows/keep-secure/additional-configuration-windows-advanced-threat-protection.md", -"redirect_url": "/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection", -"redirect_document_id": true -}, -{ "source_path": "windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md", "redirect_url": "https://technet.microsoft.com/library/jj635854.aspx", "redirect_document_id": true @@ -6061,11 +6176,6 @@ "redirect_document_id": false }, { -"source_path": "windows/keep-secure/monitor-onboarding-windows-advanced-threat-protection.md", -"redirect_url": "/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection", -"redirect_document_id": false -}, -{ "source_path": "windows/keep-secure/passport-event-300.md", "redirect_url": "/windows/access-protection/hello-for-business/hello-event-300", "redirect_document_id": true @@ -8046,11 +8156,6 @@ "redirect_document_id": true }, { -"source_path": "windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection", -"redirect_document_id": true -}, -{ "source_path": "windows/keep-secure/advanced-security-audit-policy-settings.md", "redirect_url": "/windows/device-security/auditing/advanced-security-audit-policy-settings", "redirect_document_id": true @@ -8151,11 +8256,6 @@ "redirect_document_id": true }, { -"source_path": "windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection", -"redirect_document_id": true -}, -{ "source_path": "windows/keep-secure/assign-security-group-filters-to-the-gpo.md", "redirect_url": "/windows/access-protection/windows-firewall/assign-security-group-filters-to-the-gpo", "redirect_document_id": true @@ -8816,11 +8916,6 @@ "redirect_document_id": true }, { -"source_path": "windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection", -"redirect_document_id": true -}, -{ "source_path": "windows/keep-secure/configure-exceptions-for-an-applocker-rule.md", "redirect_url": "/windows/device-security/applocker/configure-exceptions-for-an-applocker-rule", "redirect_document_id": true @@ -9456,11 +9551,6 @@ "redirect_document_id": true }, { -"source_path": "windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection", -"redirect_document_id": true -}, -{ "source_path": "windows/keep-secure/enable-the-dll-rule-collection.md", "redirect_url": "/windows/device-security/applocker/enable-the-dll-rule-collection", "redirect_document_id": true @@ -13896,16 +13986,6 @@ "redirect_document_id": true }, { -"source_path": "windows/security/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection", -"redirect_document_id": true -}, -{ -"source_path": "windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection", -"redirect_document_id": true -}, -{ "source_path": "windows/security/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection", "redirect_document_id": true From 2b80aa42e36d19e3d6571d097d9121d93f0484ad Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Thu, 11 Apr 2019 14:22:50 -0700 Subject: [PATCH 148/492] redirects --- .openpublishing.redirection.json | 145 +++++++++++++++++++++++++++---- 1 file changed, 130 insertions(+), 15 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 7cad091704..0871ecbeb5 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1291,6 +1291,11 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection", "redirect_document_id": true @@ -1331,6 +1336,16 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/machine-groups", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/machine-reports", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection", "redirect_document_id": true @@ -1341,6 +1356,11 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/machine-tags", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md", "redirect_document_id": true @@ -1351,6 +1371,41 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/manage-incidents", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection", "redirect_document_id": true @@ -1361,6 +1416,16 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/mssp-support", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/offboard-machines", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection", "redirect_document_id": true @@ -1371,6 +1436,21 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/overview-hunting", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection", "redirect_document_id": true @@ -1461,6 +1541,11 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/rbac", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection", "redirect_document_id": true @@ -1501,6 +1586,26 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection", "redirect_document_id": true @@ -1531,6 +1636,21 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/time-settings", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection", "redirect_document_id": true @@ -1601,6 +1721,11 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/user-roles", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection", "redirect_document_id": true @@ -1611,6 +1736,11 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md", "redirect_url": "/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard", "redirect_document_id": true @@ -13971,26 +14101,11 @@ "redirect_document_id": true }, { -"source_path": "windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection", -"redirect_document_id": true -}, -{ -"source_path": "windows/security/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection", -"redirect_document_id": true -}, -{ "source_path": "windows/security/threat-protection/windows-defender-atp/threat-analytics-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { -"source_path": "windows/security/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection", -"redirect_document_id": true -}, -{ "source_path": "windows/privacy/basic-level-windows-diagnostic-events-and-fields.md", "redirect_url": "/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809", "redirect_document_id": true From 9362faa749dda8b810888ccccf8a77ae5bf02b81 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Thu, 11 Apr 2019 16:22:17 -0700 Subject: [PATCH 149/492] redirects --- .openpublishing.redirection.json | 67 ++++++++++++++++++++++++++++++-- 1 file changed, 64 insertions(+), 3 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 0871ecbeb5..e287ccb9e0 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -14211,11 +14211,21 @@ "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-alerts", +"redirect_document_id": false +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id", +"redirect_document_id": false +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false @@ -14226,33 +14236,63 @@ "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info", +"redirect_document_id": false +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info", +"redirect_document_id": false +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info", +"redirect_document_id": false +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info", +"redirect_document_id": false +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts", +"redirect_document_id": false +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false }, { -"source_path": "windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", +"source_path": "windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines", +"redirect_document_id": false +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics", "redirect_document_id": false }, { @@ -14261,6 +14301,11 @@ "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org", +"redirect_document_id": false +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false @@ -14269,7 +14314,13 @@ "source_path": "windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false -},{ +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-file-information", +"redirect_document_id": false +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false @@ -14320,11 +14371,21 @@ "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip", +"redirect_document_id": false +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false From 4577041a35c33988074ad3fcc499af040c685b13 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Fri, 12 Apr 2019 11:38:52 -0700 Subject: [PATCH 150/492] redirects --- .openpublishing.redirection.json | 117 ++++++++++++++++++++++++++++--- 1 file changed, 106 insertions(+), 11 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index e287ccb9e0..8d85371c03 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -14223,7 +14223,7 @@ { "source_path": "windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md", "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id", -"redirect_document_id": false +"redirect_document_id": true }, { "source_path": "windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md", @@ -14238,7 +14238,7 @@ { "source_path": "windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md", "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info", -"redirect_document_id": false +"redirect_document_id": true }, { "source_path": "windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md", @@ -14248,7 +14248,7 @@ { "source_path": "windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md", "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info", -"redirect_document_id": false +"redirect_document_id": true }, { "source_path": "windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md", @@ -14258,7 +14258,7 @@ { "source_path": "windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md", "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info", -"redirect_document_id": false +"redirect_document_id": true }, { "source_path": "windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md", @@ -14268,7 +14268,7 @@ { "source_path": "windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md", "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info", -"redirect_document_id": false +"redirect_document_id": true }, { "source_path": "windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md", @@ -14278,7 +14278,7 @@ { "source_path": "windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md", "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts", -"redirect_document_id": false +"redirect_document_id": true }, { "source_path": "windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md", @@ -14288,12 +14288,12 @@ { "source_path": "windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md", "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines", -"redirect_document_id": false +"redirect_document_id": true }, { "source_path": "windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md", "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics", -"redirect_document_id": false +"redirect_document_id": true }, { "source_path": "windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md", @@ -14303,7 +14303,7 @@ { "source_path": "windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md", "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org", -"redirect_document_id": false +"redirect_document_id": true }, { "source_path": "windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md", @@ -14318,7 +14318,7 @@ { "source_path": "windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md", "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-file-information", -"redirect_document_id": false +"redirect_document_id": true }, { "source_path": "windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md", @@ -14326,16 +14326,31 @@ "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false @@ -14351,16 +14366,31 @@ "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false @@ -14383,7 +14413,7 @@ { "source_path": "windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md", "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip", -"redirect_document_id": false +"redirect_document_id": true }, { "source_path": "windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md", @@ -14391,26 +14421,51 @@ "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-filemachineaction-object", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-filemachineactions-collection", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false @@ -14426,11 +14481,21 @@ "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-machines", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false @@ -14471,21 +14536,51 @@ "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-user-information", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/initiate-autoir-investigation-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false From 843b9988a4ec0b69aeecb5579772ef240bfe1e14 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Fri, 12 Apr 2019 12:07:14 -0700 Subject: [PATCH 151/492] redirects --- .openpublishing.redirection.json | 100 +++++++++++++++++++++++++++++++ 1 file changed, 100 insertions(+) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 8d85371c03..79df2e526c 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -14396,6 +14396,11 @@ "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false @@ -14496,21 +14501,41 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/machine", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/isolate-machine", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false @@ -14521,16 +14546,31 @@ "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/run-av-scan", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/stop-quarantine-file", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-apis", "redirect_document_id": false @@ -14590,5 +14630,65 @@ "redirect_url": "/windows/security/threat-protection/windows-defender-atp/threat-analytics", "redirect_document_id": true }, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/alerts", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/files", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/machineaction", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/ti-indicator", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/update-alert", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-atp/user-alert-windows-defender-advanced-threat-protection-new.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/user", +"redirect_document_id": true +} ] } From 46d34c80780e5d09db9ab693efb2137935b8ab29 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 15 Apr 2019 08:39:56 -0700 Subject: [PATCH 152/492] new build 4/15/2019 8:39 AM --- .../basic-level-windows-diagnostic-events-and-fields-1903.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 7cc546dd61..a32ec507e3 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/11/2019 +ms.date: 04/15/2019 --- @@ -2388,6 +2388,7 @@ This event sends data about boot IDs for which a normal clean shutdown was not o The following fields are available: - **AbnormalShutdownBootId** BootId of the abnormal shutdown being reported by this event. +- **AbsCausedbyAutoChk** No content is currently available. - **AcDcStateAtLastShutdown** Identifies if the device was on battery or plugged in. - **BatteryLevelAtLastShutdown** The last recorded battery level. - **BatteryPercentageAtLastShutdown** The battery percentage at the last shutdown. @@ -2402,6 +2403,7 @@ The following fields are available: - **FirmwareType** ID of the FirmwareType as enumerated in DimFirmwareType. - **HardwareWatchdogTimerGeneratedLastReset** Indicates whether the hardware watchdog timer caused the last reset. - **HardwareWatchdogTimerPresent** Indicates whether hardware watchdog timer was present or not. +- **InvalidBootStat** No content is currently available. - **LastBugCheckBootId** bootId of the last captured crash. - **LastBugCheckCode** Code that indicates the type of error. - **LastBugCheckContextFlags** Additional crash dump settings. From 064240b87cbf2d34a0ca9add89caacc8a5d5d2fa Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 15 Apr 2019 08:40:04 -0700 Subject: [PATCH 153/492] new build 4/15/2019 8:39 AM --- ...ndows-diagnostic-events-and-fields-1703.md | 26 +- ...ndows-diagnostic-events-and-fields-1709.md | 38 ++- ...ndows-diagnostic-events-and-fields-1803.md | 26 +- ...ndows-diagnostic-events-and-fields-1809.md | 313 +++++------------- 4 files changed, 142 insertions(+), 261 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index bf54d09ae5..a9d6322d66 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/11/2019 +ms.date: 04/15/2019 --- @@ -2958,24 +2958,24 @@ The following fields are available: ### Microsoft.Windows.Shell.PrivacyNotifierLogging.PrivacyNotifierCompleted -No content is currently available. +This event returns data to report the efficacy of a single-use tool to inform users impacted by a known issue and to take corrective action to address the issue. The following fields are available: -- **cleanupTask** No content is currently available. -- **cleanupTaskResult** No content is currently available. -- **deviceEvaluated** No content is currently available. -- **deviceImpacted** No content is currently available. -- **modalAction** No content is currently available. -- **modalResult** No content is currently available. -- **resetSettingsResult** No content is currently available. +- **cleanupTask** Indicates whether the task that launched the dialog should be cleaned up. +- **cleanupTaskResult** The return code of the attempt to clean up the task used to show the dialog. +- **deviceEvaluated** Indicates whether the device was eligible for evaluation of a known issue. +- **deviceImpacted** Indicates whether the device was impacted by a known issue. +- **modalAction** The action the user took on the dialog that was presented to them. +- **modalResult** The return code of the attempt to show a dialog to the user explaining the issue. +- **resetSettingsResult** The return code of the action to correct the known issue. ## Remediation events ### Microsoft.Windows.Remediation.Applicable -This event indicates whether a remediation plug-in is applicable, to help keep Windows up to date. A remediation plug-in addresses issues on the system that prevent the device from receiving security and quality updates. +deny The following fields are available: @@ -3059,7 +3059,7 @@ The following fields are available: ### Microsoft.Windows.Remediation.Completed -This event is sent when a remediation plug-in has completed, to help keep Windows up to date. A remediation plug-in addresses issues on the system that prevent the device from receiving security and quality updates. +This event is sent when Windows Update Sediment Remediations have completed on a device to keep Windows up to date. The remediations address issues on the system that prevent sediment devices from receiving OS updates. “Sediment” refers to devices that have been on a previous OS version for an extended period. The following fields are available: @@ -3264,13 +3264,13 @@ The following fields are available: ### Microsoft.Windows.Remediation.Started -This event reports whether a plug-in started, to help ensure Windows is up to date. +deny The following fields are available: - **CV** Correlation vector. - **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **PackageVersion** Current package version of Remediation. +- **PackageVersion** The version of the current remediation package. - **PluginName** Name of the plugin specified for each generic plugin event. - **Result** This is the HRESULT for detection or perform action phases of the plugin. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index e82222b6ab..8c42efe77e 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/11/2019 +ms.date: 04/15/2019 --- @@ -3146,24 +3146,24 @@ The following fields are available: ### Microsoft.Windows.Shell.PrivacyNotifierLogging.PrivacyNotifierCompleted -No content is currently available. +This event returns data to report the efficacy of a single-use tool to inform users impacted by a known issue and to take corrective action to address the issue. The following fields are available: -- **cleanupTask** No content is currently available. -- **cleanupTaskResult** No content is currently available. -- **deviceEvaluated** No content is currently available. -- **deviceImpacted** No content is currently available. -- **modalAction** No content is currently available. -- **modalResult** No content is currently available. -- **resetSettingsResult** No content is currently available. +- **cleanupTask** Indicates whether the task that launched the dialog should be cleaned up. +- **cleanupTaskResult** The return code of the attempt to clean up the task used to show the dialog. +- **deviceEvaluated** Indicates whether the device was eligible for evaluation of a known issue. +- **deviceImpacted** Indicates whether the device was impacted by a known issue. +- **modalAction** The action the user took on the dialog that was presented to them. +- **modalResult** The return code of the attempt to show a dialog to the user explaining the issue. +- **resetSettingsResult** The return code of the action to correct the known issue. ## Remediation events ### Microsoft.Windows.Remediation.Applicable -This event indicates whether a remediation plug-in is applicable, to help keep Windows up to date. A remediation plug-in addresses issues on the system that prevent the device from receiving security and quality updates. +deny The following fields are available: @@ -3266,7 +3266,7 @@ The following fields are available: ### Microsoft.Windows.Remediation.Completed -This event is sent when a remediation plug-in has completed, to help keep Windows up to date. A remediation plug-in addresses issues on the system that prevent the device from receiving security and quality updates. +This event is sent when Windows Update Sediment Remediations have completed on a device to keep Windows up to date. The remediations address issues on the system that prevent sediment devices from receiving OS updates. “Sediment” refers to devices that have been on a previous OS version for an extended period. The following fields are available: @@ -3399,13 +3399,13 @@ The following fields are available: ### Microsoft.Windows.Remediation.Started -This event reports whether a plug-in started, to help ensure Windows is up to date. +This event is sent when Windows Update Sediment Remediations have started on a device to keep Windows up to date. The remediations address issues on the system that prevent sediment devices from receiving OS updates. “Sediment” refers to devices that have been on a previous OS version for an extended period. The following fields are available: - **CV** Correlation vector. - **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **PackageVersion** Current package version of Remediation. +- **PackageVersion** The version of the current remediation package. - **PluginName** Name of the plugin specified for each generic plugin event. - **Result** This is the HRESULT for detection or perform action phases of the plugin. @@ -6566,6 +6566,12 @@ The following fields are available: ## Windows Update Reserve Manager events +### Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment + +This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending. + + + ### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager This event returns data about the Update Reserve Manager, including whether it’s been initialized. @@ -6578,6 +6584,12 @@ This event is sent when the Update Reserve Manager removes a pending hard reserv +### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment + +This event is sent when the Update Reserve Manager needs to adjust the size of the hard reserve after the option content is installed. + + + ## Winlogon events ### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 5339268f09..38e274be19 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/11/2019 +ms.date: 04/15/2019 --- @@ -4247,24 +4247,24 @@ The following fields are available: ### Microsoft.Windows.Shell.PrivacyNotifierLogging.PrivacyNotifierCompleted -No content is currently available. +This event returns data to report the efficacy of a single-use tool to inform users impacted by a known issue and to take corrective action to address the issue. The following fields are available: -- **cleanupTask** No content is currently available. -- **cleanupTaskResult** No content is currently available. -- **deviceEvaluated** No content is currently available. -- **deviceImpacted** No content is currently available. -- **modalAction** No content is currently available. -- **modalResult** No content is currently available. -- **resetSettingsResult** No content is currently available. +- **cleanupTask** Indicates whether the task that launched the dialog should be cleaned up. +- **cleanupTaskResult** The return code of the attempt to clean up the task used to show the dialog. +- **deviceEvaluated** Indicates whether the device was eligible for evaluation of a known issue. +- **deviceImpacted** Indicates whether the device was impacted by a known issue. +- **modalAction** The action the user took on the dialog that was presented to them. +- **modalResult** The return code of the attempt to show a dialog to the user explaining the issue. +- **resetSettingsResult** The return code of the action to correct the known issue. ## Remediation events ### Microsoft.Windows.Remediation.Applicable -This event indicates whether a remediation plug-in is applicable, to help keep Windows up to date. A remediation plug-in addresses issues on the system that prevent the device from receiving security and quality updates. +deny The following fields are available: @@ -4368,7 +4368,7 @@ The following fields are available: ### Microsoft.Windows.Remediation.Completed -This event is sent when a remediation plug-in has completed, to help keep Windows up to date. A remediation plug-in addresses issues on the system that prevent the device from receiving security and quality updates. +This event is sent when Windows Update Sediment Remediations have completed on a device to keep Windows up to date. The remediations address issues on the system that prevent sediment devices from receiving OS updates. “Sediment” refers to devices that have been on a previous OS version for an extended period. The following fields are available: @@ -4505,13 +4505,13 @@ The following fields are available: ### Microsoft.Windows.Remediation.Started -This event reports whether a plug-in started, to help ensure Windows is up to date. +This event is sent when Windows Update Sediment Remediations have started on a device to keep Windows up to date. The remediations address issues on the system that prevent sediment devices from receiving OS updates. “Sediment” refers to devices that have been on a previous OS version for an extended period. The following fields are available: - **CV** Correlation vector. - **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **PackageVersion** Current package version of Remediation. +- **PackageVersion** The version of the current remediation package. - **PluginName** Name of the plugin specified for each generic plugin event. - **Result** This is the HRESULT for detection or perform action phases of the plugin. - **RunCount** The number of times the remediation event started (whether it completed successfully or not). diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 9c1f8ed87b..f359c36a0c 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/11/2019 +ms.date: 04/15/2019 --- @@ -550,12 +550,10 @@ The following fields are available: - **AppraiserVersion** The version of the appraiser file that is generating the events. - **AvDisplayName** If the app is an anti-virus app, this is its display name. -- **CompateClasIndex** No content is currently available. - **CompatModelIndex** The compatibility prediction for this file. - **HasCitData** Indicates whether the file is present in CIT data. - **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file. - **IsAv** Is the file an anti-virus reporting EXE? -- **ResolveAd85mpted** No content is currently available. - **ResolveAttempted** This will always be an empty string when sending telemetry. - **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. @@ -591,7 +589,6 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: - **ActiveNetworkConnection** Indicates whether the device is an active network device. -- **ActiveNetworkCoompction** No content is currently available. - **AppraiserVersion** The version of the appraiser file generating the events. - **CosDeviceRating** An enumeration that indicates if there is a driver on the target operating system. - **CosDeviceSolution** An enumeration that indicates how a driver on the target operating system is available. @@ -2008,7 +2005,6 @@ The following fields are available: - **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. - **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. - **ServiceProductKeyID** Retrieves the License key of the KMS -- **SharedpCMode** No content is currently available. - **SharedPCMode** Returns Boolean for education devices used as shared cart - **Signature** Retrieves if it is a signature machine sold by Microsoft store. - **SLICStatus** Whether a SLIC table exists on the device. @@ -2053,7 +2049,6 @@ The following fields are available: - **Sms** Current state of the text messaging setting. - **SpeechPersonalization** Current state of the speech services setting. - **USB** Current state of the USB setting. -- **UserAccotntInformation** No content is currently available. - **UserAccountInformation** Current state of the account information setting. - **UserDataTasks** Current state of the tasks setting. - **UserNotificationListener** Current state of the notifications setting. @@ -2461,10 +2456,8 @@ Describes the installation state for all hardware and software components availa The following fields are available: -- **** No content is currently available. - **action** The change that was invoked on a device inventory object. - **inventoryId** Device ID used for Compatibility testing -- **objectIn** No content is currently available. - **objectInstanceId** Object identity which is unique within the device scope. - **objectType** Indicates the object type that the event applies to. - **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. @@ -2514,7 +2507,6 @@ This event provides information about the results of installing or uninstalling The following fields are available: -- **`ighestState** No content is currently available. - **capabilities** The names of the optional content packages that were installed. - **clientId** The name of the application requesting the optional content. - **currentID** The ID of the current install session. @@ -2733,7 +2725,6 @@ The following fields are available: - **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. - **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. - **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. -- **CanPerformDyagnosticEscalations** No content is currently available. - **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. - **CanReportScenarios** True if we can report scenario completions, false otherwise. - **PreviousPermissions** Bitmask of previous telemetry state. @@ -2746,9 +2737,7 @@ This event sends data about the connectivity status of the Connected User Experi The following fields are available: -- **CensõsTaskEnabled** No content is currently available. - **CensusExitCode** Returns last execution codes from census client run. -- **CensusExitCodeoaderCensusStartTime** No content is currently available. - **CensusStartTime** Returns timestamp corresponding to last successful census run. - **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. - **LastConnectivityLossTime** Retrieves the last time the device lost free network. @@ -2763,18 +2752,13 @@ This event sends data about the health and quality of the diagnostic data from t The following fields are available: -- **ꭤ↑롥戅ꔠ촉꤆䳨㢳桜ꀽ㴂颭ྞ䚿ꆁ억ﱎ콧ꓘ먗** No content is currently available. -- **AgentConneCouonErrorsCount** No content is currently available. - **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel. -- **CensõsTaskEnabled** No content is currently available. - **CensusExitCode** The last exit code of the Census task. - **CensusStartTime** Time of last Census run. - **CensusTaskEnabled** True if Census is enabled, false otherwise. - **CompressedBytesUploaded** Number of compressed bytes uploaded. -- **ConsumerDrop0edCount** No content is currently available. - **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. - **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. -- **CriticalDatasbDroppedCount** No content is currently available. - **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling. - **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB. - **DbCriticalDroppedCount** Total number of dropped critical events in event DB. @@ -2783,7 +2767,6 @@ The following fields are available: - **DbDroppedFullCount** Number of events dropped due to DB fullness. - **DecodingDroppedCount** Number of events dropped due to decoding failures. - **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. -- **EnteringCriticalOverflowDrOppedCounter** No content is currently available. - **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. - **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. - **EventsPersistedCount** Number of events that reached the PersistEvent stage. @@ -2797,55 +2780,26 @@ The following fields are available: - **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. - **HeartBeatSequenceNumber** The sequence number of this heartbeat. - **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. -- **LastAgentConneCouonError** No content is currently available. - **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. - **LastEventSizeOffender** Event name of last event which exceeded max event size. - **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. -- **MaxACouveAgentConneCouonCount** No content is currently available. - **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. - **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. -- **ᴗ㜛ﭮ紀⁻嬝藱唬穉聮쁪カ鳄髈** No content is currently available. - **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). - **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. -- **RepeatedUploadFailur$Dropped** No content is currently available. - **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. -- **RepeatedUpѬoadFailureDropped** No content is currently available. -- **sbCriticalDroppedCount** No content is currently available. -- **sbDroppedCount** No content is currently available. -- **sbDroppedFailureCount** No content is currently available. -- **sbDroppedFullCount** No content is currently available. - **SettingsHttpAttempts** Number of attempts to contact OneSettings service. - **SettingsHttpFailures** The number of failures from contacting the OneSettings service. -- **sorBdingDroppedCount** No content is currently available. - **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. -- **ThrottlgdDroppedCount** No content is currently available. - **TopUploaderErrors** List of top errors received from the upload endpoint. -- **TopUploaeerErrors** No content is currently available. - **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. - **UploaderErrorCount** Number of errors received from the upload endpoint. -- **ǔ໦岋ࣉ䫕꧓ꏖ훭늓겲均効座⺽ඕ��嘩璽춒** No content is currently available. - **VortexFailuresTimeout** The number of timeout failures received from Vortex. - **VortexHttpAttempts** Number of attempts to contact Vortex. - **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. - **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. - **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. - **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. -- **ჯ⌷脻㍛䮥肑鍼Ⅵ䄪ꬃ鳃抍⓯钑볨䨎ᖪ먩諢涇͙켦榩偊撏嫄艸** No content is currently available. -- **반쐍⾋ꯈ��玱䁕��龓ⴶ샴賷헖쉺分╅㾚흦დ** No content is currently available. -- **빛䨮哆茠뢶☲偍矉繡귴틐⤺॓酠ꐜ⇫ꈚᑋ勰叙湧ㆧ噟ܝ㸇朤ಳ** No content is currently available. -- **쩤খ䠸퇫秂窇벘货齳��ꕢ顦ᜃⲎ耡��옥䦏��淨㖘⃵┵ᘵ鳝톈如癶첛ᲃ絍** No content is currently available. -- **퓙쏴撑⋇뭟혦꩑戙厀뎓燼㼿渺** No content is currently available. -- **훾電쇔䕅碎霶퍕◲⫒븩ὴ앏艐堗详鲝‶ᜧ** No content is currently available. -- **军伽礋圿萦꒎㲮꿨휒慢䷳橱瘒糜劷墹鎗ꭖ潨ᓔ** No content is currently available. -- **唹켴亰铳ᮍ㭨狣N洹滓ꦲ횴䝃怭픱烰彧魋阭刏⅄ꙹ꯬襖** No content is currently available. -- **櫠䰩遗ᆖᑒ��噊썻ࣆ鮷��㑡Ḯ偬ƚ㣸☂灚Ἇ汆磚䐯槴** No content is currently available. -- **蔇İᏘ࢔谼��ﰊ庸涝芦ᅳ蔭隷嵨̐ꊰ** No content is currently available. -- **裎墴_郐堩��ᴰ뵾핝㳊愨鳘鯡廭顩圧由꽆餢俗䡄ﳻ捳褮ꨞ㵙钫욯홏Ը໤ꖠ䬞悺俽** No content is currently available. -- **趬ᛉ뛀䲮憎** No content is currently available. -- **铽ჟᔛ}䘅��讀랃帷덉侙쩠뙆档玳꼱** No content is currently available. -- **㝫��粆疺⃩��렩榽ႚൾ滑햓ꎢ** No content is currently available. -- **㮆퍈栵ᥳⷣ뤏䳬HttpAttempts** No content is currently available. -- **䱪��໿��雔僽땧觪⊝쵥虚䧁嶟轶** No content is currently available. ### TelClientSynthetic.HeartBeat_Aria_5 @@ -2862,7 +2816,6 @@ The following fields are available: - **DbDroppedFailureCount** Number of events dropped due to database failures. - **DbDroppedFullCount** Number of events dropped due to database being full. - **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. -- **EnteringCriticalOverflowDrOppedCounter** No content is currently available. - **EventsPersistedCount** Number of events that reached the PersistEvent stage. - **EventStoreLifetimeResetCounter** Number of times the event store has been reset. - **EventStoreResetCounter** Number of times the event store has been reset during this heartbeat. @@ -2870,18 +2823,14 @@ The following fields are available: - **EventsUploaded** Number of events uploaded. - **HeartBeatSequenceNumber** The sequence number of this heartbeat. - **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. -- **InvalidHttpCsdeCount** No content is currently available. - **LastEventSizeOffender** Event name of last event which exceeded max event size. - **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. -- **LastInvalidHttpCsde** No content is currently available. - **PreviousHeartBeatTime** The FILETIME of the previous heartbeat fire. - **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. -- **RepeatedUploadFailur$Dropped** No content is currently available. - **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. - **SettingsHttpAttempts** Number of attempts to contact OneSettings service. - **SettingsHttpFailures** Number of failures from contacting OneSettings service. - **TopUploaderErrors** List of top errors received from the upload endpoint. -- **TopUploaeerErrors** No content is currently available. - **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. - **UploaderErrorCount** Number of errors received from the upload endpoint. - **VortexFailuresTimeout** Number of time out failures received from Vortex. @@ -3456,43 +3405,30 @@ The following fields are available: - **AdapterTypeValue** The numeric value indicating the type of Graphics adapter. - **aiSeqId** The event sequence ID. - **bootId** The system boot ID. -- **BraghtnessVersionViaDDI** No content is currently available. - **BrightnessVersionViaDDI** The version of the Display Brightness Interface. -- **BrightnessVersionVyaDDI** No content is currently available. - **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. -- **DedDcatedSystemMemoryB** No content is currently available. -- **DedDcatedVideoMemoryB** No content is currently available. - **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). - **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). - **DisplayAdapterLuid** The display adapter LUID. -- **DisplayAdapTerLuid** No content is currently available. - **DriverDate** The date of the display driver. - **DriverRank** The rank of the display driver. - **DriverVersion** The display driver version. - **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store. -- **DX11EMDFilePath** No content is currently available. - **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store. - **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store. - **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store. -- **FX9UMDFilePath** No content is currently available. -- **GPQPreemptionLevel** No content is currently available. - **GPUDeviceID** The GPU device ID. - **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. - **GPURevisionID** The GPU revision ID. - **GPUVendorID** The GPU vendor ID. -- **I3SoftwareDevice** No content is currently available. - **InterfaceId** The GPU interface ID. -- **InturfaceId** No content is currently available. -- **Is@ybridDiscrete** No content is currently available. - **IsDisplayDevice** Does the GPU have displaying capabilities? - **IsHwSchSupported** Indicates whether the adapter supports hardware scheduling. - **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? - **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? -- **IsHyrridDiscrete** No content is currently available. - **IsLDA** Is the GPU comprised of Linked Display Adapters? - **IsMiracastSupported** Does the GPU support Miracast? - **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor? -- **IsMismaTchLDA** No content is currently available. - **IsMPOSupported** Does the GPU support Multi-Plane Overlays? - **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution? - **IsPostAdapter** Is this GPU the POST GPU in the device? @@ -3507,17 +3443,10 @@ The following fields are available: - **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes). - **SubSystemID** The subsystem ID. - **SubVendorID** The GPU sub vendor ID. -- **Tele}etryEnabled** No content is currently available. - **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? -- **TelInv2YntTrigger** No content is currently available. - **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) -- **TX10UMDFilePath** No content is currently available. - **version** The event version. - **WDDMVersion** The Windows Display Driver Model version. -- **WPUPreemptionLevel** No content is currently available. -- **YsDisplayDevice** No content is currently available. -- **YsLDA** No content is currently available. -- **YsRenderDevice** No content is currently available. ## Failover Clustering events @@ -3603,42 +3532,24 @@ This event sends data about crashes for both native and managed applications, to The following fields are available: -- **.xceptionCode** No content is currently available. -- **.xceptionOffset** No content is currently available. -- **ags** No content is currently available. - **AppName** The name of the app that has crashed. - **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. - **AppTimeStamp** The date/time stamp of the app. - **AppVersion** The version of the app that has crashed. -- **argetAsId** No content is currently available. -- **argetAsppId** No content is currently available. -- **argetAsppVer** No content is currently available. -- **d** No content is currently available. - **ExceptionCode** The exception code returned by the process that has crashed. - **ExceptionOffset** The address where the exception had occurred. - **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. - **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. - **IsFatal** True/False to indicate whether the crash resulted in process termination. -- **Modame** No content is currently available. - **ModName** Exception module name (e.g. bar.dll). - **ModTimeStamp** The date/time stamp of the module. - **ModVersion** The version of the module that has crashed. -- **nCode** No content is currently available. -- **Pack9OeFullName** No content is currently available. -- **Pack9OeRelativeAppId** No content is currently available. -- **PackageFullame** No content is currently available. -- **PackageFullFame** No content is currently available. - **PackageFullName** Store application identity. - **PackageRelativeAppId** Store application identity. -- **ProcessArchite2kure** No content is currently available. - **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. - **ProcessCreateTime** The time of creation of the process that has crashed. - **ProcessId** The ID of the process that has crashed. -- **pSessionGuid** No content is currently available. - **ReportId** A GUID used to identify the report. This can used to track the report across Watson. -- **RepoztId** No content is currently available. -- **TargetAId** No content is currently available. -- **TargetAppI4StartTime** No content is currently available. - **TargetAppId** The kernel reported AppId of the application being reported. - **TargetAppVer** The specific version of the application being reported - **TargetAsId** The sequence number for the hanging process. @@ -3764,19 +3675,15 @@ The following fields are available: - **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 - **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. - **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array. -- **InstallDatgArpLastModified** No content is currently available. - **InventoryVersion** The version of the inventory file generating the events. - **Language** The language code of the program. - **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. -- **MsiPackageColm** No content is currently available. - **MsiProductCode** A GUID that describe the MSI Product. - **Name** The name of the application. - **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. -- **OSVersionAtInstallTioe** No content is currently available. - **PackageFullName** The package full name for a Store application. - **ProgramInstanceId** A hash of the file IDs in an app. - **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field. -- **RackageFullName** No content is currently available. - **RootDirPath** The path to the root directory where the program was installed. - **Source** How the program was installed (for example, ARP, MSI, Appx). - **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp. @@ -3874,7 +3781,6 @@ The following fields are available: - **ModelId** A unique model ID. - **ModelName** The model name. - **ModelNumber** The model number for the device container. -- **primaryCategory** No content is currently available. - **PrimaryCategory** The primary category for the device container. @@ -4031,9 +3937,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: -- **inventoryId** No content is currently available. - **InventoryVersion** The version of the inventory file generating the events. -- **syncId** No content is currently available. ### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync @@ -4092,11 +3996,9 @@ The following fields are available: - **ImageSize** The size of the driver file. - **Inf** The name of the INF file. - **InventoryVersion** The version of the inventory file generating the events. -- **LriverName** No content is currently available. - **Product** The product name that is included in the driver file. - **ProductVersion** The product version that is included in the driver file. - **Service** The name of the service that is installed for the device. -- **TriverSigned** No content is currently available. - **WdfVersion** The Windows Driver Framework version. @@ -4170,8 +4072,7 @@ This event collects traces of all other Core events, not used in typical custome The following fields are available: -- **key** No content is currently available. -- **UniqueKey** No content is currently available. +- **key** The globally unique identifier (GUID) used to identify the specific Json Trace logging session. ### Microsoft.Windows.Inventory.Core.StopUtcJsonTrace @@ -4180,7 +4081,7 @@ This event collects traces of all other Core events, not used in typical custome The following fields are available: -- **key** No content is currently available. +- **key** The globally unique identifier (GUID) used to identify the specific Json Trace logging session. ### Microsoft.Windows.Inventory.General.AppHealthStaticAdd @@ -4621,24 +4522,19 @@ OS information collected during Boot, used to evaluate the success of the upgrad The following fields are available: -- **BootApplicatio~Id** No content is currently available. - **BootApplicationId** This field tells us what the OS Loader Application Identifier is. - **BootAttemptCount** The number of consecutive times the boot manager has attempted to boot into this operating system. - **BootSequence** The current Boot ID, used to correlate events related to a particular boot session. -- **BootSequenft** No content is currently available. - **BootStatusPolicy** Identifies the applicable Boot Status Policy. - **BootType** Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume"). - **EventTimestamp** Seconds elapsed since an arbitrary time point. This can be used to identify the time difference in successive boot attempts being made. - **FirmwareResetReasonEmbeddedController** Reason for system reset provided by firmware. -- **FirmwareresetReasonEmbeddedControllerAdditional** No content is currently available. - **FirmwareResetReasonEmbeddedControllerAdditional** Additional information on system reset reason provided by firmware if needed. - **FirmwareResetReasonPch** Reason for system reset provided by firmware. - **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed. -- **FirmwareResetReasonPchADditional** No content is currently available. - **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware. - **IO** Amount of data written to and read from the disk by the OS Loader during boot. See [IO](#io). - **LastBootSucceeded** Flag indicating whether the last boot was successful. -- **LastBootSucceedEd** No content is currently available. - **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful. - **MaxAbove4GbFreeRange** This field describes the largest memory range available above 4Gb. - **MaxBelow4GbFreeRange** This field describes the largest memory range available below 4Gb. @@ -4664,6 +4560,19 @@ The following fields are available: - **objectCount** The count of the number of objects that are being transferred. +### Microsoft.Windows.MigrationCore.MigObjectCountKFUsr + +No content is currently available. + +The following fields are available: + +- **currentSid** No content is currently available. +- **knownFolderLoc->DirName->CString** No content is currently available. +- **knownFoldersUsr[i]** No content is currently available. +- **migDiagSession->CString** No content is currently available. +- **objectCount** No content is currently available. + + ## Miracast events ### Microsoft.Windows.Cast.Miracast.MiracastSessionEnd @@ -4900,17 +4809,17 @@ The following fields are available: ### Microsoft.Windows.Remediation.Applicable -This event indicates whether a remediation plug-in is applicable, to help keep Windows up to date. A remediation plug-in addresses issues on the system that prevent the device from receiving security and quality updates. +This event indicates whether Windows Update Sediment Remediations need to be applied to a device to keep Windows up to date. The remediations address issues on the system that prevent sediment devices from receiving OS updates. “Sediment” refers to devices that have been on a previous OS version for an extended period. The following fields are available: - **AllowAutoUpdateExists** Indicates whether the Automatic Update feature is turned on. -- **AllowAutoUpdateProviderSetExists** No content is currently available. +- **AllowAutoUpdateProviderSetExists** Indicates whether the Allow Automatic Update provider exists. - **AppraiserBinariesValidResult** Indicates whether plug-in was appraised as valid. - **AppraiserRegistryValidResult** Indicates whether the registry entry checks out as valid. - **AppraiserTaskRepairDisabled** Task repair performed by the appraiser plugin is disabled. - **AppraiserTaskValid** Indicates that the appraiser task is valid. -- **AUOptionsExists** Indicates whether the Automatic Update option exist. +- **AUOptionsExists** Indicates whether automatic update options exist. - **CTACTargetingAttributesInvalid** Indicates whether the Common Targeting Attribute Client (CTAC) attributes are valid. CTAC is a Windows Runtime client library. - **CTACVersion** The Common Targeting Attribute Client (CTAT) version on the device. CTAT is a Windows Runtime client library. - **CV** Correlation vector @@ -4965,10 +4874,10 @@ The following fields are available: - **PluginName** Name of the plugin specified for each generic plugin event. - **ProductType** The product type of Windows 10. - **QualityUpdateSedimentFunnelState** Provides information about whether Windows Quality Updates are missing on the device. -- **QualityUpdateSedimentJsonSchemaVersion** No content is currently available. -- **QualityUpdateSedimentLastRunSeconds** The number of seconds since the Quality Update Sediment Pack ran. +- **QualityUpdateSedimentJsonSchemaVersion** The schema version of the Quality Update Sediment Remediation. +- **QualityUpdateSedimentLastRunSeconds** The number of seconds since the Quality Updates were run - **QualityUpdateSedimentLocalStartTime** Provides information about when Quality Updates were run. -- **QualityUpdateSedimentLocaltTime** No content is currently available. +- **QualityUpdateSedimentLocaltTime** The local time of the device running the Quality Update Sediment Remediation. - **QualityUpdateSedimentTargetedPlugins** Provides the list of remediation plug-ins that are applicable to enable Quality Updates on the device. - **QualityUpdateSedimentTargetedTriggers** Provides information about remediations that are applicable to enable Quality Updates on the device. - **RegkeysExist** Indicates whether specified registry keys exist. @@ -5033,7 +4942,7 @@ The following fields are available: - **RemediationNotifyUserFixIssuesIsUserLoggedIn** Indicates whether the remediation can take place when a non-Administrator is logged in. - **RemediationProgramDataFolderSizeInMB** The size (in megabytes) of the Program Data folder on the device. - **RemediationProgramFilesFolderSizeInMB** The size (in megabytes) of the Program Files folder on the device. -- **RemediationShellDeviceApplicabilityFailedReason** No content is currently available. +- **RemediationShellDeviceApplicabilityFailedReason** The reason the Remediation is not applicable to the device (expressed as a bitmap). - **RemediationShellDeviceEducationSku** Indicates whether a Windows 10 Education edition is detected on the device. - **RemediationShellDeviceEnterpriseSku** Indicates whether a Windows 10 Enterprise edition is detected on the device. - **RemediationShellDeviceFeatureUpdatesPaused** Indicates whether Feature Updates are paused on the device. @@ -5044,13 +4953,13 @@ The following fields are available: - **RemediationShellDeviceProSku** Indicates whether a Windows 10 Professional edition is detected. - **RemediationShellDeviceQualityUpdatesPaused** Indicates whether Quality Updates are paused on the device. - **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager). -- **RemediationShellDeviceSedimentMutexInUse** No content is currently available. +- **RemediationShellDeviceSedimentMutexInUse** Indicates whether the Sediment Pack mutual exclusion object (mutex) is in use. - **RemediationShellDeviceSetupMutexInUse** Indicates whether device setup is in progress. - **RemediationShellDeviceWuRegistryBlocked** Indicates whether the Windows Update is blocked on the device via the registry. - **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. -- **RemediationShellHasExpired** No content is currently available. -- **RemediationShellHasUpgraded** No content is currently available. -- **RemediationShellIsDeviceApplicable** No content is currently available. +- **RemediationShellHasExpired** Indicates whether the Remediation iterations have ended. +- **RemediationShellHasUpgraded** Indicates whether the device upgraded. +- **RemediationShellIsDeviceApplicable** Indicates whether the Remediation is applicable to the device. - **RemediationTargetMachine** Indicates whether the device is a target of the specified fix. - **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task. - **RemediationTaskHealthChkdskProactiveScan** True/False based on the health of the Check Disk task. @@ -5080,21 +4989,21 @@ The following fields are available: - **TimeServiceSyncDomainJoined** True if device domain joined and hence uses DC for clock. - **TimeServiceSyncType** Type of sync behavior for Date & Time service on device. - **uninstallActiveValue** Indicates whether an uninstall is in progress. -- **UpdateApplicabilityFixerTriggerBitMap** No content is currently available. -- **UpdateRebootTime** No content is currently available. -- **usoScanHoursSinceLastScan** No content is currently available. -- **usoScanPastThreshold** No content is currently available. -- **WindowsHiberFilSysSizeInMegabytes** No content is currently available. -- **WindowsInstallerFolderSizeInMegabytes** No content is currently available. -- **WindowsPageFileSysSizeInMegabytes** No content is currently available. -- **WindowsSoftwareDistributionFolderSizeInMegabytes** No content is currently available. -- **WindowsSwapFileSysSizeInMegabytes** No content is currently available. -- **WindowsSxsFolderSizeInMegabytes** No content is currently available. +- **UpdateApplicabilityFixerTriggerBitMap** A bitmap containing the reason(s) why the Update Applicability Fixer Plugin was executed. +- **UpdateRebootTime** The amount of time it took to reboot to install the updates. +- **usoScanHoursSinceLastScan** The number of hours since the last scan by the Update Service Orchestrator (USO). +- **usoScanPastThreshold** Indicates whether the Update Service Orchestrator (USO) scan is overdue. +- **WindowsHiberFilSysSizeInMegabytes** The size of the Windows Hibernation file, in megabytes. +- **WindowsInstallerFolderSizeInMegabytes** The size of the Windows Installer folder, in megabytes. +- **WindowsPageFileSysSizeInMegabytes** The size of the Windows Page file, in megabytes. +- **WindowsSoftwareDistributionFolderSizeInMegabytes** The size of the Software Distribution folder, in megabytes. +- **WindowsSwapFileSysSizeInMegabytes** The size of the Windows Swap file, in megabytes. +- **WindowsSxsFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) folder, in megabytes. ### Microsoft.Windows.Remediation.Completed -This event is sent when a remediation plug-in has completed, to help keep Windows up to date. A remediation plug-in addresses issues on the system that prevent the device from receiving security and quality updates. +This event is sent when Windows Update Sediment Remediations have completed on a device to keep Windows up to date. The remediations address issues on the system that prevent sediment devices from receiving OS updates. “Sediment” refers to devices that have been on a previous OS version for an extended period. The following fields are available: @@ -5107,9 +5016,9 @@ The following fields are available: - **DiskFreeSpaceBeforeSedimentPackInMB** The amount of free disk space (in megabytes) before executing the Sediment Pack. - **DiskMbFreeAfterCleanup** The amount of free hard disk space after cleanup, measured in Megabytes. - **DiskMbFreeBeforeCleanup** The amount of free hard disk space before cleanup, measured in Megabytes. -- **DiskSpaceCleanedByComponentCleanup** No content is currently available. -- **DiskSpaceCleanedByNGenRemoval** No content is currently available. -- **DiskSpaceCleanedByRestorePointRemoval** No content is currently available. +- **DiskSpaceCleanedByComponentCleanup** The amount of disk space (in megabytes) in the component store that was cleaned up by the plug-in. +- **DiskSpaceCleanedByNGenRemoval** The amount of diskspace (megabytes) in the Native Image Generator (NGEN) cache that was cleaned up by the plug-in. +- **DiskSpaceCleanedByRestorePointRemoval** The amount of disk space (megabytes) in restore points that was cleaned up by the plug-in. - **ForcedAppraiserTaskTriggered** TRUE if Appraiser task ran from the plug-in. - **GlobalEventCounter** Client-side counter that indicates ordering of events sent by the active user. - **HandlerCleanupFreeDiskInMegabytes** The amount of hard disk space cleaned by the storage sense handlers, measured in Megabytes. @@ -5125,57 +5034,57 @@ The following fields are available: - **PluginName** The name of the plug-in specified for each generic plug-in event. - **QualityUpdateSedimentExecutedPlugins** The number of plug-ins executed by the Windows Quality Update remediation. - **QualityUpdateSedimentFunnelState** The state of the Windows Quality Update remediation funnel for the device. -- **QualityUpdateSedimentJsonSchemaVersion** No content is currently available. +- **QualityUpdateSedimentJsonSchemaVersion** The schema version of the Quality Update Sediment Remediation. - **QualityUpdateSedimentLocalEndTime** The local time on the device when the Windows Quality Update remediation executed. -- **QualityUpdateSedimentLocaltTime** No content is currently available. +- **QualityUpdateSedimentLocaltTime** The local time of the device running the Quality Update Sediment Remediation. - **QualityUpdateSedimentMatchedTriggers** The list of triggers that were matched by the Windows Quality Update remediation. - **QualityUpdateSedimentModelExecutionSeconds** The number of seconds needed to execute the Windows Quality Update remediation. -- **recoveredFromTargetOS** No content is currently available. +- **recoveredFromTargetOS** Indicates whether the device recovered from the target operating system (OS). - **RemediationBatteryPowerBatteryLevel** Indicates the battery level at which it is acceptable to continue operation. - **RemediationBatteryPowerExitDueToLowBattery** True when we exit due to low battery power. - **RemediationBatteryPowerOnBattery** True if we allow execution on battery. -- **RemediationCbsTempDiskSpaceCleanedInMB** No content is currently available. -- **RemediationCbsTempEstimateInMB** No content is currently available. -- **RemediationComponentCleanupEstimateInMB** No content is currently available. +- **RemediationCbsTempDiskSpaceCleanedInMB** The amount of space (in megabytes) that the plug-in cleaned up in the CbsTemp folder. +- **RemediationCbsTempEstimateInMB** The amount of space (megabytes) in the CbsTemp folder that is available for cleanup by the plug-in. +- **RemediationComponentCleanupEstimateInMB** The amount of space (megabytes) in the WinSxS (Windows Side-by-Side) folder that is available for cleanup by the plug-in. - **RemediationConfigurationTroubleshooterIpconfigFix** TRUE if IPConfig Fix completed successfully. - **RemediationConfigurationTroubleshooterNetShFix** TRUE if network card cache reset ran successfully. - **RemediationCorruptionRepairCorruptionsDetected** Number of corruptions detected on the device. - **RemediationCorruptionRepairCorruptionsFixed** Number of detected corruptions that were fixed on the device. - **RemediationCorruptionRepairPerformActionSuccessful** Indicates whether corruption repair was successful on the device. -- **RemediationDiskCleanupSearchFileSizeInMB** No content is currently available. -- **RemediationDiskSpaceSavedByCompressionInMB** No content is currently available. -- **RemediationDiskSpaceSavedByUserProfileCompressionInMB** No content is currently available. +- **RemediationDiskCleanupSearchFileSizeInMB** The size of the Cleanup Search index file, measured in megabytes. +- **RemediationDiskSpaceSavedByCompressionInMB** The amount of disk space (megabytes) that was compressed by the plug-in. +- **RemediationDiskSpaceSavedByUserProfileCompressionInMB** The amount of User disk space (in megabytes) that was compressed by the plug-in. - **remediationExecution** Remediation shell is in "applying remediation" state. -- **RemediationHandlerCleanupEstimateInMB** No content is currently available. +- **RemediationHandlerCleanupEstimateInMB** The estimated amount of disk space (in megabytes) to be cleaned up by running Storage Sense. - **RemediationHibernationMigrated** TRUE if hibernation was migrated. - **RemediationHibernationMigrationSucceeded** TRUE if hibernation migration succeeded. - **RemediationNGenDiskSpaceRestored** The amount of disk space (in megabytes) that was restored after re-running the Native Image Generator (NGEN). -- **RemediationNGenEstimateInMB** No content is currently available. +- **RemediationNGenEstimateInMB** The amount of disk space (in megabytes) estimated to be in the Native Image Generator (NGEN) cache by the plug-in. - **RemediationNGenMigrationSucceeded** Indicates whether the Native Image Generator (NGEN) migration succeeded. -- **RemediationRestorePointEstimateInMB** No content is currently available. -- **RemediationSearchFileSizeEstimateInMB** No content is currently available. +- **RemediationRestorePointEstimateInMB** The amount of disk space (in megabytes) estimated to be used by storage points found by the plug-in. +- **RemediationSearchFileSizeEstimateInMB** The amount of disk space (megabytes) estimated to be used by the Cleanup Search index file found by the plug-in. - **RemediationShellHasUpgraded** TRUE if the device upgraded. - **RemediationShellMinimumTimeBetweenShellRuns** Indicates the time between shell runs exceeded the minimum required to execute plugins. - **RemediationShellRunFromService** TRUE if the shell driver was run from the service. - **RemediationShellSessionIdentifier** Unique identifier tracking a shell session. - **RemediationShellSessionTimeInSeconds** Indicates the time the shell session took in seconds. - **RemediationShellTaskDeleted** Indicates that the shell task has been deleted so no additional sediment pack runs occur for this installation. -- **RemediationSoftwareDistributionCleanedInMB** No content is currently available. -- **RemediationSoftwareDistributionEstimateInMB** No content is currently available. -- **RemediationTotalDiskSpaceCleanedInMB** No content is currently available. +- **RemediationSoftwareDistributionCleanedInMB** The amount of disk space (megabytes) in the Software Distribution folder that was cleaned up by the plug-in. +- **RemediationSoftwareDistributionEstimateInMB** The amount of disk space (megabytes) in the Software Distribution folder that is available for clean up by the plug-in. +- **RemediationTotalDiskSpaceCleanedInMB** The total disk space (in megabytes) that was cleaned up by the plug-in. - **RemediationUpdateServiceHealthRemediationResult** The result of the Update Service Health plug-in. - **RemediationUpdateTaskHealthRemediationResult** The result of the Update Task Health plug-in. - **RemediationUpdateTaskHealthTaskList** A list of tasks fixed by the Update Task Health plug-in. -- **RemediationUserFolderCompressionEstimateInMB** No content is currently available. -- **RemediationUserProfileCompressionEstimateInMB** No content is currently available. +- **RemediationUserFolderCompressionEstimateInMB** The amount of disk space (in megabytes) estimated to be compressible in User folders by the plug-in. +- **RemediationUserProfileCompressionEstimateInMB** The amount of disk space (megabytes) estimated to be compressible in User Profile folders by the plug-in. - **RemediationUSORebootRequred** Indicates whether a reboot is determined to be required by calling the Update Service Orchestrator (USO). -- **RemediationWindowsCompactedEstimateInMB** No content is currently available. -- **RemediationWindowsLogSpaceEstimateInMB** No content is currently available. +- **RemediationWindowsCompactedEstimateInMB** The amount of disk space (megabytes) estimated to be available by compacting the operating system using the plug-in. +- **RemediationWindowsLogSpaceEstimateInMB** The amount of disk space (in megabytes) available in Windows logs that can be cleaned by the plug-in. - **RemediationWindowsLogSpaceFreed** The amount of disk space freed by deleting the Windows log files, measured in Megabytes. -- **RemediationWindowsOldSpaceEstimateInMB** No content is currently available. -- **RemediationWindowsSpaceCompactedInMB** No content is currently available. -- **RemediationWindowsStoreSpaceCleanedInMB** No content is currently available. -- **RemediationWindowsStoreSpaceEstimateInMB** No content is currently available. +- **RemediationWindowsOldSpaceEstimateInMB** The amount of disk space (megabytes) in the Windows.OLD folder that can be cleaned up by the plug-in. +- **RemediationWindowsSpaceCompactedInMB** The amount of disk space (megabytes) that can be cleaned up by the plug-in. +- **RemediationWindowsStoreSpaceCleanedInMB** The amount of disk space (megabytes) from the Windows Store cache that was cleaned up by the plug-in. +- **RemediationWindowsStoreSpaceEstimateInMB** The amount of disk space (megabytes) in the Windows store cache that is estimated to be cleanable by the plug-in. - **Result** The HRESULT for Detection or Perform Action phases of the plug-in. - **RunCount** The number of times the plugin has executed. - **RunResult** The HRESULT for Detection or Perform Action phases of the plug-in. @@ -5208,40 +5117,40 @@ The following fields are available: ### Microsoft.Windows.Remediation.Started -This event reports whether a plug-in started, to help ensure Windows is up to date. +This event is sent when Windows Update Sediment Remediations have started on a device to keep Windows up to date. The remediations address issues on the system that prevent sediment devices from receiving OS updates. “Sediment” refers to devices that have been on a previous OS version for an extended period. The following fields are available: - **CV** Correlation vector. - **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **PackageVersion** Current package version of Remediation. +- **PackageVersion** The version of the current remediation package. - **PluginName** Name of the plugin specified for each generic plugin event. - **QualityUpdateSedimentFunnelState** Provides information about whether quality updates are missing on the device. -- **QualityUpdateSedimentFunnelType** No content is currently available. -- **QualityUpdateSedimentJsonSchemaVersion** No content is currently available. +- **QualityUpdateSedimentFunnelType** Indicates whether the Remediation is for Quality Updates or Feature Updates. +- **QualityUpdateSedimentJsonSchemaVersion** The schema version of the Quality Update Sediment Remediation. - **QualityUpdateSedimentLastRunSeconds** The number of seconds since Quality Updates were run. -- **QualityUpdateSedimentLocaltTime** No content is currently available. -- **QualityUpdateSedimentMatchedTriggers** No content is currently available. -- **QualityUpdateSedimentSelectedPlugins** No content is currently available. -- **QualityUpdateSedimentTargetedPlugins** No content is currently available. -- **QualityUpdateSedimentTargetedTriggers** The list of triggers targeted by the current quality update sediment remediation run. -- **RemediationProgramDataFolderSizeInMB** No content is currently available. -- **RemediationProgramFilesFolderSizeInMB** No content is currently available. -- **RemediationUsersFolderSizeInMB** No content is currently available. -- **RemediationWindowsAppsFolderSizeInMB** No content is currently available. -- **RemediationWindowsBtFolderSizeInMB** No content is currently available. -- **RemediationWindowsFolderSizeInMB** No content is currently available. -- **RemediationWindowsServiceProfilesFolderSizeInMB** No content is currently available. -- **RemediationWindowsTotalSystemDiskSize** No content is currently available. +- **QualityUpdateSedimentLocaltTime** The local time of the device running the Quality Update Sediment Remediation. +- **QualityUpdateSedimentMatchedTriggers** The list of triggers that were matched by the Windows Quality Update Remediation. +- **QualityUpdateSedimentSelectedPlugins** The number of plugins that were selected for execution in the Quality Update Sediment Remediation. +- **QualityUpdateSedimentTargetedPlugins** The list of plug-ins targeted by the current Quality Update Sediment Remediation. +- **QualityUpdateSedimentTargetedTriggers** The list of triggers targeted by the current Quality Update Sediment Remediation. +- **RemediationProgramDataFolderSizeInMB** The size (in megabytes) of the Program Data folder on the device. +- **RemediationProgramFilesFolderSizeInMB** The size (in megabytes) of the Program Files folder on the device. +- **RemediationUsersFolderSizeInMB** The size (in megabytes) of the Users folder on the device. +- **RemediationWindowsAppsFolderSizeInMB** The size (in megabytes) of the Windows Applications folder on the device. +- **RemediationWindowsBtFolderSizeInMB** The size (in megabytes) of the Windows BT folder on the device. +- **RemediationWindowsFolderSizeInMB** The size (in megabytes) of the Windows folder on the device. +- **RemediationWindowsServiceProfilesFolderSizeInMB** The size (in megabytes) of the Windows Service Profiles folder on the device. +- **RemediationWindowsTotalSystemDiskSize** The total storage capacity of the System disk drive, measured in megabytes. - **Result** This is the HRESULT for detection or perform action phases of the plugin. - **RunCount** The number of times the remediation event started (whether it completed successfully or not). -- **WindowsHiberFilSysSizeInMegabytes** No content is currently available. -- **WindowsInstallerFolderSizeInMegabytes** No content is currently available. -- **WindowsOldFolderSizeInMegabytes** No content is currently available. -- **WindowsPageFileSysSizeInMegabytes** No content is currently available. -- **WindowsSoftwareDistributionFolderSizeInMegabytes** No content is currently available. -- **WindowsSwapFileSysSizeInMegabytes** No content is currently available. -- **WindowsSxsFolderSizeInMegabytes** No content is currently available. +- **WindowsHiberFilSysSizeInMegabytes** The size of the Windows Hibernation file, measured in megabytes. +- **WindowsInstallerFolderSizeInMegabytes** The size of the Windows Installer folder, measured in megabytes. +- **WindowsOldFolderSizeInMegabytes** The size of the Windows.OLD folder, measured in megabytes. +- **WindowsPageFileSysSizeInMegabytes** The size of the Windows Page file, measured in megabytes. +- **WindowsSoftwareDistributionFolderSizeInMegabytes** The size of the Software Distribution folder, measured in megabytes. +- **WindowsSwapFileSysSizeInMegabytes** The size of the Windows Swap file, measured in megabytes. +- **WindowsSxsFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) folder, measured in megabytes. ## Sediment events @@ -5419,15 +5328,8 @@ This service retrieves events generated by SetupPlatform, the engine that drives The following fields are available: -- **FaeldName** No content is currently available. -- **FieddName** No content is currently available. - **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. -- **FieldNime** No content is currently available. -- **Gro}pName** No content is currently available. - **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. -- **GzoupName** No content is currently available. -- **OroupName** No content is currently available. -- **Vadue** No content is currently available. - **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. @@ -5439,7 +5341,6 @@ Scan process event on Windows Update client. See the EventScenario field for spe The following fields are available: -- **__TlgCV_W** No content is currently available. - **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. - **AllowCachedResults** Indicates if the scan allowed using cached results. - **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable @@ -5451,15 +5352,12 @@ The following fields are available: - **BiosVersion** The version of the BIOS. - **BranchReadinessLevel** The servicing branch configured on the device. - **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. -- **CallerApplacationN!me** No content is currently available. - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. - **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated. - **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. - **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - **ClientVersion** The version number of the software distribution client. -- **ClientWersion** No content is currently available. - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0. -- **ComvonProps** No content is currently available. - **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown - **CurrentMobileOperator** The mobile operator the device is currently connected to. - **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). @@ -5468,11 +5366,8 @@ The following fields are available: - **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. - **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. - **DriverSyncPassPerformed** Were drivers scanned this time? -- **EventIfstanceI** No content is currently available. - **EventInstanceID** A globally unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. -- **ExsendedMetadataCabUrl** No content is currently available. -- **ExsendedStatusCode** No content is currently available. - **ExtendedMetadataCabUrl** Hostname that is used to download an update. - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. - **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. @@ -5484,7 +5379,6 @@ The following fields are available: - **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). - **HomeMobileOperator** The mobile operator that the device was originally intended to work with. - **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **IntentPINs** No content is currently available. - **IPVersion** Indicates whether the download took place over IPv4 or IPv6 - **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. - **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. @@ -5492,12 +5386,10 @@ The following fields are available: - **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce - **MSIError** The last error that was encountered during a scan for updates. - **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 -- **NumberOfApplicableUpdatds** No content is currently available. - **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete - **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked - **NumberOfLoop** The number of round trips the scan required - **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan -- **NumberOfNewUpdatesFrvFServiceSync** No content is currently available. - **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan - **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. - **Online** Indicates if this was an online scan. @@ -5519,7 +5411,6 @@ The following fields are available: - **ServiceUrl** The environment URL a device is configured to scan with - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). -- **Statusode** No content is currently available. - **SyncType** Describes the type of scan the event was - **SystemBIOSMajorRelease** Major version of the BIOS. - **SystemBIOSMinorRelease** Minor version of the BIOS. @@ -5577,6 +5468,7 @@ The following fields are available: - **BiosSKUNumber** The sku number of the device BIOS. - **BIOSVendor** The vendor of the BIOS. - **BiosVersion** The version of the BIOS. +- **Bundle02,UsedDO** No content is currently available. - **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. - **BundleId** Identifier associated with the specific content bundle. - **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. @@ -5585,7 +5477,6 @@ The following fields are available: - **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). - **CachedEngineVersion** The version of the “Self-Initiated Healing” (SIH) engine that is cached on the device, if applicable. - **CallerApplicationName** The name provided by the application that initiated API calls into the software distribution client. -- **CaLlerApplicationName** No content is currently available. - **CbsDownloadMethod** Indicates whether the download was a full- or a partial-file download. - **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. - **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. @@ -5597,7 +5488,7 @@ The following fields are available: - **CurrentMobileOperator** The mobile operator the device is currently connected to. - **DeviceModel** The model of the device. - **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. -- **DownloadProps** Information about the download operation. +- **DownloadProps** Information about the download operation properties in the form of a bitmask. - **DownloadType** Differentiates the download type of “Self-Initiated Healing” (SIH) downloads between Metadata and Payload downloads. - **EventInstanceID** A globally unique identifier for event instance. - **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed. @@ -5605,7 +5496,6 @@ The following fields are available: - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. - **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). -- **FlightBuildN�mber** No content is currently available. - **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. - **FlightId** The specific ID of the flight (pre-release build) the device is getting. - **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). @@ -5751,7 +5641,6 @@ The following fields are available: - **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. - **IsFirmware** Indicates whether this update is a firmware update. - **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. -- **IsWufBDualScanEnabled** No content is currently available. - **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. - **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. - **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. @@ -6501,15 +6390,11 @@ This event sends data about OS deployment scenarios, to help keep Windows up-to- The following fields are available: -- **^alue** No content is currently available. - **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FdightData** No content is currently available. - **FieldName** Retrieves the data point. - **FimldName** No content is currently available. - **FlightData** Specifies a unique identifier for each group of Windows Insider builds. - **InstanceId** Retrieves a unique identifier for each instance of a setup session. -- **InstanceIl** No content is currently available. -- **InstancmId** No content is currently available. - **ReportId** Retrieves the report ID. - **ScenarioId** Retrieves the deployment scenario. - **Value** Retrieves the value associated with the corresponding FieldName. @@ -6548,7 +6433,6 @@ The following fields are available: - **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. - **MitigationScenario** The update scenario in which the mitigation was executed. - **Name** The friendly (descriptive) name of the mitigation. -- **OperatignName** No content is currently available. - **OperationIndex** The mitigation operation index (in the event of a failure). - **OperationName** The friendly (descriptive) name of the mitigation operation (in the event of failure). - **RegistryCount** The number of registry operations in the mitigation entry. @@ -6627,7 +6511,6 @@ The following fields are available: - **callerApplication** The name of the calling application. - **capsuleCount** The number of Sediment Pack capsules. - **capsuleFailureCount** The number of capsule failures. -- **detecd1drSummary** No content is currently available. - **detectionSummary** Result of each applicable detection that was run. - **featureAssessmentImpact** WaaS Assessment impact for feature updates. - **hrEngineBlockReason** Indicates the reason for stopping WaaSMedic. @@ -6638,12 +6521,10 @@ The following fields are available: - **isInteractiveMode** The user started a run of WaaSMedic. - **isManaged** Device is managed for updates. - **isWUConnected** Device is connected to Windows Update. -- **noMoreAcd1drs** No content is currently available. - **noMoreActions** No more applicable diagnostics. - **pluginFailureCount** The number of plugins that have failed. - **pluginsCount** The number of plugins. - **qualityAssessmentImpact** WaaS Assessment impact for quality updates. -- **remediad1drSummary** No content is currently available. - **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on. - **usingBackupFeatureAssessment** Relying on backup feature assessment. - **usingBackupQualityAssessment** Relying on backup quality assessment. @@ -6829,7 +6710,6 @@ The following fields are available: - **IsBundle** Is this a bundle? - **IsInteractive** Is this initiated by the user? - **IsMandatory** Is this a mandatory installation? -- **IsRemedi-0000** No content is currently available. - **IsRemediation** Is this repairing a previous installation? - **IsRestore** Is this a restore of a previously acquired product? - **IsUpdate** Is this an update? @@ -6979,7 +6859,6 @@ This event is sent at the beginning of an app install or update to help keep Win The following fields are available: -- **__lgCV__** No content is currently available. - **CatalogId** The name of the product catalog from which this app was chosen. - **FulfillmentPluginId** The ID of the plugin needed to install the package type of the product. - **PFN** The Package Family Name of the app that is being installed or updated. @@ -7176,18 +7055,15 @@ The following fields are available: - **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. - **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. - **bytesFromLinkLocalPeers** The number of bytes received from local peers. -- **bytesFromLocadCache** No content is currently available. - **bytesFromLocalCache** Bytes copied over from local (on disk) cache. - **bytesFromPeers** The number of bytes received from a peer in the same LAN. - **bytesRequested** The total number of bytes requested for download. -- **byvesFromCacheServer** No content is currently available. - **cacheServerConnectionCount** Number of connections made to cache hosts. - **cdnConnectionCount** The total number of connections made to the CDN. - **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. - **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. - **cdnIp** The IP address of the source CDN. - **cdnUrl** Url of the source Content Distribution Network (CDN). -- **cfileSize** No content is currently available. - **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. - **doErrorCode** The Delivery Optimization error code that was returned. - **downlinkBps** The maximum measured available download bandwidth (in bytes per second). @@ -7206,7 +7082,6 @@ The following fields are available: - **isEncrypted** TRUE if the file is encrypted and will be decrypted after download. - **isVpn** Is the device connected to a Virtual Private Network? - **jobID** Identifier for the Windows Update job. -- **lanConnectionCoujt** No content is currently available. - **lanConnectionCount** The total number of connections made to peers in the same LAN. - **linkLocalConnectionCount** The number of connections made to peers in the same Link-local network. - **numPeers** The total number of peers used for this download. @@ -7222,7 +7097,6 @@ The following fields are available: - **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). - **uplinkUsageBps** The upload speed (in bytes per second). - **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. -- **ytesRequested** No content is currently available. ### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused @@ -7238,7 +7112,6 @@ The following fields are available: - **fileID** The ID of the file being paused. - **isVpn** Is the device connected to a Virtual Private Network? - **jobID** Identifier for the Windows Update job. -- **pagaefinedCallerName** No content is currently available. - **predefinedCallerName** The name of the API Caller object. - **reasonCode** The reason for pausing the download. - **routeToCacheServer** The cache server setting, source, and value. @@ -7259,7 +7132,6 @@ The following fields are available: - **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). - **diceRoll** Random number used for determining if a client will use peering. - **doClientVersion** The version of the Delivery Optimization client. -- **doEr2orCode** No content is currently available. - **doErrorCode** The Delivery Optimization error code that was returned. - **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). - **downloadModeReason** Reason for the download. @@ -7275,10 +7147,8 @@ The following fields are available: - **isVpn** Indicates whether the device is connected to a Virtual Private Network. - **jobID** The ID of the Windows Update job. - **peerID** The ID for this delivery optimization client. -- **pgerID** No content is currently available. - **predefinedCallerName** Name of the API caller. - **routeToCacheServer** Cache server setting, source, and value. -- **sessionId** No content is currently available. - **sessionID** The ID for the file download session. - **setConbigs** No content is currently available. - **setConfigs** A JSON representation of the configurations that have been set, and their sources. @@ -7900,7 +7770,6 @@ The following fields are available: - **minutesOverScanSla** Indicates how many minutes the scan exceeded the scan SLA. - **minutesOverScanTriggerSla** Indicates how many minutes the scan exceeded the scan trigger SLA. - **scanTriggerSource** Indicates what caused the scan. -- **scanTriggerSouRce** No content is currently available. - **updateScenarioType** The update session type. - **wuDeviceid** Unique device ID used by Windows Update. From 51ae9eb3760a7fa2149060542d8e17a56119ebdd Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 15 Apr 2019 10:23:27 -0700 Subject: [PATCH 154/492] updating 1903 links --- windows/privacy/windows-diagnostic-data.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md index 4a50f70b53..d3587cfb5a 100644 --- a/windows/privacy/windows-diagnostic-data.md +++ b/windows/privacy/windows-diagnostic-data.md @@ -12,17 +12,18 @@ ms.author: daniha manager: dansimp ms.collection: M365-security-compliance ms.topic: article -ms.date: 03/13/2018 +ms.date: 04/15/2019 --- # Windows 10, version 1709 and newer diagnostic data for the Full level Applies to: +- Windows 10, version 1903 - Windows 10, version 1809 - Windows 10, version 1803 - Windows 10, version 1709 -Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1809 Basic level diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields). +Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1903 Basic level diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields). In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944:2017 Information technology -- Cloud computing -- Cloud services and devices: Data flow, data categories and data use](https://www.iso.org/standard/66674.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard. From 6edf2539bbdaf2f09370eea1ff001442267b8c2d Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Tue, 16 Apr 2019 05:57:55 -0700 Subject: [PATCH 155/492] add 1903 download for 19H1 --- windows/application-management/manage-windows-mixed-reality.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 20b71d39e8..333dbab4b5 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md @@ -9,7 +9,6 @@ ms.localizationpriority: medium author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 10/02/2018 --- # Enable or block Windows Mixed Reality apps in the enterprise @@ -34,7 +33,7 @@ Organizations that use Windows Server Update Services (WSUS) must take action to 2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD. - a. Download the FOD .cab file for [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](http://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab). + a. Download the FOD .cab file for [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](http://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab), or [Windows 10, version 1903](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab). >[!NOTE] >You must download the FOD .cab file that matches your operating system version. From 245662323a5347bc2c11d72cd8936736f0cff134 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Tue, 16 Apr 2019 06:29:24 -0700 Subject: [PATCH 156/492] remove extra or --- windows/application-management/manage-windows-mixed-reality.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 333dbab4b5..789eabab79 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md @@ -33,7 +33,7 @@ Organizations that use Windows Server Update Services (WSUS) must take action to 2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD. - a. Download the FOD .cab file for [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](http://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab), or [Windows 10, version 1903](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab). + a. Download the FOD .cab file for [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), [Windows 10, version 1709](http://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab), or [Windows 10, version 1903](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab). >[!NOTE] >You must download the FOD .cab file that matches your operating system version. From d1a9f02529e5314f2abc2f18a6067279bc9b8fcd Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 16 Apr 2019 08:35:57 -0700 Subject: [PATCH 157/492] new build 4/16/2019 8:35 AM --- ...ndows-diagnostic-events-and-fields-1903.md | 174 ++++++++++++++++-- 1 file changed, 163 insertions(+), 11 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index a32ec507e3..04b2280580 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -1,6 +1,6 @@ --- description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. -title: Windows 10, version 19H1 basic diagnostic events and fields (Windows 10) +title: Windows 10, version 1903 basic diagnostic events and fields (Windows 10) keywords: privacy, telemetry ms.prod: w10 ms.mktglfcycl: manage @@ -13,11 +13,11 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/15/2019 +ms.date: 04/16/2019 --- -# Windows 10, version 19H1 basic level Windows diagnostic events and fields +# Windows 10, version 1903 basic level Windows diagnostic events and fields > [!IMPORTANT] @@ -26,7 +26,7 @@ ms.date: 04/15/2019 **Applies to** -- Windows 10, version 19H1 +- Windows 10, version 1903 The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. @@ -2088,6 +2088,18 @@ The following fields are available: - **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app. +### Common Data Extensions.cloud + +Describes the service-related fields populated by the cloud service. + +The following fields are available: + +- **role** The role of the service. +- **roleInstance** The instance id of the deployed role instance generating the event. +- **roleVer** The build version of the role. +- **ver** No content is currently available. + + ### Common Data Extensions.container Describes the properties of the container for events logged within a container. @@ -2101,13 +2113,18 @@ The following fields are available: - **type** The container type. Examples: Process or VMHost -### Common Data Extensions.cs +### Common Data Extensions.cs1 -Describes properties related to the schema of the event. +No content is currently available. The following fields are available: -- **sig** A common schema signature that identifies new and modified event schemas. +- **dblp** A bitfield that is set to a non-zero value if the event in the newer schema has an equivalent event from the 1.0 schema. +- **esc** The event sequence clock. +- **ev** The version of the event. +- **locale** The client language locale on the device. +- **scid** The Service Config ID of the running title that sent the event. +- **users** A comma-separated list of all users logged into the device when the event was created. The user ID is encoded. Example: x:12345678 ### Common Data Extensions.device @@ -2116,10 +2133,15 @@ Describes the device-related fields. The following fields are available: +- **authId** The ID of the device associated with this event. For Microsoft Account tickets, this is expected to be the MSA Global ID. +- **authSecId** The secondary ID of the device associated with this event. For Microsoft Account tickets, this is expected to be the MSA Hardware ID. - **deviceClass** The device classification. For example, Desktop, Server, or Mobile. +- **id** A unique device ID. - **localId** A locally-defined unique ID for the device. This is not the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId - **make** Device manufacturer. - **model** Device model. +- **orgAuthId** ID used to authenticate the orgId. +- **orgId** Organization ID associated with the event. ### Common Data Extensions.Envelope @@ -2128,26 +2150,91 @@ Represents an envelope that contains all of the common data extensions. The following fields are available: -- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries. - **data** Represents the optional unique diagnostic data for a particular event schema. - **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp). +- **ext_cloud** Describes the service-related fields populated by the cloud service. See [Common Data Extensions.cloud](#common-data-extensionscloud). - **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer). -- **ext_cs** Describes properties related to the schema of the event. See [Common Data Extensions.cs](#common-data-extensionscs). +- **ext_cs1** If the field doesn't exist in the newer schema, this contains the fields from an earlier schema. See [Common Data Extensions.cs1](#common-data-extensionscs1). - **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice). +- **ext_ingest** Describes the fields added dynamically by the service. See [Common Data Extensions.ingest](#common-data-extensionsingest). +- **ext_intService** No content is currently available. See [Common Data Extensions.intService](#common-data-extensionsintservice). +- **ext_intWeb** No content is currently available. See [Common Data Extensions.intWeb](#common-data-extensionsintweb). +- **ext_loc** Describes the location from which the event was logged. See [Common Data Extensions.loc](#common-data-extensionsloc). +- **ext_mscv** No content is currently available. See [Common Data Extensions.mscv](#common-data-extensionsmscv). - **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos). - **ext_receipts** Describes the fields related to time as provided by the client for debugging purposes. See [Common Data Extensions.receipts](#common-data-extensionsreceipts). - **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk). - **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser). - **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc). +- **ext_web** No content is currently available. See [Common Data Extensions.web](#common-data-extensionsweb). - **ext_xbl** Describes the fields related to XBOX Live. See [Common Data Extensions.xbl](#common-data-extensionsxbl). -- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency. - **iKey** Represents an ID for applications or other logical groupings of events. - **name** Represents the uniquely qualified name for the event. -- **popSample** Represents the effective sample rate for this event at the time it was generated by a client. - **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format. - **ver** Represents the major and minor version of the extension. +### Common Data Extensions.ingest + +Describes the fields that are added by the ingestion service. + +The following fields are available: + +- **auth** Used to assess the trustworthiness of the data. +- **client** The client name. +- **clientIp** The IP address seen by the service. This is not necessarily the client IP address, but could be a router or some other device. +- **processedIngest** If the event already had an ingest extension and the client was authenticated as a first party, the ingest extension will be inserted as processedIngest. +- **quality** A bitfield added by the service to all events coming from a client device. +- **time** The time that the event was received by the service. +- **userAgent** For events that are not using the CUET component, this is the user agent of the browser. + + +### Common Data Extensions.intService + +No content is currently available. + +The following fields are available: + +- **deploymentUnit** No content is currently available. +- **environment** No content is currently available. +- **fullEnvName** No content is currently available. +- **location** No content is currently available. +- **name** No content is currently available. + + +### Common Data Extensions.intWeb + +No content is currently available. + +The following fields are available: + +- **anid** No content is currently available. +- **mc1Id** No content is currently available. +- **mscom** No content is currently available. +- **msfpc** No content is currently available. +- **serviceName** No content is currently available. + + +### Common Data Extensions.loc + +Describes the location from which the event was logged. + +The following fields are available: + +- **country** 2 letter country code using the codes from the ISO 3166-1 alpha-2 standard. +- **id** Location ID based on the client's IP address. +- **tz** The time zone of the device. + + +### Common Data Extensions.mscv + +No content is currently available. + +The following fields are available: + +- **cV** No content is currently available. + + ### Common Data Extensions.os Describes some properties of the operating system. @@ -2167,6 +2254,8 @@ Represents various time information as provided by the client and helps for debu The following fields are available: +- **flags** No content is currently available. +- **originalName** No content is currently available. - **originalTime** The original event time. - **uploadTime** The time the event was uploaded. @@ -2181,6 +2270,7 @@ The following fields are available: - **installId** An ID that's created during the initialization of the SDK for the first time. - **libVer** The SDK version. - **seq** An ID that is incremented for each event. +- **ver** No content is currently available. ### Common Data Extensions.user @@ -2190,6 +2280,7 @@ Describes the fields related to a user. The following fields are available: - **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token. +- **id** Unique user Id. Example: x:12345678. - **locale** The language and region. - **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID. @@ -2205,12 +2296,36 @@ The following fields are available: - **cat** Represents a bitmask of the ETW Keywords associated with the event. - **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer. - **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server. +- **eventFlags** No content is currently available. - **flags** Represents the bitmap that captures various Windows specific flags. +- **loggingBinary** No content is currently available. - **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence - **op** Represents the ETW Op Code. +- **pgName** No content is currently available. +- **popSample** No content is currently available. +- **providerGuid** No content is currently available. - **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. - **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server. +- **sqmId** No content is currently available. - **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. +- **wcmp** No content is currently available. +- **wPId** No content is currently available. +- **wsId** No content is currently available. + + +### Common Data Extensions.web + +No content is currently available. + +The following fields are available: + +- **browser** No content is currently available. +- **browserLang** No content is currently available. +- **browserVer** No content is currently available. +- **domain** No content is currently available. +- **isManual** No content is currently available. +- **screenRes** No content is currently available. +- **userConsent** No content is currently available. ### Common Data Extensions.xbl @@ -4068,6 +4183,43 @@ The following fields are available: - **WFD2Supported** Indicates if the Miracast receiver supports WFD2 protocol. +## Other events + +### Microsoft.Windows.MigrationCore.MigObjectCountDLUsr + +No content is currently available. + +The following fields are available: + +- **currentSid** No content is currently available. +- **knownFoldersUsr[i]** No content is currently available. +- **migDiagSession->CString** No content is currently available. +- **objectCount** No content is currently available. + + +### Microsoft.Windows.MigrationCore.MigObjectCountKFSys + +This event returns data about the count of the migration objects across various phases during feature update. + +The following fields are available: + +- **knownFoldersSys[i]** The predefined folder path locations. +- **migDiagSession->CString** Identifies the phase of the upgrade where migration happens. +- **objectCount** The count of the number of objects that are being transferred. + + +### Microsoft.Windows.MigrationCore.MigObjectCountKFUsr + +This event returns data to track the count of the migration objects across various phases during feature update. + +The following fields are available: + +- **currentSid** Indicates the user SID for which the migration is being performed. +- **knownFoldersUsr[i]** No content is currently available. +- **migDiagSession->CString** No content is currently available. +- **objectCount** No content is currently available. + + ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted From 6766d38b9ded0a209bd4971d2e2a517ce1f50d7d Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 16 Apr 2019 08:36:06 -0700 Subject: [PATCH 158/492] new build 4/16/2019 8:35 AM --- ...ndows-diagnostic-events-and-fields-1703.md | 30 +++--- ...ndows-diagnostic-events-and-fields-1709.md | 34 +++---- ...ndows-diagnostic-events-and-fields-1803.md | 34 +++---- ...ndows-diagnostic-events-and-fields-1809.md | 99 ++++++++++--------- 4 files changed, 101 insertions(+), 96 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index a9d6322d66..187e5b5800 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/15/2019 +ms.date: 04/16/2019 --- @@ -2980,17 +2980,17 @@ deny The following fields are available: - **ActionName** The name of the action to be taken by the plug-in. -- **AppraiserBinariesValidResult** Indicates whether plug-in was appraised as valid. +- **AppraiserBinariesValidResult** Indicates whether the plug-in was appraised as valid. - **AppraiserDetectCondition** Indicates whether the plug-in passed the appraiser's check. - **AppraiserRegistryValidResult** Indicates whether the registry entry checks out as valid. - **AppraiserTaskDisabled** Indicates the appraiser task is disabled. - **AppraiserTaskValidFailed** Indicates the Appraiser task did not function and requires intervention. - **CV** Correlation vector - **DateTimeDifference** The difference between local and reference clock times. -- **DateTimeSyncEnabled** Indicates whether the datetime sync plug-in is enabled. +- **DateTimeSyncEnabled** Indicates whether the Datetime Sync plug-in is enabled. - **DaysSinceLastSIH** The number of days since the most recent SIH executed. - **DaysToNextSIH** The number of days until the next scheduled SIH execution. -- **DetectedCondition** Indicates whether detect condition is true and the perform action will be run. +- **DetectedCondition** Indicates whether detected condition is true and the perform action will be run. - **EvalAndReportAppraiserBinariesFailed** Indicates the EvalAndReportAppraiserBinaries event failed. - **EvalAndReportAppraiserRegEntries** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed. - **EvalAndReportAppraiserRegEntriesFailed** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed. @@ -3004,12 +3004,12 @@ The following fields are available: - **PackageVersion** The version of the current remediation package. - **PluginName** Name of the plugin specified for each generic plugin event. - **Reload** True if SIH reload is required. -- **RemediationNoisyHammerAcLineStatus** Event that indicates the AC Line Status of the machine. +- **RemediationNoisyHammerAcLineStatus** Indicates the AC Line Status of the device. - **RemediationNoisyHammerAutoStartCount** The number of times hammer auto-started. - **RemediationNoisyHammerCalendarTaskEnabled** Event that indicates Update Assistant Calendar Task is enabled. - **RemediationNoisyHammerCalendarTaskExists** Event that indicates an Update Assistant Calendar Task exists. - **RemediationNoisyHammerCalendarTaskTriggerEnabledCount** Event that indicates calendar triggers are enabled in the task. -- **RemediationNoisyHammerDaysSinceLastTaskRunTime** The number of days since the most recent hammer task ran. +- **RemediationNoisyHammerDaysSinceLastTaskRunTime** The number of days since the most recent Noisy Hammer task ran. - **RemediationNoisyHammerGetCurrentSize** Size in MB of the $GetCurrent folder. - **RemediationNoisyHammerIsInstalled** TRUE if the noisy hammer is installed. - **RemediationNoisyHammerLastTaskRunResult** The result of the last hammer task run. @@ -3059,7 +3059,7 @@ The following fields are available: ### Microsoft.Windows.Remediation.Completed -This event is sent when Windows Update Sediment Remediations have completed on a device to keep Windows up to date. The remediations address issues on the system that prevent sediment devices from receiving OS updates. “Sediment” refers to devices that have been on a previous OS version for an extended period. +This event is sent when Windows Update sediment remediations have completed on the sediment device to keep Windows up to date. A sediment device is one that has been on a previous OS version for an extended period. The remediations address issues on the system that prevent the device from receiving OS updates. The following fields are available: @@ -3080,7 +3080,7 @@ The following fields are available: - **DiskMbFreeBeforeCleanup** The amount of free hard disk space before cleanup, measured in Megabytes. - **ForcedAppraiserTaskTriggered** TRUE if Appraiser task ran from the plug-in. - **GlobalEventCounter** Client-side counter that indicates ordering of events sent by the active user. -- **HandlerCleanupFreeDiskInMegabytes** The amount of hard disk space cleaned by the storage sense handlers, measured in Megabytes. +- **HandlerCleanupFreeDiskInMegabytes** The amount of hard disk space cleaned by the storage sense handlers, measured in megabytes. - **HResult** The result of the event execution. - **LatestState** The final state of the plug-in component. - **PackageVersion** The package version for the current Remediation. @@ -3135,7 +3135,7 @@ The following fields are available: - **usoScanIsNetworkMetered** TRUE if the device is currently connected to a metered network. - **usoScanIsNoAutoUpdateKeyPresent** TRUE if no Auto Update registry key is set/present. - **usoScanIsUserLoggedOn** TRUE if the user is logged on. -- **usoScanPastThreshold** TRUE if the most recent USO (Update Session Orchestrator) scan is past the threshold (late). +- **usoScanPastThreshold** TRUE if the most recent Update Session Orchestrator (USO) scan is past the threshold (late). - **usoScanType** The type of USO (Update Session Orchestrator) scan: "Interactive" or "Background". - **WindowsHyberFilSysSizeInMegabytes** The size of the Windows Hibernation file, measured in Megabytes. - **WindowsInstallerFolderSizeInMegabytes** The size of the Windows Installer folder, measured in Megabytes. @@ -3679,7 +3679,7 @@ The following fields are available: ### Microsoft.Windows.SedimentLauncher.Applicable -Indicates whether a given plugin is applicable. +This event is sent when the Windows Update sediment remediations launcher finds that an applicable plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The following fields are available: @@ -3695,7 +3695,7 @@ The following fields are available: ### Microsoft.Windows.SedimentLauncher.Completed -Indicates whether a given plugin has completed its work. +This event is sent when the Windows Update sediment remediations launcher finishes running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The following fields are available: @@ -3741,7 +3741,7 @@ The following fields are available: ### Microsoft.Windows.SedimentLauncher.Started -This event indicates that a given plug-in has started. +This event is sent when the Windows Update sediment remediations launcher starts running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The following fields are available: @@ -3779,7 +3779,7 @@ The following fields are available: ### Microsoft.Windows.SedimentService.Applicable -This event indicates whether a given plug-in is applicable. +This event is sent when the Windows Update sediment remediations service finds that an applicable plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The following fields are available: @@ -3795,7 +3795,7 @@ The following fields are available: ### Microsoft.Windows.SedimentService.Completed -This event indicates whether a given plug-in has completed its work. +This event is sent when the Windows Update sediment remediations service finishes running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The following fields are available: @@ -3848,7 +3848,7 @@ The following fields are available: ### Microsoft.Windows.SedimentService.Started -This event indicates a specified plug-in has started. This information helps ensure Windows is up to date. +This event is sent when the Windows Update sediment remediations service starts running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The following fields are available: diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 8c42efe77e..8aed3dab5e 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/15/2019 +ms.date: 04/16/2019 --- @@ -3168,16 +3168,16 @@ deny The following fields are available: - **ActionName** The name of the action to be taken by the plug-in. -- **AppraiserBinariesValidResult** Indicates whether plug-in was appraised as valid. +- **AppraiserBinariesValidResult** Indicates whether the plug-in was appraised as valid. - **AppraiserDetectCondition** Indicates whether the plug-in passed the appraiser's check. - **AppraiserRegistryValidResult** Indicates whether the registry entry checks out as valid. - **AppraiserTaskDisabled** Indicates the appraiser task is disabled. - **CV** Correlation vector - **DateTimeDifference** The difference between local and reference clock times. -- **DateTimeSyncEnabled** Indicates whether the datetime sync plug-in is enabled. +- **DateTimeSyncEnabled** Indicates whether the Datetime Sync plug-in is enabled. - **DaysSinceLastSIH** The number of days since the most recent SIH executed. - **DaysToNextSIH** The number of days until the next scheduled SIH execution. -- **DetectedCondition** Indicates whether detect condition is true and the perform action will be run. +- **DetectedCondition** Indicates whether detected condition is true and the perform action will be run. - **EvalAndReportAppraiserBinariesFailed** Indicates the EvalAndReportAppraiserBinaries event failed. - **EvalAndReportAppraiserRegEntries** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed. - **EvalAndReportAppraiserRegEntriesFailed** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed. @@ -3191,12 +3191,12 @@ The following fields are available: - **PackageVersion** The version of the current remediation package. - **PluginName** Name of the plugin specified for each generic plugin event. - **Reload** True if SIH reload is required. -- **RemediationNoisyHammerAcLineStatus** Event that indicates the AC Line Status of the machine. +- **RemediationNoisyHammerAcLineStatus** Indicates the AC Line Status of the device. - **RemediationNoisyHammerAutoStartCount** The number of times hammer auto-started. - **RemediationNoisyHammerCalendarTaskEnabled** Event that indicates Update Assistant Calendar Task is enabled. - **RemediationNoisyHammerCalendarTaskExists** Event that indicates an Update Assistant Calendar Task exists. - **RemediationNoisyHammerCalendarTaskTriggerEnabledCount** Event that indicates calendar triggers are enabled in the task. -- **RemediationNoisyHammerDaysSinceLastTaskRunTime** The number of days since the most recent hammer task ran. +- **RemediationNoisyHammerDaysSinceLastTaskRunTime** The number of days since the most recent Noisy Hammer task ran. - **RemediationNoisyHammerGetCurrentSize** Size in MB of the $GetCurrent folder. - **RemediationNoisyHammerIsInstalled** TRUE if the noisy hammer is installed. - **RemediationNoisyHammerLastTaskRunResult** The result of the last hammer task run. @@ -3266,7 +3266,7 @@ The following fields are available: ### Microsoft.Windows.Remediation.Completed -This event is sent when Windows Update Sediment Remediations have completed on a device to keep Windows up to date. The remediations address issues on the system that prevent sediment devices from receiving OS updates. “Sediment” refers to devices that have been on a previous OS version for an extended period. +This event is sent when Windows Update sediment remediations have completed on the sediment device to keep Windows up to date. A sediment device is one that has been on a previous OS version for an extended period. The remediations address issues on the system that prevent the device from receiving OS updates. The following fields are available: @@ -3289,7 +3289,7 @@ The following fields are available: - **DiskMbFreeBeforeCleanup** The amount of free hard disk space before cleanup, measured in Megabytes. - **ForcedAppraiserTaskTriggered** TRUE if Appraiser task ran from the plug-in. - **GlobalEventCounter** Client-side counter that indicates ordering of events sent by the active user. -- **HandlerCleanupFreeDiskInMegabytes** The amount of hard disk space cleaned by the storage sense handlers, measured in Megabytes. +- **HandlerCleanupFreeDiskInMegabytes** The amount of hard disk space cleaned by the storage sense handlers, measured in megabytes. - **hasRolledBack** Indicates whether the client machine has rolled back. - **hasUninstalled** Indicates whether the client machine has uninstalled a later version of the OS. - **hResult** The result of the event execution. @@ -3350,7 +3350,7 @@ The following fields are available: - **RunResult** The HRESULT for Detection or Perform Action phases of the plug-in. - **ServiceHealthPlugin** The nae of the Service Health plug-in. - **StartComponentCleanupTask** TRUE if the Component Cleanup task started successfully. -- **systemDriveFreeDiskSpace** Indicates the free disk space on system drive in MBs. +- **systemDriveFreeDiskSpace** Indicates the free disk space on system drive, in megabytes. - **systemUptimeInHours** Indicates the amount of time the system in hours has been on since the last boot. - **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes. - **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Microsoft Store cache after cleanup, measured in Megabytes. @@ -3365,7 +3365,7 @@ The following fields are available: - **usoScanIsNetworkMetered** TRUE if the device is currently connected to a metered network. - **usoScanIsNoAutoUpdateKeyPresent** TRUE if no Auto Update registry key is set/present. - **usoScanIsUserLoggedOn** TRUE if the user is logged on. -- **usoScanPastThreshold** TRUE if the most recent USO (Update Session Orchestrator) scan is past the threshold (late). +- **usoScanPastThreshold** TRUE if the most recent Update Session Orchestrator (USO) scan is past the threshold (late). - **usoScanType** The type of USO (Update Session Orchestrator) scan: "Interactive" or "Background". - **windows10UpgraderBlockWuUpdates** Event to report the value of Windows 10 Upgrader BlockWuUpdates Key. - **windowsEditionId** Event to report the value of Windows Edition ID. @@ -3399,7 +3399,7 @@ The following fields are available: ### Microsoft.Windows.Remediation.Started -This event is sent when Windows Update Sediment Remediations have started on a device to keep Windows up to date. The remediations address issues on the system that prevent sediment devices from receiving OS updates. “Sediment” refers to devices that have been on a previous OS version for an extended period. +This event is sent when Windows Update sediment remediations have started on the sediment device to keep Windows up to date. A sediment device is one that has been on a previous OS version for an extended period. The remediations address issues on the system that prevent the device from receiving OS updates. The following fields are available: @@ -3667,7 +3667,7 @@ The following fields are available: ### Microsoft.Windows.SedimentLauncher.Applicable -Indicates whether a given plugin is applicable. +This event is sent when the Windows Update sediment remediations launcher finds that an applicable plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The following fields are available: @@ -3683,7 +3683,7 @@ The following fields are available: ### Microsoft.Windows.SedimentLauncher.Completed -Indicates whether a given plugin has completed its work. +This event is sent when the Windows Update sediment remediations launcher finishes running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The following fields are available: @@ -3730,7 +3730,7 @@ The following fields are available: ### Microsoft.Windows.SedimentLauncher.Started -This event indicates that a given plug-in has started. +This event is sent when the Windows Update sediment remediations launcher starts running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The following fields are available: @@ -3768,7 +3768,7 @@ The following fields are available: ### Microsoft.Windows.SedimentService.Applicable -This event indicates whether a given plug-in is applicable. +This event is sent when the Windows Update sediment remediations service finds that an applicable plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The following fields are available: @@ -3784,7 +3784,7 @@ The following fields are available: ### Microsoft.Windows.SedimentService.Completed -This event indicates whether a given plug-in has completed its work. +This event is sent when the Windows Update sediment remediations service finishes running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The following fields are available: @@ -3838,7 +3838,7 @@ The following fields are available: ### Microsoft.Windows.SedimentService.Started -This event indicates a specified plug-in has started. This information helps ensure Windows is up to date. +This event is sent when the Windows Update sediment remediations service starts running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The following fields are available: diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 38e274be19..d26544c92c 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/15/2019 +ms.date: 04/16/2019 --- @@ -4269,17 +4269,17 @@ deny The following fields are available: - **ActionName** The name of the action to be taken by the plug-in. -- **AppraiserBinariesValidResult** Indicates whether plug-in was appraised as valid. +- **AppraiserBinariesValidResult** Indicates whether the plug-in was appraised as valid. - **AppraiserDetectCondition** Indicates whether the plug-in passed the appraiser's check. - **AppraiserRegistryValidResult** Indicates whether the registry entry checks out as valid. - **AppraiserTaskDisabled** Indicates the appraiser task is disabled. - **AppraiserTaskValidFailed** Indicates the Appraiser task did not function and requires intervention. - **CV** Correlation vector - **DateTimeDifference** The difference between local and reference clock times. -- **DateTimeSyncEnabled** Indicates whether the datetime sync plug-in is enabled. +- **DateTimeSyncEnabled** Indicates whether the Datetime Sync plug-in is enabled. - **DaysSinceLastSIH** The number of days since the most recent SIH executed. - **DaysToNextSIH** The number of days until the next scheduled SIH execution. -- **DetectedCondition** Indicates whether detect condition is true and the perform action will be run. +- **DetectedCondition** Indicates whether detected condition is true and the perform action will be run. - **EvalAndReportAppraiserBinariesFailed** Indicates the EvalAndReportAppraiserBinaries event failed. - **EvalAndReportAppraiserRegEntries** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed. - **EvalAndReportAppraiserRegEntriesFailed** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed. @@ -4293,12 +4293,12 @@ The following fields are available: - **PackageVersion** The version of the current remediation package. - **PluginName** Name of the plugin specified for each generic plugin event. - **Reload** True if SIH reload is required. -- **RemediationNoisyHammerAcLineStatus** Event that indicates the AC Line Status of the machine. +- **RemediationNoisyHammerAcLineStatus** Indicates the AC Line Status of the device. - **RemediationNoisyHammerAutoStartCount** The number of times hammer auto-started. - **RemediationNoisyHammerCalendarTaskEnabled** Event that indicates Update Assistant Calendar Task is enabled. - **RemediationNoisyHammerCalendarTaskExists** Event that indicates an Update Assistant Calendar Task exists. - **RemediationNoisyHammerCalendarTaskTriggerEnabledCount** Event that indicates calendar triggers are enabled in the task. -- **RemediationNoisyHammerDaysSinceLastTaskRunTime** The number of days since the most recent hammer task ran. +- **RemediationNoisyHammerDaysSinceLastTaskRunTime** The number of days since the most recent Noisy Hammer task ran. - **RemediationNoisyHammerGetCurrentSize** Size in MB of the $GetCurrent folder. - **RemediationNoisyHammerIsInstalled** TRUE if the noisy hammer is installed. - **RemediationNoisyHammerLastTaskRunResult** The result of the last hammer task run. @@ -4368,7 +4368,7 @@ The following fields are available: ### Microsoft.Windows.Remediation.Completed -This event is sent when Windows Update Sediment Remediations have completed on a device to keep Windows up to date. The remediations address issues on the system that prevent sediment devices from receiving OS updates. “Sediment” refers to devices that have been on a previous OS version for an extended period. +This event is sent when Windows Update sediment remediations have completed on the sediment device to keep Windows up to date. A sediment device is one that has been on a previous OS version for an extended period. The remediations address issues on the system that prevent the device from receiving OS updates. The following fields are available: @@ -4391,7 +4391,7 @@ The following fields are available: - **DiskMbFreeBeforeCleanup** The amount of free hard disk space before cleanup, measured in Megabytes. - **ForcedAppraiserTaskTriggered** TRUE if Appraiser task ran from the plug-in. - **GlobalEventCounter** Client-side counter that indicates ordering of events sent by the active user. -- **HandlerCleanupFreeDiskInMegabytes** The amount of hard disk space cleaned by the storage sense handlers, measured in Megabytes. +- **HandlerCleanupFreeDiskInMegabytes** The amount of hard disk space cleaned by the storage sense handlers, measured in megabytes. - **hasRolledBack** Indicates whether the client machine has rolled back. - **hasUninstalled** Indicates whether the client machine has uninstalled a later version of the OS. - **hResult** The result of the event execution. @@ -4456,7 +4456,7 @@ The following fields are available: - **ServiceHealthInstalledBitMap** List of services installed by the plugin. - **ServiceHealthPlugin** The nae of the Service Health plug-in. - **StartComponentCleanupTask** TRUE if the Component Cleanup task started successfully. -- **systemDriveFreeDiskSpace** Indicates the free disk space on system drive in MBs. +- **systemDriveFreeDiskSpace** Indicates the free disk space on system drive, in megabytes. - **systemUptimeInHours** Indicates the amount of time the system in hours has been on since the last boot. - **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes. - **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Microsoft Store cache after cleanup, measured in Megabytes. @@ -4471,7 +4471,7 @@ The following fields are available: - **usoScanIsNetworkMetered** TRUE if the device is currently connected to a metered network. - **usoScanIsNoAutoUpdateKeyPresent** TRUE if no Auto Update registry key is set/present. - **usoScanIsUserLoggedOn** TRUE if the user is logged on. -- **usoScanPastThreshold** TRUE if the most recent USO (Update Session Orchestrator) scan is past the threshold (late). +- **usoScanPastThreshold** TRUE if the most recent Update Session Orchestrator (USO) scan is past the threshold (late). - **usoScanType** The type of USO (Update Session Orchestrator) scan: "Interactive" or "Background". - **windows10UpgraderBlockWuUpdates** Event to report the value of Windows 10 Upgrader BlockWuUpdates Key. - **windowsEditionId** Event to report the value of Windows Edition ID. @@ -4505,7 +4505,7 @@ The following fields are available: ### Microsoft.Windows.Remediation.Started -This event is sent when Windows Update Sediment Remediations have started on a device to keep Windows up to date. The remediations address issues on the system that prevent sediment devices from receiving OS updates. “Sediment” refers to devices that have been on a previous OS version for an extended period. +This event is sent when Windows Update sediment remediations have started on the sediment device to keep Windows up to date. A sediment device is one that has been on a previous OS version for an extended period. The remediations address issues on the system that prevent the device from receiving OS updates. The following fields are available: @@ -4738,7 +4738,7 @@ The following fields are available: ### Microsoft.Windows.SedimentLauncher.Applicable -Indicates whether a given plugin is applicable. +This event is sent when the Windows Update sediment remediations launcher finds that an applicable plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The following fields are available: @@ -4754,7 +4754,7 @@ The following fields are available: ### Microsoft.Windows.SedimentLauncher.Completed -Indicates whether a given plugin has completed its work. +This event is sent when the Windows Update sediment remediations launcher finishes running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The following fields are available: @@ -4769,7 +4769,7 @@ The following fields are available: ### Microsoft.Windows.SedimentLauncher.Started -This event indicates that a given plug-in has started. +This event is sent when the Windows Update sediment remediations launcher starts running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The following fields are available: @@ -4782,7 +4782,7 @@ The following fields are available: ### Microsoft.Windows.SedimentService.Applicable -This event indicates whether a given plug-in is applicable. +This event is sent when the Windows Update sediment remediations service finds that an applicable plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The following fields are available: @@ -4798,7 +4798,7 @@ The following fields are available: ### Microsoft.Windows.SedimentService.Completed -This event indicates whether a given plug-in has completed its work. +This event is sent when the Windows Update sediment remediations service finishes running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The following fields are available: @@ -4820,7 +4820,7 @@ The following fields are available: ### Microsoft.Windows.SedimentService.Started -This event indicates a specified plug-in has started. This information helps ensure Windows is up to date. +This event is sent when the Windows Update sediment remediations service starts running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The following fields are available: diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index f359c36a0c..26bb7bab6a 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/15/2019 +ms.date: 04/16/2019 --- @@ -4549,6 +4549,19 @@ The following fields are available: ## Migration events +### Microsoft.Windows.MigrationCore.MigObjectCountDLUsr + +No content is currently available. + +The following fields are available: + +- **currentSid** No content is currently available. +- **defaultLoc->DirName->CString** No content is currently available. +- **knownFoldersUsr[i]** No content is currently available. +- **migDiagSession->CString** No content is currently available. +- **objectCount** No content is currently available. + + ### Microsoft.Windows.MigrationCore.MigObjectCountKFSys This event returns data about the count of the migration objects across various phases during feature update. @@ -4562,15 +4575,14 @@ The following fields are available: ### Microsoft.Windows.MigrationCore.MigObjectCountKFUsr -No content is currently available. +This event returns data to track the count of the migration objects across various phases during feature update. The following fields are available: -- **currentSid** No content is currently available. -- **knownFolderLoc->DirName->CString** No content is currently available. -- **knownFoldersUsr[i]** No content is currently available. -- **migDiagSession->CString** No content is currently available. -- **objectCount** No content is currently available. +- **currentSid** Indicates the user SID for which the migration is being performed. +- **knownFoldersUsr[i]** Predefined folder path locations. +- **migDiagSession->CString** The phase of the upgrade where migration occurs. (E.g.: Validate tracked content) +- **objectCount** The count for the number of objects that are being transferred. ## Miracast events @@ -4809,36 +4821,36 @@ The following fields are available: ### Microsoft.Windows.Remediation.Applicable -This event indicates whether Windows Update Sediment Remediations need to be applied to a device to keep Windows up to date. The remediations address issues on the system that prevent sediment devices from receiving OS updates. “Sediment” refers to devices that have been on a previous OS version for an extended period. +This event indicates whether Windows Update sediment remediations need to be applied to the sediment device to keep Windows up to date. A sediment device is one that has been on a previous OS version for an extended period. The remediations address issues on the system that prevent the device from receiving OS updates. The following fields are available: - **AllowAutoUpdateExists** Indicates whether the Automatic Update feature is turned on. - **AllowAutoUpdateProviderSetExists** Indicates whether the Allow Automatic Update provider exists. -- **AppraiserBinariesValidResult** Indicates whether plug-in was appraised as valid. +- **AppraiserBinariesValidResult** Indicates whether the plug-in was appraised as valid. - **AppraiserRegistryValidResult** Indicates whether the registry entry checks out as valid. -- **AppraiserTaskRepairDisabled** Task repair performed by the appraiser plugin is disabled. -- **AppraiserTaskValid** Indicates that the appraiser task is valid. -- **AUOptionsExists** Indicates whether automatic update options exist. +- **AppraiserTaskRepairDisabled** Task repair performed by the Appraiser plug-in is disabled. +- **AppraiserTaskValid** Indicates that the Appraiser task is valid. +- **AUOptionsExists** Indicates whether the Automatic Update options exist. - **CTACTargetingAttributesInvalid** Indicates whether the Common Targeting Attribute Client (CTAC) attributes are valid. CTAC is a Windows Runtime client library. - **CTACVersion** The Common Targeting Attribute Client (CTAT) version on the device. CTAT is a Windows Runtime client library. - **CV** Correlation vector - **DataStoreSizeInBytes** Size of the data store, in bytes. - **DateTimeDifference** The difference between local and reference clock times. -- **DateTimeSyncEnabled** Indicates whether the datetime sync plug-in is enabled. -- **daysSinceInstallThreshold** The maximum number of days since the operating system was installed before we check to see if remediation is needed. +- **DateTimeSyncEnabled** Indicates whether the Datetime Sync plug-in is enabled. +- **daysSinceInstallThreshold** The maximum number of days since the operating system was installed before the device is checked to see if remediation is needed. - **daysSinceInstallValue** Number of days since the operating system was installed. - **DaysSinceLastSIH** The number of days since the most recent SIH executed. - **DaysToNextSIH** The number of days until the next scheduled SIH execution. - **DetectConditionEnabled** Indicates whether a condition that the remediation tool can repair was detected. -- **DetectedCondition** Indicates whether detect condition is true and the perform action will be run. +- **DetectedCondition** Indicates whether detected condition is true and the perform action will be run. - **DetectionFailedReason** Indicates why a given remediation failed to fix a problem that was detected. - **DiskFreeSpaceBeforeSedimentPackInMB** Number of megabytes of disk space available on the device before running the Sediment Pack. - **DiskSpaceBefore** The amount of free disk space available before a remediation was run. - **EditionIdFixCorrupted** Indicates whether the Edition ID is corrupted. - **EscalationTimerResetFixResult** The result of fixing the escalation timer. - **EvalAndReportAppraiserRegEntries** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed. -- **FixedEditionId** Indicates whether we fixed Edition ID. +- **FixedEditionId** Indicates whether we fixed the edition ID. - **FlightRebootTime** The amount of time before the system is rebooted. - **ForcedRebootToleranceDays** The maximum number of days before a system reboot is forced on the devie. - **FreeSpaceRequirement** The amount of free space required. @@ -4875,7 +4887,7 @@ The following fields are available: - **ProductType** The product type of Windows 10. - **QualityUpdateSedimentFunnelState** Provides information about whether Windows Quality Updates are missing on the device. - **QualityUpdateSedimentJsonSchemaVersion** The schema version of the Quality Update Sediment Remediation. -- **QualityUpdateSedimentLastRunSeconds** The number of seconds since the Quality Updates were run +- **QualityUpdateSedimentLastRunSeconds** The number of seconds since the Quality Updates were run. - **QualityUpdateSedimentLocalStartTime** Provides information about when Quality Updates were run. - **QualityUpdateSedimentLocaltTime** The local time of the device running the Quality Update Sediment Remediation. - **QualityUpdateSedimentTargetedPlugins** Provides the list of remediation plug-ins that are applicable to enable Quality Updates on the device. @@ -4887,7 +4899,7 @@ The following fields are available: - **RemediationAutoUACalendarTaskEnabled** Indicates whether an Automatic Update Assistant tool task is enabled. - **RemediationAutoUACalendarTaskExists** Indicates whether an Automatic Update Assistant tool task exists. - **RemediationAutoUACalendarTaskTriggerEnabledCount** Indicates the number of times an Automatic Update Assistant tool task has been triggered. -- **RemediationAutoUADaysSinceLastTaskRunTime** Indicates the last run time of an Automatic Update Assistant tool task. +- **RemediationAutoUADaysSinceLastTaskRunTime** Indicates the last run time an Automatic Update Assistant tool task was run. - **RemediationAutoUAGetCurrentSize** Indicates the current size of the Automatic Update Assistant tool. - **RemediationAutoUAIsInstalled** Indicates whether the Automatic Update Assistant tool is installed. - **RemediationAutoUALastTaskRunResult** Indicates the result from the last time the Automatic Update Assistant tool was run. @@ -4895,16 +4907,16 @@ The following fields are available: - **RemediationAutoUATaskEnabled** Indicates whether the Automatic Update Assistant tool task is enabled. - **RemediationAutoUATaskExists** Indicates whether an Automatic Update Assistant tool task exists. - **RemediationAutoUATasksStalled** Indicates whether an Automatic Update Assistant tool task is stalled. -- **RemediationAutoUATaskTriggerEnabledCount** Indicates how many times an Automatic Update Assistant tool task has been triggered. +- **RemediationAutoUATaskTriggerEnabledCount** Indicates how many times an Automatic Update Assistant tool task was triggered. - **RemediationAutoUAUAExitCode** Indicates any exit code provided by the Automatic Update Assistant tool. - **RemediationAutoUAUAExitState** Indicates the exit state of the Automatic Update Assistant tool. - **RemediationAutoUAUserLoggedIn** Indicates whether a user is logged in. -- **RemediationAutoUAUserLoggedInAdmin** Indicates whether an Administrator user is logged in. +- **RemediationAutoUAUserLoggedInAdmin** Indicates whether a user is logged in as an Administrator. - **RemediationCorruptionRepairBuildNumber** The build number to use to repair corruption. - **RemediationCorruptionRepairCorruptionsDetected** Indicates whether corruption was detected. - **RemediationCorruptionRepairDetected** Indicates whether an attempt was made to repair the corruption. - **RemediationDeliverToastBuildNumber** Indicates a build number that should be applicable to this device. -- **RemediationDeliverToastDetected** Indicates that a plugin has been detected. +- **RemediationDeliverToastDetected** Indicates that a plug-in has been detected. - **RemediationDeliverToastDeviceExcludedNation** Indicates the geographic identity (GEO ID) that is not applicable for a given plug-in. - **RemediationDeliverToastDeviceFreeSpaceInMB** Indicates the amount of free space, in megabytes. - **RemediationDeliverToastDeviceHomeSku** Indicates whether the plug-in is applicable for the Windows 10 Home edition. @@ -4914,12 +4926,12 @@ The following fields are available: - **RemediationDeliverToastGeoId** Indicates the geographic identifier (GEO ID) that is applicable for a given plug-in. - **RemediationDeviceSkuId** The Windows 10 edition ID that maps to the version of Windows 10 on the device. - **RemediationGetCurrentFolderExist** Indicates whether the GetCurrent folder exists. -- **RemediationNoisyHammerAcLineStatus** Event that indicates the AC Line Status of the machine. +- **RemediationNoisyHammerAcLineStatus** Indicates the AC Line Status of the device. - **RemediationNoisyHammerAutoStartCount** The number of times hammer auto-started. - **RemediationNoisyHammerCalendarTaskEnabled** Event that indicates Update Assistant Calendar Task is enabled. - **RemediationNoisyHammerCalendarTaskExists** Event that indicates an Update Assistant Calendar Task exists. - **RemediationNoisyHammerCalendarTaskTriggerEnabledCount** Event that indicates calendar triggers are enabled in the task. -- **RemediationNoisyHammerDaysSinceLastTaskRunTime** The number of days since the most recent hammer task ran. +- **RemediationNoisyHammerDaysSinceLastTaskRunTime** The number of days since the most recent Noisy Hammer task ran. - **RemediationNoisyHammerGetCurrentSize** Size in MB of the $GetCurrent folder. - **RemediationNoisyHammerIsInstalled** TRUE if the noisy hammer is installed. - **RemediationNoisyHammerLastTaskRunResult** The result of the last hammer task run. @@ -4943,10 +4955,10 @@ The following fields are available: - **RemediationProgramDataFolderSizeInMB** The size (in megabytes) of the Program Data folder on the device. - **RemediationProgramFilesFolderSizeInMB** The size (in megabytes) of the Program Files folder on the device. - **RemediationShellDeviceApplicabilityFailedReason** The reason the Remediation is not applicable to the device (expressed as a bitmap). -- **RemediationShellDeviceEducationSku** Indicates whether a Windows 10 Education edition is detected on the device. -- **RemediationShellDeviceEnterpriseSku** Indicates whether a Windows 10 Enterprise edition is detected on the device. +- **RemediationShellDeviceEducationSku** Indicates whether the Windows 10 Education edition is detected on the device. +- **RemediationShellDeviceEnterpriseSku** Indicates whether the Windows 10 Enterprise edition is detected on the device. - **RemediationShellDeviceFeatureUpdatesPaused** Indicates whether Feature Updates are paused on the device. -- **RemediationShellDeviceHomeSku** Indicates whether a Windows 10 Home edition is detected on the device. +- **RemediationShellDeviceHomeSku** Indicates whether the Windows 10 Home edition is detected on the device. - **RemediationShellDeviceIsAllowedSku** Indicates whether the Windows 10 edition is applicable to the device. - **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. - **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. @@ -4957,9 +4969,9 @@ The following fields are available: - **RemediationShellDeviceSetupMutexInUse** Indicates whether device setup is in progress. - **RemediationShellDeviceWuRegistryBlocked** Indicates whether the Windows Update is blocked on the device via the registry. - **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. -- **RemediationShellHasExpired** Indicates whether the Remediation iterations have ended. +- **RemediationShellHasExpired** Indicates whether the remediation iterations have ended. - **RemediationShellHasUpgraded** Indicates whether the device upgraded. -- **RemediationShellIsDeviceApplicable** Indicates whether the Remediation is applicable to the device. +- **RemediationShellIsDeviceApplicable** Indicates whether the remediation is applicable to the device. - **RemediationTargetMachine** Indicates whether the device is a target of the specified fix. - **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task. - **RemediationTaskHealthChkdskProactiveScan** True/False based on the health of the Check Disk task. @@ -4973,7 +4985,7 @@ The following fields are available: - **RemediationUHServiceNotExistBitMap** A bitmap indicating which services were deleted. - **RemediationUsersFolderSizeInMB** The size (in megabytes) of the Users folder on the device. - **RemediationWindows10UpgradeFolderExist** Indicates whether the Windows 10 Upgrade folder exists. -- **RemediationWindows10UpgradeFolderSizeInMB** The size (in megabytes) of Windows 10 Upgrade folder on the device. +- **RemediationWindows10UpgradeFolderSizeInMB** The size (in megabytes) of the Windows 10 Upgrade folder on the device. - **RemediationWindowsAppsFolderSizeInMB** The size (in megabytes) of the Windows Applications folder on the device. - **RemediationWindowsBtFolderSizeInMB** The size (in megabytes) of the Windows BT folder on the device. - **RemediationWindowsFolderSizeInMB** The size (in megabytes) of the Windows folder on the device. @@ -5003,7 +5015,7 @@ The following fields are available: ### Microsoft.Windows.Remediation.Completed -This event is sent when Windows Update Sediment Remediations have completed on a device to keep Windows up to date. The remediations address issues on the system that prevent sediment devices from receiving OS updates. “Sediment” refers to devices that have been on a previous OS version for an extended period. +This event is sent when Windows Update sediment remediations have completed on the sediment device to keep Windows up to date. A sediment device is one that has been on a previous OS version for an extended period. The remediations address issues on the system that prevent the device from receiving OS updates. The following fields are available: @@ -5021,7 +5033,7 @@ The following fields are available: - **DiskSpaceCleanedByRestorePointRemoval** The amount of disk space (megabytes) in restore points that was cleaned up by the plug-in. - **ForcedAppraiserTaskTriggered** TRUE if Appraiser task ran from the plug-in. - **GlobalEventCounter** Client-side counter that indicates ordering of events sent by the active user. -- **HandlerCleanupFreeDiskInMegabytes** The amount of hard disk space cleaned by the storage sense handlers, measured in Megabytes. +- **HandlerCleanupFreeDiskInMegabytes** The amount of hard disk space cleaned by the storage sense handlers, measured in megabytes. - **hasRolledBack** Indicates whether the client machine has rolled back. - **hasUninstalled** Indicates whether the client machine has uninstalled a later version of the OS. - **hResult** The result of the event execution. @@ -5095,7 +5107,7 @@ The following fields are available: - **StorageSenseHelloFaceRecognitionFodCleanupTotalInByte** The amount of space that Storage Sense was able to clean up in the User Download folder by removing Windows Hello facial recognition. - **StorageSenseRestorePointCleanupTotalInMB** The total number of megabytes that Storage Sense cleaned up in the User Download folder. - **StorageSenseUserDownloadFolderCleanupTotalInByte** The total number of bytes that Storage Sense cleaned up in the User Download folder. -- **systemDriveFreeDiskSpace** Indicates the free disk space on system drive in MBs. +- **systemDriveFreeDiskSpace** Indicates the free disk space on system drive, in megabytes. - **systemUptimeInHours** Indicates the amount of time the system in hours has been on since the last boot. - **uninstallActive** TRUE if previous uninstall has occurred for current OS - **usoScanDaysSinceLastScan** The number of days since the last USO (Update Session Orchestrator) scan. @@ -5107,7 +5119,7 @@ The following fields are available: - **usoScanIsNetworkMetered** TRUE if the device is currently connected to a metered network. - **usoScanIsNoAutoUpdateKeyPresent** TRUE if no Auto Update registry key is set/present. - **usoScanIsUserLoggedOn** TRUE if the user is logged on. -- **usoScanPastThreshold** TRUE if the most recent USO (Update Session Orchestrator) scan is past the threshold (late). +- **usoScanPastThreshold** TRUE if the most recent Update Session Orchestrator (USO) scan is past the threshold (late). - **usoScanType** The type of USO (Update Session Orchestrator) scan: "Interactive" or "Background". - **windows10UpgraderBlockWuUpdates** Event to report the value of Windows 10 Upgrader BlockWuUpdates Key. - **windowsEditionId** Event to report the value of Windows Edition ID. @@ -5117,7 +5129,7 @@ The following fields are available: ### Microsoft.Windows.Remediation.Started -This event is sent when Windows Update Sediment Remediations have started on a device to keep Windows up to date. The remediations address issues on the system that prevent sediment devices from receiving OS updates. “Sediment” refers to devices that have been on a previous OS version for an extended period. +This event is sent when Windows Update sediment remediations have started on the sediment device to keep Windows up to date. A sediment device is one that has been on a previous OS version for an extended period. The remediations address issues on the system that prevent the device from receiving OS updates. The following fields are available: @@ -5195,7 +5207,7 @@ The following fields are available: ### Microsoft.Windows.SedimentLauncher.Applicable -Indicates whether a given plugin is applicable. +This event is sent when the Windows Update sediment remediations launcher finds that an applicable plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The following fields are available: @@ -5213,7 +5225,7 @@ The following fields are available: ### Microsoft.Windows.SedimentLauncher.Completed -Indicates whether a given plugin has completed its work. +This event is sent when the Windows Update sediment remediations launcher finishes running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The following fields are available: @@ -5228,7 +5240,7 @@ The following fields are available: ### Microsoft.Windows.SedimentLauncher.Started -This event indicates that a given plug-in has started. +This event is sent when the Windows Update sediment remediations launcher starts running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The following fields are available: @@ -5241,7 +5253,7 @@ The following fields are available: ### Microsoft.Windows.SedimentService.Applicable -This event indicates whether a given plug-in is applicable. +This event is sent when the Windows Update sediment remediations service finds that an applicable plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The following fields are available: @@ -5259,7 +5271,7 @@ The following fields are available: ### Microsoft.Windows.SedimentService.Completed -This event indicates whether a given plug-in has completed its work. +This event is sent when the Windows Update sediment remediations service finishes running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The following fields are available: @@ -5283,7 +5295,7 @@ The following fields are available: ### Microsoft.Windows.SedimentService.Started -This event indicates a specified plug-in has started. This information helps ensure Windows is up to date. +This event is sent when the Windows Update sediment remediations service starts running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The following fields are available: @@ -5468,7 +5480,6 @@ The following fields are available: - **BiosSKUNumber** The sku number of the device BIOS. - **BIOSVendor** The vendor of the BIOS. - **BiosVersion** The version of the BIOS. -- **Bundle02,UsedDO** No content is currently available. - **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. - **BundleId** Identifier associated with the specific content bundle. - **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. @@ -5483,7 +5494,6 @@ The following fields are available: - **CDNId** ID which defines which CDN the software distribution client downloaded the content from. - **ClientVersion** The version number of the software distribution client. - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. -- **ComvonProps** No content is currently available. - **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. - **CurrentMobileOperator** The mobile operator the device is currently connected to. - **DeviceModel** The model of the device. @@ -5621,7 +5631,6 @@ The following fields are available: - **DeviceModel** The device model. - **DriverPingBack** Contains information about the previous driver and system state. - **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. -- **DriverReuoveryIds** No content is currently available. - **EventInstanceID** A globally unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. - **EventType** Possible values are Child, Bundle, or Driver. @@ -6392,7 +6401,6 @@ The following fields are available: - **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FieldName** Retrieves the data point. -- **FimldName** No content is currently available. - **FlightData** Specifies a unique identifier for each group of Windows Insider builds. - **InstanceId** Retrieves a unique identifier for each instance of a setup session. - **ReportId** Retrieves the report ID. @@ -7087,8 +7095,6 @@ The following fields are available: - **numPeers** The total number of peers used for this download. - **numPeersLocal** The total number of local peers used for this download. - **predefinedCallerName** The name of the API Caller. -- **restrictederRepo** No content is currently available. -- **restrictedloaded** No content is currently available. - **restrictedUpload** Is the upload restricted? - **routeToCacheServer** The cache server setting, source, and value. - **sessionID** The ID of the download session. @@ -7150,7 +7156,6 @@ The following fields are available: - **predefinedCallerName** Name of the API caller. - **routeToCacheServer** Cache server setting, source, and value. - **sessionID** The ID for the file download session. -- **setConbigs** No content is currently available. - **setConfigs** A JSON representation of the configurations that have been set, and their sources. - **updateID** The ID of the update being downloaded. - **usedMemoryStream** Indicates whether the download used memory streaming. From 27b525e366e7221874e89b7bf3fbb59fe7d420af Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Tue, 16 Apr 2019 12:39:03 -0700 Subject: [PATCH 159/492] fix order --- windows/application-management/manage-windows-mixed-reality.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 789eabab79..5f7378bd96 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md @@ -33,7 +33,7 @@ Organizations that use Windows Server Update Services (WSUS) must take action to 2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD. - a. Download the FOD .cab file for [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), [Windows 10, version 1709](http://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab), or [Windows 10, version 1903](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab). + a. Download the FOD .cab file for [Windows 10, version 1903](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](http://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab). >[!NOTE] >You must download the FOD .cab file that matches your operating system version. From 85337ba37717c4193472115297020fa2c67368d2 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 17 Apr 2019 08:32:51 -0700 Subject: [PATCH 160/492] new build 4/17/2019 8:32 AM --- ...ndows-diagnostic-events-and-fields-1903.md | 76 +++++++++---------- 1 file changed, 38 insertions(+), 38 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 04b2280580..c229f9a624 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/16/2019 +ms.date: 04/17/2019 --- @@ -4109,6 +4109,43 @@ The following fields are available: - **ServiceName** The driver or service name that is attached to the device. +## Migration events + +### Microsoft.Windows.MigrationCore.MigObjectCountDLUsr + +This event returns data to track the count of the migration objects across various phases during feature update. + +The following fields are available: + +- **currentSid** Indicates the user SID for which the migration is being performed. +- **knownFoldersUsr[i]** Predefined folder path locations. +- **migDiagSession->CString** The phase of the upgrade where migration occurs. (E.g.: Validate tracked content) +- **objectCount** The count for the number of objects that are being transferred. + + +### Microsoft.Windows.MigrationCore.MigObjectCountKFSys + +This event returns data about the count of the migration objects across various phases during feature update. + +The following fields are available: + +- **knownFoldersSys[i]** The predefined folder path locations. +- **migDiagSession->CString** Identifies the phase of the upgrade where migration happens. +- **objectCount** The count of the number of objects that are being transferred. + + +### Microsoft.Windows.MigrationCore.MigObjectCountKFUsr + +This event returns data to track the count of the migration objects across various phases during feature update. + +The following fields are available: + +- **currentSid** Indicates the user SID for which the migration is being performed. +- **knownFoldersUsr[i]** No content is currently available. +- **migDiagSession->CString** No content is currently available. +- **objectCount** No content is currently available. + + ## Miracast events ### Microsoft.Windows.Cast.Miracast.MiracastSessionEnd @@ -4183,43 +4220,6 @@ The following fields are available: - **WFD2Supported** Indicates if the Miracast receiver supports WFD2 protocol. -## Other events - -### Microsoft.Windows.MigrationCore.MigObjectCountDLUsr - -No content is currently available. - -The following fields are available: - -- **currentSid** No content is currently available. -- **knownFoldersUsr[i]** No content is currently available. -- **migDiagSession->CString** No content is currently available. -- **objectCount** No content is currently available. - - -### Microsoft.Windows.MigrationCore.MigObjectCountKFSys - -This event returns data about the count of the migration objects across various phases during feature update. - -The following fields are available: - -- **knownFoldersSys[i]** The predefined folder path locations. -- **migDiagSession->CString** Identifies the phase of the upgrade where migration happens. -- **objectCount** The count of the number of objects that are being transferred. - - -### Microsoft.Windows.MigrationCore.MigObjectCountKFUsr - -This event returns data to track the count of the migration objects across various phases during feature update. - -The following fields are available: - -- **currentSid** Indicates the user SID for which the migration is being performed. -- **knownFoldersUsr[i]** No content is currently available. -- **migDiagSession->CString** No content is currently available. -- **objectCount** No content is currently available. - - ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted From cc14178c1f01b831c446a70f458b9be01be273db Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 17 Apr 2019 08:32:59 -0700 Subject: [PATCH 161/492] new build 4/17/2019 8:32 AM --- ...ndows-diagnostic-events-and-fields-1703.md | 2 +- ...ndows-diagnostic-events-and-fields-1709.md | 2 +- ...ndows-diagnostic-events-and-fields-1803.md | 2 +- ...ndows-diagnostic-events-and-fields-1809.md | 40 +++++++++++++++---- 4 files changed, 36 insertions(+), 10 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 187e5b5800..7d66c1ca89 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/16/2019 +ms.date: 04/17/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 8aed3dab5e..add7ca9310 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/16/2019 +ms.date: 04/17/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index d26544c92c..d43561bf66 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/16/2019 +ms.date: 04/17/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 26bb7bab6a..3826050602 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/16/2019 +ms.date: 04/17/2019 --- @@ -2790,10 +2790,12 @@ The following fields are available: - **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. - **SettingsHttpAttempts** Number of attempts to contact OneSettings service. - **SettingsHttpFailures** The number of failures from contacting the OneSettings service. +- **T`rottledDroppedCount** No content is currently available. - **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. - **TopUploaderErrors** List of top errors received from the upload endpoint. - **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. - **UploaderErrorCount** Number of errors received from the upload endpoint. +- **UreviousHeartBeatTime** No content is currently available. - **VortexFailuresTimeout** The number of timeout failures received from Vortex. - **VortexHttpAttempts** Number of attempts to contact Vortex. - **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. @@ -3408,6 +3410,7 @@ The following fields are available: - **BrightnessVersionViaDDI** The version of the Display Brightness Interface. - **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. - **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). +- **DedicatedVideoMemmryB** No content is currently available. - **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). - **DisplayAdapterLuid** The display adapter LUID. - **DriverDate** The date of the display driver. @@ -3420,11 +3423,14 @@ The following fields are available: - **GPUDeviceID** The GPU device ID. - **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. - **GPURevisionID** The GPU revision ID. +- **GPUVefdorID** No content is currently available. - **GPUVendorID** The GPU vendor ID. - **InterfaceId** The GPU interface ID. - **IsDisplayDevice** Does the GPU have displaying capabilities? - **IsHwSchSupported** Indicates whether the adapter supports hardware scheduling. +- **IsHy`ridIntegrated** No content is currently available. - **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? +- **IsHybridDiscRete** No content is currently available. - **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? - **IsLDA** Is the GPU comprised of Linked Display Adapters? - **IsMiracastSupported** Does the GPU support Miracast? @@ -3538,12 +3544,16 @@ The following fields are available: - **AppVersion** The version of the app that has crashed. - **ExceptionCode** The exception code returned by the process that has crashed. - **ExceptionOffset** The address where the exception had occurred. +- **EzceptionCode** No content is currently available. - **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. - **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. +- **FriendlyArpName** No content is currently available. - **IsFatal** True/False to indicate whether the crash resulted in process termination. - **ModName** Exception module name (e.g. bar.dll). - **ModTimeStamp** The date/time stamp of the module. +- **ModVdrsion** No content is currently available. - **ModVersion** The version of the module that has crashed. +- **PackageFullNale** No content is currently available. - **PackageFullName** Store application identity. - **PackageRelativeAppId** Store application identity. - **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. @@ -4551,15 +4561,14 @@ The following fields are available: ### Microsoft.Windows.MigrationCore.MigObjectCountDLUsr -No content is currently available. +This event returns data to track the count of the migration objects across various phases during feature update. The following fields are available: -- **currentSid** No content is currently available. -- **defaultLoc->DirName->CString** No content is currently available. -- **knownFoldersUsr[i]** No content is currently available. -- **migDiagSession->CString** No content is currently available. -- **objectCount** No content is currently available. +- **currentSid** Indicates the user SID for which the migration is being performed. +- **knownFoldersUsr[i]** Predefined folder path locations. +- **migDiagSession->CString** The phase of the upgrade where migration occurs. (E.g.: Validate tracked content) +- **objectCount** The count for the number of objects that are being transferred. ### Microsoft.Windows.MigrationCore.MigObjectCountKFSys @@ -5340,6 +5349,7 @@ This service retrieves events generated by SetupPlatform, the engine that drives The following fields are available: +- **Fie** No content is currently available. - **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. - **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. - **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. @@ -5372,6 +5382,7 @@ The following fields are available: - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0. - **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown - **CurrentMobileOperator** The mobile operator the device is currently connected to. +- **Deferral@olicySources** No content is currently available. - **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). - **DeferredUpdates** Update IDs which are currently being deferred until a later time - **DeviceModel** What is the device model. @@ -5398,6 +5409,7 @@ The following fields are available: - **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce - **MSIError** The last error that was encountered during a scan for updates. - **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 +- **Num`erOfNewUpdatesFromServiceSync** No content is currently available. - **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete - **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked - **NumberOfLoop** The number of round trips the scan required @@ -5469,6 +5481,7 @@ Download process event for target update on Windows Update client. See the Event The following fields are available: +- **ActiveDownload4ime** No content is currently available. - **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded. - **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload. - **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. @@ -5493,6 +5506,7 @@ The following fields are available: - **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. - **CDNId** ID which defines which CDN the software distribution client downloaded the content from. - **ClientVersion** The version number of the software distribution client. +- **Co,76dB4ime** No content is currently available. - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. - **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. - **CurrentMobileOperator** The mobile operator the device is currently connected to. @@ -5506,6 +5520,7 @@ The following fields are available: - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. - **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). +- **FlightBu9ldNumber** No content is currently available. - **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. - **FlightId** The specific ID of the flight (pre-release build) the device is getting. - **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). @@ -5517,11 +5532,13 @@ The following fields are available: - **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update - **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. - **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. +- **IsWUfBEncbled** No content is currently available. - **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. - **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) - **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." - **PackageFullName** The package name of the content. - **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. +- **PostDnld4ime** No content is currently available. - **PostDnldTime** Time (in seconds) taken to signal download completion after the last job completed downloading the payload. - **ProcessName** The process name of the application that initiated API calls, in the event where CallerApplicationName was not provided. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. @@ -5535,6 +5552,7 @@ The following fields are available: - **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). - **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. - **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. +- **SizeCalc4ime** No content is currently available. - **SizeCalcTime** Time (in seconds) taken to calculate the total download size of the payload. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). - **SystemBIOSMajorRelease** Major version of the BIOS. @@ -5544,6 +5562,7 @@ The following fields are available: - **TargetMetadataVersion** The version of the currently downloading (or most recently downloaded) package. - **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet. - **TimeToEstablishConnection** Time (in milliseconds) it took to establish the connection prior to beginning downloaded. +- **TotalExp6dBedBytes** No content is currently available. - **TotalExpectedBytes** The total size (in Bytes) expected to be downloaded. - **UpdateId** An identifier associated with the specific piece of content. - **UpdateID** An identifier associated with the specific piece of content. @@ -5587,6 +5606,7 @@ The following fields are available: - **ClientVersion** The version number of the software distribution client - **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat - **CurrentError** Last (transient) error encountered by the active download +- **CurrentMrror** No content is currently available. - **DownloadFlags** Flags indicating if power state is ignored - **DownloadState** Current state of the active download for this content (queued, suspended, or progressing) - **EventType** Possible values are "Child", "Bundle", or "Driver" @@ -7073,9 +7093,11 @@ The following fields are available: - **cdnIp** The IP address of the source CDN. - **cdnUrl** Url of the source Content Distribution Network (CDN). - **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **dileID** No content is currently available. - **doErrorCode** The Delivery Optimization error code that was returned. - **downlinkBps** The maximum measured available download bandwidth (in bytes per second). - **downlinkUsageBps** The download speed (in bytes per second). +- **downlinkUsageFps** No content is currently available. - **downloadMode** The download mode used for this file download session. - **downloadModeReason** Reason for the download. - **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). @@ -7094,6 +7116,7 @@ The following fields are available: - **linkLocalConnectionCount** The number of connections made to peers in the same Link-local network. - **numPeers** The total number of peers used for this download. - **numPeersLocal** The total number of local peers used for this download. +- **ppedefinedCallerName** No content is currently available. - **predefinedCallerName** The name of the API Caller. - **restrictedUpload** Is the upload restricted? - **routeToCacheServer** The cache server setting, source, and value. @@ -7101,7 +7124,9 @@ The following fields are available: - **totalTimeMs** Duration of the download (in seconds). - **updateID** The ID of the update being downloaded. - **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). +- **uplinkFps** No content is currently available. - **uplinkUsageBps** The upload speed (in bytes per second). +- **uplinkUsageFps** No content is currently available. - **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. @@ -7149,6 +7174,7 @@ The following fields are available: - **fileSize** Total file size of the file that was downloaded. - **fileSizeCaller** Value for total file size provided by our caller. - **groupID** ID for the group. +- **grOupID** No content is currently available. - **isEncrypted** Indicates whether the download is encrypted. - **isVpn** Indicates whether the device is connected to a Virtual Private Network. - **jobID** The ID of the Windows Update job. From 4ae7c10b9aa1a308e235ac234c6dae8f87b5bef7 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Wed, 17 Apr 2019 15:25:44 -0700 Subject: [PATCH 162/492] updated names --- windows/security/threat-protection/index.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 8747fb3827..bface3f851 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -37,12 +37,12 @@ ms.localizationpriority: medium -**[Threat & Vulnerability Management](windows-defender-atp/next-gen-threat-and-vuln-mgt.md)**
+**[Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)**
This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. -- [Risk-based Threat & Vulnerability Management](windows-defender-atp/next-gen-threat-and-vuln-mgt.md) -- [What's in the dashboard and what it means for my organization](windows-defender-atp/tvm-dashboard-insights.md) -- [Configuration score](windows-defender-atp/configuration-score.md) -- [Scenarios](windows-defender-atp/threat-and-vuln-mgt-scenarios.md) +- [Risk-based Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) +- [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md) +- [Configuration score](microsoft-defender-atp/configuration-score.md) +- [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md) From 0e10de048c051784558a0868a2183724aa115a19 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Wed, 17 Apr 2019 15:35:11 -0700 Subject: [PATCH 163/492] search product --- .../microsoft-defender-atp/configuration-score.md | 2 +- .../microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md | 2 +- .../microsoft-defender-atp/tvm-dashboard-insights.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md index 746d31cc8f..bb6764a9a3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md @@ -2,7 +2,7 @@ title: Overview of Configuration score in Microsoft Defender Security Center description: Expand your visibility into the overall security configuration posture of your organization keywords: configuration score, mdatp configuration score, secure score, security controls, improvement opportunities, security configuration score over time, security posture, baseline -search.product: Windows 10 +search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md index d83dc2575a..cefa8aada0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md +++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md @@ -2,7 +2,7 @@ title: Next-generation Threat & Vulnerability Management description: This new capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. keywords: threat and vulnerability management, MDATP-TVM, vulnerability management, threat and vulnerability scanning -search.product: Windows 10 +search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md index 9613ef139d..c0236a5f88 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md @@ -2,7 +2,7 @@ title: What's in the dashboard and what it means for my organization's security posture description: keywords: -search.product: Windows 10 +search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy From 021bc3707ea97df8a7f3b03163782c49de022c33 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 18 Apr 2019 10:01:12 -0700 Subject: [PATCH 164/492] new build 4/18/2019 10:01 AM --- ...ndows-diagnostic-events-and-fields-1903.md | 121 +++--------------- 1 file changed, 18 insertions(+), 103 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index c229f9a624..161e810b9e 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/17/2019 +ms.date: 04/18/2019 --- @@ -1606,6 +1606,17 @@ The following fields are available: - **IEVersion** The version of Internet Explorer that is running on the device. +### Census.Azure + +No content is currently available. + +The following fields are available: + +- **CloudCoreBuildEx** No content is currently available. +- **CloudCoreSupportBuildEx** No content is currently available. +- **NodeID** No content is currently available. + + ### Census.Battery This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date. @@ -2088,18 +2099,6 @@ The following fields are available: - **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app. -### Common Data Extensions.cloud - -Describes the service-related fields populated by the cloud service. - -The following fields are available: - -- **role** The role of the service. -- **roleInstance** The instance id of the deployed role instance generating the event. -- **roleVer** The build version of the role. -- **ver** No content is currently available. - - ### Common Data Extensions.container Describes the properties of the container for events logged within a container. @@ -2113,35 +2112,16 @@ The following fields are available: - **type** The container type. Examples: Process or VMHost -### Common Data Extensions.cs1 - -No content is currently available. - -The following fields are available: - -- **dblp** A bitfield that is set to a non-zero value if the event in the newer schema has an equivalent event from the 1.0 schema. -- **esc** The event sequence clock. -- **ev** The version of the event. -- **locale** The client language locale on the device. -- **scid** The Service Config ID of the running title that sent the event. -- **users** A comma-separated list of all users logged into the device when the event was created. The user ID is encoded. Example: x:12345678 - - ### Common Data Extensions.device Describes the device-related fields. The following fields are available: -- **authId** The ID of the device associated with this event. For Microsoft Account tickets, this is expected to be the MSA Global ID. -- **authSecId** The secondary ID of the device associated with this event. For Microsoft Account tickets, this is expected to be the MSA Hardware ID. - **deviceClass** The device classification. For example, Desktop, Server, or Mobile. -- **id** A unique device ID. - **localId** A locally-defined unique ID for the device. This is not the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId - **make** Device manufacturer. - **model** Device model. -- **orgAuthId** ID used to authenticate the orgId. -- **orgId** Organization ID associated with the event. ### Common Data Extensions.Envelope @@ -2152,14 +2132,8 @@ The following fields are available: - **data** Represents the optional unique diagnostic data for a particular event schema. - **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp). -- **ext_cloud** Describes the service-related fields populated by the cloud service. See [Common Data Extensions.cloud](#common-data-extensionscloud). - **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer). -- **ext_cs1** If the field doesn't exist in the newer schema, this contains the fields from an earlier schema. See [Common Data Extensions.cs1](#common-data-extensionscs1). - **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice). -- **ext_ingest** Describes the fields added dynamically by the service. See [Common Data Extensions.ingest](#common-data-extensionsingest). -- **ext_intService** No content is currently available. See [Common Data Extensions.intService](#common-data-extensionsintservice). -- **ext_intWeb** No content is currently available. See [Common Data Extensions.intWeb](#common-data-extensionsintweb). -- **ext_loc** Describes the location from which the event was logged. See [Common Data Extensions.loc](#common-data-extensionsloc). - **ext_mscv** No content is currently available. See [Common Data Extensions.mscv](#common-data-extensionsmscv). - **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos). - **ext_receipts** Describes the fields related to time as provided by the client for debugging purposes. See [Common Data Extensions.receipts](#common-data-extensionsreceipts). @@ -2174,65 +2148,13 @@ The following fields are available: - **ver** Represents the major and minor version of the extension. -### Common Data Extensions.ingest - -Describes the fields that are added by the ingestion service. - -The following fields are available: - -- **auth** Used to assess the trustworthiness of the data. -- **client** The client name. -- **clientIp** The IP address seen by the service. This is not necessarily the client IP address, but could be a router or some other device. -- **processedIngest** If the event already had an ingest extension and the client was authenticated as a first party, the ingest extension will be inserted as processedIngest. -- **quality** A bitfield added by the service to all events coming from a client device. -- **time** The time that the event was received by the service. -- **userAgent** For events that are not using the CUET component, this is the user agent of the browser. - - -### Common Data Extensions.intService - -No content is currently available. - -The following fields are available: - -- **deploymentUnit** No content is currently available. -- **environment** No content is currently available. -- **fullEnvName** No content is currently available. -- **location** No content is currently available. -- **name** No content is currently available. - - -### Common Data Extensions.intWeb - -No content is currently available. - -The following fields are available: - -- **anid** No content is currently available. -- **mc1Id** No content is currently available. -- **mscom** No content is currently available. -- **msfpc** No content is currently available. -- **serviceName** No content is currently available. - - -### Common Data Extensions.loc - -Describes the location from which the event was logged. - -The following fields are available: - -- **country** 2 letter country code using the codes from the ISO 3166-1 alpha-2 standard. -- **id** Location ID based on the client's IP address. -- **tz** The time zone of the device. - - ### Common Data Extensions.mscv -No content is currently available. +Describes the correlation vector-related fields. The following fields are available: -- **cV** No content is currently available. +- **cV** Represents the Correlation Vector: A single field for tracking partial order of related events across component boundaries. ### Common Data Extensions.os @@ -2280,7 +2202,6 @@ Describes the fields related to a user. The following fields are available: - **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token. -- **id** Unique user Id. Example: x:12345678. - **locale** The language and region. - **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID. @@ -2296,7 +2217,7 @@ The following fields are available: - **cat** Represents a bitmask of the ETW Keywords associated with the event. - **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer. - **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server. -- **eventFlags** No content is currently available. +- **eventFlags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency. - **flags** Represents the bitmap that captures various Windows specific flags. - **loggingBinary** No content is currently available. - **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence @@ -2319,13 +2240,7 @@ No content is currently available. The following fields are available: -- **browser** No content is currently available. -- **browserLang** No content is currently available. - **browserVer** No content is currently available. -- **domain** No content is currently available. -- **isManual** No content is currently available. -- **screenRes** No content is currently available. -- **userConsent** No content is currently available. ### Common Data Extensions.xbl @@ -4141,9 +4056,9 @@ This event returns data to track the count of the migration objects across vario The following fields are available: - **currentSid** Indicates the user SID for which the migration is being performed. -- **knownFoldersUsr[i]** No content is currently available. -- **migDiagSession->CString** No content is currently available. -- **objectCount** No content is currently available. +- **knownFoldersUsr[i]** Predefined folder path locations. +- **migDiagSession->CString** The phase of the upgrade where the migration occurs. (For example, Validate tracked content.) +- **objectCount** The number of objects that are being transferred. ## Miracast events From 57ddb2d7104103e6b85a6b84a7c937f7ed4a69b3 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 18 Apr 2019 10:01:20 -0700 Subject: [PATCH 165/492] new build 4/18/2019 10:01 AM --- ...ndows-diagnostic-events-and-fields-1703.md | 4 +- ...ndows-diagnostic-events-and-fields-1709.md | 2 +- ...ndows-diagnostic-events-and-fields-1803.md | 2 +- ...ndows-diagnostic-events-and-fields-1809.md | 70 +++++++++++-------- 4 files changed, 44 insertions(+), 34 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 7d66c1ca89..086a835957 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/17/2019 +ms.date: 04/18/2019 --- @@ -4004,7 +4004,7 @@ The following fields are available: ### SIHEngineTelemetry.EvalApplicability -This event is sent when targeting logic is evaluated to determine if a device is eligible a given action. +This event is sent when targeting logic is evaluated to determine if a device is eligible for a given action. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index add7ca9310..8dedfc835b 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/17/2019 +ms.date: 04/18/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index d43561bf66..452ecb0c6d 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/17/2019 +ms.date: 04/18/2019 --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 3826050602..122c0460b9 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/17/2019 +ms.date: 04/18/2019 --- @@ -1817,6 +1817,17 @@ The following fields are available: - **IEVersion** The version of Internet Explorer that is running on the device. +### Census.Azure + +No content is currently available. + +The following fields are available: + +- **CloudCoreBuildEx** No content is currently available. +- **CloudCoreSupportBuildEx** No content is currently available. +- **NodeID** No content is currently available. + + ### Census.Battery This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date. @@ -2790,12 +2801,10 @@ The following fields are available: - **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. - **SettingsHttpAttempts** Number of attempts to contact OneSettings service. - **SettingsHttpFailures** The number of failures from contacting the OneSettings service. -- **T`rottledDroppedCount** No content is currently available. - **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. - **TopUploaderErrors** List of top errors received from the upload endpoint. - **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. - **UploaderErrorCount** Number of errors received from the upload endpoint. -- **UreviousHeartBeatTime** No content is currently available. - **VortexFailuresTimeout** The number of timeout failures received from Vortex. - **VortexHttpAttempts** Number of attempts to contact Vortex. - **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. @@ -3410,7 +3419,6 @@ The following fields are available: - **BrightnessVersionViaDDI** The version of the Display Brightness Interface. - **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. - **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). -- **DedicatedVideoMemmryB** No content is currently available. - **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). - **DisplayAdapterLuid** The display adapter LUID. - **DriverDate** The date of the display driver. @@ -3423,14 +3431,11 @@ The following fields are available: - **GPUDeviceID** The GPU device ID. - **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. - **GPURevisionID** The GPU revision ID. -- **GPUVefdorID** No content is currently available. - **GPUVendorID** The GPU vendor ID. - **InterfaceId** The GPU interface ID. - **IsDisplayDevice** Does the GPU have displaying capabilities? - **IsHwSchSupported** Indicates whether the adapter supports hardware scheduling. -- **IsHy`ridIntegrated** No content is currently available. - **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? -- **IsHybridDiscRete** No content is currently available. - **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? - **IsLDA** Is the GPU comprised of Linked Display Adapters? - **IsMiracastSupported** Does the GPU support Miracast? @@ -3544,16 +3549,12 @@ The following fields are available: - **AppVersion** The version of the app that has crashed. - **ExceptionCode** The exception code returned by the process that has crashed. - **ExceptionOffset** The address where the exception had occurred. -- **EzceptionCode** No content is currently available. - **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. - **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. -- **FriendlyArpName** No content is currently available. - **IsFatal** True/False to indicate whether the crash resulted in process termination. - **ModName** Exception module name (e.g. bar.dll). - **ModTimeStamp** The date/time stamp of the module. -- **ModVdrsion** No content is currently available. - **ModVersion** The version of the module that has crashed. -- **PackageFullNale** No content is currently available. - **PackageFullName** Store application identity. - **PackageRelativeAppId** Store application identity. - **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. @@ -4590,8 +4591,8 @@ The following fields are available: - **currentSid** Indicates the user SID for which the migration is being performed. - **knownFoldersUsr[i]** Predefined folder path locations. -- **migDiagSession->CString** The phase of the upgrade where migration occurs. (E.g.: Validate tracked content) -- **objectCount** The count for the number of objects that are being transferred. +- **migDiagSession->CString** The phase of the upgrade where the migration occurs. (For example, Validate tracked content.) +- **objectCount** The number of objects that are being transferred. ## Miracast events @@ -5349,12 +5350,37 @@ This service retrieves events generated by SetupPlatform, the engine that drives The following fields are available: -- **Fie** No content is currently available. - **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. - **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. - **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. +## SIH events + +### SIHEngineTelemetry.EvalApplicability + +This event is sent when targeting logic is evaluated to determine if a device is eligible for a given action. + +The following fields are available: + +- **ActionReasons** If an action has been assessed as inapplicable, the additional logic prevented it. +- **AdditionalReasons** If an action has been assessed as inapplicable, the additional logic prevented it. +- **CachedEngineVersion** The engine DLL version that is being used. +- **EventInstanceID** A unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **HandlerReasons** If an action has been assessed as inapplicable, the installer technology-specific logic prevented it. +- **IsExecutingAction** If the action is presently being executed. +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.) +- **SihclientVersion** The client version that is being used. +- **StandardReasons** If an action has been assessed as inapplicable, the standard logic the prevented it. +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **UpdateID** A unique identifier for the action being acted upon. +- **WuapiVersion** The Windows Update API version that is currently installed. +- **WuaucltVersion** The Windows Update client version that is currently installed. +- **WuauengVersion** The Windows Update engine version that is currently installed. +- **WUDeviceID** The unique identifier controlled by the software distribution client. + + ## Software update events ### SoftwareUpdateClientTelemetry.CheckForUpdates @@ -5382,7 +5408,6 @@ The following fields are available: - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0. - **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown - **CurrentMobileOperator** The mobile operator the device is currently connected to. -- **Deferral@olicySources** No content is currently available. - **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). - **DeferredUpdates** Update IDs which are currently being deferred until a later time - **DeviceModel** What is the device model. @@ -5409,7 +5434,6 @@ The following fields are available: - **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce - **MSIError** The last error that was encountered during a scan for updates. - **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 -- **Num`erOfNewUpdatesFromServiceSync** No content is currently available. - **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete - **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked - **NumberOfLoop** The number of round trips the scan required @@ -5481,7 +5505,6 @@ Download process event for target update on Windows Update client. See the Event The following fields are available: -- **ActiveDownload4ime** No content is currently available. - **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded. - **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload. - **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. @@ -5506,7 +5529,6 @@ The following fields are available: - **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. - **CDNId** ID which defines which CDN the software distribution client downloaded the content from. - **ClientVersion** The version number of the software distribution client. -- **Co,76dB4ime** No content is currently available. - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. - **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. - **CurrentMobileOperator** The mobile operator the device is currently connected to. @@ -5520,7 +5542,6 @@ The following fields are available: - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. - **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). -- **FlightBu9ldNumber** No content is currently available. - **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. - **FlightId** The specific ID of the flight (pre-release build) the device is getting. - **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). @@ -5532,13 +5553,11 @@ The following fields are available: - **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update - **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. - **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. -- **IsWUfBEncbled** No content is currently available. - **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. - **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) - **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." - **PackageFullName** The package name of the content. - **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. -- **PostDnld4ime** No content is currently available. - **PostDnldTime** Time (in seconds) taken to signal download completion after the last job completed downloading the payload. - **ProcessName** The process name of the application that initiated API calls, in the event where CallerApplicationName was not provided. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. @@ -5552,7 +5571,6 @@ The following fields are available: - **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). - **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. - **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. -- **SizeCalc4ime** No content is currently available. - **SizeCalcTime** Time (in seconds) taken to calculate the total download size of the payload. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). - **SystemBIOSMajorRelease** Major version of the BIOS. @@ -5562,7 +5580,6 @@ The following fields are available: - **TargetMetadataVersion** The version of the currently downloading (or most recently downloaded) package. - **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet. - **TimeToEstablishConnection** Time (in milliseconds) it took to establish the connection prior to beginning downloaded. -- **TotalExp6dBedBytes** No content is currently available. - **TotalExpectedBytes** The total size (in Bytes) expected to be downloaded. - **UpdateId** An identifier associated with the specific piece of content. - **UpdateID** An identifier associated with the specific piece of content. @@ -5606,7 +5623,6 @@ The following fields are available: - **ClientVersion** The version number of the software distribution client - **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat - **CurrentError** Last (transient) error encountered by the active download -- **CurrentMrror** No content is currently available. - **DownloadFlags** Flags indicating if power state is ignored - **DownloadState** Current state of the active download for this content (queued, suspended, or progressing) - **EventType** Possible values are "Child", "Bundle", or "Driver" @@ -7093,11 +7109,9 @@ The following fields are available: - **cdnIp** The IP address of the source CDN. - **cdnUrl** Url of the source Content Distribution Network (CDN). - **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. -- **dileID** No content is currently available. - **doErrorCode** The Delivery Optimization error code that was returned. - **downlinkBps** The maximum measured available download bandwidth (in bytes per second). - **downlinkUsageBps** The download speed (in bytes per second). -- **downlinkUsageFps** No content is currently available. - **downloadMode** The download mode used for this file download session. - **downloadModeReason** Reason for the download. - **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). @@ -7116,7 +7130,6 @@ The following fields are available: - **linkLocalConnectionCount** The number of connections made to peers in the same Link-local network. - **numPeers** The total number of peers used for this download. - **numPeersLocal** The total number of local peers used for this download. -- **ppedefinedCallerName** No content is currently available. - **predefinedCallerName** The name of the API Caller. - **restrictedUpload** Is the upload restricted? - **routeToCacheServer** The cache server setting, source, and value. @@ -7124,9 +7137,7 @@ The following fields are available: - **totalTimeMs** Duration of the download (in seconds). - **updateID** The ID of the update being downloaded. - **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). -- **uplinkFps** No content is currently available. - **uplinkUsageBps** The upload speed (in bytes per second). -- **uplinkUsageFps** No content is currently available. - **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. @@ -7174,7 +7185,6 @@ The following fields are available: - **fileSize** Total file size of the file that was downloaded. - **fileSizeCaller** Value for total file size provided by our caller. - **groupID** ID for the group. -- **grOupID** No content is currently available. - **isEncrypted** Indicates whether the download is encrypted. - **isVpn** Indicates whether the device is connected to a Virtual Private Network. - **jobID** The ID of the Windows Update job. From 9b7198fbc27033affb7ca0f899119a2d86b68033 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 18 Apr 2019 15:09:13 -0700 Subject: [PATCH 166/492] new build 4/18/2019 3:09 PM --- ...ndows-diagnostic-events-and-fields-1903.md | 58 +++++++++++++------ 1 file changed, 41 insertions(+), 17 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 161e810b9e..a8a6106419 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -2134,13 +2134,12 @@ The following fields are available: - **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp). - **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer). - **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice). -- **ext_mscv** No content is currently available. See [Common Data Extensions.mscv](#common-data-extensionsmscv). +- **ext_mscv** Describes the correlation vector-related fields. See [Common Data Extensions.mscv](#common-data-extensionsmscv). - **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos). - **ext_receipts** Describes the fields related to time as provided by the client for debugging purposes. See [Common Data Extensions.receipts](#common-data-extensionsreceipts). - **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk). - **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser). - **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc). -- **ext_web** No content is currently available. See [Common Data Extensions.web](#common-data-extensionsweb). - **ext_xbl** Describes the fields related to XBOX Live. See [Common Data Extensions.xbl](#common-data-extensionsxbl). - **iKey** Represents an ID for applications or other logical groupings of events. - **name** Represents the uniquely qualified name for the event. @@ -2219,28 +2218,19 @@ The following fields are available: - **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server. - **eventFlags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency. - **flags** Represents the bitmap that captures various Windows specific flags. -- **loggingBinary** No content is currently available. +- **loggingBinary** The binary (executable, library, driver, etc.) that fired the event. - **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence - **op** Represents the ETW Op Code. -- **pgName** No content is currently available. +- **pgName** The short form of the provider group name associated with the event. - **popSample** No content is currently available. -- **providerGuid** No content is currently available. +- **providerGuid** The ETW provider ID associated with the provider name. - **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. - **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server. - **sqmId** No content is currently available. - **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. -- **wcmp** No content is currently available. -- **wPId** No content is currently available. -- **wsId** No content is currently available. - - -### Common Data Extensions.web - -No content is currently available. - -The following fields are available: - -- **browserVer** No content is currently available. +- **wcmp** The Windows Shell Composer ID. +- **wPId** The Windows Core OS product ID. +- **wsId** The Windows Core OS session ID. ### Common Data Extensions.xbl @@ -7480,6 +7470,17 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.UniversalOrchestratorInvalidSignature + +No content is currently available. + +The following fields are available: + +- **updaterCmdLine** No content is currently available. +- **updaterId** No content is currently available. +- **wuDeviceid** No content is currently available. + + ### Microsoft.Windows.Update.Orchestrator.UnstickUpdate This event is sent when the update service orchestrator (USO) indicates that the update can be superseded by a newer update. @@ -7503,6 +7504,18 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.UpdaterCallbackFailed + +No content is currently available. + +The following fields are available: + +- **updaterArgument** No content is currently available. +- **updaterCmdLine** No content is currently available. +- **updaterId** No content is currently available. +- **wuDeviceid** No content is currently available. + + ### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired This event sends data about whether an update required a reboot to help keep Windows up to date. @@ -7518,6 +7531,17 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.UpdaterMalformedData + +No content is currently available. + +The following fields are available: + +- **malformedRegValue** No content is currently available. +- **updaterId** No content is currently available. +- **wuDeviceid** No content is currently available. + + ### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed This event sends information about an update that encountered problems and was not able to complete. From 1115f64c67d3d2e99d082fcdfdc3f3f6b14cf308 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 19 Apr 2019 08:31:12 -0700 Subject: [PATCH 167/492] new build 4/19/2019 8:31 AM --- ...ndows-diagnostic-events-and-fields-1903.md | 61 ++++++++----------- 1 file changed, 24 insertions(+), 37 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index a8a6106419..97b84fbcf7 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/18/2019 +ms.date: 04/19/2019 --- @@ -1590,7 +1590,7 @@ The following fields are available: ### Census.App -Provides information on IE and Census versions running on the device +This event sends version data about the Apps running on this device, to help keep Windows up to date. The following fields are available: @@ -1608,13 +1608,13 @@ The following fields are available: ### Census.Azure -No content is currently available. +This event returns data from Microsoft-internal Azure server machines (only from Microsoft-internal machines with Server SKUs). All other machines (those outside Microsoft and/or machines that are not part of the “Azure fleet”) return empty data sets. The following fields are available: -- **CloudCoreBuildEx** No content is currently available. -- **CloudCoreSupportBuildEx** No content is currently available. -- **NodeID** No content is currently available. +- **CloudCoreBuildEx** The Azure CloudCore build number. +- **CloudCoreSupportBuildEx** The Azure CloudCore support build number. +- **NodeID** The node identifier on the device that indicates whether the device is part of the Azure fleet. ### Census.Battery @@ -1865,7 +1865,7 @@ The following fields are available: ### Census.Processor -Provides information on several important data points about Processor settings +This event sends data about the processor to help keep Windows up to date. The following fields are available: @@ -2136,7 +2136,6 @@ The following fields are available: - **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice). - **ext_mscv** Describes the correlation vector-related fields. See [Common Data Extensions.mscv](#common-data-extensionsmscv). - **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos). -- **ext_receipts** Describes the fields related to time as provided by the client for debugging purposes. See [Common Data Extensions.receipts](#common-data-extensionsreceipts). - **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk). - **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser). - **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc). @@ -2169,18 +2168,6 @@ The following fields are available: - **ver** Represents the major and minor version of the extension. -### Common Data Extensions.receipts - -Represents various time information as provided by the client and helps for debugging purposes. - -The following fields are available: - -- **flags** No content is currently available. -- **originalName** No content is currently available. -- **originalTime** The original event time. -- **uploadTime** The time the event was uploaded. - - ### Common Data Extensions.sdk Used by platform specific libraries to record fields that are required for a specific SDK. @@ -2191,7 +2178,7 @@ The following fields are available: - **installId** An ID that's created during the initialization of the SDK for the first time. - **libVer** The SDK version. - **seq** An ID that is incremented for each event. -- **ver** No content is currently available. +- **ver** The version of the logging SDK. ### Common Data Extensions.user @@ -2222,7 +2209,7 @@ The following fields are available: - **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence - **op** Represents the ETW Op Code. - **pgName** The short form of the provider group name associated with the event. -- **popSample** No content is currently available. +- **popSample** Represents the effective sample rate for this event at the time it was generated by a client. - **providerGuid** The ETW provider ID associated with the provider name. - **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. - **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server. @@ -2408,7 +2395,7 @@ This event sends data about boot IDs for which a normal clean shutdown was not o The following fields are available: - **AbnormalShutdownBootId** BootId of the abnormal shutdown being reported by this event. -- **AbsCausedbyAutoChk** No content is currently available. +- **AbsCausedbyAutoChk** This flag is set when AutoCheck forces a device restart to indicate that the shutdown was not an abnormal shutdown. - **AcDcStateAtLastShutdown** Identifies if the device was on battery or plugged in. - **BatteryLevelAtLastShutdown** The last recorded battery level. - **BatteryPercentageAtLastShutdown** The battery percentage at the last shutdown. @@ -2423,7 +2410,7 @@ The following fields are available: - **FirmwareType** ID of the FirmwareType as enumerated in DimFirmwareType. - **HardwareWatchdogTimerGeneratedLastReset** Indicates whether the hardware watchdog timer caused the last reset. - **HardwareWatchdogTimerPresent** Indicates whether hardware watchdog timer was present or not. -- **InvalidBootStat** No content is currently available. +- **InvalidBootStat** This is a sanity check flag that ensures the validity of the bootstat file. - **LastBugCheckBootId** bootId of the last captured crash. - **LastBugCheckCode** Code that indicates the type of error. - **LastBugCheckContextFlags** Additional crash dump settings. @@ -7472,13 +7459,13 @@ The following fields are available: ### Microsoft.Windows.Update.Orchestrator.UniversalOrchestratorInvalidSignature -No content is currently available. +This event is sent when an updater has attempted to register a binary that is not signed by Microsoft. The following fields are available: -- **updaterCmdLine** No content is currently available. -- **updaterId** No content is currently available. -- **wuDeviceid** No content is currently available. +- **updaterCmdLine** The callback executable for the updater. +- **updaterId** The ID of the updater. +- **wuDeviceid** Unique device ID used by Windows Update. ### Microsoft.Windows.Update.Orchestrator.UnstickUpdate @@ -7506,14 +7493,14 @@ The following fields are available: ### Microsoft.Windows.Update.Orchestrator.UpdaterCallbackFailed -No content is currently available. +This event is sent when an updater failed to execute the registered callback. The following fields are available: -- **updaterArgument** No content is currently available. -- **updaterCmdLine** No content is currently available. -- **updaterId** No content is currently available. -- **wuDeviceid** No content is currently available. +- **updaterArgument** The argument to pass to the updater callback. +- **updaterCmdLine** The callback executable for the updater. +- **updaterId** The ID of the updater. +- **wuDeviceid** Unique device ID used by Windows Update. ### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired @@ -7533,13 +7520,13 @@ The following fields are available: ### Microsoft.Windows.Update.Orchestrator.UpdaterMalformedData -No content is currently available. +This event is sent when a registered updater has missing or corrupted information, to help keep Windows up to date. The following fields are available: -- **malformedRegValue** No content is currently available. -- **updaterId** No content is currently available. -- **wuDeviceid** No content is currently available. +- **malformedRegValue** The registry value that contains the malformed or missing entry. +- **updaterId** The ID of the updater. +- **wuDeviceid** Unique device ID used by Windows Update. ### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed From b7f16d21b4f76cf232f3250a00e43b6ba64b861b Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 19 Apr 2019 08:31:23 -0700 Subject: [PATCH 168/492] new build 4/19/2019 8:31 AM --- ...ndows-diagnostic-events-and-fields-1703.md | 4 +- ...ndows-diagnostic-events-and-fields-1709.md | 6 +-- ...ndows-diagnostic-events-and-fields-1803.md | 17 ++------ ...ndows-diagnostic-events-and-fields-1809.md | 39 ++++--------------- 4 files changed, 15 insertions(+), 51 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 086a835957..ab24b15b13 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/18/2019 +ms.date: 04/19/2019 --- @@ -1464,7 +1464,7 @@ The following fields are available: ### Census.Processor -This event sends data about the processor (architecture, speed, number of cores, manufacturer, and model number), to help keep Windows up to date. +This event sends data about the processor to help keep Windows up to date. The following fields are available: diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 8dedfc835b..a4a2c28bc5 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/18/2019 +ms.date: 04/19/2019 --- @@ -1329,7 +1329,7 @@ The following fields are available: ### Census.App -Provides information on IE and Census versions running on the device +This event sends version data about the Apps running on this device, to help keep Windows up to date. The following fields are available: @@ -1538,7 +1538,7 @@ The following fields are available: ### Census.Processor -Provides information on several important data points about Processor settings +This event sends data about the processor to help keep Windows up to date. The following fields are available: diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 452ecb0c6d..e199627613 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/18/2019 +ms.date: 04/19/2019 --- @@ -1374,7 +1374,7 @@ The following fields are available: ### Census.App -Provides information on IE and Census versions running on the device. +This event sends version data about the Apps running on this device, to help keep Windows up to date. The following fields are available: @@ -1628,7 +1628,7 @@ The following fields are available: ### Census.Processor -Provides information on several important data points about Processor settings. +This event sends data about the processor to help keep Windows up to date. The following fields are available: @@ -1907,7 +1907,6 @@ The following fields are available: - **ext_cs** Describes properties related to the schema of the event. See [Common Data Extensions.cs](#common-data-extensionscs). - **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice). - **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos). -- **ext_receipts** Describes the fields related to time as provided by the client for debugging purposes. See [Common Data Extensions.receipts](#common-data-extensionsreceipts). - **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk). - **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser). - **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc). @@ -1933,16 +1932,6 @@ The following fields are available: - **ver** Represents the major and minor version of the extension. -### Common Data Extensions.receipts - -Represents various time information as provided by the client and helps for debugging purposes. - -The following fields are available: - -- **originalTime** The original event time. -- **uploadTime** The time the event was uploaded. - - ### Common Data Extensions.sdk Used by platform specific libraries to record fields that are required for a specific SDK. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 122c0460b9..19d1f81064 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/18/2019 +ms.date: 04/19/2019 --- @@ -1801,7 +1801,7 @@ The following fields are available: ### Census.App -Provides information on IE and Census versions running on the device +This event sends version data about the Apps running on this device, to help keep Windows up to date. The following fields are available: @@ -1819,13 +1819,13 @@ The following fields are available: ### Census.Azure -No content is currently available. +This event returns data from Microsoft-internal Azure server machines (only from Microsoft-internal machines with Server SKUs). All other machines (those outside Microsoft and/or machines that are not part of the “Azure fleet”) return empty data sets. The following fields are available: -- **CloudCoreBuildEx** No content is currently available. -- **CloudCoreSupportBuildEx** No content is currently available. -- **NodeID** No content is currently available. +- **CloudCoreBuildEx** The Azure CloudCore build number. +- **CloudCoreSupportBuildEx** The Azure CloudCore support build number. +- **NodeID** The node identifier on the device that indicates whether the device is part of the Azure fleet. ### Census.Battery @@ -2070,7 +2070,7 @@ The following fields are available: ### Census.Processor -Provides information on several important data points about Processor settings +This event sends data about the processor to help keep Windows up to date. The following fields are available: @@ -2357,7 +2357,6 @@ The following fields are available: - **ext_cs** Describes properties related to the schema of the event. See [Common Data Extensions.cs](#common-data-extensionscs). - **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice). - **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos). -- **ext_receipts** Describes the fields related to time as provided by the client for debugging purposes. See [Common Data Extensions.receipts](#common-data-extensionsreceipts). - **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk). - **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser). - **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc). @@ -2383,16 +2382,6 @@ The following fields are available: - **ver** Represents the major and minor version of the extension. -### Common Data Extensions.receipts - -Represents various time information as provided by the client and helps for debugging purposes. - -The following fields are available: - -- **originalTime** The original event time. -- **uploadTime** The time the event was uploaded. - - ### Common Data Extensions.sdk Used by platform specific libraries to record fields that are required for a specific SDK. @@ -4509,22 +4498,8 @@ This event indicates the number of bytes read from or read by the OS and written The following fields are available: -- **BootAttemptCount** No content is currently available. -- **BootStatusPolicy** No content is currently available. -- **BootType** No content is currently available. - **BytesRead** The total number of bytes read from or read by the OS upon system startup. - **BytesWritten** The total number of bytes written to or written by the OS upon system startup. -- **FirmwareResetReasonEmbeddedController** No content is currently available. -- **FirmwareResetReasonEmbeddedControllerAdditional** No content is currently available. -- **FirmwareResetReasonPch** No content is currently available. -- **FirmwareResetReasonPchAdditional** No content is currently available. -- **FirmwareResetReasonSupplied** No content is currently available. -- **LastBootSucceeded** No content is currently available. -- **LastShutdownSucceeded** No content is currently available. -- **MeasuredLaunchResume** No content is currently available. -- **MenuPolicy** No content is currently available. -- **RecoveryEnabled** No content is currently available. -- **UserInputTime** No content is currently available. ### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch From 2e9e683afabb7f8381c3270f5d5b890a7cdabc5f Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 19 Apr 2019 13:13:02 -0700 Subject: [PATCH 169/492] fixing typo --- .../basic-level-windows-diagnostic-events-and-fields-1809.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 19d1f81064..b312c42c9d 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -3877,7 +3877,7 @@ The following fields are available: This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. -This event includes fields from [Ms.Device.De~iceInventoryChange](#msdevicede~iceinventorychange). +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -3968,7 +3968,7 @@ The following fields are available: This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent. -This event includes fields from [Ms.De~ice.DeviceInventoryChange](#msde~icedeviceinventorychange). +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: From 5ce77666e16a6f318781a6703c1506d817189274 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 21 Apr 2019 20:07:28 +0500 Subject: [PATCH 170/492] update attack-surface-reduction-exploit-guard.md --- .../attack-surface-reduction-exploit-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 5bfe2c6ba4..4181785422 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -22,7 +22,7 @@ ms.date: 04/02/2019 Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1709 or later, Windows Server 2016 1803 or later, or Windows Server 2019. -To use attack surface reduction rules, you need a Windows 10 Enterprise E3 license or higher. A Windows E5 license gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. +To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subsciption, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including: From b7fc3ce24c06828000fc4037776a4e8496feb516 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 21 Apr 2019 20:59:33 +0500 Subject: [PATCH 171/492] update attack-surface-reduction-exploit-guard.md --- .../attack-surface-reduction-exploit-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 4181785422..272c13081f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -22,7 +22,7 @@ ms.date: 04/02/2019 Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1709 or later, Windows Server 2016 1803 or later, or Windows Server 2019. -To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subsciption, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. +To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have a Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subsciption, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including: From 3d577dc32ce2b9b140b1deb9d2e2107a1dbff248 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 23 Apr 2019 10:06:39 -0700 Subject: [PATCH 172/492] final build 04232019 --- ...-level-windows-diagnostic-events-and-fields-1903.md | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 97b84fbcf7..9f8a2900c9 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,17 +13,12 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/19/2019 +ms.date: 04/23/2019 --- # Windows 10, version 1903 basic level Windows diagnostic events and fields - -> [!IMPORTANT] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - - **Applies to** - Windows 10, version 1903 @@ -46,8 +41,6 @@ You can learn more about Windows functional and diagnostic data through these ar - [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) - - ## AppLocker events ### Microsoft.Windows.Security.AppLockerCSP.AddParams @@ -2213,7 +2206,6 @@ The following fields are available: - **providerGuid** The ETW provider ID associated with the provider name. - **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. - **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server. -- **sqmId** No content is currently available. - **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. - **wcmp** The Windows Shell Composer ID. - **wPId** The Windows Core OS product ID. From dc90e8ddde7012f009025936fdc54465b2d1a484 Mon Sep 17 00:00:00 2001 From: karthigb Date: Tue, 23 Apr 2019 11:45:44 -0700 Subject: [PATCH 173/492] Update configure-windows-defender-smartscreen-shortdesc.md --- .../configure-windows-defender-smartscreen-shortdesc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md b/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md index 58dfd6be9a..ce0f753466 100644 --- a/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md +++ b/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md @@ -6,4 +6,4 @@ ms.prod: edge ms:topic: include --- -Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users cannot disable (turn off) Windows Defender SmartScreen. Enabling this policy turns off Windows Defender SmartScreen and prevent users from turning it on. Don’t configure this policy to let users choose to turn Windows defender SmartScreen on or off. \ No newline at end of file +Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users cannot disable (turn off) Windows Defender SmartScreen. Enabling this policy turns on Windows Defender SmartScreen and prevent users from turning it off. Don’t configure this policy to let users choose to turn Windows defender SmartScreen on or off. From 5f0d4b97e71cfa2263f32f7c58215f631f2e6619 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Tue, 23 Apr 2019 14:23:30 -0700 Subject: [PATCH 174/492] fix error --- .openpublishing.redirection.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 22d6eeea52..974018c147 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -14674,10 +14674,11 @@ "source_path": "windows/security/threat-protection/windows-defender-atp/user-alert-windows-defender-advanced-threat-protection-new.md", "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/user", "redirect_document_id": true -} +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-atp/manage-indicators", "redirect_document_id": true -}, +} ] } From 54c0c02c2dd5a160a781e8cab345d7d305124639 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Tue, 23 Apr 2019 14:57:28 -0700 Subject: [PATCH 175/492] update links --- .openpublishing.redirection.json | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 974018c147..4b84e0c62b 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1356,11 +1356,6 @@ "redirect_document_id": true }, { -"source_path": "windows/security/threat-protection/windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md", -"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list", -"redirect_document_id": true -}, -{ "source_path": "windows/security/threat-protection/windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md", "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation", "redirect_document_id": true From 900a8d0c28fb44f2ac52ac1d36b3a91ac2ba4d02 Mon Sep 17 00:00:00 2001 From: Malin De Silva Date: Wed, 24 Apr 2019 18:47:47 +0530 Subject: [PATCH 176/492] Added Azure AD MFA Auth with O365 --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index f59a78c750..c191cc7a49 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -97,7 +97,7 @@ You can deploy Windows Hello for Business key trust in non-federated and federat ## Multifactor Authentication ## Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but needs a second factor of authentication. -Hybrid Windows Hello for Business deployments can use Azure’s Multi-factor Authentication service or they can use multi-factor authentication provides by Windows Server 2012 R2 or later Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multi-factor authentication into AD FS. +Hybrid Windows Hello for Business deployments can use Azure’s Multi-factor Authentication service or they can use multi-factor authentication provides by Windows Server 2012 R2 or later Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multi-factor authentication into AD FS. The Multi-factor authentication enabled in Office 365 license is sufficient for direct Multi-factor Authentication against Azure AD. ### Section Review > [!div class="checklist"] From 7d8272272e88665e0ca5bc441f51c94f5c4fbdb5 Mon Sep 17 00:00:00 2001 From: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> Date: Thu, 25 Apr 2019 18:54:11 +0530 Subject: [PATCH 177/492] Update windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md Co-Authored-By: Malind19 --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index c191cc7a49..a4a1cc41b4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -97,7 +97,7 @@ You can deploy Windows Hello for Business key trust in non-federated and federat ## Multifactor Authentication ## Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but needs a second factor of authentication. -Hybrid Windows Hello for Business deployments can use Azure’s Multi-factor Authentication service or they can use multi-factor authentication provides by Windows Server 2012 R2 or later Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multi-factor authentication into AD FS. The Multi-factor authentication enabled in Office 365 license is sufficient for direct Multi-factor Authentication against Azure AD. +Hybrid Windows Hello for Business deployments can use Azure’s Multi-factor Authentication service or they can use multi-factor authentication provided by Windows Server 2012 R2 or later Active Directory Federation Services, which include an adapter model that enables third parties to integrate their multi-factor authentication into AD FS. The Multi-factor authentication enabled in Office 365 license is sufficient for direct Multi-factor Authentication against Azure AD. ### Section Review > [!div class="checklist"] From 4e534972c11a14e238e7b022290435c41bb7961f Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 26 Apr 2019 16:13:26 +0500 Subject: [PATCH 178/492] update hello-cert-trust-deploy-mfa.md --- .../hello-for-business/hello-cert-trust-deploy-mfa.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md index 561df3ca7b..afee1b6159 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md @@ -23,7 +23,7 @@ ms.date: 08/19/2018 - Certificate trust -On-premises deployments must use the On-premises Azure MFA Server using the AD FS adapter model Optionally, you can use a third-party MFA server that provides an AD FS Multifactor authentication adapter. +On-premises deployments must use on-premises MFA Server that provides an AD FS Multifactor authentication adapter. It could be Azure Multi-Factor Authentication Server or third-party MFA solution. >[!TIP] >Please make sure you've read [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) before proceeding any further. From 84e8a5a03ee541c5b5ae4fd9e849308b27308af5 Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Sat, 27 Apr 2019 16:35:21 +0200 Subject: [PATCH 179/492] Update assignedaccess-csp.md Added note about assigned access. --- windows/client-management/mdm/assignedaccess-csp.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index 13f0987eca..55d8e8b012 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -22,6 +22,9 @@ For a step-by-step guide for setting up devices to run in kiosk mode, see [Set u > [!Warning] > You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups. +> [!Note] +> If the application runs in assigned access mode, when the app calls KeyCredentialManager.IsSupportedAsync and it returns false on the first run, try invoking the settings screen to have the user select a convenience PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. This means you can only use Windows Hello if you first leave Assigned Access. The user must then select his/her convenience pin and then go into Assigned Access again. + > [!Note] > The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S. Starting in Windows 10, version 1803, it is also supported in Windows Holographic for Business edition. From 94c56a08ecf1eceec1d2ce0d1a0852ac5cc6cbf8 Mon Sep 17 00:00:00 2001 From: illfated Date: Sun, 28 Apr 2019 18:23:56 +0200 Subject: [PATCH 180/492] Windows/Privacy: URL correction update This is a follow-up to my previous PR #3305 (Windows/Privacy: change formatting code to text). I found one URL that I missed in my previous solution. This is a 1 line change, making the starting and ending asterisk show up on the page, instead of formatting the text as italics. Addendum: For future web page documentation, it may be a good idea to use the HTML codes `*` + `\` for `*` and `\` respectively, to avoid situations where pages look OK on Github, but not translating well to the docs.microsoft.com pages. Ref. issue ticket #3304 (Domain misspelling) --- .../privacy/windows-endpoints-1809-non-enterprise-editions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md index b6be3b5acd..1df90d39e0 100644 --- a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md @@ -98,7 +98,7 @@ We used the following methodology to derive these network endpoints: | *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | | *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | | *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.tlu.dl.delivery.mp.microsoft.com/* | HTTP | Enables connections to Windows Update. | +| \*.tlu.dl.delivery.mp.microsoft.com/\* | HTTP | Enables connections to Windows Update. | | *geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | | arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | | au.download.windowsupdate.com/* | HTTP | Enables connections to Windows Update. | From aacdf73752e02cbc2bac019ebf26164b78376416 Mon Sep 17 00:00:00 2001 From: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> Date: Mon, 29 Apr 2019 05:29:27 +0200 Subject: [PATCH 181/492] Update windows/client-management/mdm/assignedaccess-csp.md Changed wording. Co-Authored-By: lindspea <45809756+lindspea@users.noreply.github.com> --- windows/client-management/mdm/assignedaccess-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index 55d8e8b012..b6470b0c3d 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -23,7 +23,7 @@ For a step-by-step guide for setting up devices to run in kiosk mode, see [Set u > You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups. > [!Note] -> If the application runs in assigned access mode, when the app calls KeyCredentialManager.IsSupportedAsync and it returns false on the first run, try invoking the settings screen to have the user select a convenience PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. This means you can only use Windows Hello if you first leave Assigned Access. The user must then select his/her convenience pin and then go into Assigned Access again. +> If the application calls KeyCredentialManager.IsSupportedAsync when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select a convenience PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again. > [!Note] > The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S. Starting in Windows 10, version 1803, it is also supported in Windows Holographic for Business edition. From 8d32eea85633ce5d7f70731f7602bc1851ca9c6f Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 30 Apr 2019 16:17:49 -0700 Subject: [PATCH 182/492] Updates per bug 3122154 --- windows/client-management/mdm/devicestatus-csp.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index a20317c21f..568485b1b6 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/26/2018 +ms.date: 04/30/2019 --- # DeviceStatus CSP @@ -157,6 +157,12 @@ Valid values: Supported operation is Get. +If more than one antivirus provider is active, the **DeviceStatus/Antivirus/SignatureStatus** node returns: +- 1 – If every active antivirus provider has a valid signature status +- 0 – If any of the active antivirus providers has an invalid signature status + +The **DeviceStatus/Antivirus/SignatureStatus** node also returns 0 when no antivirus provider is active. + **DeviceStatus/Antivirus/Status** Added in Windows, version 1607. Integer that specifies the status of the antivirus. @@ -186,6 +192,12 @@ Valid values: Supported operation is Get. +If more than one antispyware provider is active, the **DeviceStatus/Antispyware/SignatureStatus** node returns: +- 1 – If every active antispyware provider has a valid signature status +- 0 – If any of the active antispyware providers has an invalid signature status + +The **DeviceStatus/Antispyware/SignatureStatus** node also returns 0 when no antispyware provider is active. + **DeviceStatus/Antispyware/Status** Added in Windows, version 1607. Integer that specifies the status of the antispyware. From cc151d53a7e4e511dc8dc79e11499c72e268ac88 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 30 Apr 2019 16:53:19 -0700 Subject: [PATCH 183/492] Updater per bug 3122154 --- .../client-management/mdm/devicestatus-csp.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index 568485b1b6..d286f6f918 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -157,11 +157,11 @@ Valid values: Supported operation is Get. -If more than one antivirus provider is active, the **DeviceStatus/Antivirus/SignatureStatus** node returns: -- 1 – If every active antivirus provider has a valid signature status -- 0 – If any of the active antivirus providers has an invalid signature status +If more than one antivirus provider is active, this node returns: +- 1 – If every active antivirus provider has a valid signature status. +- 0 – If any of the active antivirus providers has an invalid signature status. -The **DeviceStatus/Antivirus/SignatureStatus** node also returns 0 when no antivirus provider is active. +This node also returns 0 when no antivirus provider is active. **DeviceStatus/Antivirus/Status** Added in Windows, version 1607. Integer that specifies the status of the antivirus. @@ -192,11 +192,11 @@ Valid values: Supported operation is Get. -If more than one antispyware provider is active, the **DeviceStatus/Antispyware/SignatureStatus** node returns: -- 1 – If every active antispyware provider has a valid signature status -- 0 – If any of the active antispyware providers has an invalid signature status +If more than one antispyware provider is active, this node returns: +- 1 – If every active antispyware provider has a valid signature status. +- 0 – If any of the active antispyware providers has an invalid signature status. -The **DeviceStatus/Antispyware/SignatureStatus** node also returns 0 when no antispyware provider is active. +This node also returns 0 when no antispyware provider is active. **DeviceStatus/Antispyware/Status** Added in Windows, version 1607. Integer that specifies the status of the antispyware. From 783fc36d3e55d39c1a9a7e4dcdc873a504476bbc Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 1 May 2019 19:08:57 +0500 Subject: [PATCH 184/492] cloud experience host information Cloud experience host related information was missing in the document. Required information has been added. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3276 --- .../hello-how-it-works-technology.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index d12e00c028..401dcdc382 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -39,6 +39,7 @@ ms.date: 10/08/2018 - [Storage Root Key](#storage-root-key) - [Trust Type](#trust-type) - [Trusted Platform Module](#trusted-platform-module) +- [Cloud Experience Host](#cloud-experience-host)
## Attestation Identity Keys @@ -304,7 +305,16 @@ In a simplified manner, the TPM is a passive component with limited resources. I [Return to Top](hello-how-it-works-technology.md) +## Cloud Experience Host +In Windows 10 Enterprise edition, cloud experience host is a component that helps you join the workplace environment or Azure AD using your company provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you(including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC. +### Related topics +[Windows Hello for Business](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification), [Managed Windows Hello in Organization](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-manage-in-organization) + +### More information +- [Windows Hello for Business and Device Registration](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration) + +[Return to Top](hello-how-it-works-technology.md) From 516a00b153a899ba80256385771790a00cfd92c9 Mon Sep 17 00:00:00 2001 From: Michael Niehaus Date: Wed, 1 May 2019 10:26:12 -0400 Subject: [PATCH 185/492] Update user-driven-hybrid.md Adjusted the AD DC requirements to make them more clear. --- windows/deployment/windows-autopilot/user-driven-hybrid.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/user-driven-hybrid.md b/windows/deployment/windows-autopilot/user-driven-hybrid.md index d69c5869ba..c75f3e2df4 100644 --- a/windows/deployment/windows-autopilot/user-driven-hybrid.md +++ b/windows/deployment/windows-autopilot/user-driven-hybrid.md @@ -29,7 +29,8 @@ To perform a user-driven hybrid AAD joined deployment using Windows Autopilot: - **Hybrid Azure AD joined** must be specified as the selected option under **Join to Azure AD as** in the Autopilot profile. - If using Intune, a device group in Azure Active Directory must exist with the Windows Autopilot profile assigned to that group. - The device must be running Windows 10, version 1809 or later. -- The device must be connected to the Internet and have access to an Active Directory domain controller. +- The device must be able to access an Active Directory domain controller, so it must be connected to the organization's network (where it can resolve the DNS records for the AD domain and the AD domain controller, and communicate with the domain controller to authenticate the user). +- The device must be able to access the Internet, following the [documented Windows Autopilot network requirements](windows-autopilot-requirements-network.md). - The Intune Connector for Active Directory must be installed. - Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf. - If using Proxy, WPAD Proxy settings option must be enabled and configured. From 3020dfae762b7ad5ae675a3346cc1e5f2d580dd3 Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 1 May 2019 11:48:22 -0400 Subject: [PATCH 186/492] first pass at updating known issues section --- .../microsoft-defender-atp-mac.md | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index f643a3b454..82acdc4d29 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -464,12 +464,15 @@ Or, from a command line: - ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` ## Known issues -- Microsoft Defender ATP is not yet optimized for performance or disk space. -- Centrally managed uninstall using Intune is still in development. To uninstall (as a workaround) a manual uninstall action has to be completed on each client device). -- Geo preference for telemetry traffic is not yet supported. Cloud traffic (definition updates) routed to US only. -- Full Windows Defender ATP integration is not yet available -- Not localized yet -- There might be accessibility issues + +- Not localized yet. +- There might be accessibility issues. +- Not optimized for performance or disk space yet. +- Full Windows Defender ATP integration is not available yet. +- Mac devices that switch networks may appear multiple times in the APT portal. +- Geo preference for telemetry traffic is not supported yet. Cloud traffic is routed to the US only. +- Centrally managed uninstall is still being developed. As a workaround, a manual uninstall must be performed on each client device. + ## Collecting diagnostic information If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. From c77397e197a5bf176ada23cd8883e8c1946aa22f Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 1 May 2019 12:45:00 -0400 Subject: [PATCH 187/492] added what's new section --- .../microsoft-defender-atp-mac.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 82acdc4d29..fd141aaa08 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -25,6 +25,21 @@ ms.topic: conceptual This topic describes how to install and use Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. +## What’s new in the public preview + +- Fully accessible +- Various bug fixes +- Improved performance +- Improved user experience +- Improved threat handling +- Localized for 37 languages +- Improved anti-tampering protections +- Feedback can now be submitted via the Mac Client UI. +- Product health can now be queried via Jamf or the command line. +- Reduced delay for Mac devices to appear in the ATP console, following deployment. +- Admins can now set their cloud geo preference for any location, not just those in the US. + + ## Prerequisites You should have beginner-level experience in macOS and BASH scripting. You must have administrative privileges on the machine. From 5733e9b39311dab6057bd7c8bea356c63838ecbc Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 1 May 2019 12:59:11 -0400 Subject: [PATCH 188/492] refining what's new section text --- .../microsoft-defender-atp-mac.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index fd141aaa08..44e8b765e4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -34,10 +34,10 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only - Improved threat handling - Localized for 37 languages - Improved anti-tampering protections -- Feedback can now be submitted via the Mac Client UI. -- Product health can now be queried via Jamf or the command line. +- Feedback and samples can be submitted via the GUI. +- Product health can be queried via Jamf or the command line. - Reduced delay for Mac devices to appear in the ATP console, following deployment. -- Admins can now set their cloud geo preference for any location, not just those in the US. +- Admins can set their cloud preference for any location, not just those in the US. ## Prerequisites From 522bb702bb2177779c7b30dc037ee2df0e1f9cf7 Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Wed, 1 May 2019 22:21:50 +0500 Subject: [PATCH 189/492] Update windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md Co-Authored-By: joinimran <47118050+joinimran@users.noreply.github.com> --- .../hello-for-business/hello-how-it-works-technology.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 401dcdc382..6fb3df408c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -312,7 +312,7 @@ In Windows 10 Enterprise edition, cloud experience host is a component that help [Windows Hello for Business](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification), [Managed Windows Hello in Organization](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-manage-in-organization) ### More information -- [Windows Hello for Business and Device Registration](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration) +- [Windows Hello for Business and Device Registration](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration) [Return to Top](hello-how-it-works-technology.md) From 0ceb9f2a5e6fa6c0d1d8f7a5bfb8b5592c34dc44 Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Wed, 1 May 2019 22:22:06 +0500 Subject: [PATCH 190/492] Update windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md Co-Authored-By: joinimran <47118050+joinimran@users.noreply.github.com> --- .../hello-for-business/hello-how-it-works-technology.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 6fb3df408c..23acc75c13 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -306,7 +306,7 @@ In a simplified manner, the TPM is a passive component with limited resources. I [Return to Top](hello-how-it-works-technology.md) ## Cloud Experience Host -In Windows 10 Enterprise edition, cloud experience host is a component that helps you join the workplace environment or Azure AD using your company provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you(including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC. +In Windows 10 Enterprise edition, Cloud Experience Host is an application that helps you join the workplace environment or Azure AD using your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC. ### Related topics [Windows Hello for Business](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification), [Managed Windows Hello in Organization](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-manage-in-organization) From 53e037095bc9b0837f79c9d7c882b2dfc5883d4c Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Wed, 1 May 2019 22:22:25 +0500 Subject: [PATCH 191/492] Update windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md Co-Authored-By: joinimran <47118050+joinimran@users.noreply.github.com> --- .../hello-for-business/hello-how-it-works-technology.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 23acc75c13..5f740c9437 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -309,7 +309,7 @@ In a simplified manner, the TPM is a passive component with limited resources. I In Windows 10 Enterprise edition, Cloud Experience Host is an application that helps you join the workplace environment or Azure AD using your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC. ### Related topics -[Windows Hello for Business](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification), [Managed Windows Hello in Organization](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-manage-in-organization) +[Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification), [Managed Windows Hello in Organization](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-manage-in-organization) ### More information - [Windows Hello for Business and Device Registration](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration) From 8162acd4cddfe26b4f61e0c31e295214b6bcba01 Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 1 May 2019 14:21:07 -0400 Subject: [PATCH 192/492] added atp portal section --- .../microsoft-defender-atp-mac.md | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 44e8b765e4..eff522741e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -468,6 +468,32 @@ After installation, you'll see the Microsoft Defender icon in the macOS status b ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) +## What to expect in the ATP portal + +- Severity +- Scan type +- Antivirus alerts +- Device information: + - Machine identifier + - Tenant identifier + - App version + - Hostname + - OS type + - OS version + - Computer model + - Processor architecture + - Whether the device is a virtual machine +- File information: + - Hashes + - Size + - Path + - Name +- Threat information: + - Type + - State + - Name + + ## Uninstallation ### Removing Microsoft Defender ATP from Mac devices To remove Microsoft Defender ATP from your macOS devices: From 24efe934039130e2c78fcc911d0470adb413b0fa Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 1 May 2019 12:53:52 -0700 Subject: [PATCH 193/492] Updates per task 3309387 --- .../mdm/policy-csp-deliveryoptimization.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index 95e6d74539..47a3305652 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -6,13 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/06/2018 +ms.date: 05/01/2019 --- # Policy CSP - DeliveryOptimization > [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
@@ -985,7 +985,7 @@ ADMX Info: > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. Recommended values: 64 GB to 256 GB. +Added in Windows 10, version 1703. Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. Recommended values: 64 GB to 256 GB. > [!NOTE] > If the DOMofidyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy. @@ -1046,7 +1046,7 @@ ADMX Info: > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. Specifies the minimum content file size in MB enabled to use Peer Caching. The value 0 means "unlimited" which means the cloud service set default value will be used. Recommended values: 1 MB to 100,000 MB. +Added in Windows 10, version 1703. Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB. The default value is 100 MB. @@ -1104,7 +1104,7 @@ ADMX Info: > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. Specifies the minimum RAM size in GB required to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. +Added in Windows 10, version 1703. Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. The default value is 4 GB. From c68e5f808b4324e0d7b8c465732ae4d405fe761b Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 2 May 2019 12:52:36 +0500 Subject: [PATCH 194/492] Changes applied Changes applied as suggested by copy/edit review. --- .../hello-how-it-works-technology.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 5f740c9437..015c33f72a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -24,6 +24,7 @@ ms.date: 10/08/2018 - [Azure AD Registered](#azure-ad-registered) - [Certificate Trust](#certificate-trust) - [Cloud Deployment](#cloud-deployment) +- [Cloud Experience Host](#cloud-experience-host) - [Deployment Type](#deployment-type) - [Endorsement Key](#endorsement-key) - [Federated Environment](#federated-environment) @@ -39,7 +40,6 @@ ms.date: 10/08/2018 - [Storage Root Key](#storage-root-key) - [Trust Type](#trust-type) - [Trusted Platform Module](#trusted-platform-module) -- [Cloud Experience Host](#cloud-experience-host)
## Attestation Identity Keys @@ -100,6 +100,17 @@ The Windows Hello for Business Cloud deployment is exclusively for organizations [Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Deployment Type](#deployment-type), [Join Type](#join-type) [Return to Top](hello-how-it-works-technology.md) +## Cloud Experience Host +In Windows 10 Enterprise edition, Cloud Experience Host is an application that helps you join the workplace environment or Azure AD using your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC. + +### Related topics +[Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification), [Managed Windows Hello in Organization](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-manage-in-organization) + +### More information +- [Windows Hello for Business and Device Registration](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration) + +[Return to Top](hello-how-it-works-technology.md) + ## Deployment Type Windows Hello for Business has three deployment models to accommodate the needs of different organizations. The three deployment models include: - Cloud @@ -305,17 +316,6 @@ In a simplified manner, the TPM is a passive component with limited resources. I [Return to Top](hello-how-it-works-technology.md) -## Cloud Experience Host -In Windows 10 Enterprise edition, Cloud Experience Host is an application that helps you join the workplace environment or Azure AD using your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC. - -### Related topics -[Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification), [Managed Windows Hello in Organization](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-manage-in-organization) - -### More information -- [Windows Hello for Business and Device Registration](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration) - -[Return to Top](hello-how-it-works-technology.md) - From 33f1c7e37a5e64a7b30c5214c8aea7b1fbcd46bc Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Thu, 2 May 2019 15:39:26 +0500 Subject: [PATCH 195/492] update hello-planning-guide.md --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 1700566e52..a936892039 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -274,7 +274,7 @@ Public key infrastructure prerequisites already exist in your planning worksheet If box **1a** on your planning worksheet reads **cloud only**, ignore the public key infrastructure section of your planning worksheet. Cloud only deployments do not use a public key infrastructure. -If box **1b** on your planning worksheet reads **key trust**, write **N/A** in box **5b** on your planning worksheet. +If box **1b** on your planning worksheet reads **key trust**, write **N/A** in box **5b** on your planning worksheet. Key trust doesn't require any change in public key infrastructure, skip this part and go to **Cloud** section. The registration authority only relates to certificate trust deployments and the management used for domain and non-domain joined devices. Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. From 58618eb4e7609e299ce616f5f9294c95910ff2f6 Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 2 May 2019 07:40:59 -0400 Subject: [PATCH 196/492] added configuring via the command line section & table --- .../microsoft-defender-atp-mac.md | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index eff522741e..274a348c8b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -468,6 +468,28 @@ After installation, you'll see the Microsoft Defender icon in the macOS status b ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) +## Configuring with the command line + +Controlling product settings, triggering on-demand scans, and several other important tasks can be done via the following CLI commands: + +|Group |Scenario |Command | +|-------------|-------------------------------------------|-----------------------------------------------------------------------| +|Configuration|Turn on/off real-time protection |`mdatp config --rtp [true/false]` | +|Configuration|Turn on/off cloud protection |`mdatp config --cloud [true/false]` | +|Configuration|Turn on/off product diagnostics |`mdatp config --diagnostic [true/false]` | +|Configuration|Turn on/off automatic sample submission |`mdatp config --sample-submission [true/false]` | +|Configuration|Turn on PUA protection |`mdatp threat --type-handling --potentially_unwanted_application block`| +|Configuration|Turn off PUA protection |`mdatp threat --type-handling --potentially_unwanted_application off` | +|Configuration|Turn on audit mode for PUA protection |`mdatp threat --type-handling --potentially_unwanted_application audit`| +|Diagnostics |Change the log level |`mdatp log-level --[error/warning/info/verbose]` | +|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic` | +|Health |Check the product's health |`mdatp --health` | +|Protection |Scan a path |`mdatp scan --path [path]` | +|Protection |Do a quick scan |`mdatp scan --quick` | +|Protection |Do a full scan |`mdatp scan --full` | +|Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` | +|Protection |Request a definition update |`mdatp --signature-update` | + ## What to expect in the ATP portal - Severity From 3c6938f6d81c091be95028cec8c18598fc7c2b5c Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 2 May 2019 07:54:37 -0400 Subject: [PATCH 197/492] fixed inaccuracies in portal section --- .../microsoft-defender-atp-mac.md | 23 ++++++++----------- 1 file changed, 9 insertions(+), 14 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 274a348c8b..1e0f483f69 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -470,7 +470,7 @@ After installation, you'll see the Microsoft Defender icon in the macOS status b ## Configuring with the command line -Controlling product settings, triggering on-demand scans, and several other important tasks can be done via the following CLI commands: +Controlling product settings, triggering on-demand scans, and several other important tasks can be done with the following CLI commands: |Group |Scenario |Command | |-------------|-------------------------------------------|-----------------------------------------------------------------------| @@ -492,9 +492,12 @@ Controlling product settings, triggering on-demand scans, and several other impo ## What to expect in the ATP portal -- Severity -- Scan type -- Antivirus alerts +- AV alerts: + - Severity + - Scan type + - Device information (hostname, machine identifier, tenant identifier, app version, and OS type) + - File information (name, path, size, and hash) + - Threat information (name, type, and state) - Device information: - Machine identifier - Tenant identifier @@ -505,19 +508,11 @@ Controlling product settings, triggering on-demand scans, and several other impo - Computer model - Processor architecture - Whether the device is a virtual machine -- File information: - - Hashes - - Size - - Path - - Name -- Threat information: - - Type - - State - - Name - ## Uninstallation + ### Removing Microsoft Defender ATP from Mac devices + To remove Microsoft Defender ATP from your macOS devices: - Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. From 38811a81906227c6da50e83308f429cd4bc87f84 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Thu, 2 May 2019 17:02:24 +0500 Subject: [PATCH 198/492] update hello-planning-guide.md --- .../hello-for-business/hello-planning-guide.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index a936892039..05fb09a45a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -77,7 +77,7 @@ A deployment's trust type defines how each Windows Hello for Business client aut The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. -The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers. Users can authenticate using their certificate to any Windows Server 2008 R2 or later domain controller. +The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 Active Directory schema](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs#directories)). Users can authenticate using their certificate to any Windows Server 2008 R2 or later domain controller. #### Device registration @@ -101,7 +101,6 @@ Cloud only and hybrid deployments provide many choices for multi-factor authenti > * Azure Active Directory Premium > * Enterprise Mobility Suite > * Enterprise Cloud Suite ->* A per-user and per-authentication consumption-based model that is billed monthly against Azure monetary commitment (Read [Multi-Factor Authentication Pricing](https://azure.microsoft.com/pricing/details/multi-factor-authentication/) for more information) #### Directory synchronization From 9584215fd34e27cfa6c5a264f536a7a31f6d9f1a Mon Sep 17 00:00:00 2001 From: msjbja <49055479+msjbja@users.noreply.github.com> Date: Thu, 2 May 2019 08:50:14 -0500 Subject: [PATCH 199/492] Update windows-local-autopilot-reset.md Addition of the permission required to perform this task --- .../windows-autopilot/windows-autopilot-reset-local.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md b/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md index ac25a597f7..2df22358c3 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md @@ -19,6 +19,8 @@ ms.topic: article **Applies to: Windows 10, version 1709 and above +The Microsoft Intune Service Administrator Directory role is required to perform this task. The process of adding directory roles is documented at https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal + IT admins can perform a local Windows Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With a local Autopilot Reset, devices are returned to a fully configured or known IT-approved state. To enable local Autopilot Reset in Windows 10: From 1372d3faed690728d953a85eba6a7a9efb1eaeaa Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 2 May 2019 10:37:07 -0400 Subject: [PATCH 200/492] refining what's new section --- .../microsoft-defender-atp-mac.md | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 1e0f483f69..52531fa8c9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -27,18 +27,15 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only ## What’s new in the public preview -- Fully accessible -- Various bug fixes -- Improved performance -- Improved user experience -- Improved threat handling -- Localized for 37 languages -- Improved anti-tampering protections -- Feedback and samples can be submitted via the GUI. -- Product health can be queried via Jamf or the command line. -- Reduced delay for Mac devices to appear in the ATP console, following deployment. -- Admins can set their cloud preference for any location, not just those in the US. +We've been working hard through the private preview period, and we've heard your concerns. We've reduced the delay for when new Mac devices appear in the ATP console after they've been deployed. We've improved threat handling, and enhanced the user experience. We've also made numerous bug fixes. Other updates to Microsoft Defender ATP include: +- Full accessibility +- Improved performance +- Localization for 37 languages +- Improved anti-tampering protections +- Feedback and samples can now be submitted via the GUI. +- Product health can be queried with JAMF or the command line. +- Admins can set their cloud preference for any location, not just for those in the US. ## Prerequisites You should have beginner-level experience in macOS and BASH scripting. You must have administrative privileges on the machine. From 12bebd56e8258562ec62b79d7bc13e2f90c26a86 Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 2 May 2019 11:01:29 -0400 Subject: [PATCH 201/492] markdown linting --- .../microsoft-defender-atp-mac.md | 221 ++++++++++-------- 1 file changed, 127 insertions(+), 94 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 52531fa8c9..17df14a9be 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -22,8 +22,8 @@ ms.topic: conceptual >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This topic describes how to install and use Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. +This topic describes how to install and use Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. ## What’s new in the public preview @@ -38,14 +38,17 @@ We've been working hard through the private preview period, and we've heard your - Admins can set their cloud preference for any location, not just for those in the US. ## Prerequisites + You should have beginner-level experience in macOS and BASH scripting. You must have administrative privileges on the machine. You should also have access to Windows Defender Security Center. ### System Requirements + Microsoft Defender ATP for Mac system requirements: + - macOS version: 10.14 (Mojave), 10.13 (High Sierra), 10.12 (Sierra) -- Disk space during preview: 1GB +- Disk space during preview: 1GB After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints. @@ -57,39 +60,43 @@ The following table lists the services and their associated URLs that your netwo To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/api/report` and `https://wu-cdn.x.cp.wd.microsoft.com/` in a browser, or run the following command in Terminal: -``` +```bash mavel-mojave:~ testuser$ curl 'https://x.cp.wd.microsoft.com/api/report' OK ``` -We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. +We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS. ## Installation and configuration overview -There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. + +There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. In general you'll need to take the following steps: - - Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal - - Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: - * [Microsoft Intune based deployment](#microsoft-intune-based-deployment) - * [JAMF based deployment](#jamf-based-deployment) - * [Manual deployment](#manual-deployment) + +- Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal +- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: + - [Microsoft Intune based deployment](#microsoft-intune-based-deployment) + - [JAMF based deployment](#jamf-based-deployment) + - [Manual deployment](#manual-deployment) ## Microsoft Intune based deployment ### Download installation and onboarding packages + Download the installation and onboarding packages from Windows Defender Security Center: -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. -5. Download IntuneAppUtil from https://docs.microsoft.com/en-us/intune/lob-apps-macos. + +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. +5. Download IntuneAppUtil from [https://docs.microsoft.com/en-us/intune/lob-apps-macos](https://docs.microsoft.com/en-us/intune/lob-apps-macos). ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) -6. From a command prompt, verify that you have the three files. +6. From a command prompt, verify that you have the three files. Extract the contents of the .zip files: - - ``` + + ```bash mavel-macmini:Downloads test$ ls -l total 721688 -rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil @@ -103,13 +110,14 @@ Download the installation and onboarding packages from Windows Defender Security inflating: jamf/WindowsDefenderATPOnboarding.plist mavel-macmini:Downloads test$ ``` -7. Make IntuneAppUtil an executable: + +7. Make IntuneAppUtil an executable: ```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil``` 8. Create the wdav.pkg.intunemac package from wdav.pkg: - ``` + ```bash mavel-macmini:Downloads test$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0" Microsoft Intune Application Utility for Mac OS X Version: 1.0.0.0 @@ -124,6 +132,7 @@ Download the installation and onboarding packages from Windows Defender Security ``` ### Client Machine Setup + You need no special provisioning for a Mac machine beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp). 1. You'll be asked to confirm device management. @@ -143,17 +152,18 @@ You can enroll additional machines. Optionally, you can do it later, after syste ![Add Devices screenshot](images/MDATP_5_allDevices.png) ### Create System Configuration profiles -1. In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**. -2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**. -3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above. -4. Select **OK**. + +1. In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**. +2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**. +3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above. +4. Select **OK**. ![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png) -5. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. -7. Repeat these steps with the second profile. -8. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file. -9. Select **Manage > Assignments**. In the Include tab, select **Assign to All Users & All devices**. +5. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. +6. Repeat these steps with the second profile. +7. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file. +8. Select **Manage > Assignments**. In the Include tab, select **Assign to All Users & All devices**. After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade: @@ -161,16 +171,16 @@ After Intune changes are propagated to the enrolled machines, you'll see it on t ### Publish application -1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**. -2. Select **App type=Other/Line-of-business app**. -3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. -4. Select **Configure** and add the required information. -5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value. +1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**. +2. Select **App type=Other/Line-of-business app**. +3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. +4. Select **Configure** and add the required information. +5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value. ![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png) 6. Select **OK** and **Add**. - + ![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png) 7. It will take a while to upload the package. After it's done, select the name and then go to **Assignments** and **Add group**. @@ -187,7 +197,8 @@ After Intune changes are propagated to the enrolled machines, you'll see it on t ![Intune device status screenshot](images/MDATP_12_DeviceInstall.png) ### Verify client machine state -1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**. + +1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**. ![System Preferences screenshot](images/MDATP_13_SystemPreferences.png) ![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png) @@ -195,30 +206,33 @@ After Intune changes are propagated to the enrolled machines, you'll see it on t 2. Verify the three profiles listed there: ![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png) -3. The **Management Profile** should be the Intune system profile. -4. wdav-config and wdav-kext are system configuration profiles that we added in Intune. -5. You should also see the Microsoft Defender icon in the top-right corner: +3. The **Management Profile** should be the Intune system profile. +4. wdav-config and wdav-kext are system configuration profiles that we added in Intune. +5. You should also see the Microsoft Defender icon in the top-right corner: ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) ## JAMF based deployment -### Prerequsites -You need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes a properly configured distribution point. JAMF has many alternative ways to complete the same task. These instructions provide you an example for most common processes. Your organization might use a different workflow. +### Prerequsites + +You need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes a properly configured distribution point. JAMF has many alternative ways to complete the same task. These instructions provide you an example for most common processes. Your organization might use a different workflow. ### Download installation and onboarding packages + Download the installation and onboarding packages from Windows Defender Security Center: -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. + +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) -5. From a command prompt, verify that you have the two files. +5. From a command prompt, verify that you have the two files. Extract the contents of the .zip files: - - ``` + + ```bash mavel-macmini:Downloads test$ ls -l total 721160 -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip @@ -230,18 +244,19 @@ Download the installation and onboarding packages from Windows Defender Security inflating: intune/WindowsDefenderATPOnboarding.xml inflating: jamf/WindowsDefenderATPOnboarding.plist mavel-macmini:Downloads test$ - ``` + ``` ### Create JAMF Policies + You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client machines. #### Configuration Profile + The configuration profile contains one custom settings payload that includes: -- Microsoft Defender ATP for Mac onboarding information +- Microsoft Defender ATP for Mac onboarding information - Approved Kernel Extensions payload to enable the Microsoft kernel driver to run - 1. Upload jamf/WindowsDefenderATPOnboarding.plist as the Property List File. >[!NOTE] @@ -252,15 +267,17 @@ The configuration profile contains one custom settings payload that includes: #### Approved Kernel Extension To approve the kernel extension: -1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. -2. Use **UBF8T346G9** for Team Id. + +1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. +2. Use **UBF8T346G9** for Team Id. ![Approved kernel extensions screenshot](images/MDATP_17_approvedKernelExtensions.png) -#### Configuration Profile's Scope +#### Configuration Profile's Scope + Configure the appropriate scope to specify the machines that will receive this configuration profile. -Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers. +Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers. ![Configuration profile scope screenshot](images/MDATP_18_ConfigurationProfilesScope.png) @@ -269,14 +286,16 @@ Save the **Configuration Profile**. Use the **Logs** tab to monitor deployment status for each enrolled machine. #### Package + 1. Create a package in **Settings > Computer Management > Packages**. ![Computer management packages screenshot](images/MDATP_19_MicrosoftDefenderWDAVPKG.png) -2. Upload wdav.pkg to the Distribution Point. +2. Upload wdav.pkg to the Distribution Point. 3. In the **filename** field, enter the name of the package. For example, wdav.pkg. #### Policy + Your policy should contain a single package for Microsoft Defender. ![Microsoft Defender packages screenshot](images/MDATP_20_MicrosoftDefenderPackages.png) @@ -286,34 +305,38 @@ Configure the appropriate scope to specify the computers that will receive this After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled machine. ### Client machine setup + You need no special provisioning for a macOS computer beyond the standard JAMF Enrollment. > [!NOTE] -> After a computer is enrolled, it will show up in the Computers inventory (All Computers). +> After a computer is enrolled, it will show up in the Computers inventory (All Computers). -1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. +1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. ![MDM approve button screenshot](images/MDATP_21_MDMProfile1.png) ![MDM screenshot](images/MDATP_22_MDMProfileApproved.png) -After some time, the machine's User Approved MDM status will change to Yes. +After some time, the machine's User Approved MDM status will change to Yes. ![MDM status screenshot](images/MDATP_23_MDMStatus.png) You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned. ### Deployment + Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected. #### Status on server + You can monitor the deployment status in the Logs tab: - - **Pending** means that the deployment is scheduled but has not yet happened - - **Completed** means that the deployment succeeded and is no longer scheduled + +- **Pending** means that the deployment is scheduled but has not yet happened +- **Completed** means that the deployment succeeded and is no longer scheduled ![Status on server screenshot](images/MDATP_24_StatusOnServer.png) - #### Status on client machine + After the Configuration Profile is deployed, you'll see the profile on the machine in the **System Preferences > Profiles >** Name of Configuration Profile. ![Status on client screenshot](images/MDATP_25_StatusOnClient.png) @@ -324,7 +347,7 @@ After the policy is applied, you'll see the Microsoft Defender icon in the macOS You can monitor policy installation on a machine by following the JAMF's log file: -``` +```bash mavel-mojave:~ testuser$ tail -f /var/log/jamf.log Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... @@ -336,7 +359,8 @@ Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. ``` You can also check the onboarding status: -``` + +```bash mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 @@ -349,6 +373,7 @@ orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 - **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed. ### Uninstalling Microsoft Defender ATP for Mac + #### Uninstalling with a script Create a script in **Settings > Computer Management > Scripts**. @@ -357,7 +382,7 @@ Create a script in **Settings > Computer Management > Scripts**. For example, this script removes Microsoft Defender ATP from the /Applications directory: -``` +```bash echo "Is WDAV installed?" ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null @@ -371,6 +396,7 @@ echo "Done!" ``` #### Uninstalling with a policy + Your policy should contain a single script: ![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) @@ -381,7 +407,7 @@ Configure the appropriate scope in the **Scope** tab to specify the machines tha You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: -``` +```bash sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' ``` @@ -390,18 +416,20 @@ This script returns 0 if Microsoft Defender ATP is registered with the Windows D ## Manual deployment ### Download installation and onboarding packages + Download the installation and onboarding packages from Windows Defender Security Center: -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. + +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) -5. From a command prompt, verify that you have the two files. +5. From a command prompt, verify that you have the two files. Extract the contents of the .zip files: - - ``` + + ```bash mavel-macmini:Downloads test$ ls -l total 721152 -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip @@ -409,9 +437,10 @@ Download the installation and onboarding packages from Windows Defender Security mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip Archive: WindowsDefenderATPOnboardingPackage.zip inflating: WindowsDefenderATPOnboarding.py - ``` + ``` ### Application installation + To complete this process, you must have admin privileges on the machine. 1. Navigate to the downloaded wdav.pkg in Finder and open it. @@ -431,36 +460,38 @@ To complete this process, you must have admin privileges on the machine. ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png) - The installation will proceed. > [!NOTE] > If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time. ### Client configuration -1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. + +1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. The client machine is not associated with orgId. Note that the orgid is blank. - ``` + ```bash mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 orgid : ``` -2. Install the configuration file on a client machine: - ``` +2. Install the configuration file on a client machine: + + ```bash mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) ``` -3. Verify that the machine is now associated with orgId: +3. Verify that the machine is now associated with orgId: - ``` + ```bash mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8 ``` + After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) @@ -490,7 +521,7 @@ Controlling product settings, triggering on-demand scans, and several other impo ## What to expect in the ATP portal - AV alerts: - - Severity + - Severity - Scan type - Device information (hostname, machine identifier, tenant identifier, app version, and OS type) - File information (name, path, size, and hash) @@ -528,37 +559,39 @@ Or, from a command line: - Geo preference for telemetry traffic is not supported yet. Cloud traffic is routed to the US only. - Centrally managed uninstall is still being developed. As a workaround, a manual uninstall must be performed on each client device. - ## Collecting diagnostic information + If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. 1) Increase logging level: -``` - mavel-mojave:~ testuser$ mdatp log-level --verbose - Creating connection to daemon - Connection established - Operation succeeded + +```bash + mavel-mojave:~ testuser$ mdatp log-level --verbose + Creating connection to daemon + Connection established + Operation succeeded ``` 2) Reproduce the problem 3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. - ``` + ```bash mavel-mojave:~ testuser$ mdatp --diagnostic Creating connection to daemon Connection established "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" - ``` - + ``` + 4) Restore logging level: -``` + + ```bash mavel-mojave:~ testuser$ mdatp log-level --info Creating connection to daemon Connection established Operation succeeded -``` + ``` - ### Installation issues + If an error occurs during installation, the installer will only report a general failure. The detailed log is saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. From 4336fb97432614ec0cfe4b69e2c61bbb200e404c Mon Sep 17 00:00:00 2001 From: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> Date: Thu, 2 May 2019 12:13:50 -0500 Subject: [PATCH 202/492] Update windows/deployment/windows-autopilot/windows-autopilot-reset-local.md Adjusting the wording based on suggestion by JohnFreelancer9 Co-Authored-By: msjbja <49055479+msjbja@users.noreply.github.com> --- .../windows-autopilot/windows-autopilot-reset-local.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md b/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md index 2df22358c3..5f82790f46 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md @@ -19,7 +19,7 @@ ms.topic: article **Applies to: Windows 10, version 1709 and above -The Microsoft Intune Service Administrator Directory role is required to perform this task. The process of adding directory roles is documented at https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal +The Microsoft Intune Service Administrator Directory role is required to perform this task. To learn more about the process of adding directory roles, refer to https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal IT admins can perform a local Windows Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With a local Autopilot Reset, devices are returned to a fully configured or known IT-approved state. From b37b1b9e69ebd787de443bc26d601baa6d431bf2 Mon Sep 17 00:00:00 2001 From: Joyce Y <47188252+mypil@users.noreply.github.com> Date: Thu, 2 May 2019 12:44:43 -0500 Subject: [PATCH 203/492] Update windows/deployment/windows-autopilot/windows-autopilot-reset-local.md Changes committed to fit Microsoft style Co-Authored-By: msjbja <49055479+msjbja@users.noreply.github.com> --- .../windows-autopilot/windows-autopilot-reset-local.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md b/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md index 5f82790f46..c94be655bb 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md @@ -19,7 +19,7 @@ ms.topic: article **Applies to: Windows 10, version 1709 and above -The Microsoft Intune Service Administrator Directory role is required to perform this task. To learn more about the process of adding directory roles, refer to https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal +The Intune Service Administrator role is required to perform this task. Learn more about how to [Assign Azure Active Directory roles](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). IT admins can perform a local Windows Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With a local Autopilot Reset, devices are returned to a fully configured or known IT-approved state. From 78cf0150a08587a7321277c9fe4090762cdf6a53 Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 2 May 2019 14:22:37 -0400 Subject: [PATCH 204/492] updated known issues + small refinements to other owned sections --- .../microsoft-defender-atp-mac.md | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index a145ddc2d6..e159d86a94 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -27,7 +27,7 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only ## What’s new in the public preview -We've been working hard through the private preview period, and we've heard your concerns. We've reduced the delay for when new Mac devices appear in the ATP console after they've been deployed. We've improved threat handling, and enhanced the user experience. We've also made numerous bug fixes. Other updates to Microsoft Defender ATP include: +We've been working hard through the private preview period, and we've heard your concerns. We've reduced the delay for when new Mac devices appear in the ATP console after they've been deployed. We've improved threat handling, and enhanced the user experience. We've also made numerous bug fixes. Other updates to Microsoft Defender ATP for Mac include: - Full accessibility - Improved performance @@ -501,7 +501,7 @@ After installation, you'll see the Microsoft Defender icon in the macOS status b ## Configuring with the command line -Controlling product settings, triggering on-demand scans, and several other important tasks can be done with the following CLI commands: +Controlling product settings, triggering on-demand scans, and several other important tasks can be done from the command line with the following commands: |Group |Scenario |Command | |-------------|-------------------------------------------|-----------------------------------------------------------------------| @@ -554,12 +554,9 @@ Or, from a command line: ## Known issues -- Not localized yet. -- There might be accessibility issues. -- Not optimized for performance or disk space yet. +- Not fully optimized for performance or disk space yet. - Full Windows Defender ATP integration is not available yet. - Mac devices that switch networks may appear multiple times in the APT portal. -- Geo preference for telemetry traffic is not supported yet. Cloud traffic is routed to the US only. - Centrally managed uninstall is still being developed. As a workaround, a manual uninstall must be performed on each client device. ## Collecting diagnostic information From 69b54b8d9640c97fc9fedf589dff4c622c995178 Mon Sep 17 00:00:00 2001 From: Jie RONG Date: Fri, 3 May 2019 14:32:52 +0800 Subject: [PATCH 205/492] Update set-up-enterprise-mode-portal.md In previous doc: Step 3, following 10 of To create the website will change the connectionstring to like following: But for Model first connection string, it should be like following as displayed in Web.config in the project folder. This will introduce data access error, throwing "Keyword not supported: 'server'." 2. The fix is in step 1 - 6, just update server name and database name, then remove the manual setting steps in Step 2. --- .../set-up-enterprise-mode-portal.md | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md index 47c4caf92b..c6c5cf099e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md @@ -43,7 +43,10 @@ You must download the deployment folder (**EMIEWebPortal/**), which includes all Installs the npm package manager and bulk adds all the third-party libraries back into your codebase. -6. Go back up a directory, open the solution file **EMIEWebPortal.sln** in Visual Studio, and then build the entire solution. +6. Go back up a directory, open the solution file **EMIEWebPortal.sln** in Visual Studio, open **Web.config** from **EMIEWebPortal/** folder, and replace MSIT-LOB-COMPAT with your server name hosting your database, replace LOBMerged with your database name, and build the entire solution. + + >[!Note] + >Step 3 of this topic provides the steps to create your database. 7. Copy the contents of the **EMIEWebPortal/** folder to a dedicated folder on your file system. For example, _D:\EMIEWebApp_. In a later step, you'll designate this folder as your website in the IIS Manager. @@ -105,17 +108,6 @@ Create a new Application Pool and the website, by using the IIS Manager. >[!Note] >You must also make sure that **Anonymous Authentication** is marked as **Enabled**. -10. Return to the **<website_name> Home** pane, and double-click the **Connection Strings** icon. - -11. Open the **LOBMergedEntities Connection String** to edit: - - - **Data source.** Type the name of your local computer. - - - **Initial catalog.** The name of your database. - - >[!Note] - >Step 3 of this topic provides the steps to create your database. - ## Step 3 - Create and prep your database Create a SQL Server database and run our custom query to create the Enterprise Mode Site List tables. @@ -229,4 +221,4 @@ Register the EMIEScheduler tool and service for production site list changes. - [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md) -- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md) \ No newline at end of file +- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md) From 07120081bf9e857679d3206b06f47f00adb65b01 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 3 May 2019 12:25:57 +0500 Subject: [PATCH 206/492] update hello-planning-guide.md --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 05fb09a45a..77945e6f69 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -77,7 +77,7 @@ A deployment's trust type defines how each Windows Hello for Business client aut The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. -The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 Active Directory schema](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs#directories)). Users can authenticate using their certificate to any Windows Server 2008 R2 or later domain controller. +The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 Active Directory schema](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller. #### Device registration From 355c7ccc34fd830e040373cd7156aa1a33ae36d7 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 3 May 2019 16:11:27 +0500 Subject: [PATCH 207/492] update nodecache-csp.md removed DFType value, as it is out of the scope of this article --- windows/client-management/mdm/nodecache-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/nodecache-csp.md b/windows/client-management/mdm/nodecache-csp.md index 28bcf637f6..d04fa8b63b 100644 --- a/windows/client-management/mdm/nodecache-csp.md +++ b/windows/client-management/mdm/nodecache-csp.md @@ -30,7 +30,7 @@ The following diagram shows the NodeCache configuration service provider in tree ![nodecache csp](images/provisioning-csp-nodecache.png) **./Device/Vendor/MSFT and ./User/Vendor/MSFT** -Required. The root node for the NodeCache object. Supported operation is Get. This configuration service provider is used for enterprise device management only. This is a predefined MIME type to identify this managed object in OMA DM syntax. Starting in Windows 10, version 1607 the value is com.microsoft/\/MDM/NodeCache. +Required. The root node for the NodeCache object. Supported operation is Get. This configuration service provider is used for enterprise device management only. This is a predefined MIME type to identify this managed object in OMA DM syntax. ***ProviderID*** Optional. Group settings per DM server. Each group of settings is distinguished by the server’s Provider ID. It should be the same DM server **PROVIDER-ID** value that was supplied through the [w7 APPLICATION configuration service provider](w7-application-csp.md) XML during the enrollment process. Only one enterprise management server is supported. That is, there should be only one *ProviderID* node under **NodeCache**. Scope is dynamic. From 31978baa1a4bb4a0c509349a7d91026e98e8a5c3 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 08:25:55 -0700 Subject: [PATCH 208/492] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...system-components-to-microsoft-services.md | 22 +++---------------- 1 file changed, 3 insertions(+), 19 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index b46666da35..096932fb04 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -1824,9 +1824,6 @@ You can disable Teredo by using Group Policy or by using the netsh.exe command. - Create a new REG_SZ registry setting named **Teredo_State** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TCPIP\\v6Transition** with a value of **Disabled**. - -or- - -- From an elevated command prompt, run **netsh interface teredo set state disabled** ### 23. Wi-Fi Sense @@ -1847,13 +1844,6 @@ To turn off **Connect to suggested open hotspots** and **Connect to networks sha - Create a new REG_DWORD registry setting named **AutoConnectAllowedOEM** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config** with a **value of 0 (zero)**. - -or- - -- Change the Windows Provisioning setting, WiFISenseAllowed, to **0 (zero)**. For more info, see the Windows Provisioning Settings reference doc, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620909). - - -or- - -- Use the Unattended settings to set the value of WiFiSenseAllowed to **0 (zero)**. For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620910). When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee. @@ -1863,21 +1853,15 @@ You can disconnect from the Microsoft Antimalware Protection Service. - **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** and then select **Disabled** from the drop down box named **Join Microsoft MAPS** - -or- +-OR- - Use the registry to set the REG_DWORD value **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to **0 (zero)**. - -or- -- Delete the registry setting **named** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Updates**. - - -or- +-OR- - For Windows 10 only, apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). - -and- - - From an elevated Windows PowerShell prompt, run **set-mppreference -Mapsreporting 0** You can stop sending file samples back to Microsoft. @@ -2076,7 +2060,7 @@ On Windows Server 2016, this will block Microsoft Store calls from Universal Win You can turn off apps for websites, preventing customers who visit websites that are registered with their associated app from directly launching the app. -**Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Configure web-to-app linking with URI handlers** +- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Configure web-to-app linking with URI handlers** -or- From d8f450c1868cb2de5322447ee0c4e8f21af92ea9 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 08:39:32 -0700 Subject: [PATCH 209/492] Create manage-windows-19H1-endpoints.md --- .../privacy/manage-windows-19H1-endpoints.md | 492 ++++++++++++++++++ 1 file changed, 492 insertions(+) create mode 100644 windows/privacy/manage-windows-19H1-endpoints.md diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md new file mode 100644 index 0000000000..211c59c07e --- /dev/null +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -0,0 +1,492 @@ +--- +title: Connection endpoints for Windows 10, version 19H1 +description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. +keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +audience: ITPro +author: danihalfin +ms.author: v-medgar +manager: sanashar +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 5/3/2019 +--- +# Manage connection endpoints for Windows 10, version 1809 + +**Applies to** + +- Windows 10, version 19H1 + +Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: + +- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. +- Connecting to email servers to send and receive email. +- Connecting to the web for every day web browsing. +- Connecting to the cloud to store and access backups. +- Using your location to show a weather forecast. + +This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later. +Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). +Where applicable, each endpoint covered in this topic includes a link to specific details about how to control traffic to it. + +We used the following methodology to derive these network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 Enterprise connection endpoints + +## Apps + +The following endpoint is used to download updates to the Weather app Live Tile. +If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| explorer | HTTP | tile-service.weather.microsoft.com | +| | HTTP | blob.weather.microsoft.com | + +The following endpoint is used for OneNote Live Tile. +To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | cdn.onenote.net/livetile/?Language=en-US | + +The following endpoints are used for Twitter updates. +To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | wildcard.twimg.com | +| svchost.exe | | oem.twimg.com/windows/tile.xml | + +The following endpoint is used for Facebook updates. +To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | star-mini.c10r.facebook.com | + +The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. +To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | + +The following endpoint is used for Candy Crush Saga updates. +To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | TLS v1.2 | candycrushsoda.king.com | + +The following endpoint is used for by the Microsoft Wallet app. +To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | + +The following endpoint is used by the Groove Music app for update HTTP handler status. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com | + +The following endpoints are used when using the Whiteboard app. +To turn off traffic for this endpoint [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | wbd.ms | +| | HTTPS | int.whiteboard.microsoft.com | +| | HTTPS | whiteboard.microsoft.com | +| | HTTP / HTTPS | whiteboard.ms | + +## Cortana and Search + +The following endpoint is used to get images that are used for Microsoft Store suggestions. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| searchui | HTTPS |store-images.s-microsoft.com | + +The following endpoint is used to update Cortana greetings, tips, and Live Tiles. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| backgroundtaskhost | HTTPS | www.bing.com/client | + +The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| backgroundtaskhost | HTTPS | www.bing.com/proactive | + +The following endpoint is used by Cortana to report diagnostic and diagnostic data information. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx | + +## Certificates + +The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. + +Additionally, it is used to download certificates that are publicly known to be fraudulent. +These settings are critical for both Windows security and the overall security of the Internet. +We do not recommend blocking this endpoint. +If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTP | ctldl.windowsupdate.com | + +## Device authentication + +The following endpoint is used to authenticate a device. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | login.live.com/ppsecure | + +## Device metadata + +The following endpoint is used to retrieve device metadata. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | dmd.metaservices.microsoft.com.akadns.net | +| | HTTP | dmd.metaservices.microsoft.com | + +## Diagnostic Data + +The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | cy2.vortex.data.microsoft.com.akadns.net | + +The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | v10.vortex-win.data.microsoft.com/collect/v1 | + +The following endpoints are used by Windows Error Reporting. +To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| wermgr | | watson.telemetry.microsoft.com | +| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net | + +## Font streaming + +The following endpoints are used to download fonts on demand. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | fs.microsoft.com | +| | | fs.microsoft.com/fs/windows/config.json | + +## Licensing + +The following endpoint is used for online activation and some app licensing. +To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content | + +## Location + +The following endpoint is used for location data. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | location-inference-westus.cloudapp.net | +| | HTTPS | inference.location.live.net | + +## Maps + +The following endpoint is used to check for updates to maps that have been downloaded for offline use. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | *g.akamaiedge.net | + +## Microsoft account + +The following endpoints are used for Microsoft accounts to sign in. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | login.msa.akadns6.net | +| system32\Auth.Host.exe | HTTPS | auth.gfx.ms | +| | | us.configsvc1.live.com.akadns.net | + +## Microsoft Store + +The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | *.wns.windows.com | + +The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. +To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | storecatalogrevocation.storequality.microsoft.com | + +The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net | +| backgroundtransferhost | HTTPS | store-images.microsoft.com | + +The following endpoints are used to communicate with Microsoft Store. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | storeedgefd.dsx.mp.microsoft.com | +| | HTTP \ HTTPS | pti.store.microsoft.com | +||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.| +| svchost | HTTPS | displaycatalog.mp.microsoft.com | + +## Network Connection Status Indicator (NCSI) + +Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | www.msftconnecttest.com/connecttest.txt | + +## Office + +The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). +You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. +If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | *.a-msedge.net | +| hxstr | | *.c-msedge.net | +| | | *.e-msedge.net | +| | | *.s-msedge.net | +| | HTTPS | ocos-office365-s2s.msedge.net | +| | HTTPS | nexusrules.officeapps.live.com | +| | HTTPS | officeclient.microsoft.com | + +The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). +You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. +If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| system32\Auth.Host.exe | HTTPS | outlook.office365.com | + +The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net| + +The following endpoint is used to connect the Office To-Do app to it's cloud service. +To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| |HTTPS|to-do.microsoft.com| + +## OneDrive + +The following endpoint is a redirection service that’s used to automatically update URLs. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction | + +The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US). +To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| onedrive | HTTPS | oneclient.sfx.ms | + +## Settings + +The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| dmclient | | cy2.settings.data.microsoft.com.akadns.net | + +The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| dmclient | HTTPS | settings.data.microsoft.com | + +The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | settings-win.data.microsoft.com | + +## Skype + +The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | +| | HTTPS | browser.pipe.aria.microsoft.com | +| | | skypeecs-prod-usw-0-b.cloudapp.net | + +## Windows Defender + +The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | wdcp.microsoft.com | + +The following endpoints are used for Windows Defender definition updates. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | definitionupdates.microsoft.com | +|MpCmdRun.exe|HTTPS|go.microsoft.com | + +The following endpoints are used for Windows Defender Smartscreen reporting and notifications. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender-smartscreen), Smartscreen notifications will no appear. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | ars.smartscreen.microsoft.com | +| | HTTPS | unitedstates.smartscreen-prod.microsoft.com | +| | | smartscreen-sn3p.smartscreen.microsoft.com | + +## Windows Spotlight + +The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight). + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| backgroundtaskhost | HTTPS | arc.msn.com | +| backgroundtaskhost | | g.msn.com.nsatc.net | +| |TLS v1.2| *.search.msn.com | +| | HTTPS | ris.api.iris.microsoft.com | +| | HTTPS | query.prod.cms.rt.microsoft.com | + +## Windows Update + +The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | + +The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTP | *.windowsupdate.com | +| svchost | HTTP | *.dl.delivery.mp.microsoft.com | + +The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | *.update.microsoft.com | +| svchost | HTTPS | *.delivery.mp.microsoft.com | + +The following endpoint is used for content regulation. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | + + +## Microsoft forward link redirection service (FWLink) + +The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. + +If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +|Various|HTTPS|go.microsoft.com| + +## Other Windows 10 editions + +To view endpoints for other versions of Windows 10 Enterprise, see: +- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) + +To view endpoints for non-Enterprise Windows 10 editions, see: +- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) +- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) +- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) + + +## Related links + +- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) +- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune) From 3ca8fa560ee97febf256538e64c249e9bbaa23fd Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 09:03:55 -0700 Subject: [PATCH 210/492] Update manage-windows-19H1-endpoints.md --- windows/privacy/manage-windows-19H1-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 211c59c07e..8c7ac6dde4 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -14,7 +14,7 @@ ms.collection: M365-security-compliance ms.topic: article ms.date: 5/3/2019 --- -# Manage connection endpoints for Windows 10, version 1809 +# Manage connection endpoints for Windows 10, version 19H1 **Applies to** From 7a6fb2cc5e15c53934f2d0f9d27df7bc8b53feba Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 09:17:11 -0700 Subject: [PATCH 211/492] Update manage-windows-19H1-endpoints.md --- .../privacy/manage-windows-19H1-endpoints.md | 552 ++++-------------- 1 file changed, 124 insertions(+), 428 deletions(-) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 8c7ac6dde4..57e41a1616 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -44,435 +44,131 @@ We used the following methodology to derive these network endpoints: > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. -## Windows 10 Enterprise connection endpoints +## Windows 10 19H1 Enterprise connection endpoints + +| Area | Description | Protocol | Destination | + +|Apps|The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com +||The following endpoint is used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|tile-service.weather.microsoft.com +||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. +||HTTPS|cdn.onenote.net/livetile/?Language=en-US +||The following endpoints are used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. +||HTTPS|*.twimg.com* +||The following endpoint is used for Facebook updates. To turn off traffic for this endpoint, either uninstall Facebook or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. +|||star-mini.c10r.facebook.com +||The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall Candy Crush Saga or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. +||TLS v1.2|candycrushsoda.king.com +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|evoke-windowsservices-tas.msedge.net +||The following endpoint is used for by the Microsoft Wallet app. To turn off traffic for this endpoint, either uninstall the Wallet app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. +||HTTPS|wallet.microsoft.com +||The following endpoint is used by the Groove Music app for update HTTP handler status. If you turn off traffic for this endpoint, apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app. +||HTTPS|mediaredirect.microsoft.com +||The following endpoints are used when using the Whiteboard app. To turn off traffic for this endpoint disable the Microsoft Store. +|HTTPS|int.whiteboard.microsoft.com| +|||HTTPS|wbd.ms +|||HTTPS|whiteboard.microsoft.com +|||HTTP / HTTPS|whiteboard.ms| +|Azure |The following endpoints are related to Azure. |HTTPS|wd-prod-*fe*.cloudapp.azure.com +|| |HTTPS|ris-prod-atm.trafficmanager.net +|| |HTTPS|validation-v2.sls.trafficmanager.net +|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible turn off traffic to this endpoint, but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses.| +|Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.|HTTP|ctldl.windowsupdate.com +|Cortana and Search|The following endpoint is used to get images that are used for Microsoft Store suggestions. If you turn off traffic for this endpoint, you will block images that are used for Microsoft Store suggestions. +||HTTPS|store-images.*microsoft.com +|Cortana and Search2|The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|HTTPS|www.bing.com/client +|| |HTTPS|www.bing.com +|||HTTPS|www.bing.com/proactive +|||HTTPS|www.bing.com/threshold/xls.aspx +|||HTTP|exo-ring.msedge.net +|||HTTP|fp.msedge.net +|||HTTP|fp-vp.azureedge.net +|||HTTP|odinvzc.azureedge.net +|||HTTP|spo-ring.msedge.net +|Device authentication +||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com* +||The following endpoints are used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.|HTTP|dmd.metaservices.microsoft.com +|Diagnostic Data +||The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|HTTP|v10.events.data.microsoft.com +|||HTTPS|v10.vortex-win.data.microsoft.com/collect/v1 +|||HTTP|www.microsoft.com +||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|HTTPS|co4.telecommand.telemetry.microsoft.com +|| |HTTP|cs11.wpc.v0cdn.net +|| |HTTPS|cs1137.wpc.gammacdn.net +|||TLS v1.2|modern.watson.data.microsoft.com* +|||HTTPS|watson.telemetry.microsoft.com +|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work. +||HTTPS|*licensing.mp.microsoft.com* +|Location|The following endpoint is used for location data. If you turn off traffic for this endpoint, apps cannot use location data.|HTTPS|inference.location.live.net +|||HTTP|location-inference-westus.cloudapp.net +|Maps|The following endpoint is used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTPS|*g.akamaiedge.net +|| |HTTP|*maps.windows.com* +|Microsoft account|The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. +||HTTP|login.msa.akadns6.net| +|||HTTP|us.configsvc1.live.com.akadns.net +|Microsoft Edge| This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com +|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. +|If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTPS|go.microsoft.com +|Microsoft Store|The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|HTTPS|*.wns.windows.com +||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. +||HTTP|storecatalogrevocation.storequality.microsoft.com +||The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com* +|||HTTPS|store-images.microsoft.com +||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. +||TLS v1.2|*.md.mp.microsoft.com* +|||HTTPS|*displaycatalog.mp.microsoft.com +|||HTTP \ HTTPS|pti.store.microsoft.com +|||HTTP|storeedgefd.dsx.mp.microsoft.com +|| |HTTP|markets.books.microsoft.com +|| |HTTP |share.microsoft.com +|Network Connection Status Indicator (NCSI) +||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTP|www.msftconnecttest.com*|Office +||Online. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.|HTTP|*.c-msedge.net +|||HTTPS|*.e-msedge.net +|||HTTPS|*.s-msedge.net +|||HTTPS|nexusrules.officeapps.live.com +|||HTTPS|ocos-office365-s2s.msedge.net +|||HTTPS|officeclient.microsoft.com +|||HTTPS|outlook.office365.com +|||HTTPS|client-office365-tas.msedge.net +|| |HTTPS|www.office.com +|| |HTTPS|onecollector.cloudapp.aria +|| |HTTP|v10.events.data.microsoft.com/onecollector/1.0/ +|| |HTTPS|self.events.data.microsoft.com +||The following endpoint is used to connect the Office To-Do app to its cloud service. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. +|HTTPS|to-do.microsoft.com +|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.|HTTP \ HTTPS|g.live.com/1rewlive5skydrive/* +|| |HTTP|msagfx.live.com +|||HTTPS +||oneclient.sfx.ms +|Settings +||The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||cy2.settings.data.microsoft.com.akadns.net +|||HTTPS|settings.data.microsoft.com +|||HTTPS|settings-win.data.microsoft.com +|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|browser.pipe.aria.microsoft.com +|||HTTP|config.edge.skype.com +|| |HTTP|s2s.config.skype.com +|||HTTPS|skypeecs-prod-usw-0-b.cloudapp.net +|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.|HTTPS|wdcp.microsoft.com +|||HTTPS|definitionupdates.microsoft.com| +|||HTTPS|go.microsoft.com +||The following endpoints are used for Windows Defender Smartscreen reporting and notifications. If you turn off traffic for these endpoints, Smartscreen notifications will not appear.|HTTPS|*smartscreen.microsoft.com +|||HTTPS|smartscreen-sn3p.smartscreen.microsoft.com| +|||HTTPS|unitedstates.smartscreen-prod.microsoft.com +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight. +|TLS v1.2|*.search.msn.com +|||HTTPS|arc.msn.com +|||HTTPS|g.msn.com* +|||HTTPS|query.prod.cms.rt.microsoft.com +|||HTTPS|ris.api.iris.microsoft.com +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.|HTTPS|*.prod.do.dsp.mp.microsoft.com +|| |HTTP|cs9.wac.phicdn.net +|| |HTTP|emdl.ws.microsoft.com +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com +|||HTTP|*.windowsupdate.com* +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.|HTTPS|*.delivery.mp.microsoft.com +|||HTTPS|*.update.microsoft.com +||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly|HTTPS|tsfe.trafficshaping.dsp.mp.microsoft.com| -## Apps - -The following endpoint is used to download updates to the Weather app Live Tile. -If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| explorer | HTTP | tile-service.weather.microsoft.com | -| | HTTP | blob.weather.microsoft.com | - -The following endpoint is used for OneNote Live Tile. -To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | cdn.onenote.net/livetile/?Language=en-US | - -The following endpoints are used for Twitter updates. -To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | wildcard.twimg.com | -| svchost.exe | | oem.twimg.com/windows/tile.xml | - -The following endpoint is used for Facebook updates. -To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | star-mini.c10r.facebook.com | - -The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. -To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | - -The following endpoint is used for Candy Crush Saga updates. -To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | TLS v1.2 | candycrushsoda.king.com | - -The following endpoint is used for by the Microsoft Wallet app. -To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | - -The following endpoint is used by the Groove Music app for update HTTP handler status. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com | - -The following endpoints are used when using the Whiteboard app. -To turn off traffic for this endpoint [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | wbd.ms | -| | HTTPS | int.whiteboard.microsoft.com | -| | HTTPS | whiteboard.microsoft.com | -| | HTTP / HTTPS | whiteboard.ms | - -## Cortana and Search - -The following endpoint is used to get images that are used for Microsoft Store suggestions. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| searchui | HTTPS |store-images.s-microsoft.com | - -The following endpoint is used to update Cortana greetings, tips, and Live Tiles. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| backgroundtaskhost | HTTPS | www.bing.com/client | - -The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| backgroundtaskhost | HTTPS | www.bing.com/proactive | - -The following endpoint is used by Cortana to report diagnostic and diagnostic data information. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx | - -## Certificates - -The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. - -Additionally, it is used to download certificates that are publicly known to be fraudulent. -These settings are critical for both Windows security and the overall security of the Internet. -We do not recommend blocking this endpoint. -If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTP | ctldl.windowsupdate.com | - -## Device authentication - -The following endpoint is used to authenticate a device. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | login.live.com/ppsecure | - -## Device metadata - -The following endpoint is used to retrieve device metadata. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | dmd.metaservices.microsoft.com.akadns.net | -| | HTTP | dmd.metaservices.microsoft.com | - -## Diagnostic Data - -The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | | cy2.vortex.data.microsoft.com.akadns.net | - -The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | v10.vortex-win.data.microsoft.com/collect/v1 | - -The following endpoints are used by Windows Error Reporting. -To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| wermgr | | watson.telemetry.microsoft.com | -| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net | - -## Font streaming - -The following endpoints are used to download fonts on demand. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | | fs.microsoft.com | -| | | fs.microsoft.com/fs/windows/config.json | - -## Licensing - -The following endpoint is used for online activation and some app licensing. -To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content | - -## Location - -The following endpoint is used for location data. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | location-inference-westus.cloudapp.net | -| | HTTPS | inference.location.live.net | - -## Maps - -The following endpoint is used to check for updates to maps that have been downloaded for offline use. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | *g.akamaiedge.net | - -## Microsoft account - -The following endpoints are used for Microsoft accounts to sign in. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | login.msa.akadns6.net | -| system32\Auth.Host.exe | HTTPS | auth.gfx.ms | -| | | us.configsvc1.live.com.akadns.net | - -## Microsoft Store - -The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | *.wns.windows.com | - -The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. -To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | storecatalogrevocation.storequality.microsoft.com | - -The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net | -| backgroundtransferhost | HTTPS | store-images.microsoft.com | - -The following endpoints are used to communicate with Microsoft Store. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | storeedgefd.dsx.mp.microsoft.com | -| | HTTP \ HTTPS | pti.store.microsoft.com | -||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.| -| svchost | HTTPS | displaycatalog.mp.microsoft.com | - -## Network Connection Status Indicator (NCSI) - -Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | www.msftconnecttest.com/connecttest.txt | - -## Office - -The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). -You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. -If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | *.a-msedge.net | -| hxstr | | *.c-msedge.net | -| | | *.e-msedge.net | -| | | *.s-msedge.net | -| | HTTPS | ocos-office365-s2s.msedge.net | -| | HTTPS | nexusrules.officeapps.live.com | -| | HTTPS | officeclient.microsoft.com | - -The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). -You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. -If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| system32\Auth.Host.exe | HTTPS | outlook.office365.com | - -The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net| - -The following endpoint is used to connect the Office To-Do app to it's cloud service. -To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| |HTTPS|to-do.microsoft.com| - -## OneDrive - -The following endpoint is a redirection service that’s used to automatically update URLs. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction | - -The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US). -To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| onedrive | HTTPS | oneclient.sfx.ms | - -## Settings - -The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| dmclient | | cy2.settings.data.microsoft.com.akadns.net | - -The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| dmclient | HTTPS | settings.data.microsoft.com | - -The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | settings-win.data.microsoft.com | - -## Skype - -The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | -| | HTTPS | browser.pipe.aria.microsoft.com | -| | | skypeecs-prod-usw-0-b.cloudapp.net | - -## Windows Defender - -The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | wdcp.microsoft.com | - -The following endpoints are used for Windows Defender definition updates. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | definitionupdates.microsoft.com | -|MpCmdRun.exe|HTTPS|go.microsoft.com | - -The following endpoints are used for Windows Defender Smartscreen reporting and notifications. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender-smartscreen), Smartscreen notifications will no appear. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | ars.smartscreen.microsoft.com | -| | HTTPS | unitedstates.smartscreen-prod.microsoft.com | -| | | smartscreen-sn3p.smartscreen.microsoft.com | - -## Windows Spotlight - -The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight). - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| backgroundtaskhost | HTTPS | arc.msn.com | -| backgroundtaskhost | | g.msn.com.nsatc.net | -| |TLS v1.2| *.search.msn.com | -| | HTTPS | ris.api.iris.microsoft.com | -| | HTTPS | query.prod.cms.rt.microsoft.com | - -## Windows Update - -The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | - -The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTP | *.windowsupdate.com | -| svchost | HTTP | *.dl.delivery.mp.microsoft.com | - -The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | *.update.microsoft.com | -| svchost | HTTPS | *.delivery.mp.microsoft.com | - -The following endpoint is used for content regulation. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | - - -## Microsoft forward link redirection service (FWLink) - -The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. - -If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -|Various|HTTPS|go.microsoft.com| ## Other Windows 10 editions From d3d97220593b00a1c9e77bf451e98e741ca68ef8 Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 3 May 2019 13:11:09 -0400 Subject: [PATCH 212/492] added intune back into known issues --- .../windows-defender-antivirus/microsoft-defender-atp-mac.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index e159d86a94..e05ea856f0 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -557,7 +557,7 @@ Or, from a command line: - Not fully optimized for performance or disk space yet. - Full Windows Defender ATP integration is not available yet. - Mac devices that switch networks may appear multiple times in the APT portal. -- Centrally managed uninstall is still being developed. As a workaround, a manual uninstall must be performed on each client device. +- Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device. ## Collecting diagnostic information From 2a6248937c504561c5e34d29e9e2074e03dcd851 Mon Sep 17 00:00:00 2001 From: Rona Song <38082753+qrscharmed@users.noreply.github.com> Date: Fri, 3 May 2019 11:27:51 -0700 Subject: [PATCH 213/492] Update faq-wd-app-guard.md --- .../windows-defender-application-guard/faq-wd-app-guard.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md index 8be213c70e..2e9c8a2adc 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -70,3 +70,9 @@ Answering frequently asked questions about Windows Defender Application Guard (A |**Q:** |What is the WDAGUtilityAccount local account?| |**A:** |This account is part of Application Guard beginning with Windows 10 version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware.|
+ +| | | +|---|----------------------------| +|**Q:** |How do I trust a subdomain in my site list?| +|**A:** |To trust a subdomain, you must precede your domain with two dots, for example: ..contoso.com.| +
From 1e492c00a924c78d29efd9912856f8a0f89a92ec Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 11:43:29 -0700 Subject: [PATCH 214/492] Update manage-windows-19H1-endpoints.md --- windows/privacy/manage-windows-19H1-endpoints.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 57e41a1616..2cea2a6414 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -46,7 +46,18 @@ We used the following methodology to derive these network endpoints: ## Windows 10 19H1 Enterprise connection endpoints +| Source process | Protocol | Destination | +|----------------|----------|------------| +| explorer | HTTP | tile-service.weather.microsoft.com | +| | HTTP | blob.weather.microsoft.com | + + + | Area | Description | Protocol | Destination | +|----------------|----------|------------| +| explorer | HTTP | tile-service.weather.microsoft.com | +| | HTTP | blob.weather.microsoft.com | + |Apps|The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com ||The following endpoint is used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|tile-service.weather.microsoft.com From 3365319a053d60121ae02354a13ea09510b672c1 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 11:44:16 -0700 Subject: [PATCH 215/492] Update manage-windows-19H1-endpoints.md --- windows/privacy/manage-windows-19H1-endpoints.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 2cea2a6414..0e54f28d7c 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -54,6 +54,7 @@ We used the following methodology to derive these network endpoints: | Area | Description | Protocol | Destination | +| Source process | Protocol | Destination | |----------------|----------|------------| | explorer | HTTP | tile-service.weather.microsoft.com | | | HTTP | blob.weather.microsoft.com | From d1972eab4ad293b3188b6c32774bbaeb7e2fa834 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 11:46:01 -0700 Subject: [PATCH 216/492] Update manage-windows-19H1-endpoints.md --- windows/privacy/manage-windows-19H1-endpoints.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 0e54f28d7c..05f810e388 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -53,7 +53,6 @@ We used the following methodology to derive these network endpoints: -| Area | Description | Protocol | Destination | | Source process | Protocol | Destination | |----------------|----------|------------| | explorer | HTTP | tile-service.weather.microsoft.com | @@ -198,3 +197,6 @@ To view endpoints for non-Enterprise Windows 10 editions, see: - [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) - [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune) + + +| Area | Description | Protocol | Destination | From 239cdbaf7f96775c18f174580a6910c7943f375b Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 11:56:28 -0700 Subject: [PATCH 217/492] Update manage-windows-19H1-endpoints.md --- .../privacy/manage-windows-19H1-endpoints.md | 19 ++++++------------- 1 file changed, 6 insertions(+), 13 deletions(-) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 05f810e388..8017f3a4eb 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -44,21 +44,15 @@ We used the following methodology to derive these network endpoints: > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. +| Area | Protocol | Destination | +|----------------|----------|------------| +| explorer | HTTP | tile-service.weather.microsoft.com | + ## Windows 10 19H1 Enterprise connection endpoints -| Source process | Protocol | Destination | + +| Area | Protocol | Destination | |----------------|----------|------------| -| explorer | HTTP | tile-service.weather.microsoft.com | -| | HTTP | blob.weather.microsoft.com | - - - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| explorer | HTTP | tile-service.weather.microsoft.com | -| | HTTP | blob.weather.microsoft.com | - - |Apps|The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com ||The following endpoint is used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|tile-service.weather.microsoft.com ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. @@ -199,4 +193,3 @@ To view endpoints for non-Enterprise Windows 10 editions, see: - [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune) -| Area | Description | Protocol | Destination | From 66895adc528149860e62e31d07e425e8fc5e624d Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 3 May 2019 15:50:26 -0400 Subject: [PATCH 218/492] created separate mdatp for mac logging page --- ...rosoft-defender-atp-mac-diagnostic-logging | 64 +++++++++++++++++++ ...oft-defender-atp-mac-diagnostic-logging.md | 0 2 files changed, 64 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging new file mode 100644 index 0000000000..d2ccd7fac2 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging @@ -0,0 +1,64 @@ +--- +title: Collecting diagnostic information from Microsoft Defender ATP for Mac +description: Describes how to collect diagnostic information from Microsoft Defender ATP for Mac. +keywords: microsoft, defender, atp, mac, installation, deploy, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: #w10 +ms.mktglfcycl: #deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Collecting diagnostic information + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. + +1) Increase logging level: + +```bash + mavel-mojave:~ testuser$ mdatp log-level --verbose + Creating connection to daemon + Connection established + Operation succeeded +``` + +2) Reproduce the problem + +3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. + + ```bash + mavel-mojave:~ testuser$ mdatp --diagnostic + Creating connection to daemon + Connection established + "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" + ``` + +4) Restore logging level: + + ```bash + mavel-mojave:~ testuser$ mdatp log-level --info + Creating connection to daemon + Connection established + Operation succeeded + ``` + +## Installation issues + +If an error occurs during installation, the installer will only report a general failure. + +The detailed log will be saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md new file mode 100644 index 0000000000..e69de29bb2 From e66b83c15d43c5529561cd9942e01ea69b3e4649 Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 3 May 2019 15:52:37 -0400 Subject: [PATCH 219/492] removed logging section from mdatp for mac --- .../microsoft-defender-atp-mac.md | 39 +------------------ 1 file changed, 1 insertion(+), 38 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index e05ea856f0..08918bc9be 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -557,41 +557,4 @@ Or, from a command line: - Not fully optimized for performance or disk space yet. - Full Windows Defender ATP integration is not available yet. - Mac devices that switch networks may appear multiple times in the APT portal. -- Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device. - -## Collecting diagnostic information - -If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. - -1) Increase logging level: - -```bash - mavel-mojave:~ testuser$ mdatp log-level --verbose - Creating connection to daemon - Connection established - Operation succeeded -``` - -2) Reproduce the problem - -3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. - - ```bash - mavel-mojave:~ testuser$ mdatp --diagnostic - Creating connection to daemon - Connection established - "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" - ``` - -4) Restore logging level: - - ```bash - mavel-mojave:~ testuser$ mdatp log-level --info - Creating connection to daemon - Connection established - Operation succeeded - ``` - -### Installation issues - -If an error occurs during installation, the installer will only report a general failure. The detailed log is saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. +- Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device. \ No newline at end of file From f98baf2b4b9fd113299ad33c7a0aa3cb1e44ace0 Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 3 May 2019 16:00:01 -0400 Subject: [PATCH 220/492] added text to mdatp for mac diagnostic logging --- ...rosoft-defender-atp-mac-diagnostic-logging | 64 ------------------- ...oft-defender-atp-mac-diagnostic-logging.md | 64 +++++++++++++++++++ 2 files changed, 64 insertions(+), 64 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging deleted file mode 100644 index d2ccd7fac2..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging +++ /dev/null @@ -1,64 +0,0 @@ ---- -title: Collecting diagnostic information from Microsoft Defender ATP for Mac -description: Describes how to collect diagnostic information from Microsoft Defender ATP for Mac. -keywords: microsoft, defender, atp, mac, installation, deploy, intune, jamf, macos, mojave, high sierra, sierra -search.product: eADQiWindows 10XVcnh -search.appverid: #met150 -ms.prod: #w10 -ms.mktglfcycl: #deploy -ms.sitesec: library -ms.pagetype: security -ms.author: v-maave -author: martyav -ms.localizationpriority: #medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual ---- - -# Collecting diagnostic information - -**Applies to:** - -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. - -1) Increase logging level: - -```bash - mavel-mojave:~ testuser$ mdatp log-level --verbose - Creating connection to daemon - Connection established - Operation succeeded -``` - -2) Reproduce the problem - -3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. - - ```bash - mavel-mojave:~ testuser$ mdatp --diagnostic - Creating connection to daemon - Connection established - "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" - ``` - -4) Restore logging level: - - ```bash - mavel-mojave:~ testuser$ mdatp log-level --info - Creating connection to daemon - Connection established - Operation succeeded - ``` - -## Installation issues - -If an error occurs during installation, the installer will only report a general failure. - -The detailed log will be saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md index e69de29bb2..d2ccd7fac2 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md @@ -0,0 +1,64 @@ +--- +title: Collecting diagnostic information from Microsoft Defender ATP for Mac +description: Describes how to collect diagnostic information from Microsoft Defender ATP for Mac. +keywords: microsoft, defender, atp, mac, installation, deploy, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: #w10 +ms.mktglfcycl: #deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Collecting diagnostic information + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. + +1) Increase logging level: + +```bash + mavel-mojave:~ testuser$ mdatp log-level --verbose + Creating connection to daemon + Connection established + Operation succeeded +``` + +2) Reproduce the problem + +3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. + + ```bash + mavel-mojave:~ testuser$ mdatp --diagnostic + Creating connection to daemon + Connection established + "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" + ``` + +4) Restore logging level: + + ```bash + mavel-mojave:~ testuser$ mdatp log-level --info + Creating connection to daemon + Connection established + Operation succeeded + ``` + +## Installation issues + +If an error occurs during installation, the installer will only report a general failure. + +The detailed log will be saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. \ No newline at end of file From 6a3fd9878885f1dc686aba622fa1c065ff870d05 Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 3 May 2019 16:26:32 -0400 Subject: [PATCH 221/492] created uninstallation for mdatp-mac page --- ...microsoft-defender-atp-mac-uninstalling.md | 66 +++++++++++++++++++ .../microsoft-defender-atp-mac.md | 43 ------------ 2 files changed, 66 insertions(+), 43 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-uninstalling.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-uninstalling.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-uninstalling.md new file mode 100644 index 0000000000..5004b31c5b --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-uninstalling.md @@ -0,0 +1,66 @@ +--- +title: Uninstalling Microsoft Defender ATP for Mac +description: Describes how to uninstall Microsoft Defender ATP for Mac. +keywords: microsoft, defender, atp, mac, installation, deploy, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: #w10 +ms.mktglfcycl: #deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Uninstalling + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available for JAMF, it is not yet available for Intune. See [Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) for updates on development. + +## Within the GUI + +- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. + +## From the command line: + +- ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` + +## With a script + +Create a script in **Settings > Computer Management > Scripts**. + +![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png) + +For example, this script removes Microsoft Defender ATP from the /Applications directory: + +```bash +echo "Is WDAV installed?" +ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + +echo "Uninstalling WDAV..." +rm -rf '/Applications/Microsoft Defender ATP.app' + +echo "Is WDAV still installed?" +ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + +echo "Done!" +``` + +## With a JAMF policy + +If you are running JAMF, your policy should contain a single script: + +![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) + +Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 08918bc9be..42b5eb2508 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -375,37 +375,6 @@ orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 - **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed. -### Uninstalling Microsoft Defender ATP for Mac - -#### Uninstalling with a script - -Create a script in **Settings > Computer Management > Scripts**. - -![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png) - -For example, this script removes Microsoft Defender ATP from the /Applications directory: - -```bash -echo "Is WDAV installed?" -ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - -echo "Uninstalling WDAV..." -rm -rf '/Applications/Microsoft Defender ATP.app' - -echo "Is WDAV still installed?" -ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - -echo "Done!" -``` - -#### Uninstalling with a policy - -Your policy should contain a single script: - -![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) - -Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. - ### Check onboarding status You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: @@ -540,18 +509,6 @@ Controlling product settings, triggering on-demand scans, and several other impo - Processor architecture - Whether the device is a virtual machine -## Uninstallation - -### Removing Microsoft Defender ATP from Mac devices - -To remove Microsoft Defender ATP from your macOS devices: - -- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. - -Or, from a command line: - -- ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` - ## Known issues - Not fully optimized for performance or disk space yet. From 875aeade4e6f57d886733a9edb192206720ede3d Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 3 May 2019 16:40:02 -0400 Subject: [PATCH 222/492] rm'd 2 previous pages split from mdatp-mac & collated them into resources page alongside known issues --- ...oft-defender-atp-mac-diagnostic-logging.md | 64 ---------- .../microsoft-defender-atp-mac-resources.md | 112 ++++++++++++++++++ ...microsoft-defender-atp-mac-uninstalling.md | 66 ----------- .../microsoft-defender-atp-mac.md | 9 +- 4 files changed, 113 insertions(+), 138 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-uninstalling.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md deleted file mode 100644 index d2ccd7fac2..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md +++ /dev/null @@ -1,64 +0,0 @@ ---- -title: Collecting diagnostic information from Microsoft Defender ATP for Mac -description: Describes how to collect diagnostic information from Microsoft Defender ATP for Mac. -keywords: microsoft, defender, atp, mac, installation, deploy, intune, jamf, macos, mojave, high sierra, sierra -search.product: eADQiWindows 10XVcnh -search.appverid: #met150 -ms.prod: #w10 -ms.mktglfcycl: #deploy -ms.sitesec: library -ms.pagetype: security -ms.author: v-maave -author: martyav -ms.localizationpriority: #medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual ---- - -# Collecting diagnostic information - -**Applies to:** - -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. - -1) Increase logging level: - -```bash - mavel-mojave:~ testuser$ mdatp log-level --verbose - Creating connection to daemon - Connection established - Operation succeeded -``` - -2) Reproduce the problem - -3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. - - ```bash - mavel-mojave:~ testuser$ mdatp --diagnostic - Creating connection to daemon - Connection established - "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" - ``` - -4) Restore logging level: - - ```bash - mavel-mojave:~ testuser$ mdatp log-level --info - Creating connection to daemon - Connection established - Operation succeeded - ``` - -## Installation issues - -If an error occurs during installation, the installer will only report a general failure. - -The detailed log will be saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md new file mode 100644 index 0000000000..7f2b515f99 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -0,0 +1,112 @@ +--- +title: Microsoft Defender ATP for Mac Resources +description: Describes resources for Microsoft Defender ATP for Mac, including how to uninstall it, how to collect diagnostic logs, and known issues with the product. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: #conceptual +--- + +## Collecting diagnostic information + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. + +1) Increase logging level: + +```bash + mavel-mojave:~ testuser$ mdatp log-level --verbose + Creating connection to daemon + Connection established + Operation succeeded +``` + +2) Reproduce the problem + +3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. + + ```bash + mavel-mojave:~ testuser$ mdatp --diagnostic + Creating connection to daemon + Connection established + "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" + ``` + +4) Restore logging level: + + ```bash + mavel-mojave:~ testuser$ mdatp log-level --info + Creating connection to daemon + Connection established + Operation succeeded + ``` + +### Installation issues + +If an error occurs during installation, the installer will only report a general failure. + +The detailed log will be saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. + +## Uninstalling + +There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available for JAMF, it is not yet available for Intune. + +### Within the GUI + +- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. + +### From the command line: + +- ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` + +### With a script + +Create a script in **Settings > Computer Management > Scripts**. + +![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png) + +For example, this script removes Microsoft Defender ATP from the /Applications directory: + +```bash + echo "Is WDAV installed?" + ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + + echo "Uninstalling WDAV..." + rm -rf '/Applications/Microsoft Defender ATP.app' + + echo "Is WDAV still installed?" + ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + + echo "Done!" +``` + +### With a JAMF policy + +If you are running JAMF, your policy should contain a single script: + +![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) + +Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. + +## Known issues + +- Not fully optimized for performance or disk space yet. +- Full Windows Defender ATP integration is not available yet. +- Mac devices that switch networks may appear multiple times in the APT portal. +- Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-uninstalling.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-uninstalling.md deleted file mode 100644 index 5004b31c5b..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-uninstalling.md +++ /dev/null @@ -1,66 +0,0 @@ ---- -title: Uninstalling Microsoft Defender ATP for Mac -description: Describes how to uninstall Microsoft Defender ATP for Mac. -keywords: microsoft, defender, atp, mac, installation, deploy, intune, jamf, macos, mojave, high sierra, sierra -search.product: eADQiWindows 10XVcnh -search.appverid: #met150 -ms.prod: #w10 -ms.mktglfcycl: #deploy -ms.sitesec: library -ms.pagetype: security -ms.author: v-maave -author: martyav -ms.localizationpriority: #medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual ---- - -# Uninstalling - -**Applies to:** - -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available for JAMF, it is not yet available for Intune. See [Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) for updates on development. - -## Within the GUI - -- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. - -## From the command line: - -- ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` - -## With a script - -Create a script in **Settings > Computer Management > Scripts**. - -![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png) - -For example, this script removes Microsoft Defender ATP from the /Applications directory: - -```bash -echo "Is WDAV installed?" -ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - -echo "Uninstalling WDAV..." -rm -rf '/Applications/Microsoft Defender ATP.app' - -echo "Is WDAV still installed?" -ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - -echo "Done!" -``` - -## With a JAMF policy - -If you are running JAMF, your policy should contain a single script: - -![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) - -Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 42b5eb2508..fe62a0b6a7 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -507,11 +507,4 @@ Controlling product settings, triggering on-demand scans, and several other impo - OS version - Computer model - Processor architecture - - Whether the device is a virtual machine - -## Known issues - -- Not fully optimized for performance or disk space yet. -- Full Windows Defender ATP integration is not available yet. -- Mac devices that switch networks may appear multiple times in the APT portal. -- Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device. \ No newline at end of file + - Whether the device is a virtual machine \ No newline at end of file From 139958d30b4647f590ab94f33bafabf199634531 Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 3 May 2019 17:11:23 -0400 Subject: [PATCH 223/492] added seperate mdatp-mac installation pages --- ...osoft-defender-atp-mac-install-manually.md | 130 ++++++ ...ft-defender-atp-mac-install-with-intune.md | 158 +++++++ ...soft-defender-atp-mac-install-with-jamf.md | 195 ++++++++ .../microsoft-defender-atp-mac.md | 428 +----------------- 4 files changed, 495 insertions(+), 416 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md new file mode 100644 index 0000000000..4fbed04668 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -0,0 +1,130 @@ +--- +title: Installing Microsoft Defender ATP for Mac with JAMF +description: Describes how to install Microsoft Defender ATP for Mac, using JAMF. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: #conceptual +--- + +# Manual deployment + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +## Download installation and onboarding packages + +Download the installation and onboarding packages from Windows Defender Security Center: + +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. + + ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + +5. From a command prompt, verify that you have the two files. + Extract the contents of the .zip files: + + ```bash + mavel-macmini:Downloads test$ ls -l + total 721152 + -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + inflating: WindowsDefenderATPOnboarding.py + ``` + +## Application installation + +To complete this process, you must have admin privileges on the machine. + +1. Navigate to the downloaded wdav.pkg in Finder and open it. + + ![App install screenshot](images/MDATP_28_AppInstall.png) + +2. Select **Continue**, agree with the License terms, and enter the password when prompted. + + ![App install screenshot](images/MDATP_29_AppInstallLogin.png) + + > [!IMPORTANT] + > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. + + ![App install screenshot](images/MDATP_30_SystemExtension.png) + +3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: + + ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png) + +The installation will proceed. + +> [!NOTE] +> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time. + +## Client configuration + +1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. + + The client machine is not associated with orgId. Note that the orgid is blank. + + ```bash + mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : + ``` + +2. Install the configuration file on a client machine: + + ```bash + mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py + Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) + ``` + +3. Verify that the machine is now associated with orgId: + + ```bash + mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8 + ``` + +After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. + + ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +## Configuring from the command line + +Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line: + +|Group |Scenario |Command | +|-------------|-------------------------------------------|-----------------------------------------------------------------------| +|Configuration|Turn on/off real-time protection |`mdatp config --rtp [true/false]` | +|Configuration|Turn on/off cloud protection |`mdatp config --cloud [true/false]` | +|Configuration|Turn on/off product diagnostics |`mdatp config --diagnostic [true/false]` | +|Configuration|Turn on/off automatic sample submission |`mdatp config --sample-submission [true/false]` | +|Configuration|Turn on PUA protection |`mdatp threat --type-handling --potentially_unwanted_application block`| +|Configuration|Turn off PUA protection |`mdatp threat --type-handling --potentially_unwanted_application off` | +|Configuration|Turn on audit mode for PUA protection |`mdatp threat --type-handling --potentially_unwanted_application audit`| +|Diagnostics |Change the log level |`mdatp log-level --[error/warning/info/verbose]` | +|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic` | +|Health |Check the product's health |`mdatp --health` | +|Protection |Scan a path |`mdatp scan --path [path]` | +|Protection |Do a quick scan |`mdatp scan --quick` | +|Protection |Do a full scan |`mdatp scan --full` | +|Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` | +|Protection |Request a definition update |`mdatp --signature-update` | \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md new file mode 100644 index 0000000000..5cd1e22a19 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md @@ -0,0 +1,158 @@ +--- +title: Installing Microsoft Defender ATP for Mac with Microsoft Intune +description: Describes how to install Microsoft Defender ATP for Mac, using Microsoft Intune. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: #conceptual +--- + +# Microsoft Intune-based deployment + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +## Download installation and onboarding packages + +Download the installation and onboarding packages from Windows Defender Security Center: + +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. +5. Download IntuneAppUtil from [https://docs.microsoft.com/en-us/intune/lob-apps-macos](https://docs.microsoft.com/en-us/intune/lob-apps-macos). + + ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + +6. From a command prompt, verify that you have the three files. + Extract the contents of the .zip files: + + ```bash + mavel-macmini:Downloads test$ ls -l + total 721688 + -rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil + -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators + inflating: intune/kext.xml + inflating: intune/WindowsDefenderATPOnboarding.xml + inflating: jamf/WindowsDefenderATPOnboarding.plist + mavel-macmini:Downloads test$ + ``` + +7. Make IntuneAppUtil an executable: + + ```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil``` + +8. Create the wdav.pkg.intunemac package from wdav.pkg: + + ```bash + mavel-macmini:Downloads test$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0" + Microsoft Intune Application Utility for Mac OS X + Version: 1.0.0.0 + Copyright 2018 Microsoft Corporation + + Creating intunemac file for /Users/test/Downloads/wdav.pkg + Composing the intunemac file output + Output written to ./wdav.pkg.intunemac. + + IntuneAppUtil successfully processed "wdav.pkg", + to deploy refer to the product documentation. + ``` + +## Client Machine Setup + +You need no special provisioning for a Mac machine beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp). + +1. You'll be asked to confirm device management. + +![Confirm device management screenshot](images/MDATP_3_ConfirmDeviceMgmt.png) + +Select Open System Preferences, locate Management Profile on the list and select the **Approve...** button. Your Management Profile would be displayed as **Verified**: + +![Management profile screenshot](images/MDATP_4_ManagementProfile.png) + +2. Select the **Continue** button and complete the enrollment. + +You can enroll additional machines. Optionally, you can do it later, after system configuration and application package are provisioned. + +3. In Intune, open the **Manage > Devices > All devices** blade. You'll see your machine: + +![Add Devices screenshot](images/MDATP_5_allDevices.png) + +## Create System Configuration profiles + +1. In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**. +2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**. +3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above. +4. Select **OK**. + + ![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png) + +5. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. +6. Repeat these steps with the second profile. +7. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file. +8. Select **Manage > Assignments**. In the Include tab, select **Assign to All Users & All devices**. + +After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade: + +![System configuration profiles screenshot](images/MDATP_7_DeviceStatusBlade.png) + +## Publish application + +1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**. +2. Select **App type=Other/Line-of-business app**. +3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. +4. Select **Configure** and add the required information. +5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value. + + ![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png) + +6. Select **OK** and **Add**. + + ![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png) + +7. It will take a while to upload the package. After it's done, select the name and then go to **Assignments** and **Add group**. + + ![Client apps screenshot](images/MDATP_10_ClientApps.png) + +8. Change **Assignment type=Required**. +9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. + + ![Intune assignments info screenshot](images/MDATP_11_Assignments.png) + +10. After some time the application will be published to all enrolled machines. You'll see it on the **Monitor > Device** install status blade: + + ![Intune device status screenshot](images/MDATP_12_DeviceInstall.png) + +## Verify client machine state + +1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**. + + ![System Preferences screenshot](images/MDATP_13_SystemPreferences.png) + ![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png) + +2. Verify the three profiles listed there: + ![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png) + +3. The **Management Profile** should be the Intune system profile. +4. wdav-config and wdav-kext are system configuration profiles that we added in Intune. +5. You should also see the Microsoft Defender icon in the top-right corner: + + ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md new file mode 100644 index 0000000000..82aaf8ffe2 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md @@ -0,0 +1,195 @@ +--- +title: Installing Microsoft Defender ATP for Mac with JAMF +description: Describes how to install Microsoft Defender ATP for Mac, using JAMF. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: #conceptual +--- + +# JAMF-based deployment + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +## Prerequsites + +You need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes a properly configured distribution point. JAMF has many alternative ways to complete the same task. These instructions provide you an example for most common processes. Your organization might use a different workflow. + +## Download installation and onboarding packages + +Download the installation and onboarding packages from Windows Defender Security Center: + +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. + + ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + +5. From a command prompt, verify that you have the two files. + Extract the contents of the .zip files: + + ```bash + mavel-macmini:Downloads test$ ls -l + total 721160 + -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators + inflating: intune/kext.xml + inflating: intune/WindowsDefenderATPOnboarding.xml + inflating: jamf/WindowsDefenderATPOnboarding.plist + mavel-macmini:Downloads test$ + ``` + +## Create JAMF Policies + +You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client machines. + +### Configuration Profile + +The configuration profile contains one custom settings payload that includes: + +- Microsoft Defender ATP for Mac onboarding information +- Approved Kernel Extensions payload to enable the Microsoft kernel driver to run + +1. Upload jamf/WindowsDefenderATPOnboarding.plist as the Property List File. + + >[!NOTE] + > You must use exactly "com.microsoft.wdav.atp" as the Preference Domain. + + ![Configuration profile screenshot](images/MDATP_16_PreferenceDomain.png) + +### Approved Kernel Extension + +To approve the kernel extension: + +1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. +2. Use **UBF8T346G9** for Team Id. + +![Approved kernel extensions screenshot](images/MDATP_17_approvedKernelExtensions.png) + +#### Configuration Profile's Scope + +Configure the appropriate scope to specify the machines that will receive this configuration profile. + +Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers. + +![Configuration profile scope screenshot](images/MDATP_18_ConfigurationProfilesScope.png) + +Save the **Configuration Profile**. + +Use the **Logs** tab to monitor deployment status for each enrolled machine. + +### Package + +1. Create a package in **Settings > Computer Management > Packages**. + + ![Computer management packages screenshot](images/MDATP_19_MicrosoftDefenderWDAVPKG.png) + +2. Upload wdav.pkg to the Distribution Point. +3. In the **filename** field, enter the name of the package. For example, wdav.pkg. + +### Policy + +Your policy should contain a single package for Microsoft Defender. + +![Microsoft Defender packages screenshot](images/MDATP_20_MicrosoftDefenderPackages.png) + +Configure the appropriate scope to specify the computers that will receive this policy. + +After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled machine. + +## Client machine setup + +You need no special provisioning for a macOS computer beyond the standard JAMF Enrollment. + +> [!NOTE] +> After a computer is enrolled, it will show up in the Computers inventory (All Computers). + +1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. + +![MDM approve button screenshot](images/MDATP_21_MDMProfile1.png) +![MDM screenshot](images/MDATP_22_MDMProfileApproved.png) + +After some time, the machine's User Approved MDM status will change to Yes. + +![MDM status screenshot](images/MDATP_23_MDMStatus.png) + +You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned. + +## Deployment + +Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected. + +### Status on server + +You can monitor the deployment status in the Logs tab: + +- **Pending** means that the deployment is scheduled but has not yet happened +- **Completed** means that the deployment succeeded and is no longer scheduled + +![Status on server screenshot](images/MDATP_24_StatusOnServer.png) + +### Status on client machine + +After the Configuration Profile is deployed, you'll see the profile on the machine in the **System Preferences > Profiles >** Name of Configuration Profile. + +![Status on client screenshot](images/MDATP_25_StatusOnClient.png) + +After the policy is applied, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. + +![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +You can monitor policy installation on a machine by following the JAMF's log file: + +```bash +mavel-mojave:~ testuser$ tail -f /var/log/jamf.log +Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. +Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... +Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV +Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender... +Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender. +Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches... +Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. +``` + +You can also check the onboarding status: + +```bash +mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py +uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 +orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 +orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 +orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 +``` + +- **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set. + +- **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed. + +## Check onboarding status + +You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: + +```bash +sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' +``` + +This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index fe62a0b6a7..3eb0b476e4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -37,7 +37,18 @@ We've been working hard through the private preview period, and we've heard your - Product health can be queried with JAMF or the command line. - Admins can set their cloud preference for any location, not just for those in the US. -## Prerequisites +## Installing and configuring + +There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. +In general you'll need to take the following steps: + +- Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal +- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: + - [Microsoft Intune-based deployment](separate-page-url) + - [JAMF-based deployment](seperate-page-url) + - [Manual deployment](seperate-page-url) + +### Prerequisites You should have beginner-level experience in macOS and BASH scripting. You must have administrative privileges on the machine. @@ -71,424 +82,9 @@ To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/ap We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS. -## Installation and configuration overview -There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. -In general you'll need to take the following steps: -- Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal -- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: - - [Microsoft Intune based deployment](#microsoft-intune-based-deployment) - - [JAMF based deployment](#jamf-based-deployment) - - [Manual deployment](#manual-deployment) -## Microsoft Intune based deployment - -### Download installation and onboarding packages - -Download the installation and onboarding packages from Windows Defender Security Center: - -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. -5. Download IntuneAppUtil from [https://docs.microsoft.com/en-us/intune/lob-apps-macos](https://docs.microsoft.com/en-us/intune/lob-apps-macos). - - ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) - -6. From a command prompt, verify that you have the three files. - Extract the contents of the .zip files: - - ```bash - mavel-macmini:Downloads test$ ls -l - total 721688 - -rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil - -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators - inflating: intune/kext.xml - inflating: intune/WindowsDefenderATPOnboarding.xml - inflating: jamf/WindowsDefenderATPOnboarding.plist - mavel-macmini:Downloads test$ - ``` - -7. Make IntuneAppUtil an executable: - - ```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil``` - -8. Create the wdav.pkg.intunemac package from wdav.pkg: - - ```bash - mavel-macmini:Downloads test$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0" - Microsoft Intune Application Utility for Mac OS X - Version: 1.0.0.0 - Copyright 2018 Microsoft Corporation - - Creating intunemac file for /Users/test/Downloads/wdav.pkg - Composing the intunemac file output - Output written to ./wdav.pkg.intunemac. - - IntuneAppUtil successfully processed "wdav.pkg", - to deploy refer to the product documentation. - ``` - -### Client Machine Setup - -You need no special provisioning for a Mac machine beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp). - -1. You'll be asked to confirm device management. - -![Confirm device management screenshot](images/MDATP_3_ConfirmDeviceMgmt.png) - -Select Open System Preferences, locate Management Profile on the list and select the **Approve...** button. Your Management Profile would be displayed as **Verified**: - -![Management profile screenshot](images/MDATP_4_ManagementProfile.png) - -2. Select the **Continue** button and complete the enrollment. - -You can enroll additional machines. Optionally, you can do it later, after system configuration and application package are provisioned. - -3. In Intune, open the **Manage > Devices > All devices** blade. You'll see your machine: - -![Add Devices screenshot](images/MDATP_5_allDevices.png) - -### Create System Configuration profiles - -1. In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**. -2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**. -3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above. -4. Select **OK**. - - ![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png) - -5. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. -6. Repeat these steps with the second profile. -7. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file. -8. Select **Manage > Assignments**. In the Include tab, select **Assign to All Users & All devices**. - -After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade: - -![System configuration profiles screenshot](images/MDATP_7_DeviceStatusBlade.png) - -### Publish application - -1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**. -2. Select **App type=Other/Line-of-business app**. -3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. -4. Select **Configure** and add the required information. -5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value. - - ![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png) - -6. Select **OK** and **Add**. - - ![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png) - -7. It will take a while to upload the package. After it's done, select the name and then go to **Assignments** and **Add group**. - - ![Client apps screenshot](images/MDATP_10_ClientApps.png) - -8. Change **Assignment type=Required**. -9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. - - ![Intune assignments info screenshot](images/MDATP_11_Assignments.png) - -10. After some time the application will be published to all enrolled machines. You'll see it on the **Monitor > Device** install status blade: - - ![Intune device status screenshot](images/MDATP_12_DeviceInstall.png) - -### Verify client machine state - -1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**. - - ![System Preferences screenshot](images/MDATP_13_SystemPreferences.png) - ![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png) - -2. Verify the three profiles listed there: - ![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png) - -3. The **Management Profile** should be the Intune system profile. -4. wdav-config and wdav-kext are system configuration profiles that we added in Intune. -5. You should also see the Microsoft Defender icon in the top-right corner: - - ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) - -## JAMF based deployment - -### Prerequsites - -You need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes a properly configured distribution point. JAMF has many alternative ways to complete the same task. These instructions provide you an example for most common processes. Your organization might use a different workflow. - -### Download installation and onboarding packages - -Download the installation and onboarding packages from Windows Defender Security Center: - -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. - - ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) - -5. From a command prompt, verify that you have the two files. - Extract the contents of the .zip files: - - ```bash - mavel-macmini:Downloads test$ ls -l - total 721160 - -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators - inflating: intune/kext.xml - inflating: intune/WindowsDefenderATPOnboarding.xml - inflating: jamf/WindowsDefenderATPOnboarding.plist - mavel-macmini:Downloads test$ - ``` - -### Create JAMF Policies - -You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client machines. - -#### Configuration Profile - -The configuration profile contains one custom settings payload that includes: - -- Microsoft Defender ATP for Mac onboarding information -- Approved Kernel Extensions payload to enable the Microsoft kernel driver to run - -1. Upload jamf/WindowsDefenderATPOnboarding.plist as the Property List File. - - >[!NOTE] - > You must use exactly "com.microsoft.wdav.atp" as the Preference Domain. - - ![Configuration profile screenshot](images/MDATP_16_PreferenceDomain.png) - -#### Approved Kernel Extension - -To approve the kernel extension: - -1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. -2. Use **UBF8T346G9** for Team Id. - -![Approved kernel extensions screenshot](images/MDATP_17_approvedKernelExtensions.png) - -#### Configuration Profile's Scope - -Configure the appropriate scope to specify the machines that will receive this configuration profile. - -Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers. - -![Configuration profile scope screenshot](images/MDATP_18_ConfigurationProfilesScope.png) - -Save the **Configuration Profile**. - -Use the **Logs** tab to monitor deployment status for each enrolled machine. - -#### Package - -1. Create a package in **Settings > Computer Management > Packages**. - - ![Computer management packages screenshot](images/MDATP_19_MicrosoftDefenderWDAVPKG.png) - -2. Upload wdav.pkg to the Distribution Point. -3. In the **filename** field, enter the name of the package. For example, wdav.pkg. - -#### Policy - -Your policy should contain a single package for Microsoft Defender. - -![Microsoft Defender packages screenshot](images/MDATP_20_MicrosoftDefenderPackages.png) - -Configure the appropriate scope to specify the computers that will receive this policy. - -After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled machine. - -### Client machine setup - -You need no special provisioning for a macOS computer beyond the standard JAMF Enrollment. - -> [!NOTE] -> After a computer is enrolled, it will show up in the Computers inventory (All Computers). - -1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. - -![MDM approve button screenshot](images/MDATP_21_MDMProfile1.png) -![MDM screenshot](images/MDATP_22_MDMProfileApproved.png) - -After some time, the machine's User Approved MDM status will change to Yes. - -![MDM status screenshot](images/MDATP_23_MDMStatus.png) - -You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned. - -### Deployment - -Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected. - -#### Status on server - -You can monitor the deployment status in the Logs tab: - -- **Pending** means that the deployment is scheduled but has not yet happened -- **Completed** means that the deployment succeeded and is no longer scheduled - -![Status on server screenshot](images/MDATP_24_StatusOnServer.png) - -#### Status on client machine - -After the Configuration Profile is deployed, you'll see the profile on the machine in the **System Preferences > Profiles >** Name of Configuration Profile. - -![Status on client screenshot](images/MDATP_25_StatusOnClient.png) - -After the policy is applied, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. - -![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) - -You can monitor policy installation on a machine by following the JAMF's log file: - -```bash -mavel-mojave:~ testuser$ tail -f /var/log/jamf.log -Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. -Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... -Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV -Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender... -Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender. -Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches... -Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. -``` - -You can also check the onboarding status: - -```bash -mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py -uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 -orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 -orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 -orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 -``` - -- **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set. - -- **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed. - -### Check onboarding status - -You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: - -```bash -sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' -``` - -This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. - -## Manual deployment - -### Download installation and onboarding packages - -Download the installation and onboarding packages from Windows Defender Security Center: - -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. - - ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) - -5. From a command prompt, verify that you have the two files. - Extract the contents of the .zip files: - - ```bash - mavel-macmini:Downloads test$ ls -l - total 721152 - -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - inflating: WindowsDefenderATPOnboarding.py - ``` - -### Application installation - -To complete this process, you must have admin privileges on the machine. - -1. Navigate to the downloaded wdav.pkg in Finder and open it. - - ![App install screenshot](images/MDATP_28_AppInstall.png) - -2. Select **Continue**, agree with the License terms, and enter the password when prompted. - - ![App install screenshot](images/MDATP_29_AppInstallLogin.png) - - > [!IMPORTANT] - > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. - - ![App install screenshot](images/MDATP_30_SystemExtension.png) - -3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: - - ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png) - -The installation will proceed. - -> [!NOTE] -> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time. - -### Client configuration - -1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. - - The client machine is not associated with orgId. Note that the orgid is blank. - - ```bash - mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py - uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 - orgid : - ``` - -2. Install the configuration file on a client machine: - - ```bash - mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py - Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) - ``` - -3. Verify that the machine is now associated with orgId: - - ```bash - mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py - uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 - orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8 - ``` - -After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. - - ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) - -## Configuring with the command line - -Controlling product settings, triggering on-demand scans, and several other important tasks can be done from the command line with the following commands: - -|Group |Scenario |Command | -|-------------|-------------------------------------------|-----------------------------------------------------------------------| -|Configuration|Turn on/off real-time protection |`mdatp config --rtp [true/false]` | -|Configuration|Turn on/off cloud protection |`mdatp config --cloud [true/false]` | -|Configuration|Turn on/off product diagnostics |`mdatp config --diagnostic [true/false]` | -|Configuration|Turn on/off automatic sample submission |`mdatp config --sample-submission [true/false]` | -|Configuration|Turn on PUA protection |`mdatp threat --type-handling --potentially_unwanted_application block`| -|Configuration|Turn off PUA protection |`mdatp threat --type-handling --potentially_unwanted_application off` | -|Configuration|Turn on audit mode for PUA protection |`mdatp threat --type-handling --potentially_unwanted_application audit`| -|Diagnostics |Change the log level |`mdatp log-level --[error/warning/info/verbose]` | -|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic` | -|Health |Check the product's health |`mdatp --health` | -|Protection |Scan a path |`mdatp scan --path [path]` | -|Protection |Do a quick scan |`mdatp scan --quick` | -|Protection |Do a full scan |`mdatp scan --full` | -|Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` | -|Protection |Request a definition update |`mdatp --signature-update` | ## What to expect in the ATP portal From 8b9f0da22d48315f1cddffdc025b92e2a8805288 Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 3 May 2019 17:17:28 -0400 Subject: [PATCH 224/492] moved what to expect from mdatp-mac to mdatp-mac resources --- .../microsoft-defender-atp-mac-resources.md | 19 +++++++++++++ .../microsoft-defender-atp-mac.md | 27 ++----------------- 2 files changed, 21 insertions(+), 25 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index 7f2b515f99..4de5bdb96c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -104,6 +104,25 @@ If you are running JAMF, your policy should contain a single script: Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. +## What to expect in the ATP portal + +- AV alerts: + - Severity + - Scan type + - Device information (hostname, machine identifier, tenant identifier, app version, and OS type) + - File information (name, path, size, and hash) + - Threat information (name, type, and state) +- Device information: + - Machine identifier + - Tenant identifier + - App version + - Hostname + - OS type + - OS version + - Computer model + - Processor architecture + - Whether the device is a virtual machine + ## Known issues - Not fully optimized for performance or disk space yet. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 3eb0b476e4..5132b03e9b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -37,7 +37,7 @@ We've been working hard through the private preview period, and we've heard your - Product health can be queried with JAMF or the command line. - Admins can set their cloud preference for any location, not just for those in the US. -## Installing and configuring +## Installing and configuring There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. In general you'll need to take the following steps: @@ -80,27 +80,4 @@ To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/ap ``` We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. -SIP is a built-in macOS security feature that prevents low-level tampering with the OS. - - - - - -## What to expect in the ATP portal - -- AV alerts: - - Severity - - Scan type - - Device information (hostname, machine identifier, tenant identifier, app version, and OS type) - - File information (name, path, size, and hash) - - Threat information (name, type, and state) -- Device information: - - Machine identifier - - Tenant identifier - - App version - - Hostname - - OS type - - OS version - - Computer model - - Processor architecture - - Whether the device is a virtual machine \ No newline at end of file +SIP is a built-in macOS security feature that prevents low-level tampering with the OS. \ No newline at end of file From 955791a7d49eadacb73925da42d610b25a837ad0 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 14:34:45 -0700 Subject: [PATCH 225/492] Update manage-windows-19H1-endpoints.md --- .../privacy/manage-windows-19H1-endpoints.md | 221 ++++++++---------- 1 file changed, 98 insertions(+), 123 deletions(-) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 8017f3a4eb..1bc006fe0b 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -44,137 +44,112 @@ We used the following methodology to derive these network endpoints: > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. -| Area | Protocol | Destination | -|----------------|----------|------------| -| explorer | HTTP | tile-service.weather.microsoft.com | - ## Windows 10 19H1 Enterprise connection endpoints - -| Area | Protocol | Destination | -|----------------|----------|------------| -|Apps|The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com -||The following endpoint is used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|tile-service.weather.microsoft.com -||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -||HTTPS|cdn.onenote.net/livetile/?Language=en-US -||The following endpoints are used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -||HTTPS|*.twimg.com* -||The following endpoint is used for Facebook updates. To turn off traffic for this endpoint, either uninstall Facebook or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -|||star-mini.c10r.facebook.com -||The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall Candy Crush Saga or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -||TLS v1.2|candycrushsoda.king.com -||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|evoke-windowsservices-tas.msedge.net -||The following endpoint is used for by the Microsoft Wallet app. To turn off traffic for this endpoint, either uninstall the Wallet app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -||HTTPS|wallet.microsoft.com -||The following endpoint is used by the Groove Music app for update HTTP handler status. If you turn off traffic for this endpoint, apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app. -||HTTPS|mediaredirect.microsoft.com -||The following endpoints are used when using the Whiteboard app. To turn off traffic for this endpoint disable the Microsoft Store. -|HTTPS|int.whiteboard.microsoft.com| -|||HTTPS|wbd.ms -|||HTTPS|whiteboard.microsoft.com +|Area|Description|Protocol|Destination| +|----------------|----------|----------|------------| +|Apps|The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com| +|||HTTP|tile-service.weather.microsoft.com +||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/livetile/?Language=en-US +||The following endpoints are used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|*.twimg.com*| +||The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall Candy Crush Saga or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|candycrushsoda.king.com| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|evoke-windowsservices-tas.msedge.net| +||The following endpoint is used for by the Microsoft Wallet app. To turn off traffic for this endpoint, either uninstall the Wallet app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|wallet.microsoft.com| +||The following endpoint is used by the Groove Music app for update HTTP handler status. If you turn off traffic for this endpoint, apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app.|HTTPS|mediaredirect.microsoft.com| +||The following endpoints are used when using the Whiteboard app. To turn off traffic for this endpoint disable the Microsoft Store.|HTTPS|int.whiteboard.microsoft.com| +|||HTTPS|wbd.ms| +|||HTTPS|whiteboard.microsoft.com| |||HTTP / HTTPS|whiteboard.ms| -|Azure |The following endpoints are related to Azure. |HTTPS|wd-prod-*fe*.cloudapp.azure.com -|| |HTTPS|ris-prod-atm.trafficmanager.net -|| |HTTPS|validation-v2.sls.trafficmanager.net -|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible turn off traffic to this endpoint, but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses.| -|Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.|HTTP|ctldl.windowsupdate.com -|Cortana and Search|The following endpoint is used to get images that are used for Microsoft Store suggestions. If you turn off traffic for this endpoint, you will block images that are used for Microsoft Store suggestions. -||HTTPS|store-images.*microsoft.com -|Cortana and Search2|The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|HTTPS|www.bing.com/client -|| |HTTPS|www.bing.com -|||HTTPS|www.bing.com/proactive -|||HTTPS|www.bing.com/threshold/xls.aspx -|||HTTP|exo-ring.msedge.net -|||HTTP|fp.msedge.net -|||HTTP|fp-vp.azureedge.net -|||HTTP|odinvzc.azureedge.net -|||HTTP|spo-ring.msedge.net -|Device authentication -||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com* -||The following endpoints are used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.|HTTP|dmd.metaservices.microsoft.com -|Diagnostic Data -||The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|HTTP|v10.events.data.microsoft.com -|||HTTPS|v10.vortex-win.data.microsoft.com/collect/v1 -|||HTTP|www.microsoft.com -||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|HTTPS|co4.telecommand.telemetry.microsoft.com -|| |HTTP|cs11.wpc.v0cdn.net -|| |HTTPS|cs1137.wpc.gammacdn.net -|||TLS v1.2|modern.watson.data.microsoft.com* -|||HTTPS|watson.telemetry.microsoft.com -|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work. -||HTTPS|*licensing.mp.microsoft.com* -|Location|The following endpoint is used for location data. If you turn off traffic for this endpoint, apps cannot use location data.|HTTPS|inference.location.live.net -|||HTTP|location-inference-westus.cloudapp.net -|Maps|The following endpoint is used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTPS|*g.akamaiedge.net -|| |HTTP|*maps.windows.com* -|Microsoft account|The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. -||HTTP|login.msa.akadns6.net| -|||HTTP|us.configsvc1.live.com.akadns.net -|Microsoft Edge| This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com -|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. -|If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTPS|go.microsoft.com -|Microsoft Store|The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|HTTPS|*.wns.windows.com -||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. -||HTTP|storecatalogrevocation.storequality.microsoft.com -||The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com* -|||HTTPS|store-images.microsoft.com -||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. -||TLS v1.2|*.md.mp.microsoft.com* -|||HTTPS|*displaycatalog.mp.microsoft.com -|||HTTP \ HTTPS|pti.store.microsoft.com -|||HTTP|storeedgefd.dsx.mp.microsoft.com -|| |HTTP|markets.books.microsoft.com -|| |HTTP |share.microsoft.com -|Network Connection Status Indicator (NCSI) -||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTP|www.msftconnecttest.com*|Office -||Online. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.|HTTP|*.c-msedge.net -|||HTTPS|*.e-msedge.net -|||HTTPS|*.s-msedge.net -|||HTTPS|nexusrules.officeapps.live.com -|||HTTPS|ocos-office365-s2s.msedge.net -|||HTTPS|officeclient.microsoft.com -|||HTTPS|outlook.office365.com -|||HTTPS|client-office365-tas.msedge.net -|| |HTTPS|www.office.com -|| |HTTPS|onecollector.cloudapp.aria -|| |HTTP|v10.events.data.microsoft.com/onecollector/1.0/ -|| |HTTPS|self.events.data.microsoft.com -||The following endpoint is used to connect the Office To-Do app to its cloud service. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. -|HTTPS|to-do.microsoft.com -|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.|HTTP \ HTTPS|g.live.com/1rewlive5skydrive/* -|| |HTTP|msagfx.live.com -|||HTTPS -||oneclient.sfx.ms -|Settings -||The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||cy2.settings.data.microsoft.com.akadns.net -|||HTTPS|settings.data.microsoft.com -|||HTTPS|settings-win.data.microsoft.com -|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|browser.pipe.aria.microsoft.com -|||HTTP|config.edge.skype.com -|| |HTTP|s2s.config.skype.com -|||HTTPS|skypeecs-prod-usw-0-b.cloudapp.net -|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.|HTTPS|wdcp.microsoft.com +|Azure |The following endpoints are related to Azure. |HTTPS|wd-prod-*fe*.cloudapp.azure.com| +|||HTTPS|ris-prod-atm.trafficmanager.net| +|||HTTPS|validation-v2.sls.trafficmanager.net| +|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible turn off traffic to this endpoint, but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.|HTTP|ctldl.windowsupdate.com| +|Cortana and Search|The following endpoint is used to get images that are used for Microsoft Store suggestions. If you turn off traffic for this endpoint, you will block images that are used for Microsoft Store suggestions. |HTTPS|store-images.*microsoft.com| +||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|HTTPS|www.bing.com/client| +|||HTTPS|www.bing.com| +|||HTTPS|www.bing.com/proactive| +|||HTTPS|www.bing.com/threshold/xls.aspx| +|||HTTP|exo-ring.msedge.net| +|||HTTP|fp.msedge.net| +|||HTTP|fp-vp.azureedge.net| +|||HTTP|odinvzc.azureedge.net| +|||HTTP|spo-ring.msedge.net| +|Device authentication| +||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*| +||The following endpoints are used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.|HTTP|dmd.metaservices.microsoft.com| +|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|HTTP|v10.events.data.microsoft.com| +|||HTTPS|v10.vortex-win.data.microsoft.com/collect/v1| +|||HTTP|www.microsoft.com| +||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|HTTPS|co4.telecommand.telemetry.microsoft.com| +|||HTTP|cs11.wpc.v0cdn.net| +|||HTTPS|cs1137.wpc.gammacdn.net| +|||TLS v1.2|modern.watson.data.microsoft.com*| +|||HTTPS|watson.telemetry.microsoft.com| +|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.|HTTPS|*licensing.mp.microsoft.com*| +|Location|The following endpoint is used for location data. If you turn off traffic for this endpoint, apps cannot use location data.|HTTPS|inference.location.live.net| +|||HTTP|location-inference-westus.cloudapp.net| +|Maps|The following endpoint is used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTPS|*g.akamaiedge.net| +|||HTTP|*maps.windows.com*| +|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |HTTP|login.msa.akadns6.net| +|||HTTP|us.configsvc1.live.com.akadns.net| +|Microsoft Edge|This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com| +|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTPS|go.microsoft.com| +|Microsoft Store|The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|HTTPS|*.wns.windows.com| +||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTP|storecatalogrevocation.storequality.microsoft.com| +||The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com*|HTTPS|store-images.microsoft.com| +||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|TLS v1.2|*.md.mp.microsoft.com*| +|||HTTPS|*displaycatalog.mp.microsoft.com| +|||HTTP \ HTTPS|pti.store.microsoft.com| +|||HTTP|storeedgefd.dsx.mp.microsoft.com| +|| |HTTP|markets.books.microsoft.com| +|| |HTTP |share.microsoft.com| +|Network Connection Status Indicator (NCSI)| +||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTP|www.msftconnecttest.com*| +Office|Online. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.|HTTP|*.c-msedge.net| +|||HTTPS|*.e-msedge.net| +|||HTTPS|*.s-msedge.net| +|||HTTPS|nexusrules.officeapps.live.com| +|||HTTPS|ocos-office365-s2s.msedge.net| +|||HTTPS|officeclient.microsoft.com| +|||HTTPS|outlook.office365.com| +|||HTTPS|client-office365-tas.msedge.net| +|||HTTPS|www.office.com| +|||HTTPS|onecollector.cloudapp.aria| +|||HTTP|v10.events.data.microsoft.com/onecollector/1.0/| +|||HTTPS|self.events.data.microsoft.com| +||The following endpoint is used to connect the Office To-Do app to its cloud service. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store.|HTTPS|to-do.microsoft.com +|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.|HTTP \ HTTPS|g.live.com/1rewlive5skydrive/*| +|||HTTP|msagfx.live.com| +|||HTTPS|oneclient.sfx.ms| +|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.|HTTPS|cy2.settings.data.microsoft.com.akadns.net| +|||HTTPS|settings.data.microsoft.com| +|||HTTPS|settings-win.data.microsoft.com| +|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|browser.pipe.aria.microsoft.com| +|||HTTP|config.edge.skype.com| +|||HTTP|s2s.config.skype.com| +|||HTTPS|skypeecs-prod-usw-0-b.cloudapp.net| +|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.|HTTPS|wdcp.microsoft.com| |||HTTPS|definitionupdates.microsoft.com| -|||HTTPS|go.microsoft.com -||The following endpoints are used for Windows Defender Smartscreen reporting and notifications. If you turn off traffic for these endpoints, Smartscreen notifications will not appear.|HTTPS|*smartscreen.microsoft.com +|||HTTPS|go.microsoft.com| +||The following endpoints are used for Windows Defender Smartscreen reporting and notifications. If you turn off traffic for these endpoints, Smartscreen notifications will not appear.|HTTPS|*smartscreen.microsoft.com| |||HTTPS|smartscreen-sn3p.smartscreen.microsoft.com| -|||HTTPS|unitedstates.smartscreen-prod.microsoft.com -|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight. -|TLS v1.2|*.search.msn.com -|||HTTPS|arc.msn.com -|||HTTPS|g.msn.com* -|||HTTPS|query.prod.cms.rt.microsoft.com -|||HTTPS|ris.api.iris.microsoft.com -|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.|HTTPS|*.prod.do.dsp.mp.microsoft.com -|| |HTTP|cs9.wac.phicdn.net -|| |HTTP|emdl.ws.microsoft.com -||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com -|||HTTP|*.windowsupdate.com* -||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.|HTTPS|*.delivery.mp.microsoft.com -|||HTTPS|*.update.microsoft.com +|||HTTPS|unitedstates.smartscreen-prod.microsoft.com| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.|TLS v1.2|*.search.msn.com| +|||HTTPS|arc.msn.com| +|||HTTPS|g.msn.com*| +|||HTTPS|query.prod.cms.rt.microsoft.com| +|||HTTPS|ris.api.iris.microsoft.com| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.|HTTPS|*.prod.do.dsp.mp.microsoft.com| +|||HTTP|cs9.wac.phicdn.net| +|||HTTP|emdl.ws.microsoft.com| +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com| +|||HTTP|*.windowsupdate.com*| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.|HTTPS|*.delivery.mp.microsoft.com| +|||HTTPS|*.update.microsoft.com| ||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly|HTTPS|tsfe.trafficshaping.dsp.mp.microsoft.com| + ## Other Windows 10 editions To view endpoints for other versions of Windows 10 Enterprise, see: From c393427dfa4550a6b03b458b1f144bbc9872f01a Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 14:37:06 -0700 Subject: [PATCH 226/492] Update manage-windows-19H1-endpoints.md --- windows/privacy/manage-windows-19H1-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 1bc006fe0b..fb5b96a836 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -139,7 +139,7 @@ Office|Online. For more info, see Office 365 URLs and IP address ranges. You can |||HTTPS|g.msn.com*| |||HTTPS|query.prod.cms.rt.microsoft.com| |||HTTPS|ris.api.iris.microsoft.com| -|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.|HTTPS|*.prod.do.dsp.mp.microsoft.com| +|Windows Update|The following endpoints are used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.|HTTPS|*.prod.do.dsp.mp.microsoft.com| |||HTTP|cs9.wac.phicdn.net| |||HTTP|emdl.ws.microsoft.com| ||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com| From bb3e6d988c6d6798f707c70ba024e20c8683d1ac Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 14:43:56 -0700 Subject: [PATCH 227/492] Update manage-windows-19H1-endpoints.md --- .../privacy/manage-windows-19H1-endpoints.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index fb5b96a836..31c2253611 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -76,7 +76,7 @@ We used the following methodology to derive these network endpoints: |||HTTP|spo-ring.msedge.net| |Device authentication| ||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*| -||The following endpoints are used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.|HTTP|dmd.metaservices.microsoft.com| +||The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.|HTTP|dmd.metaservices.microsoft.com| |Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|HTTP|v10.events.data.microsoft.com| |||HTTPS|v10.vortex-win.data.microsoft.com/collect/v1| |||HTTP|www.microsoft.com| @@ -88,7 +88,7 @@ We used the following methodology to derive these network endpoints: |Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.|HTTPS|*licensing.mp.microsoft.com*| |Location|The following endpoint is used for location data. If you turn off traffic for this endpoint, apps cannot use location data.|HTTPS|inference.location.live.net| |||HTTP|location-inference-westus.cloudapp.net| -|Maps|The following endpoint is used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTPS|*g.akamaiedge.net| +|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTPS|*g.akamaiedge.net| |||HTTP|*maps.windows.com*| |Microsoft Account|The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |HTTP|login.msa.akadns6.net| |||HTTP|us.configsvc1.live.com.akadns.net| @@ -96,16 +96,16 @@ We used the following methodology to derive these network endpoints: |Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTPS|go.microsoft.com| |Microsoft Store|The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|HTTPS|*.wns.windows.com| ||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTP|storecatalogrevocation.storequality.microsoft.com| -||The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com*|HTTPS|store-images.microsoft.com| +||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com*|HTTPS|store-images.microsoft.com| ||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|TLS v1.2|*.md.mp.microsoft.com*| |||HTTPS|*displaycatalog.mp.microsoft.com| |||HTTP \ HTTPS|pti.store.microsoft.com| |||HTTP|storeedgefd.dsx.mp.microsoft.com| -|| |HTTP|markets.books.microsoft.com| -|| |HTTP |share.microsoft.com| +|||HTTP|markets.books.microsoft.com| +|||HTTP |share.microsoft.com| |Network Connection Status Indicator (NCSI)| ||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTP|www.msftconnecttest.com*| -Office|Online. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.|HTTP|*.c-msedge.net| +Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.|HTTP|*.c-msedge.net| |||HTTPS|*.e-msedge.net| |||HTTPS|*.s-msedge.net| |||HTTPS|nexusrules.officeapps.live.com| @@ -139,14 +139,15 @@ Office|Online. For more info, see Office 365 URLs and IP address ranges. You can |||HTTPS|g.msn.com*| |||HTTPS|query.prod.cms.rt.microsoft.com| |||HTTPS|ris.api.iris.microsoft.com| -|Windows Update|The following endpoints are used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.|HTTPS|*.prod.do.dsp.mp.microsoft.com| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.|HTTPS|*.prod.do.dsp.mp.microsoft.com| |||HTTP|cs9.wac.phicdn.net| |||HTTP|emdl.ws.microsoft.com| ||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com| |||HTTP|*.windowsupdate.com*| ||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.|HTTPS|*.delivery.mp.microsoft.com| |||HTTPS|*.update.microsoft.com| -||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly|HTTPS|tsfe.trafficshaping.dsp.mp.microsoft.com| +||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly.|HTTPS|tsfe.trafficshaping.dsp.mp.microsoft.com| + From ddf0bd016b7174f81cead24b4fb591778ac0ce86 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 14:44:53 -0700 Subject: [PATCH 228/492] Update manage-windows-19H1-endpoints.md --- windows/privacy/manage-windows-19H1-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 31c2253611..6b9ec17db4 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -51,7 +51,7 @@ We used the following methodology to derive these network endpoints: |Apps|The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com| |||HTTP|tile-service.weather.microsoft.com ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/livetile/?Language=en-US -||The following endpoints are used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|*.twimg.com*| +||The following endpoint is used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|*.twimg.com*| ||The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall Candy Crush Saga or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|candycrushsoda.king.com| ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|evoke-windowsservices-tas.msedge.net| ||The following endpoint is used for by the Microsoft Wallet app. To turn off traffic for this endpoint, either uninstall the Wallet app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|wallet.microsoft.com| From 6cb4a435aaea4c3712b6abd8d236abdd228e2bc6 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 14:47:18 -0700 Subject: [PATCH 229/492] Update manage-windows-19H1-endpoints.md --- windows/privacy/manage-windows-19H1-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-19H1-endpoints.md index 6b9ec17db4..b213bc094d 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-19H1-endpoints.md @@ -86,7 +86,7 @@ We used the following methodology to derive these network endpoints: |||TLS v1.2|modern.watson.data.microsoft.com*| |||HTTPS|watson.telemetry.microsoft.com| |Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.|HTTPS|*licensing.mp.microsoft.com*| -|Location|The following endpoint is used for location data. If you turn off traffic for this endpoint, apps cannot use location data.|HTTPS|inference.location.live.net| +|Location|The following endpoints are used for location data. If you turn off traffic for this endpoint, apps cannot use location data.|HTTPS|inference.location.live.net| |||HTTP|location-inference-westus.cloudapp.net| |Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTPS|*g.akamaiedge.net| |||HTTP|*maps.windows.com*| From a2f4e5a593d9b703c7346db701bed920ad5dc240 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 16:27:43 -0700 Subject: [PATCH 230/492] Update and rename manage-windows-19H1-endpoints.md to manage-windows-1903-endpoints.md --- ...19H1-endpoints.md => manage-windows-1903-endpoints.md} | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) rename windows/privacy/{manage-windows-19H1-endpoints.md => manage-windows-1903-endpoints.md} (98%) diff --git a/windows/privacy/manage-windows-19H1-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md similarity index 98% rename from windows/privacy/manage-windows-19H1-endpoints.md rename to windows/privacy/manage-windows-1903-endpoints.md index b213bc094d..6378fa5507 100644 --- a/windows/privacy/manage-windows-19H1-endpoints.md +++ b/windows/privacy/manage-windows-1903-endpoints.md @@ -1,5 +1,5 @@ --- -title: Connection endpoints for Windows 10, version 19H1 +title: Connection endpoints for Windows 10, version 1903 description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 ms.prod: w10 @@ -14,11 +14,11 @@ ms.collection: M365-security-compliance ms.topic: article ms.date: 5/3/2019 --- -# Manage connection endpoints for Windows 10, version 19H1 +# Manage connection endpoints for Windows 10, version 1903 **Applies to** -- Windows 10, version 19H1 +- Windows 10, version 1903 Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: @@ -44,7 +44,7 @@ We used the following methodology to derive these network endpoints: > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. -## Windows 10 19H1 Enterprise connection endpoints +## Windows 10 1903 Enterprise connection endpoints |Area|Description|Protocol|Destination| |----------------|----------|----------|------------| From 16447d2b9dac76aed5074d143d5c2203c1702374 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 16:29:08 -0700 Subject: [PATCH 231/492] Update manage-windows-1903-endpoints.md --- windows/privacy/manage-windows-1903-endpoints.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md index 6378fa5507..c1ded7a689 100644 --- a/windows/privacy/manage-windows-1903-endpoints.md +++ b/windows/privacy/manage-windows-1903-endpoints.md @@ -154,6 +154,7 @@ Office|The following endpoints are used to connect to the Office 365 portal's sh ## Other Windows 10 editions To view endpoints for other versions of Windows 10 Enterprise, see: +- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) - [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) - [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) From c59973a405c7fca8cc68bcf2428ce0549fe918aa Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 3 May 2019 22:09:38 -0700 Subject: [PATCH 232/492] Update manage-windows-1903-endpoints.md --- windows/privacy/manage-windows-1903-endpoints.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md index c1ded7a689..f73b24241a 100644 --- a/windows/privacy/manage-windows-1903-endpoints.md +++ b/windows/privacy/manage-windows-1903-endpoints.md @@ -149,8 +149,6 @@ Office|The following endpoints are used to connect to the Office 365 portal's sh ||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly.|HTTPS|tsfe.trafficshaping.dsp.mp.microsoft.com| - - ## Other Windows 10 editions To view endpoints for other versions of Windows 10 Enterprise, see: From 79cc2eea39f66affaf700d8efa707b82b5d8eff7 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sat, 4 May 2019 17:21:18 +0500 Subject: [PATCH 233/492] update start-layout-troubleshoot.md --- windows/configuration/start-layout-troubleshoot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md index c29f399bba..bab10f57b6 100644 --- a/windows/configuration/start-layout-troubleshoot.md +++ b/windows/configuration/start-layout-troubleshoot.md @@ -280,7 +280,7 @@ Additionally, users may see blank tiles if logon was attempted without network c ### Symptom: Start Menu issues with Tile Data Layer corruption -**Cause**: Windows 10, version 1507 through the release of version 1607 uses a database for the Tile image information. This is called the Tile Data Layer database. +**Cause**: Windows 10, version 1507 through the release of version 1607 uses a database for the Tile image information. This is called the Tile Data Layer database (The feature was deprecated in [Windows 10 1703](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update)). **Resolution** There are steps you can take to fix the icons, first is to confirm that is the issue that needs to be addressed. From d021bb36b9833a9a9fc59259cbf5a43ce385b958 Mon Sep 17 00:00:00 2001 From: illfated Date: Sun, 5 May 2019 22:13:12 +0200 Subject: [PATCH 234/492] Delivery Optimization settings: copy-paste error The description content of this line has inadvertently been copy-pasted from the next line and therefore contains a wrong keyword: background Correction: background -> foreground Updates issue ticket #3416 (**Cut and paste error in the article**) --- .../deployment/update/waas-delivery-optimization-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index 582639b74e..57bdd0311c 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -79,7 +79,7 @@ Additional options available that control the impact Delivery Optimization has o - [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage. - [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers each month. - [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This is achieved by adjusting the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network. -- [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. +- [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. - [Maximum Background Download Bandwidth](#maximum-background-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. - [Set Business Hours to Limit Background Download Bandwidth](#set-business-hours-to-limit-background-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. - [Set Business Hours to Limit Foreground Download Bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. From 021a00f05bc8004caa3637638f9f082abec460e5 Mon Sep 17 00:00:00 2001 From: illfated Date: Sun, 5 May 2019 23:23:24 +0200 Subject: [PATCH 235/492] Reboot CSP: sentence end closing HTML tag restored Excerpt from the docs.microsoft.com page before restoring the HTML tag: > The supported operations are Execute and Get. **Schedule** Ref. closed issue ticket #3471 (**How to set null**) --- windows/client-management/mdm/reboot-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index 77dea602cf..f5d0d53a0f 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md @@ -30,7 +30,7 @@ The following diagram shows the Reboot configuration service provider management > [!Note]   > If this node is set to execute during a sync session, the device will reboot at the end of the sync session. -

The supported operations are Execute and Get. +

The supported operations are Execute and Get.

**Schedule**

The supported operation is Get.

From a37a05a2f0c48d518a7e5708b3f4f798f823b1b0 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Mon, 6 May 2019 12:21:36 +0300 Subject: [PATCH 236/492] updated info about NDES server name https://github.com/MicrosoftDocs/windows-itpro-docs/issues/2450 --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index b571ee817f..a5d222346e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -425,7 +425,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 3. Under **MANAGE**, click **Application proxy**. 4. Click **Configure an app**. 5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**. Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server. Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL. -6. Next to **Internal Url**, type the internal fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). This must match the internal DNS name of the NDES server and ensure you prefix the Url with **https**. +6. Next to **Internal Url**, type the internal fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). This must match the primary hostname (AD Computer Account name) of the NDES server and ensure you prefix the Url with **https**. 7. Under **Internal Url**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net). ![Azure NDES Application Proxy Configuration](images/aadjcert/azureconsole-appproxyconfig.png) 8. Select **Passthrough** from the **Pre Authentication** list. From 621e845fe599d4e1b7f4f94be41ac938c7328a46 Mon Sep 17 00:00:00 2001 From: Malin De Silva Date: Mon, 6 May 2019 15:02:11 +0530 Subject: [PATCH 237/492] added skipping auto enrollment info --- windows/deployment/windows-autopilot/enrollment-status.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/deployment/windows-autopilot/enrollment-status.md b/windows/deployment/windows-autopilot/enrollment-status.md index d2e6471454..895cf49881 100644 --- a/windows/deployment/windows-autopilot/enrollment-status.md +++ b/windows/deployment/windows-autopilot/enrollment-status.md @@ -20,6 +20,8 @@ ms.topic: article The Windows Autopilot Enrollment Status page displaying the status of the complete device configuration process. Incorporating feedback from customers, this provides information to the user to show that the device is being set up and can be configured to prevent access to the desktop until the configuration is complete. ![Enrollment status page](images/enrollment-status-page.png) + +From Windows 10 version 1803 onwards, you can opt-out of the account setup phase. When it is skipped, the settings will be applied for the users when as they access their desktop for the first time. ## Available settings From 3d6346be58ff3183923271ae7c7646c34e539fda Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Mon, 6 May 2019 12:49:49 +0300 Subject: [PATCH 238/492] removed obsolete information https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3085 --- ...policy-csp-localpoliciessecurityoptions.md | 131 ------------------ 1 file changed, 131 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index b1594d5d38..dc9a2c4e0c 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -24,12 +24,6 @@ ms.date: 06/26/2018
LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
-
- LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus -
-
- LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus -
LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
@@ -255,131 +249,6 @@ The following list shows the supported values:
- -**LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus** - - -

Attack surface reduction
- - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This security setting determines whether the local Administrator account is enabled or disabled. - -If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. -Disabling the Administrator account can become a maintenance issue under certain circumstances. - -Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled. - -Default: Disabled. - -Value type is integer. Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP English name: *Accounts: Administrator account status* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -Valid values: -- 0 - local Administrator account is disabled -- 1 - local Administrator account is enabled - - - - -
- - -**LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This security setting determines if the Guest account is enabled or disabled. - -Default: Disabled. - -Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail. - -Value type is integer. Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP English name: *Accounts: Guest account status* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -Valid values: -- 0 - local Guest account is disabled -- 1 - local Guest account is enabled - - - - -
- **LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly** From 9873e82524118009a405dc1c5f523587aef8bcca Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 6 May 2019 14:56:41 +0500 Subject: [PATCH 239/492] update hello-cert-trust-deploy-mfa.md --- .../hello-for-business/hello-cert-trust-deploy-mfa.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md index afee1b6159..3c90a6c465 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md @@ -23,7 +23,7 @@ ms.date: 08/19/2018 - Certificate trust -On-premises deployments must use on-premises MFA Server that provides an AD FS Multifactor authentication adapter. It could be Azure Multi-Factor Authentication Server or third-party MFA solution. +On-premises deployments must use an on-premises MFA Server that provides an AD FS Multifactor authentication adapter. It can be an Azure Multi-Factor Authentication Server or a third-party MFA solution. >[!TIP] >Please make sure you've read [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) before proceeding any further. From 81c924a15f51467a0816b9b0e974c0af8087fceb Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 6 May 2019 15:38:54 +0500 Subject: [PATCH 240/492] update waas-restart.md --- windows/deployment/update/waas-restart.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md index 13c1dce96d..fb98782087 100644 --- a/windows/deployment/update/waas-restart.md +++ b/windows/deployment/update/waas-restart.md @@ -42,6 +42,9 @@ When **Configure Automatic Updates** is enabled in Group Policy, you can enable - **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours. - **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**. +>[!NOTE] +>In case of using Remote Desktop connection, only active RDP sessions are considered as logged on users. Devices, that do not have locally logged on users or active RDP sessions, will be restarted. + You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting. For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart). @@ -159,8 +162,9 @@ In the Group Policy editor, you will see a number of policy settings that pertai >[!NOTE] >You can only choose one path for restart behavior. -> >If you set conflicting restart policies, the actual restart behavior may not be what you expected. +>In case of using RDP, only active RDP sessions are considered as logged on users. + ## Registry keys used to manage restart The following tables list registry values that correspond to the Group Policy settings for controlling restarts after updates in Windows 10. From 4545c71e37eb683049c2c256523a5b425876fe22 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 6 May 2019 15:44:44 +0500 Subject: [PATCH 241/492] update waas-restart.md --- windows/deployment/update/waas-restart.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md index fb98782087..6d11b20ee9 100644 --- a/windows/deployment/update/waas-restart.md +++ b/windows/deployment/update/waas-restart.md @@ -43,7 +43,7 @@ When **Configure Automatic Updates** is enabled in Group Policy, you can enable - **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**. >[!NOTE] ->In case of using Remote Desktop connection, only active RDP sessions are considered as logged on users. Devices, that do not have locally logged on users or active RDP sessions, will be restarted. +>In case of using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices, that do not have locally logged on users or active RDP sessions, will be restarted. You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting. From 80b15d0cc524e910cb285465199a5b765e87f121 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 6 May 2019 17:34:28 +0500 Subject: [PATCH 242/492] update activate-using-active-directory-based-activation-client.md source: [KMS Activation for Windows Server 2016](https://blogs.technet.microsoft.com/askpfeplat/2016/10/24/kms-activation-for-windows-server-2016/) --- .../activate-using-active-directory-based-activation-client.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md index 03e0029f83..ddbabe01f8 100644 --- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md +++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md @@ -20,6 +20,7 @@ ms.topic: article - Windows 8 - Windows Server 2012 R2 - Windows Server 2012 +- Windows Server 2016 **Looking for retail activation?** - [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) From 0b8a2c84a141eee6516ae775782e75760e44de38 Mon Sep 17 00:00:00 2001 From: martyav Date: Mon, 6 May 2019 10:52:59 -0400 Subject: [PATCH 243/492] cross links within mdatp-mac pages --- ...osoft-defender-atp-mac-install-manually.md | 17 ++++++++++++++++- ...ft-defender-atp-mac-install-with-intune.md | 19 +++++++++++++++++-- ...soft-defender-atp-mac-install-with-jamf.md | 19 ++++++++++++++++--- .../microsoft-defender-atp-mac-resources.md | 13 +++++++++---- .../microsoft-defender-atp-mac.md | 12 ++++++++---- 5 files changed, 66 insertions(+), 14 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md index 4fbed04668..27b3a8f924 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -26,6 +26,13 @@ ms.topic: #conceptual >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. + +## Prerequisites and system requirements + +Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. + ## Download installation and onboarding packages Download the installation and onboarding packages from Windows Defender Security Center: @@ -127,4 +134,12 @@ Important tasks, such as controlling product settings and triggering on-demand s |Protection |Do a quick scan |`mdatp scan --quick` | |Protection |Do a full scan |`mdatp scan --full` | |Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` | -|Protection |Request a definition update |`mdatp --signature-update` | \ No newline at end of file +|Protection |Request a definition update |`mdatp --signature-update` | + +## Logging installation issues + +See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. + +## Uninstallation + +See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md index 5cd1e22a19..8af90fded1 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md @@ -22,10 +22,17 @@ ms.topic: #conceptual **Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) - + >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. + +## Prerequisites and system requirements + +Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. + ## Download installation and onboarding packages Download the installation and onboarding packages from Windows Defender Security Center: @@ -155,4 +162,12 @@ After Intune changes are propagated to the enrolled machines, you'll see it on t 4. wdav-config and wdav-kext are system configuration profiles that we added in Intune. 5. You should also see the Microsoft Defender icon in the top-right corner: - ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) \ No newline at end of file + ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +## Logging installation issues + +See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. + +## Uninstallation + +See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md index 82aaf8ffe2..8837b3bcc5 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md @@ -26,9 +26,14 @@ ms.topic: #conceptual >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -## Prerequsites +This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. -You need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes a properly configured distribution point. JAMF has many alternative ways to complete the same task. These instructions provide you an example for most common processes. Your organization might use a different workflow. +## Prerequisites and system requirements + +Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. + +In addition, for JAMF deployment, you need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes having a properly configured distribution point. JAMF has many ways to complete the same task. These instructions provide an example for most common processes. Your organization might use a different workflow. ## Download installation and onboarding packages @@ -192,4 +197,12 @@ You can check that machines are correctly onboarded by creating a script. For ex sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' ``` -This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. \ No newline at end of file +This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. + +## Logging installation issues + +See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. + +## Uninstallation + +See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index 4de5bdb96c..09a4dcceae 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: #conceptual --- -## Collecting diagnostic information +# Resources **Applies to:** @@ -26,6 +26,11 @@ ms.topic: #conceptual >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +This topic describes how to use, and details about, Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. + +## Collecting diagnostic information + If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. 1) Increase logging level: @@ -57,7 +62,7 @@ If you can reproduce a problem, please increase the logging level, run the syste Operation succeeded ``` -### Installation issues +## Logging installation issues If an error occurs during installation, the installer will only report a general failure. @@ -65,13 +70,13 @@ The detailed log will be saved to /Library/Logs/Microsoft/wdav.install.log. If y ## Uninstalling -There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available for JAMF, it is not yet available for Intune. +There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune. ### Within the GUI - Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. -### From the command line: +### From the command line - ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 5132b03e9b..af6205c2ca 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -44,9 +44,9 @@ In general you'll need to take the following steps: - Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal - Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: - - [Microsoft Intune-based deployment](separate-page-url) - - [JAMF-based deployment](seperate-page-url) - - [Manual deployment](seperate-page-url) + - [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune) + - [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf) + - [Manual deployment](microsoft-defender-atp-mac-install-manually) ### Prerequisites @@ -80,4 +80,8 @@ To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/ap ``` We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. -SIP is a built-in macOS security feature that prevents low-level tampering with the OS. \ No newline at end of file +SIP is a built-in macOS security feature that prevents low-level tampering with the OS. + +## Resources + +For further information on logging, uninstalling, the ATP portal, or known issues, see our [Resources](microsoft-defender-atp-mac-resources) page. \ No newline at end of file From 5dda164f30955b84fc13ffcbb76b2d072d58f6d9 Mon Sep 17 00:00:00 2001 From: cbelcher00 <32375431+cbelcher00@users.noreply.github.com> Date: Mon, 6 May 2019 12:36:24 -0500 Subject: [PATCH 244/492] Added Note to Auto-login section --- windows/configuration/kiosk-prepare.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index 436a96f0a8..79761a6c5d 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -57,6 +57,9 @@ Logs can help you [troubleshoot issues](multi-app-kiosk-troubleshoot.md) kiosk i In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can sign in the assigned access account manually or you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic sign in. +>[!NOTE] +>If you are using a Windows 10 and later device restriction CSP to set "Preferred Azure AD tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile. + >[!TIP] >If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML. From 42695d0f6c9c8160c0f7a2d5a0305d457a0d98a1 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 6 May 2019 23:34:21 +0500 Subject: [PATCH 245/492] update waas-restart.md --- windows/deployment/update/waas-restart.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md index 6d11b20ee9..e7e1866acc 100644 --- a/windows/deployment/update/waas-restart.md +++ b/windows/deployment/update/waas-restart.md @@ -42,8 +42,8 @@ When **Configure Automatic Updates** is enabled in Group Policy, you can enable - **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours. - **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**. ->[!NOTE] ->In case of using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices, that do not have locally logged on users or active RDP sessions, will be restarted. +> [!NOTE] +> When using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices, that do not have locally logged on users, or active RDP sessions, will be restarted. You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting. @@ -163,7 +163,7 @@ In the Group Policy editor, you will see a number of policy settings that pertai >[!NOTE] >You can only choose one path for restart behavior. >If you set conflicting restart policies, the actual restart behavior may not be what you expected. ->In case of using RDP, only active RDP sessions are considered as logged on users. +>When using RDP, only active RDP sessions are considered as logged on users. ## Registry keys used to manage restart From 3f848033697c90f18b6efc4065e5c5fc76126284 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 6 May 2019 23:36:43 +0500 Subject: [PATCH 246/492] update waas-restart.md --- windows/deployment/update/waas-restart.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md index e7e1866acc..ee8f3c4fde 100644 --- a/windows/deployment/update/waas-restart.md +++ b/windows/deployment/update/waas-restart.md @@ -43,7 +43,7 @@ When **Configure Automatic Updates** is enabled in Group Policy, you can enable - **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**. > [!NOTE] -> When using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices, that do not have locally logged on users, or active RDP sessions, will be restarted. +> When using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices that do not have locally logged on users, or active RDP sessions, will be restarted. You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting. From c45366c82056f6caecedabec9a79feb00dbab7e2 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Mon, 6 May 2019 11:43:34 -0700 Subject: [PATCH 247/492] Added 19H1 Power policies --- .../policy-configuration-service-provider.md | 60 ++ .../client-management/mdm/policy-csp-power.md | 975 +++++++++++++++++- 2 files changed, 1029 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index a27926a537..a565731cbb 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -2413,6 +2413,14 @@ The following diagram shows the Policy configuration service provider in tree fo
Power/DisplayOffTimeoutPluggedIn
+
+ Power/EnergySaverBatteryThresholdOnBattery +
+
+ Power/EnergySaverBatteryThresholdPluggedIn +
Power/HibernateTimeoutOnBattery
@@ -2425,12 +2433,52 @@ The following diagram shows the Policy configuration service provider in tree fo
Power/RequirePasswordWhenComputerWakesPluggedIn
+
+ Power/SelectLidCloseActionOnBattery +
+
+ Power/SelectLidCloseActionPluggedIn +
+
+ Power/SelectPowerButtonActionOnBattery +
+
+ Power/SelectPowerButtonActionPluggedIn +
+
+ Power/SelectSleepButtonActionOnBattery +
+
+ Power/SelectSleepButtonActionPluggedIn +
Power/StandbyTimeoutOnBattery
Power/StandbyTimeoutPluggedIn
+
+ Power/TurnOffHybridSleepOnBattery +
+
+ Power/TurnOffHybridSleepPluggedIn +
+
+ Power/UnattendedSleepTimeoutOnBattery +
+
+ Power/UnattendedSleepTimeoutPluggedIn +
### Printers policies @@ -4069,12 +4117,24 @@ The following diagram shows the Policy configuration service provider in tree fo - [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin) - [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) - [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) +- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#power-energysaverbatterythresholdonbattery) +- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#power-energysaverbatterythresholdpluggedin) - [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery) - [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin) - [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery) - [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin) +- [Power/SelectLidCloseActionOnBattery](./policy-csp-power.md#power-selectlidcloseactiononbattery) +- [Power/SelectLidCloseActionPluggedIn](./policy-csp-power.md#power-selectlidcloseactionpluggedin) +- [Power/SelectPowerButtonActionOnBattery](./policy-csp-power.md#power-selectpowerbuttonactiononbattery) +- [Power/SelectPowerButtonActionPluggedIn](./policy-csp-power.md#power-selectpowerbuttonactionpluggedin) +- [Power/SelectSleepButtonActionOnBattery](./policy-csp-power.md#power-selectsleepbuttonactiononbattery) +- [Power/SelectSleepButtonActionPluggedIn](./policy-csp-power.md#power-selectsleepbuttonactionpluggedin) - [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) - [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) +- [Power/TurnOffHybridSleepOnBattery](./policy-csp-power.md#power-turnoffhybridsleeponbattery) +- [Power/TurnOffHybridSleepPluggedIn](./policy-csp-power.md#power-turnoffhybridsleeppluggedin) +- [Power/UnattendedSleepTimeoutOnBattery](./policy-csp-power.md#power-unattendedsleeptimeoutonbattery) +- [Power/UnattendedSleepTimeoutPluggedIn](./policy-csp-power.md#power-unattendedsleeptimeoutpluggedin) - [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions) - [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user) - [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters) diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index 51f9efc4a5..376605a87a 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -6,12 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 04/16/2018 +ms.date: 05/03/2019 --- # Policy CSP - Power - +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
@@ -31,6 +32,12 @@ ms.date: 04/16/2018
Power/DisplayOffTimeoutPluggedIn
+
+ Power/EnergySaverBatteryThresholdOnBattery +
+
+ Power/EnergySaverBatteryThresholdPluggedIn +
Power/HibernateTimeoutOnBattery
@@ -43,12 +50,42 @@ ms.date: 04/16/2018
Power/RequirePasswordWhenComputerWakesPluggedIn
+
+ Power/SelectLidCloseActionOnBattery +
+
+ Power/SelectLidCloseActionPluggedIn +
+
+ Power/SelectPowerButtonActionOnBattery +
+
+ Power/SelectPowerButtonActionPluggedIn +
+
+ Power/SelectSleepButtonActionOnBattery +
+
+ Power/SelectSleepButtonActionPluggedIn +
Power/StandbyTimeoutOnBattery
Power/StandbyTimeoutPluggedIn
+
+ Power/TurnOffHybridSleepOnBattery +
+
+ Power/TurnOffHybridSleepPluggedIn +
+
+ Power/UnattendedSleepTimeoutOnBattery +
+
+ Power/UnattendedSleepTimeoutPluggedIn +
@@ -306,6 +343,153 @@ ADMX Info:
+ +**Power/EnergySaverBatteryThresholdOnBattery** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +Added in Windows 10, version 1903. This policy setting allows you to specify battery charge level at which Energy Saver is turned on. + +If you enable this policy setting, you must specify a percentage value that indicates the battery charge level. Energy Saver is automatically turned on at (and below) the specified battery charge level. + +If you disable or do not configure this policy setting, users control this setting. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Energy Saver Battery Threshold (on battery)* +- GP name: *EsBattThresholdDC* +- GP element: *EnterEsBattThreshold* +- GP path: *System/Power Management/Energy Saver Settings* +- GP ADMX file name: *power.admx* + + + +Supported values: 0-100. The default is 70. + + + + + + + + + +
+ + +**Power/EnergySaverBatteryThresholdPluggedIn** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. This policy setting allows you to specify battery charge level at which Energy Saver is turned on. + +If you enable this policy setting, you must provide a percentage value that indicates the battery charge level. Energy Saver is automatically turned on at (and below) the specified battery charge level. + +If you disable or do not configure this policy setting, users control this setting. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Energy Saver Battery Threshold (plugged in)* +- GP name: *EsBattThresholdAC* +- GP element: *EnterEsBattThreshold* +- GP path: *System/Power Management/Energy Saver Settings* +- GP ADMX file name: *power.admx* + + + +Supported values: 0-100. The default is 70. + + + + + + + + + +
+ **Power/HibernateTimeoutOnBattery** @@ -558,6 +742,480 @@ ADMX Info:
+ +**Power/SelectLidCloseActionOnBattery** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. + +If you enable this policy setting, you must select the desired action. + +If you disable this policy setting or do not configure it, users can see and change this setting. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Select the lid switch action (on battery)* +- GP name: *DCSystemLidAction_2* +- GP element: *SelectDCSystemLidAction* +- GP path: *System/Power Management/Button Settings* +- GP ADMX file name: *power.admx* + + + + +The following are the supported lid close switch actions (on battery): +- 0 - Take no action +- 1 - Sleep +- 2 - System hibernate sleep state +- 3 - System shutdown + + + + + + + + + + +
+ + +**Power/SelectLidCloseActionPluggedIn** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. + +If you enable this policy setting, you must select the desired action. + +If you disable this policy setting or do not configure it, users can see and change this setting. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Select the lid switch action (plugged in)* +- GP name: *ACSystemLidAction_2* +- GP element: *SelectACSystemLidAction* +- GP path: *System/Power Management/Button Settings* +- GP ADMX file name: *power.admx* + + + + +The following are the supported lid close switch actions (plugged in): +- 0 - Take no action +- 1 - Sleep +- 2 - System hibernate sleep state +- 3 - System shutdown + + + + + + + + + + +
+ + +**Power/SelectPowerButtonActionOnBattery** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user presses the Power button. + +If you enable this policy setting, you must select the desired action. + +If you disable this policy setting or do not configure it, users can see and change this setting. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Select the Power button action (on battery)* +- GP name: *DCPowerButtonAction_2* +- GP element: *SelectDCPowerButtonAction* +- GP path: *System/Power Management/Button Settings* +- GP ADMX file name: *power.admx* + + + + +The following are the supported Power button actions (on battery): +- 0 - Take no action +- 1 - Sleep +- 2 - System hibernate sleep state +- 3 - System shutdown + + + + + + + + + + +
+ + +**Power/SelectPowerButtonActionPluggedIn** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user presses the Power button. + +If you enable this policy setting, you must select the desired action. + +If you disable this policy setting or do not configure it, users can see and change this setting. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Select the Power button action (plugged in)* +- GP name: *ACPowerButtonAction_2* +- GP element: *SelectACPowerButtonAction* +- GP path: *System/Power Management/Button Settings* +- GP ADMX file name: *power.admx* + + + + +The following are the supported Power button actions (plugged in): +- 0 - Take no action +- 1 - Sleep +- 2 - System hibernate sleep state +- 3 - System shutdown + + + + + + + + + + +
+ + +**Power/SelectSleepButtonActionOnBattery** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user presses the Sleep button. + +If you enable this policy setting, you must select the desired action. + +If you disable this policy setting or do not configure it, users can see and change this setting. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Select the Sleep button action (on battery)* +- GP name: *DCSleepButtonAction_2* +- GP element: *SelectDCSleepButtonAction* +- GP path: *System/Power Management/Button Settings* +- GP ADMX file name: *power.admx* + + + + +The following are the supported Sleep button actions (on battery): +- 0 - Take no action +- 1 - Sleep +- 2 - System hibernate sleep state +- 3 - System shutdown + + + + + + + + + + +
+ + +**Power/SelectSleepButtonActionPluggedIn** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. This policy setting specifies the action that Windows takes when a user presses the Sleep button. + +If you enable this policy setting, you must select the desired action. + +If you disable this policy setting or do not configure it, users can see and change this setting. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Select the Sleep button action (plugged in)* +- GP name: *ACSleepButtonAction_2* +- GP element: *SelectACSleepButtonAction* +- GP path: *System/Power Management/Button Settings* +- GP ADMX file name: *power.admx* + + + + +The following are the supported Sleep button actions (plugged in): +- 0 - Take no action +- 1 - Sleep +- 2 - System hibernate sleep state +- 3 - System shutdown + + + + + + + + + + +
+ **Power/StandbyTimeoutOnBattery** @@ -683,14 +1341,319 @@ ADMX Info: +
-Footnote: + +**Power/TurnOffHybridSleepOnBattery** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. This policy setting allows you to turn off hybrid sleep. + +If you set this policy setting to 0, a hiberfile is not generated when the system transitions to sleep (Stand By). + +If you set this policy setting to 1 or do not configure this policy setting, users control this setting. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off hybrid sleep (on battery)* +- GP name: *DCStandbyWithHiberfileEnable_2* +- GP path: *System/Power Management/Sleep Settings* +- GP ADMX file name: *power.admx* + + + + +The following are the supported values for Hybrid sleep (on battery): +- 0 - no hibernation file for sleep (default) +- 1 - hybrid sleep + + + + + + + + + + +
+ + +**Power/TurnOffHybridSleepPluggedIn** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. This policy setting allows you to turn off hybrid sleep. + +If you set this policy setting to 0, a hiberfile is not generated when the system transitions to sleep (Stand By). + +If you set this policy setting to 1 or do not configure this policy setting, users control this setting. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off hybrid sleep (plugged in)* +- GP name: *ACStandbyWithHiberfileEnable_2* +- GP path: *System/Power Management/Sleep Settings* +- GP ADMX file name: *power.admx* + + + + +The following are the supported values for Hybrid sleep (plugged in): +- 0 - no hibernation file for sleep (default) +- 1 - hybrid sleep + + + + + + + + + + +
+ + +**Power/UnattendedSleepTimeoutOnBattery** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. + +If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. + +If you disable or do not configure this policy setting, users control this setting. + +If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the unattended sleep timeout (on battery)* +- GP name: *UnattendedSleepTimeOutDC* +- GP element: *EnterUnattendedSleepTimeOut* +- GP path: *System/Power Management/Sleep Settings* +- GP ADMX file name: *power.admx* + + + +Default value for unattended sleep timeout (on battery): +300 + + + + + + + + + +
+ + +**Power/UnattendedSleepTimeoutPluggedIn** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. + +If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. + +If you disable or do not configure this policy setting, users control this setting. + +If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the unattended sleep timeout (plugged in)* +- GP name: *UnattendedSleepTimeOutAC* +- GP element: *EnterUnattendedSleepTimeOut* +- GP path: *System/Power Management/Sleep Settings* +- GP ADMX file name: *power.admx* + + + +Default value for unattended sleep timeout (plugged in): +300 + + + + + + + + + + +
+ +Footnotes: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. - - - +- 5 - Added in Windows 10, version 1809. +- 6 - Added in Windows 10, version 1903. \ No newline at end of file From 2956823beaf3cb062fc8c9f285fa13c825b67d7b Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Mon, 6 May 2019 12:07:09 -0700 Subject: [PATCH 248/492] removed extra space --- windows/client-management/mdm/policy-csp-power.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index 376605a87a..c1696a003a 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -67,7 +67,7 @@ ms.date: 05/03/2019
Power/SelectSleepButtonActionPluggedIn -
+
Power/StandbyTimeoutOnBattery
From 7d5154f5375c15ad8daa97fad59e6e2bd2f0f4cb Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Mon, 6 May 2019 22:10:39 +0200 Subject: [PATCH 249/492] Update increase-scheduling-priority.md Fixes https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3156 --- .../increase-scheduling-priority.md | 18 ++---------------- 1 file changed, 2 insertions(+), 16 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md index 7cd6b91162..565e032adb 100644 --- a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md +++ b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md @@ -38,26 +38,11 @@ Constant: SeIncreaseBasePriorityPrivilege ### Best practices -- Allow the default value, Administrators and Window Manager/Window Manager Group, as the only accounts responsible for controlling process scheduling priorities. +- Retain the default value and allow Administrators, and Window Manager/Window Manager Group, as the only accounts responsible for controlling process scheduling priorities. ### Location Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment - -### Default values - -By default this setting is Administrators on domain controllers and on stand-alone servers. - -The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - -| Server type or GPO | Default value | -| - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy| Not defined| -| Stand-Alone Server Default Settings | Administrators and Window Manager/Window Manager Group| -| Domain Controller Effective Default Settings | Administrators and Window Manager/Window Manager Group| -| Member Server Effective Default Settings | Administrators and Window Manager/Window Manager Group| -| Client Computer Effective Default Settings | Administrators and Window Manager/Window Manager Group|   ## Policy management @@ -97,3 +82,4 @@ None. Restricting the **Increase scheduling priority** user right to members of ## Related topics - [User Rights Assignment](user-rights-assignment.md) +- [Increase scheduling priority for Windows Server 2012 and earlier](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn221960(v%3dws.11)) From e177eeff58aac8b8445d5c425016e9e74dac7f68 Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Mon, 6 May 2019 22:38:39 +0200 Subject: [PATCH 250/492] Update hello-adequate-domain-controllers.md Typo and grammar fixes https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3203 --- .../hello-adequate-domain-controllers.md | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index ebb6eed030..680fe15627 100644 --- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md @@ -24,21 +24,21 @@ ms.date: 08/20/2018 ## How many is adequate -How can you find out how many domain controllers are needed? You can use performance monitoring on your domain controllers to determine existing authentication traffic. Windows Server 2016 includes the KDC AS Requests performance counter. You can use these counters to determine how much of a domain controllers load is due to initial Kerberos authentication. It's important to remember that authentication for a Windows Hello for Business key trust deployment does not affect Kerberos authentication--it remains unchanged. +How can you find out how many domain controllers are needed? You can use performance monitoring on your domain controllers to determine existing authentication traffic. Windows Server 2016 includes the KDC AS Requests performance counter. You can use these counters to determine how much of a domain controller's load is due to initial Kerberos authentication. It's important to remember that authentication for a Windows Hello for Business key trust deployment does not affect Kerberos authentication--it remains unchanged. Windows 10 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2016 domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers. Therefore, users in a key trust deployment must authenticate to a Windows Server 2016 domain controller. -Determining an adequate number of Windows Server 2016 domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. What many administrators do not realize is that adding the most current version of a domain controller (in this case Windows Server 2016) to a deployment of existing domain controllers (Windows Server 2008R2 or Windows Server 2012R2) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as "piling on". To illustrate the "piling on" concept, consider the following scenario. +Determining an adequate number of Windows Server 2016 domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. What many administrators do not realize is that adding the most current version of a domain controller (in this case Windows Server 2016) to a deployment of existing domain controllers (Windows Server 2008R2 or Windows Server 2012R2) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as "piling on". To illustrate the "piling on" concept, consider the following scenario: -Consider a controlled environment where there are 1000 client computers and the authentication load of these 1000 client computers is evenly distributed across 10 domain controllers in the environment. The Kerberos AS requests load would look something like the following. +Consider a controlled environment where there are 1000 client computers and the authentication load of these 1000 client computers is evenly distributed across 10 domain controllers in the environment. The Kerberos AS requests load would look something like the following: ![dc-chart1](images/plan/dc-chart1.png) -The environment changes. The first change includes DC1 upgraded to Windows Server 2016 to support Windows Hello for Business key-trust authentication. Next, 100 clients enroll for Windows Hello for Business using the public key trust deployment. Given all other factors stay constant, the authentication would now look like the following. +The environment changes. The first change includes DC1 upgraded to Windows Server 2016 to support Windows Hello for Business key-trust authentication. Next, 100 clients enroll for Windows Hello for Business using the public key trust deployment. Given all other factors stay constant, the authentication would now look like the following: ![dc-chart2](images/plan/dc-chart2.png) -The Windows Server 2016 domain controller is handling 100 percent of all public key trust authentication. However, it is also handling 10 percent of the password authentication. Why? This behavior occurs because domain controllers 2- 10 only support password and certificate trust authentication; only a Windows Server 2016 domain controller supports authentication public key trust authentication. The Windows Server 2016 domain controller understands how to authenticate password and certificate trust authentication and will continue to share the load of authenticating those clients. Because DC1 can handle all forms of authentication, it will be bear more of the authentication load, and easily become overloaded. What if another Windows Server 2016 domain controller is added, but without deploying Windows Hello for Business to anymore clients. +The Windows Server 2016 domain controller is handling 100 percent of all public key trust authentication. However, it is also handling 10 percent of the password authentication. Why? This behavior occurs because domain controllers 2- 10 only support password and certificate trust authentication; only a Windows Server 2016 domain controller supports authentication public key trust authentication. The Windows Server 2016 domain controller understands how to authenticate password and certificate trust authentication and will continue to share the load of authenticating those clients. Because DC1 can handle all forms of authentication, it will be bear more of the authentication load, and easily become overloaded. What if another Windows Server 2016 domain controller is added, but without deploying Windows Hello for Business to anymore clients? ![dc-chart3](images/plan/dc-chart3.png) @@ -63,7 +63,7 @@ The preceding was an example to show why it's unrealistic to have a "one-size-fi ## Determining total AS Request load -Each organization needs to have an baseline of the AS request load that occurs in their environment. Windows Server provides the KDC AS Requests performance counter that helps you determine this. +Each organization needs to have a baseline of the AS request load that occurs in their environment. Windows Server provides the KDC AS Requests performance counter that helps you determine this. Pick a site where you plan to upgrade the clients to Windows Hello for Business public key trust. Pick a time when authentication traffic is most significant--Monday morning is great time as everyone is returning to the office. Enable the performance counter on *all* the domain controllers in that site. Collect KDC AS Requests performance counters for two hours: * A half-hour before you expect initial authentication (sign-ins and unlocks) to be significant @@ -75,29 +75,29 @@ For example, if employees are scheduled to come into the office at 9:00am. Your > [!NOTE] > To capture all the authentication traffic. Ensure that all computers are powered down to get the most accurate authentication information (computers and services authenticate at first power up--you need to consider this authentication in your evaluation). -Aggregate the performance data of all domain controllers. Look for the maximum KDC AS Requests for each domain controller. Find the median time when the maximum number of requests occurred for the site, this should represent when the site is experience the highest amount of authentication. +Aggregate the performance data of all domain controllers. Look for the maximum KDC AS Requests for each domain controller. Find the median time when the maximum number of requests occurred for the site, this should represent when the site is experiencing the highest amount of authentication. -Add the number of authentications for each domain controller for the median time. You now have the total authentication for the site during a peak time. Using this metric, you can determine the distribution of authentication across the domain controllers in the site by dividing the domain controller's authentication number for the median time by the total authentication. Multiple the quotient by 10 to convert the distribution to a percentage. To validate your math, all the distributions should equal 100 percent. +Add the number of authentications for each domain controller for the median time. You now have the total authentication for the site during a peak time. Using this metric, you can determine the distribution of authentication across the domain controllers in the site by dividing the domain controller's authentication number for the median time by the total authentication. Multiply the quotient by 10 to convert the distribution to a percentage. To validate your math, all the distributions should equal 100 percent. -Review the distribution of authentication. Hopefully, none of these are above 70 percent. It's always good to reserve some capacity for the unexpected. Also, the primary purposes of a domain controller is to provide authentication and handle Active Directory operations. Identify domain controllers with lower distributions of authentication as potential candidates for the initial domain controller upgrades in conjunction with a reasonable distribution of clients provisioned for Windows Hello for Business. +Review the distribution of authentication. Hopefully, none of these are above 70 percent. It's always good to reserve some capacity for the unexpected. Also, the primary purposes of a domain controller are to provide authentication and handle Active Directory operations. Identify domain controllers with lower distributions of authentication as potential candidates for the initial domain controller upgrades in conjunction with a reasonable distribution of clients provisioned for Windows Hello for Business. ## Monitoring Authentication -Using the same methods previously described above, monitor the Kerberos authentication after upgrading a domain controller and your first phase of Windows Hello for Business deployments. Make note of the delta of authentication before and after upgrading the domain controller to Windows Server 2016. This delta is representative of authentication resulting from the first phase of your Windows Hello for Business clients. This gives you a baseline for your environment to where you can form a statement such as +Using the same methods previously described above, monitor the Kerberos authentication after upgrading a domain controller and your first phase of Windows Hello for Business deployments. Make note of the delta of authentication before and after upgrading the domain controller to Windows Server 2016. This delta is representative of authentication resulting from the first phase of your Windows Hello for Business clients. This gives you a baseline for your environment from which you can form a statement such as ```"Every n Windows Hello for Business clients results in x percentage of key-trust authentication."``` -Where _n_ equals the number of clients you switched to Windows Hello for Business and _x_ equals the increased percentage of authentication from the upgraded domain controller. Armed with information, you can apply the observations of upgrading domain controllers and increasing Windows Hello for Business client count to appropriately phase your deployment. +Where _n_ equals the number of clients you switched to Windows Hello for Business and _x_ equals the increased percentage of authentication from the upgraded domain controller. Armed with this information, you can apply the observations of upgrading domain controllers and increasing Windows Hello for Business client count to appropriately phase your deployment. Remember, increasing the number of clients changes the volume of authentication distributed across the Windows Server 2016 domain controllers. If there is only one Windows Server 2016 domain controller, there's no distribution and you are simply increasing the volume of authentication for which THAT domain controller is responsible. -Increasing the number of number of domain controllers distributes the volume of authentication, but doesn't change it. Therefore, as you add more domain controllers, the burden of authentication for which each domain controller is responsible decrease. Upgrading two domain controller changes the distribution to 50 percent. Upgrading three domain controllers changes the distribution to 33 percent, and so on. +Increasing the number of domain controllers distributes the volume of authentication, but doesn't change it. Therefore, as you add more domain controllers, the burden of authentication, for which each domain controller is responsible, decreases. Upgrading two domain controller changes the distribution to 50 percent. Upgrading three domain controllers changes the distribution to 33 percent, and so on. ## Strategy The simplest strategy you can employ is to upgrade one domain controller and monitor the single domain controller as you continue to phase in new Windows Hello for Business key-trust clients until it reaches a 70 or 80 percent threshold. -Then, upgrade a second domain controller. Monitor the authentication on both domain controllers to determine how the authentication distributes between the two domain controllers. Introduce more Windows Hello for Business clients while monitoring the authentication on the two upgraded domain controllers. Once those reach your environments designated capacity, then upgrade another domain controller. +Then, upgrade a second domain controller. Monitor the authentication on both domain controllers to determine how the authentication distributes between the two domain controllers. Introduce more Windows Hello for Business clients while monitoring the authentication on the two upgraded domain controllers. Once those reach your environment's designated capacity, you can upgrade another domain controller. Repeat until your deployment for that site is complete. Now, monitor authentication across all your domain controllers like you did the very first time. Determine the distribution of authentication for each domain controller. Identify the percentage of distribution for which it is responsible. If a single domain controller is responsible for 70 percent of more of the authentication, you may want to consider adding a domain controller to reduce the distribution of authentication volume. -However, before considering this, ensure the high load of authentication is not a result of applications and services where their configuration has a statically configured domain controller. Adding domain controllers will not resolve the additional authentication load problem in this scenario. Instead, manually distribute the authentication to different domain controllers among all the services or applications. Alternatively, try simply using the domain name rather than a specific domain controller. Each domain controller has an A record registered in DNS for the domain name, which DNS will round robin with each DNS query. It's not the best load balancer, however, it is a better alternative to static domain controller configurations, provided the configuration is compatible with your service or application. +However, before considering this, ensure the high load of authentication is not a result of applications and services where their configuration has a statically-configured domain controller. Adding domain controllers will not resolve the additional authentication load problem in this scenario. Instead, manually distribute the authentication to different domain controllers among all the services or applications. Alternatively, try simply using the domain name rather than a specific domain controller. Each domain controller has an A record registered in DNS for the domain name, which DNS will round robin with each DNS query. It's not the best load balancer, however, it is a better alternative to static domain controller configurations, provided the configuration is compatible with your service or application. From 7556ea14b48f3b3bc481507b95395b3a9c3560ad Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Mon, 6 May 2019 22:42:41 +0200 Subject: [PATCH 251/492] Update hello-hybrid-key-trust.md Typo https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3203 --- .../hello-for-business/hello-hybrid-key-trust.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md index 303b6ce403..d74bd02a0e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md @@ -34,7 +34,7 @@ The new deployment baseline helps organizations who are moving to Azure and Offi This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in. -You’re next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. +Your next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. > [!div class="nextstepaction"] > [Prerequistes](hello-hybrid-key-trust-prereqs.md) From 52f92056d8658810a2cfa33861389b441956b207 Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Mon, 6 May 2019 22:48:13 +0200 Subject: [PATCH 252/492] Update hello-hybrid-key-new-install.md Typos https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3203 --- .../hello-for-business/hello-hybrid-key-new-install.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index d9874f88c3..831a9879cb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md @@ -80,7 +80,7 @@ If you do not have an existing public key infrastructure, please review [Certifi > [!IMPORTANT] > For Azure AD joined device to authenticate to and use on-premises resources, ensure you: > * Install the root certificate authority certificate for your organization in the user's trusted root certificate store. -> * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based url. +> * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based URL. ### Section Review ### @@ -135,7 +135,7 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation > * Review the overview and uses of Azure Multifactor Authentication. > * Review your Azure Active Directory subscription for Azure Multifactor Authentication. > * Create an Azure Multifactor Authentication Provider, if necessary. -> * Configure Azure Multifactor Authentiation features and settings. +> * Configure Azure Multifactor Authentication features and settings. > * Understand the different User States and their effect on Azure Multifactor Authentication. > * Consider using Azure Multifactor Authentication or a third-party multifactor authentication provider with Windows Server Active Directory Federation Services, if necessary. From e486b2536bf6035772818f7579d5618c8b662771 Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Mon, 6 May 2019 22:53:20 +0200 Subject: [PATCH 253/492] Update hello-hybrid-key-trust-devreg.md Typos https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3203 --- .../hello-for-business/hello-hybrid-key-trust-devreg.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md index 9a49d7ab15..f7ec72d697 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md @@ -38,7 +38,7 @@ Begin configuring device registration to support Hybrid Windows Hello for Busine To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-setup/) -Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup) page. In the **Configuration steps** section, identify you configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark. +Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup) page. In the **Configuration steps** section, identify your configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark.

@@ -47,7 +47,7 @@ Next, follow the guidance on the [How to configure hybrid Azure Active Directory ## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. Configure Azure Device Registration (*You are here*) From 83a316f4dfa239f785f48abf9ea612ebb056841a Mon Sep 17 00:00:00 2001 From: yoosi Date: Mon, 6 May 2019 14:06:22 -0700 Subject: [PATCH 254/492] correct typo in bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index c9ba5464a6..9ea0ddd3dc 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -529,7 +529,7 @@ Disable-BitLocker -MountPoint E:,F:,G: ``` ## See also -- [Prepare your organization for BitLocker: Planning and p\\olicies](prepare-your-organization-for-bitlocker-planning-and-policies.md) +- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) - [BitLocker recovery guide](bitlocker-recovery-guide-plan.md) - [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) - [BitLocker overview](bitlocker-overview.md) From 68c1c54c477b45cfb1f12eeb9831de1c349c2650 Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Mon, 6 May 2019 23:13:19 +0200 Subject: [PATCH 255/492] Update hello-planning-guide.md Typos https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3203 --- .../hello-for-business/hello-planning-guide.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 1700566e52..462ce37ed5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -136,7 +136,7 @@ The Windows Hello for Business deployment depends on an enterprise public key in ### Cloud -Some deployment combinations require an Azure account and some require Azure Active Directory for user identities. These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiates the components that are needed from the those that are optional. +Some deployment combinations require an Azure account, and some require Azure Active Directory for user identities. These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiates the components that are needed from the those that are optional. ## Planning a Deployment @@ -150,13 +150,13 @@ Choose the deployment model based on the resources your users access. Use the f If your organization does not have on-premises resources, write **Cloud Only** in box **1a** on your planning worksheet. -If your organization is federated with Azure or uses any online service, such as Office365 or OneDrive, or your users access cloud and on-premises resources, write **Hybrid** in box **1a** on your planning worksheet. +If your organization is federated with Azure or uses any online service, such as Office365 or OneDrive, or your users' access cloud and on-premises resources, write **Hybrid** in box **1a** on your planning worksheet. If your organization does not have cloud resources, write **On-Premises** in box **1a** on your planning worksheet. >[!NOTE] >If you’re unsure if your organization is federated, run the following Active Directory Windows PowerShell command from an elevated Windows PowerShell prompt and evaluate the results. >```Get-AdObject “CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=[forest_root_CN_name],DC=com" -Properties keywords``` ->* If the command returns an error stating it could not find the object, then you have yet to configured AAD Connect or on-premises Device Registration Services using AD FS. Ensure the name is accurate and validate the object does not exist with another Active Directory Management tool such as **ADSIEdit.msc**. If the object truly does not exist, then you environment does not bind you to a specific deployment or require changes to accommodate the desired deployment type. +>* If the command returns an error stating it could not find the object, then you have yet to configured AAD Connect or on-premises Device Registration Services using AD FS. Ensure the name is accurate and validate the object does not exist with another Active Directory Management tool such as **ADSIEdit.msc**. If the object truly does not exist, then your environment does not bind you to a specific deployment or require changes to accommodate the desired deployment type. >* If the command returns a value, compare that value with the values below. The value indicates the deployment model you should implement > * If the value begins with **azureADName:** – write **Hybrid** in box **1a**on your planning worksheet. > * If the value begins with **enterpriseDrsName:** – write **On-Premises** in box **1a** on your planning worksheet. @@ -197,7 +197,7 @@ If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in If box **1a** on your planning worksheet reads **hybrid**, then write **Azure AD Connect** in box **1e** on your planning worksheet. -If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusively uses Active Directory for user information with the exception of the multi-factor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multi-factor authentication while the user’s credential remain on the on-premises network. +If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusively uses Active Directory for user information with the exception of the multi-factor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multi-factor authentication while the user’s credentials remain on the on-premises network. ### Multifactor Authentication From f3d02254eb14dddf1734357306dd5d6a73d869e5 Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Mon, 6 May 2019 23:23:32 +0200 Subject: [PATCH 256/492] Update hello-hybrid-key-trust.md Typo "prerequisites" --- .../hello-for-business/hello-hybrid-key-trust.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md index 303b6ce403..1c42c615c5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md @@ -37,7 +37,7 @@ This baseline provides detailed procedures to move your environment from an on-p You’re next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. > [!div class="nextstepaction"] -> [Prerequistes](hello-hybrid-key-trust-prereqs.md) +> [Prerequisites](hello-hybrid-key-trust-prereqs.md)

@@ -45,7 +45,7 @@ You’re next step is to familiarize yourself with the prerequisites needed for ## Follow the Windows Hello for Business hybrid key trust deployment guide 1. Overview (*You are here*) -2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-key-new-install.md) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) From 3c65e9363bfae0eba476a72fd8f0b48d98b36fd3 Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Tue, 7 May 2019 00:17:21 +0200 Subject: [PATCH 257/492] Update upgrade-readiness-data-sharing.md Typo and format fixes https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3523 --- .../deployment/upgrade/upgrade-readiness-data-sharing.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md index 3eff878d63..b7b51ae981 100644 --- a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md +++ b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md @@ -29,10 +29,10 @@ In order to use the direct connection scenario, set the parameter **ClientProxy= This is the first and most simple proxy scenario. The WinHTTP stack was designed for use in services and does not support proxy autodetection, PAC scripts or authentication. In order to set the WinHTTP proxy system-wide on your computers, you need to -•Use the command netsh winhttp set proxy \:\ -•Set ClientProxy=System in runconfig.bat +- Use the command netsh winhttp set proxy \:\ +- Set ClientProxy=System in runconfig.bat -The WinHTTP scenario is most appropriate for customers who use a single proxy or f. If you have more advanced proxy requirements, refer to Scenario 3. +The WinHTTP scenario is most appropriate for customers who use a single proxy. If you have more advanced proxy requirements, refer to Scenario 3. If you want to learn more about proxy considerations on Windows, see [Understanding Web Proxy Configuration](https://blogs.msdn.microsoft.com/ieinternals/2013/10/11/understanding-web-proxy-configuration/). From 113fbb13600b75d42459155e378d5d6c8ef52730 Mon Sep 17 00:00:00 2001 From: martyav Date: Mon, 6 May 2019 18:45:02 -0400 Subject: [PATCH 258/492] added links to see also section of trusted-platform-module-overview.md --- .../tpm/trusted-platform-module-overview.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index 3f858bbcb9..fc03050770 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -87,5 +87,12 @@ Some things that you can check on the device are: ## Related topics - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) -- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule) -- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations) +- [Details on the TPM standard](https://www.microsoft.com/en-us/research/project/the-trusted-platform-module-tpm/) (has links to features using TPM) +- [TPM Base Services Portal](https://docs.microsoft.com/en-us/windows/desktop/TBS/tpm-base-services-portal) +- [TPM Base Services API](https://docs.microsoft.com/en-us/windows/desktop/api/_tbs/) +- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule) +- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations) +- [Azure device provisioning: Identity attestation with TPM](https://azure.microsoft.com/en-us/blog/device-provisioning-identity-attestation-with-tpm/) +- [Azure device provisioning: A manufacturing timeline for TPM devices](https://azure.microsoft.com/en-us/blog/device-provisioning-a-manufacturing-timeline-for-tpm-devices/) +- [Windows 10: Enabling vTPM (Virtual TPM)](https://social.technet.microsoft.com/wiki/contents/articles/34431.windows-10-enabling-vtpm-virtual-tpm.aspx) +- [How to Multiboot with Bitlocker, TPM, and a Non-Windows OS](https://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx) \ No newline at end of file From e656ed40b56379912671eb3fdcd7e9527da41c69 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 6 May 2019 16:03:07 -0700 Subject: [PATCH 259/492] Update attack-surface-reduction-exploit-guard.md --- .../attack-surface-reduction-exploit-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 272c13081f..9e11ba030f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -22,7 +22,7 @@ ms.date: 04/02/2019 Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1709 or later, Windows Server 2016 1803 or later, or Windows Server 2019. -To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have a Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subsciption, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. +To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have a Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subsciption, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including: From 6ee5d7c96f8b0cb7104bd52e67fd3b3c9ec656a4 Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Tue, 7 May 2019 05:27:22 +0200 Subject: [PATCH 260/492] Update hello-hybrid-key-trust.md Prerequisites typo --- .../hello-for-business/hello-hybrid-key-trust.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md index d74bd02a0e..129be903cb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md @@ -37,7 +37,7 @@ This baseline provides detailed procedures to move your environment from an on-p Your next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. > [!div class="nextstepaction"] -> [Prerequistes](hello-hybrid-key-trust-prereqs.md) +> [Prerequisites](hello-hybrid-key-trust-prereqs.md)

@@ -45,7 +45,7 @@ Your next step is to familiarize yourself with the prerequisites needed for the ## Follow the Windows Hello for Business hybrid key trust deployment guide 1. Overview (*You are here*) -2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-key-new-install.md) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) From 1e39927854b20f76169b9f32d18468f1617ea401 Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Tue, 7 May 2019 05:30:27 +0200 Subject: [PATCH 261/492] Update hello-hybrid-key-new-install.md Typo Prerequisites --- .../hello-for-business/hello-hybrid-key-new-install.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index 831a9879cb..4a4a80eced 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md @@ -124,7 +124,7 @@ If your organization uses Azure MFA on a per-consumption model (no licenses), th Once you have created your Azure MFA authentication provider and associated it with an Azure tenant, you need to configure the multi-factor authentication settings. Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings. #### Azure MFA User States #### -After you have completed configuring your Azure MFA settings, you want to review configure [User States](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users. +After you have completed configuring your Azure MFA settings, you want to review configure [User States](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users. ### Azure MFA via ADFS ### Alternatively, you can configure Windows Server 2016 Active Directory Federation Services (AD FS) to provide additional multi-factor authentication. To configure, read the [Configure AD FS 2016 and Azure MFA](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa) section. @@ -148,7 +148,7 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation ## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-key-trust.md) -2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) 3. New Installation Baseline (*You are here*) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) From 9cd14c4a4cab864228c727e44dff1e1184c5849c Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Tue, 7 May 2019 05:41:47 +0200 Subject: [PATCH 262/492] Update hello-hybrid-key-trust-dirsync.md Typos https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3203 --- .../hello-for-business/hello-hybrid-key-trust-dirsync.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md index 2c4dc3093c..617e922f94 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md @@ -26,7 +26,7 @@ ms.date: 08/19/2018 You are ready to configure directory synchronization for your hybrid environment. Hybrid Windows Hello for Business deployment needs both a cloud and an on-premises identity to authenticate and access resources in the cloud or on-premises. ## Deploy Azure AD Connect -Next, you need to synchronizes the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771). +Next, you need to synchronize the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771). > [!NOTE] @@ -38,7 +38,7 @@ Next, you need to synchronizes the on-premises Active Directory with Azure Activ ## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-key-trust.md) -2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-key-new-install.md) 4. Configure Directory Synchronization (*You are here*) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) From 322c28aa7290a18f3f4fcc861e91e1625646d7f4 Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Tue, 7 May 2019 05:48:08 +0200 Subject: [PATCH 263/492] Update hello-hybrid-cert-trust.md Typos --- .../hello-for-business/hello-hybrid-cert-trust.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md index f8613819f5..c622ab65bb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md @@ -37,10 +37,10 @@ This baseline provides detailed procedures to move your environment from an on-p ## Federated Baseline ## The federated baseline helps organizations that have completed their federation with Azure Active Directory and Office 365 and enables them to introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed to add Azure Device Registration and Windows Hello for Business to an existing hybrid deployment. -Regardless of the baseline you choose, you’re next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. +Regardless of the baseline you choose, your next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. > [!div class="nextstepaction"] -> [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +> [Prerequisites](hello-hybrid-cert-trust-prereqs.md)

@@ -48,7 +48,7 @@ Regardless of the baseline you choose, you’re next step is to familiarize your ## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. Overview (*You are here*) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Device Registration](hello-hybrid-cert-trust-devreg.md) 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) From ec38b89126d53bf0b4fdbad6e044ce40bd6aab5c Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Tue, 7 May 2019 06:02:08 +0200 Subject: [PATCH 264/492] Update hello-hybrid-cert-trust-prereqs.md Typos --- .../hello-hybrid-cert-trust-prereqs.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 6b4a465a9c..3dd1963a94 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -27,10 +27,10 @@ Hybrid environments are distributed systems that enable organizations to use on- The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: * [Directories](#directories) -* [Public Key Infrastucture](#public-key-infrastructure) +* [Public Key Infrastructure](#public-key-infrastructure) * [Directory Synchronization](#directory-synchronization) * [Federation](#federation) -* [MultiFactor Authentication](#multifactor-authentication) +* [Multifactor Authentication](#multifactor-authentication) * [Device Registration](#device-registration) ## Directories ## @@ -57,7 +57,7 @@ Review these requirements and those from the Windows Hello for Business planning ## Public Key Infrastructure ## The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller. -Certificate trust deployments need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. When using Group Policy, hybrid certificate trust deployment use the Windows Server 2016 Active Directory Federation Server (AS FS) as a certificate registration authority. +Certificate trust deployments need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. When using Group Policy, hybrid certificate trust deployment uses the Windows Server 2016 Active Directory Federation Server (AS FS) as a certificate registration authority. The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012. @@ -96,7 +96,7 @@ The AD FS farm used with Windows Hello for Business must be Windows Server 2016 ## Multifactor Authentication ## Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their username and password as one factor. but needs a second factor of authentication. -Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication service or they can use multifactor authentication provides by Windows Server 2016 Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multifactor authentication into AD FS. +Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication service, or they can use multifactor authentication provides by Windows Server 2016 Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multifactor authentication into AD FS. ### Section Review > [!div class="checklist"] @@ -119,7 +119,7 @@ Hybrid certificate trust deployments need the device write back feature. Authen
### Next Steps ### -Follow the Windows Hello for Business hybrid certificate trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Basline**. +Follow the Windows Hello for Business hybrid certificate trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Baseline**. If your environment is already federated, but does not include Azure device registration, choose **Configure Azure Device Registration**. From 91e9e7b8089f61f08260c8c101090f457372bc4b Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Tue, 7 May 2019 06:14:48 +0200 Subject: [PATCH 265/492] Update hello-hybrid-cert-new-install.md Typos lines 83,131,144, --- .../hello-for-business/hello-hybrid-cert-new-install.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md index 2e3ac6b145..81a325489b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md @@ -80,7 +80,7 @@ If you do have an existing public key infrastructure, please review [Certificati ### Section Review ### > [!div class="checklist"] -> * Miniumum Windows Server 2012 Certificate Authority. +> * Minimum Windows Server 2012 Certificate Authority. > * Enterprise Certificate Authority. > * Functioning public key infrastructure. @@ -128,7 +128,7 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation > * Review the overview and uses of Azure Multifactor Authentication. > * Review your Azure Active Directory subscription for Azure Multifactor Authentication. > * Create an Azure Multifactor Authentication Provider, if necessary. -> * Configure Azure Multufactor Authentiation features and settings. +> * Configure Azure Multifactor Authentication features and settings. > * Understand the different User States and their effect on Azure Multifactor Authentication. > * Consider using Azure Multifactor Authentication or a third-party multifactor authentication provider with Windows Server 2016 Active Directory Federation Services, if necessary. @@ -141,7 +141,7 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation ## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. New Installation Baseline (*You are here*) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) From b6816dedf09d7422aa581f96e5a8880c252c90ec Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Tue, 7 May 2019 06:32:48 +0200 Subject: [PATCH 266/492] Update hello-hybrid-cert-trust-devreg.md Typos lines 37, 103, 517 --- .../hello-for-business/hello-hybrid-cert-trust-devreg.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index bab9bcf458..273991ec82 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -28,13 +28,13 @@ Your environment is federated and you are ready to configure device registration > [!IMPORTANT] > If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. -Use this three phased approach for configuring device registration. +Use this three-phased approach for configuring device registration. 1. [Configure devices to register in Azure](#configure-azure-for-device-registration) 2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-syncrhonization) 3. [Configure AD FS to use cloud devices](#configure-ad-fs-to-use-azure-registered-devices) > [!NOTE] -> Before proceeding, you should familiarize yourself with device regisration concepts such as: +> Before proceeding, you should familiarize yourself with device registration concepts such as: > * Azure AD registered devices > * Azure AD joined devices > * Hybrid Azure AD joined devices @@ -100,7 +100,7 @@ Federation server proxies are computers that run AD FS software that have been c Use the [Setting of a Federation Proxy](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/checklist--setting-up-a-federation-server-proxy) checklist to configure AD FS proxy servers in your environment. ### Deploy Azure AD Connect -Next, you need to synchronizes the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771). +Next, you need to synchronize the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771). When you are ready to install, follow the **Configuring federation with AD FS** section of [Custom installation of Azure AD Connect](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-get-started-custom). Select the **Federation with AD FS** option on the **User sign-in** page. At the **AD FS Farm** page, select the use an existing option and click **Next**. @@ -514,7 +514,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe ## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. Configure Azure Device Registration (*You are here*) 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) From 6c20152a49c6d5ed62a316d5908c9f7e58a62fd7 Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Tue, 7 May 2019 06:35:34 +0200 Subject: [PATCH 267/492] Update hello-hybrid-cert-whfb-settings.md Typos lines 26 and 47 --- .../hello-for-business/hello-hybrid-cert-whfb-settings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index 3d78b7a719..f127c06ae9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md @@ -23,7 +23,7 @@ ms.date: 08/19/2018 - Certificate trust -You're environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model. +Your environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model. > [!IMPORTANT] > If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. @@ -44,7 +44,7 @@ For the most efficient deployment, configure these technologies in order beginni ## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. Configure Windows Hello for Business settings (*You are here*) From 7b1ac59f12a73df162c08bb0e3c6e1af1df07a8a Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Tue, 7 May 2019 06:42:18 +0200 Subject: [PATCH 268/492] Update hello-hybrid-cert-whfb-provision.md Typos lines 58, 62, 68, 76, 80 --- .../hello-hybrid-cert-whfb-provision.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index e295b98d48..22b4bd30cd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md @@ -18,7 +18,7 @@ ms.date: 08/19/2018 # Hybrid Windows Hello for Business Provisioning **Applies to** -- Windows10, version 1703 or later +- Windows 10, version 1703 or later - Hybrid deployment - Certificate trust @@ -55,17 +55,17 @@ The remainder of the provisioning includes Windows Hello for Business requesting > The following is the enrollment behavior prior to Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). > The minimum time needed to synchronize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval. -> **This synchronization latency delays the user's ability to authenticate and use on-premises resouces until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources. +> **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources. > Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization. > [!NOTE] -> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completeling the provisioning. The update needs to be installed on the federation servers. +> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completing the provisioning. The update needs to be installed on the federation servers. After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment. The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. -The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current users certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user they can use their PIN to sign-in through the Windows Action Center. +The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user’s certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that they can use their PIN to sign-in through the Windows Action Center.

@@ -73,9 +73,9 @@ The certificate authority validates the certificate was signed by the registrati ## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings-policy.md) -6. Sign-in and Provision(*You are here*) +6. Sign-in and Provision (*You are here*) From 34e23be6411b087eff0daafbf4471b214d7358c0 Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Tue, 7 May 2019 06:57:54 +0200 Subject: [PATCH 269/492] Update hello-hybrid-aadj-sso-base.md Typos lines 144, 283, 286 --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index bf17a84426..84d389751b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -141,7 +141,7 @@ These procedures configure NTFS and share permissions on the web server to allow 1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server). 2. Right-click the **cdp** folder and click **Properties**. Click the **Sharing** tab. Click **Advanced Sharing**. -3. Select **Share this folder**. Type **cdp$** in **Share name:**. Click **Permissions**. +3. Select **Share this folder**. Type **cdp$** in **Share name**. Click **Permissions**. ![cdp sharing](images/aadj/cdp-sharing.png) 4. In the **Permissions for cdp$** dialog box, click **Add**. 5. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, click **Object Types**. In the **Object Types** dialog box, select **Computers**, and then click **OK**. @@ -280,10 +280,10 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted 1. Sign-in to the [Microsoft Azure Portal](https://portal.azure.com) and select **Microsoft Intune**. 2. Click **Device configuration**. In the **Device Configuration** blade, click **Create profile**. ![Intune Create Profile](images/aadj/intune-create-device-config-profile.png) -3. In the **Create profle** blade, type **Enterprise Root Certificate** in **Name**. Provide a description. Select **Windows 10 and later** from the **Platform** list. Select **Trusted certificate** from the **Profile type** list. Click **Configure**. +3. In the **Create profile** blade, type **Enterprise Root Certificate** in **Name**. Provide a description. Select **Windows 10 and later** from the **Platform** list. Select **Trusted certificate** from the **Profile type** list. Click **Configure**. 4. In the **Trusted Certificate** blade, use the folder icon to browse for the location of the enterprise root certificate file you created in step 8 of [Export Enterprise Root certificate](#export-enterprise-root-certificate). Click **OK**. Click **Create**. ![Intune Trusted Certificate Profile](images/aadj/intune-create-trusted-certificate-profile.png) -5. In the **Enterprise Root Certificate** blade, click **Assignmnets**. In the **Include** tab, select **All Devices** from the **Assign to** list. Click **Save**. +5. In the **Enterprise Root Certificate** blade, click **Assignments**. In the **Include** tab, select **All Devices** from the **Assign to** list. Click **Save**. ![Intune Profile assignment](images/aadj/intune-device-config-enterprise-root-assignment.png) 6. Sign out of the Microsoft Azure Portal. From 39a69c639722cab6c188230f9d80ab67f1c30cf9 Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Tue, 7 May 2019 10:19:06 +0300 Subject: [PATCH 270/492] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md Co-Authored-By: VLG17 <41186174+VLG17@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index a5d222346e..f3c76726c8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -425,7 +425,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 3. Under **MANAGE**, click **Application proxy**. 4. Click **Configure an app**. 5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**. Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server. Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL. -6. Next to **Internal Url**, type the internal fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). This must match the primary hostname (AD Computer Account name) of the NDES server and ensure you prefix the Url with **https**. +6. Next to **Internal Url**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**. 7. Under **Internal Url**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net). ![Azure NDES Application Proxy Configuration](images/aadjcert/azureconsole-appproxyconfig.png) 8. Select **Passthrough** from the **Pre Authentication** list. From b2ed14a6a2efb673f31324bdacbb7976afca8d99 Mon Sep 17 00:00:00 2001 From: larsstaalm <50363667+larsstaalm@users.noreply.github.com> Date: Tue, 7 May 2019 12:46:50 +0200 Subject: [PATCH 271/492] Update windows-analytics-FAQ-troubleshooting.md Step 6 currently wants to remove the solution like in step 1. We need to re-add it here instead, can be phrased differently :) --- .../deployment/update/windows-analytics-FAQ-troubleshooting.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md index ea9214c57b..9942044960 100644 --- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md +++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md @@ -86,7 +86,7 @@ If you have devices that appear in other solutions, but not Device Health (the D 3. Verify that the Commercial ID is present in the device's registry. For details see [https://gpsearch.azurewebsites.net/#13551](https://gpsearch.azurewebsites.net/#13551). 4. Confirm that devices have opted in to provide diagnostic data by checking in the registry that **AllowTelemetry** is set to 2 (Enhanced) or 3 (Full) in **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** (or **HKLM\Software\Policies\Microsoft\Windows\DataCollection**, which takes precedence if set). 5. Verify that devices can reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Also check settings for SSL inspection and proxy authentication; see [Configuring endpoint access with SSL inspection](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#configuring-endpoint-access-with-ssl-inspection) for more information. -6. Remove the Device Health (appears as DeviceHealthProd on some pages) from your Log Analytics workspace +6. Add the Device Health solution back to your Log Analytics workspace. 7. Wait 48 hours for activity to appear in the reports. 8. If you need additional troubleshooting, contact Microsoft Support. From 05b003cb318d528d226c8e1f77700c4dbe93ca31 Mon Sep 17 00:00:00 2001 From: Russ Rimmerman Date: Tue, 7 May 2019 08:26:33 -0500 Subject: [PATCH 272/492] Update hello-faq.md Typo --- .../identity-protection/hello-for-business/hello-faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md index 1dabe3c95d..ecdde0e294 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.md +++ b/windows/security/identity-protection/hello-for-business/hello-faq.md @@ -27,7 +27,7 @@ Windows Hello for Business is the modern, two-factor credential for Windows 10. Microsoft is committed to its vision of a world without passwords. We recognize the *convenience* provided by convenience PIN, but it stills uses a password for authentication. Microsoft recommends customers using Windows 10 and convenience PINs should move to Windows Hello for Business. New Windows 10 deployments should deploy Windows Hello for Business and not convenience PINs. Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business. ## Can I deploy Windows Hello for Business using System Center Configuration Manager? -Windows Hello for Business deployments using System Center Configuration Manager need to move to the hybrid deployment model that uses Active Directory Federation Services. Deployments using System Center Configuration Manager will no long be supported after November 2018. +Windows Hello for Business deployments using System Center Configuration Manager need to move to the hybrid deployment model that uses Active Directory Federation Services. Deployments using System Center Configuration Manager will no longer be supported after November 2018. ## How many users can enroll for Windows Hello for Business on a single Windows 10 computer? The maximum number of supported enrollments on a single Windows 10 computer is 10. That enables 10 users to each enroll their face and up to 10 fingerprints. While we support 10 enrollments, we will strongly encourage the use of Windows Hello security keys for the shared computer scenario when they become available. From be33f0358941dc5cc8c4c9edc3cbeb3ceaee8e3c Mon Sep 17 00:00:00 2001 From: Russ Rimmerman Date: Tue, 7 May 2019 08:28:11 -0500 Subject: [PATCH 273/492] Update hello-faq.md Typo --- .../identity-protection/hello-for-business/hello-faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md index 1dabe3c95d..d44e767bc5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.md +++ b/windows/security/identity-protection/hello-for-business/hello-faq.md @@ -15,7 +15,7 @@ ms.topic: article localizationpriority: medium ms.date: 08/19/2018 --- -# Windows Hello for Business Frequently Ask Questions +# Windows Hello for Business Frequently Asked Questions **Applies to** - Windows 10 From 7be9f5d81b552ea892561dca441899d395c745e2 Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 7 May 2019 12:32:12 -0400 Subject: [PATCH 274/492] added related topic links to tpm-overview.md --- .../tpm/trusted-platform-module-overview.md | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index 3f858bbcb9..263963d4db 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -19,7 +19,7 @@ ms.date: 11/29/2018 # Trusted Platform Module Technology Overview **Applies to** -- Windows 10 +- Windows 10 - Windows Server 2016 - Windows Server 2019 @@ -53,13 +53,13 @@ Certificates can be installed or created on computers that are using the TPM. Af Automated provisioning in the TPM reduces the cost of TPM deployment in an enterprise. New APIs for TPM management can determine if TPM provisioning actions require physical presence of a service technician to approve TPM state change requests during the boot process. -Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry. +Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry. The TPM has several Group Policy settings that might be useful in certain enterprise scenarios. For more info, see [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md). ## New and changed functionality -For more info on new and changed functionality for Trusted Platform Module in Windows 10, see [What's new in Trusted Platform Module?](https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511#trusted-platform-module). +For more info on new and changed functionality for Trusted Platform Module in Windows 10, see [What's new in Trusted Platform Module?](https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511#trusted-platform-module). ## Device health attestation @@ -78,7 +78,7 @@ Some things that you can check on the device are: ## Supported versions for device health attestation -| TPM version | Windows 10 | Windows Server 2016 | Windows Server 2019 | +| TPM version | Windows 10 | Windows Server 2016 | Windows Server 2019 | |-------------|-------------|---------------------|---------------------| | TPM 1.2 | >= ver 1607 | >= ver 1607 | Yes | | TPM 2.0 | Yes | Yes | Yes | @@ -87,5 +87,12 @@ Some things that you can check on the device are: ## Related topics - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) -- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule) -- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations) +- [Details on the TPM standard](https://www.microsoft.com/en-us/research/project/the-trusted-platform-module-tpm/) (has links to features using TPM) +- [TPM Base Services Portal](https://docs.microsoft.com/en-us/windows/desktop/TBS/tpm-base-services-portal) +- [TPM Base Services API](https://docs.microsoft.com/en-us/windows/desktop/api/_tbs/) +- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule) +- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations) +- [Azure device provisioning: Identity attestation with TPM](https://azure.microsoft.com/en-us/blog/device-provisioning-identity-attestation-with-tpm/) +- [Azure device provisioning: A manufacturing timeline for TPM devices](https://azure.microsoft.com/en-us/blog/device-provisioning-a-manufacturing-timeline-for-tpm-devices/) +- [Windows 10: Enabling vTPM (Virtual TPM)](https://social.technet.microsoft.com/wiki/contents/articles/34431.windows-10-enabling-vtpm-virtual-tpm.aspx) +- [How to Multiboot with Bitlocker, TPM, and a Non-Windows OS](https://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx) \ No newline at end of file From e350e7b5cc557ce0802338590f6edcd5f1999979 Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 7 May 2019 13:13:08 -0400 Subject: [PATCH 275/492] split & updated mdatp-mac.md into 4 new pages --- ...osoft-defender-atp-mac-install-manually.md | 145 ++++++ ...ft-defender-atp-mac-install-with-intune.md | 173 +++++++ ...soft-defender-atp-mac-install-with-jamf.md | 145 ++++++ .../microsoft-defender-atp-mac-resources.md | 136 +++++ .../microsoft-defender-atp-mac.md | 487 ++---------------- 5 files changed, 631 insertions(+), 455 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md new file mode 100644 index 0000000000..27b3a8f924 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -0,0 +1,145 @@ +--- +title: Installing Microsoft Defender ATP for Mac with JAMF +description: Describes how to install Microsoft Defender ATP for Mac, using JAMF. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: #conceptual +--- + +# Manual deployment + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. + +## Prerequisites and system requirements + +Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. + +## Download installation and onboarding packages + +Download the installation and onboarding packages from Windows Defender Security Center: + +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. + + ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + +5. From a command prompt, verify that you have the two files. + Extract the contents of the .zip files: + + ```bash + mavel-macmini:Downloads test$ ls -l + total 721152 + -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + inflating: WindowsDefenderATPOnboarding.py + ``` + +## Application installation + +To complete this process, you must have admin privileges on the machine. + +1. Navigate to the downloaded wdav.pkg in Finder and open it. + + ![App install screenshot](images/MDATP_28_AppInstall.png) + +2. Select **Continue**, agree with the License terms, and enter the password when prompted. + + ![App install screenshot](images/MDATP_29_AppInstallLogin.png) + + > [!IMPORTANT] + > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. + + ![App install screenshot](images/MDATP_30_SystemExtension.png) + +3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: + + ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png) + +The installation will proceed. + +> [!NOTE] +> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time. + +## Client configuration + +1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. + + The client machine is not associated with orgId. Note that the orgid is blank. + + ```bash + mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : + ``` + +2. Install the configuration file on a client machine: + + ```bash + mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py + Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) + ``` + +3. Verify that the machine is now associated with orgId: + + ```bash + mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8 + ``` + +After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. + + ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +## Configuring from the command line + +Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line: + +|Group |Scenario |Command | +|-------------|-------------------------------------------|-----------------------------------------------------------------------| +|Configuration|Turn on/off real-time protection |`mdatp config --rtp [true/false]` | +|Configuration|Turn on/off cloud protection |`mdatp config --cloud [true/false]` | +|Configuration|Turn on/off product diagnostics |`mdatp config --diagnostic [true/false]` | +|Configuration|Turn on/off automatic sample submission |`mdatp config --sample-submission [true/false]` | +|Configuration|Turn on PUA protection |`mdatp threat --type-handling --potentially_unwanted_application block`| +|Configuration|Turn off PUA protection |`mdatp threat --type-handling --potentially_unwanted_application off` | +|Configuration|Turn on audit mode for PUA protection |`mdatp threat --type-handling --potentially_unwanted_application audit`| +|Diagnostics |Change the log level |`mdatp log-level --[error/warning/info/verbose]` | +|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic` | +|Health |Check the product's health |`mdatp --health` | +|Protection |Scan a path |`mdatp scan --path [path]` | +|Protection |Do a quick scan |`mdatp scan --quick` | +|Protection |Do a full scan |`mdatp scan --full` | +|Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` | +|Protection |Request a definition update |`mdatp --signature-update` | + +## Logging installation issues + +See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. + +## Uninstallation + +See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md new file mode 100644 index 0000000000..8af90fded1 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md @@ -0,0 +1,173 @@ +--- +title: Installing Microsoft Defender ATP for Mac with Microsoft Intune +description: Describes how to install Microsoft Defender ATP for Mac, using Microsoft Intune. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: #conceptual +--- + +# Microsoft Intune-based deployment + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. + +## Prerequisites and system requirements + +Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. + +## Download installation and onboarding packages + +Download the installation and onboarding packages from Windows Defender Security Center: + +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. +5. Download IntuneAppUtil from [https://docs.microsoft.com/en-us/intune/lob-apps-macos](https://docs.microsoft.com/en-us/intune/lob-apps-macos). + + ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + +6. From a command prompt, verify that you have the three files. + Extract the contents of the .zip files: + + ```bash + mavel-macmini:Downloads test$ ls -l + total 721688 + -rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil + -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators + inflating: intune/kext.xml + inflating: intune/WindowsDefenderATPOnboarding.xml + inflating: jamf/WindowsDefenderATPOnboarding.plist + mavel-macmini:Downloads test$ + ``` + +7. Make IntuneAppUtil an executable: + + ```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil``` + +8. Create the wdav.pkg.intunemac package from wdav.pkg: + + ```bash + mavel-macmini:Downloads test$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0" + Microsoft Intune Application Utility for Mac OS X + Version: 1.0.0.0 + Copyright 2018 Microsoft Corporation + + Creating intunemac file for /Users/test/Downloads/wdav.pkg + Composing the intunemac file output + Output written to ./wdav.pkg.intunemac. + + IntuneAppUtil successfully processed "wdav.pkg", + to deploy refer to the product documentation. + ``` + +## Client Machine Setup + +You need no special provisioning for a Mac machine beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp). + +1. You'll be asked to confirm device management. + +![Confirm device management screenshot](images/MDATP_3_ConfirmDeviceMgmt.png) + +Select Open System Preferences, locate Management Profile on the list and select the **Approve...** button. Your Management Profile would be displayed as **Verified**: + +![Management profile screenshot](images/MDATP_4_ManagementProfile.png) + +2. Select the **Continue** button and complete the enrollment. + +You can enroll additional machines. Optionally, you can do it later, after system configuration and application package are provisioned. + +3. In Intune, open the **Manage > Devices > All devices** blade. You'll see your machine: + +![Add Devices screenshot](images/MDATP_5_allDevices.png) + +## Create System Configuration profiles + +1. In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**. +2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**. +3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above. +4. Select **OK**. + + ![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png) + +5. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. +6. Repeat these steps with the second profile. +7. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file. +8. Select **Manage > Assignments**. In the Include tab, select **Assign to All Users & All devices**. + +After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade: + +![System configuration profiles screenshot](images/MDATP_7_DeviceStatusBlade.png) + +## Publish application + +1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**. +2. Select **App type=Other/Line-of-business app**. +3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. +4. Select **Configure** and add the required information. +5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value. + + ![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png) + +6. Select **OK** and **Add**. + + ![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png) + +7. It will take a while to upload the package. After it's done, select the name and then go to **Assignments** and **Add group**. + + ![Client apps screenshot](images/MDATP_10_ClientApps.png) + +8. Change **Assignment type=Required**. +9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. + + ![Intune assignments info screenshot](images/MDATP_11_Assignments.png) + +10. After some time the application will be published to all enrolled machines. You'll see it on the **Monitor > Device** install status blade: + + ![Intune device status screenshot](images/MDATP_12_DeviceInstall.png) + +## Verify client machine state + +1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**. + + ![System Preferences screenshot](images/MDATP_13_SystemPreferences.png) + ![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png) + +2. Verify the three profiles listed there: + ![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png) + +3. The **Management Profile** should be the Intune system profile. +4. wdav-config and wdav-kext are system configuration profiles that we added in Intune. +5. You should also see the Microsoft Defender icon in the top-right corner: + + ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +## Logging installation issues + +See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. + +## Uninstallation + +See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md new file mode 100644 index 0000000000..27b3a8f924 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md @@ -0,0 +1,145 @@ +--- +title: Installing Microsoft Defender ATP for Mac with JAMF +description: Describes how to install Microsoft Defender ATP for Mac, using JAMF. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: #conceptual +--- + +# Manual deployment + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. + +## Prerequisites and system requirements + +Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. + +## Download installation and onboarding packages + +Download the installation and onboarding packages from Windows Defender Security Center: + +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. + + ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + +5. From a command prompt, verify that you have the two files. + Extract the contents of the .zip files: + + ```bash + mavel-macmini:Downloads test$ ls -l + total 721152 + -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + inflating: WindowsDefenderATPOnboarding.py + ``` + +## Application installation + +To complete this process, you must have admin privileges on the machine. + +1. Navigate to the downloaded wdav.pkg in Finder and open it. + + ![App install screenshot](images/MDATP_28_AppInstall.png) + +2. Select **Continue**, agree with the License terms, and enter the password when prompted. + + ![App install screenshot](images/MDATP_29_AppInstallLogin.png) + + > [!IMPORTANT] + > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. + + ![App install screenshot](images/MDATP_30_SystemExtension.png) + +3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: + + ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png) + +The installation will proceed. + +> [!NOTE] +> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time. + +## Client configuration + +1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. + + The client machine is not associated with orgId. Note that the orgid is blank. + + ```bash + mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : + ``` + +2. Install the configuration file on a client machine: + + ```bash + mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py + Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) + ``` + +3. Verify that the machine is now associated with orgId: + + ```bash + mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8 + ``` + +After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. + + ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +## Configuring from the command line + +Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line: + +|Group |Scenario |Command | +|-------------|-------------------------------------------|-----------------------------------------------------------------------| +|Configuration|Turn on/off real-time protection |`mdatp config --rtp [true/false]` | +|Configuration|Turn on/off cloud protection |`mdatp config --cloud [true/false]` | +|Configuration|Turn on/off product diagnostics |`mdatp config --diagnostic [true/false]` | +|Configuration|Turn on/off automatic sample submission |`mdatp config --sample-submission [true/false]` | +|Configuration|Turn on PUA protection |`mdatp threat --type-handling --potentially_unwanted_application block`| +|Configuration|Turn off PUA protection |`mdatp threat --type-handling --potentially_unwanted_application off` | +|Configuration|Turn on audit mode for PUA protection |`mdatp threat --type-handling --potentially_unwanted_application audit`| +|Diagnostics |Change the log level |`mdatp log-level --[error/warning/info/verbose]` | +|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic` | +|Health |Check the product's health |`mdatp --health` | +|Protection |Scan a path |`mdatp scan --path [path]` | +|Protection |Do a quick scan |`mdatp scan --quick` | +|Protection |Do a full scan |`mdatp scan --full` | +|Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` | +|Protection |Request a definition update |`mdatp --signature-update` | + +## Logging installation issues + +See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. + +## Uninstallation + +See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md new file mode 100644 index 0000000000..09a4dcceae --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -0,0 +1,136 @@ +--- +title: Microsoft Defender ATP for Mac Resources +description: Describes resources for Microsoft Defender ATP for Mac, including how to uninstall it, how to collect diagnostic logs, and known issues with the product. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: #conceptual +--- + +# Resources + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +This topic describes how to use, and details about, Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. + +## Collecting diagnostic information + +If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. + +1) Increase logging level: + +```bash + mavel-mojave:~ testuser$ mdatp log-level --verbose + Creating connection to daemon + Connection established + Operation succeeded +``` + +2) Reproduce the problem + +3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. + + ```bash + mavel-mojave:~ testuser$ mdatp --diagnostic + Creating connection to daemon + Connection established + "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" + ``` + +4) Restore logging level: + + ```bash + mavel-mojave:~ testuser$ mdatp log-level --info + Creating connection to daemon + Connection established + Operation succeeded + ``` + +## Logging installation issues + +If an error occurs during installation, the installer will only report a general failure. + +The detailed log will be saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. + +## Uninstalling + +There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune. + +### Within the GUI + +- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. + +### From the command line + +- ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` + +### With a script + +Create a script in **Settings > Computer Management > Scripts**. + +![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png) + +For example, this script removes Microsoft Defender ATP from the /Applications directory: + +```bash + echo "Is WDAV installed?" + ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + + echo "Uninstalling WDAV..." + rm -rf '/Applications/Microsoft Defender ATP.app' + + echo "Is WDAV still installed?" + ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + + echo "Done!" +``` + +### With a JAMF policy + +If you are running JAMF, your policy should contain a single script: + +![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) + +Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. + +## What to expect in the ATP portal + +- AV alerts: + - Severity + - Scan type + - Device information (hostname, machine identifier, tenant identifier, app version, and OS type) + - File information (name, path, size, and hash) + - Threat information (name, type, and state) +- Device information: + - Machine identifier + - Tenant identifier + - App version + - Hostname + - OS type + - OS version + - Computer model + - Processor architecture + - Whether the device is a virtual machine + +## Known issues + +- Not fully optimized for performance or disk space yet. +- Full Windows Defender ATP integration is not available yet. +- Mac devices that switch networks may appear multiple times in the APT portal. +- Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index cccde77573..af6205c2ca 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -22,15 +22,40 @@ ms.topic: conceptual >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This topic describes how to install and use Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. +This topic describes how to install and use Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. + +## What’s new in the public preview + +We've been working hard through the private preview period, and we've heard your concerns. We've reduced the delay for when new Mac devices appear in the ATP console after they've been deployed. We've improved threat handling, and enhanced the user experience. We've also made numerous bug fixes. Other updates to Microsoft Defender ATP for Mac include: + +- Full accessibility +- Improved performance +- Localization for 37 languages +- Improved anti-tampering protections +- Feedback and samples can now be submitted via the GUI. +- Product health can be queried with JAMF or the command line. +- Admins can set their cloud preference for any location, not just for those in the US. + +## Installing and configuring + +There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. +In general you'll need to take the following steps: + +- Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal +- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: + - [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune) + - [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf) + - [Manual deployment](microsoft-defender-atp-mac-install-manually) + +### Prerequisites -## Prerequisites You should have beginner-level experience in macOS and BASH scripting. You must have administrative privileges on the machine. You should also have access to Windows Defender Security Center. ### System Requirements + - macOS version: 10.14 (Mojave), 10.13 (High Sierra), 10.12 (Sierra) - Disk space during preview: 1GB @@ -49,462 +74,14 @@ The following table lists the services and their associated URLs that your netwo To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/api/report` and `https://wu-cdn.x.cp.wd.microsoft.com/` in a browser, or run the following command in Terminal: -``` +```bash mavel-mojave:~ testuser$ curl 'https://x.cp.wd.microsoft.com/api/report' OK ``` -We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. +We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS. -## Installation and configuration overview -There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. -In general you'll need to take the following steps: - - Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal - - Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: - * [Microsoft Intune based deployment](#microsoft-intune-based-deployment) - * [JAMF based deployment](#jamf-based-deployment) - * [Manual deployment](#manual-deployment) +## Resources -## Microsoft Intune based deployment - -### Download installation and onboarding packages -Download the installation and onboarding packages from Windows Defender Security Center: -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. -5. Download IntuneAppUtil from https://docs.microsoft.com/en-us/intune/lob-apps-macos. - - ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) - -6. From a command prompt, verify that you have the three files. - Extract the contents of the .zip files: - - ``` - mavel-macmini:Downloads test$ ls -l - total 721688 - -rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil - -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators - inflating: intune/kext.xml - inflating: intune/WindowsDefenderATPOnboarding.xml - inflating: jamf/WindowsDefenderATPOnboarding.plist - mavel-macmini:Downloads test$ - ``` -7. Make IntuneAppUtil an executable: - - ```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil``` - -8. Create the wdav.pkg.intunemac package from wdav.pkg: - - ``` - mavel-macmini:Downloads test$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0" - Microsoft Intune Application Utility for Mac OS X - Version: 1.0.0.0 - Copyright 2018 Microsoft Corporation - - Creating intunemac file for /Users/test/Downloads/wdav.pkg - Composing the intunemac file output - Output written to ./wdav.pkg.intunemac. - - IntuneAppUtil successfully processed "wdav.pkg", - to deploy refer to the product documentation. - ``` - -### Client Machine Setup -You need no special provisioning for a Mac machine beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp). - -1. You'll be asked to confirm device management. - -![Confirm device management screenshot](images/MDATP_3_ConfirmDeviceMgmt.png) - -Select Open System Preferences, locate Management Profile on the list and select the **Approve...** button. Your Management Profile would be displayed as **Verified**: - -![Management profile screenshot](images/MDATP_4_ManagementProfile.png) - -2. Select the **Continue** button and complete the enrollment. - -You can enroll additional machines. Optionally, you can do it later, after system configuration and application package are provisioned. - -3. In Intune, open the **Manage > Devices > All devices** blade. You'll see your machine: - -![Add Devices screenshot](images/MDATP_5_allDevices.png) - -### Create System Configuration profiles -1. In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**. -2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**. -3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above. -4. Select **OK**. - - ![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png) - -5. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. -7. Repeat these steps with the second profile. -8. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file. -9. Select **Manage > Assignments**. In the Include tab, select **Assign to All Users & All devices**. - -After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade: - -![System configuration profiles screenshot](images/MDATP_7_DeviceStatusBlade.png) - -### Publish application - -1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**. -2. Select **App type=Other/Line-of-business app**. -3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. -4. Select **Configure** and add the required information. -5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value. - - ![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png) - -6. Select **OK** and **Add**. - - ![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png) - -7. It will take a while to upload the package. After it's done, select the name and then go to **Assignments** and **Add group**. - - ![Client apps screenshot](images/MDATP_10_ClientApps.png) - -8. Change **Assignment type=Required**. -9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. - - ![Intune assignments info screenshot](images/MDATP_11_Assignments.png) - -10. After some time the application will be published to all enrolled machines. You'll see it on the **Monitor > Device** install status blade: - - ![Intune device status screenshot](images/MDATP_12_DeviceInstall.png) - -### Verify client machine state -1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**. - - ![System Preferences screenshot](images/MDATP_13_SystemPreferences.png) - ![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png) - -2. Verify the three profiles listed there: - ![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png) - -3. The **Management Profile** should be the Intune system profile. -4. wdav-config and wdav-kext are system configuration profiles that we added in Intune. -5. You should also see the Microsoft Defender icon in the top-right corner: - - ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) - -## JAMF based deployment -### Prerequsites -You need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes a properly configured distribution point. JAMF has many alternative ways to complete the same task. These instructions provide you an example for most common processes. Your organization might use a different workflow. - - -### Download installation and onboarding packages -Download the installation and onboarding packages from Windows Defender Security Center: -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. - - ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) - -5. From a command prompt, verify that you have the two files. - Extract the contents of the .zip files: - - ``` - mavel-macmini:Downloads test$ ls -l - total 721160 - -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators - inflating: intune/kext.xml - inflating: intune/WindowsDefenderATPOnboarding.xml - inflating: jamf/WindowsDefenderATPOnboarding.plist - mavel-macmini:Downloads test$ - ``` - -### Create JAMF Policies -You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client machines. - -#### Configuration Profile -The configuration profile contains one custom settings payload that includes: - -- Microsoft Defender ATP for Mac onboarding information -- Approved Kernel Extensions payload to enable the Microsoft kernel driver to run - - -1. Upload jamf/WindowsDefenderATPOnboarding.plist as the Property List File. - - >[!NOTE] - > You must use exactly "com.microsoft.wdav.atp" as the Preference Domain. - - ![Configuration profile screenshot](images/MDATP_16_PreferenceDomain.png) - -#### Approved Kernel Extension - -To approve the kernel extension: -1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. -2. Use **UBF8T346G9** for Team Id. - -![Approved kernel extensions screenshot](images/MDATP_17_approvedKernelExtensions.png) - -#### Configuration Profile's Scope -Configure the appropriate scope to specify the machines that will receive this configuration profile. - -Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers. - -![Configuration profile scope screenshot](images/MDATP_18_ConfigurationProfilesScope.png) - -Save the **Configuration Profile**. - -Use the **Logs** tab to monitor deployment status for each enrolled machine. - -#### Package -1. Create a package in **Settings > Computer Management > Packages**. - - ![Computer management packages screenshot](images/MDATP_19_MicrosoftDefenderWDAVPKG.png) - -2. Upload wdav.pkg to the Distribution Point. -3. In the **filename** field, enter the name of the package. For example, wdav.pkg. - -#### Policy -Your policy should contain a single package for Microsoft Defender. - -![Microsoft Defender packages screenshot](images/MDATP_20_MicrosoftDefenderPackages.png) - -Configure the appropriate scope to specify the computers that will receive this policy. - -After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled machine. - -### Client machine setup -You need no special provisioning for a macOS computer beyond the standard JAMF Enrollment. - -> [!NOTE] -> After a computer is enrolled, it will show up in the Computers inventory (All Computers). - -1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. - -![MDM approve button screenshot](images/MDATP_21_MDMProfile1.png) -![MDM screenshot](images/MDATP_22_MDMProfileApproved.png) - -After some time, the machine's User Approved MDM status will change to Yes. - -![MDM status screenshot](images/MDATP_23_MDMStatus.png) - -You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned. - -### Deployment -Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected. - -#### Status on server -You can monitor the deployment status in the Logs tab: - - **Pending** means that the deployment is scheduled but has not yet happened - - **Completed** means that the deployment succeeded and is no longer scheduled - -![Status on server screenshot](images/MDATP_24_StatusOnServer.png) - - -#### Status on client machine -After the Configuration Profile is deployed, you'll see the profile on the machine in the **System Preferences > Profiles >** Name of Configuration Profile. - -![Status on client screenshot](images/MDATP_25_StatusOnClient.png) - -After the policy is applied, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. - -![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) - -You can monitor policy installation on a machine by following the JAMF's log file: - -``` -mavel-mojave:~ testuser$ tail -f /var/log/jamf.log -Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. -Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... -Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV -Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender... -Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender. -Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches... -Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. -``` - -You can also check the onboarding status: -``` -mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py -uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 -orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 -orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 -orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 -``` - -- **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set. - -- **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed. - -### Uninstalling Microsoft Defender ATP for Mac -#### Uninstalling with a script - -Create a script in **Settings > Computer Management > Scripts**. - -![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png) - -For example, this script removes Microsoft Defender ATP from the /Applications directory: - -``` -echo "Is WDAV installed?" -ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - -echo "Uninstalling WDAV..." -rm -rf '/Applications/Microsoft Defender ATP.app' - -echo "Is WDAV still installed?" -ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - -echo "Done!" -``` - -#### Uninstalling with a policy -Your policy should contain a single script: - -![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) - -Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. - -### Check onboarding status - -You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: - -``` -sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' -``` - -This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. - -## Manual deployment - -### Download installation and onboarding packages -Download the installation and onboarding packages from Windows Defender Security Center: -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. - - ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) - -5. From a command prompt, verify that you have the two files. - Extract the contents of the .zip files: - - ``` - mavel-macmini:Downloads test$ ls -l - total 721152 - -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - inflating: WindowsDefenderATPOnboarding.py - ``` - -### Application installation -To complete this process, you must have admin privileges on the machine. - -1. Navigate to the downloaded wdav.pkg in Finder and open it. - - ![App install screenshot](images/MDATP_28_AppInstall.png) - -2. Select **Continue**, agree with the License terms, and enter the password when prompted. - - ![App install screenshot](images/MDATP_29_AppInstallLogin.png) - - > [!IMPORTANT] - > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. - - ![App install screenshot](images/MDATP_30_SystemExtension.png) - -3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: - - ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png) - - -The installation will proceed. - -> [!NOTE] -> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time. - -### Client configuration -1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. - - The client machine is not associated with orgId. Note that the orgid is blank. - - ``` - mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py - uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 - orgid : - ``` -2. Install the configuration file on a client machine: - - ``` - mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py - Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) - ``` - -3. Verify that the machine is now associated with orgId: - - ``` - mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py - uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 - orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8 - ``` -After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. - - ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) - -## Uninstallation -### Removing Microsoft Defender ATP from Mac devices -To remove Microsoft Defender ATP from your macOS devices: - -- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. - -Or, from a command line: - -- ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` - -## Known issues -- Microsoft Defender ATP is not yet optimized for performance or disk space. -- Centrally managed uninstall using Intune is still in development. To uninstall (as a workaround) a manual uninstall action has to be completed on each client device). -- Geo preference for telemetry traffic is not yet supported. Cloud traffic (definition updates) routed to US only. -- Full Windows Defender ATP integration is not yet available -- Not localized yet -- There might be accessibility issues - -## Collecting diagnostic information -If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. - -1) Increase logging level: -``` - mavel-mojave:~ testuser$ mdatp log-level --verbose - Creating connection to daemon - Connection established - Operation succeeded -``` - -2) Reproduce the problem - -3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. - - ``` - mavel-mojave:~ testuser$ mdatp --diagnostic - Creating connection to daemon - Connection established - "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" - ``` - -4) Restore logging level: -``` - mavel-mojave:~ testuser$ mdatp log-level --info - Creating connection to daemon - Connection established - Operation succeeded -``` - - -### Installation issues -If an error occurs during installation, the installer will only report a general failure. The detailed log is saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. +For further information on logging, uninstalling, the ATP portal, or known issues, see our [Resources](microsoft-defender-atp-mac-resources) page. \ No newline at end of file From a4025fa754257dd9793a122d3f19697b39a7ea35 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 7 May 2019 10:28:24 -0700 Subject: [PATCH 276/492] Update create-wip-policy-using-intune-azure.md --- .../create-wip-policy-using-intune-azure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 2a82682a3c..4932416954 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -39,7 +39,7 @@ You can create an app protection policy in Intune either with device enrollment ## Prerequisites -Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM. +Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery relies on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM. ## Configure the MDM or MAM provider From 2030a9ecb3b02798520ad9ab94dff4ee5f08527a Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 7 May 2019 10:35:07 -0700 Subject: [PATCH 277/492] check in preview content --- ...ows-defender-advanced-threat-protection.md | 33 +++++++++++-- .../whats-new-in-windows-defender-atp.md | 46 ++----------------- 2 files changed, 34 insertions(+), 45 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md index 934fbed168..c715722f19 100644 --- a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md @@ -23,7 +23,6 @@ ms.topic: conceptual - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - The Windows Defender ATP service is constantly being updated to include new feature enhancements and capabilities. >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-abovefoldlink) @@ -31,8 +30,9 @@ The Windows Defender ATP service is constantly being updated to include new feat Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience. -For more information on capabilities that are generally available or in preview, see [What's new in Windows Defender](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp). -) +For more information on capabilities that are generally available, see [What's new in Windows Defender](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp). + + ## Turn on preview features You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available. @@ -43,6 +43,33 @@ Turn on the preview experience setting to be among the first to try upcoming fea 2. Toggle the setting between **On** and **Off** and select **Save preferences**. +## Preview features +The following features are included in the preview release: + +- [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/next-gen-threat-and-vuln-mgt)
A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. + +- [Interoperability](https://docs.microsoft.com/windows/security/threat-protection/partner-applications)
Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform. + +- [Machine health and compliance report](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection) The machine health and compliance report provides high-level information about the devices in your organization. + +- [Information protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview)
+Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. +Windows Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. + + >[!NOTE] + >Partially available from Windows 10, version 1809. + +- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration)
Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. + + >[!NOTE] + >Available from Windows 10, version 1809 or later. + +- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019)
Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. + +- [Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
+Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal. + + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md b/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md index 8ce696c455..c5d340e5c1 100644 --- a/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md +++ b/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md @@ -21,10 +21,12 @@ ms.topic: conceptual **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Here are the new features in the latest release of Windows Defender ATP as well as security features in Windows 10 and Windows Server. +Here are the new features that are generally available (GA) in the latest release of Windows Defender ATP as well as security features in Windows 10 and Windows Server. + + +For more information preview features, see [Preview features](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection). ## May 2019 -The following capability is generally available (GA). - [Threat protection reports](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection)
The threat protection report provides high-level information about alerts generated in your organization. @@ -33,37 +35,19 @@ The following capability is generally available (GA). ## April 2019 -The following capability is generally available (GA). - - [Microsoft Threat Experts Targeted Attack Notification capability](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts#targeted-attack-notification)
Microsoft Threat Experts' Targeted Attack Notification alerts are tailored to organizations to provide as much information as can be quickly delivered thus bringing attention to critical threats in their network, including the timeline, scope of breach, and the methods of intrusion. - [Microsoft Defender ATP API](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/use-apis)
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. -### In preview -The following capabilities are included in the April 2019 preview release. - -- [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/next-gen-threat-and-vuln-mgt)
A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. - -- [Interoperability](https://docs.microsoft.com/windows/security/threat-protection/partner-applications)
Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform. - -## March 2019 -### In preview -The following capability are included in the March 2019 preview release. - -- [Machine health and compliance report](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection) The machine health and compliance report provides high-level information about the devices in your organization. - ## February 2019 -The following capabilities are generally available (GA). - [Incidents](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/incidents-queue)
Incident is a new entity in Windows Defender ATP that brings together all relevant alerts and related entities to narrate the broader attack story, giving analysts better perspective on the purview of complex threats. - [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)
Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor. ## October 2018 -The following capabilities are generally available (GA). - - [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
All Attack surface reduction rules are now supported on Windows Server 2019. - [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)
Controlled folder access is now supported on Windows Server 2019. @@ -91,28 +75,6 @@ Threat Analytics is a set of interactive reports published by the Windows Defend - [Configure CPU priority settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus) for Windows Defender Antivirus scans. -### In preview -The following capabilities are included in the October 2018 preview release. - -For more information on how to turn on preview features, see [Preview features](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection). - -- [Information protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview)
-Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. -Windows Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. - - >[!NOTE] - >Partially available from Windows 10, version 1809. - -- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration)
Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. - - >[!NOTE] - >Available from Windows 10, version 1809 or later. - -- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019)
Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. - -- [Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
-Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal. - ## March 2018 - [Advanced Hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)
From 6d03ea32eccd0c8b4de454637a0acbf7a121484f Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 7 May 2019 13:49:15 -0400 Subject: [PATCH 278/492] removed language codes from urls --- .../tpm/trusted-platform-module-overview.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index 263963d4db..2892caba58 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -88,11 +88,11 @@ Some things that you can check on the device are: - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) - [Details on the TPM standard](https://www.microsoft.com/en-us/research/project/the-trusted-platform-module-tpm/) (has links to features using TPM) -- [TPM Base Services Portal](https://docs.microsoft.com/en-us/windows/desktop/TBS/tpm-base-services-portal) -- [TPM Base Services API](https://docs.microsoft.com/en-us/windows/desktop/api/_tbs/) +- [TPM Base Services Portal](https://docs.microsoft.com/windows/desktop/TBS/tpm-base-services-portal) +- [TPM Base Services API](https://docs.microsoft.com/windows/desktop/api/_tbs/) - [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule) - [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations) -- [Azure device provisioning: Identity attestation with TPM](https://azure.microsoft.com/en-us/blog/device-provisioning-identity-attestation-with-tpm/) -- [Azure device provisioning: A manufacturing timeline for TPM devices](https://azure.microsoft.com/en-us/blog/device-provisioning-a-manufacturing-timeline-for-tpm-devices/) +- [Azure device provisioning: Identity attestation with TPM](https://azure.microsoft.com/blog/device-provisioning-identity-attestation-with-tpm/) +- [Azure device provisioning: A manufacturing timeline for TPM devices](https://azure.microsoft.com/blog/device-provisioning-a-manufacturing-timeline-for-tpm-devices/) - [Windows 10: Enabling vTPM (Virtual TPM)](https://social.technet.microsoft.com/wiki/contents/articles/34431.windows-10-enabling-vtpm-virtual-tpm.aspx) - [How to Multiboot with Bitlocker, TPM, and a Non-Windows OS](https://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx) \ No newline at end of file From 73d487b39303c6ead5a2e35423f581d895d543f4 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 7 May 2019 11:22:51 -0700 Subject: [PATCH 279/492] Update create-wip-policy-using-intune-azure.md --- .../create-wip-policy-using-intune-azure.md | 23 +++++-------------- 1 file changed, 6 insertions(+), 17 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 2a82682a3c..6bd2b66834 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -11,7 +11,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/29/2019 +ms.date: 05/07/2019 --- # Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune @@ -586,13 +586,13 @@ After you've decided where your protected apps can access enterprise data on you - **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but protected apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu. - - **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option. + - **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option. - - **Use Azure RMS for WIP.** Determines whether to use Azure Rights Management encryption with Windows Information Protection. + - **Use Azure RMS for WIP.** Determines whether WIP encrypts [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) Files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. You must already have Azure Rights Management set up. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. - - **On.** Starts using Azure Rights Management encryption with WIP. By turning this option on, you can also add a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. For more info about setting up Azure Rights management and using a template ID with WIP, see the [Choose to set up Azure Rights Management with WIP](#choose-to-set-up-azure-rights-management-with-wip) section of this topic. + - **On.** Starts protecting Azure Rights Management files that are copied to a removable drive. You can also add a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. Curly braces -- {} -- are required around the RMS Template ID. The EFS file uses the key from the RMS template’s license to protect the EFS file encryption key. Only users with access to that template will be able to read it off of the USB. If you don’t specify a template, it’s a regular EFS file using a default RMS template that everyone in the tenant will have access to. - - **Off, or not configured.** Stops using Azure Rights Management encryption with WIP. + - **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive. - **Allow Windows Search Indexer to search encrypted files.** Determines whether to allow the Windows Search Indexer to index items that are encrypted, such as WIP protected files. @@ -600,18 +600,7 @@ After you've decided where your protected apps can access enterprise data on you - **Off, or not configured.** Stops Windows Search Indexer from indexing encrypted files. -## Choose to set up Azure Rights Management with WIP -WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. - -To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. - -Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. This template will be applied to the protected data that is copied to a removable drive. - ->[!IMPORTANT] ->Curly braces -- {} -- are required around the RMS Template ID. - ->[!NOTE] ->For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates) topic. +For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates). WIP can also integrate with AZure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp). ## Related topics From b9be7905f38301508a50fd86b724ef14308ac73d Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 7 May 2019 12:02:56 -0700 Subject: [PATCH 280/492] --- .../create-wip-policy-using-intune-azure.md | 8 +++++++- .../images/wip-encrypted-file-extensions.png | Bin 0 -> 10846 bytes 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 windows/security/information-protection/windows-information-protection/images/wip-encrypted-file-extensions.png diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 6bd2b66834..9701e21082 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -403,7 +403,7 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor ![Add protected domains](images/add-protected-domains.png) ## Choose where apps can access enterprise data -After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. Every WIP policy should include policy that defines your enterprise network locations. +After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. Every WIP policy should include your enterprise network locations. There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). @@ -602,6 +602,12 @@ After you've decided where your protected apps can access enterprise data on you For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates). WIP can also integrate with AZure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp). +## Encrypted file extensions + +You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. When this policy is not specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted. + +![WIP encrypted file extensions](images/wip-encrypted-file-extensions.png) + ## Related topics - [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md) diff --git a/windows/security/information-protection/windows-information-protection/images/wip-encrypted-file-extensions.png b/windows/security/information-protection/windows-information-protection/images/wip-encrypted-file-extensions.png new file mode 100644 index 0000000000000000000000000000000000000000..1a0ec5397d87e4b1f8af36ddd7fa49b20a528a64 GIT binary patch literal 10846 zcmc(FXH*ky+iegLMZtm;saB9K0@4Wz2uO*P(3>JgLhn5w76hbs2t_)f2STrp6p@|~ zsubw~A+*o~XLz3Towd$;&iVDO_d7qh$;_IW`?|}u_rCT_@Jmf)S{fD_5C}x8s-mb3 z0#RNEfhcZVJa=}6uD=TSN8zHa{0vmm$3_4S&cmK+JOzQuBQ77mq5_UDIjR`CfIv4~ z&;BT;-g0_^Ks?*3icfVt&DJJOW7zS2#LY%?c|lj7brY8;8~xtP5>41ip6LSKPF3V+ zxkz}-42>YK0x}@XHX3Us?^^{+O0iPKEyDWRkJH zN?J98X?PGDcYB5rEPh}y46GP`iWr@=DLx@mhe;&}nyvtWWq_B|z0ZR{@_f!*AW(qJ z|D$afTvSg@5V{E#Py1s=PV44%_4h>cpDs+K9*u--DcDR3HB5R5pPzO`ABEksY7tYe zSL6PGaHPA3;@vloaBtS9I_;HC^-BW+`+lO=PmUG_X`UcOTtQHeM@o9?THPd9~H2 z-?iDf=F0x==6dy%Q1|JE{n9Q@=^*K9$c(bTaV$}Cg6z!T`+ajA1Kj{OP1K5=Fa0>9 z{A{BUR_}kLd23^mUdqSnAU(p>UJe?Yep+@Bu`jOVHC?;TR5(LSA8_O8uG6l6wsHB6 zr~k#KQPmAYq?=4bhSmdC zk9J}l#rDz!c9#Q)MMUmupoc#er7r~7@|9J(w`l~Korfw6lrCYP(k;YSk zrhGC98N#h!Y=vAMgbXdQmx)Y3`WRqc6w}7j5ceQ8e~U7Nv(80?lOK5S%1i(!-7v(A zmql!1XPx^umUvZv`%@KSi@buhnd;t+A?mfV@K}QlFD0A|w;pzh+}YnHk>@9%W$WjB zzTaLv~|9dV;% zF%+1&pJYzhq_D9D-LPziUy^%CMZDbVae}_$nJKVe%ey~i&e-Y! zZG}`*fsLuA=>v%+f$7$lhZ#+#SOfh{s7f2gZXCa1Xy877I!}5m-``GQy)g&fU=IqJ zIYP}ajR(5PnKlWW2fw6h9%3xwTi6n~v;U2EA3P1egs9;q(zSLw#8U7Uwp+DJNSF%m z#sodVLR{x*rcBOugFMTx!t`Y$iQBZ{WW^D!)+B_sX@(J4tDX`&V@6i=ag}FbI|>fh zYqeZHTXK~TtK{suoe!j#%p&Euqdj`N-UW>vdfCg=J49|NZkpi(C;3xEW<~J~Es5S# z=j`mt9U47{zt1-1%?y(0!`P{p`6d7E@19mG%MoB$WwAcKY(ktaD>}b zuA8VU@`ARqu5j0NOIrZ99=B2yliL>hn;-K@;=;JyYODb4v}lM8ddSMd_x+Y#-w+x5 z$|@thad$b&<+Smr<)Dy5qVT!?9{JCA4P9{cwn5e5d|`7aeq`#XMh|LKSBv^tet2NY zZCq&Hu1abE;Kiu)ol=wysT8q@y2o0KI(<{fYg_4kGRuuw zaf>L&LJ?}IQqK*aTRd*VyKaup=+?ti zT0$+0_3#_NOrQ$}c$qOH{3BaE(lY$C%RTY`(yv(IPled9d?(MW-Xtj@^HI{c5_=^V z6O{C8M1GA4?=zNBt$?6;!tOU(uXsej(O zW_8cXN&@KocTS zN5Us^^aGuz`-k-a^81laT&x;<8&9kECu+>en@Q-j<%)O1BrkX&?BvLwy!d(>zVpo*+D|C*Wj0rczH_JBh0}Z~ z<2~Me*_9S2#>(Q}k$!2(EEpB*7-x+ow$r0<9XKaxZ1fjBK}Z$>N=R^y=r{Ax_4F(jrhW$xTJR<#uwP!PxtR4ujR0z|9>U6C}aylmG-B@iMFZK%q1cer!%?lRm~_Q|dJ z0x#*4!RJ_++<06z=WoJ6)!Uq6VYw%qsB^B7@LR{h5@^zWzNxT7t)~LTokh?g=KgPO zkJj4N{NCR;RZ1v@Y|)xn_n9Bhcj^0!OHae<7MHhJ+s$*ADkL+WS1U};`-!_IK?u%LbQt+}lS`5U~w z#ww4l4(8)l3}lG{SPnEf;`YcWXQZ5Vf9U37nFOH+)^-w;uoiZP)NGas&E2Hd5FHd zxQRNn7`iBbOk4~hikRwLS^6Dz55~&}x`FUf*qby6_foA>ah2A^SL1<+rwQG&9$Yhr zGWbgG70c@RCEy!nOxxj`vy7amy>+w;*Yu1M71Yn7X}X@jG2E^tk83KSo6vzn>qlJr z$N~+6jUKku6oJ@{eGe(+u9r@DM?+s4&AFG3%Dk2Ryr2~DBr#V{uoE?cMYyfazG^!M zN=ZU?rT3bWS`4RP=d|m}bE@TG%yrcDsCo;N`xw?YrAj<71`H=AZ;xmM{p1PK5-^L! z<+u9`t$~}C=4I<_g^S!H|A~aqge|KC;MWFBppTLhu9NqMqjCuoeK`RHgZhiS02 z)LpWr>mwtSf*Z6_)ZW}%_PWFH!dqy zxWSdtG5u64JaZz=-`8UYW-Qq0lNaB?`X*h8$D!Hl$kn&OKMy)-A4gI7mO*$5xpBZM z z_Q*}MQJB`xJ>9iuuXtDKijT_284BDn68y!7pVtIdJBgC`+1@>8I}=rfG2I1WGt(69 z00gj;wn>@XC$+b7Jy2gb9h9c`$6?cZ;}}5i*Nf_^ z4^EP?z1nMiBCgV|&^=pj`c1?bOzTCcujO#WdQ%gLR~wp;0%ec3Z-H;x)!(`%=Fs2N zYLhn=h$1kRkgGxvzec@nGbd@ch8lztF!oo}x-LGsw@8YZ-Q&pqC_YXHQV=++&P5)X6pI=MY-y2W}*ni883A;_wS7RaBeSM07xmZ zcW4@Ri2Y6JfS3o1W>j`1;bL{k!%X<6s7{OYfu0K#9_4-y?m7Pwe$`p@~CG(rMU*$P{Y(pxN>`NoEA^qqt5CeVQDNOL6pAS<6V;UW3Tp&i^1!=T zRG|iM7P8c`7Q^Lgzd~t$%Rw1Tpk6LeyE4qmEz5smh%qT#x$?CRmBo^aIvHz5g^w6P zIUS+0URhAmff1Cl%pa;?tpE*MHTrv?Vss8|lDKZBli9edZZ(HvfIuK;FPwT8@)P~% zGQB5ygMJ1mj|ZBU1akT|UTnh9ASwm++r_)L$bgjQ-7h!Coadu-^D@8Kw4Gqp5@Xle z4{hB$L0@btq(RgP?2qy8r(N^)U^rGcE~}c^n!0v8$LqP!8*jm$((UtX17apbxnsf> zc>!!jHSLstv8j{>@lC*B3AZruY=aWIp=Q@wr!6>rBajmnc)DF2KND2AwSKMP`1!32 zw2_J4*AF-bOR(3wdt^oBk~4{!%1OQa^&c?_GyYplDpSD@Ro&jh$%<=$TJ<5(uMGmi z@(;I^5tTzp`rpcP9S?CmVUN53s7{+a3sYt4E5ncwGzWBj8d52i02CwK?2mvdpu$n! z20W*J-Y%hqrd&|6Ovev)&A-Hmw{MSS(lfs4ucm1@4 z_5~A{%6ivK{!@~4>QNuV!ouw7n`O3#nonVS1?y1gMl;76qLk(&#Y1ZE^H~k*!g+JS zSkvv4F!|VGlf2$HXLXY%VNRTdVq71M6MgtOF|a>+f~gKoHW-ZYPA(v$Z1Jd^iq zWA2V8F=<_&E`efNuH+t1w^Y>xglPdL_b`x?Y^T+$;l8%7SaYIcN7fzGZZoB-9bg8U%l=G=@!6)A>%R!mO2 zqF~@LCPDJ|)uZ6F1j;S)ysJ|Oo1>jE*vqvHffhdxmQy^djY^0><(o6@Q#G1J*;LV# z{)UN~6t-)Sg=cnZiz+Sv2htmBw^~Weu z*11=#JwDFliBCZgMkIQY7xkYa5>T#>kYZfc$co$B>(_iOzWlxWz-&e74Z5Q6D#GMh zyqqO(ZNLWzH-Z?^E;s#SVJ+Ye6f5k+IOw<5UH(I>zrE=wW_;A;hR+!xKUm|2e4MF2 z1dISeI-UM@xg&vSHVru`uG=x^%t+_gYpt8eCC{IJR6C6U3TMY#i4>Z(hA>tyd{1H(|4#ZZcI~K*#4Us0iCvj=xP|{o1b; zG|$YrCN^R+x0_spQ!##LpY3joA*0&4Wn>#fx$GRO_9fwYyd!FJ)0qux{ zM~#*YKY5u^xlSo1OxVfs95Zt1>5{sA@bhGm9Lgt+5#BFD3t5Ox)+Y1D4&Ij|_IwzS zv=Y@Dv9o?TM{b%k%&Ov6jda>;B^}6n9C2RV)|N6=Mv@^1iiYN;wNF*k9kySl6n-3i zOo8z{o;A(u)SJldSND!LVRR5FSxv3u-@MYflxVM58EOV$i-~S>3~>$aO6uSarNoU4$u0*yvm|44E*Cf%L>40Rm)U>ZRej;$}PzD=m3`%=B; z+MMP%G^<3&EgE^+0d1pZtah;98G0j}o*$Q$2#F<;l36QjJizhAPhA+G?cANd7ua~< zsu8`A=BlwBz$BUcl;F+4(8jvA9nwGeDw^X;E{&v)@P%Uu9;dR}jLz}%^Vf3JanNqi62Hv=Kdse zq_7I4#qaQYML}|NmO9mNw1<+11+{}AV!~EGl0p!YV^d>NqdUtKi{Ikna}0`;YhMRk z9#0m}?_{RW`Oe&O8!j2sJbcY17lXkJ_~TG@LJv&764 z=cXRCz0{wOqn02?-ocHS`#FInU~*`St<770_38of`a36U>PexaOO5~Ez>$>1;$ z6KIJYqiu_I zZ!}Z80)xYSj?d!H`a~B*kHxNj;rb|${z!FDhulpHR-sO5)5;!XrZ#3%=_Ry;{z?ot zknKo($i4=8(rb-d&`8Xdw2+<0n?2Y4U@Eg~Q}{)%pqDp1I4Nixhmw%zizg}C>0noH z+hCzRN2H-QP9bXDQQ>8~ndR{co*$z6qp$Y+Y_`@z-CEwrL`}_$JpRu{HPDbKLh#QI$CphaKt76S$&(tiwh!)Q@U40215bmU9wBbq| zcrOQ6P{l&lWS2#erpw>~8Rxk~w>XN67PyeE{}mz=6JXe$&-RG!oB=A;0EwCL*9A9v~H!ItLO4vHb^aDlv!0Gion%b1@1q2`hYG7_T>rA{`+K82w=;)mZaLX+1(Wm@gJv*slczkw=hP%&a>v;1~&-HE8 zD0Z-H{2cEP_2TTVxp3drYPSq)=a-fh?4T#8#23fiBq!e8$trUgc$4+YY{3BWPB7Qg z-e?-fukm$K=44CpI0m9eF+8~fWxQiBOn>t7Hlkyxe-W8~Ns``i%&V*o(r*mD7Qva| zlW{=rWlbmQ|0GX2!bC2G^3j!EZk+@X)otk+Va^-e&}52KhJ!gt=p2*GWTqk3{AOHD z-A|*~K9v2Sr6FYBMcyuNRFU)vml$Fv3d0I7dtyx~^EWMmKaA)+WqZNl$`TB}{;7ba zGu8dq!a|1j1IQO|T}i+9%cX*J9m@py&%mY>x?}u2~nN%v+X)*`qP< z7oFMSIDQaDsUOM8?7Gzpt-fa!i|_WHNsz~MYz`o}<3%Xs!}5NZC57QK(B~{J^I)Sg zim0t{hmx(^^2JUvA&rL#tDr|u=ha){tc8!GZUbg%z|%7;$Y@?2lzS1-@dZl%23(#2 zAMl2~B|FZm%kg=NNF(q9{=W_Q&LDLvE?R`4Kc?YYq8NZrLq8^){Co_l1G;!bf;X4w z0Z_zg>g(%wALgj}?EWdx2)D7ZfhVP;@U1EgxMvrE60e_4gL0DUS8%$4fx&=gLPEmX z#mS7JS*qc0tgMvq?d|PoxsT)V6g}sGSMRv2p8Fl?kcY-t%{a;0mFigaifq<6fdW)d z7ygxJw-r^(*W0jjk7R$Uzdk-tTyv@3kB{a^h>!oZ?2&epfWj6X9C%@VgtJS(hChI7 zIo2J1QwU;fu$y?Y1e>)0;nXShL_S<7;z;2f+e@Mr)nB$s1n=#&jL2j-BVi^FC@IS% z+Z*P9gpA>q^UvubgwrGwhB)FAk|Mk52JYr4^7+& zU7*<)o2a3DczZkG1{Z`UnYuyuAbuRGm$k(mhhZ;{Mugn}UC8Tt^IB3zD#1ErNbNbp zPX2QZe*|Qz!pv8P7qHB8%#?J8b(hheuSxOkg`tI@T)ji>7szLluoduCPr1#nQQBpC zgU2%(Vw4~Y`D6vIc##7?=f;Oa$IMHQA4u`qxNl!s){jiPg}*V(SMZ?eP`x`7ZS?cS zfGx$NPjE}a*J`I;EtWF5Iy|M!_b4n}LcH1liV5>dnV7`t+pEJr z_a`0CVu0n-!<7Hoi~sdlrEk82rCBC43It4$%o$>hJ=+hZO#Tro8K?2vMGE3i*o)EC zu$1xX06DZ-ZBqO4;lVYbBDugY;>~!h^E;|Tj{|>Z)t}1DbY+jgTxP3F4s7XKa;@o- z-t^5wX79fR&pO;wJ$@ElBTQb;YZH=vrs*CD~IaBP;4|9C%_)z>?Fo2^QFt6NrQP>T; zf!1U*uk=facZ8wXM|-xBe?R6YBEnE~15;uy*N#syrhN23v{Fn4C;qZ6toP_B`vQ7b zx(j&;_)0`YIS|betI@?-&uFFA+p+m@cg4Jf5(N611b)8cclPB-(!cK({QpmPy}l$m z4w?KVOl76+FhvhP?HgJc?FyO>WGUW-EEwJMPVjhk|IG9Ta+O~H4e!aqp#;Mbouo!( zU7e9&J=>3@009L`!|zGROD*Ra3`6~E_t!m2LK`X zOpGqc2VVk@qG|sOnsFYuFJdYgd=RFQlxAe^<;_M-26 z4;$_1@Nc5~)wNHbsN&+D6rhwNoFY5~LRvQ$=s_lo$p&0Vk(^%~=J((~b>`A!eSYOL zVn)m)q&h^3-g!gu+gv~xE=EDk*^)8NJaKa)oO8%B%T79sjZ$$5nw4V4dGLw|AkuVR z=?dm!*@GRpYL!ZPOv5VU@9CI@A}=K>_5K#(AoL|2$5%WQb`Cv=iyJ2y_&8C4zVj`z zpE~;?L;UteOPf1yV~_<&ATKU_s1}u?k!h&zJ5#C_Q5!mcRTnNpQ&Up|1IN!d&0ieI z@?s)ID40LJe!caN#+*RNZmRYK4J}`t95P6uA%|2PoWuZ^h~&BLt0jxHtIAV}@hUju z(|f%%XDTE?38{6tqnHYlr?kiLMbp2TBO#I(rh2MyRIitj|^&wI!6IFH$t7 zVm6f$MP=S19PShJ~@~a;fSOvWu z3(qLp5%atcy5ayZOSUWQM#>dB(#wg3m>oQ(tmy)O1$uB5~D&l|P75DvSsZzThsONT=d4zYE zE5k8Mmw=#6q78?Esi|Gq`G6=a5=c}W5QVP>PhZgSgFIQE-Ta~ht-^;LL~yXqLrgu5 zMXt5PQCzfjwoL;c6ubIR04wuS@SWnh78PI+CCCDajL-Y)Q6F%OcK{f=LAzwcH7`76 z>re%1S-y#j1n>sYi?l`{%yi!HHs#Eh3J0@H-sLU)guFD$B8s$0ifrx}`rod`Agu+D z3GWl{=NykAImqo?fU2#!PrD>azXfy26kflTVFH-J77e0H>iT{2Z9lfNfZ+=A^XL1y zxj_rC$HxsnySuwXHa%L}C1c`wdAOl}D?hA#u#s604+W^Xu*6F~?#X z1{(J!&sjVd_#_@}V>uS)^dn_jyg)2GXjl6889AB!4spHzaP{d}<%wDk;%d&Y1V_6W zx!VmOCE@KQrG|dM%YL*Cyu$>6w*H+K5TK^OGZHJ$zAJm@lB*9S9#?UX+GmmRvoI`d r0DuR9e%$*%+N0C6${ggq;(EflePYHe+VkBXI0mUIX)2aHvk3ejDV@d2 literal 0 HcmV?d00001 From 9aad02aa689ca7a518a1177ab0132412abb4bebb Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 7 May 2019 12:06:43 -0700 Subject: [PATCH 281/492] edits --- .../create-wip-policy-using-intune-azure.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 9701e21082..dfb3d3f4cf 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -590,7 +590,7 @@ After you've decided where your protected apps can access enterprise data on you - **Use Azure RMS for WIP.** Determines whether WIP encrypts [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) Files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. You must already have Azure Rights Management set up. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. - - **On.** Starts protecting Azure Rights Management files that are copied to a removable drive. You can also add a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. Curly braces -- {} -- are required around the RMS Template ID. The EFS file uses the key from the RMS template’s license to protect the EFS file encryption key. Only users with access to that template will be able to read it off of the USB. If you don’t specify a template, it’s a regular EFS file using a default RMS template that everyone in the tenant will have access to. + - **On.** Starts protecting Azure Rights Management files that are copied to a removable drive. You can also add a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. Curly braces -- {} -- are required around the RMS Template ID. The EFS file uses the key from the RMS template’s license to protect the EFS file encryption key. Only users with permission to that template will be able to read it from the USB. If you don’t specify a template, it’s a regular EFS file using a default RMS template that everyone in the tenant will have access to. - **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive. @@ -600,7 +600,7 @@ After you've decided where your protected apps can access enterprise data on you - **Off, or not configured.** Stops Windows Search Indexer from indexing encrypted files. -For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates). WIP can also integrate with AZure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp). +For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates). WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp). ## Encrypted file extensions From e75744fbb5ad7dc5f756a80d590931e9aa86e06f Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 7 May 2019 12:45:06 -0700 Subject: [PATCH 282/492] edits --- .../create-wip-policy-using-intune-azure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index dfb3d3f4cf..0e53bed956 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -604,7 +604,7 @@ For more info about setting up and using a custom template, see [Configuring cus ## Encrypted file extensions -You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. When this policy is not specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted. +You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. If this settings is configured, only files with the extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied. ![WIP encrypted file extensions](images/wip-encrypted-file-extensions.png) From 1cbc48ce3444e7ed38e926108e20f3e8c81a602c Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 7 May 2019 14:06:31 -0700 Subject: [PATCH 283/492] Update increase-scheduling-priority.md --- .../security-policy-settings/increase-scheduling-priority.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md index 565e032adb..95a0914890 100644 --- a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md +++ b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md @@ -38,7 +38,7 @@ Constant: SeIncreaseBasePriorityPrivilege ### Best practices -- Retain the default value and allow Administrators, and Window Manager/Window Manager Group, as the only accounts responsible for controlling process scheduling priorities. +- Retain the default value as the only accounts responsible for controlling process scheduling priorities. ### Location From 64b22e58edf0dcbf33f1f178e42c21bb9d7f0497 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 7 May 2019 15:33:04 -0700 Subject: [PATCH 284/492] Added 19H1 policies --- .../policy-configuration-service-provider.md | 15 ++ .../mdm/policy-csp-windowslogon.md | 255 +++++++++++++++++- 2 files changed, 264 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index a27926a537..70e8359000 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -3678,12 +3678,21 @@ The following diagram shows the Policy configuration service provider in tree fo ### WindowsLogon policies
+
+ WindowsLogon/AllowAutomaticRestartSignOn +
+
+ WindowsLogon/ConfigAutomaticRestartSignOn +
WindowsLogon/DisableLockScreenAppNotifications
WindowsLogon/DontDisplayNetworkSelectionUI
+
+ WindowsLogon/EnableFirstLogonAnimation +
WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers
@@ -4116,8 +4125,11 @@ The following diagram shows the Policy configuration service provider in tree fo - [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization) - [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore) - [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork) +- [WindowsLogon/AllowAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon) +- [WindowsLogon/ConfigAutomaticRestartSignOn](./ - [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications) - [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui) +- [WindowsLogon/EnableFirstLogonAnimation](./policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation) - [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers) - [WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart](./policy-csp-windowslogon.md#windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart) - [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging) @@ -4975,8 +4987,11 @@ The following diagram shows the Policy configuration service provider in tree fo - [WindowsDefenderSecurityCenter/URL](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-url) - [WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace) - [WindowsInkWorkspace/AllowWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowwindowsinkworkspace) +- [WindowsLogon/AllowAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon) +- [WindowsLogon/ConfigAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon) - [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications) - [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui) +- [WindowsLogon/EnableFirstLogonAnimation](./policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation) - [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers) - [WindowsLogon/HideFastUserSwitching](./policy-csp-windowslogon.md#windowslogon-hidefastuserswitching) - [WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart](./policy-csp-windowslogon.md#windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart) diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index e75a0cf6de..4b9da72e50 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -6,12 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/12/2018 +ms.date: 05/07/2019 --- # Policy CSP - WindowsLogon - +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
@@ -19,12 +20,21 @@ ms.date: 07/12/2018 ## WindowsLogon policies
+
+ WindowsLogon/AllowAutomaticRestartSignOn +
+
+ WindowsLogon/ConfigAutomaticRestartSignOn +
WindowsLogon/DisableLockScreenAppNotifications
WindowsLogon/DontDisplayNetworkSelectionUI
+
+ WindowsLogon/EnableFirstLogonAnimation +
WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers
@@ -36,6 +46,159 @@ ms.date: 07/12/2018
+
+ + +**WindowsLogon/AllowAutomaticRestartSignOn** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark6check mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting controls whether a device automatically signs in and locks the last interactive user after the system restarts or after a shutdown and cold boot. + +This occurs only if the last interactive user did not sign out before the restart or shutdown.​ + +If the device is joined to Active Directory or Azure Active Directory, this policy applies only to Windows Update restarts. Otherwise, this policy applies to both Windows Update restarts and user-initiated restarts and shutdowns.​ + +If you do not configure this policy setting, it is enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots.​ + +After enabling this policy, you can configure its settings through the [ConfigAutomaticRestartSignOn](#windowslogon-configautomaticrestartsignon) policy, which configures the mode of automatically signing in and locking the last interactive user after a restart or cold boot​. + +If you disable this policy setting, the device does not configure automatic sign in. The user’s lock screen apps are not restarted after the system restarts. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Sign-in and lock last interactive user automatically after a restart* +- GP name: *AutomaticRestartSignOn* +- GP path: *Windows Components/Windows Logon Options* +- GP ADMX file name: *WinLogon.admx* + + + + + + + + + + + + + +
+ + +**WindowsLogon/ConfigAutomaticRestartSignOn** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark6check mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting controls the configuration under which an automatic restart, sign on, and lock occurs after a restart or cold boot. If you chose “Disabled” in the [AllowAutomaticRestartSignOn](#windowslogon-allowautomaticrestartsignon) policy, then automatic sign on does not occur and this policy need not be configured. + +If you enable this policy setting, you can choose one of the following two options: + +- "Enabled if BitLocker is on and not suspended": Specifies that automatic sign on and lock occurs only if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device’s hard drive at this time if BitLocker is not on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components. +BitLocker is suspended during updates if: + - The device does not have TPM 2.0 and PCR7 + - The device does not use a TPM-only protector +- "Always Enabled": Specifies that automatic sign on happens even if BitLocker is off or suspended during reboot or shutdown. When BitLocker is not enabled, personal data is accessible on the hard drive. Automatic restart and sign on should only be run under this condition if you are confident that the configured device is in a secure physical location. + +If you disable or do not configure this setting, automatic sign on defaults to the “Enabled if BitLocker is on and not suspended” behavior. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot* +- GP name: *ConfigAutomaticRestartSignOn* +- GP path: *Windows Components/Windows Logon Options* +- GP ADMX file name: *WinLogon.admx* + + + + + + + + + + + +
@@ -188,6 +351,84 @@ ADMX Info:
+ +**WindowsLogon/EnableFirstLogonAnimation** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users are offered the opt-in prompt for services during their first sign-in. + +If you enable this policy setting, Microsoft account users see the opt-in prompt for services, and users with other accounts see the sign-in animation. + +If you disable this policy setting, users do not see the animation and Microsoft account users do not see the opt-in prompt for services. + +If you do not configure this policy setting, the user who completes the initial Windows setup see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting is not configured, users new to this computer do not see the animation. + +> [!NOTE] +> The first sign-in animation is not displayed on Server, so this policy has no effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Show first sign-in animation* +- GP name: *EnableFirstLogonAnimation* +- GP path: *System/Logon* +- GP ADMX file name: *Logon.admx* + + + +Supported values: +- false - disabled +- true - enabled + + + + + + + + + +
+ **WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers** @@ -374,14 +615,16 @@ ADMX Info: + + +
-Footnote: +Footnotes: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. - - - +- 5 - Added in Windows 10, version 1809. +- 6 - Added in Windows 10, version 1903. \ No newline at end of file From a4e67880ba9196aae3599b061c0988d4ba972c71 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 7 May 2019 15:49:05 -0700 Subject: [PATCH 285/492] Removed extra space --- windows/client-management/mdm/policy-csp-windowslogon.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 4b9da72e50..885ae70ec7 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -34,7 +34,7 @@ ms.date: 05/07/2019
WindowsLogon/EnableFirstLogonAnimation -
+
WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers
From 7ec392d52df5200ca97d355d52f559a40c06cc94 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 7 May 2019 16:03:33 -0700 Subject: [PATCH 286/492] fixed link --- .../create-wip-policy-using-sccm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md index 6edf443eb3..84ebcf1861 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md @@ -480,7 +480,7 @@ After you've decided where your protected apps can access enterprise data on you - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. - - **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Choose to set up Azure Rights Management with WIP](create-wip-policy-using-intune-azure.md#choose-to-set-up-azure-rights-management-with-wip). To confirm what templates your tenant has, run [Get-AadrmTemplate](https://docs.microsoft.com/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](https://docs.microsoft.com/azure/information-protection/administer-powershell). + - **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Create a WIP policy using Intune](create-wip-policy-using-intune-azure.md). To confirm what templates your tenant has, run [Get-AadrmTemplate](https://docs.microsoft.com/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](https://docs.microsoft.com/azure/information-protection/administer-powershell). If you don’t specify a template, WIP uses a key from a default RMS template that everyone in the tenant will have access to. 2. After you pick all of the settings you want to include, click **Summary**. From ed83d70393fdc9d3e570091713b9114eddcaf58b Mon Sep 17 00:00:00 2001 From: Max Velitchko Date: Tue, 7 May 2019 17:47:12 -0700 Subject: [PATCH 287/492] Fix mdatp parameters --- ...osoft-defender-atp-mac-install-manually.md | 34 +++++------------- ...ft-defender-atp-mac-install-with-intune.md | 12 +++++++ ...soft-defender-atp-mac-install-with-jamf.md | 12 +++++++ .../microsoft-defender-atp-mac-resources.md | 35 ++++++++++++++----- 4 files changed, 58 insertions(+), 35 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md index 27b3a8f924..82e53c1ff4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -114,32 +114,14 @@ After installation, you'll see the Microsoft Defender icon in the macOS status b ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) -## Configuring from the command line +## Test alert -Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line: +Run in Terminal the following command. It will download [a harmless file](https://en.wikipedia.org/wiki/EICAR_test_file) which will trigger a test detection. + + ```bash + curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt + ``` -|Group |Scenario |Command | -|-------------|-------------------------------------------|-----------------------------------------------------------------------| -|Configuration|Turn on/off real-time protection |`mdatp config --rtp [true/false]` | -|Configuration|Turn on/off cloud protection |`mdatp config --cloud [true/false]` | -|Configuration|Turn on/off product diagnostics |`mdatp config --diagnostic [true/false]` | -|Configuration|Turn on/off automatic sample submission |`mdatp config --sample-submission [true/false]` | -|Configuration|Turn on PUA protection |`mdatp threat --type-handling --potentially_unwanted_application block`| -|Configuration|Turn off PUA protection |`mdatp threat --type-handling --potentially_unwanted_application off` | -|Configuration|Turn on audit mode for PUA protection |`mdatp threat --type-handling --potentially_unwanted_application audit`| -|Diagnostics |Change the log level |`mdatp log-level --[error/warning/info/verbose]` | -|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic` | -|Health |Check the product's health |`mdatp --health` | -|Protection |Scan a path |`mdatp scan --path [path]` | -|Protection |Do a quick scan |`mdatp scan --quick` | -|Protection |Do a full scan |`mdatp scan --full` | -|Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` | -|Protection |Request a definition update |`mdatp --signature-update` | +You will get a "Threats found" notification, you can inspect threat's details in the Protection history. -## Logging installation issues - -See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. - -## Uninstallation - -See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file +Soon after that you'll get an alert in the ATP Portal. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md index 8af90fded1..6cfc85694d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md @@ -164,6 +164,18 @@ After Intune changes are propagated to the enrolled machines, you'll see it on t ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) +## Test alert + +Run in Terminal the following command. It will download [a harmless file](https://en.wikipedia.org/wiki/EICAR_test_file) which will trigger a test detection. + + ```bash + curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt + ``` + +You will get a "Threats found" notification, you can inspect threat's details in the Protection history. + +Soon after that you'll get an alert in the ATP Portal. + ## Logging installation issues See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md index 8837b3bcc5..b2df2ab85f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md @@ -199,6 +199,18 @@ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. +## Test alert + +Run in Terminal the following command. It will download [a harmless file](https://en.wikipedia.org/wiki/EICAR_test_file) which will trigger a test detection. + + ```bash + curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt + ``` + +You will get a "Threats found" notification, you can inspect threat's details in the Protection history. + +Soon after that you'll get an alert in the ATP Portal. + ## Logging installation issues See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index 09a4dcceae..03532ddfb4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -36,9 +36,7 @@ If you can reproduce a problem, please increase the logging level, run the syste 1) Increase logging level: ```bash - mavel-mojave:~ testuser$ mdatp log-level --verbose - Creating connection to daemon - Connection established + mavel-mojave:~ testuser$ mdatp --log-level verbose Operation succeeded ``` @@ -47,21 +45,40 @@ If you can reproduce a problem, please increase the logging level, run the syste 3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. ```bash - mavel-mojave:~ testuser$ mdatp --diagnostic - Creating connection to daemon - Connection established + mavel-mojave:~ testuser$ mdatp --diagnostic --create "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" ``` 4) Restore logging level: ```bash - mavel-mojave:~ testuser$ mdatp log-level --info - Creating connection to daemon - Connection established + mavel-mojave:~ testuser$ mdatp --log-level info Operation succeeded ``` +## Managing from the command line + +Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line: + +|Group |Scenario |Command | +|-------------|-------------------------------------------|-----------------------------------------------------------------------| +|Configuration|Turn on/off real-time protection |`mdatp --config rtp [true/false]` | +|Configuration|Turn on/off cloud protection |`mdatp --config cloud [true/false]` | +|Configuration|Turn on/off product diagnostics |`mdatp --config diagnostic [true/false]` | +|Configuration|Turn on/off automatic sample submission |`mdatp --config sample-submission [true/false]` | +|Configuration|Turn on PUA protection |`mdatp --threat --type-handling potentially_unwanted_application block`| +|Configuration|Turn off PUA protection |`mdatp --threat --type-handling potentially_unwanted_application off` | +|Configuration|Turn on audit mode for PUA protection |`mdatp --threat --type-handling potentially_unwanted_application audit`| +|Diagnostics |Change the log level |`mdatp --log-level [error/warning/info/verbose]` | +|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` | +|Health |Check the product's health |`mdatp --health` | +|Health |Prints a single health metric |`mdatp --health [metric]` | +|Protection |Scan a path |`mdatp --scan --path [path]` | +|Protection |Do a quick scan |`mdatp --scan --quick` | +|Protection |Do a full scan |`mdatp --scan --full` | +|Protection |Cancel an ongoing on-demand scan |`mdatp --scan --cancel` | +|Protection |Request a definition update |`mdatp --definition-update` | + ## Logging installation issues If an error occurs during installation, the installer will only report a general failure. From 3a12cbe4d4e5544a2853fb4c7a6f7e002cdb8422 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 8 May 2019 09:47:31 +0500 Subject: [PATCH 288/492] update net-framework-problems-with-ie11.md --- .../ie11-deploy-guide/net-framework-problems-with-ie11.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md index bed077a506..96c9783664 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md @@ -16,9 +16,9 @@ If you’re having problems launching your legacy apps while running Internet Ex **To turn managed browser hosting controls back on** -1. **For x86 systems or for 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. +1. **For x86 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. -2. **For x64 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. +2. **For 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. For more information, see the [Web Applications](https://go.microsoft.com/fwlink/p/?LinkId=308903) section of the Application Compatibility in the .NET Framework 4.5 page. From 42b878163fe6c35d274c36ee3107938ba214604b Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Wed, 8 May 2019 11:25:01 +0530 Subject: [PATCH 289/492] Update windows/deployment/windows-autopilot/enrollment-status.md Co-Authored-By: Malind19 --- windows/deployment/windows-autopilot/enrollment-status.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/enrollment-status.md b/windows/deployment/windows-autopilot/enrollment-status.md index 895cf49881..fd2778c09b 100644 --- a/windows/deployment/windows-autopilot/enrollment-status.md +++ b/windows/deployment/windows-autopilot/enrollment-status.md @@ -21,7 +21,7 @@ The Windows Autopilot Enrollment Status page displaying the status of the comple ![Enrollment status page](images/enrollment-status-page.png) -From Windows 10 version 1803 onwards, you can opt-out of the account setup phase. When it is skipped, the settings will be applied for the users when as they access their desktop for the first time. +From Windows 10 version 1803 onwards, you can opt out of the account setup phase. If it is skipped, settings will be applied for users when they access their desktop for the first time. ## Available settings From 79f9363a41a5d93227958cb3245a6f48997f3fe0 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 8 May 2019 14:09:10 +0500 Subject: [PATCH 290/492] Wrong Command Their method mentioned was POST where in actual it was DELETE method. I have updated this accordingly. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/1252 --- windows/client-management/mdm/reclaim-seat-from-user.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/reclaim-seat-from-user.md b/windows/client-management/mdm/reclaim-seat-from-user.md index e3351b8c80..95f47c5df9 100644 --- a/windows/client-management/mdm/reclaim-seat-from-user.md +++ b/windows/client-management/mdm/reclaim-seat-from-user.md @@ -29,7 +29,7 @@ The **Reclaim seat from user** operation returns reclaimed seats for a user in t -

POST

+

DELETE

https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats/{username}

From f49d3c2d6da0638492675d0c846bf65407b2cbda Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 8 May 2019 14:21:59 +0500 Subject: [PATCH 291/492] update win32-and-centennial-app-policy-configuration.md --- .../mdm/win32-and-centennial-app-policy-configuration.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md index 543252e8f2..d69549935e 100644 --- a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md +++ b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md @@ -50,6 +50,9 @@ When the ADMX policies are imported, the registry keys to which each policy is w > [!Warning] > Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still import ADMX files and set ADMX-backed policies regardless of whether the device is domain joined or non-domain joined. +> [!NOTE] +> Settings, that cannot be configured using custom policy ingestion, have to be set by pushing the appropriate registry keys directly (for example, by using PowerShell script). + ## Ingesting an app ADMX file The following ADMX file example shows how to ingest a Win32 or Desktop Bridge app ADMX file and set policies from the file. The ADMX file defines eight policies. From 2f92dc55cc0bf116fca0988f97d95662a06d7a74 Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 8 May 2019 10:07:40 -0400 Subject: [PATCH 292/492] spacing, typo removal --- ...osoft-defender-atp-mac-install-manually.md | 4 +-- ...ft-defender-atp-mac-install-with-intune.md | 8 ++--- ...soft-defender-atp-mac-install-with-jamf.md | 36 +++++++++---------- .../microsoft-defender-atp-mac-resources.md | 22 ++++++------ .../microsoft-defender-atp-mac.md | 4 +-- 5 files changed, 37 insertions(+), 37 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md index 82e53c1ff4..9b90ab16b4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -21,7 +21,7 @@ ms.topic: #conceptual **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -31,7 +31,7 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only ## Prerequisites and system requirements -Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. +Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. ## Download installation and onboarding packages diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md index 6cfc85694d..b145ab592c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md @@ -21,7 +21,7 @@ ms.topic: #conceptual **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -31,7 +31,7 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only ## Prerequisites and system requirements -Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. +Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. ## Download installation and onboarding packages @@ -47,7 +47,7 @@ Download the installation and onboarding packages from Windows Defender Security 6. From a command prompt, verify that you have the three files. Extract the contents of the .zip files: - + ```bash mavel-macmini:Downloads test$ ls -l total 721688 @@ -167,7 +167,7 @@ After Intune changes are propagated to the enrolled machines, you'll see it on t ## Test alert Run in Terminal the following command. It will download [a harmless file](https://en.wikipedia.org/wiki/EICAR_test_file) which will trigger a test detection. - + ```bash curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt ``` diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md index b2df2ab85f..a66f836f20 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md @@ -21,7 +21,7 @@ ms.topic: #conceptual **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -31,7 +31,7 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only ## Prerequisites and system requirements -Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. +Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. In addition, for JAMF deployment, you need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes having a properly configured distribution point. JAMF has many ways to complete the same task. These instructions provide an example for most common processes. Your organization might use a different workflow. @@ -48,7 +48,7 @@ Download the installation and onboarding packages from Windows Defender Security 5. From a command prompt, verify that you have the two files. Extract the contents of the .zip files: - + ```bash mavel-macmini:Downloads test$ ls -l total 721160 @@ -165,24 +165,24 @@ After the policy is applied, you'll see the Microsoft Defender icon in the macOS You can monitor policy installation on a machine by following the JAMF's log file: ```bash -mavel-mojave:~ testuser$ tail -f /var/log/jamf.log -Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. -Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... -Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV -Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender... -Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender. -Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches... -Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. + mavel-mojave:~ testuser$ tail -f /var/log/jamf.log + Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. + Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... + Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV + Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender... + Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender. + Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches... + Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. ``` You can also check the onboarding status: ```bash -mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py -uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 -orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 -orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 -orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 + mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 + orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 + orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 ``` - **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set. @@ -194,7 +194,7 @@ orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: ```bash -sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' + sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' ``` This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. @@ -202,7 +202,7 @@ This script returns 0 if Microsoft Defender ATP is registered with the Windows D ## Test alert Run in Terminal the following command. It will download [a harmless file](https://en.wikipedia.org/wiki/EICAR_test_file) which will trigger a test detection. - + ```bash curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt ``` diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index 03532ddfb4..8967cf9879 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -21,7 +21,7 @@ ms.topic: #conceptual **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -36,25 +36,25 @@ If you can reproduce a problem, please increase the logging level, run the syste 1) Increase logging level: ```bash - mavel-mojave:~ testuser$ mdatp --log-level verbose - Operation succeeded + mavel-mojave:~ testuser$ mdatp --log-level verbose + Operation succeeded ``` 2) Reproduce the problem 3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. - ```bash - mavel-mojave:~ testuser$ mdatp --diagnostic --create - "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" - ``` + ```bash + mavel-mojave:~ testuser$ mdatp --diagnostic --create + "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" + ``` 4) Restore logging level: - ```bash - mavel-mojave:~ testuser$ mdatp --log-level info - Operation succeeded - ``` + ```bash + mavel-mojave:~ testuser$ mdatp --log-level info + Operation succeeded + ``` ## Managing from the command line diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index af6205c2ca..b22d38d977 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -69,7 +69,7 @@ After you've enabled the service, you may need to configure your network or fire The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an **allow** rule specifically for them: | Service | Description | URL | -| -------------- |:------------------------------------:| --------------------------------------------------------------------:| +| -------------- |:------------------------------------:|:--------------------------------------------------------------------:| | ATP | Advanced threat protection service | `https://x.cp.wd.microsoft.com/`, `https://*.x.cp.wd.microsoft.com/` | To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/api/report` and `https://wu-cdn.x.cp.wd.microsoft.com/` in a browser, or run the following command in Terminal: @@ -79,7 +79,7 @@ To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/ap OK ``` -We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. +We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection) enabled (default setting) on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS. ## Resources From 6d337b5763f4a609a589efd5238cd8dd04ba0d58 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 8 May 2019 08:53:59 -0700 Subject: [PATCH 293/492] Minor update --- windows/client-management/mdm/policy-csp-windowslogon.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 885ae70ec7..bdf911fd67 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -165,11 +165,11 @@ This policy setting controls the configuration under which an automatic restart, If you enable this policy setting, you can choose one of the following two options: -- "Enabled if BitLocker is on and not suspended": Specifies that automatic sign on and lock occurs only if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device’s hard drive at this time if BitLocker is not on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components. +- Enabled if BitLocker is on and not suspended: Specifies that automatic sign on and lock occurs only if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device’s hard drive at this time if BitLocker is not on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components. BitLocker is suspended during updates if: - The device does not have TPM 2.0 and PCR7 - The device does not use a TPM-only protector -- "Always Enabled": Specifies that automatic sign on happens even if BitLocker is off or suspended during reboot or shutdown. When BitLocker is not enabled, personal data is accessible on the hard drive. Automatic restart and sign on should only be run under this condition if you are confident that the configured device is in a secure physical location. +- Always Enabled: Specifies that automatic sign on happens even if BitLocker is off or suspended during reboot or shutdown. When BitLocker is not enabled, personal data is accessible on the hard drive. Automatic restart and sign on should only be run under this condition if you are confident that the configured device is in a secure physical location. If you disable or do not configure this setting, automatic sign on defaults to the “Enabled if BitLocker is on and not suspended” behavior. From 3bb30fe435131c2553ee9b848f5e4f27ad1226f4 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Wed, 8 May 2019 09:23:19 -0700 Subject: [PATCH 294/492] Revert "WIP - update microsoft-defender-atp-mac.md" --- ...osoft-defender-atp-mac-install-manually.md | 127 ----- ...ft-defender-atp-mac-install-with-intune.md | 185 ------- ...soft-defender-atp-mac-install-with-jamf.md | 220 -------- .../microsoft-defender-atp-mac-resources.md | 153 ------ .../microsoft-defender-atp-mac.md | 489 ++++++++++++++++-- 5 files changed, 456 insertions(+), 718 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md deleted file mode 100644 index 9b90ab16b4..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md +++ /dev/null @@ -1,127 +0,0 @@ ---- -title: Installing Microsoft Defender ATP for Mac with JAMF -description: Describes how to install Microsoft Defender ATP for Mac, using JAMF. -keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra -search.product: eADQiWindows 10XVcnh -search.appverid: #met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: v-maave -author: martyav -ms.localizationpriority: #medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: #conceptual ---- - -# Manual deployment - -**Applies to:** - -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. - -## Prerequisites and system requirements - -Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. - -## Download installation and onboarding packages - -Download the installation and onboarding packages from Windows Defender Security Center: - -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. - - ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) - -5. From a command prompt, verify that you have the two files. - Extract the contents of the .zip files: - - ```bash - mavel-macmini:Downloads test$ ls -l - total 721152 - -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - inflating: WindowsDefenderATPOnboarding.py - ``` - -## Application installation - -To complete this process, you must have admin privileges on the machine. - -1. Navigate to the downloaded wdav.pkg in Finder and open it. - - ![App install screenshot](images/MDATP_28_AppInstall.png) - -2. Select **Continue**, agree with the License terms, and enter the password when prompted. - - ![App install screenshot](images/MDATP_29_AppInstallLogin.png) - - > [!IMPORTANT] - > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. - - ![App install screenshot](images/MDATP_30_SystemExtension.png) - -3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: - - ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png) - -The installation will proceed. - -> [!NOTE] -> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time. - -## Client configuration - -1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. - - The client machine is not associated with orgId. Note that the orgid is blank. - - ```bash - mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py - uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 - orgid : - ``` - -2. Install the configuration file on a client machine: - - ```bash - mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py - Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) - ``` - -3. Verify that the machine is now associated with orgId: - - ```bash - mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py - uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 - orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8 - ``` - -After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. - - ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) - -## Test alert - -Run in Terminal the following command. It will download [a harmless file](https://en.wikipedia.org/wiki/EICAR_test_file) which will trigger a test detection. - - ```bash - curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt - ``` - -You will get a "Threats found" notification, you can inspect threat's details in the Protection history. - -Soon after that you'll get an alert in the ATP Portal. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md deleted file mode 100644 index b145ab592c..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md +++ /dev/null @@ -1,185 +0,0 @@ ---- -title: Installing Microsoft Defender ATP for Mac with Microsoft Intune -description: Describes how to install Microsoft Defender ATP for Mac, using Microsoft Intune. -keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra -search.product: eADQiWindows 10XVcnh -search.appverid: #met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: v-maave -author: martyav -ms.localizationpriority: #medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: #conceptual ---- - -# Microsoft Intune-based deployment - -**Applies to:** - -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. - -## Prerequisites and system requirements - -Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. - -## Download installation and onboarding packages - -Download the installation and onboarding packages from Windows Defender Security Center: - -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. -5. Download IntuneAppUtil from [https://docs.microsoft.com/en-us/intune/lob-apps-macos](https://docs.microsoft.com/en-us/intune/lob-apps-macos). - - ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) - -6. From a command prompt, verify that you have the three files. - Extract the contents of the .zip files: - - ```bash - mavel-macmini:Downloads test$ ls -l - total 721688 - -rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil - -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators - inflating: intune/kext.xml - inflating: intune/WindowsDefenderATPOnboarding.xml - inflating: jamf/WindowsDefenderATPOnboarding.plist - mavel-macmini:Downloads test$ - ``` - -7. Make IntuneAppUtil an executable: - - ```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil``` - -8. Create the wdav.pkg.intunemac package from wdav.pkg: - - ```bash - mavel-macmini:Downloads test$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0" - Microsoft Intune Application Utility for Mac OS X - Version: 1.0.0.0 - Copyright 2018 Microsoft Corporation - - Creating intunemac file for /Users/test/Downloads/wdav.pkg - Composing the intunemac file output - Output written to ./wdav.pkg.intunemac. - - IntuneAppUtil successfully processed "wdav.pkg", - to deploy refer to the product documentation. - ``` - -## Client Machine Setup - -You need no special provisioning for a Mac machine beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp). - -1. You'll be asked to confirm device management. - -![Confirm device management screenshot](images/MDATP_3_ConfirmDeviceMgmt.png) - -Select Open System Preferences, locate Management Profile on the list and select the **Approve...** button. Your Management Profile would be displayed as **Verified**: - -![Management profile screenshot](images/MDATP_4_ManagementProfile.png) - -2. Select the **Continue** button and complete the enrollment. - -You can enroll additional machines. Optionally, you can do it later, after system configuration and application package are provisioned. - -3. In Intune, open the **Manage > Devices > All devices** blade. You'll see your machine: - -![Add Devices screenshot](images/MDATP_5_allDevices.png) - -## Create System Configuration profiles - -1. In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**. -2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**. -3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above. -4. Select **OK**. - - ![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png) - -5. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. -6. Repeat these steps with the second profile. -7. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file. -8. Select **Manage > Assignments**. In the Include tab, select **Assign to All Users & All devices**. - -After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade: - -![System configuration profiles screenshot](images/MDATP_7_DeviceStatusBlade.png) - -## Publish application - -1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**. -2. Select **App type=Other/Line-of-business app**. -3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. -4. Select **Configure** and add the required information. -5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value. - - ![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png) - -6. Select **OK** and **Add**. - - ![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png) - -7. It will take a while to upload the package. After it's done, select the name and then go to **Assignments** and **Add group**. - - ![Client apps screenshot](images/MDATP_10_ClientApps.png) - -8. Change **Assignment type=Required**. -9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. - - ![Intune assignments info screenshot](images/MDATP_11_Assignments.png) - -10. After some time the application will be published to all enrolled machines. You'll see it on the **Monitor > Device** install status blade: - - ![Intune device status screenshot](images/MDATP_12_DeviceInstall.png) - -## Verify client machine state - -1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**. - - ![System Preferences screenshot](images/MDATP_13_SystemPreferences.png) - ![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png) - -2. Verify the three profiles listed there: - ![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png) - -3. The **Management Profile** should be the Intune system profile. -4. wdav-config and wdav-kext are system configuration profiles that we added in Intune. -5. You should also see the Microsoft Defender icon in the top-right corner: - - ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) - -## Test alert - -Run in Terminal the following command. It will download [a harmless file](https://en.wikipedia.org/wiki/EICAR_test_file) which will trigger a test detection. - - ```bash - curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt - ``` - -You will get a "Threats found" notification, you can inspect threat's details in the Protection history. - -Soon after that you'll get an alert in the ATP Portal. - -## Logging installation issues - -See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. - -## Uninstallation - -See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md deleted file mode 100644 index a66f836f20..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md +++ /dev/null @@ -1,220 +0,0 @@ ---- -title: Installing Microsoft Defender ATP for Mac with JAMF -description: Describes how to install Microsoft Defender ATP for Mac, using JAMF. -keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra -search.product: eADQiWindows 10XVcnh -search.appverid: #met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: v-maave -author: martyav -ms.localizationpriority: #medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: #conceptual ---- - -# JAMF-based deployment - -**Applies to:** - -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. - -## Prerequisites and system requirements - -Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. - -In addition, for JAMF deployment, you need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes having a properly configured distribution point. JAMF has many ways to complete the same task. These instructions provide an example for most common processes. Your organization might use a different workflow. - -## Download installation and onboarding packages - -Download the installation and onboarding packages from Windows Defender Security Center: - -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. - - ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) - -5. From a command prompt, verify that you have the two files. - Extract the contents of the .zip files: - - ```bash - mavel-macmini:Downloads test$ ls -l - total 721160 - -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators - inflating: intune/kext.xml - inflating: intune/WindowsDefenderATPOnboarding.xml - inflating: jamf/WindowsDefenderATPOnboarding.plist - mavel-macmini:Downloads test$ - ``` - -## Create JAMF Policies - -You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client machines. - -### Configuration Profile - -The configuration profile contains one custom settings payload that includes: - -- Microsoft Defender ATP for Mac onboarding information -- Approved Kernel Extensions payload to enable the Microsoft kernel driver to run - -1. Upload jamf/WindowsDefenderATPOnboarding.plist as the Property List File. - - >[!NOTE] - > You must use exactly "com.microsoft.wdav.atp" as the Preference Domain. - - ![Configuration profile screenshot](images/MDATP_16_PreferenceDomain.png) - -### Approved Kernel Extension - -To approve the kernel extension: - -1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. -2. Use **UBF8T346G9** for Team Id. - -![Approved kernel extensions screenshot](images/MDATP_17_approvedKernelExtensions.png) - -#### Configuration Profile's Scope - -Configure the appropriate scope to specify the machines that will receive this configuration profile. - -Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers. - -![Configuration profile scope screenshot](images/MDATP_18_ConfigurationProfilesScope.png) - -Save the **Configuration Profile**. - -Use the **Logs** tab to monitor deployment status for each enrolled machine. - -### Package - -1. Create a package in **Settings > Computer Management > Packages**. - - ![Computer management packages screenshot](images/MDATP_19_MicrosoftDefenderWDAVPKG.png) - -2. Upload wdav.pkg to the Distribution Point. -3. In the **filename** field, enter the name of the package. For example, wdav.pkg. - -### Policy - -Your policy should contain a single package for Microsoft Defender. - -![Microsoft Defender packages screenshot](images/MDATP_20_MicrosoftDefenderPackages.png) - -Configure the appropriate scope to specify the computers that will receive this policy. - -After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled machine. - -## Client machine setup - -You need no special provisioning for a macOS computer beyond the standard JAMF Enrollment. - -> [!NOTE] -> After a computer is enrolled, it will show up in the Computers inventory (All Computers). - -1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. - -![MDM approve button screenshot](images/MDATP_21_MDMProfile1.png) -![MDM screenshot](images/MDATP_22_MDMProfileApproved.png) - -After some time, the machine's User Approved MDM status will change to Yes. - -![MDM status screenshot](images/MDATP_23_MDMStatus.png) - -You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned. - -## Deployment - -Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected. - -### Status on server - -You can monitor the deployment status in the Logs tab: - -- **Pending** means that the deployment is scheduled but has not yet happened -- **Completed** means that the deployment succeeded and is no longer scheduled - -![Status on server screenshot](images/MDATP_24_StatusOnServer.png) - -### Status on client machine - -After the Configuration Profile is deployed, you'll see the profile on the machine in the **System Preferences > Profiles >** Name of Configuration Profile. - -![Status on client screenshot](images/MDATP_25_StatusOnClient.png) - -After the policy is applied, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. - -![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) - -You can monitor policy installation on a machine by following the JAMF's log file: - -```bash - mavel-mojave:~ testuser$ tail -f /var/log/jamf.log - Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. - Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... - Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV - Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender... - Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender. - Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches... - Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. -``` - -You can also check the onboarding status: - -```bash - mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py - uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 - orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 - orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 - orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 -``` - -- **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set. - -- **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed. - -## Check onboarding status - -You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: - -```bash - sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' -``` - -This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. - -## Test alert - -Run in Terminal the following command. It will download [a harmless file](https://en.wikipedia.org/wiki/EICAR_test_file) which will trigger a test detection. - - ```bash - curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt - ``` - -You will get a "Threats found" notification, you can inspect threat's details in the Protection history. - -Soon after that you'll get an alert in the ATP Portal. - -## Logging installation issues - -See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. - -## Uninstallation - -See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md deleted file mode 100644 index 8967cf9879..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ /dev/null @@ -1,153 +0,0 @@ ---- -title: Microsoft Defender ATP for Mac Resources -description: Describes resources for Microsoft Defender ATP for Mac, including how to uninstall it, how to collect diagnostic logs, and known issues with the product. -keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra -search.product: eADQiWindows 10XVcnh -search.appverid: #met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: v-maave -author: martyav -ms.localizationpriority: #medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: #conceptual ---- - -# Resources - -**Applies to:** - -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -This topic describes how to use, and details about, Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. - -## Collecting diagnostic information - -If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. - -1) Increase logging level: - -```bash - mavel-mojave:~ testuser$ mdatp --log-level verbose - Operation succeeded -``` - -2) Reproduce the problem - -3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. - - ```bash - mavel-mojave:~ testuser$ mdatp --diagnostic --create - "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" - ``` - -4) Restore logging level: - - ```bash - mavel-mojave:~ testuser$ mdatp --log-level info - Operation succeeded - ``` - -## Managing from the command line - -Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line: - -|Group |Scenario |Command | -|-------------|-------------------------------------------|-----------------------------------------------------------------------| -|Configuration|Turn on/off real-time protection |`mdatp --config rtp [true/false]` | -|Configuration|Turn on/off cloud protection |`mdatp --config cloud [true/false]` | -|Configuration|Turn on/off product diagnostics |`mdatp --config diagnostic [true/false]` | -|Configuration|Turn on/off automatic sample submission |`mdatp --config sample-submission [true/false]` | -|Configuration|Turn on PUA protection |`mdatp --threat --type-handling potentially_unwanted_application block`| -|Configuration|Turn off PUA protection |`mdatp --threat --type-handling potentially_unwanted_application off` | -|Configuration|Turn on audit mode for PUA protection |`mdatp --threat --type-handling potentially_unwanted_application audit`| -|Diagnostics |Change the log level |`mdatp --log-level [error/warning/info/verbose]` | -|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` | -|Health |Check the product's health |`mdatp --health` | -|Health |Prints a single health metric |`mdatp --health [metric]` | -|Protection |Scan a path |`mdatp --scan --path [path]` | -|Protection |Do a quick scan |`mdatp --scan --quick` | -|Protection |Do a full scan |`mdatp --scan --full` | -|Protection |Cancel an ongoing on-demand scan |`mdatp --scan --cancel` | -|Protection |Request a definition update |`mdatp --definition-update` | - -## Logging installation issues - -If an error occurs during installation, the installer will only report a general failure. - -The detailed log will be saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. - -## Uninstalling - -There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune. - -### Within the GUI - -- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. - -### From the command line - -- ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` - -### With a script - -Create a script in **Settings > Computer Management > Scripts**. - -![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png) - -For example, this script removes Microsoft Defender ATP from the /Applications directory: - -```bash - echo "Is WDAV installed?" - ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - - echo "Uninstalling WDAV..." - rm -rf '/Applications/Microsoft Defender ATP.app' - - echo "Is WDAV still installed?" - ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - - echo "Done!" -``` - -### With a JAMF policy - -If you are running JAMF, your policy should contain a single script: - -![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) - -Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. - -## What to expect in the ATP portal - -- AV alerts: - - Severity - - Scan type - - Device information (hostname, machine identifier, tenant identifier, app version, and OS type) - - File information (name, path, size, and hash) - - Threat information (name, type, and state) -- Device information: - - Machine identifier - - Tenant identifier - - App version - - Hostname - - OS type - - OS version - - Computer model - - Processor architecture - - Whether the device is a virtual machine - -## Known issues - -- Not fully optimized for performance or disk space yet. -- Full Windows Defender ATP integration is not available yet. -- Mac devices that switch networks may appear multiple times in the APT portal. -- Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index b22d38d977..cccde77573 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -22,40 +22,15 @@ ms.topic: conceptual >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This topic describes how to install and use Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. - -## What’s new in the public preview - -We've been working hard through the private preview period, and we've heard your concerns. We've reduced the delay for when new Mac devices appear in the ATP console after they've been deployed. We've improved threat handling, and enhanced the user experience. We've also made numerous bug fixes. Other updates to Microsoft Defender ATP for Mac include: - -- Full accessibility -- Improved performance -- Localization for 37 languages -- Improved anti-tampering protections -- Feedback and samples can now be submitted via the GUI. -- Product health can be queried with JAMF or the command line. -- Admins can set their cloud preference for any location, not just for those in the US. - -## Installing and configuring - -There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. -In general you'll need to take the following steps: - -- Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal -- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: - - [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune) - - [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf) - - [Manual deployment](microsoft-defender-atp-mac-install-manually) - -### Prerequisites +This topic describes how to install and use Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. +## Prerequisites You should have beginner-level experience in macOS and BASH scripting. You must have administrative privileges on the machine. You should also have access to Windows Defender Security Center. ### System Requirements - - macOS version: 10.14 (Mojave), 10.13 (High Sierra), 10.12 (Sierra) - Disk space during preview: 1GB @@ -69,19 +44,467 @@ After you've enabled the service, you may need to configure your network or fire The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an **allow** rule specifically for them: | Service | Description | URL | -| -------------- |:------------------------------------:|:--------------------------------------------------------------------:| +| -------------- |:------------------------------------:| --------------------------------------------------------------------:| | ATP | Advanced threat protection service | `https://x.cp.wd.microsoft.com/`, `https://*.x.cp.wd.microsoft.com/` | To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/api/report` and `https://wu-cdn.x.cp.wd.microsoft.com/` in a browser, or run the following command in Terminal: -```bash +``` mavel-mojave:~ testuser$ curl 'https://x.cp.wd.microsoft.com/api/report' OK ``` -We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection) enabled (default setting) on client machines. +We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS. -## Resources +## Installation and configuration overview +There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. +In general you'll need to take the following steps: + - Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal + - Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: + * [Microsoft Intune based deployment](#microsoft-intune-based-deployment) + * [JAMF based deployment](#jamf-based-deployment) + * [Manual deployment](#manual-deployment) -For further information on logging, uninstalling, the ATP portal, or known issues, see our [Resources](microsoft-defender-atp-mac-resources) page. \ No newline at end of file +## Microsoft Intune based deployment + +### Download installation and onboarding packages +Download the installation and onboarding packages from Windows Defender Security Center: +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. +5. Download IntuneAppUtil from https://docs.microsoft.com/en-us/intune/lob-apps-macos. + + ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + +6. From a command prompt, verify that you have the three files. + Extract the contents of the .zip files: + + ``` + mavel-macmini:Downloads test$ ls -l + total 721688 + -rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil + -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators + inflating: intune/kext.xml + inflating: intune/WindowsDefenderATPOnboarding.xml + inflating: jamf/WindowsDefenderATPOnboarding.plist + mavel-macmini:Downloads test$ + ``` +7. Make IntuneAppUtil an executable: + + ```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil``` + +8. Create the wdav.pkg.intunemac package from wdav.pkg: + + ``` + mavel-macmini:Downloads test$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0" + Microsoft Intune Application Utility for Mac OS X + Version: 1.0.0.0 + Copyright 2018 Microsoft Corporation + + Creating intunemac file for /Users/test/Downloads/wdav.pkg + Composing the intunemac file output + Output written to ./wdav.pkg.intunemac. + + IntuneAppUtil successfully processed "wdav.pkg", + to deploy refer to the product documentation. + ``` + +### Client Machine Setup +You need no special provisioning for a Mac machine beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp). + +1. You'll be asked to confirm device management. + +![Confirm device management screenshot](images/MDATP_3_ConfirmDeviceMgmt.png) + +Select Open System Preferences, locate Management Profile on the list and select the **Approve...** button. Your Management Profile would be displayed as **Verified**: + +![Management profile screenshot](images/MDATP_4_ManagementProfile.png) + +2. Select the **Continue** button and complete the enrollment. + +You can enroll additional machines. Optionally, you can do it later, after system configuration and application package are provisioned. + +3. In Intune, open the **Manage > Devices > All devices** blade. You'll see your machine: + +![Add Devices screenshot](images/MDATP_5_allDevices.png) + +### Create System Configuration profiles +1. In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**. +2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**. +3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above. +4. Select **OK**. + + ![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png) + +5. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. +7. Repeat these steps with the second profile. +8. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file. +9. Select **Manage > Assignments**. In the Include tab, select **Assign to All Users & All devices**. + +After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade: + +![System configuration profiles screenshot](images/MDATP_7_DeviceStatusBlade.png) + +### Publish application + +1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**. +2. Select **App type=Other/Line-of-business app**. +3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. +4. Select **Configure** and add the required information. +5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value. + + ![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png) + +6. Select **OK** and **Add**. + + ![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png) + +7. It will take a while to upload the package. After it's done, select the name and then go to **Assignments** and **Add group**. + + ![Client apps screenshot](images/MDATP_10_ClientApps.png) + +8. Change **Assignment type=Required**. +9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. + + ![Intune assignments info screenshot](images/MDATP_11_Assignments.png) + +10. After some time the application will be published to all enrolled machines. You'll see it on the **Monitor > Device** install status blade: + + ![Intune device status screenshot](images/MDATP_12_DeviceInstall.png) + +### Verify client machine state +1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**. + + ![System Preferences screenshot](images/MDATP_13_SystemPreferences.png) + ![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png) + +2. Verify the three profiles listed there: + ![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png) + +3. The **Management Profile** should be the Intune system profile. +4. wdav-config and wdav-kext are system configuration profiles that we added in Intune. +5. You should also see the Microsoft Defender icon in the top-right corner: + + ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +## JAMF based deployment +### Prerequsites +You need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes a properly configured distribution point. JAMF has many alternative ways to complete the same task. These instructions provide you an example for most common processes. Your organization might use a different workflow. + + +### Download installation and onboarding packages +Download the installation and onboarding packages from Windows Defender Security Center: +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. + + ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + +5. From a command prompt, verify that you have the two files. + Extract the contents of the .zip files: + + ``` + mavel-macmini:Downloads test$ ls -l + total 721160 + -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators + inflating: intune/kext.xml + inflating: intune/WindowsDefenderATPOnboarding.xml + inflating: jamf/WindowsDefenderATPOnboarding.plist + mavel-macmini:Downloads test$ + ``` + +### Create JAMF Policies +You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client machines. + +#### Configuration Profile +The configuration profile contains one custom settings payload that includes: + +- Microsoft Defender ATP for Mac onboarding information +- Approved Kernel Extensions payload to enable the Microsoft kernel driver to run + + +1. Upload jamf/WindowsDefenderATPOnboarding.plist as the Property List File. + + >[!NOTE] + > You must use exactly "com.microsoft.wdav.atp" as the Preference Domain. + + ![Configuration profile screenshot](images/MDATP_16_PreferenceDomain.png) + +#### Approved Kernel Extension + +To approve the kernel extension: +1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. +2. Use **UBF8T346G9** for Team Id. + +![Approved kernel extensions screenshot](images/MDATP_17_approvedKernelExtensions.png) + +#### Configuration Profile's Scope +Configure the appropriate scope to specify the machines that will receive this configuration profile. + +Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers. + +![Configuration profile scope screenshot](images/MDATP_18_ConfigurationProfilesScope.png) + +Save the **Configuration Profile**. + +Use the **Logs** tab to monitor deployment status for each enrolled machine. + +#### Package +1. Create a package in **Settings > Computer Management > Packages**. + + ![Computer management packages screenshot](images/MDATP_19_MicrosoftDefenderWDAVPKG.png) + +2. Upload wdav.pkg to the Distribution Point. +3. In the **filename** field, enter the name of the package. For example, wdav.pkg. + +#### Policy +Your policy should contain a single package for Microsoft Defender. + +![Microsoft Defender packages screenshot](images/MDATP_20_MicrosoftDefenderPackages.png) + +Configure the appropriate scope to specify the computers that will receive this policy. + +After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled machine. + +### Client machine setup +You need no special provisioning for a macOS computer beyond the standard JAMF Enrollment. + +> [!NOTE] +> After a computer is enrolled, it will show up in the Computers inventory (All Computers). + +1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. + +![MDM approve button screenshot](images/MDATP_21_MDMProfile1.png) +![MDM screenshot](images/MDATP_22_MDMProfileApproved.png) + +After some time, the machine's User Approved MDM status will change to Yes. + +![MDM status screenshot](images/MDATP_23_MDMStatus.png) + +You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned. + +### Deployment +Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected. + +#### Status on server +You can monitor the deployment status in the Logs tab: + - **Pending** means that the deployment is scheduled but has not yet happened + - **Completed** means that the deployment succeeded and is no longer scheduled + +![Status on server screenshot](images/MDATP_24_StatusOnServer.png) + + +#### Status on client machine +After the Configuration Profile is deployed, you'll see the profile on the machine in the **System Preferences > Profiles >** Name of Configuration Profile. + +![Status on client screenshot](images/MDATP_25_StatusOnClient.png) + +After the policy is applied, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. + +![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +You can monitor policy installation on a machine by following the JAMF's log file: + +``` +mavel-mojave:~ testuser$ tail -f /var/log/jamf.log +Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. +Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... +Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV +Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender... +Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender. +Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches... +Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. +``` + +You can also check the onboarding status: +``` +mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py +uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 +orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 +orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 +orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 +``` + +- **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set. + +- **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed. + +### Uninstalling Microsoft Defender ATP for Mac +#### Uninstalling with a script + +Create a script in **Settings > Computer Management > Scripts**. + +![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png) + +For example, this script removes Microsoft Defender ATP from the /Applications directory: + +``` +echo "Is WDAV installed?" +ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + +echo "Uninstalling WDAV..." +rm -rf '/Applications/Microsoft Defender ATP.app' + +echo "Is WDAV still installed?" +ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + +echo "Done!" +``` + +#### Uninstalling with a policy +Your policy should contain a single script: + +![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) + +Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. + +### Check onboarding status + +You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: + +``` +sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' +``` + +This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. + +## Manual deployment + +### Download installation and onboarding packages +Download the installation and onboarding packages from Windows Defender Security Center: +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. + + ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + +5. From a command prompt, verify that you have the two files. + Extract the contents of the .zip files: + + ``` + mavel-macmini:Downloads test$ ls -l + total 721152 + -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + inflating: WindowsDefenderATPOnboarding.py + ``` + +### Application installation +To complete this process, you must have admin privileges on the machine. + +1. Navigate to the downloaded wdav.pkg in Finder and open it. + + ![App install screenshot](images/MDATP_28_AppInstall.png) + +2. Select **Continue**, agree with the License terms, and enter the password when prompted. + + ![App install screenshot](images/MDATP_29_AppInstallLogin.png) + + > [!IMPORTANT] + > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. + + ![App install screenshot](images/MDATP_30_SystemExtension.png) + +3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: + + ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png) + + +The installation will proceed. + +> [!NOTE] +> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time. + +### Client configuration +1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. + + The client machine is not associated with orgId. Note that the orgid is blank. + + ``` + mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : + ``` +2. Install the configuration file on a client machine: + + ``` + mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py + Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) + ``` + +3. Verify that the machine is now associated with orgId: + + ``` + mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8 + ``` +After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. + + ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +## Uninstallation +### Removing Microsoft Defender ATP from Mac devices +To remove Microsoft Defender ATP from your macOS devices: + +- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. + +Or, from a command line: + +- ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` + +## Known issues +- Microsoft Defender ATP is not yet optimized for performance or disk space. +- Centrally managed uninstall using Intune is still in development. To uninstall (as a workaround) a manual uninstall action has to be completed on each client device). +- Geo preference for telemetry traffic is not yet supported. Cloud traffic (definition updates) routed to US only. +- Full Windows Defender ATP integration is not yet available +- Not localized yet +- There might be accessibility issues + +## Collecting diagnostic information +If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. + +1) Increase logging level: +``` + mavel-mojave:~ testuser$ mdatp log-level --verbose + Creating connection to daemon + Connection established + Operation succeeded +``` + +2) Reproduce the problem + +3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. + + ``` + mavel-mojave:~ testuser$ mdatp --diagnostic + Creating connection to daemon + Connection established + "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" + ``` + +4) Restore logging level: +``` + mavel-mojave:~ testuser$ mdatp log-level --info + Creating connection to daemon + Connection established + Operation succeeded +``` + + +### Installation issues +If an error occurs during installation, the installer will only report a general failure. The detailed log is saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. From 0734e038948e6d12cbba8e3943558cec05cd5829 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Wed, 8 May 2019 09:32:09 -0700 Subject: [PATCH 295/492] Update hello-hybrid-cert-trust-prereqs.md AS FS > AD FS typo --- .../hello-for-business/hello-hybrid-cert-trust-prereqs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 3dd1963a94..8179a617a8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -57,7 +57,7 @@ Review these requirements and those from the Windows Hello for Business planning ## Public Key Infrastructure ## The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller. -Certificate trust deployments need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. When using Group Policy, hybrid certificate trust deployment uses the Windows Server 2016 Active Directory Federation Server (AS FS) as a certificate registration authority. +Certificate trust deployments need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. When using Group Policy, hybrid certificate trust deployment uses the Windows Server 2016 Active Directory Federation Server (AD FS) as a certificate registration authority. The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012. From 0ea9a0e77a495217ef35d3a03a213927b39e08d6 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 8 May 2019 11:24:38 -0700 Subject: [PATCH 296/492] fixed setting name --- .../customize-attack-surface-reduction.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 647e7de5b0..6dbb17c57d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/07/2019 +ms.date: 05/08/2019 --- # Customize attack surface reduction rules @@ -62,7 +62,7 @@ Block process creations originating from PSExec and WMI commands | d1e49aac-8f56 Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -Process creation from Adobe Reader | e6db77e5-3df2-4cf1-b95a-636979351e5b +Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. From 244670f6f4afec4900759ba76498a0b41048116f Mon Sep 17 00:00:00 2001 From: illfated Date: Wed, 8 May 2019 21:13:55 +0200 Subject: [PATCH 297/492] activate-using-key-management-service-vamt.md typo Typo correction, 2 characters were swapped. - slmrg.vbs -> slmgr.vbs Closes #3539 (Spelling Typo) --- .../activate-using-key-management-service-vamt.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md index dd8545387c..2fea892b96 100644 --- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md +++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md @@ -133,11 +133,9 @@ If you have already established a KMS infrastructure in your organization for an 1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed. 2. Request a new KMS host key from the Volume Licensing Service Center. 3. Install the new KMS host key on your KMS host. -4. Activate the new KMS host key by running the slmrg.vbs script. +4. Activate the new KMS host key by running the slmgr.vbs script. For detailed instructions, see [Update that enables Windows 8.1 and Windows 8 KMS hosts to activate a later version of Windows](https://go.microsoft.com/fwlink/p/?LinkId=618265) and [Update that enables Windows 7 and Windows Server 2008 R2 KMS hosts to activate Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=626590). ## See also - [Volume Activation for Windows 10](volume-activation-windows-10.md) -  - From 14bdb0323bca915ff22c511e8949652c340ad568 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 8 May 2019 12:43:56 -0700 Subject: [PATCH 298/492] edits from Michael H --- .../create-wip-policy-using-intune-azure.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 0e53bed956..c20462e84f 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -11,7 +11,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 05/07/2019 +ms.date: 05/08/2019 --- # Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune @@ -590,7 +590,7 @@ After you've decided where your protected apps can access enterprise data on you - **Use Azure RMS for WIP.** Determines whether WIP encrypts [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) Files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. You must already have Azure Rights Management set up. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. - - **On.** Starts protecting Azure Rights Management files that are copied to a removable drive. You can also add a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. Curly braces -- {} -- are required around the RMS Template ID. The EFS file uses the key from the RMS template’s license to protect the EFS file encryption key. Only users with permission to that template will be able to read it from the USB. If you don’t specify a template, it’s a regular EFS file using a default RMS template that everyone in the tenant will have access to. + - **On.** Protects files that are copied to a removable drive. You can also add a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. Curly braces -- {} -- are required around the RMS Template ID, but they are omitted when you view the saved settings. The EFS file uses the key from the RMS template’s license to protect the EFS file encryption key. Only users with permission to that template will be able to read it from the USB. If you don’t specify a template, it’s a regular EFS file using a default RMS template that everyone in the tenant will have access to. - **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive. @@ -604,7 +604,7 @@ For more info about setting up and using a custom template, see [Configuring cus ## Encrypted file extensions -You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. If this settings is configured, only files with the extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied. +You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. If this setting is configured, only files with the extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied. ![WIP encrypted file extensions](images/wip-encrypted-file-extensions.png) From 8c69ffb1b9b212067b87a180f2817d00973e3a1d Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 8 May 2019 12:46:18 -0700 Subject: [PATCH 299/492] edits --- .../create-wip-policy-using-intune-azure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index c20462e84f..cbae7321c4 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -21,7 +21,7 @@ ms.date: 05/08/2019 - Windows 10, version 1607 and later - Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop) -Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune only manages the apps on a user's personal device. +Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune manages only the apps on a user's personal device. ## Differences between MDM and MAM for WIP From 6556ac94e86a1e0c4c2cf4fde79bc91d290febe9 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 8 May 2019 13:50:50 -0700 Subject: [PATCH 300/492] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 096932fb04..7552b38864 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -209,7 +209,7 @@ See the following table for a summary of the management settings for Windows Ser See the following table for a summary of the management settings for Windows Server 2016 Nano Server. | Setting | Registry | Command line | -| - | :-: | :-: | :-: | :-: | :-: | +| - | :-: | :-: | | [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | | [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | From 4cc2cec7411b5ddcb46b1204855f58ecbf951b4b Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 8 May 2019 13:52:08 -0700 Subject: [PATCH 301/492] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 7552b38864..5ab28a758c 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -194,7 +194,7 @@ See the following table for a summary of the management settings for Windows Ser See the following table for a summary of the management settings for Windows Server 2016 Server Core. | Setting | Group Policy | Registry | Command line | -| - | :-: | :-: | :-: | :-: | :-: | +| - | :-: | :-: | :-: | | [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [6. Font streaming](#font-streaming) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | From 21b1e1063faa09bae66f71d2b69c1d112675e22b Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 8 May 2019 13:53:10 -0700 Subject: [PATCH 302/492] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 5ab28a758c..8fa437fbec 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -634,6 +634,8 @@ To disable the Microsoft Account Sign-In Assistant: - Apply the Accounts/AllowMicrosoftAccountSignInAssistant MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. + -or- + - Change the **Start** REG_DWORD registry setting in **HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\wlidsvc** to a value of **4**. From 3ead1b57077ad38bc245e538c0a19605a1a02e1a Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 8 May 2019 14:04:00 -0700 Subject: [PATCH 303/492] Added 19H1 policies --- .../policy-configuration-service-provider.md | 42 ++ .../mdm/policy-csp-update.md | 409 +++++++++++++++++- 2 files changed, 449 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index a27926a537..8a7e1f0050 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -3336,9 +3336,24 @@ The following diagram shows the Policy configuration service provider in tree fo
Update/AutoRestartRequiredNotificationDismissal
+
+ Update/AutomaticMaintenanceWakeUp +
Update/BranchReadinessLevel
+
+ Update/ConfigureDeadlineForFeatureUpdates +
+
+ Update/ConfigureDeadlineForQualityUpdates +
+
+ Update/ConfigureDeadlineGracePeriod +
+
+ Update/ConfigureDeadlineNoAutoReboot +
Update/ConfigureFeatureUpdateUninstallPeriod
@@ -4881,7 +4896,12 @@ The following diagram shows the Policy configuration service provider in tree fo - [Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates](./policy-csp-update.md#update-autorestartdeadlineperiodindaysforfeatureupdates) - [Update/AutoRestartNotificationSchedule](./policy-csp-update.md#update-autorestartnotificationschedule) - [Update/AutoRestartRequiredNotificationDismissal](./policy-csp-update.md#update-autorestartrequirednotificationdismissal) +- [Update/AutomaticMaintenanceWakeUp](./policy-csp-update.md#update-automaticmaintenancewakeup) - [Update/BranchReadinessLevel](./policy-csp-update.md#update-branchreadinesslevel) +- [Update/ConfigureDeadlineForFeatureUpdates](./policy-csp-update.md#update-configuredeadlineforfeatureupdates) +- [Update/ConfigureDeadlineForQualityUpdates](./policy-csp-update.md#update-configuredeadlineforqualityupdates) +- [Update/ConfigureDeadlineGracePeriod](./policy-csp-update.md#update-configuredeadlinegraceperiod) +- [Update/ConfigureDeadlineNoAutoReboot](./policy-csp-update.md#update-configuredeadlinenoautoreboot) - [Update/DeferFeatureUpdatesPeriodInDays](./policy-csp-update.md#update-deferfeatureupdatesperiodindays) - [Update/DeferQualityUpdatesPeriodInDays](./policy-csp-update.md#update-deferqualityupdatesperiodindays) - [Update/DeferUpdatePeriod](./policy-csp-update.md#update-deferupdateperiod) @@ -5025,6 +5045,10 @@ The following diagram shows the Policy configuration service provider in tree fo - [System/AllowTelemetry](#system-allowtelemetry) - [Update/AllowAutoUpdate](#update-allowautoupdate) - [Update/AllowUpdateService](#update-allowupdateservice) +- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) +- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) +- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) +- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot) - [Update/RequireDeferUpgrade](#update-requiredeferupgrade) - [Update/RequireUpdateApproval](#update-requireupdateapproval) - [Update/ScheduledInstallDay](#update-scheduledinstallday) @@ -5072,6 +5096,10 @@ The following diagram shows the Policy configuration service provider in tree fo - [System/AllowLocation](#system-allowlocation) - [Update/AllowAutoUpdate](#update-allowautoupdate) - [Update/AllowUpdateService](#update-allowupdateservice) +- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) +- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) +- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) +- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot) - [Update/RequireUpdateApproval](#update-requireupdateapproval) - [Update/ScheduledInstallDay](#update-scheduledinstallday) - [Update/ScheduledInstallTime](#update-scheduledinstalltime) @@ -5152,12 +5180,26 @@ The following diagram shows the Policy configuration service provider in tree fo - [CredentialProviders/AllowPINLogon](#credentialproviders-allowpinlogon) - [CredentialProviders/BlockPicturePassword](#credentialproviders-blockpicturepassword) - [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess) +- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) +- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) +- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) +- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot) - [Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots) - [Wifi/AllowInternetSharing](#wifi-allowinternetsharing) - [Wifi/AllowWiFi](#wifi-allowwifi) - [Wifi/WLANScanMode](#wifi-wlanscanmode) + +## Policies supported by Windows 10 IoT Enterprise + +- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) +- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) +- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) +- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot) + + + ## Policies that can be set using Exchange Active Sync (EAS) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index ab8f25ac1d..9d1af07791 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/01/2019 +ms.date: 05/08/2019 --- # Policy CSP - Update @@ -57,9 +57,24 @@ ms.date: 05/01/2019
Update/AutoRestartRequiredNotificationDismissal
+
+ Update/AutomaticMaintenanceWakeUp +
Update/BranchReadinessLevel
+
+ Update/ConfigureDeadlineForFeatureUpdates +
+
+ Update/ConfigureDeadlineForQualityUpdates +
+
+ Update/ConfigureDeadlineGracePeriod +
+
+ Update/ConfigureDeadlineNoAutoReboot +
Update/ConfigureFeatureUpdateUninstallPeriod
@@ -189,6 +204,7 @@ ms.date: 05/01/2019
+ > [!NOTE] > If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). @@ -933,6 +949,78 @@ The following list shows the supported values:
+ +**Update/AutomaticMaintenanceWakeUp** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to configure Automatic Maintenance wake up policy. + +The maintenance wakeup policy specifies if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. + +> [!Note] +> If the OS power wake policy is explicitly disabled, then this setting has no effect. + +If you enable this policy setting, Automatic Maintenance attempts to set OS wake policy and make a wake request for the daily scheduled time, if required. + +If you disable or do not configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel applies. + + + +ADMX Info: +- GP English name: *Automatic Maintenance WakeUp Policy* +- GP category English path: *Windows Components/Maintenance Scheduler* +- GP name: *WakeUpPolicy* +- GP path: *Windows Components/Maintenance Scheduler* +- GP ADMX file name: *msched.admx* + + + +Supported values: +- true: Enable +- false: Disable (Default) + + + + + + + + + +
+ **Update/BranchReadinessLevel** @@ -995,6 +1083,298 @@ The following list shows the supported values:
+ +**Update/ConfigureDeadlineForFeatureUpdates** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. Allows IT admins to specify the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule. + + + +ADMX Info: +- GP English name: *Specify deadlines for automatic updates and restarts* +- GP category English path: *Administrative Templates\Windows Components\WindowsUpdate* +- GP name: *ConfigureDeadlineForFeatureUpdates* +- GP element: *ConfigureDeadlineForFeatureUpdates* +- GP ADMX file name: *WindowsUpdate.admx* + + + +Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required feature update. + +Default value is 7. + + + + + + + + + +
+ + +**Update/ConfigureDeadlineForQualityUpdates** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. Allows IT admins to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule. + + +ADMX Info: +- GP English name: *Specify deadlines for automatic updates and restarts* +- GP category English path: *Administrative Templates\Windows Components\WindowsUpdate* +- GP name: *ConfigureDeadlineForQualityUpdates* +- GP element: *ConfigureDeadlineForQualityUpdates* +- GP ADMX file name: *WindowsUpdate.admx* + + + +Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required quality update. + +Default value is 7. + + + + + + + + + +
+ + +**Update/ConfigureDeadlineGracePeriod** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. Allows the IT admin (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies. + + +ADMX Info: +- GP English name: *Specify deadlines for automatic updates and restarts* +- GP category English path: *Administrative Templates\Windows Components\WindowsUpdate* +- GP name: *ConfigureDeadlineGracePeriod* +- GP element: *ConfigureDeadlineGracePeriod* +- GP ADMX file name: *WindowsUpdate.admx* + + + +Supports a numeric value from 0 - 5, which indicates the minimum number of days a device will wait until performing an aggressive installation of a required update once deadline has been reached. + +Default value is 2. + + + + + + + + + +
+ + +**Update/ConfigureDeadlineNoAutoReboot** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1903. If enabled (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)), devices will not automatically restart outside of active hours until the deadline is reached, even if applicable updates are already installed and pending a restart. + +When disabled, if the device has installed the required updates and is outside of active hours, it may attempt an automatic restart before the deadline. + + +ADMX Info: +- GP English name: *Specify deadlines for automatic updates and restarts* +- GP category English path: *Administrative Templates\Windows Components\WindowsUpdate* +- GP name: *ConfigureDeadlineNoAutoReboot* +- GP element: *ConfigureDeadlineNoAutoReboot* +- GP ADMX file name: *WindowsUpdate.admx* + + + + + + + + + + + + + +
+ + +**Update/ConfigureFeatureUpdateUninstallPeriod** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark4check mark4check mark4check mark4cross markcross mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1803. Enable IT admin to configure feature update uninstall period. Values range 2 - 60 days. Default is 10 days. + + + + +
+ **Update/ConfigureFeatureUpdateUninstallPeriod** @@ -3579,6 +3959,10 @@ ADMX Info: - [Update/AllowAutoUpdate](#update-allowautoupdate) - [Update/AllowUpdateService](#update-allowupdateservice) +- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) +- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) +- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) +- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot) - [Update/RequireUpdateApproval](#update-requireupdateapproval) - [Update/ScheduledInstallDay](#update-scheduledinstallday) - [Update/ScheduledInstallTime](#update-scheduledinstalltime) @@ -3591,6 +3975,10 @@ ADMX Info: - [Update/AllowAutoUpdate](#update-allowautoupdate) - [Update/AllowUpdateService](#update-allowupdateservice) +- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) +- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) +- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) +- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot) - [Update/RequireUpdateApproval](#update-requireupdateapproval) - [Update/ScheduledInstallDay](#update-scheduledinstallday) - [Update/ScheduledInstallTime](#update-scheduledinstalltime) @@ -3598,6 +3986,23 @@ ADMX Info: - [Update/RequireDeferUpgrade](#update-requiredeferupgrade) + +## Update policies supported by IoT Core + +- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) +- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) +- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) +- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot) + + + +## Update policies supported by IoT Enterprise + +- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) +- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) +- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) +- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot) +
Footnotes: @@ -3607,4 +4012,4 @@ Footnotes: - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. - 5 - Added in Windows 10, version 1809. -- 6 - Added in the next major release of Windows 10. \ No newline at end of file +- 6 - Added in Windows 10, version 1903. \ No newline at end of file From d180e8329794c9bbbb17d655cc8ac977823a1e49 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 8 May 2019 14:57:42 -0700 Subject: [PATCH 304/492] Moved supportedvalues after description --- .../mdm/policy-csp-update.md | 56 ++++++++++++------- 1 file changed, 36 insertions(+), 20 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 9d1af07791..812ce661cb 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -995,8 +995,14 @@ The maintenance wakeup policy specifies if Automatic Maintenance should make a w If you enable this policy setting, Automatic Maintenance attempts to set OS wake policy and make a wake request for the daily scheduled time, if required. If you disable or do not configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel applies. - + + +Supported values: +- true: Enable +- false: Disable (Default) + + ADMX Info: - GP English name: *Automatic Maintenance WakeUp Policy* @@ -1006,11 +1012,7 @@ ADMX Info: - GP ADMX file name: *msched.admx* - -Supported values: -- true: Enable -- false: Disable (Default) - + @@ -1122,6 +1124,13 @@ The following list shows the supported values: Added in Windows 10, version 1903. Allows IT admins to specify the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule. + + +Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required feature update. + +Default value is 7. + + ADMX Info: - GP English name: *Specify deadlines for automatic updates and restarts* @@ -1131,11 +1140,7 @@ ADMX Info: - GP ADMX file name: *WindowsUpdate.admx* - -Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required feature update. -Default value is 7. - @@ -1184,6 +1189,13 @@ Default value is 7. Added in Windows 10, version 1903. Allows IT admins to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule. + + +Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required quality update. + +Default value is 7. + + ADMX Info: - GP English name: *Specify deadlines for automatic updates and restarts* @@ -1193,11 +1205,7 @@ ADMX Info: - GP ADMX file name: *WindowsUpdate.admx* - -Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required quality update. -Default value is 7. - @@ -1246,6 +1254,13 @@ Default value is 7. Added in Windows 10, version 1903. Allows the IT admin (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies. + + +Supports a numeric value from 0 - 5, which indicates the minimum number of days a device will wait until performing an aggressive installation of a required update once deadline has been reached. + +Default value is 2. + + ADMX Info: - GP English name: *Specify deadlines for automatic updates and restarts* @@ -1255,11 +1270,7 @@ ADMX Info: - GP ADMX file name: *WindowsUpdate.admx* - -Supports a numeric value from 0 - 5, which indicates the minimum number of days a device will wait until performing an aggressive installation of a required update once deadline has been reached. -Default value is 2. - @@ -1310,6 +1321,13 @@ Added in Windows 10, version 1903. If enabled (when used with [Update/ConfigureD When disabled, if the device has installed the required updates and is outside of active hours, it may attempt an automatic restart before the deadline. + + +Supported values: +- 1 - Enabled. Device does not attempt to automatically reboot outside of active hours until the compliance deadline is reached. +- 0 - Disabled. Device may reboot outside of active hours before the deadline. + + ADMX Info: - GP English name: *Specify deadlines for automatic updates and restarts* @@ -1319,9 +1337,7 @@ ADMX Info: - GP ADMX file name: *WindowsUpdate.admx* - - From 6e185405095303a8cb6cababbf7906885df17688 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 8 May 2019 15:21:26 -0700 Subject: [PATCH 305/492] Minor updates --- windows/client-management/mdm/policy-csp-update.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 812ce661cb..587b602fde 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -985,9 +985,7 @@ The following list shows the supported values: -This policy setting allows you to configure Automatic Maintenance wake up policy. - -The maintenance wakeup policy specifies if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. +This policy setting allows you to configure if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. > [!Note] > If the OS power wake policy is explicitly disabled, then this setting has no effect. @@ -1324,8 +1322,8 @@ When disabled, if the device has installed the required updates and is outside o Supported values: -- 1 - Enabled. Device does not attempt to automatically reboot outside of active hours until the compliance deadline is reached. -- 0 - Disabled. Device may reboot outside of active hours before the deadline. +- 1 - Enabled +- 0 - Disabled From bda1814101cfe758869339716b320e46c789ead4 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 8 May 2019 15:22:33 -0700 Subject: [PATCH 306/492] update preview and ga --- ...windows-defender-advanced-threat-protection.md | 1 - .../whats-new-in-windows-defender-atp.md | 15 +-------------- 2 files changed, 1 insertion(+), 15 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md index c715722f19..1556c307d3 100644 --- a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md @@ -48,7 +48,6 @@ The following features are included in the preview release: - [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/next-gen-threat-and-vuln-mgt)
A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. -- [Interoperability](https://docs.microsoft.com/windows/security/threat-protection/partner-applications)
Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform. - [Machine health and compliance report](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection) The machine health and compliance report provides high-level information about the devices in your organization. diff --git a/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md b/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md index fdc7f36695..00babf863c 100644 --- a/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md +++ b/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md @@ -21,7 +21,7 @@ ms.topic: conceptual **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Here are the new features that are generally available (GA) in the latest release of Windows Defender ATP as well as security features in Windows 10 and Windows Server. +The following features are generally available (GA) in the latest release of Windows Defender ATP as well as security features in Windows 10 and Windows Server. For more information preview features, see [Preview features](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection). @@ -45,19 +45,6 @@ For more information preview features, see [Preview features](https://docs.micro - [Microsoft Defender ATP API](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/use-apis)
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. -### In preview -The following capability is included in the April 2019 preview release. - -- [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/next-gen-threat-and-vuln-mgt)
A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. - - - -## March 2019 -### In preview -The following capability is included in the March 2019 preview release. - -- [Machine health and compliance report](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection) The machine health and compliance report provides high-level information about the devices in your organization. - ## February 2019 - [Incidents](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/incidents-queue)
Incident is a new entity in Windows Defender ATP that brings together all relevant alerts and related entities to narrate the broader attack story, giving analysts better perspective on the purview of complex threats. From 67d2ac3c477a7bb1b5ae34fa84d676fe6bf2ac11 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 8 May 2019 15:44:49 -0700 Subject: [PATCH 307/492] update supported versions --- ...igations-windows-defender-advanced-threat-protection.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md index 8ff29cf968..76b8e8448b 100644 --- a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 12/04/2018 --- # Overview of Automated investigations @@ -34,8 +33,10 @@ The Automated investigations list shows all the investigations that have been in Entities are the starting point for Automated investigations. When an alert contains a supported entity for Automated investigation (for example, a file) that resides on a machine that has a supported operating system for Automated investigation then an Automated investigation can start. >[!NOTE] ->Currently, Automated investigation only supports Windows 10, version 1709 or later. ->Some investigation playbooks, like memory investigations, require Windows 10, version 1709 or later. +>Currently, Automated investigation only supports the following OS versions: +>- Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/en-us/help/4493441/windows-10-update-kb4493441)) or later +>- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/en-us/help/4493464/windows-10-update-kb4493464)) or later +>- Later versions of Windows 10 The alerts start by analyzing the supported entities from the alert and also runs a generic machine playbook to see if there is anything else suspicious on that machine. The outcome and details from the investigation is seen in the Automated investigation view. From a839ec7f1aefb1e51eb9478448793585ee70bc5f Mon Sep 17 00:00:00 2001 From: "Nisha Mittal (Wipro Ltd.)" Date: Wed, 8 May 2019 16:01:00 -0700 Subject: [PATCH 308/492] Latest changes done for few more issues --- ...ssues-windows-10-1809-and-windows-server-2019.yml | 12 ++++++++++++ ...tatus-windows-10-1809-and-windows-server-2019.yml | 6 ++++-- ...atus-windows-7-and-windows-server-2008-r2-sp1.yml | 4 ++-- ...status-windows-8.1-and-windows-server-2012-r2.yml | 4 ++-- 4 files changed, 20 insertions(+), 6 deletions(-) diff --git a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml index e3ea1030dd..b0d3c9f294 100644 --- a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml @@ -32,6 +32,8 @@ sections: - type: markdown text: " + + @@ -66,11 +68,21 @@ sections:
" +- title: May 2019 +- items: + - type: markdown + text: " +
SummaryOriginating updateStatusDate resolved
Latest cumulative update (KB 4495667) installs automatically
Reports that the optional cumulative update (KB 4495667) installs automatically.

See details >		OS Build 17763.475

May 03, 2019
KB4495667		Resolved
May 08, 2019
03:37 PM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
After further investigation ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809

See details >		OS Build 17763.437

April 09, 2019
KB4493509		Resolved
May 08, 2019
03:30 PM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		OS Build 17763.379

March 12, 2019
KB4489899		Resolved
KB4495667		May 03, 2019
12:40 PM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup.

See details >		OS Build 17763.404

April 02, 2019
KB4490481		Resolved
KB4493509		April 09, 2019
10:00 AM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.

See details >		OS Build 17763.253

January 08, 2019
KB4480116		Resolved
KB4493509		April 09, 2019
10:00 AM PT
+ +
DetailsOriginating updateStatusHistory
Latest cumulative update (KB 4495667) installs automatically
Due to a servicing side issue some users were offered KB4495667 (optional update) automatically and rebooted devices. This issue has been mitigated.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Resolution:: This issue has been mitigated on the servicing side to prevent auto installing of this update. Customers do not need to take any action.

Back to top		OS Build 17763.475

May 03, 2019
KB4495667		Resolved
Resolved:
May 08, 2019
03:37 PM PT

Opened:
May 05, 2019
12:01 PM PT
+ " + - title: April 2019 - items: - type: markdown text: " +
DetailsOriginating updateStatusHistory
System may be unresponsive after restart if ArcaBit antivirus software installed
ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809 (client or server).

Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart.

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: ArcaBit has released an update to address this issue for affected platforms. For more information, see the ArcaBit support article.

Resolution: This issue has been resolved. ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809 (client or server).

Back to top		OS Build 17763.437

April 09, 2019
KB4493509		Resolved
Resolved:
May 08, 2019
03:30 PM PT

Opened:
April 09, 2019
10:00 AM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system will stop working and a blue screen may appear at startup. This is not a common setting in non-Asian regions.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016
Resolution: This issue was resolved in KB4493509.

Back to top		OS Build 17763.404

April 02, 2019
KB4490481		Resolved
KB4493509		Resolved:
April 09, 2019
10:00 AM PT

Opened:
April 02, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml index 5237a7fcb5..2b50998415 100644 --- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml @@ -67,10 +67,11 @@ sections: - + + @@ -93,6 +94,7 @@ sections:
SummaryOriginating updateStatusLast updated
Devices with some Asian language packs installed may receive an error
After installing the KB4493509 devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_F

See details >		OS Build 17763.437

April 09, 2019
KB4493509		Mitigated
May 03, 2019
10:59 AM PT
Printing from Microsoft Edge or other UWP apps, you may receive the error 0x80070007
Attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications, you may receive an error.

See details >		OS Build 17763.379

March 12, 2019
KB4489899		Mitigated
May 02, 2019
04:47 PM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.

See details >		OS Build 17763.437

April 09, 2019
KB4493509		Mitigated
April 25, 2019
02:00 PM PT
Issue using PXE to start a device from WDS
Using PXE to start a device from a WDS server configured to use Variable Window Extension may cause the connection to the WDS server to terminate prematurely.

See details >		OS Build 17763.379

March 12, 2019
KB4489899		Mitigated
April 09, 2019
10:00 AM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

See details >		OS Build 17763.253

January 08, 2019
KB4480116		Mitigated
April 09, 2019
10:00 AM PT
Audio not working on monitors or TV connected to a PC via HDMI, USB, or DisplayPort
Upgrade block: Microsoft has identified issues with certain new Intel display drivers, which accidentally turn on unsupported features in Windows.

See details >		OS Build 17763.134

November 13, 2018
KB4467708		Mitigated
March 15, 2019
12:00 PM PT
Latest cumulative update (KB 4495667) installs automatically
Reports that the optional cumulative update (KB 4495667) installs automatically.

See details >		OS Build 17763.475

May 03, 2019
KB4495667		Resolved
May 08, 2019
03:37 PM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
After further investigation ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809

See details >		OS Build 17763.437

April 09, 2019
KB4493509		Resolved
May 08, 2019
03:30 PM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		OS Build 17763.379

March 12, 2019
KB4489899		Resolved
KB4495667		May 03, 2019
12:40 PM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup.

See details >		OS Build 17763.404

April 02, 2019
KB4490481		Resolved
KB4493509		April 09, 2019
10:00 AM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.

See details >		OS Build 17763.253

January 08, 2019
KB4480116		Resolved
KB4493509		April 09, 2019
10:00 AM PT
+
DetailsOriginating updateStatusHistory
Devices with some Asian language packs installed may receive an error
After installing the April 2019 Cumulative Update (KB4493509), devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Workaround:
  1. Uninstall and reinstall any recently added language packs. For instructions, see \"Manage the input and display language settings in Windows 10\".
  2. Click Check for Updates and install the April 2019 Cumulative Update. For instructions, see \"Update Windows 10\".
Note: If reinstalling the language pack does not mitigate the issue, reset your PC as follows:
  1. Go to Settings app -> Recovery.
  2. Click on Get Started under \"Reset this PC\" recovery option.
  3. Select \"Keep my Files\".
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17763.437

April 09, 2019
KB4493509		Mitigated
Last updated:
May 03, 2019
10:59 AM PT

Opened:
May 02, 2019
04:36 PM PT
Printing from Microsoft Edge or other UWP apps, you may receive the error 0x80070007
When attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications you may receive the error, \"Your printer has experienced an unexpected configuration problem. 0x80070007e.\"
 
Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Workaround: You can use another browser, such as Internet Explorer to print your documents.
 
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17763.379

March 12, 2019
KB4489899		Mitigated
Last updated:
May 02, 2019
04:47 PM PT

Opened:
May 02, 2019
04:47 PM PT
Latest cumulative update (KB 4495667) installs automatically
Due to a servicing side issue some users were offered KB4495667 (optional update) automatically and rebooted devices. This issue has been mitigated.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Resolution:: This issue has been mitigated on the servicing side to prevent auto installing of this update. Customers do not need to take any action.

Back to top		OS Build 17763.475

May 03, 2019
KB4495667		Resolved
Resolved:
May 08, 2019
03:37 PM PT

Opened:
May 05, 2019
12:01 PM PT
" @@ -101,7 +103,7 @@ sections: - type: markdown text: " - +
DetailsOriginating updateStatusHistory
System may be unresponsive after restart if ArcaBit antivirus software installed
Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493509
 
Microsoft has temporarily blocked devices from receiving this update if ArcaBit antivirus software is installed. 

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.

Back to top		OS Build 17763.437

April 09, 2019
KB4493509		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
April 09, 2019
10:00 AM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809 (client or server).

Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart.

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: ArcaBit has released an update to address this issue for affected platforms. For more information, see the ArcaBit support article.

Resolution: This issue has been resolved. ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809 (client or server).

Back to top		OS Build 17763.437

April 09, 2019
KB4493509		Resolved
Resolved:
May 08, 2019
03:30 PM PT

Opened:
April 09, 2019
10:00 AM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system will stop working and a blue screen may appear at startup. This is not a common setting in non-Asian regions.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016
Resolution: This issue was resolved in KB4493509.

Back to top		OS Build 17763.404

April 02, 2019
KB4490481		Resolved
KB4493509		Resolved:
April 09, 2019
10:00 AM PT

Opened:
April 02, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml index a15923a007..ef1b22e4bf 100644 --- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml +++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml @@ -60,10 +60,10 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ - @@ -85,9 +85,9 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusLast updated
System may be unresponsive after restart if ArcaBit antivirus software installed
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493472		Mitigated
May 08, 2019
03:29 PM PT
System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493472		Mitigated
May 03, 2019
08:50 AM PT
Authentication may fail for services after the Kerberos ticket expires
Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires.

See details >		March 12, 2019
KB4489878		Mitigated
April 25, 2019
02:00 PM PT
System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.

See details >		April 09, 2019
KB4493472		Mitigated
April 25, 2019
02:00 PM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493472		Mitigated
April 25, 2019
02:00 PM PT
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

See details >		April 09, 2019
KB4493472		Mitigated
April 25, 2019
02:00 PM PT
Devices may not respond at login or Welcome screen if running certain Avast software
Devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software may become unresponsive after restart.

See details >		April 09, 2019
KB4493472		Resolved
April 25, 2019
02:00 PM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.

See details >		January 08, 2019
KB4480970		Resolved
KB4493472		April 09, 2019
10:00 AM PT
+ -
DetailsOriginating updateStatusHistory
System may be unresponsive after restart if ArcaBit antivirus software installed
Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493472.

Microsoft has temporarily blocked devices from receiving this update if ArcaBit antivirus software is installed.

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.

Back to top		April 09, 2019
KB4493472		Mitigated
Last updated:
May 08, 2019
03:29 PM PT

Opened:
April 09, 2019
10:00 AM PT
System may be unresponsive after restart if Avira antivirus software installed
Microsoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493472.

Microsoft has temporarily blocked devices from receiving this update if Avira antivirus software is installed.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1 
  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Next steps: Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.

Back to top		April 09, 2019
KB4493472		Mitigated
Last updated:
May 03, 2019
08:50 AM PT

Opened:
April 09, 2019
10:00 AM PT
System unresponsive after restart if Sophos Endpoint Protection installed
Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493472.

Microsoft has temporarily blocked devices from receiving this update if the Sophos Endpoint is installed until a solution is available.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.

Back to top		April 09, 2019
KB4493472		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
April 09, 2019
10:00 AM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493472.

Microsoft has temporarily blocked devices from receiving this update if ArcaBit antivirus software is installed.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.

Back to top		April 09, 2019
KB4493472		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
April 09, 2019
10:00 AM PT
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

Affected platforms:
  • Client:  Windows 8.1; Windows 7 SP1
  • Server:  Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: Guidance for McAfee customers can be found in the following McAfee support articles: 
Next steps: We are presently investigating this issue with McAfee. We will provide an update once we have more information.

Back to top		April 09, 2019
KB4493472		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
April 09, 2019
10:00 AM PT
Devices may not respond at login or Welcome screen if running certain Avast software
Microsoft and Avast have identified an issue on devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software after you install KB4493472 and restart. Devices may become unresponsive at the login or Welcome screen. Additionally, you may be unable to log in or log in after an extended period of time.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1 
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1 
Resolution: Avast has released emergency updates to address this issue. For more information and AV update schedule, see the Avast support KB article.

Back to top		April 09, 2019
KB4493472		Resolved
Resolved:
April 25, 2019
02:00 PM PT

Opened:
April 09, 2019
10:00 AM PT
diff --git a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml index 75805707fb..e159932ae6 100644 --- a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml +++ b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml @@ -60,10 +60,10 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ - @@ -86,9 +86,9 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusLast updated
System may be unresponsive after restart if ArcaBit antivirus software installed
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493446		Mitigated
May 08, 2019
03:29 PM PT
System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493446		Mitigated
May 03, 2019
08:50 AM PT
Issue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.

See details >		March 12, 2019
KB4489881		Mitigated
April 25, 2019
02:00 PM PT
System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.

See details >		April 09, 2019
KB4493446		Mitigated
April 25, 2019
02:00 PM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493446		Mitigated
April 25, 2019
02:00 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.

See details >		January 08, 2019
KB4480963		Mitigated
April 25, 2019
02:00 PM PT
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

See details >		April 09, 2019
KB4493446		Mitigated
April 18, 2019
05:00 PM PT
Devices may not respond at login or Welcome screen if running certain Avast software
Devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software may become unresponsive after restart.

See details >		April 09, 2019
KB4493446		Resolved
April 25, 2019
02:00 PM PT
+ -
DetailsOriginating updateStatusHistory
System may be unresponsive after restart if ArcaBit antivirus software installed
Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493446.

Microsoft has temporarily blocked devices from receiving this update if ArcaBit antivirus software is installed.

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.

Back to top		April 09, 2019
KB4493446		Mitigated
Last updated:
May 08, 2019
03:29 PM PT

Opened:
April 09, 2019
10:00 AM PT
System may be unresponsive after restart if Avira antivirus software installed
Microsoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493446.

Microsoft has temporarily blocked devices from receiving this update if Avira antivirus software is installed.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1 
  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Next steps: Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.

Back to top		April 09, 2019
KB4493446		Mitigated
Last updated:
May 03, 2019
08:50 AM PT

Opened:
April 09, 2019
10:00 AM PT
System unresponsive after restart if Sophos Endpoint Protection installed
Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493446.

Microsoft has temporarily blocked devices from receiving this update if the Sophos Endpoint is installed until a solution is available.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.

Back to top		April 09, 2019
KB4493446		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
April 09, 2019
10:00 AM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493446.

Microsoft has temporarily blocked devices from receiving this update if ArcaBit antivirus software is installed.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.

Back to top		April 09, 2019
KB4493446		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
April 09, 2019
10:00 AM PT
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

Affected platforms:
  • Client:  Windows 8.1; Windows 7 SP1
  • Server:  Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: Guidance for McAfee customers can be found in the following McAfee support articles:  
Next steps: We are presently investigating this issue with McAfee. We will provide an update once we have more information. 

Back to top		April 09, 2019
KB4493446		Mitigated
Last updated:
April 18, 2019
05:00 PM PT

Opened:
April 09, 2019
10:00 AM PT
Devices may not respond at login or Welcome screen if running certain Avast software
Microsoft and Avast have identified an issue on devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software after you install KB4493446 and restart. Devices may become unresponsive at the login or Welcome screen. Additionally, you may be unable to log in or log in after an extended period of time.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1 
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1 
Resolution: Avast has released emergency updates to address this issue. For more information and AV update schedule, see the Avast support KB article.

Back to top		April 09, 2019
KB4493446		Resolved
Resolved:
April 25, 2019
02:00 PM PT

Opened:
April 09, 2019
10:00 AM PT
From c88375348dda4e2dd36ecfb28f5151e3710d6171 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 8 May 2019 16:02:39 -0700 Subject: [PATCH 309/492] Minor update --- windows/client-management/mdm/policy-csp-update.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 587b602fde..9d7ac6f259 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -997,8 +997,8 @@ If you disable or do not configure this policy setting, the wake setting as spec Supported values: -- true: Enable -- false: Disable (Default) +- true - Enable +- false - Disable (Default) From 095681f3baa4843ac3a29632891990c0fa263195 Mon Sep 17 00:00:00 2001 From: "Nisha Mittal (Wipro Ltd.)" Date: Wed, 8 May 2019 16:39:45 -0700 Subject: [PATCH 310/492] Status changed for 1809 product issues --- .../status-windows-10-1809-and-windows-server-2019.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml index aa37741e35..2b50998415 100644 --- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml @@ -65,7 +65,6 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

- @@ -93,7 +92,6 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusLast updated
Latest cumulative update (KB 4495667) installs automatically
Reports that the optional cumulative update (KB 4495667) installs automatically.

See details >		OS Build 17763.475

May 03, 2019
KB4495667		Mitigated
May 05, 2019
12:01 PM PT
Devices with some Asian language packs installed may receive an error
After installing the KB4493509 devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_F

See details >		OS Build 17763.437

April 09, 2019
KB4493509		Mitigated
May 03, 2019
10:59 AM PT
Printing from Microsoft Edge or other UWP apps, you may receive the error 0x80070007
Attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications, you may receive an error.

See details >		OS Build 17763.379

March 12, 2019
KB4489899		Mitigated
May 02, 2019
04:47 PM PT
Issue using PXE to start a device from WDS
Using PXE to start a device from a WDS server configured to use Variable Window Extension may cause the connection to the WDS server to terminate prematurely.

See details >		OS Build 17763.379

March 12, 2019
KB4489899		Mitigated
April 09, 2019
10:00 AM PT
- From 46d01547942cb2745ad5e2b75c9b5bb7e1def141 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 8 May 2019 18:52:53 -0700 Subject: [PATCH 311/492] Create windows-endpoints-non-enterprise-editions-1903.md --- ...-endpoints-non-enterprise-editions-1903.md | 163 ++++++++++++++++++ 1 file changed, 163 insertions(+) create mode 100644 windows/privacy/windows-endpoints-non-enterprise-editions-1903.md diff --git a/windows/privacy/windows-endpoints-non-enterprise-editions-1903.md b/windows/privacy/windows-endpoints-non-enterprise-editions-1903.md new file mode 100644 index 0000000000..b6be3b5acd --- /dev/null +++ b/windows/privacy/windows-endpoints-non-enterprise-editions-1903.md @@ -0,0 +1,163 @@ +--- +title: Windows 10, version 1809, connection endpoints for non-Enterprise editions +description: Explains what Windows 10 endpoints are used in non-Enterprise editions. +keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +audience: ITPro +author: danihalfin +ms.author: daniha +manager: dansimp +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 6/26/2018 +--- +# Windows 10, version 1809, connection endpoints for non-Enterprise editions + + **Applies to** + +- Windows 10 Home, version 1809 +- Windows 10 Professional, version 1809 +- Windows 10 Education, version 1809 + +In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-1809-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1809. + +We used the following methodology to derive these network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 Family + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +|\*.aria.microsoft.com\* | HTTPS | Office Telemetry +|\*.dl.delivery.mp.microsoft.com\* | HTTP | Enables connections to Windows Update. +|\*.download.windowsupdate.com\* | HTTP | Used to download operating system patches and updates. +|\*.g.akamai.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. +|\*.msn.com\* |TLSv1.2/HTTPS | Windows Spotlight related traffic +|\*.Skype.com | HTTP/HTTPS | Skype related traffic +|\*.smartscreen.microsoft.com\* | HTTPS | Windows Defender Smartscreen related traffic +|\*.telecommand.telemetry.microsoft.com\* | HTTPS | Used by Windows Error Reporting. +|\*cdn.onenote.net* | HTTP | OneNote related traffic +|\*displaycatalog.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store. +|\*emdl.ws.microsoft.com\* | HTTP | Windows Update related traffic +|\*geo-prod.do.dsp.mp.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update. +|\*hwcdn.net* | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. +|\*img-prod-cms-rt-microsoft-com.akamaized.net* | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). +|\*maps.windows.com\* | HTTPS | Related to Maps application. +|\*msedge.net* | HTTPS | Used by OfficeHub to get the metadata of Office apps. +|\*nexusrules.officeapps.live.com\* | HTTPS | Office Telemetry +|\*photos.microsoft.com\* | HTTPS | Photos App related traffic +|\*prod.do.dsp.mp.microsoft.com\* |TLSv1.2/HTTPS | Used for Windows Update downloads of apps and OS updates. +|\*wac.phicdn.net* | HTTP | Windows Update related traffic +|\*windowsupdate.com\* | HTTP | Windows Update related traffic +|\*wns.windows.com\* | HTTPS, TLSv1.2 | Used for the Windows Push Notification Services (WNS). +|\*wpc.v0cdn.net* | | Windows Telemetry related traffic +|auth.gfx.ms/16.000.27934.1/OldConvergedLogin_PCore.js | | MSA related +|evoke-windowsservices-tas.msedge* | HTTPS | The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. +|fe2.update.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. +|fe3.\*.mp.microsoft.com.\* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. +|fs.microsoft.com | | Font Streaming (in ENT traffic) +|g.live.com\* | HTTPS | Used by OneDrive +|iriscoremetadataprod.blob.core.windows.net | HTTPS | Windows Telemetry +|mscrl.microsoft.com | | Certificate Revocation List related traffic. +|ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities. +|officeclient.microsoft.com | HTTPS | Office related traffic. +|oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. +|purchase.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store. +|query.prod.cms.rt.microsoft.com\* | HTTPS | Used to retrieve Windows Spotlight metadata. +|ris.api.iris.microsoft.com\* |TLSv1.2/HTTPS | Used to retrieve Windows Spotlight metadata. +|ris-prod-atm.trafficmanager.net | HTTPS | Azure traffic manager +|settings.data.microsoft.com\* | HTTPS | Used for Windows apps to dynamically update their configuration. +|settings-win.data.microsoft.com\* | HTTPS | Used for Windows apps to dynamically update their configuration. +|sls.update.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update. +|store*.dsx.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store. +|storecatalogrevocation.storequality.microsoft.com\* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. +|store-images.s-microsoft.com\* | HTTP | Used to get images that are used for Microsoft Store suggestions. +|tile-service.weather.microsoft.com\* | HTTP | Used to download updates to the Weather app Live Tile. +|tsfe.trafficshaping.dsp.mp.microsoft.com\* |TLSv1.2 | Used for content regulation. +|v10.events.data.microsoft.com | HTTPS | Diagnostic Data +|wdcp.microsoft.* |TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. +|wd-prod-cp-us-west-1-fe.westus.cloudapp.azure.com | HTTPS | Windows Defender related traffic. +|www.bing.com* | HTTP | Used for updates for Cortana, apps, and Live Tiles. + +## Windows 10 Pro + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.tlu.dl.delivery.mp.microsoft.com/* | HTTP | Enables connections to Windows Update. | +| *geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | +| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| au.download.windowsupdate.com/* | HTTP | Enables connections to Windows Update. | +| ctldl.windowsupdate.com/msdownload/update/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS) | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | +| location-inference-westus.cloudapp.net | HTTPS | Used for location data. | +| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | +| vip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic | + + +## Windows 10 Education + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.b.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| *.tlu.dl.delivery.mp.microsoft.com\* | HTTP | Enables connections to Windows Update. | +| *.windowsupdate.com\* | HTTP | Enables connections to Windows Update. | +| *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| au.download.windowsupdate.com\* | HTTP | Enables connections to Windows Update. | +| cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. | +| client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | +| config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values.  | +| ctldl.windowsupdate.com/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| displaycatalog.mp.microsoft.com/* | HTTPS | Used to communicate with Microsoft Store. | +| download.windowsupdate.com/* | HTTPS | Enables connections to Windows Update. | +| emdl.ws.microsoft.com/* | HTTP | Used to download apps from the Microsoft Store. | +| fe2.update.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.mp.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| g.live.com/odclientsettings/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | +| licensing.mp.microsoft.com/* | HTTPS | Used for online activation and some app licensing. | +| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application | +| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | +| ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. | +| sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. | +| storecatalogrevocation.storequality.microsoft.com/* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | +| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | +| vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | +| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | +| bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | From 7b1747d7eacafeaa4dbed1af7597007d098674c2 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 8 May 2019 18:53:54 -0700 Subject: [PATCH 312/492] Rename windows-endpoints-non-enterprise-editions-1903.md to windows-endpoints-1903-non-enterprise-editions.md --- ...-1903.md => windows-endpoints-1903-non-enterprise-editions.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename windows/privacy/{windows-endpoints-non-enterprise-editions-1903.md => windows-endpoints-1903-non-enterprise-editions.md} (100%) diff --git a/windows/privacy/windows-endpoints-non-enterprise-editions-1903.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md similarity index 100% rename from windows/privacy/windows-endpoints-non-enterprise-editions-1903.md rename to windows/privacy/windows-endpoints-1903-non-enterprise-editions.md From 15912e19d6a7578482a8b56030f73e84a1f8163e Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 8 May 2019 19:03:08 -0700 Subject: [PATCH 313/492] Update windows-endpoints-1903-non-enterprise-editions.md --- ...-endpoints-1903-non-enterprise-editions.md | 128 +++++++++++------- 1 file changed, 78 insertions(+), 50 deletions(-) diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md index b6be3b5acd..d17a7a9d77 100644 --- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md @@ -40,56 +40,84 @@ We used the following methodology to derive these network endpoints: | **Destination** | **Protocol** | **Description** | | --- | --- | --- | -|\*.aria.microsoft.com\* | HTTPS | Office Telemetry -|\*.dl.delivery.mp.microsoft.com\* | HTTP | Enables connections to Windows Update. -|\*.download.windowsupdate.com\* | HTTP | Used to download operating system patches and updates. -|\*.g.akamai.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. -|\*.msn.com\* |TLSv1.2/HTTPS | Windows Spotlight related traffic -|\*.Skype.com | HTTP/HTTPS | Skype related traffic -|\*.smartscreen.microsoft.com\* | HTTPS | Windows Defender Smartscreen related traffic -|\*.telecommand.telemetry.microsoft.com\* | HTTPS | Used by Windows Error Reporting. -|\*cdn.onenote.net* | HTTP | OneNote related traffic -|\*displaycatalog.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store. -|\*emdl.ws.microsoft.com\* | HTTP | Windows Update related traffic -|\*geo-prod.do.dsp.mp.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update. -|\*hwcdn.net* | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. -|\*img-prod-cms-rt-microsoft-com.akamaized.net* | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). -|\*maps.windows.com\* | HTTPS | Related to Maps application. -|\*msedge.net* | HTTPS | Used by OfficeHub to get the metadata of Office apps. -|\*nexusrules.officeapps.live.com\* | HTTPS | Office Telemetry -|\*photos.microsoft.com\* | HTTPS | Photos App related traffic -|\*prod.do.dsp.mp.microsoft.com\* |TLSv1.2/HTTPS | Used for Windows Update downloads of apps and OS updates. -|\*wac.phicdn.net* | HTTP | Windows Update related traffic -|\*windowsupdate.com\* | HTTP | Windows Update related traffic -|\*wns.windows.com\* | HTTPS, TLSv1.2 | Used for the Windows Push Notification Services (WNS). -|\*wpc.v0cdn.net* | | Windows Telemetry related traffic -|auth.gfx.ms/16.000.27934.1/OldConvergedLogin_PCore.js | | MSA related -|evoke-windowsservices-tas.msedge* | HTTPS | The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -|fe2.update.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. -|fe3.\*.mp.microsoft.com.\* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. -|fs.microsoft.com | | Font Streaming (in ENT traffic) -|g.live.com\* | HTTPS | Used by OneDrive -|iriscoremetadataprod.blob.core.windows.net | HTTPS | Windows Telemetry -|mscrl.microsoft.com | | Certificate Revocation List related traffic. -|ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities. -|officeclient.microsoft.com | HTTPS | Office related traffic. -|oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. -|purchase.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store. -|query.prod.cms.rt.microsoft.com\* | HTTPS | Used to retrieve Windows Spotlight metadata. -|ris.api.iris.microsoft.com\* |TLSv1.2/HTTPS | Used to retrieve Windows Spotlight metadata. -|ris-prod-atm.trafficmanager.net | HTTPS | Azure traffic manager -|settings.data.microsoft.com\* | HTTPS | Used for Windows apps to dynamically update their configuration. -|settings-win.data.microsoft.com\* | HTTPS | Used for Windows apps to dynamically update their configuration. -|sls.update.microsoft.com\* |TLSv1.2/HTTPS | Enables connections to Windows Update. -|store*.dsx.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store. -|storecatalogrevocation.storequality.microsoft.com\* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. -|store-images.s-microsoft.com\* | HTTP | Used to get images that are used for Microsoft Store suggestions. -|tile-service.weather.microsoft.com\* | HTTP | Used to download updates to the Weather app Live Tile. -|tsfe.trafficshaping.dsp.mp.microsoft.com\* |TLSv1.2 | Used for content regulation. -|v10.events.data.microsoft.com | HTTPS | Diagnostic Data -|wdcp.microsoft.* |TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. -|wd-prod-cp-us-west-1-fe.westus.cloudapp.azure.com | HTTPS | Windows Defender related traffic. -|www.bing.com* | HTTP | Used for updates for Cortana, apps, and Live Tiles. +|\*.aria.microsoft.com*|HTTPS|Microsoft Office Telemetry +|\*.b.akamai*.net|HTTPS|Used to check for updates to Maps that have been downloaded for offline use +|\*.c-msedge.net|HTTP|Microsoft Office +|\*.dl.delivery.mp.microsoft.com*|HTTP|Enables connections to Windows Update +|\*.download.windowsupdate.com*|HTTP|Used to download operating system patches and updates +|\*.g.akamai*.net|HTTPS|Used to check for updates to Maps that have been downloaded for offline use +|\*.login.msa.*.net|HTTPS|Microsoft Account related +|\*.msn.com*|TLSv1.2/HTTPS|Windows Spotlight +|\*.skype.com|HTTP/HTTPS|Skype +|\*.smartscreen.microsoft.com*|HTTPS|Windows Defender Smartscreen +|\*.telecommand.telemetry.microsoft.com*|HTTPS|Used by Windows Error Reporting +|*cdn.onenote.net*|HTTP|OneNote +|*displaycatalog.*mp.microsoft.com*|HTTPS|Used to communicate with Microsoft Store +|*emdl.ws.microsoft.com*|HTTP|Windows Update +|*geo-prod.do.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update +|*hwcdn.net*|HTTP|Highwinds Content Delivery Network / Windows updates +|*img-prod-cms-rt-microsoft-com.*|HTTPS|Microsoft Store or Inbox MSN Apps image download +|*licensing.*mp.microsoft.com*|HTTPS|Licensing +|*maps.windows.com*|HTTPS|Related to Maps application +|*msedge.net*|HTTPS|Used by Microsoft OfficeHub to get the metadata of Microsoft Office apps +|*nexusrules.officeapps.live.com*|HTTPS|Microsoft Office Telemetry +|*photos.microsoft.com*|HTTPS|Photos App +|*prod.do.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Used for Windows Update downloads of apps and OS updates +|*purchase.md.mp.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store +|*settings.data.microsoft.com.akadns.net|HTTPS|Used for Windows apps to dynamically update their configuration +|*wac.phicdn.net*|HTTP|Windows Update +|*windowsupdate.com*|HTTP|Windows Update +|*wns.*windows.com*|TLSv1.2/HTTPS|Used for the Windows Push Notification Services (WNS) +|*wpc.v0cdn.net*|HTTP|Windows Telemetry +|arc.msn.com|HTTPS|Spotlight +|auth.gfx.ms*|HTTPS|MSA related +|cdn.onenote.net|HTTPS|OneNote Live Tile +|dmd.metaservices.microsoft.com*|HTTP|Device Authentication +|e-0009.e-msedge.net|HTTPS|Microsoft Office +|e10198.b.akamaiedge.net|HTTPS|Maps application +|evoke-windowsservices-tas.msedge*|HTTPS|Photos app +|fe2.update.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store +|fe3.*.mp.microsoft.com.*|TLSv1.2/HTTPS|Windows Update, Microsoft Update, and Microsoft Store services +|g.live.com*|HTTPS|OneDrive +|go.microsoft.com|HTTP|Windows Defender +|iriscoremetadataprod.blob.core.windows.net|HTTPS|Windows Telemetry +|login.live.com|HTTPS|Device Authentication +|msagfx.live.com|HTTP|OneDrive +|ocsp.digicert.com*|HTTP|CRL and OCSP checks to the issuing certificate authorities +|officeclient.microsoft.com|HTTPS|Microsoft Office +|oneclient.sfx.ms*|HTTPS|Used by OneDrive for Business to download and verify app updates +|onecollector.cloudapp.aria.akadns.net|HTTPS|Microsoft Office +|ow1.res.office365.com|HTTP|Microsoft Office +|pti.store.microsoft.com|HTTPS|Microsoft Store +|purchase.mp.microsoft.com*|HTTPS|Used to communicate with Microsoft Store +|query.prod.cms.rt.microsoft.com*|HTTPS|Used to retrieve Windows Spotlight metadata +|ris.api.iris.microsoft.com*|TLSv1.2/HTTPS|Used to retrieve Windows Spotlight metadata +|ris-prod-atm.trafficmanager.net|HTTPS|Azure traffic manager +|s-0001.s-msedge.net|HTTPS|Microsoft Office +|self.events.data.microsoft.com|HTTPS|Microsoft Office +|settings.data.microsoft.com*|HTTPS|Used for Windows apps to dynamically update their configuration +|settings-win.data.microsoft.com*|HTTPS|Used for Windows apps to dynamically update their configuration +|share.microsoft.com|HTTPS|Microsoft Store +|skypeecs-prod-usw-0.cloudapp.net|HTTPS|Microsoft Store +|sls.update.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update +|slscr.update.microsoft.com*|HTTPS|Enables connections to Windows Update +|store*.dsx.mp.microsoft.com*|HTTPS|Used to communicate with Microsoft Store +|storecatalogrevocation.storequality.microsoft.com|HTTPS|Microsoft Store +|storecatalogrevocation.storequality.microsoft.com*|HTTPS|Used to revoke licenses for malicious apps on the Microsoft Store +|store-images.*microsoft.com*|HTTP|Used to get images that are used for Microsoft Store suggestions +|storesdk.dsx.mp.microsoft.com|HTTP|Microsoft Store +|tile-service.weather.microsoft.com*|HTTP|Used to download updates to the Weather app Live Tile +|time.windows.com|HTTP|Microsoft Windows Time related +|tsfe.trafficshaping.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Used for content regulation +|v10.events.data.microsoft.com|HTTPS|Diagnostic Data +|watson.telemetry.microsoft.com|HTTPS|Diagnostic Data +|wdcp.microsoft.*|TLSv1.2, HTTPS|Used for Windows Defender when Cloud-based Protection is enabled +|wd-prod-cp-us-west-1-fe.westus.cloudapp.azure.com|HTTPS|Windows Defender +|wusofficehome.msocdn.com|HTTPS|Microsoft Office +|www.bing.com*|HTTP|Used for updates for Cortana, apps, and Live Tiles +|www.msftconnecttest.com|HTTP|Network Connection (NCSI) +|www.office.com|HTTPS|Microsoft Office + ## Windows 10 Pro From ec9c3676fce744d81cd501ddacd0bb7d334b2fe4 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 8 May 2019 19:04:42 -0700 Subject: [PATCH 314/492] Update windows-endpoints-1903-non-enterprise-editions.md --- .../privacy/windows-endpoints-1903-non-enterprise-editions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md index d17a7a9d77..2d162078d9 100644 --- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md @@ -56,7 +56,7 @@ We used the following methodology to derive these network endpoints: |*emdl.ws.microsoft.com*|HTTP|Windows Update |*geo-prod.do.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update |*hwcdn.net*|HTTP|Highwinds Content Delivery Network / Windows updates -|*img-prod-cms-rt-microsoft-com.*|HTTPS|Microsoft Store or Inbox MSN Apps image download +|*img-prod-cms-rt-microsoft-com*|HTTPS|Microsoft Store or Inbox MSN Apps image download |*licensing.*mp.microsoft.com*|HTTPS|Licensing |*maps.windows.com*|HTTPS|Related to Maps application |*msedge.net*|HTTPS|Used by Microsoft OfficeHub to get the metadata of Microsoft Office apps From 294d08f16e964c2721de6689a6f59fee058d40cf Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 8 May 2019 19:19:17 -0700 Subject: [PATCH 315/492] Update windows-endpoints-1903-non-enterprise-editions.md --- ...-endpoints-1903-non-enterprise-editions.md | 91 ++++++++++++++----- 1 file changed, 70 insertions(+), 21 deletions(-) diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md index 2d162078d9..25dd51cf33 100644 --- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md @@ -123,27 +123,76 @@ We used the following methodology to derive these network endpoints: | **Destination** | **Protocol** | **Description** | | --- | --- | --- | -| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | -| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.tlu.dl.delivery.mp.microsoft.com/* | HTTP | Enables connections to Windows Update. | -| *geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | -| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| au.download.windowsupdate.com/* | HTTP | Enables connections to Windows Update. | -| ctldl.windowsupdate.com/msdownload/update/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS) | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | -| location-inference-westus.cloudapp.net | HTTPS | Used for location data. | -| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | -| ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | -| vip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic | +|\*.cloudapp.azure.com|HTTPS|Azure +|\*.delivery.dsp.mp.microsoft.com.nsatc.net|HTTPS|Windows Update, Microsoft Update, and Microsoft Store services +|\*.displaycatalog.md.mp.microsoft.com.akadns.net|HTTPS|Microsoft Store +|\*.dl.delivery.mp.microsoft.com*|HTTP|Enables connections to Windows Update +|\*.e-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps +|\*.g.akamaiedge.net|HTTPS|Used to check for updates to maps that have been downloaded for offline use +|\*.s-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps +|\*.windowsupdate.com*|HTTP|Enables connections to Windows Update +|\*.wns.notify.windows.com.akadns.net|HTTPS|Used for the Windows Push Notification Services (WNS) +|\*dsp.mp.microsoft.com.nsatc.net|HTTPS|Enables connections to Windows Update +|\*c-msedge.net|HTTP|Office +|a1158.g.akamai.net|HTTP|Maps application +|arc.msn.com*|HTTP / HTTPS|Used to retrieve Windows Spotlight metadata +|blob.mwh01prdstr06a.store.core.windows.net|HTTPS|Microsoft Store +|browser.pipe.aria.microsoft.com|HTTPS|Microsoft Office +|bubblewitch3mobile.king.com|HTTPS|Bubble Witch application +|candycrush.king.com|HTTPS|Candy Crush application +|cdn.onenote.net|HTTP|Microsoft OneNote +|cds.p9u4n2q3.hwcdn.net|HTTP|Highwinds Content Delivery Network traffic for Windows updates +|client.wns.windows.com|HTTPS|Winddows Notification System +|co4.telecommand.telemetry.microsoft.com.akadns.net|HTTPS|Windows Error Reporting +|config.edge.skype.com|HTTPS|Microsoft Skype +|cs11.wpc.v0cdn.net|HTTP|Windows Telemetry +|cs9.wac.phicdn.net|HTTP|Windows Update +|cy2.licensing.md.mp.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store +|cy2.purchase.md.mp.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store +|cy2.settings.data.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store +|dmd.metaservices.microsoft.com.akadns.net|HTTP|Device Authentication +|e-0009.e-msedge.net|HTTPS|Microsoft Office +|e10198.b.akamaiedge.net|HTTPS|Maps application +|fe3.update.microsoft.com|HTTPS|Windows Update +|g.live.com|HTTPS|Microsoft OneDrive +|g.msn.com.nsatc.net|HTTPS|Used to retrieve Windows Spotlight metadata +|geo-prod.do.dsp.mp.microsoft.com|HTTPS|Windows Update +|go.microsoft.com|HTTP|Windows Defender +|iecvlist.microsoft.com|HTTPS|Microsoft Edge +|img-prod-cms-rt-microsoft-com.akamaized.net|HTTP / HTTPS|Microsoft Store +|ipv4.login.msa.akadns6.net|HTTPS|Used for Microsoft accounts to sign in +|licensing.mp.microsoft.com|HTTP|Licensing +|location-inference-westus.cloudapp.net|HTTPS|Used for location data +|login.live.com|HTTP|Device Authentication +|maps.windows.com|HTTP|Maps application +|modern.watson.data.microsoft.com.akadns.net|HTTPS|Used by Windows Error Reporting +|msagfx.live.com|HTTP|OneDrive +|nav.smartscreen.microsoft.com|HTTPS|Windows Defender +|ocsp.digicert.com*|HTTP|CRL and OCSP checks to the issuing certificate authorities +|oneclient.sfx.ms|HTTP|OneDrive +|pti.store.microsoft.com|HTTPS|Microsoft Store +|ris.api.iris.microsoft.com.akadns.net|HTTPS|Used to retrieve Windows Spotlight metadata +|ris-prod-atm.trafficmanager.net|HTTPS|Azure +|s2s.config.skype.com|HTTP|Microsoft Skype +|settings-win.data.microsoft.com|HTTPS|Application settings +|share.microsoft.com|HTTPS|Microsoft Store +|skypeecs-prod-usw-0.cloudapp.net|HTTPS|Microsoft Skype +|slscr.update.microsoft.com|HTTPS|Windows Update +|storecatalogrevocation.storequality.microsoft.com|HTTPS|Microsoft Store +|store-images.microsoft.com|HTTPS|Microsoft Store +|tile-service.weather.microsoft.com/*|HTTP|Used to download updates to the Weather app Live Tile +|time.windows.com|HTTP|Windows time +|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTPS|Used for content regulation +|v10.events.data.microsoft.com*|HTTPS|Microsoft Office +|vip5.afdorigin-prod-am02.afdogw.com|HTTPS|Used to serve office 365 experimentation traffic +|watson.telemetry.microsoft.com|HTTPS|Telemetry +|wdcp.microsoft.com|HTTPS|Windows Defender +|wusofficehome.msocdn.com|HTTPS|Microsoft Office +|www.bing.com|HTTPS|Cortana and Search +|www.microsoft.com|HTTP|Diagnostic +|www.msftconnecttest.com|HTTP|Network connection +|www.office.com|HTTPS|Microsoft Office + ## Windows 10 Education From 2d64996a22c8185a3d1b3325628fb04622f37aec Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Wed, 8 May 2019 19:31:51 -0700 Subject: [PATCH 316/492] Update windows-endpoints-1903-non-enterprise-editions.md --- ...-endpoints-1903-non-enterprise-editions.md | 109 +++++++++++------- 1 file changed, 70 insertions(+), 39 deletions(-) diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md index 25dd51cf33..44fadd939e 100644 --- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md @@ -199,42 +199,73 @@ We used the following methodology to derive these network endpoints: | **Destination** | **Protocol** | **Description** | | --- | --- | --- | -| *.b.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | -| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | -| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| *.tlu.dl.delivery.mp.microsoft.com\* | HTTP | Enables connections to Windows Update. | -| *.windowsupdate.com\* | HTTP | Enables connections to Windows Update. | -| *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| au.download.windowsupdate.com\* | HTTP | Enables connections to Windows Update. | -| cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. | -| client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | -| config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values.  | -| ctldl.windowsupdate.com/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| displaycatalog.mp.microsoft.com/* | HTTPS | Used to communicate with Microsoft Store. | -| download.windowsupdate.com/* | HTTPS | Enables connections to Windows Update. | -| emdl.ws.microsoft.com/* | HTTP | Used to download apps from the Microsoft Store. | -| fe2.update.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.mp.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| g.live.com/odclientsettings/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | -| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | -| licensing.mp.microsoft.com/* | HTTPS | Used for online activation and some app licensing. | -| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application | -| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | -| ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | -| oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | -| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. | -| sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. | -| storecatalogrevocation.storequality.microsoft.com/* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | -| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | -| vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | -| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | -| bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | +|\*.b.akamaiedge.net|HTTPS|Used to check for updates to maps that have been downloaded for offline use +|\*.c-msedge.net|HTTP|Used by OfficeHub to get the metadata of Office apps +|\*.dl.delivery.mp.microsoft.com*|HTTP|Windows Update +|\*.e-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps +|\*.g.akamaiedge.net|HTTPS|Used to check for updates to Maps that have been downloaded for offline use +|\*.licensing.md.mp.microsoft.com.akadns.net|HTTPS|Microsoft Store +|\*.settings.data.microsoft.com.akadns.net|HTTPS|Microsoft Store +|\*.skype.com*|HTTPS|Used to retrieve Skype configuration values +|\*.smartscreen*.microsoft.com|HTTPS|Windows Defender +|\*.s-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps +|\*.telecommand.telemetry.microsoft.com*|HTTPS|Used by Windows Error Reporting +|\*.wac.phicdn.net|HTTP|Windows Update +|\*.windowsupdate.com*|HTTP|Windows Update +|\*.wns.windows.com|HTTPS|Windows Notifications Service +|\*.wpc.*.net|HTTP|Diagnostic Data +|\*displaycatalog.md.mp.microsoft.com.akadns.net|HTTPS|Microsoft Store +|\*dsp.mp.microsoft.com|HTTPS|Windows Update +|a1158.g.akamai.net|HTTP|Maps +|a122.dscg3.akamai.net|HTTP|Maps +|a767.dscg3.akamai.net|HTTP|Maps +|au.download.windowsupdate.com*|HTTP|Windows Update +|bing.com/*|HTTPS|Used for updates for Cortana, apps, and Live Tiles +|blob.dz5prdstr01a.store.core.windows.net|HTTPS|Microsoft Store +|browser.pipe.aria.microsoft.com|HTTP|Used by OfficeHub to get the metadata of Office apps +|cdn.onenote.net/livetile/*|HTTPS|Used for OneNote Live Tile +|cds.p9u4n2q3.hwcdn.net|HTTP|Used by the Highwinds Content Delivery Network to perform Windows updates +|client-office365-tas.msedge.net/*|HTTPS|Office 365 porta and Office Online +|ctldl.windowsupdate.com*|HTTP|Used to download certificates that are publicly known to be fraudulent +|displaycatalog.mp.microsoft.com/*|HTTPS|Microsoft Store +|dmd.metaservices.microsoft.com*|HTTP|Device Authentication +|download.windowsupdate.com*|HTTPS|Windows Update +|emdl.ws.microsoft.com/*|HTTP|Used to download apps from the Microsoft Store +|evoke-windowsservices-tas.msedge.net|HTTPS|Photo app +|fe2.update.microsoft.com*|HTTPS|Windows Update, Microsoft Update, Microsoft Store services +|fe3.delivery.dsp.mp.microsoft.com.nsatc.net|HTTPS|Windows Update, Microsoft Update, Microsoft Store services +|fe3.delivery.mp.microsoft.com*|HTTPS|Windows Update, Microsoft Update, Microsoft Store services +|g.live.com*|HTTPS|Used by OneDrive for Business to download and verify app updates +|g.msn.com.nsatc.net|HTTPS|Used to retrieve Windows Spotlight metadata +|go.microsoft.com|HTTP|Windows Defender +|iecvlist.microsoft.com|HTTPS|Microsoft Edge browser +|ipv4.login.msa.akadns6.net|HTTPS|Used for Microsoft accounts to sign in +|licensing.mp.microsoft.com*|HTTPS|Used for online activation and some app licensing +|login.live.com|HTTPS|Device Authentication +|maps.windows.com/windows-app-web-link|HTTPS|Maps application +|modern.watson.data.microsoft.com.akadns.net|HTTPS|Used by Windows Error Reporting +|msagfx.live.com|HTTPS|OneDrive +|ocos-office365-s2s.msedge.net/*|HTTPS|Used to connect to the Office 365 portal's shared infrastructure +|ocsp.digicert.com*|HTTP|CRL and OCSP checks to the issuing certificate authorities +|oneclient.sfx.ms/*|HTTPS|Used by OneDrive for Business to download and verify app updates +|onecollector.cloudapp.aria.akadns.net|HTTPS|Microsoft Office +|pti.store.microsoft.com|HTTPS|Microsoft Store +|settings-win.data.microsoft.com/settings/*|HTTPS|Used as a way for apps to dynamically update their configuration +|share.microsoft.com|HTTPS|Microsoft Store +|skypeecs-prod-usw-0.cloudapp.net|HTTPS|Skype +|sls.update.microsoft.com*|HTTPS|Windows Update +|storecatalogrevocation.storequality.microsoft.com*|HTTPS|Used to revoke licenses for malicious apps on the Microsoft Store +|tile-service.weather.microsoft.com*|HTTP|Used to download updates to the Weather app Live Tile +|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTPS|Windows Update +|v10.events.data.microsoft.com*|HTTPS|Diagnostic Data +|vip5.afdorigin-prod-ch02.afdogw.com|HTTPS|Used to serve Office 365 experimentation traffic +|watson.telemetry.microsoft.com*|HTTPS|Used by Windows Error Reporting +|wdcp.microsoft.com|HTTPS|Windows Defender +|wd-prod-cp-us-east-1-fe.eastus.cloudapp.azure.com|HTTPS|Azure +|wusofficehome.msocdn.com|HTTPS|Microsoft Office +|www.bing.com|HTTPS|Cortana and Search +|www.microsoft.com|HTTP|Diagnostic Data +|www.microsoft.com/pkiops/certs/*|HTTP|CRL and OCSP checks to the issuing certificate authorities +|www.msftconnecttest.com|HTTP|Network Connection +|www.office.com|HTTPS|Microsoft Office + From 16577f4056c0a629a2a3a503476030de93bed559 Mon Sep 17 00:00:00 2001 From: Malin De Silva Date: Thu, 9 May 2019 08:26:19 +0530 Subject: [PATCH 317/492] added not supportive line for pro editions --- .../windows-defender-application-guard/reqs-wd-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md index 1cb8fce44c..741592efe2 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md @@ -36,6 +36,6 @@ Your environment needs the following software to run Windows Defender Applicatio |Software|Description| |--------|-----------| -|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition version 1803 or higher
Windows 10 Education edition, version 1903 or higher| +|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition version 1803 or higher
Windows 10 Education edition, version 1903 or higher
Professional editions are only supportive for the non-managed devices; Intune or any other 3rd party mobile device management(MDM) solutions are not supportive with WDAG for Professional editions. | |Browser|Microsoft Edge and Internet Explorer| |Management system
(only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/intune/)

**-OR-**

[System Center Configuration Manager](https://docs.microsoft.com/sccm/)

**-OR-**

[Group Policy](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx)

**-OR-**

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| From 816a1c8e5f6eec2f02e5ba213a5e039f24508c76 Mon Sep 17 00:00:00 2001 From: KC Cross Date: Wed, 8 May 2019 20:58:21 -0700 Subject: [PATCH 318/492] Trailing slash required for docset --- acrolinx-config.edn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acrolinx-config.edn b/acrolinx-config.edn index 7f639efb92..b235e443b5 100644 --- a/acrolinx-config.edn +++ b/acrolinx-config.edn @@ -1,3 +1,3 @@ {:allowed-branchname-matches ["master"] - :allowed-filename-matches ["windows"] + :allowed-filename-matches ["windows/"] } From 3e80f2b5777a6ba91c4f8701338bdb1045212e83 Mon Sep 17 00:00:00 2001 From: botmoto <42125490+botmoto@users.noreply.github.com> Date: Thu, 9 May 2019 04:57:14 -0700 Subject: [PATCH 319/492] Update credential-guard-manage.md Cosmetic formatting --- .../credential-guard/credential-guard-manage.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index e02b561b04..59b6865e4e 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -128,8 +128,7 @@ DG_Readiness_Tool_v3.5.ps1 -Ready ``` > [!NOTE] - -For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features. +> For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features. - We recommend enabling Windows Defender Credential Guard before a device is joined to a domain. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. In other words, enabling Credential Guard will not help to secure a device or identity that has already been compromised, which is why we recommend turning on Credential Guard as early as possible. From 8debfd65035ef44784a7beaeaf47914fa82b7a5e Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 9 May 2019 17:06:58 +0500 Subject: [PATCH 320/492] Sentence was confusing The sentence was confusing so I made a correction where now it makes more sense that when MDM policy is configured, it will win over GP. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3379 --- .../client-management/mdm/policy-csp-controlpolicyconflict.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index f6626284ef..c51f4ad30a 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -67,7 +67,7 @@ Added in Windows 10, version 1803. This policy allows the IT admin to control wh > [!Note] > MDMWinsOverGP only applies to policies in Policy CSP. It does not apply to other MDM settings with equivalent GP settings that are defined on other configuration service providers. -This policy is used to ensure that MDM policy wins over GP when same setting is set by both GP and MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1. +This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1. Note: This policy doesn’t support the Delete command and doesn’t support setting the value to 0 again after it was previously set to 1. Windows 10 version 1809 will support using the Delete command to set the value to 0 again, if it was previously set to 1. The following list shows the supported values: From 1da22a72a5fc239e82570c666f4dbcfbd48ceaa2 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 9 May 2019 05:23:38 -0700 Subject: [PATCH 321/492] Update reqs-wd-app-guard.md --- .../windows-defender-application-guard/reqs-wd-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md index 741592efe2..25b4ede41d 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md @@ -36,6 +36,6 @@ Your environment needs the following software to run Windows Defender Applicatio |Software|Description| |--------|-----------| -|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition version 1803 or higher
Windows 10 Education edition, version 1903 or higher
Professional editions are only supportive for the non-managed devices; Intune or any other 3rd party mobile device management(MDM) solutions are not supportive with WDAG for Professional editions. | +|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition version 1803 or higher
Windows 10 Education edition, version 1903 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with WDAG for Professional editions. | |Browser|Microsoft Edge and Internet Explorer| |Management system
(only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/intune/)

**-OR-**

[System Center Configuration Manager](https://docs.microsoft.com/sccm/)

**-OR-**

[Group Policy](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx)

**-OR-**

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| From c1f385942dab5d5cdad178621bc6a91da1920d02 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 9 May 2019 17:28:50 +0500 Subject: [PATCH 322/492] Removed random alpha-neumaric value As the user suggested, removed the random value and inserted the guideline to let the user know what to insert here. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/1239 --- .../mdm/federated-authentication-device-enrollment.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/federated-authentication-device-enrollment.md b/windows/client-management/mdm/federated-authentication-device-enrollment.md index 22ee108fb4..6a8c928ee7 100644 --- a/windows/client-management/mdm/federated-authentication-device-enrollment.md +++ b/windows/client-management/mdm/federated-authentication-device-enrollment.md @@ -553,7 +553,7 @@ The following code shows sample provisioning XML (presented in the preceding pac - + @@ -562,7 +562,7 @@ The following code shows sample provisioning XML (presented in the preceding pac - + From 99f5ae268f16739cf7a0a224eab6860068a1b893 Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 9 May 2019 09:25:20 -0400 Subject: [PATCH 323/492] refining text, linting, CL commands in resources --- ...osoft-defender-atp-mac-install-manually.md | 40 +--- ...ft-defender-atp-mac-install-with-intune.md | 16 +- ...soft-defender-atp-mac-install-with-jamf.md | 197 ++++++++++++------ .../microsoft-defender-atp-mac-resources.md | 32 ++- .../microsoft-defender-atp-mac.md | 6 +- 5 files changed, 177 insertions(+), 114 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md index 27b3a8f924..eecb31f9e4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -1,27 +1,27 @@ --- -title: Installing Microsoft Defender ATP for Mac with JAMF -description: Describes how to install Microsoft Defender ATP for Mac, using JAMF. +title: Installing Microsoft Defender ATP for Mac manually +description: Describes how to install Microsoft Defender ATP for Mac manually, from the command line. keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra search.product: eADQiWindows 10XVcnh -search.appverid: #met150 +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.author: v-maave author: martyav -ms.localizationpriority: #medium +ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance -ms.topic: #conceptual +ms.topic: conceptual --- # Manual deployment **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -31,7 +31,7 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only ## Prerequisites and system requirements -Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. +Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. ## Download installation and onboarding packages @@ -114,32 +114,10 @@ After installation, you'll see the Microsoft Defender icon in the macOS status b ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) -## Configuring from the command line - -Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line: - -|Group |Scenario |Command | -|-------------|-------------------------------------------|-----------------------------------------------------------------------| -|Configuration|Turn on/off real-time protection |`mdatp config --rtp [true/false]` | -|Configuration|Turn on/off cloud protection |`mdatp config --cloud [true/false]` | -|Configuration|Turn on/off product diagnostics |`mdatp config --diagnostic [true/false]` | -|Configuration|Turn on/off automatic sample submission |`mdatp config --sample-submission [true/false]` | -|Configuration|Turn on PUA protection |`mdatp threat --type-handling --potentially_unwanted_application block`| -|Configuration|Turn off PUA protection |`mdatp threat --type-handling --potentially_unwanted_application off` | -|Configuration|Turn on audit mode for PUA protection |`mdatp threat --type-handling --potentially_unwanted_application audit`| -|Diagnostics |Change the log level |`mdatp log-level --[error/warning/info/verbose]` | -|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic` | -|Health |Check the product's health |`mdatp --health` | -|Protection |Scan a path |`mdatp scan --path [path]` | -|Protection |Do a quick scan |`mdatp scan --quick` | -|Protection |Do a full scan |`mdatp scan --full` | -|Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` | -|Protection |Request a definition update |`mdatp --signature-update` | - ## Logging installation issues -See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. +See [Logging installation issues](microsoft-defender-atp-mac-resources.md#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. ## Uninstallation -See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file +See [Uninstalling](microsoft-defender-atp-mac-resources.md#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md index 8af90fded1..bf6854e899 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md @@ -3,25 +3,25 @@ title: Installing Microsoft Defender ATP for Mac with Microsoft Intune description: Describes how to install Microsoft Defender ATP for Mac, using Microsoft Intune. keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra search.product: eADQiWindows 10XVcnh -search.appverid: #met150 +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.author: v-maave author: martyav -ms.localizationpriority: #medium +ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance -ms.topic: #conceptual +ms.topic: conceptual --- # Microsoft Intune-based deployment **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -31,7 +31,7 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only ## Prerequisites and system requirements -Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. +Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. ## Download installation and onboarding packages @@ -47,7 +47,7 @@ Download the installation and onboarding packages from Windows Defender Security 6. From a command prompt, verify that you have the three files. Extract the contents of the .zip files: - + ```bash mavel-macmini:Downloads test$ ls -l total 721688 @@ -166,8 +166,8 @@ After Intune changes are propagated to the enrolled machines, you'll see it on t ## Logging installation issues -See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. +See [Logging installation issues](microsoft-defender-atp-mac-resources.md#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. ## Uninstallation -See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file +See [Uninstalling](microsoft-defender-atp-mac-resources.md#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md index 27b3a8f924..eead3818a7 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md @@ -3,25 +3,25 @@ title: Installing Microsoft Defender ATP for Mac with JAMF description: Describes how to install Microsoft Defender ATP for Mac, using JAMF. keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra search.product: eADQiWindows 10XVcnh -search.appverid: #met150 +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.author: v-maave author: martyav -ms.localizationpriority: #medium +ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance -ms.topic: #conceptual +ms.topic: conceptual --- -# Manual deployment +# JAMF-based deployment **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -31,14 +31,16 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only ## Prerequisites and system requirements -Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. +Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. + +In addition, for JAMF deployment, you need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes having a properly configured distribution point. JAMF has many ways to complete the same task. These instructions provide an example for most common processes. Your organization might use a different workflow. ## Download installation and onboarding packages Download the installation and onboarding packages from Windows Defender Security Center: 1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. 3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. 4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. @@ -46,100 +48,161 @@ Download the installation and onboarding packages from Windows Defender Security 5. From a command prompt, verify that you have the two files. Extract the contents of the .zip files: - + ```bash - mavel-macmini:Downloads test$ ls -l - total 721152 - -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip + mavel-macmini:Downloads test$ ls -l + total 721160 + -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip Archive: WindowsDefenderATPOnboardingPackage.zip - inflating: WindowsDefenderATPOnboarding.py + warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators + inflating: intune/kext.xml + inflating: intune/WindowsDefenderATPOnboarding.xml + inflating: jamf/WindowsDefenderATPOnboarding.plist + mavel-macmini:Downloads test$ ``` -## Application installation +## Create JAMF Policies -To complete this process, you must have admin privileges on the machine. +You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client machines. -1. Navigate to the downloaded wdav.pkg in Finder and open it. +### Configuration Profile - ![App install screenshot](images/MDATP_28_AppInstall.png) +The configuration profile contains one custom settings payload that includes: -2. Select **Continue**, agree with the License terms, and enter the password when prompted. +- Microsoft Defender ATP for Mac onboarding information +- Approved Kernel Extensions payload to enable the Microsoft kernel driver to run - ![App install screenshot](images/MDATP_29_AppInstallLogin.png) +1. Upload jamf/WindowsDefenderATPOnboarding.plist as the Property List File. - > [!IMPORTANT] - > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. + >[!NOTE] + > You must use exactly "com.microsoft.wdav.atp" as the Preference Domain. - ![App install screenshot](images/MDATP_30_SystemExtension.png) + ![Configuration profile screenshot](images/MDATP_16_PreferenceDomain.png) -3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: +### Approved Kernel Extension - ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png) +To approve the kernel extension: -The installation will proceed. +1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. +2. Use **UBF8T346G9** for Team Id. + +![Approved kernel extensions screenshot](images/MDATP_17_approvedKernelExtensions.png) + +#### Configuration Profile's Scope + +Configure the appropriate scope to specify the machines that will receive this configuration profile. + +Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers. + +![Configuration profile scope screenshot](images/MDATP_18_ConfigurationProfilesScope.png) + +Save the **Configuration Profile**. + +Use the **Logs** tab to monitor deployment status for each enrolled machine. + +### Package + +1. Create a package in **Settings > Computer Management > Packages**. + + ![Computer management packages screenshot](images/MDATP_19_MicrosoftDefenderWDAVPKG.png) + +2. Upload wdav.pkg to the Distribution Point. +3. In the **filename** field, enter the name of the package. For example, wdav.pkg. + +### Policy + +Your policy should contain a single package for Microsoft Defender. + +![Microsoft Defender packages screenshot](images/MDATP_20_MicrosoftDefenderPackages.png) + +Configure the appropriate scope to specify the computers that will receive this policy. + +After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled machine. + +## Client machine setup + +You need no special provisioning for a macOS computer beyond the standard JAMF Enrollment. > [!NOTE] -> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time. +> After a computer is enrolled, it will show up in the Computers inventory (All Computers). -## Client configuration +1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. -1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. +![MDM approve button screenshot](images/MDATP_21_MDMProfile1.png) +![MDM screenshot](images/MDATP_22_MDMProfileApproved.png) - The client machine is not associated with orgId. Note that the orgid is blank. +After some time, the machine's User Approved MDM status will change to Yes. - ```bash - mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py - uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 - orgid : - ``` +![MDM status screenshot](images/MDATP_23_MDMStatus.png) -2. Install the configuration file on a client machine: +You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned. - ```bash - mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py - Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) - ``` +## Deployment -3. Verify that the machine is now associated with orgId: +Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected. - ```bash - mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py - uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 - orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8 - ``` +### Status on server -After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. +You can monitor the deployment status in the Logs tab: - ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) +- **Pending** means that the deployment is scheduled but has not yet happened +- **Completed** means that the deployment succeeded and is no longer scheduled -## Configuring from the command line +![Status on server screenshot](images/MDATP_24_StatusOnServer.png) -Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line: +### Status on client machine -|Group |Scenario |Command | -|-------------|-------------------------------------------|-----------------------------------------------------------------------| -|Configuration|Turn on/off real-time protection |`mdatp config --rtp [true/false]` | -|Configuration|Turn on/off cloud protection |`mdatp config --cloud [true/false]` | -|Configuration|Turn on/off product diagnostics |`mdatp config --diagnostic [true/false]` | -|Configuration|Turn on/off automatic sample submission |`mdatp config --sample-submission [true/false]` | -|Configuration|Turn on PUA protection |`mdatp threat --type-handling --potentially_unwanted_application block`| -|Configuration|Turn off PUA protection |`mdatp threat --type-handling --potentially_unwanted_application off` | -|Configuration|Turn on audit mode for PUA protection |`mdatp threat --type-handling --potentially_unwanted_application audit`| -|Diagnostics |Change the log level |`mdatp log-level --[error/warning/info/verbose]` | -|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic` | -|Health |Check the product's health |`mdatp --health` | -|Protection |Scan a path |`mdatp scan --path [path]` | -|Protection |Do a quick scan |`mdatp scan --quick` | -|Protection |Do a full scan |`mdatp scan --full` | -|Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` | -|Protection |Request a definition update |`mdatp --signature-update` | +After the Configuration Profile is deployed, you'll see the profile on the machine in the **System Preferences > Profiles >** Name of Configuration Profile. + +![Status on client screenshot](images/MDATP_25_StatusOnClient.png) + +After the policy is applied, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. + +![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +You can monitor policy installation on a machine by following the JAMF's log file: + +```bash + mavel-mojave:~ testuser$ tail -f /var/log/jamf.log + Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. + Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... + Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV + Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender... + Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender. + Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches... + Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. +``` + +You can also check the onboarding status: + +```bash + mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 + orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 + orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 +``` + +- **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set. + +- **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed. + +## Check onboarding status + +You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: + +```bash + sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' +``` + +This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. ## Logging installation issues -See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. +See [Logging installation issues](microsoft-defender-atp-mac-resources.md#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. ## Uninstallation -See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file +See [Uninstalling](microsoft-defender-atp-mac-resources.md#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index 09a4dcceae..c7d8d338eb 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -1,27 +1,27 @@ --- title: Microsoft Defender ATP for Mac Resources -description: Describes resources for Microsoft Defender ATP for Mac, including how to uninstall it, how to collect diagnostic logs, and known issues with the product. +description: Describes resources for Microsoft Defender ATP for Mac, including how to uninstall it, how to collect diagnostic logs, CLI commands, and known issues with the product. keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra search.product: eADQiWindows 10XVcnh -search.appverid: #met150 +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.author: v-maave author: martyav -ms.localizationpriority: #medium +ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance -ms.topic: #conceptual +ms.topic: conceptual --- # Resources **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -109,6 +109,28 @@ If you are running JAMF, your policy should contain a single script: Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. +## Configuring from the command line + +Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line: + +|Group |Scenario |Command | +|-------------|-------------------------------------------|-----------------------------------------------------------------------| +|Configuration|Turn on/off real-time protection |`mdatp config --rtp [true/false]` | +|Configuration|Turn on/off cloud protection |`mdatp config --cloud [true/false]` | +|Configuration|Turn on/off product diagnostics |`mdatp config --diagnostic [true/false]` | +|Configuration|Turn on/off automatic sample submission |`mdatp config --sample-submission [true/false]` | +|Configuration|Turn on PUA protection |`mdatp threat --type-handling --potentially_unwanted_application block`| +|Configuration|Turn off PUA protection |`mdatp threat --type-handling --potentially_unwanted_application off` | +|Configuration|Turn on audit mode for PUA protection |`mdatp threat --type-handling --potentially_unwanted_application audit`| +|Diagnostics |Change the log level |`mdatp log-level --[error/warning/info/verbose]` | +|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic` | +|Health |Check the product's health |`mdatp --health` | +|Protection |Scan a path |`mdatp scan --path [path]` | +|Protection |Do a quick scan |`mdatp scan --quick` | +|Protection |Do a full scan |`mdatp scan --full` | +|Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` | +|Protection |Request a definition update |`mdatp --signature-update` | + ## What to expect in the ATP portal - AV alerts: diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index af6205c2ca..416840ac2d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -44,9 +44,9 @@ In general you'll need to take the following steps: - Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal - Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: - - [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune) - - [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf) - - [Manual deployment](microsoft-defender-atp-mac-install-manually) + - [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune.md) + - [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md) + - [Manual deployment](microsoft-defender-atp-mac-install-manually.md) ### Prerequisites From a72734f71581f2d89be4ddbb7402cab473bd085b Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Thu, 9 May 2019 18:59:26 +0500 Subject: [PATCH 324/492] update win32-and-centennial-app-policy-configuration.md --- .../mdm/win32-and-centennial-app-policy-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md index d69549935e..9ead93e55b 100644 --- a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md +++ b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md @@ -51,7 +51,7 @@ When the ADMX policies are imported, the registry keys to which each policy is w > Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still import ADMX files and set ADMX-backed policies regardless of whether the device is domain joined or non-domain joined. > [!NOTE] -> Settings, that cannot be configured using custom policy ingestion, have to be set by pushing the appropriate registry keys directly (for example, by using PowerShell script). +> Settings that cannot be configured using custom policy ingestion have to be set by pushing the appropriate registry keys directly (for example, by using PowerShell script). ## Ingesting an app ADMX file From b5c59e32bc4ac40a650f4c440abdb63dc26301fd Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 9 May 2019 09:59:38 -0400 Subject: [PATCH 325/492] typos in links --- .../microsoft-defender-atp-mac-install-manually.md | 8 ++++---- .../microsoft-defender-atp-mac-install-with-intune.md | 8 ++++---- .../microsoft-defender-atp-mac-install-with-jamf.md | 8 ++++---- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md index eecb31f9e4..1df8b31e64 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -21,7 +21,7 @@ ms.topic: conceptual **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md) >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -31,7 +31,7 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only ## Prerequisites and system requirements -Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. +Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. ## Download installation and onboarding packages @@ -116,8 +116,8 @@ After installation, you'll see the Microsoft Defender icon in the macOS status b ## Logging installation issues -See [Logging installation issues](microsoft-defender-atp-mac-resources.md#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. +See [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. ## Uninstallation -See [Uninstalling](microsoft-defender-atp-mac-resources.md#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file +See [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md index bf6854e899..54e0829561 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md @@ -21,7 +21,7 @@ ms.topic: conceptual **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md) >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -31,7 +31,7 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only ## Prerequisites and system requirements -Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. +Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. ## Download installation and onboarding packages @@ -166,8 +166,8 @@ After Intune changes are propagated to the enrolled machines, you'll see it on t ## Logging installation issues -See [Logging installation issues](microsoft-defender-atp-mac-resources.md#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. +See [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. ## Uninstallation -See [Uninstalling](microsoft-defender-atp-mac-resources.md#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file +See [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md index eead3818a7..3e4122d3a0 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md @@ -21,7 +21,7 @@ ms.topic: conceptual **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md) >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -31,7 +31,7 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only ## Prerequisites and system requirements -Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. +Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. In addition, for JAMF deployment, you need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes having a properly configured distribution point. JAMF has many ways to complete the same task. These instructions provide an example for most common processes. Your organization might use a different workflow. @@ -201,8 +201,8 @@ This script returns 0 if Microsoft Defender ATP is registered with the Windows D ## Logging installation issues -See [Logging installation issues](microsoft-defender-atp-mac-resources.md#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. +See [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. ## Uninstallation -See [Uninstalling](microsoft-defender-atp-mac-resources.md#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file +See [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file From 34e77a00035ef4617f6ffee4798cf68c5f311d24 Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 9 May 2019 11:59:32 -0400 Subject: [PATCH 326/492] corrected list of settings, updated note on E5 --- ...ecurity-settings-with-tamper-protection.md | 32 +++++++++---------- 1 file changed, 15 insertions(+), 17 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 930eb2406a..16fceaea85 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -20,35 +20,33 @@ ms.author: v-anbic - Windows 10 Tamper protection helps prevent malicious apps from changing important security settings. These settings include: - + - Real-time protection - Cloud-delivered protection - IOfficeAntivirus (IOAV) - Behavior monitoring -- Scheduled scans -- Policy override settings - +- Removing security intelligence updates + With tamper protection set to **On**, you can still change these settings in the Windows Security app. The following apps and methods can't change these settings: - + - Mobile device management (MDM) apps like Intune - Enterprise configuration management apps like System Center Configuration Manager (SCCM) - Command line instruction MpCmdRun.exe -removedefinitions -dynamicsignatures - Windows System Image Manager (Windows SIM) settings DisableAntiSpyware and DisableAntiMalware (used in Windows unattended setup) - Group Policy - Other Windows Management Instrumentation (WMI) apps - + The tamper protection setting doesn't affect how third party antivirus apps register with the Windows Security app. - + On computers running Windows 10 Enterprise E5, users can't change the tamper protection setting. - + Tamper protection is On by default. If you set tamper protection to **Off**, you will see a yellow warning in the Windows Security app under **Virus & threat protection**. - -##Configure tamper protection - -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. -2. Select **Virus & threat protection**, then select **Virus & threat protection settings**. -3. Set **Tamper Protection** to **On** or **Off**. - + +## Configure tamper protection + +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +2. Select **Virus & threat protection**, then select **Virus & threat protection settings**. +3. Set **Tamper Protection** to **On** or **Off**. + >[!NOTE] ->If your computer is running Windows 10 Enterprise E5, you can't change the tamper protection setting. - +>If your computer is running Windows 10 Enterprise E5, you can't change the tamper protection settings from within Windows Security App. \ No newline at end of file From 26f085eeddcb189d96fcbca07c5ae82b33c15645 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 9 May 2019 09:40:06 -0700 Subject: [PATCH 327/492] Added 19H1 policies --- .../policy-configuration-service-provider.md | 6 + .../mdm/policy-csp-system.md | 152 +++++++++++++++++- 2 files changed, 155 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index a27926a537..f566cfd699 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -3111,6 +3111,9 @@ The following diagram shows the Policy configuration service provider in tree fo
System/AllowBuildPreview
+
+ System/AllowCommercialDataPipeline +
System/AllowDeviceNameInDiagnosticData
@@ -3171,6 +3174,9 @@ The following diagram shows the Policy configuration service provider in tree fo
System/TelemetryProxy
+
+ System/TurnOffFileHistory +
### SystemServices policies diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 77c58a2714..92fd30f9bb 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/01/2019 +ms.date: 05/09/2019 --- # Policy CSP - System @@ -24,6 +24,9 @@ ms.date: 05/01/2019
System/AllowBuildPreview
+
+ System/AllowCommercialDataPipeline +
System/AllowDeviceNameInDiagnosticData
@@ -84,6 +87,9 @@ ms.date: 05/01/2019
System/TelemetryProxy
+
+ System/TurnOffFileHistory +
@@ -128,7 +134,6 @@ ms.date: 05/01/2019 > [!NOTE] > This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise. - This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software. If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable. @@ -154,6 +159,80 @@ The following list shows the supported values:
+ +**System/AllowCommercialDataPipeline** + + +
DetailsOriginating updateStatusHistory
Latest cumulative update (KB 4495667) installs automatically
Due to a servicing side issue some users were offered 4495667 (optional update) automatically. This issue has been mitigated.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Next steps: This issue has been mitigated on the servicing side to prevent auto installing of this update. Customers do not need to take any action.

Back to top		OS Build 17763.475

May 03, 2019
KB4495667		Mitigated
Last updated:
May 05, 2019
12:01 PM PT

Opened:
May 05, 2019
12:01 PM PT
Devices with some Asian language packs installed may receive an error
After installing the April 2019 Cumulative Update (KB4493509), devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Workaround:
  1. Uninstall and reinstall any recently added language packs. For instructions, see \"Manage the input and display language settings in Windows 10\".
  2. Click Check for Updates and install the April 2019 Cumulative Update. For instructions, see \"Update Windows 10\".
Note: If reinstalling the language pack does not mitigate the issue, reset your PC as follows:
  1. Go to Settings app -> Recovery.
  2. Click on Get Started under \"Reset this PC\" recovery option.
  3. Select \"Keep my Files\".
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17763.437

April 09, 2019
KB4493509		Mitigated
Last updated:
May 03, 2019
10:59 AM PT

Opened:
May 02, 2019
04:36 PM PT
Printing from Microsoft Edge or other UWP apps, you may receive the error 0x80070007
When attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications you may receive the error, \"Your printer has experienced an unexpected configuration problem. 0x80070007e.\"
 
Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Workaround: You can use another browser, such as Internet Explorer to print your documents.
 
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17763.379

March 12, 2019
KB4489899		Mitigated
Last updated:
May 02, 2019
04:47 PM PT

Opened:
May 02, 2019
04:47 PM PT
Latest cumulative update (KB 4495667) installs automatically
Due to a servicing side issue some users were offered KB4495667 (optional update) automatically and rebooted devices. This issue has been mitigated.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Resolution:: This issue has been mitigated on the servicing side to prevent auto installing of this update. Customers do not need to take any action.

Back to top		OS Build 17763.475

May 03, 2019
KB4495667		Resolved
Resolved:
May 08, 2019
03:37 PM PT

Opened:
May 05, 2019
12:01 PM PT
+ + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +> [!NOTE] +> This policy setting applies only to the Windows operating system and apps included with Windows, it does not apply to third-party apps or services running on Windows 10. + +This policy setting opts the device into the Windows enterprise data pipeline. + +If you enable this setting, data collected from the device is opted into the Windows enterprise data pipeline. + +If you disable or do not configure this setting, all data from the device is collected and processed in accordance with the policies for the Windows standard data pipeline. + +Configuring this setting does not change the telemetry collection level or the ability of the user to change the level. + + + +ADMX Info: +- GP English name: *Allow commercial data pipeline* +- GP name: *AllowCommercialDataPipeline* +- GP element: *AllowCommercialDataPipeline* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + +The following list shows the supported values: + +- 0 (default) - Do not use the Windows Commercial Data Pipeline +- 1 - Use the Windows Commercial Data Pipeline + + + + + + + + + + +
+ **System/AllowDeviceNameInDiagnosticData** @@ -1434,6 +1513,73 @@ ADMX Info: +
+ + +**System/TurnOffFileHistory** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to turn off File History. + +If you enable this policy setting, File History cannot be activated to create regular, automatic backups. + +If you disable or do not configure this policy setting, File History can be activated to create regular, automatic backups. + + + +ADMX Info: +- GP English name: *Turn off File History* +- GP name: *DisableFileHistory* +- GP path: *Windows Components/File History* +- GP ADMX file name: *FileHistory.admx* + + + +The following list shows the supported values: + +- false (default) - allow File History +- true - turn off File History + + + + + + + + + @@ -1459,4 +1605,4 @@ Footnotes: - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. - 5 - Added in Windows 10, version 1809. -- 6 - Added in the next major release of Windows 10. \ No newline at end of file +- 6 - Added in Windows 10, version 1903. \ No newline at end of file From 7c9ffa815bda413ae78dbe8839a96c00e0cea23f Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 9 May 2019 10:09:13 -0700 Subject: [PATCH 328/492] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...perating-system-components-to-microsoft-services.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 923bfedcb3..9b76bb4c29 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -194,7 +194,7 @@ See the following table for a summary of the management settings for Windows Ser See the following table for a summary of the management settings for Windows Server 2016 Server Core. | Setting | Group Policy | Registry | Command line | -| - | :-: | :-: | :-: | :-: | :-: | +| - | :-: | :-: | :-: | | [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [6. Font streaming](#font-streaming) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | @@ -209,7 +209,7 @@ See the following table for a summary of the management settings for Windows Ser See the following table for a summary of the management settings for Windows Server 2016 Nano Server. | Setting | Registry | Command line | -| - | :-: | :-: | :-: | :-: | :-: | +| - | :-: | :-: | | [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | | [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | @@ -634,6 +634,8 @@ To disable the Microsoft Account Sign-In Assistant: - Apply the Accounts/AllowMicrosoftAccountSignInAssistant MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. + -or- + - Change the **Start** REG_DWORD registry setting in **HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\wlidsvc** to a value of **4**. @@ -1857,10 +1859,6 @@ You can disconnect from the Microsoft Antimalware Protection Service. - Use the registry to set the REG_DWORD value **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to **0 (zero)**. - -and- - -- Delete the registry setting **named** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Updates**. - -OR- - For Windows 10 only, apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). From 089238bd71ac1a5e82f177e147c1ea10b5605297 Mon Sep 17 00:00:00 2001 From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Thu, 9 May 2019 10:24:07 -0700 Subject: [PATCH 329/492] Update assettag.md --- devices/surface/assettag.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface/assettag.md b/devices/surface/assettag.md index 9771aacb0d..03a43060a5 100644 --- a/devices/surface/assettag.md +++ b/devices/surface/assettag.md @@ -27,7 +27,7 @@ for Surface devices. It works on Surface Pro 3 and all newer Surface devices. To run Surface Asset Tag: 1. On the Surface device, download **Surface Pro 3 AssetTag.zip** from the [Microsoft Download - Center](http://www.microsoft.com/download/details.aspx?id=44076), + Center](https://www.microsoft.com/en-us/download/details.aspx?id=46703), extract the zip file, and save AssetTag.exe in desired folder (in this example, C:\\assets). From b1c2f37f09e2717000d94b5995359a47b1745293 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 9 May 2019 10:25:14 -0700 Subject: [PATCH 330/492] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...-system-components-to-microsoft-services.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 9b76bb4c29..58d06760a9 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -508,11 +508,11 @@ To turn off Insider Preview builds for Windows 10: | Registry Key | Registry path | |------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Turn on Suggested Sites| HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Suggested Sites
REG_DWORD: Enabled
**Set Value to: 0**| -| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer
REG_DWORD: AllowServicePoweredQSA
**Set Value to: 0**| -| Turn off the auto-complete feature for web addresses | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\CurrentVersion\\Explorer\\AutoComplete
REG_SZ: AutoSuggest
Set Value to: **no** | -| Turn off browser geolocation | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation
REG_DWORD: PolicyDisableGeolocation
**Set Value to: 1** | -| Prevent managing SmartScreen filter | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter
REG_DWORD: EnabledV9
**Set Value to: 0** | +| Turn on Suggested Sites| HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Suggested Sites
REG_DWORD: Enabled
**Set Value to: 0**| +| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer
REG_DWORD: AllowServicePoweredQSA
**Set Value to: 0**| +| Turn off the auto-complete feature for web addresses |HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\CurrentVersion\\Explorer\\AutoComplete
REG_SZ: AutoSuggest
Set Value to: **no** | +| Turn off browser geolocation | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation
REG_DWORD: PolicyDisableGeolocation
**Set Value to: 1** | +| Prevent managing SmartScreen filter | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter
REG_DWORD: EnabledV9
**Set Value to: 0** | There are more Group Policy objects that are used by Internet Explorer: @@ -527,10 +527,10 @@ You can also use Registry keys to set these policies. | Registry Key | Registry path | |------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Choose whether employees can configure Compatibility View. | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\BrowserEmulation
REG_DWORD: DisableSiteListEditing
**Set Value to 1**| -| Turn off the flip ahead with page prediction feature | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\FlipAhead
REG_DWORD: Enabled
**Set Value to 0**| -| Turn off background synchronization for feeds and Web Slices | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds
REG_DWORD: BackgroundSyncStatus
**Set Value to 0**| -| Allow Online Tips | HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
REG_DWORD: AllowOnlineTips
**Set Value to 0 (zero)**| +| Choose whether employees can configure Compatibility View. | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\BrowserEmulation
REG_DWORD: DisableSiteListEditing
**Set Value to 1**| +| Turn off the flip ahead with page prediction feature | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\FlipAhead
REG_DWORD: Enabled
**Set Value to 0**| +| Turn off background synchronization for feeds and Web Slices | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds
REG_DWORD: BackgroundSyncStatus
**Set Value to 0**| +| Allow Online Tips | HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
REG_DWORD: AllowOnlineTips
**Set Value to 0**| To turn off the home page, **Enable** the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Disable changing home page settings**, and set it to **about:blank**. From 99097ab1dc0ff506314811efce4107d2e9d7d74e Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 9 May 2019 11:38:39 -0700 Subject: [PATCH 331/492] Delete manage-windows-1903-endpoints.md --- .../privacy/manage-windows-1903-endpoints.md | 170 ------------------ 1 file changed, 170 deletions(-) delete mode 100644 windows/privacy/manage-windows-1903-endpoints.md diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md deleted file mode 100644 index f73b24241a..0000000000 --- a/windows/privacy/manage-windows-1903-endpoints.md +++ /dev/null @@ -1,170 +0,0 @@ ---- -title: Connection endpoints for Windows 10, version 1903 -description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. -keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.localizationpriority: high -audience: ITPro -author: danihalfin -ms.author: v-medgar -manager: sanashar -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 5/3/2019 ---- -# Manage connection endpoints for Windows 10, version 1903 - -**Applies to** - -- Windows 10, version 1903 - -Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: - -- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. -- Connecting to email servers to send and receive email. -- Connecting to the web for every day web browsing. -- Connecting to the cloud to store and access backups. -- Using your location to show a weather forecast. - -This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later. -Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). -Where applicable, each endpoint covered in this topic includes a link to specific details about how to control traffic to it. - -We used the following methodology to derive these network endpoints: - -1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. -2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). -3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. -4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. - -> [!NOTE] -> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. - -## Windows 10 1903 Enterprise connection endpoints - -|Area|Description|Protocol|Destination| -|----------------|----------|----------|------------| -|Apps|The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com| -|||HTTP|tile-service.weather.microsoft.com -||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/livetile/?Language=en-US -||The following endpoint is used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|*.twimg.com*| -||The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall Candy Crush Saga or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|candycrushsoda.king.com| -||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|evoke-windowsservices-tas.msedge.net| -||The following endpoint is used for by the Microsoft Wallet app. To turn off traffic for this endpoint, either uninstall the Wallet app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|wallet.microsoft.com| -||The following endpoint is used by the Groove Music app for update HTTP handler status. If you turn off traffic for this endpoint, apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app.|HTTPS|mediaredirect.microsoft.com| -||The following endpoints are used when using the Whiteboard app. To turn off traffic for this endpoint disable the Microsoft Store.|HTTPS|int.whiteboard.microsoft.com| -|||HTTPS|wbd.ms| -|||HTTPS|whiteboard.microsoft.com| -|||HTTP / HTTPS|whiteboard.ms| -|Azure |The following endpoints are related to Azure. |HTTPS|wd-prod-*fe*.cloudapp.azure.com| -|||HTTPS|ris-prod-atm.trafficmanager.net| -|||HTTPS|validation-v2.sls.trafficmanager.net| -|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible turn off traffic to this endpoint, but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.|HTTP|ctldl.windowsupdate.com| -|Cortana and Search|The following endpoint is used to get images that are used for Microsoft Store suggestions. If you turn off traffic for this endpoint, you will block images that are used for Microsoft Store suggestions. |HTTPS|store-images.*microsoft.com| -||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|HTTPS|www.bing.com/client| -|||HTTPS|www.bing.com| -|||HTTPS|www.bing.com/proactive| -|||HTTPS|www.bing.com/threshold/xls.aspx| -|||HTTP|exo-ring.msedge.net| -|||HTTP|fp.msedge.net| -|||HTTP|fp-vp.azureedge.net| -|||HTTP|odinvzc.azureedge.net| -|||HTTP|spo-ring.msedge.net| -|Device authentication| -||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*| -||The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.|HTTP|dmd.metaservices.microsoft.com| -|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|HTTP|v10.events.data.microsoft.com| -|||HTTPS|v10.vortex-win.data.microsoft.com/collect/v1| -|||HTTP|www.microsoft.com| -||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|HTTPS|co4.telecommand.telemetry.microsoft.com| -|||HTTP|cs11.wpc.v0cdn.net| -|||HTTPS|cs1137.wpc.gammacdn.net| -|||TLS v1.2|modern.watson.data.microsoft.com*| -|||HTTPS|watson.telemetry.microsoft.com| -|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.|HTTPS|*licensing.mp.microsoft.com*| -|Location|The following endpoints are used for location data. If you turn off traffic for this endpoint, apps cannot use location data.|HTTPS|inference.location.live.net| -|||HTTP|location-inference-westus.cloudapp.net| -|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTPS|*g.akamaiedge.net| -|||HTTP|*maps.windows.com*| -|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |HTTP|login.msa.akadns6.net| -|||HTTP|us.configsvc1.live.com.akadns.net| -|Microsoft Edge|This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com| -|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTPS|go.microsoft.com| -|Microsoft Store|The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|HTTPS|*.wns.windows.com| -||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTP|storecatalogrevocation.storequality.microsoft.com| -||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com*|HTTPS|store-images.microsoft.com| -||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|TLS v1.2|*.md.mp.microsoft.com*| -|||HTTPS|*displaycatalog.mp.microsoft.com| -|||HTTP \ HTTPS|pti.store.microsoft.com| -|||HTTP|storeedgefd.dsx.mp.microsoft.com| -|||HTTP|markets.books.microsoft.com| -|||HTTP |share.microsoft.com| -|Network Connection Status Indicator (NCSI)| -||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTP|www.msftconnecttest.com*| -Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.|HTTP|*.c-msedge.net| -|||HTTPS|*.e-msedge.net| -|||HTTPS|*.s-msedge.net| -|||HTTPS|nexusrules.officeapps.live.com| -|||HTTPS|ocos-office365-s2s.msedge.net| -|||HTTPS|officeclient.microsoft.com| -|||HTTPS|outlook.office365.com| -|||HTTPS|client-office365-tas.msedge.net| -|||HTTPS|www.office.com| -|||HTTPS|onecollector.cloudapp.aria| -|||HTTP|v10.events.data.microsoft.com/onecollector/1.0/| -|||HTTPS|self.events.data.microsoft.com| -||The following endpoint is used to connect the Office To-Do app to its cloud service. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store.|HTTPS|to-do.microsoft.com -|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.|HTTP \ HTTPS|g.live.com/1rewlive5skydrive/*| -|||HTTP|msagfx.live.com| -|||HTTPS|oneclient.sfx.ms| -|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.|HTTPS|cy2.settings.data.microsoft.com.akadns.net| -|||HTTPS|settings.data.microsoft.com| -|||HTTPS|settings-win.data.microsoft.com| -|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|browser.pipe.aria.microsoft.com| -|||HTTP|config.edge.skype.com| -|||HTTP|s2s.config.skype.com| -|||HTTPS|skypeecs-prod-usw-0-b.cloudapp.net| -|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.|HTTPS|wdcp.microsoft.com| -|||HTTPS|definitionupdates.microsoft.com| -|||HTTPS|go.microsoft.com| -||The following endpoints are used for Windows Defender Smartscreen reporting and notifications. If you turn off traffic for these endpoints, Smartscreen notifications will not appear.|HTTPS|*smartscreen.microsoft.com| -|||HTTPS|smartscreen-sn3p.smartscreen.microsoft.com| -|||HTTPS|unitedstates.smartscreen-prod.microsoft.com| -|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.|TLS v1.2|*.search.msn.com| -|||HTTPS|arc.msn.com| -|||HTTPS|g.msn.com*| -|||HTTPS|query.prod.cms.rt.microsoft.com| -|||HTTPS|ris.api.iris.microsoft.com| -|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.|HTTPS|*.prod.do.dsp.mp.microsoft.com| -|||HTTP|cs9.wac.phicdn.net| -|||HTTP|emdl.ws.microsoft.com| -||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com| -|||HTTP|*.windowsupdate.com*| -||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.|HTTPS|*.delivery.mp.microsoft.com| -|||HTTPS|*.update.microsoft.com| -||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly.|HTTPS|tsfe.trafficshaping.dsp.mp.microsoft.com| - - -## Other Windows 10 editions - -To view endpoints for other versions of Windows 10 Enterprise, see: -- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) -- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) - -To view endpoints for non-Enterprise Windows 10 editions, see: -- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) -- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) -- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) - - -## Related links - -- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) -- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune) - - From 89813ad60b70028b7888dde35b9011e4bdda5b49 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Thu, 9 May 2019 11:56:31 -0700 Subject: [PATCH 332/492] Delete windows-endpoints-1903-non-enterprise-editions.md --- ...-endpoints-1903-non-enterprise-editions.md | 271 ------------------ 1 file changed, 271 deletions(-) delete mode 100644 windows/privacy/windows-endpoints-1903-non-enterprise-editions.md diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md deleted file mode 100644 index 44fadd939e..0000000000 --- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md +++ /dev/null @@ -1,271 +0,0 @@ ---- -title: Windows 10, version 1809, connection endpoints for non-Enterprise editions -description: Explains what Windows 10 endpoints are used in non-Enterprise editions. -keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.localizationpriority: high -audience: ITPro -author: danihalfin -ms.author: daniha -manager: dansimp -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 6/26/2018 ---- -# Windows 10, version 1809, connection endpoints for non-Enterprise editions - - **Applies to** - -- Windows 10 Home, version 1809 -- Windows 10 Professional, version 1809 -- Windows 10 Education, version 1809 - -In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-1809-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1809. - -We used the following methodology to derive these network endpoints: - -1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. -2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). -3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. -4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. - -> [!NOTE] -> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. - -## Windows 10 Family - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -|\*.aria.microsoft.com*|HTTPS|Microsoft Office Telemetry -|\*.b.akamai*.net|HTTPS|Used to check for updates to Maps that have been downloaded for offline use -|\*.c-msedge.net|HTTP|Microsoft Office -|\*.dl.delivery.mp.microsoft.com*|HTTP|Enables connections to Windows Update -|\*.download.windowsupdate.com*|HTTP|Used to download operating system patches and updates -|\*.g.akamai*.net|HTTPS|Used to check for updates to Maps that have been downloaded for offline use -|\*.login.msa.*.net|HTTPS|Microsoft Account related -|\*.msn.com*|TLSv1.2/HTTPS|Windows Spotlight -|\*.skype.com|HTTP/HTTPS|Skype -|\*.smartscreen.microsoft.com*|HTTPS|Windows Defender Smartscreen -|\*.telecommand.telemetry.microsoft.com*|HTTPS|Used by Windows Error Reporting -|*cdn.onenote.net*|HTTP|OneNote -|*displaycatalog.*mp.microsoft.com*|HTTPS|Used to communicate with Microsoft Store -|*emdl.ws.microsoft.com*|HTTP|Windows Update -|*geo-prod.do.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update -|*hwcdn.net*|HTTP|Highwinds Content Delivery Network / Windows updates -|*img-prod-cms-rt-microsoft-com*|HTTPS|Microsoft Store or Inbox MSN Apps image download -|*licensing.*mp.microsoft.com*|HTTPS|Licensing -|*maps.windows.com*|HTTPS|Related to Maps application -|*msedge.net*|HTTPS|Used by Microsoft OfficeHub to get the metadata of Microsoft Office apps -|*nexusrules.officeapps.live.com*|HTTPS|Microsoft Office Telemetry -|*photos.microsoft.com*|HTTPS|Photos App -|*prod.do.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Used for Windows Update downloads of apps and OS updates -|*purchase.md.mp.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store -|*settings.data.microsoft.com.akadns.net|HTTPS|Used for Windows apps to dynamically update their configuration -|*wac.phicdn.net*|HTTP|Windows Update -|*windowsupdate.com*|HTTP|Windows Update -|*wns.*windows.com*|TLSv1.2/HTTPS|Used for the Windows Push Notification Services (WNS) -|*wpc.v0cdn.net*|HTTP|Windows Telemetry -|arc.msn.com|HTTPS|Spotlight -|auth.gfx.ms*|HTTPS|MSA related -|cdn.onenote.net|HTTPS|OneNote Live Tile -|dmd.metaservices.microsoft.com*|HTTP|Device Authentication -|e-0009.e-msedge.net|HTTPS|Microsoft Office -|e10198.b.akamaiedge.net|HTTPS|Maps application -|evoke-windowsservices-tas.msedge*|HTTPS|Photos app -|fe2.update.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store -|fe3.*.mp.microsoft.com.*|TLSv1.2/HTTPS|Windows Update, Microsoft Update, and Microsoft Store services -|g.live.com*|HTTPS|OneDrive -|go.microsoft.com|HTTP|Windows Defender -|iriscoremetadataprod.blob.core.windows.net|HTTPS|Windows Telemetry -|login.live.com|HTTPS|Device Authentication -|msagfx.live.com|HTTP|OneDrive -|ocsp.digicert.com*|HTTP|CRL and OCSP checks to the issuing certificate authorities -|officeclient.microsoft.com|HTTPS|Microsoft Office -|oneclient.sfx.ms*|HTTPS|Used by OneDrive for Business to download and verify app updates -|onecollector.cloudapp.aria.akadns.net|HTTPS|Microsoft Office -|ow1.res.office365.com|HTTP|Microsoft Office -|pti.store.microsoft.com|HTTPS|Microsoft Store -|purchase.mp.microsoft.com*|HTTPS|Used to communicate with Microsoft Store -|query.prod.cms.rt.microsoft.com*|HTTPS|Used to retrieve Windows Spotlight metadata -|ris.api.iris.microsoft.com*|TLSv1.2/HTTPS|Used to retrieve Windows Spotlight metadata -|ris-prod-atm.trafficmanager.net|HTTPS|Azure traffic manager -|s-0001.s-msedge.net|HTTPS|Microsoft Office -|self.events.data.microsoft.com|HTTPS|Microsoft Office -|settings.data.microsoft.com*|HTTPS|Used for Windows apps to dynamically update their configuration -|settings-win.data.microsoft.com*|HTTPS|Used for Windows apps to dynamically update their configuration -|share.microsoft.com|HTTPS|Microsoft Store -|skypeecs-prod-usw-0.cloudapp.net|HTTPS|Microsoft Store -|sls.update.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update -|slscr.update.microsoft.com*|HTTPS|Enables connections to Windows Update -|store*.dsx.mp.microsoft.com*|HTTPS|Used to communicate with Microsoft Store -|storecatalogrevocation.storequality.microsoft.com|HTTPS|Microsoft Store -|storecatalogrevocation.storequality.microsoft.com*|HTTPS|Used to revoke licenses for malicious apps on the Microsoft Store -|store-images.*microsoft.com*|HTTP|Used to get images that are used for Microsoft Store suggestions -|storesdk.dsx.mp.microsoft.com|HTTP|Microsoft Store -|tile-service.weather.microsoft.com*|HTTP|Used to download updates to the Weather app Live Tile -|time.windows.com|HTTP|Microsoft Windows Time related -|tsfe.trafficshaping.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Used for content regulation -|v10.events.data.microsoft.com|HTTPS|Diagnostic Data -|watson.telemetry.microsoft.com|HTTPS|Diagnostic Data -|wdcp.microsoft.*|TLSv1.2, HTTPS|Used for Windows Defender when Cloud-based Protection is enabled -|wd-prod-cp-us-west-1-fe.westus.cloudapp.azure.com|HTTPS|Windows Defender -|wusofficehome.msocdn.com|HTTPS|Microsoft Office -|www.bing.com*|HTTP|Used for updates for Cortana, apps, and Live Tiles -|www.msftconnecttest.com|HTTP|Network Connection (NCSI) -|www.office.com|HTTPS|Microsoft Office - - -## Windows 10 Pro - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -|\*.cloudapp.azure.com|HTTPS|Azure -|\*.delivery.dsp.mp.microsoft.com.nsatc.net|HTTPS|Windows Update, Microsoft Update, and Microsoft Store services -|\*.displaycatalog.md.mp.microsoft.com.akadns.net|HTTPS|Microsoft Store -|\*.dl.delivery.mp.microsoft.com*|HTTP|Enables connections to Windows Update -|\*.e-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps -|\*.g.akamaiedge.net|HTTPS|Used to check for updates to maps that have been downloaded for offline use -|\*.s-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps -|\*.windowsupdate.com*|HTTP|Enables connections to Windows Update -|\*.wns.notify.windows.com.akadns.net|HTTPS|Used for the Windows Push Notification Services (WNS) -|\*dsp.mp.microsoft.com.nsatc.net|HTTPS|Enables connections to Windows Update -|\*c-msedge.net|HTTP|Office -|a1158.g.akamai.net|HTTP|Maps application -|arc.msn.com*|HTTP / HTTPS|Used to retrieve Windows Spotlight metadata -|blob.mwh01prdstr06a.store.core.windows.net|HTTPS|Microsoft Store -|browser.pipe.aria.microsoft.com|HTTPS|Microsoft Office -|bubblewitch3mobile.king.com|HTTPS|Bubble Witch application -|candycrush.king.com|HTTPS|Candy Crush application -|cdn.onenote.net|HTTP|Microsoft OneNote -|cds.p9u4n2q3.hwcdn.net|HTTP|Highwinds Content Delivery Network traffic for Windows updates -|client.wns.windows.com|HTTPS|Winddows Notification System -|co4.telecommand.telemetry.microsoft.com.akadns.net|HTTPS|Windows Error Reporting -|config.edge.skype.com|HTTPS|Microsoft Skype -|cs11.wpc.v0cdn.net|HTTP|Windows Telemetry -|cs9.wac.phicdn.net|HTTP|Windows Update -|cy2.licensing.md.mp.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store -|cy2.purchase.md.mp.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store -|cy2.settings.data.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store -|dmd.metaservices.microsoft.com.akadns.net|HTTP|Device Authentication -|e-0009.e-msedge.net|HTTPS|Microsoft Office -|e10198.b.akamaiedge.net|HTTPS|Maps application -|fe3.update.microsoft.com|HTTPS|Windows Update -|g.live.com|HTTPS|Microsoft OneDrive -|g.msn.com.nsatc.net|HTTPS|Used to retrieve Windows Spotlight metadata -|geo-prod.do.dsp.mp.microsoft.com|HTTPS|Windows Update -|go.microsoft.com|HTTP|Windows Defender -|iecvlist.microsoft.com|HTTPS|Microsoft Edge -|img-prod-cms-rt-microsoft-com.akamaized.net|HTTP / HTTPS|Microsoft Store -|ipv4.login.msa.akadns6.net|HTTPS|Used for Microsoft accounts to sign in -|licensing.mp.microsoft.com|HTTP|Licensing -|location-inference-westus.cloudapp.net|HTTPS|Used for location data -|login.live.com|HTTP|Device Authentication -|maps.windows.com|HTTP|Maps application -|modern.watson.data.microsoft.com.akadns.net|HTTPS|Used by Windows Error Reporting -|msagfx.live.com|HTTP|OneDrive -|nav.smartscreen.microsoft.com|HTTPS|Windows Defender -|ocsp.digicert.com*|HTTP|CRL and OCSP checks to the issuing certificate authorities -|oneclient.sfx.ms|HTTP|OneDrive -|pti.store.microsoft.com|HTTPS|Microsoft Store -|ris.api.iris.microsoft.com.akadns.net|HTTPS|Used to retrieve Windows Spotlight metadata -|ris-prod-atm.trafficmanager.net|HTTPS|Azure -|s2s.config.skype.com|HTTP|Microsoft Skype -|settings-win.data.microsoft.com|HTTPS|Application settings -|share.microsoft.com|HTTPS|Microsoft Store -|skypeecs-prod-usw-0.cloudapp.net|HTTPS|Microsoft Skype -|slscr.update.microsoft.com|HTTPS|Windows Update -|storecatalogrevocation.storequality.microsoft.com|HTTPS|Microsoft Store -|store-images.microsoft.com|HTTPS|Microsoft Store -|tile-service.weather.microsoft.com/*|HTTP|Used to download updates to the Weather app Live Tile -|time.windows.com|HTTP|Windows time -|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTPS|Used for content regulation -|v10.events.data.microsoft.com*|HTTPS|Microsoft Office -|vip5.afdorigin-prod-am02.afdogw.com|HTTPS|Used to serve office 365 experimentation traffic -|watson.telemetry.microsoft.com|HTTPS|Telemetry -|wdcp.microsoft.com|HTTPS|Windows Defender -|wusofficehome.msocdn.com|HTTPS|Microsoft Office -|www.bing.com|HTTPS|Cortana and Search -|www.microsoft.com|HTTP|Diagnostic -|www.msftconnecttest.com|HTTP|Network connection -|www.office.com|HTTPS|Microsoft Office - - - -## Windows 10 Education - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -|\*.b.akamaiedge.net|HTTPS|Used to check for updates to maps that have been downloaded for offline use -|\*.c-msedge.net|HTTP|Used by OfficeHub to get the metadata of Office apps -|\*.dl.delivery.mp.microsoft.com*|HTTP|Windows Update -|\*.e-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps -|\*.g.akamaiedge.net|HTTPS|Used to check for updates to Maps that have been downloaded for offline use -|\*.licensing.md.mp.microsoft.com.akadns.net|HTTPS|Microsoft Store -|\*.settings.data.microsoft.com.akadns.net|HTTPS|Microsoft Store -|\*.skype.com*|HTTPS|Used to retrieve Skype configuration values -|\*.smartscreen*.microsoft.com|HTTPS|Windows Defender -|\*.s-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps -|\*.telecommand.telemetry.microsoft.com*|HTTPS|Used by Windows Error Reporting -|\*.wac.phicdn.net|HTTP|Windows Update -|\*.windowsupdate.com*|HTTP|Windows Update -|\*.wns.windows.com|HTTPS|Windows Notifications Service -|\*.wpc.*.net|HTTP|Diagnostic Data -|\*displaycatalog.md.mp.microsoft.com.akadns.net|HTTPS|Microsoft Store -|\*dsp.mp.microsoft.com|HTTPS|Windows Update -|a1158.g.akamai.net|HTTP|Maps -|a122.dscg3.akamai.net|HTTP|Maps -|a767.dscg3.akamai.net|HTTP|Maps -|au.download.windowsupdate.com*|HTTP|Windows Update -|bing.com/*|HTTPS|Used for updates for Cortana, apps, and Live Tiles -|blob.dz5prdstr01a.store.core.windows.net|HTTPS|Microsoft Store -|browser.pipe.aria.microsoft.com|HTTP|Used by OfficeHub to get the metadata of Office apps -|cdn.onenote.net/livetile/*|HTTPS|Used for OneNote Live Tile -|cds.p9u4n2q3.hwcdn.net|HTTP|Used by the Highwinds Content Delivery Network to perform Windows updates -|client-office365-tas.msedge.net/*|HTTPS|Office 365 porta and Office Online -|ctldl.windowsupdate.com*|HTTP|Used to download certificates that are publicly known to be fraudulent -|displaycatalog.mp.microsoft.com/*|HTTPS|Microsoft Store -|dmd.metaservices.microsoft.com*|HTTP|Device Authentication -|download.windowsupdate.com*|HTTPS|Windows Update -|emdl.ws.microsoft.com/*|HTTP|Used to download apps from the Microsoft Store -|evoke-windowsservices-tas.msedge.net|HTTPS|Photo app -|fe2.update.microsoft.com*|HTTPS|Windows Update, Microsoft Update, Microsoft Store services -|fe3.delivery.dsp.mp.microsoft.com.nsatc.net|HTTPS|Windows Update, Microsoft Update, Microsoft Store services -|fe3.delivery.mp.microsoft.com*|HTTPS|Windows Update, Microsoft Update, Microsoft Store services -|g.live.com*|HTTPS|Used by OneDrive for Business to download and verify app updates -|g.msn.com.nsatc.net|HTTPS|Used to retrieve Windows Spotlight metadata -|go.microsoft.com|HTTP|Windows Defender -|iecvlist.microsoft.com|HTTPS|Microsoft Edge browser -|ipv4.login.msa.akadns6.net|HTTPS|Used for Microsoft accounts to sign in -|licensing.mp.microsoft.com*|HTTPS|Used for online activation and some app licensing -|login.live.com|HTTPS|Device Authentication -|maps.windows.com/windows-app-web-link|HTTPS|Maps application -|modern.watson.data.microsoft.com.akadns.net|HTTPS|Used by Windows Error Reporting -|msagfx.live.com|HTTPS|OneDrive -|ocos-office365-s2s.msedge.net/*|HTTPS|Used to connect to the Office 365 portal's shared infrastructure -|ocsp.digicert.com*|HTTP|CRL and OCSP checks to the issuing certificate authorities -|oneclient.sfx.ms/*|HTTPS|Used by OneDrive for Business to download and verify app updates -|onecollector.cloudapp.aria.akadns.net|HTTPS|Microsoft Office -|pti.store.microsoft.com|HTTPS|Microsoft Store -|settings-win.data.microsoft.com/settings/*|HTTPS|Used as a way for apps to dynamically update their configuration -|share.microsoft.com|HTTPS|Microsoft Store -|skypeecs-prod-usw-0.cloudapp.net|HTTPS|Skype -|sls.update.microsoft.com*|HTTPS|Windows Update -|storecatalogrevocation.storequality.microsoft.com*|HTTPS|Used to revoke licenses for malicious apps on the Microsoft Store -|tile-service.weather.microsoft.com*|HTTP|Used to download updates to the Weather app Live Tile -|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTPS|Windows Update -|v10.events.data.microsoft.com*|HTTPS|Diagnostic Data -|vip5.afdorigin-prod-ch02.afdogw.com|HTTPS|Used to serve Office 365 experimentation traffic -|watson.telemetry.microsoft.com*|HTTPS|Used by Windows Error Reporting -|wdcp.microsoft.com|HTTPS|Windows Defender -|wd-prod-cp-us-east-1-fe.eastus.cloudapp.azure.com|HTTPS|Azure -|wusofficehome.msocdn.com|HTTPS|Microsoft Office -|www.bing.com|HTTPS|Cortana and Search -|www.microsoft.com|HTTP|Diagnostic Data -|www.microsoft.com/pkiops/certs/*|HTTP|CRL and OCSP checks to the issuing certificate authorities -|www.msftconnecttest.com|HTTP|Network Connection -|www.office.com|HTTPS|Microsoft Office - From aeb325db764df3de68061c8ecad1b01c22b08de7 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 9 May 2019 12:56:34 -0700 Subject: [PATCH 333/492] Update microsoft-defender-atp-mac.md Edits --- .../windows-defender-antivirus/microsoft-defender-atp-mac.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 416840ac2d..8a8a11ac75 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -84,4 +84,4 @@ SIP is a built-in macOS security feature that prevents low-level tampering with ## Resources -For further information on logging, uninstalling, the ATP portal, or known issues, see our [Resources](microsoft-defender-atp-mac-resources) page. \ No newline at end of file +For additional information about logging, uninstalling, or known issues, see our [Resources](microsoft-defender-atp-mac-resources) page. From 0c7afd2190b914bf0d2899a961a48ec2411c097c Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 9 May 2019 13:00:14 -0700 Subject: [PATCH 334/492] Update microsoft-defender-atp-mac-resources.md Edits --- .../microsoft-defender-atp-mac-resources.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index c7d8d338eb..8af686d049 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -33,7 +33,7 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. -1) Increase logging level: +1. Increase logging level: ```bash mavel-mojave:~ testuser$ mdatp log-level --verbose @@ -42,9 +42,9 @@ If you can reproduce a problem, please increase the logging level, run the syste Operation succeeded ``` -2) Reproduce the problem +2. Reproduce the problem -3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. +3. Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. ```bash mavel-mojave:~ testuser$ mdatp --diagnostic @@ -53,7 +53,7 @@ If you can reproduce a problem, please increase the logging level, run the syste "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" ``` -4) Restore logging level: +4. Restore logging level: ```bash mavel-mojave:~ testuser$ mdatp log-level --info @@ -131,15 +131,15 @@ Important tasks, such as controlling product settings and triggering on-demand s |Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` | |Protection |Request a definition update |`mdatp --signature-update` | -## What to expect in the ATP portal - -- AV alerts: +## Microsoft Defender ATP portal information +In the Microsoft Defender ATP portal, you'll see two categories of information: +- AV alerts, including: - Severity - Scan type - Device information (hostname, machine identifier, tenant identifier, app version, and OS type) - File information (name, path, size, and hash) - Threat information (name, type, and state) -- Device information: +- Device information, including: - Machine identifier - Tenant identifier - App version @@ -155,4 +155,4 @@ Important tasks, such as controlling product settings and triggering on-demand s - Not fully optimized for performance or disk space yet. - Full Windows Defender ATP integration is not available yet. - Mac devices that switch networks may appear multiple times in the APT portal. -- Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device. \ No newline at end of file +- Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device. From 8b6c29d5325aa3f5b15a61db64f46e515c7b9711 Mon Sep 17 00:00:00 2001 From: Jina Yoon <45857656+msft-jinayoon@users.noreply.github.com> Date: Thu, 9 May 2019 16:28:26 -0400 Subject: [PATCH 335/492] Updating Domain/ComputerName node info MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Incorporating the following info: • This node edits the DNS hostname of the computer. • If using the %RAND:x% or %SERIAL% macros, the new name is limited to 15 characters • If the serial number generated from the %SERIAL% macro is too long, the serial number will be truncated from the beginning of the serial number sequence, not the end. (e.g. 123ABCDEF456 --> CDEF456) • If the new name is a constant string (i.e. not using any of the macros) the new name can be up to 63 characters long • Validation for accepted characters are based on the SetComputerNameEx function: https://docs.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-setcomputernameexa • This node does not work properly for hybrid-joined AAD/AD devices (it only works for fully AAD joined devices) I would love feedback and additional edits on how to make the proposed changes more customer-doc-friendly. Thanks! --- windows/client-management/mdm/accounts-csp.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md index 19820b0309..18e6657277 100644 --- a/windows/client-management/mdm/accounts-csp.md +++ b/windows/client-management/mdm/accounts-csp.md @@ -26,9 +26,13 @@ Root node. Interior node for the account domain information. **Domain/ComputerName** -This node specifies the name for a device. This setting can be managed remotely. A couple of macros can be embedded within the value for dynamic substitution: %RAND:<# of digits>% and %SERIAL%. +This node specifies the DNS hostname for a device. This setting can be managed remotely, but note that this not supported for devices hybrid joined to Azure Active Directory and an on-premises Active directory. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 15 characters. -Examples: (a) "Test%RAND:6%" will generate a name "Test" followed by 6 random digits (e.g., "Test123456"). (b) "Foo%SERIAL%", will generate a name "Foo" followed by the serial number derived from device's ID. The server must explicitly reboot the device for this value to take effect. +Available naming macros: +|Macro|Description|Example|Generated Name| +|:---|:---|:---|:---| +|%RAND:<# of digits>|Generates the specified number of random digits.|Test%RAND:6%|Test123456| +|%SERIAL%|Generates the serial number derived from the device. If the serial number causes the new name to exceed the 15 character limit, the serial number will be truncated from the beginning of the sequence.|Test-Device-%SERIAL%|Test-Device-456| Supported operation is Add. @@ -46,4 +50,4 @@ Supported operation is Add. **Users/_UserName_/LocalUserGroup** This optional node specifies the local user group that a local user account should be joined to. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely. -Supported operation is Add. \ No newline at end of file +Supported operation is Add. From 15fa5a43139094203763b0bcb8f43ac3902b65e6 Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 9 May 2019 16:29:44 -0400 Subject: [PATCH 336/492] reworded [!IMPORTANT] for redundancy --- .../microsoft-defender-atp-mac-install-manually.md | 6 +----- .../microsoft-defender-atp-mac-install-with-intune.md | 6 +----- .../microsoft-defender-atp-mac-install-with-jamf.md | 6 +----- .../microsoft-defender-atp-mac-resources.md | 7 ++----- .../microsoft-defender-atp-mac.md | 6 ++---- 5 files changed, 7 insertions(+), 24 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md index 1df8b31e64..13edfebf77 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -22,12 +22,8 @@ ms.topic: conceptual **Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md) - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. +>[!IMPORTANT]This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. ## Prerequisites and system requirements diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md index 54e0829561..c1568dc518 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md @@ -23,11 +23,7 @@ ms.topic: conceptual [Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md) ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. +>[!IMPORTANT]This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. ## Prerequisites and system requirements diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md index 3e4122d3a0..e3ff4b865a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md @@ -22,12 +22,8 @@ ms.topic: conceptual **Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md) - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. +>[!IMPORTANT]This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. ## Prerequisites and system requirements diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index 8af686d049..d2f6dcffa8 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -22,12 +22,8 @@ ms.topic: conceptual **Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This topic describes how to use, and details about, Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. +>[!IMPORTANT]This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. ## Collecting diagnostic information @@ -133,6 +129,7 @@ Important tasks, such as controlling product settings and triggering on-demand s ## Microsoft Defender ATP portal information In the Microsoft Defender ATP portal, you'll see two categories of information: + - AV alerts, including: - Severity - Scan type diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 8a8a11ac75..70ba7ddb6b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -19,11 +19,9 @@ ms.topic: conceptual # Microsoft Defender ATP for Mac ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +>[!IMPORTANT]This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This topic describes how to install and use Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. +This topic describes how to install and use Microsoft Defender ATP for Mac. ## What’s new in the public preview From c63815f124bc8b66304f82edc668bd8b22ddb836 Mon Sep 17 00:00:00 2001 From: KC Cross Date: Thu, 9 May 2019 13:36:06 -0700 Subject: [PATCH 337/492] Removed extra line in acro config --- acrolinx-config.edn | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/acrolinx-config.edn b/acrolinx-config.edn index b235e443b5..92f0d843c1 100644 --- a/acrolinx-config.edn +++ b/acrolinx-config.edn @@ -1,3 +1,2 @@ {:allowed-branchname-matches ["master"] - :allowed-filename-matches ["windows/"] - } + :allowed-filename-matches ["windows/"]} From f654a356f4b7a1069f9abfbe6e34c433215a54b9 Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 9 May 2019 16:48:01 -0400 Subject: [PATCH 338/492] fixed spacing on [!IMPORTANT] to make build happy --- .../microsoft-defender-atp-mac-install-manually.md | 3 ++- .../microsoft-defender-atp-mac-install-with-intune.md | 3 ++- .../microsoft-defender-atp-mac-install-with-jamf.md | 3 ++- .../microsoft-defender-atp-mac-resources.md | 4 +++- .../windows-defender-antivirus/microsoft-defender-atp-mac.md | 3 ++- 5 files changed, 11 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md index 13edfebf77..5652662325 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -23,7 +23,8 @@ ms.topic: conceptual [Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md) ->[!IMPORTANT]This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. +>[!IMPORTANT] +>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. ## Prerequisites and system requirements diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md index c1568dc518..15bfabbd53 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md @@ -23,7 +23,8 @@ ms.topic: conceptual [Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md) ->[!IMPORTANT]This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. +>[!IMPORTANT] +>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. ## Prerequisites and system requirements diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md index e3ff4b865a..d0ad4df2aa 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md @@ -23,7 +23,8 @@ ms.topic: conceptual [Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md) ->[!IMPORTANT]This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. +>[!IMPORTANT] +>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. ## Prerequisites and system requirements diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index d2f6dcffa8..14853fbcd4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -23,7 +23,8 @@ ms.topic: conceptual [Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) ->[!IMPORTANT]This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. +>[!IMPORTANT] +>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. ## Collecting diagnostic information @@ -128,6 +129,7 @@ Important tasks, such as controlling product settings and triggering on-demand s |Protection |Request a definition update |`mdatp --signature-update` | ## Microsoft Defender ATP portal information + In the Microsoft Defender ATP portal, you'll see two categories of information: - AV alerts, including: diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 70ba7ddb6b..ad6e81eb5a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -19,7 +19,8 @@ ms.topic: conceptual # Microsoft Defender ATP for Mac ->[!IMPORTANT]This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. +>[!IMPORTANT] +>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic describes how to install and use Microsoft Defender ATP for Mac. From 6a1c728b1bb8f153042b2e51725d740a569a51db Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 9 May 2019 16:51:34 -0400 Subject: [PATCH 339/492] fixed links --- .../microsoft-defender-atp-mac-resources.md | 2 +- .../windows-defender-antivirus/microsoft-defender-atp-mac.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index 14853fbcd4..7f138a6ca7 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -21,7 +21,7 @@ ms.topic: conceptual **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md) >[!IMPORTANT] >This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index ad6e81eb5a..10fffbc787 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -83,4 +83,4 @@ SIP is a built-in macOS security feature that prevents low-level tampering with ## Resources -For additional information about logging, uninstalling, or known issues, see our [Resources](microsoft-defender-atp-mac-resources) page. +For additional information about logging, uninstalling, or known issues, see our [Resources](microsoft-defender-atp-mac-resources.md) page. From de10cb9abc00e333906b1f07e0cd121b5c0ad9b9 Mon Sep 17 00:00:00 2001 From: Liza Poggemeyer Date: Thu, 9 May 2019 14:03:32 -0700 Subject: [PATCH 340/492] renamed acrolinx file --- acrolinx-config.edn => .acrolinx-config.edn | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename acrolinx-config.edn => .acrolinx-config.edn (100%) diff --git a/acrolinx-config.edn b/.acrolinx-config.edn similarity index 100% rename from acrolinx-config.edn rename to .acrolinx-config.edn From a40b57465652b271bf35ac02133670ba5935245a Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 9 May 2019 14:37:56 -0700 Subject: [PATCH 341/492] added new image --- .../wip-azure-advanced-settings-optional.png | Bin 14186 -> 23584 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png index cd8e0d0388c3d30f4e4288d6884302ee048c3bb1..02138b02a709d31ff3a1c22f09c939f907a810f9 100644 GIT binary patch literal 23584 zcmdRWWl)^awk7WFbV#t^+RzZ(-L3IJppiy`6G9+(a1HKmjavcebZzm`N3tYWd`xv(MgZt-ZdE($P{T!~@}>pr8<{swn88prEy*prC%j zK?B|?rCvM${zLWDQM))i7a&(iN=?ekoN-jto&9H;}bhc#500!#OI9J1d~7|6Gs2 zrhKyjy3e=%rLEl~Ke9sK#GQ%xSVH?Y}Wg1>)Ko5vEV@(*w>>e8dxmY zj+KfKcopmLMltmMZBr}cGvMjvLokbG&t=4CV zZDrc$iS`&z#&e{03j9hsxIUiD|1@CLsF4`~uk;z?s%!6cD-~dC71H5Mh$@p#-ImAZ%&XZ6uGoHwqa*acJsjceV=or!bN^?t3bLd zU4M+HOfdaDMK<=~h(cebggiG$YpgkYpl_^b6~h>!u|W`pK$uww=_V>_EDAu17~~q_iA$^{M>Tic ztA{ms9?^ndoo0MGEHoa{VQIvgPGQFBFDR8_6&SO!r^_*wEaU~@?68RQKcw|Un}TeW z;&`w>)2!#`i+dz$|DHc&(OSv0d$`?nl0dV6%&N-FygE)?J>7h6sd|w?+3*!Pz1%AT zjDc4e@+sk;C0Ejo{n^XbGdKJmPKe5BVDA`L4+)Ok&N4H~`!j8j?pCml`ZA1*nT9%4 z$y%l{z2Aa2x!UF#yu*(bjWeHBDB^$amC@>A8rSYsx+-!(r9W82>)YyBSQK+z&PdNd zt_zA^(ZO_GHoVx7b6fZoX)V@iB|L93Md3Me#uZCz=xRDK9<^;&V6yQW#Dx$w5b|o! zGHs^aQPMAf5mjWXNF`ZJ){?oyB3Bk}4)gL_;iu8OwS!a=0$6OhOjpAiS<0#}RvV zW0opMfM_n>JqXT!bctui8K>;a@E)gVj5$+<%mV{&cKxNPA#JQ^t6i37S!}7nVDS+9 zsNhi#5%Nho7rY3zm?fc*O5Eewy;Fn(KBLpr*P&(a>u+19MF*?3)Ps48D?TzQv&V_> ztd8>9BgSzO%awu=qo%6|Y%k+8k)T0}&$@XSWBSD$YxZt2!@ffG_`oWy!wkcQK55gq=J+9Wi{E;k?>eDbm$b<6OMrX!c<2aEm79I--=;oUICXAH1{7PKkSaYB%7PD3D#i#YukIEKYawkWtI(yVIs^HWl2 zY708vOG9FuHc}ocipB?0zER8+1{~0-6j=0iB!w^cG)k&0?G^(_S9GT8!`TU;dg=?z z*UZj&q*D|L(hMqE92H7Nh&EW_`u2$Mh>0!Yd#pOtHbcbA7)Ql~3u`aCirgOiadJB5 zPQ^+6cAFrHCg-+oCDTR&Q;JU5up`Kqf$520ek%n(&ng{%#>)hL!@dC--%)-ZY=$^a z0dR}L9wk?hy(MicE3kd|&bkqr$wfY)i9N8jf5)1X@?iUK<&#>p(3~?*@2m1?)HR)eS6QRuqqRgcZnkO}RJfdc%$Hi`g z@@ks1be=BFh7R_35=yIpZGe33{LUepd=|X zLlju2LOT*A0(|t!Snwl$N`<^uP{TV}i|DNr+_yX_xRglFjWIV+)?$Uyy8?|PrvAv8 zIYLC4U1E^Vm*m1KgUUVORpIBm0<9b!K^A)=%!J*_4>Jpt!g7c)nJVa}N8*R8RmrV0_Phz-H88F}cLIroJF z44FvK@axIxglD{DL;J~1Cw1Yj;k$;8kCRG2bfGk%g3G!^;v>oM(nfE|L$l<9TQAe1 z4R_~JQ-zq}L|ZE9aRGG5K|@31xCU)Y62=43g*p~0Y)HTgcNACjL~m6p z7$P`T0{TPV4v92e#m+LQxP%-YrEmzsQwI78+&_(A5R_nkh7^M))VTTl!q&E%y_wP6 z)ok?=gBZRDYMbjoU7%wQkR|J=6Oydf+n|Tq{zoMqQen?)tpryc`V|CbSl{T1$_v^H z7*sf(qIu8zGjG$*@8K)r(BmPaC09QC8yzh<7SXLOZv;Uqt8qxXUWHXss@=R?;j~{f$`k!{ zeQs!tR2#aUGRRSR@ScuMC(*5#KrOrsN5%3d7(!%FJRe&vU>YGYlfz%(S{a)T{+&do zLt9~(TqB3Ma9n^vpgqo{$I_93Db??s#+abkJgn9fYMds6u1MseZ=y+>Z}VAF8B0_{ zokpF8SrQM-mnQqGHQr9i>5yGD}fGif#*DhNox=&7_z; zc>Jt(%Z#=O#ot;;z($4q=@FeLG-@+y3N%x~K^EHX;(KD3C^N&6szh1A=~)Vrmw&`G zWxT4yYQU@tg<>sQ?*>(p3KAzB>za(nv{t5%@`Je|J2yzwgFQFWMqXeQxq9_XL~=T5 z_9nN%#gMt2M6-?+1mK$}7t*xVB04zSd$NDZ1LaGwM?aDTY@G*-U*uM%p3<8E4f=Pb zg_V*J7En@~wldTO6fnp(lnpg7ILA{J8z955$S#zqW-_i5qp_1Cl|v;Mv4e9wB~&re za^A_|{uJ3Z`~tHO{l)3bTE`C!7&He!k(AtvXB0xZdAU%M9|fGdLQU2<1Hlq>s0}Hj ztyx!E1T6J4pf6k5L>FZ;i?2@|(+WXcOt8-w%qrm)9_WOop!hnA_?&d6IZx}}RNXvN za8e%t&PIGV6I4?3-J1kj!9OI5r`^JiMq&)X&xM-bi5|CSKvww=4Z}(8Vq?r^x$0sC z9O8{R_2)FJ3I!mcHaIF(ShEmYYEkC^gYNzZs35JWben?ahh2rDs#83}z5p^BZmTO} zDB}^*%!*VZg`%PU$vOVXTWS@{-S)AJ zLyMw9g9#xjLeIXULbfrf<4g1(Q`g=#gj9rE+}212ZqQb^VxRAu4u*jIxlaVIpzpSG z&XF$2XA?|RguO*pF2;}?Bayz=reIg_w%89h>rI<~e%5nOC2H#7`~bnw;Nk||6Ob9a z7%br3!RFqg|M}xIEr^8QbzK}U@#7aEuAg_z#147xZuzgAynVs>8=w4ub5N-UDx%v% zPrVP$AFKoLH@?|_qGh{Tp>O-D?(gkHApIg zu2iWd6kbcjpIe~qvB75nv9ZrU#;6Es(FEX?5>h_<%N+qX zm#JJvwNF1Pt@easmjd@Y*1lT@AC9Of7!^%dE~o1v$&Vd~!OHE)dJ2xSa=b`Qb@-v7 zEDlZ=+?;jDVUO>kMobjg<}I(|0uhOVxz z#zv-88CgEz3cNXh|IJ`Njlz29>Q1v$A2p9Y$R<}g=ulEdLTG%{RvJ|5k%Pk$nJBI| zf$hdRh=#{$6s5S~KcPDzsvpmaX8^_W9b7eHkx#~&{n;BQP*DvjBDvTQY>lF7H(;%? z*d*z1JQf^83um6?oQN%*6H}-X8;rI}xNeeMNphf#cABrH3_kd*Ka9zJw!gx63O3ku z0BETNK<$ox^Hqeu>0`+EZR7Ci=b5Pash_muB{Hy!FXq(5GCV{!lo8KMrsHBzMGp2T z%SrBe6v2YJjuV!neN16cHJXH?R1}OLl@OPH>sW2KVkdz1(QdreH=ZU_F~0byxwOoW zG9R9WvoX-m!&+MyYMdO6P5g+$!L1(-`QWvyR~g&(>eTU2c#uYr?E@KM4n_`YsX(|q zQ+${Rn}U=Ud%uYy@J=#f}Y%>qf$Xe47SFQ>o!PSX3 z40y`}hO%Tz@ZL5~hU0*lhsh~Y<%1+wSZ(8Vodnzq1)A4180Q`jCvo(bcucTug)vW^ui1>?0DgS$5psf&uXw zj7RxMThJ4iMfT}u1ktGLOCNpIZ*W8(z+yA0fw+iI7NJy-5?Ie6Sy(?WBys8H=#_oL za%DuKsSMiC*Mv-diq(=D{vyE6Z0LR@n*K?~q&#;p+9s$OcH-|C&1p7zo~Ti4_%y6H zZS-*#QGbsyXR=G;F!Nhs+qbbP9=%QJS>K^t>Uf;w!b(G$QIZ~dvZrc&3P`uzX_kN8 zLoU0!+OEWuJ6apAi29mw5s5OsTeD8?>$DAWoJf+PM>-RzTq$e{ErbEGXJ_uWiZS7#p`p3Cxp8rEEiElQ&)hDKHla-^ZazBB*O#3g9Zy~IfMgcX zB!Ubwm*FZP3o3>?5uo*QGy42ql;v`EajC7VQ6TYBE4NK6H>uK6GxHHEr?{+ocBco7XP;LbfgwBs^6|prV!Qu^hpQz_27HkH z%KI{J7yq=cBm>0h#!pjSSLaj)l%H2}Mn$MKLDoCJ-k*w?PxjywjQ{A{zYO#0o0yo` z+e36|Tg8Gqinx&V4GqX`qx#7&P6QWn1P<}VU`}9D?V{&K-p{F2;M2A2{5wPMsk|oj zeAk6<-;QJMb1|0~DdDBdGMd!g`Ml*#wtvRb%Z6L~jKGs0^g{ug9r=ZH6PoWYj#hnM z%b|O_ceEWF(r&HxS>8H#IX)db?eUQ+$G{2=zOyI+51vG5DfC%ev4`)dW(;Sifl0t+V{Wlb8nrvVY(%DSxMOQacz&^Oy0jTH>P^AI}jch zN7y9~jOeD29LY~d^yJAC_0k6?jk1OWXv~_N%nXg;!8*Xj>P2{WP|EH((!?xwiL=4BawZz` z#L{5+#p5@%?o2}#$r)Dz5L&r?c?S_74!84waqR6m&gX~Z{INh+$}*@8!&F{EvvAl^ zfj9?PIelfLsh?4k^^moVisB30n03qEKdr>)BeS$@m&kc{zqnIT@bB*@YierrcCk`= z6foWPidOOIUy0J!9)Czgn^_JYE@HgWx&0kCUo5twUex2N4PceJ9R)~rO%0C>gnOHd zkWbR*{BW$zlE>0v*j3eF_QFCVdBh{VZ9c0NxPqrPTagtER{Wz2><_HcNC?BQ+^T_s zyz)xk`H`{(%ggLZh=P83QLuwRZI|TV2q8z-2TcySUwe8%SMmy?!6`kJkytxB`w)%m zKNx8*)r<6Sq2BTH*ee$~w;9cMT7W`(5)I5mPfrh;6n+%LcNF|3hJk}=WnxQV>T(uP z=gpCmnEAHfuHqXts%Im!2qB~Gm%CSKw`b%)Ts;Bes=l+cGsx$oYx_$s_oe=7Da>r)FmBw~qhVC=o@d;eA$Tzye;64yKhrsIP)j0jyx#eb1mJib&_P{Nr;xAto*^K8*RefbxEdk|z{H7Zw(bpFUNT z{F_I_-R6~wNkP5b@5bo=}F@5@WEX<7S8ATi~N`-sGidGs!Q`TBKD3kVX` zgNu)3z?^wfv4POynL79;bZye8njd-uix1o!U6BG=;5&uFU&Z_${sJ%m?Ta>n(J-(|Udq^8Yh|IwzAg|BVr`w<#gT4Jq2 z=${#av}s`@ZqOs@m~h|wCc*B5rRZ=y(XV4(( zm5Px-O>$l7?C9#U1VH~5cRd3VWm4*jdk9)NMjR79G*Dz^A&~}`p)a5WDqNlz5$L`| zjZFi^q+51i(3EqXlZXVH27zWk1$i^^oi0^+Lr{o57z9Bu1XeH^QIxN{fFuWNnBd%n ztR}r$LpiwLS+xVE5iq4Gb*WM*rHPja29G+r{9=53cYcIWTCMe9G)H8lVp)#-i1K@~ ztA(>fe^0>~vbibWeh1Qw04p$S8#A|Nl08u^In%3=+AwBq#knY^BK%^V_~4y9$p&R|or&ZciAqHE zY7ulqA)Gcu!yN1#_5HjeDnAK@-^Y7$=y8X2p@1M6fK{N)2V?xN9^)njjh;j!!u4sb z@njemQXecnJaM78$JhW+=so)06RJn=d3XET7X%vKr?Gws)es3>R=RCc;N3xxZAVgIG-jRsWj~# zFPhiF5f!XtQI$EKp^>WksTPoi5>nKZs8Iq6TiKRTL{^BB5$pONT!VeJSfyfs8KjP8 zR2kJ#8Np&rtby{+Y4iYWCOV7vYwLn83r+x^9n|E?7J=e9k_i}Y%qWhz6>|)ImZ3P( zO>+1;qVqI}qyLM%=qEIh6kO#rbF9&<0E=k`IWTXHDHutos9^@?*8Hr%F6u-<3k}aO z8u%HO{RztRlB77M9g$MS$V9JHXiloxPxq1jtsru3nCMse)YxPFk{%k2et-=En9E=f z#{Z9d0}u_vpDze=QhPlqnuVcbDn7RvR2eQ?x+4qX8Lfh7S{Ep}Eg|@jA=p0*qp`nT z!4tD0oFzTDu}u03WrpN@m}p$LznQYHg5`P0Q_-pS(UsK<#5{Iv)rQk)56hPDKiK#M zIP27g7a&afKL}N3d9b>tD_(Ix1V<I+>#-` z;*V&0YPzn zqV26#q^{Fjv)$Bnj2XjN$2`|JW#NIIYl+EYV=Ap}<}+j!tZ!X03UP`W3lQgDYKlgM z?Wcdvdf<&~2q;qDgXL?rQ1F(<{bv99`D?s)`{p|1{&(k2gQ`yBBSS4wt)%u(GhA{U zsLy|Q7hHVDwQD66X3NCxjj#~ok#V`e!R4Qhsb;5`c`4?rqo_}NBqQUb5nU#Mp}88B zROXnHq0Tx~u8uL^KuyXHw+PYk6)6B^j?p-o_V!O|%IH4=>sTLshA>BF8BiI(tT?u- zt;=YN2}G0IMT#~lvNCO=AvA)zkYRW%SbbtmA@rT!^EFOvkx$CcM*KRSrKbyS6tnCf zks4mLdf?bN3yjx@^&!?3?4uIRq~runMjy&5b65Dy;x+zw*2k0Y=DX-Tzj&EnBsB|S=| zV%cQ#-&%t-+sBruEJ6jE)`g9EZn>O=r z(v3B;$jZmZ$J5hOgs!%x=4q$D?<_ahVs6hfeo$PiA#kNo+H``+FuV2q8J~^{pnZn9tA8--!P(2@@ag zNcJi)ufE6KO4~)jD<;^Xs6~a79#-2u(p?8F9mM{J<@>bP=S%c{>l)@Im$#F*Va=)* zO*n@`lBolKF^nOEfkFf(EG$e!L=;_V@7#GSjC~OJ@^b%nDX_!m1s_KLAL2Vz!8MoK z+FH{mz#+uDI*@~yN(%YPvxNKe+dt*qh}nf({P^)>(c~|@e_bq(ET~gC`6Cp57Wjv4 zw$P8L)+g{M;dp$uI1PaTpc>4O1F8YQfmYLz%K`DL(?-jP_-~$`yQf&q-~UIF(Cu2( z@fv1*eENQJ<|ElSzyzkUDY6>>!mB9w!qU>_{1j&U_RYoJ>9K#t>kYoU1_<3D{oOa> z`n#|B*O49~PnNbm`C&=V$vibbd-2JK_Ir)xwfgLbj33g0=Wddx)}hj0fS&$6e6I%> z+`D&%oVkbM^UE73A1`j+tKY23BkndY0@+g=LN`KWWW0E&gI0Ri-EyxKuWPy_Blk|{ z1EMycNL?!3(*eJX(4J?Wp2u!q?-xV{fV>cp_sw#ch465+?6VS8TMUIclD0~5i}SB} z@w07~XD{wVxv-w@VEs&WN2Q*zX}t7H`WIXdwv_pJ8)?ph6H@;p4)^Ko73R^;$oNjk z;RAZf>#uUhif^2i^>#pP9zTVm+AO&_0-bn&aZf zf52>?o4 z|3vgNT8(%`T6Uv>V784 zyCj2Imfuzw$U$@WTP`kFN6#*_U(((Os{(-0CvO>WL^|Z2sDQ60TAo1fFMIGi!TTtJ z{G>>Z1;2j7aW<>Uv;8C(YsvQRqdKtLh;t*cXb7-?m@b{BrN8(TI2K`2imRm#@wzx(+WR%aua+{swtmFg^Tj%}7`zdPn@gF9A}d$d1WP6A1J;3Q zj|mIcXJUE;W@cuKUzTrIJb|n50Mvbo{%-g94)XPORoeTcZCKGlV>Pww_KjUh-JsXa z(8qgu;+_X2y3i0syuPI$Rf(YPe0O%g|7Xq!p5EsKVAC=Aj<0?H{_OSZrD#C6eWku# zg!;nAXMS!jk?8vEo=?vt)1pvEchLFqU%YPyRPwOfjd}}jKnW=M087gNhU%7ZGFg{| zzxWYgf=*Jv%?ZYk6Nb!0dg3fGpjxF-;bKytpE&_1^|)7ti~eDxnPC6_j~4vX^Ha_M z$^*E;s+%zC-DXmx8m z+xa7^eZo&F!iQE!e#@6rrhtV=qYT)os(pEW`^%D0Qj&%{UJVHUXw#&W8D}{g$T+N> z!ahE&D0uzAOS_*<<9qc=S=1sRW=)r>b8&HL#{m-T-mh=()w98a5>h~Q)cWBt+Fi8j zY=v~A`m(a3%%s9)06@hxn^*dhuw zWQ3vt3M9x>wIV7cm`9zA(q>ScyQ#34+R#DLHy40r?A#y&hzx4(~=hMf(?tNIZv zku9%yx0b_97X+H3;KG6u320?A=nU{oNBT*UrpO|3V5vF|k!J5*D5YVszH~sHaEGV9 z3PDHl`}sBnb~Q8cK)mIhM=sOP)KykL=f#C%)<@4`kI_GKaer-uVvQz|X|}=avL3w2 zA@huNZlQ3e3ei$a<>-&9NGZZ?HnbWMb*k~mOM&TRF-=# z8uk5(!J%9=9RsHX`XM}f&ouNQ)z#G!FAoY{K7eUB0V4>>)fInQnP62nmMtz0b8dtT zTrk4lzPSMlo6r`kT`$-RiVEnAXTrbD#%t(naXhiLYX$2(;<7hWEavb-s~OGzj#Sqf zXGWV4<2*NEQ8gAdV#cFYwEd^@xYv?R=vR<+ zi%N64%`|dV$7XV>LMaQsC{~pSgl?UVXi_d5f3_JL%VT)z;Uu&&cHegq6Je5?Bl)i1 z9tSQH0&+*s;7|ay_{$bSy}3NIUtdF>>-xQJ4!MTr0!+;0wIadeod+fyebFi+00Yur z?m4b32tKdmbXgA=nld2++!8rV#VVy(%Hihx zXDzWIq_B9=U{2LSlMUWX&Q8RKHqpikQ%{*#Q7x>GX;phn2n>ZkvA?aYNpxRlp}uxI z`@IBon^G<_e$3ZVy8_C>IFkbUMsbB0ThVS(Hmi$sR!|b>i%~D57Frb<(;ZrL=6FnF1=kH3xcrFMxaqySd^pzz4tOWB}I6&*LL z$fyO4*56di&6-3h*4Y!yV{W`=*d>!QAb#qnUdtAx69)(pq{G7Caj?Vdp|4mdK2ohYZpE2be zB5vQ~ub3W&tgmPG$!+9BkU)u;ChBP;Ov-4}GG<&z@^lAylS-Tk_L6oxe>O*hloY4d-Gaa`26rFg7CL3qnu0^Y&^dPWGz zBuD3+6c~M&e`F)upcWxyV2)tnkO2S6qgGhASuc|VWH4c(xfpNXsyobPC1o+o*#b={nm6e+q zwz&36V??5;I!**?mO8Y48YB_U35{hWFjCPED4GquvrmiFA3aH4*LT_Ko|J$K^(;O_ zxC_o=GiDd{(1$?=b7F}U(f!Ox#JQ(Zs#1R#*HeC#HRpwh{G=ZZ(iq$Q-|%~=5o z>#)vx;IPpTi2=lxo2D)VlUB$USf=-6fPHe&ln^yZKJ_tFR3~RJ#VM+ZchXp zK}+5*09%Z{ZU`@fANY|EW+Wq1;ryP#u+Zdcpag6Ogp?25-rf$xP_vM-o40weAW|H7 z0tRW0MT{ZbK;w8zwKd@8Ls*EhiOJy;o;a{}h+>}}?A}jm=UWdqcKpj8xQYKab&=Z? zLPtmU^XE@zXJX82RVVi#FeT@G!onfbIe4?`kOVMKxd? zoTjkFHc#xD`nI;V&Q4y!o(=$xah**AwTI6n435**?OIExVxS%>%3Q$M>hqRp04Nq^ zfnL0zM4VzI&OmpMzQ&ew@52o#fWnyk0RWZst|7$jgWI4?zU7yIt8MI+mCK$gK7SY> zM!w$bjj`WkGUJ_Qy%0z)ejr9eQ2hWnU4$1q=mdmrui;8ev(fwBGT@hX;MHWnnbGaJ zh9!N#JX?lJ=4@ZYqW+yCD*zyX#zgq|_&6}Yvp+&u6zE-*M&+4#2$1 z=@?Ap>rdPg0Tus~L5PTm>>SUtbY5JzLa~2|emuDd@92>1S^$=%qlg??u)oFg{Wu}; zX0~f2;!7O0Yg#z-?asV({LQGJw7h6ew#)J6eRBhAZ|#-mc8$PTUqsjSmw90TI2x8p{L3LWIu6#U)Mc$&PJkH4O%!`76oT z5GG}RDE@fHy1eMi^)Fg64=hgTh>NQ$F&4V!;$M1judEx@aLJN{J$2RC0o|^u>u$ZZ zSN1v~9oFvL_r!4RtVsN&g7r3ZD&-ks?Rp(}a(gBcb`pgjT{69hM&FalY; z`hBpT>Dgu4Ii0xjwgPe7k-?h0$?I7sn z(=m9d+}&@hpiZ?Dhtp>~H~VZr*t!B_27uhJQTJc0ygam%8spS-Gc7{>aODcU4<6d} z)xN#rq!?1d!!F*4zQUF4zY~xOHy(>2RR1J;%a`ujaVW@IkxmO>bsXl!A=FTg4)*)-?%m+ctOn4SJqZJnDM3VEULeap&{UfPdM4&T_pU95gP*j6 zE7+PQPHAy&c~thES^#zbMr{v$OWg8q83>(qVD%)-=D*HZzS?c83jhZ8m|7;-)rNP zm{aJ_ko#&t266?|xS*w_rPEXIlF*5~U%!6c^9fMqX4uE3mX?8BQ!}&V@5g_;65D`r z8G}yom1R!xFgFied;`rV`fBrx8K61c9Ff4qz=Ju8|0clvyLaaQ$&W?+%xR7RqksB` zd!9=IB&)vF1K>FTj#Op~-_6vrL)B*#@srt4T+=RlS2yNJc@bZ92VMfU8$InrLCp=z zJ>|5Z7EZz;-#=gM^UZllFw|@bRE4qQ8W0c42}1SF1A(cD*>H}*DjMi{!O8FSDA(o) zgTu4T&X(kRX0|acf{{-oob3;qwbl&zugY-r@V>X(Z*3L4*Xtv666btv)PN>Gpulwk zdRU9oyvt(iAs~@Y1L<+=r(3up`Vb}3>mB7xZ>2)$+o-;b6HZ#j4JCc{Q1d*^Z1T$_ z8(D@Fd#%(t>QqTY)vrUON5#^7MxytHkN&f7q1_IoBQC z1ppm`N<;{$ldDQbDE3}XW@kaaO_lB``4E{e1)iv>7M3{jh%pPMHnaf~C{X_mWzk60 zEfCWe8p_dDVS(BQ5u-v4>u`!@V+@tb#lX*p$xC8JMN1{p-AJGdj-&zrAsDX%?>voi zZgXD`2PEi0Zs~GX5Q5qKS*##2qKPv(yX@iK`LlB9tYbeNs(2n}%pz%7ZVb&Kfd@51 zXIXM~J-dM?W<9%BrFMwn0LI#sqOELqJ^y8Yj-mx*af5bgHp_G336oezT5Z-#H=yBC zL^P=LFixpd01H*u{Qi29!1dTY7Yw%JxG772iOfc+xA@9TKbbJ9_^@Gva26#M@?s@g z*PweZ6UK?ntrm3tMU%}XRXZqmH4CINMUfnRjtZqSDD$?yW}vec(ae#vpsPTf+eCYl zQS(`F?>!q!1($j#xC;T{dvcF4VM>rVI@62qg+U3Uf*CI>v_Xfy!?FQU%KlWcB*PqcP$267q*B~d<*-U2C;@0gat{4=X665J)@bthbWT5CWmE;zs_dkNz z>v;8$3K*)%DFM;^N!zH%YOPIN$|~XE22=cd*4rEE6NUvU=@Rz;Bi4BK%Z0UD-7_q60z0K!xXY4+x1Jz}gn=>Bn z1((xdvG)+nQ)yQXf}%`Xu3kxZLq;dSL~pR*O)|100iCJ49gyauCs; zk+K`v@Ofz1m~-8N+^AUf)b3wb)`6g~t(+ThQv9G%#Y>tLo+!6|s9%kn)9~ZxWPehn zARjrl+eWCi6i!qov0_s4BpF*Mampx7X}KV@c$f&I5&=Hs+-_%}Y~Es+CX}_HvYv=! zh72vLqgGvPwV=_NMu&g&*{5>gR~qC7UC-b59tn^&aDLXnU^GHhMiBeY{e5bHdxO;z z6hn7&uFrBq0LFEmp!xtd_610)+#y$I`^*mqS6bTzKyiRp4!!p*<~;nb<=1GyGXvy& z0N|~Kj1GR(%FGuNm5$IQc{rbUkn@FiC z$Ia*6`}ev8?(-FCet;LQES*~pPyv4tM#u+vKDD$w+po4K{mpQuH685Ha4(zF0!1jm z{viQYWVqC)H$apA%MRMYbzL z4V?1o?j=ww^Ss*<`O1oYYwGGe?Qf*s0N;osQVi{6LVla4={zV*uaZBbGY8x`MRr5u z!2SJozu^8uKRoyZcaLCDTe0z;d z(l@`PVO|{z-?fE-5*-M5Je;3D2b%t=YWD3X$U2Xpn}d(8DVKc_2GVC&fx4V9>=Df1 zpdC|Ql&&{Jt72y{=hCgOr4cI~hhk~>Xwu4Lp>*Gh2rCp=@ji!phYu=%oRIL(r+(zG zzA$iM1t+nll9HInZ$IRgsM=ts&tADYsrM#=3RB^WU*${n*j*OZpJtT>sra^zl~b zCiN_U^`GMSO29>nf9u4L%m2|NvwH6yYK^(b0=8WS%YEkpuu`3xEz#Z4J)M2eR$)zG z>&98M`YWG)$2j*&=C4+QQ#T>z>c%fFE&aeMW~CDHoj zZt-S5=e^D59M~7$jsFf{u|ZzxH~YMRIwXA$VgGu*($(x2{{zGp&UEdce9Hfo{(nOp zpU=CU{w6JbZMj{HjJ%5RnzFfvvcW`(eap*_x?*|1YetuD=5#D~dzH`t6W!X>anrR8 zqz*GN3c>>E+nMbMeKFD?+uQa3FCUazjD zQ<8{QuCL$U?@Q6wlT$5!PSP!2uReHOX9DnUz}sd9z6Y$k<`5JQE1=`y?VW0=cf)&b z685o-n&uVnEs%+}flP#RGh$T|dTa4`_F+>$z`P^;N&*Ao%)c)K$Cw-g^f})o2Tqcs zlq0``g^SbFtioPE(`pG=hSKnX%}d2|pGkq@)9_z&ga6ku?*Gn9{{O_$;TN9ATjPMo z=Ah{_y_7%j2yDH?)z7BV+YEvTd8U+6+TanXyX)gp>qi6RQgVP;0zT1#>?jc5gX3v_ zX-;JKmy587U`2V%D$*zM1IQYJi5z3!BV`p#RFeq5v)`$gy;fo$sEe|4V@o~gT(~qZ zOiY$m^m9_cSeGoIW|o1@zP5?95)YqxnAC6f^X=DZd&x23{!_dtN3NbPJ;jgI1$ZhI z&bju{-Qn1Ho_W#zrpk|j$Tv}E6mfOQ3*;*AK`0^DXvst`U`j)aN)l` z>1jX?s5!F<$EgZM8Sjh>PNT>;SBkrQrwvg z_`Qg{HAod3XvD2peN$ydrjouehtcIXOj6>{*;x|4wvdd>Vpm|72rVoxb~!5CfsNLT z@*7>fcGRBHto8Huxlt@5P`m|A`kRnHqu*!pZz0mhtn8DH3<9(t>E&qgO>~Emh+N2r z;jSXJP7U~9XRcvp zTE>UP8hlv2Y!8Myh%;Y=ey%bYJQI@^*sX{%Qm?VN*jh_2=g+RDVPENd{m~%rl_Nk7 zfJX@cv+gm*i8=&c9HFNT&yLU45-%Q|#qFP?dQkCaW;{h6^RoUZ9a{eb z?$l!4Ub%F-d=KYp$Yy+IJ2g5OMn6gZ+2xU@LNOhfL%}4EWTu>MriW*gqL=MkFfZ^B zNzJT)-H|z>1rKq7MFV?L&^DxrEMa|7jiskN&c(+{3SkzlAeikJJc+{yvRE}KRZeu+ zjmn{vWvwOHu<>{sB$>s&fn@Y~OlS(N?XJnvoiJfuBPo>0)E|DLC9jdK$f}MprH&7n zi#Siq^FDZNMgt^3TdqqX^ck@=+cXhnJ#>?Yz-?;ljpTmNPoF)rTs+y9%q`~NGLfgx ztbMwrT~iD^yZ!k!7JX+8lFqCv7IBJ1vYy(Mwrx0WSo+H4y_9+?AZQpQ=MuuX&G4^H@^Ej&x=_8cBtnz?2v-|VRB{+Mxx0TcB&S5lS&HUhBy+P^wx+fIcGW3d}Q=L@b zSjY@e7#2v?RRGvk-$9#0f}(z#sD7K+$5o2O zs^r0rS%UYst!Ch0kNA(9rre`ZVwzFZY#PZU&^;afA#wFW87))71a9|6dl8KxfIyZ} zJ2M{I?66@1p=Sd#NmC|{!F0H1AL80+bnS#N16v(z$R|8JLv#H2#1vBhWPnwr@N0s# zQ}#QkPy%6L$43LuH!tUuFXd==wAn3#P?yClI)zkiyg-G zNksas<%r}M*=BCBkX&{c2A(-NWG_Z-D7jQcx04z3hii(au>r2+rO>4y-vZN%lZ^Ce zNq^H6AF(jJuvA3t;`?A$$>di}|HuP&_#)19NwmzF3f7Tofk%sM`m}rfHYtaZJbMA_ z1MyY_r@WSiW|DELDnU6f9(%q-x}$r=)^+(f=KI!%UXv~$Yg6S4R^!qd!vI89l6|Z? z5h)unwV+8fJ|XRO4(oQwdiu*XG7nr5eJq6M ztR=r9n~xEc6m15BIs=7mUG^!Q(j4n`AydC;m!O1YZ{j!<1VoQB>K3g-5C{TaN5|;; z#3x>8TTRMDV`%vj)RChS~H>I;-sw270)L0XF3%U%d z%v}RPo`-`ZCB_MLj&D5JQ^P!Jx7e+xj6FkezHk_5W57K_cc4O~c!4!2ZzMR-453Sl zb`xJ}&{B0i_hbMq2}@rAJ6<4Ljuo`I`(XPq^`(wxDzdFLhfZZ+CU<#9DFmgaQbK`Z z#7S!v>nq0%!i%9GynaO0#h(9^8#LDFes_Db_kesS9PmRLgJ}f$fN$WF6N)*hZ*l`| zinQc!?_HTG?p>W{zn|WrI>5GK6y>c@ix`)SCF!wi?)&;Dg!ef4fAQ4XtH+?_!@Gb1 zz>nPNf3dd;CF*4>vn;YYkiLC!>__YmaKKOLb$RCLw_Wo*AT6}2!K2h@00_;Xi<|>L z7!d-Tyj)RRm==~s5))2tjeIudfK1i|uy23SY8cR$_cT4RNe0{DHo!#~fr!kZlKf&5 zYXXc>EAl@*6mZv`*Q{LD7^flOCD4$ryQ{8rcaR9hyia>5!@#TlA?e%0=`^_|;D}eniGZJg$m_bS>N4e29=^ylCF3fG?FlFt(JHZOA3>u zly_x#s*5Nr^ACJNoeXwj&b7wnDuIs=~bmn7i5laAGpzM95aM}5|w$uOjI-OS*3Q0 zv7w9MKu%>nCx$CRX-X8q=1V4=;|UptGLc(uYDfiasY`7bq`ej%A8=Lml!STdLI;{x z>&X!Yru@%ok3-{vk9dZmmjc!=T&B&nQ`zF3Vl(-$?|fX{j-_h?ZXTLE0iLT&Opd~$ zV%smgIGCa0ULzRZkOUrpujknAJl|O;gZ*)RL~MK{t9L|`Og=$U_)?>7ef;sE%}hDW zGXxqwGgX<)Y&7(?EQgw0?Hj2hPpT@3{=?&}jSNxfL%R^)LqU3vqs%xe=^-PG!VIQK ziu#RH=XeqK%7$lrsR}J`qgi{U*(&>OCU>YRV&(JHj~QiK)L0X$7%605q;kZ*jsrgh zyPT}SheD=wbU~-z}B0#fb@gY zd?b6~E6Wzn6unThnt`9B@Dzml;Q1yDRy=GIlQGXWqJuX6{aoR#W(x3pp;cM5 zHlsG9p~Kf#dPE-$S)b^>iSjHLk|@kd?`BJTh-g-Y9;&}4kX@@CkyZ|pAgvgznG;Ma z1r5-6S`*#wFCWwecwW(mmr8{rDCAFrvFd@`z@sR?jN$!Znp zc$p|4D7GbtMekjCefZy+IrDI+`*)9L%^JdBC|g-3WX+7oPBHeGP{K2|8HFsBUC5T5 zWX&4JSjtu?*}_;ONs26CBng8^_O-fiYE z2W+L(&K;qKnlM>cZ8k?1MQcQ##Z4hEW4*bV+e`2zVYsEC{<-nY8dYu`Ln^Cv*W0RO zX*_*OGH_Zg)yJ(F?R&h-*85*dV`ap)aItnjkG^wxd$W%L9ua{%z)-h=*Zp6lm) z`HMJO-cJyX{&Z@rZD@*A8stlv(@U!*P@m9Pn>H6d{=PLhf3WkdI_?Ge_=$+PP~8qj zMB6FW*4a5X<*lKZ0H4&ws!9vJ=m$@6V?%Wd1JJyscdc4e=6n`6%7m^>EaIZ{-!bYI z6dL3YT<1o&Q@^sJ3S1|E8fsBzHHKI%rP3^-9f&GP;(6{zq)T&go}KOU!zf;=wzQWT zU~D%=(jPpR@7GOCy`3=DZ~J01Ei;?%C9)#aVqPL~kE`;8(Y40F{J=Rm@YSng#7^Ip>7 zAn}hIxF`e1G+ZNfVP;5@e%yT6TD!nmo>I+6@M2!wKCN~?Dmhpvtl~aq)-ThtqOkFH zGNL)_Dq7A{EtCO4LfZ0S^)h_V!bIm`Ze|ZQs36kLkwS_#sXu!-tz2+uUBVTnCys=8ynKY`GdbsTj+3qRn?;&9Eagf7kF3#s2vr(=(~)EU+KbLN zzI)am%A<`SUO5RvtBc@aI|aa{!_W*$FiGR`O>iu__cw=g3Y(7<&6WDYs7{IOM? zyl1;p79yH~Xd}^GlT@(G@}PEraV}i?!&*97N0EtY-exlTafhg`c5v(5v!BGn=4B_= zr4xDzuEBq{<%GoxH1aKPV=E$GwFzDnZXPlRN$$UKc44?NU%3|q0%G#BIc>T|N9W>qe zA*|vrDWElSin4<#y?KWpK(z;VJrL$cl))X(P=01xFr;t&R~2#EPOb4*(Li0k00;t5 zZ)~o@4$p9oi2jc55^wvTsqO!VL&LikoUA-DHogEal$dySD{*}wTiHon`d*~Dzf@$$ z%r9J!#PRk{nq->0FA$9~KCLb;eVBdBj|?DIbG=d}Bg;T*$r#|_3O5SHqB)yHhx3aP zroqX$_f%#2la8u(VQ5e)Djf4QZmV$SrJ<(;pA@vDHD$}q6SRn|FRAdbs&ULpN9LQh60xi|$KDez81fY^03P zh1kfL9QeM?yQ!&`n_u5sbc6Ak9`4LS&g)97eXYaQl2-4_5kkgaO0f3nFGUJ@3f3WZ z=$I+h-SQFRo;hi&fYiZhn~VA<#k~B5)~IyK2XiNwx!5I0EZ#~U$#XZ~xgnJ#Bz#AX z>tOs8D$QYU*UHLnbnsf3qOk>8<;mhHJ%+=}=;A9CpUiY{@Js9*Y=?UN9`vX-AvY51 zQyvhOMIcO=Nmqu z+|T>E_GUB{vE|vDUn7FgDHAF0&riNE2(kdx~zG(h<5R)dyPK( zY`M*RQ3AJt*bnFRAwPJN4!+kmBIP6`6Q(X+rMK;fB`m<*SS3%vQRM}MUJdKi-dnYZ zq+W1XmfRJfjTQ*f{6qXBwHSAgWvwZn7hcui31=yk+7Rww$qAXj>!;7==^WeqC8Np<#kQ>7lnl~%`Y*UF;>&Iv@T@73{B>3DMe|kWDVqR%cPBpfK zK(NszS`31rluO$6-7UAc@!2u{eng4(a8lmu(OM4ttcI}iXGT@`)Anr4!*A$B&r;)i zy|dTf71KXElMr1rQ>Q-!-3=3Pw1mQ#2_y0+g5!>N(4m}qINRDA%;Nnb$k!CqO{fND3Y+tqdC=X^=TgYyY2h{KxoHPJC6 zd7yUberTBRXgtjz436MZ$XbkShRUrw-kYEU(}fY#=27rsp3l+fmrj-<*wQ|%M?p<` zp8JE`v~J-K=PR57@g?ES1lNrTCwgocnBCem`)>k|h0?Fslw*jUb?e_L)E;gfIjbH; zu07`KwVqR&^pr)Qh7EabUOb4g%2mmf{@If>&#|L?v5^VH{5`D?cHXZF2{N>0XRIR` z439{NP(@#)>o!JnzG>*CB7khUZU*BcOW85-hh|8JcHYSX#8o*5CD^)o|03v2Fw4C_ zL_v%QBH|bLKsu93hnfxDk_R%E1TlJb&hkuE@|7bHVWIeOP1w3?T^!&Sj}bPc(>^7-&}I6HQlqqz z=|?p6xI7#NDM1QqU$gHmZ0HPRpM5pD^f~LYL*lgf%{anreq}+->wF~-PL{T}+G%3e zLaLIMMjGhJY`z-4&f|Bp%~`SNl-vAhfjJWa!kzdPt)h;)3r-AGlSx8o3{?S!!3eOD z{Ic#<^a>Y?!fwkA#o2C4knEr1qk0saCJ0LXL&}NgIu4Qxyq*mCRJ|?L%9Lo2tFAke ze7&D*_G8RK4a4#Vxo> zIv4Ag%nSCYO}?h&XE^dcV$fOhDCFlT=bDodq5Qt&jyT%^)CEzov(j*hnZQ!}td^2+?=ofLxK@Ru zhC%YE&N}A$Tpz;zf7cI7Alh=nsRO10QQ zn=#7Oo3tZvPQxPj$;iFD1KNrw;bPnDC%S2+M!S-4RV@T-D!K3nq~3hWP$k51(G#PL zvg=|sL=Rjr&f!@jKf%w``7qg5a;w*}nbN0uI&-DbT`A<|a_e$MO$%CN3>!-75}Gte zQ@XN-bek15jc7@{`1k{z>m4Ag^2Rr6sboSE(d7~p-Ys&<+2@ga_0hq$P-+EMQHk?q z0^+x#tVH6>B6FVfCeyb$9xFfX%n2`14N#KzlXU*x%h^WE_j`f(!wFyJlxO4iBfROQ2vR4p zZqZ!&QJj$hIYS@>1I;(HSMAeoH|9yB@nf>Kdc8*|C_$jpA#$!Qt)qLI6!@bReb;Pql_|0{y?^X;hTm`KDQ}jt67~AJ< zZj&f#P3Y%iF5!l8XOlY_~Y-ACUCS0Zk|11^u;vB{w}d;3X1SgAb(7Tp*x+`&JfHE=psUG0mP zupLsLJe#|4zy}0Pz`sgB!J~sBcLE>u55mn1m9%|&>dh{`R_7qEqw9FE4_6xEB)M*EVM}SAE6wbfmde92VY1#vb#jP zeFq$TR(=1ep#4F;`VPnZb@!%$^zSUe6`@THD_`$_lW)D;vYk%2AvYGXzdGZ;^7ZRZ z=U-#=AmvA2Ua9W`7Yotq9(?fCJY+j*Da3DI(7nL>%sTkqU-aw2eoJByvybhV z;Ln|zJd`UrGZMRmQndNedpWM}%7U$+@dvO$*eJNiwQD|m%8`hDL=(Zo#I%#QcN(SB z0W7tp{{|CeKN75Z{&!qQ#;b1O|D|TPI)(ca>jeb1RjZ5ejA+PC;*M;&VjC_d()i%T z2xak5c_4B5hT zy!MhgP}&00=f@8Rmd>TWIazDanf{BDW!?syY(FBPIrQ^+x$7ptcWY?LDgiJ>?oa{t z_RRHnJD%1ZlouxtVc)WBwL zTjJ@UdFhnXBXDz;@V3^x5U@s%gLjrg2|yV0-C1`EQT|o|IFWE04eCo2q(B`Y1<@cS zWONk$hUTz|TxKoJEjMts{A@@JwxqzxePKE@%PT7&CrI>|&(<{$k10SEj1Vb)Ffi^` z-hiWpHm~Irh)hv)@hlXcmUz88E1>I))BGUJ(_k@ixO%|8s)1 j+3!@3eo^1FBLV`_ zf^@^Vd7gKl^L}{uTDv}+4|^?UF>%K~uU}l(9igfI|vC4-T)`1VVY#ysU#=@$KBfc=l13nWuD;c_BVUcv*ys-P6 z3azlPM6Z?QAM1LW{QjgBZvE|b{?e+~u!>11bVYC>#Y=fllbJPMkcyCqlf;o+_`o1m z1{@I@`&j%|ZfYw|xGSUvPS&HBOJ0L-hWT zg`ve0kR*MShMSe?{3@B4?l$kbJ=>G^_tK7@;)tF;Cu1}w$^SRc9-`n5(Ki&Wy4KLT z!LRlgmqY6{f+75=cI84^BZjsRqo=gGdYP(ery-iZ(FNa$3MSzO$3$g=hO4I3k=eOu zgH(!VRVPA*>zm8GwN^Yh0)ENTB1kX3vx+n0Dl{TPmPA9^@#7=TD=x$!SER(f5{8c@ znG$~NsfIox-!AuVx`LC3y5z9bxFGgb5FLkaW%$LH{S>U^kLS2L6Sf?U9_y3oTpZHr zPJ;K`o%%5H^iGJc@P0;ra2SV2Pi|m$H|}978#z7L%OZrgMkLn%MD#&UK_UfiQSoBU z=f_u%-4gQ0nxi6cJUqDUK}5q#;Y>N)=DIkyEqcK?l}kfH4L0R8$Vi1PmY1@2_H%e5 zlDhhBNxQnk-O(kTOd8y@!seQgQA%*fa$Jp)72X1iTny@|Wms|L(@scvlGd*f@j=Lg z9B|=7&{4t2L|i1nUc_hDeoRTIz_eF&LXz%oZI<=tG0m>kZ6Qv%eDRJM zdQHI(q-==Y8Z+HS?vFo71AeI{%&tck@YDR^1Z#p2=(X1Ok#y)1hjw7{Wv78xbu?hu;U_<-?IE~Yjo`0o%@cxS}3;bTzSE|7QzGb23pkn9=sJ>QVAXZd^%~th#4m zcW8nSsSfhDr1e0Jc6SjW=DK=BmfD?*?8>)!&SD;I&)hjGGjp&Wo}SjDR0}<3bmef| z2%)3=SjTPUFpo#8AS3FiddJ3rBNDRPLZS45QcDiqFNKHeMLv6+ER|pVcq2NAWq>06 z++`TVpJU3=A?z~}n77%Jv^;%F0E({?_?)XFSV6F|T1ypQ7N*j1cedn-Hx+xin;;!zkSo({>U4wM-pGb5qEq+ix}&N?Gr7E%`64cvj&|_yhKo zvqtX665CNueuJ&b-LyGOLerUd=SL7f!lex84qA|wTv^OUj_R~6YO2uDZ_h}Rb!FTb zC;}cky_G}DI$kD|r12euZ^`^tZDYYRM{PWfOe&-4OR`Ehk9WX~b0xpxG8V+2WF(it z7H0Wy;AN3irWSAuq43iY;v=bxEfYF4^__2w49T#z6a=-}6k{3H%j3w8evIEfAIjHX z$eI&a-XSZiCNBe(f#M2!b9RG~4_q0Cz2zBA5zoU5M7H5o$S%L~BDt@UGluwA&-!rE z+|4I>rB2ePtP6#_o04Tf34$bSkGSi#-*vnSVK4opQ3EdmT~1e*;G2mn3)nd*0c(jF zpD-(xmZ)$@#oSFuMUCuiW_1vQff~47n^g~1MTxU~zb9#|a6R;u5!yc*plu${7ngjy zsHQ(b%J zZ%ivPZBpoc*7>zu;jyU^b3Swc8cRDQPC{53)z6*f6l)LXLr(k4Mfwv?STkAZ)-ZRS z%p9i2B|I&rwo|c$EY*X?;k{OY%Uk>19CB?_K|umvzxLdWJ1 zaeD&hj>~A4D>Tj6v5*Kdfdv)s*S3)|w+}7-EV3O6wc@c| zw2Gt&(gne03>C|)u_zM*M&A_}{_sBk_1;*885c22&9YM+F6B=0^xl>tGw$&1!Rg`x zApudnLyt_TmjHfx#z)@Bp%83*wTuWB1Z^J@uaR8Y03~jK@tw&RwPCWPo+-kV<_TUx zczo75#Wku#wugJ=s|ZH$n?gzBm#wj|s|4*{e@Ld?A6T1MjBr!^s)Tsoch4^6kCpK( z&wytmV#AsRNfrH7xp?|ge!1w*RtnWxnNoBvUrr(Gx!oX#quS$y;3_?=W8R=WJ3e!P zCGo7aW2Rz>@>DM!#!=!b;(R6Z%dSOrE0}`8+18)QyGSBWZgNY_DNo~W8F*h|(Lhp2 zi*e1}C5Te$@;R7c%a)lW0j60w&!IsZ64TO!*j#D$2oYOFpt6iED17}2Y#QI_zL zH=v5ial^1i%@JSp-R14e;2oIr5)DpuS&JGq_EN!HPRo5Paw_fb3x*aDADoR;G77Nn zr^^jHLj3O3A_`M$8Sg0W2;`(IH^N~+Q^af`y5-~Va(?x8rrCgXK!ge~Q)>Dwp$^qC9?&BxP9>XK+_v_E|7wCBmHpkmX}Ez;bilhLQbp=@*i z>1HM6h+y+2+&CSW>7X|Fgn+!O*r0@Q%g2sHotqI@DV$^+Y>+2EdV|B%vvi=k@)pBu z6d0U!&FB$(Fu&KvX}6DnSUVzy>j}oO?Cm+C`yfqBSj73+6Ou_#8+0bz~Wx2GC z=Kk#UU#yY;-(`&!aE$Ny(Qp2M(?NYI-(NhY*)xyi<>j}jZ%E_dm4+HMRc&v0-u29b z;R{Y46`!~z`uUSy3Js{s=;M8q*u29JfO{U}+1u|gz;JtdYsy8bOYHZJoLUaoa^e&d z_vaYsIgR<00GfJLT83&CJHGC;yDFRX$wH05u6?^{ydCiypT`3%_rlO9U2EcMzICAO zvCdhf?h=t#i@MVlk}fNv<_i0hze7)SfCEV!?8-A~u_vzjoWp~d9H7WBdwWQAWSXKy z1>@zsO-_Zd$`_Z<)z-`NLcFU6=>xblfuc)s#?XUNIkiYI$*UiYhZy?`WN!!dKN^*x zn69EppeBsGJ`Q2~IYqz7U=KO&(qCbFS`bx$@Ge%~RZ3sCdkl1Pe^nU6fJ+-&n%o+T zY|!5(<%~ws`jAy;q?mXY{qte(F+)ClPIX!nDq7D{M|?R%)&J3Zi9FH1Sgo_$V_T#e-bAsGu09NiCL$;;Z`J8)#mRrO&Yvfd z!FKTHtqk_ zcQdJ?^CuXv(VXNP=|j$IU4I9tSleX<<^D{?MV7Z%1C@?r77 z6POzDrZIRf^^Y=+0To2sG5UAr*|L~my=7m+2cDAY3>%YE|IFXG)bmh#uQ`idK-&0u zWTE<e$Ah6GdpwvhcajzUpLhmSz=>`(%tPdu#I?4068>5QkyEaauqh+ zu-7;XZ**HNnfE;o7>HH^ztwnybWab$kDE_q3iv7cf(CX}Rk2!@#)BxUEL&8Nx1!oo zOz(3Yx*m8H3KLA%cbcKZW6 zsKcf0xw&{pN`6+>8Z!cnFVl6aA)vYvP%}ZIZrR;^m!CY;gbf{6C>uu5*Pp)JY`ydv zddC&nH%4@2ul$ zz0mqT_^hne1f|(G^3N6g-&KkKZix8zh2g)rL{zKzN_rr}Tqq-AP9VayI{)kh6swUX?&ONNkEebtJM8jc!l`+;mn{yOxPr9*_BE5#PH(bH`6%suAA_*)Efi#{}cSuqL!H~p=I?wCffZ&wMmQj>s`6+ zzQxDW8)5B0)Mm$L^~pogh`YstwePg2&Mk9-2l!2zX>5wjyaa45;xo=6BTx$Py!cbytx~^|#=TV3w88cMQxFi$PJjV89+d+lk2)R$@odHijb6#< z$$LQ7Kb>*K(APo`%pt&z2&Z_{AEcgy1=Id{T9A#^ z5#~y0S=kF3u0w%sTc4EBgzT?f>av9xfh;la4Fb%caTWfbr+>m=vlt-I^pgSlon-S7 zQX-%#ieZ!}_|dO(%QW0i!O|_7-1WkGW6e(lZgb~5kS9tE%Q)9O8oSSnXsz2Q6;SFl zSjfV$ov_%80_ub^@j?ZzoI_%ZHjcrdVmj>k& zzw7X(?P*~hTr+o=_{rwD^1A^!1t&{jQ!hd>RFB2wJ#o&6cY}H~2JYXBiC~PcY{WOm zbv-za&lN7+3Nn*{#a9lQL{1$G`P|;tbLI`wOt^GkD%x$Y?`I5M7;0&V)ososJ1Y(x znmzyf?meRO$kic)gVZ|Rv{ip+5X+@^QZ{h=hS!_uV6ZgJea2?7OvyJ71%b`>)G;j`!FIbuXu&_B(P$2$iSykY#Z$Q|O(HiiP6wtpvz)M3s#t`|?JQ%0A zr0)DtRTAl1jB$cB$jr0*gd+2#8(92|{wL;J1dN^wz?yd=V`cRjSx2VIQRQ_k5cU$j zc1|G=xfN!$h9t0g4}V$w`8C7kuQ6>${OFK8tmqS5oyq3-N`;dqNIoWHDlwJST=VRC z3$EmQ&im#E%60)l#tw@U#3CwMdHJGd4w(g8pXXx^80}V++|RvglBTAyXo)0m;gzV%$aJe1_HBG@Iv$0Im6y$Sl;%aZaEvmo0EsHyj{_`V0 z4lq+wh@kNBE$q#gZZ&YF3OBcAj1X`b5d2nMkk$Z=V9XL7S+W}>B}#8cw@A7QE zC8pz^dW;rqqeWafoV=AYhg{+{4vi4veqegJAjgI1CCYu5E}uU+D6DB<@I@&*)t z_2ndI+l_=n`BdXOf~4>A&)Ao)RYCi03F{{r!(@aG%pa z=H*v#y+A7ft<8FJ(C>|jIyYziu-!L!<)si?15aJ?fna=>>|qSzV@u*=D-Xo@(MB2X zdH!yR7{+(j2cn1)GIW$aZE5hI{qa5B)RFcEQnqB$cb4YGN&sM~mXI8U%S6PTOa4x? zuEq@UxMo&fOFG^dkD@kW7|_})A`Slu2D@Yc+4L_vs1N=b**==Au6X_@rv;!k-^$C6 zKsU2$Aa~<@E(3G=pKv?>OE~r~JXKeiGeC^##a_K=^*udZ&Ah%?gq=05Um)Wv{**ckw;ZLLc6>S;=cy*e ztdib}t@JSkKoc*3h`f8maNa?{bkQr;I`&px9uDxnXzkc}vZ<9jTIpiTzfw$NX}a=M zQp$~+&~yX@8n8=u09jHg?QJ2>k4#&A8$_t&VSjM#=r}q3q4A#EBBaXUYpxY6GR30s zY;1Qucq4gNyeBgP@iqRWUtqs?U^?$zp5cewD4)g37L53N8^3GCEvSX zqClP@)dBg~qM==LfJ;HjX32&05a+!|e?~hK!khF{gdf`wKGNW}ns%3oq4@}7U-#;V zT?`(eajc#J5+|Ev-UMdh=AG=0jd-*vks{$t)SnF%Ps<)b4;nc%eypPbapu3~HT!Jh z3K(e;$5E3J2`0>mC)3FI)=KV={r*$R2D(sPgr?3xiHh%i0*mLS$7ON`X_art=fUgt zj2d@#-AqH;h>Zn{>ncdAA(}>G-+$Iu1=HG_F^STUBm9nL^1Fx~{Wr_%ZbmeR>C*PE z=`WaEp@<#saEa#ZY`-VD%8$LILx1KFvF_MN7;dA=#B{dQx;58uP|A;o!x|B1OuWvy z0a>te;ND6C6+&5b7D|5WB!S!?&VaI4@z`g^+|S0~jY=l= z>%X06r#qrSs>*)TW=fuiQ~K$5^eBAcV3{=Rk#h>;Cy7nD zfRE20*b-|#pIHNqzm9zeX<&iaZxh=4MJ;O<1UPZ>b`?qN#&Zc!X@v>o;@CB|R`RAU zM+9xy{T>^c3({S;5N`qX(SlK5N2JuZp3}+U6Bh*fQ?@`v56+XE(vLQC)cd zEWopmW5|cOf?pg80cykTiK8^pO>EwlvfEd_!A{p5t$)rQp+{GaFK5*%jE#TO-k@dW z6U=O~pd8$|IXt{H3IoOcuf7``t~~{SZhCL7VZR7=TCiui)NuMcpzPy_|1W~6rUB$f zJIUsgcLC+KJJ-kn+c}73Q%_WQfA>s`C|k?gD-mUry^EH*SJwaxM%(~s*$cy-73lug z<8uc9n^z16_o;4l?0OBZqhjd(^B4O3T_R)r*K=0)Qe1o7yOQ7lh zt0@J`6zldIA3}OVbe}5q+qU zxzSC_c&B4T<9;RUFN@oMe%UIP^A|<1X9!~Kix7R%;8it;j;`#{{Y$pyp!!X(>MEmw6w5%=LYl~yo03nRQk%V=5Hm43n;OVbAgN!ftODq0AK+^psbeWNUg-MJ1`Z%!HOad+s zS18F6&fgu@o>uiS+N0kB(D|axzeNNcqD!c1??7M78bG#+N*Al@OImF9J#}?>R!g&6 zUa)#`y6;}rYQ;)BPWNV8;Prenkh-kV)RTa`Zf9D>IyeDv5xVBN-LN|6fBqW{u*-db zqYORhm9=+DUyh5p>WLLS-XL7NKm0(@!tkpU8s11~8}q@uQQI)|_;dQhHKatZOiz@) zsh^1VML$~{AT{Z4@H4I7Eec?7r+}7M%-d5pltmhQJHjK!;c$jYRme_7l}2IM$11Zn z&XzfdkBCa*V4%NG%Bx`l*hxpYU~de)7{YTgLb!wJRaE$_n8TBFGQLKv-^$eEH%5h5DBb{$JRTOA@ zJGGRCV#8h{%xr0Fepl2neC`8mFCnh>sG|cI-y1t^D1*<|t>Pie)wE@dA-778c6Ov1 zRI#>_Y4FAUI`bkAG-<}JKxDt1we%Sk3$DsHA8uZ2=Qt+GsGdTof?C?oDXWcL*7$eT1hd@DWygp}|-lYG=6 zA7E$=eLAddxO@LVErdWT!q&W7BJ||lS+mMI!|iXxAY;@c#dMz_22H>iQ#R_de4n2@ zrlb8_ciJF5sg1v$6Su^*_Xy>$)o1-+_>&~{eMZ}TK(={qqRYC0NH=S!kv{ez@&2u% z1OE3z3s3wP83Nmcu;f^k2+em0v=#29+Loed`=wCWEuxk-y0DBn@=m#5FLb|C3#glz z2Nw;Nhu~_gvikkTAUQLAg)m$EK&aj3L{GrOi{E*E z)?=}|4VcZlyr@VbcHf`xsGlFa1x18n3-#X9;J4JoCY|C1+)szZgD#>6uX)FQQ;k%5%NPe?8s^SV%Xv z>W%-C|F=^57iP_kF}QR6J0N4{kS+7N?FG&C%5mGf-F?_8J?yMgEjlbiB_*Ls~MTs73i}n4j!UFxq;Pb#~Ru2nNka~cy zC$w1DU@n@jf3~F@U91Oq9S59+#H==iT|+!9%6<316Mu`a>)j!yT0n&PuEy-#`IjQh z|7>3ByzTldoo2RbX*PqeRjlo7{0{lE{mp>Wn3`mpo4X!G0>VltSGBaGKgJOk`4W@70F;!U1@o`{Gn5Fn zOrm!GmdIwNwO&m-sN<8p7DIWf3e9vI=c2z_)oSa;|N7s=^)$8P5%9bGN~bplI#28s z1-(w6zozOPxn6d-c^Xsyn4s8bA7TZP;Y6uP(U55 zv?xfUf)A?xk-q#7<`H@$>iPkd{y$jh@;{~hSS44=>gLXF6yL@E2q2nHfhb<*H2>-z zYjwqtTzZ9R+toA~>h<&COxOq!jUD3;f4ZTNqyD2o9 zPgl|bQ}ig2))vBP7C`rE^Ws-2bi00Q9qDZB2xsmxvQ){)Lh+On#z)dzM$$wDG`HVw zCCKnDcQ{19XhLF@ z)lY8#%-CXrjKX7oFuePo2NToC`qp`FlpgeRsjSroqk13rlhM7ea3i#zOv!}3n;)~z zpM{9gTrn`t`LZ{{|7<;6@S=n1qGNvqHVc_&KJM%?h88|%VEZU z+#YPmOnU$G*RqMtW_JB+3bGgG!VUUgZqqOG_tV01KYmTFy0y&Emn7G`^UnVf&SJL` z@&n(#5Vu-5W36IcBaRKI_h>O8@ww$=A(=^As0w%({zIyVwfRGbl$w%E;V-!_CHT*j z$DmN80-pNzNl8g4E^U8i%-iZ3lR`MX^BYGQdX-W=_`41s__{T2A2=AAns|cU% z0nSW^m|)yJz%8DEtz@IxwR!|o_V2O2v|e>)&&P4axV}P1FmQ*mNSJT3zk4hIa$V_; zjyGH8HF0Mg*7K5`H=4j!7aCPb6d%Ya;&ICmVUSGlEJirb$|~u3M1Riw+=+D_Vg@go zyUWzHCRKHwm^Gpi3Ppb2u}&3j3ID$Io*^ak#MZ$CJDimx{|1kAei@upORsCUiv zmNTFaXHFlxk&S0bDA7otjm3#_nb_`UUY};x^>%dBj7X=`kj==!^HHxq9`y;^SY$91 z?cQCQXdd2fC8oF8-n~l+W~cy4HI{Vh3yR!B z>NuIjt$klk1MgS?=L6{3TF!+BKWqP_`Ip{CjLP z;i&$}wKh0s&t(=$qR-9U^<+hUWp-#x8N#_YE)dP|iJ_j-6yo|&|AO0`MvM9_1(fkj^=(M~=`{c+S7XN00&`Dms-`wW7$-~kQ$=SMg^`Yh>Dm@kC zp)QS!DWT@MN^f~uO;tc-sdPz~d(BL>skp+NY|cU!Zh`0l!m2)Vpv;bBX8P9Z34W~Q z7G+m|>Jq(evhl);JfM3P)G9VMo2-m7_zoBHy>jFZ8J8r-I@IC=wCSMfXk%-QF;5gw8IRC(AfPM>Xyy zKlJF4q7CbLc+*$c9w|e?t(#%(>XJfC#&azOy&t1v6}sQcIVbTvFj2MYeM+yh^=zu*=ruW3nM-%1UKtIVju`*;`xzY@H@+`|14cfnnh6D9LggvC z&8>m)%IO}@qdbLPrV%2aYK!TjD5fwzzwHQza-x9UsD7(9=njD+V`lK>&sK3ha6qD$ zE6wUli~2r_qIQG((dP!Z;pVJL-?)k&u|z+mY5-qP+OBWi0)=o7duDxIVFXj$XHE?& zzZ;L0##O<;S1;8;6ZTlBU}1MlC2DJ5Kx<`j?gfR2Z@RfK(5sti--9cDy zE-;ASc0VO0NP4Jyfz%bnAM*CSSp=31S6thQv0$l&5vS+K%^-@JL4CS$gW)g+T!HEb z7S#{74JWZe z?((EhwXlN>&e=?#!mBr%qFnwAUlxHKb}My@dL7tcfDS6S+2A*25gB-P`|CH}*D|kW zx<=ehAh8Mh*RkSA9Y`|p+CGH{!vDI4&wstt`oB*=m!*Hkh|Qf0*+{#skKf;(M)9yh zmW46CR~M&)Dg1T4pCrEl?9=%tPA`ykxJgy7axsHbjVu$&oDx%&U8IkuEm5yo>8Wb& zk_$;X2tw?ez4qbu(Pox2$v~O)6x%9J`jDJMOltd++UxPaDOgqdpJBg-0IGOm4fQGJrG zKmYwoPAIToHekvj1t^E%O1wB(ireoUl2W_ilLb-~7|hUESHw)_Go#6sEAbWPk`=CD zBr1wl=1UDJ40$Sk2JU*5S}%IN1iP|q5e!&nV`^|&!ao+?tz-VH9d5O``mK4G=rGHB zu8fBS6k+=B?z}G&Vz&_?xZ0cK^_2BGGsN%FC1=hj(ZQ*oP<6fo9twBM%E^5y(A`yt z-i8jOMsPEqa&e_*b8{6YaS0HXS8^jPzUm~9axN&Ve&q=0jUDXGWKF%#sDza}$&F=K z{u!-TqC`OsWsD8e+L9?Q4ut0Cscf_GwuFqabDHZZN)_#yjdu4x&GcGH^$c84jcnsk zz+0MoO3zh$@BAt zEWC*RQozP_8|_~C7_Oxr8^>TXYl&r}>D{o(yEGaR2Dc{mbj4vrIH&OICplc6MkVA# z!hu{dHcfl`bW2htNCQK&8y{Jj=E8L#^b+r&gO*W}_t|K1ab=hGHc1IiB6Rp|`E$!d zA@*Sm_O|teN^w_xj`bp^hF(*x0}k^rB28GQTfInx*eVijAn-7!Z~@vKVh-+1e%Qb) z=OrXSx#HG2Y-2oYdAEDH;ov-w6L-DLb4zt>MDM;Jv}6GhqB%f}&rzBg+hCWxJ2_ib z!-xEn_GW01zik$#6||q zLAJ~M)_}5gzfTccHeluc`0A8oV~RV>%)LLmHgyXsI7uTQM=sU^`e{WOAQ7vK%46P7 zg)8ucl^ht@+pwQ1es5YB0xJ1Fb7x1Vz58Y5+0S8?`)2)1d~PWC zWIUyH(%rz3s=@STp5EV;aNjs6f>=8dal@h@ozZFSQ^jZKvM_si0j@_HndNN#*D9qa#n1^PmuG7CpuJL0O@fj_NRlu?qJp zWuBM&W)hk@6MBaS30BPT7wzAHx|%;-;3pA4su?E8D#Q;YG={@F8rqdRytIIU=K@yO z6TO)XwGY@iu*uuiKPy<4t&;6xS2r9RH>^t8XD!>uEevoJw?4y^iAP$@?z=)X6>Sz+Ad0o2Y3x1IFxfB7ps*+QNSEqq*9SYR)n zD1hnwaSoTcrz+zlB8XpL&{3H7;E9z;%J9_pCDK1t4)r!S<3iynu;N@5rnrh^0Gs(tk2* z*xzkjYORkgZXIH_Cnq2C{ zN>i>GGr>Z^a&~MHV$xs&OS0GBzL@1k%XfM*buwL!F-ZYxKf&tcqz`u07jV&6rXj!5 zONZfgy$;eovI{#AQIWTLQ;4em2I>YDVFFi{=pdq#e*ff2H-K}h*#Gi}-ID~S)9W9cm|1sLl1bqCI4orab@_5xv$y{TgA`ok From bc29a14319ea4f06773eeed0e587b5c2b59e9d10 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 9 May 2019 14:38:10 -0700 Subject: [PATCH 342/492] added new imag' --- .../create-wip-policy-using-intune-azure.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index cbae7321c4..be51cbc165 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -588,9 +588,11 @@ After you've decided where your protected apps can access enterprise data on you - **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option. - - **Use Azure RMS for WIP.** Determines whether WIP encrypts [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) Files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. You must already have Azure Rights Management set up. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. + - **Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. You must already have Azure Rights Management set up. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. In other words, WIP uses AIP "machinery" to apply EFS encryption to files when they are copied to removable media. - - **On.** Protects files that are copied to a removable drive. You can also add a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. Curly braces -- {} -- are required around the RMS Template ID, but they are omitted when you view the saved settings. The EFS file uses the key from the RMS template’s license to protect the EFS file encryption key. Only users with permission to that template will be able to read it from the USB. If you don’t specify a template, it’s a regular EFS file using a default RMS template that everyone in the tenant will have access to. + - **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. Curly braces {} are required around the RMS Template ID, but they are removed after you save the policy. + + The EFS file uses the key from the RMS template’s license to protect the EFS file encryption key. Only users with permission to that template will be able to read it from the USB. If you don’t specify a template, it’s a regular EFS file using a default RMS template that everyone in the tenant will have access to. - **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive. From 402fb6538d0f7cef2e079c551cfaf440cc26e99b Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 9 May 2019 14:53:58 -0700 Subject: [PATCH 343/492] added Note --- .../create-wip-policy-using-intune-azure.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index be51cbc165..06d1375468 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -596,6 +596,9 @@ After you've decided where your protected apps can access enterprise data on you - **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive. + >[!NOTE] + >Regardless of this setting, all files in OneDrive for Business will be encrypted, including moved Known Folders. + - **Allow Windows Search Indexer to search encrypted files.** Determines whether to allow the Windows Search Indexer to index items that are encrypted, such as WIP protected files. - **On.** Starts Windows Search Indexer to index encrypted files. From 7e9bcb3724a8cfc1835b4efe3ebf24d671481c40 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 9 May 2019 15:06:20 -0700 Subject: [PATCH 344/492] new image --- .../wip-azure-advanced-settings-optional.png | Bin 23584 -> 23683 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png index 02138b02a709d31ff3a1c22f09c939f907a810f9..2ac8f45b5c4f2bf46b77dcbf28f258bb34db65e3 100644 GIT binary patch literal 23683 zcmdSBcT`i|x-T4iMFhk`Rp}t0(jkD-drjzw0unmX2~}T3nt*hH5G3@3BArkz6ln zHB^j1pi>t>pcCEaPXhna$?|>?`0IqXk-8G749B(vyg3bftos-Qs))a||LhF#{=y3l zb8irc(dYQjiD?JU01(LPrl!hcNWhcTDSXVNY3TaVykh-W;8u8v=;Y^;ZzGsrf7QOd zclqs`n=t|Tx?rD(ry1u}ZmCUnT+$8yAX?)!Zc%gViyJTF<}9wLH5h9a4fdRPn7jQB zA?^*Emu$JU8L~u`4IHr~Q;WScm-T%|3X$~D3ka%At75*ahbgq~2pAU#A8;82df6Et z6$`v6i2Q%`Iy@2p4kc&#YZaU`Ewh4`8dBu<7IWjDJT1wT@<6AArtVv0Z0XeduTL9D zsjm>JRrb3(3z;6yN!knIe})%fU5b3dt<*S0(W6|;7c7T$+h4syyA~*kncIn*!7=h9 zNsq-m18Gh4E{CX{=H1xXO-R4|`NF;BmuW*TuA8XqGrd@V_Qi%nR z6ksU=3Yw9zCfe&2hM}s`Q-$L(#Rb*T$Q7GEY*l(~(NBiAE}A{OWci6|T)pq;df#EH z(D*FY1>?}3X6(_Bg3N5uGVTc)-2)mZ{7!u!x#+m8&4HSDhq2?#2_YP zKrpZ@?5B6HEQ65fbyne{@Ry^D;eCO;O`lyB(fxr@v8k>#wp>#WV~faLmzs8c?@C$- zYsbd!&-;ywUPpgS44@Pnm`6=~yf|Bp%^3`=#kRDGJu!uL+NF!qE-*MWKMd5mj_1g3 zyzb2u&uCZNb_Aj<5*14)!=~BvCr-h;ut_%|L@h%uhYyXuntWSxvgqEPO=L>) zKmknX1~Q*wRK6us8S!ZnY{ExNw~9t)X|{|Q%Iy4LG{hJUWoQn0C^G$3ry0UJL+qru3Q{d)%Qnlvviz&n7ug+QKdxF4k>|AQF_nT4 zCTLu{32RDbeP|)r5`TZKrL6?zU22Gs)aT;6x5GwyQeLw&29YVxA3|<)--qFhguyc> z%Tdm2+6l2`=p5?6IMWAJi7EY>M+6f`1$f{C@AVHN#ea#CYTZZmdP?{nfuE^Nr4GPI zXKMF0lkWva!etZGHyh9uwlXGKgR80LgO=97O8C&vVo@qJIo%z)(S>myDVKO)(8ol? zHubZUqUo$TN|tuPLbn)|K`^k3VqCj_s7j+PSCfqoPJPb}vRza6IznkzoQ`KSHnfpwjF0GHZvc0AnYhg*&QAwB4UgO1#@|_Mv235ut(#0)_;Im{7txbj zsfCJIloZuXHi;Uvup9Cx6JQH8?R$^uavel&SVtdL6|GOBGzT|)w9wb(*3)CE+!uYJ zS#7q;(8nQy7$q22=}(k?*Gfi>$C~-%>$e87>yJ#VDdM&jTI4ldndMXjIHM~+dfWB3lvG*r0Be17V z3uO_?sIjI+Nfs0=->u%Zj<0CqSM1Um#K;mNkyRPirrG&%JrH)f2eJv+lsbwWa*)HO$@Bv z>4+}-EAV?&2G3av+qjsAM|f}g3+_r>P~KNC!UF!W$$ka#I)DWW^DScZNU+cp@ehmx z!-@DyU3-Hq4Cti;8~cwpRppCPc$Z2VVl#_mXRGJ6tF}v1)UhWo@U zWLW+}_L_$h@g?oG#TF&1cBI3UG6xQ3@MZ}El&>IbkeKYF>1BJJ{sy(0pCFD#&KbEc z-jW>2?jIPJ6BX>m47X8)uTF)d?TK3)tWGn^EivPcM|0Ka0&M8?rq!Zsy4(;x_y&gW zeM9%0L&H$0h>1RXOh$`^e3f18b?OLD-9@-Nv08Tv`ehbv+5Qo$=cw2UbsKK$JxW#D zEce7r%K{Vq*0^s{vr#{Ot-5R>2m&o@xQIO$6GYZ#?z=A{L6i$L7`Af~F5^rt)vDw> z1t!&0%hfqoY&SEd?w1(Ti`=6X>L*5fr0%94>6~BVK3p|RZrhIDbuGUOzO`3eR8YMm z*%s@*4&~4$CL^n86>K~z%`zBX0=gmR!7L)gWnGP^X+kVns~lJxTtQc_hhs=`YhCp! zTbX|N--|5#fiX%^v^E{VwLGIT9xS$2$yYY0s_9~1H`95~nr1U^>~8rsY?v}}z;B)6 zGmvzr92F?(oK8G#n>5wh;fqz(bie7OUuk5Gmc2{_>+(#GI*+4DE~XSM6!VIhYBnlk zI-+@Vq*!aI{b#I#YaWSW)oYx=d!;b%%KoIyjCfSsVgL-59qsX2ffOqt_ui zTrPO4W?zMHS-CDAmL4bO4kq5r8dem=`DX?5DhU&TRxyv7t}H6~nY=BS96PpaH2vnL zC$6PN6q;oZ)uqcSL|1zxEf+bEho6_3Jfzd_pd;&iBPREslt;A(ZyNVme<+6f`pdQ} z{S|0Dfm5K`LhpD)wh^~&`$%guSs%1y(-gx77y6?irHqX^6=-5RM?+ZbidRhHovfp5ts1gbTr!x*cN=Q@I2=CC7*gwD`~u@QZd>9kgEEI| z--lv&*IjG6a>k+>vSpZX=-A2+-rR!DsJA?W{Rj*(os5v{!kZbIW;9)t%Z%xk^H(0y zZ%N+il)5WwBQc>|Z_x$TKDFe0Z*a`YyqV;NH%&1ZUg{Mavej-m-n_k+Zsg0?`DJH~ z6T#0s5*F^e9I2*3%zY^+TZLuggZldzUa{{0%B9O2S+h^e zl+;Gre^=(W7B)|7GUa%%UKQlsu-vw^%`I14nUUOU>~5(m5lFQ?o>zC`N1R}eFSI#4 z*k2{7cww+52ea1Hrq&{l<@Ts{e^*J&GNH%ni8DbwY-_L}>m zi2LTxosCMx^+(<8R;Sh0Ym4yp+}$QIePchc?H|{~oY7!?=pa>avO8SHjqo}s#=IC? zSs|Q$Hd-biDL19t`$(ibaQFrCgP^~jwCoLu%}rE4>q^$g2s(|@F&@Zo>Oe62BCD2-m8DnV zxN)iVQecy_h?odMCGl4BZT%>1c;v?ll*Qx?{eiK`FxMsEp-i9&XE*47`%*rfMrYlrIzLk^_y$^9Ca$CS(>19?h% z68_R4GLK|pfUS8AL6FcVlwLR#C8WJspmJFFM4sL@+0SDEV-k%#JoRb+G#dF}7G_pv zBLYq#vz4DQ(zV=gx{-o$Xkj_%Y(M~WluMH6E8n4W-=6=*z?$YJ zqVDcGjQqy?*=C7J{^D4lVYtz*E8ZJlq)_lFrX84u25`Npf{P*ey zJE$~L=$3e7tlk(ROy*{yjQXAhL7{0h>>+OKku4X(^7Xse>LQ$f&+x4Zf&iB!3wQJM z5-wGTT3{HQ{0X-ixce3FXUkQB`q{3A+>SZ8fqTion)T2&H)o(n{l|5=V0b#nurDh1 zlh@hntWIBrq{yV(k^n{haQFZ5RaU)%AQzixK01Er_LkO4Mo3ZnZXJnofI$7jcCL9z zjk1X$2vg5@TKh0Pif2oGRdlSo-$8<}Xurcj`*|ru&45tf5gROlbd~i4s6T?kj*Fd2 z%ziuQR5~}A@ZMKV8~>bEVR+>wz)#BCmvFzoR~QcUHl^aU-8fM83xVmQi-cVDk#d`v z$;qaGjoEzdw6Z77fh)tMUUZ!+ldyG1W>vV?C%Xkn;O6`q2Numo*I{tYho!{Akby)_=*JScP}g+yt=Zqtb*_K zlUt?#kQbfp(?yy!;5x^2Mf9F*$zPuYSE2+MJeD0nLD8<<;3TUj^a_OGAcB5sI2@wuPZcCfd@mlRdywY5w%q6fWvwj?Dv zV9s%_mQim-!^HmMo4E^x`La0Qu8nAZ_B1vjY2mV4u%=3xm;F5S%VykY0b#u$mV`*! zd;qF6I(EE54|+#Mw@>UkzZRy=I}+|p!7@SnPiFZYc@pWUXZ;GO?CBE9jlndpsMpg0 za|8L>g4m!P_bw^-nU>WI;FdL8D-0Dve3j&`^>6&jwHT9L0ersF&oiaMO@-1Iw81%d%q#ujN_uJhFwt-qk!4jK!b?o?zG9b`-2 z8h)|WAJ;m)nfx_3fVC@N6-V1&XB0k9Q`LBq0CBU#XrGP2b(9UUPG@hiKPV8t{!5LR1{)Z zA6leRqZRd%B{MU#&V8yoyEsZI--sFX@&qugjGVoU>j{6(`(OQdYC3!Xj>sGkG`!1s zl=?b~uLA#TlwXPN00Mu*MF1D6P)?7d`?>YM+2T@~P7^oYYz_uIG32wBZFKDdE zph=r00=|L_2H!jwpxMO?zy>~Byfdmnu0Wyor{68UF%dUlU(M>ow&$$%f2oL*QTf2E zGymdovPo9t0HQR*Opa1iEmXwGoZ4IEq5gbTz=`r8f{m5rV-S_LeqkQNB9dBgWg?T- z9Mi3JdT8-otfZ8bH50I_m*geA_zkjVFTV46+WFWWxPm|_VdiRoggn%^>d~9Iq z>a#Jcdf3JQdip+kKKmRU z9(dgXz5H_Le`!dvnWKyI^Yg!dzwr0>4+;trXK@3*epn4m-HPu_>YD%YFyb|723*7CTFO% zD)Vc2TcdhJL;3`@=&1&vhWYvXk5KK>n)O?54X8VIy;o(~L(NtRK{@@J%O82UB;mX&=SLaseHl&Wk4+i4*7x_A& z;XL5Od5_lLi=CaFO}?i=Hxq&0epKl{WAkNL=74M(YW^^u^N3huQ#`-W8fr|@J)^FQ zk}h5^(zv2rv7&7 zp%49|dgYzY&xGzQllOVXV5R)vV#W24$q`nW&`$nyYN162Y3Q#loE8pMlYH3-N(FGs z$Di$(+nAny(zW?9I!GzGv(PE9i82hMYI>(YpO%6DX7{k@Iqsaj;0Tll{l`gWopo#Hd2V^wUUt@uh*6G+ zz|Ya|PV(38Ps#1#mW;#NM5%kDwz&J+EEE~syg9&L8b#Gp~xz(QK% zOia0gqT~NmCj8z3gyQ3m`FME^?2J^brqn6Kh&5ge!3jz(Z{ZaW7y0n}49okgzw+DF zHVPPyv?V~FKX2Y-?ZV-337*Ah~hUL~w8ZEx4EmH%BO>lF#_ zI_G>3+1Fp=TUXaHW7Tnl>bMOq>`zmGPozCg+E?u0J)swS5FXQtamUuF$-69QMY1&LA)|^4_&&Z7(x^_H zZ0&$5B5PAF2{&A$YmWXNNLkR`P7WqQ_}uedv|6w!=1kju?TN6hAFG1tZ=KZ?wJ;GM z{C?$OON%ou*=gI^dTJ&^$t~9=riTP6&A%BD+d2q$|ajy7~s;z>Sx~_+YmDlirc4NVah#=lnA~nLrSVDh5 z*NPv_+1DIgm=bv*a(Hc_g31`Bg*1|QMweE#EbQzsU6$z7b{a8E{JwC7%E*m|v&`!H z9l;~!5+UAxq?;n^X4A3JO4<8y3A5bHPa6G7=VtSuRnAF{EYGU!8I)M##k0~oz>$l49@N=yw1DsL52B(e*Jh^uz-swH}8T^ zudcZ5X0bLr(6h^uMLx3Im*`|2U0p;4Yj!E~GvvC|Pu}nGU>PG~OfmS8wdrO{=Tjh@ z9xzrid@i?)F(P(A0Z+MbE&Q?R92-;#!q@pgmWJHiD+!JqM>x04I~SDD4+YV52#(%CTn z_gJ^zT5?R;nr7jY`B!NHGlI0l1~&_E0t}^1z|L3P!;49kI3x-%0^oEGKvY02-~kvs zqjM63C?&P4(NubuYNZ3I>5wdYM)i;UITaATY#kaX(@w8uo9DTFepB_m?BoJxktkoy zpmV_%jogJ?E2O&4K5M7*&==U=F&Hp5+Xz+p&eYnaL~{SypfxGy+x~?W=jk%@ov*rD z1qs=#TI4&n%}W@|JZd7g#z!R4KeBe=rv2e0BZ6MY=p6_4Pvvyh1C$P-OGt z?ovt7gjso}%5#`CR^HvcD2Gav(FPV+3;DK6ug=MFtGqkw5a=@>7OpL4BdhqgdSN;&7>D*=3NlGSD)DZ_|bdo~Y^` zRU+kazF2|t%HRXNdpyap-yY())6^w=89VbF`-5BFniD58FA2-;Sj-v>ZGw-2jn3X! z27F0tz01qflt8=N8_*q5xRp(GMpkZsaEfF8V{h^_ypX5Rt_yDaAcbk$bj(u{}$f z1DrR-C^rEEogl>uro-S&Iz;iV4`Iv+{H2MBnsNe$)6)ZBCTq02I)^nS_3weI$8(T8 zZq(T2x{Q=zc|kv1w^&)fu;nJ}*y#;F1hPq;V(VuRDaO#u)>|8}CJ2mfXdt?d@$p zKR-6XrD=9f&a|KlpwCx@MJ1z)9Kjqblh9hL&(Q_|(;%NOzIFn1Um8FF*DmPtGM!PA zwb5oUNm~23Hn+VkNf7=AC0e>lG!$If_w4=oZGC$0&!1KL(2!@FKZyRVR#6cJySsZf zPU9KD=4#)he8gE8I8K1x7VeCGU%$D;Z$07dv!3K}4Yp6PIh>_Gnw?%&xW>mGeCTFw zq`XtT%b5cL-3I|210YPm4Z7^b5hghI1Btn){eG|RuNg)D;w-DbekB9M>2<${Yu3kY;;khW_Zy-G&r-jy zbLg`0oC1AbUik-!n6S~A*qhJ16Oud}+U6f07atEl)&RHxBz*XMohSIr-Z{nnySQJb z)4L_f3S0h1`|B-#<5+W3cT+j*8*21mN6z?GTH(@!BqcYS&6GLy_n)NJ1JvcCKO2tX zv*iw_KxcCSv@DZdyNEcX3bo!#?~FfM9xsP@QEgfUXa#@e-ZexF`9rwRWrwYRQ1P8x z*++WH`%5!nw|KhO!U7q`^5ti5>;bThW(MHOo50BCHUd06%I$YIUUP;foZ>PL$nz>> z=3crMZy;c^j1S`6*;0#}dC>hTfm3iOAN^@PB6aNE&c>H7UmV4~00IRav2z{TQ5S|z zGNHf}q} zOPX;4flL5DlQ29ye0UhzwfX43;2Dv}%;9es4=@LRS09D{iemg5TX+Jn1;xW94<9A< zNhU9_4{rrQ@vtW;YHOq3e{<^YjFg3*Yc=iXNS_x?9>DM)0SqtvQ>fwpoM5a2;Pq`@ z=P||4TQ9eh`!6`gK*@jL7|SuE`_`_Y&rko!85molC;)A3Pqz+NfHAXf?UFgeHj`i{ z6aGap2m#=QQ@{Y6`#J+Ak#KlS$mU+gdLSY-W^N!+*u z`h0(r1JJg>PbOwII7S=QE%Z*SC3UIP`O4=$0eyZc%q2--z3dVc#{m>$m`&f4ab@j4 zi?G(MXf}XTa<%+L2fB%T-lm2c^Z|2t0Nj36G)PD(aD8rWWadcgamPh@k#`)fp?_+4 zZBhxrof?J-cddag`1!W5fMg}mvtncE&S?JKO(NFD?H?Mx#O!@ncLKf4v2b?fR##V- zlaq^nAKb>l#x{xdR*w+D@l9nN9E40214=??&AtghJVsO5SC;_70;glk@eRB(R#fp_uFTmmWKDEMSN{)g)yV&LBj?B z<+w5=WLlQ2!^9_3(L1VfYN`odWseh)98j1qHIs>HQ;X}x{r(X~yHK+0b`sRo1gILS z+*K!U+vcVyyH=wBJQ%bzkS~?klP0Pd{O6O^Sx_~wC44y`8(n{eTKKLl=+E9wCgd=$ zgEdp!IHx&y{-Eu+YJ77l%UrRVM9X1w;o%jpC~cmZNSVf#c9toyh`>sPPZv)jy@zP$ zM1BSl+4)d4&5A#tU$;P5UtgZQ+LvZ~N+Q;1==TfkeSNv0vNH|+<}sx!h?n!-A{D`f zP0@)?0Wk5TCRHT5{VUH}#>Ef`2dE*uF^5FKor%sQAH)YuEp^1Q9*fZ$dFKTNy!N(N zjV^$GmjL&+F*d2d7u?bI?Bhim^a+XfXn=<^Re=$eF)&+=zgZ|G7;k4Zgw>i&hRW*A z2D@XwP2TTCU*}5|g~vXyjAc9(Ri3INMyKD!zMx%pi>K_WEN z{UhBA`%tN%9o!YZz=0Un{86P6E_9?7|F*!D2EO zFm6+kbhRf+5+|T#NaluRH`6*er;>zbK6Nm6{Dki;V|->g8VWli4vhOQh#G8BiO$U_ zeSLk5=Oo;vvIv| z4YMIHD+awHOfKA0(K;%IFo}?{9sxGc-uQpR2>6!L8;lK3denKn8ESnA*E6?1< z-ydf5R|ytS+v#`bfuDP5DwN)VI8!UP@e%1Jaf0ZoUS|aDK_BKufb)M-Dhz|J=)cWw z{_NRH8jLITjop_Jc0za@rsOPm0W8QJAZ+e~!kRC)@u?rQtq!#W_~I1}B6(C-lu z&I?twvKR+;v1fV`c(H6hc*$}vwOX6kX{X#7TDL5gY9m}Ie=a6Ba5&w%xM8aV{L{J4 z?o>O`cGIDKu)=}v!0J+o+6~dMCFhfHcjlBJnG|Q7R;SL8x9?0Y6R^HG3sWXT&vI$JJ~nHAtAJt1L?g>k}#*6!UMGC8J4((hH$yc8SqE*hek_+b-h4AjIa zMY^<%QsPrg9ZHAx!OYlt6Fa+4MO9)ehu27T`f@24ZppUX`btPom-qLen?&>iT4v=u ze$asGNTLOt$4izA`L9{dRa^STk+d&~7(gD9ml7tlBpk&{uHTgBPe{wHg))g+QI?zN z37JJuvaR<~)xv$)D=fCUvrp^KAYe6Eod*>Gr{Pk#9FXLD0!R^+G>yR%{nY_?(_$t% z7)ZZL<{n!;o{SHSOHxCBQzNGfX)9z4W)a2DJ-4$piiHwKc+xa_b3(@3Pi98z&tr&J z;aA{^Gz89C6Zs;wuuzueJ1ak->XIFWu@tOn?Pa3dOROYYd{nJttg3WAIa@;N<`|*0 zS;mXJpvS%t z3=U51y-FAQ3Pu8)!40|n)lm%|^p6bCOW^04xFo+`Y79FH-BPd6eU&hqciiUg+2&H? zM$d~nJxu4nX{2%NOYpc))_;*x1KmGYL4d0Rhu-Ih|J7*+oIrq(=@k%A-`LpL+$_%$ zTU%Qz`9frA4G#ufXLImbYA2ghI}a1!+NMd~$H0mcj+UcmZkNkvI` z|M}f`EJNAFwqgYC4-!+;Vtmno)ZU5mYo9;sJ+4r4Ar17HY0}$`JM95_0E* zpzPpW>ACnr%8jr;H+D>Ra-^4jP(7OO&h!%;RRRF99yx8t)oPcQ>m!dR)G7YiLaVFN za!ASH@}VU`vhD|*lw%3|e=>*_S{&hjB?nKk{+c2bsiGT|ZpqH)v(dPhfdAn(7vBxkYpCOI_j1Ca6sCs&Osni%J z#Xmo9csjHKI(`0TaqAvAY$u=dXj7`Y!K-n6so{R$kH>of`+bVKt(#nmyIr2pXBXlX zX%nL0-HnY09_;^slHXf@P3@R|^3^+{rP!qQ&UJ?Qu9^yBY2`D?!Ny+<6ZrL(T{RUtw?w zaLdP^-3Vx^t22ElUo?xnO4@MB;3#j}GCy3@eQZ=b_4+VW-tA~G30D`1vU--p`(Dw< z<(yIB7JxZ_+_`e)idt^MzjXT+Mdx(tiS%w?Xp~^61#VC6AY^QDW#$k@u8V;bX=_PK zdRfq)(b@!lQc-00aq{5|w9a?sJCR&LW~vMDCif9r+o5N*tynN^j&_0{}lvEp4x ziU&oG4)hrf5V&#RYi33?odYqk6FYtQvAq27-k%o3;5d`#`a2r{8I|ZEiTxAgyLou* zu&^HdDQqQNVE5GjzR{oFrgrp4RG)Xab8ed89}_&|C{sZI_JUMTNJ(Q!(CWW@4uAi; z^`o3OC$qNKi;KBWeiVy}jpIB}=)79^=QqqAS~3Uvo}CN*VsLDGO!GZA{hL?3|0l1w z65&H%-lw=~X$9eW`h`7>M%|Ur2 zm8W?@4b9D^dn51 zAE1nL&v&W+0yr(uuzVJ0g9oO@W@bjR#;2$Kta?21fx-gpRm1+MmGzRvwsvg(RTIO6 zwdA!MoTw9^;VCtz&`ejWfkBBj?D z;1CXtzn?oM`vc;feX1TolPO<^L=-4ZJf;QvRpM^e!s&0dby%TV*}l{TUF(ppqVHLN z`yeHbckTz9w0JTg#%`@Cf#I z$0<_meKeg?_!(Zy3Tf5n4aCJ>6ITKMymBzevtR-rM_R5G8uzN-mF=2HQNF&jj+~&D zt3mkmZ5w!Py`%Wj>y+4Kt=rWST};+yTEl>o^_+6_dmv{L0?2o;aKP(+QHFT#3Sn<% z(4U{f%C-v8-mI}{Q~1~VNU8WB>qKyBrKbd5(EEs>wUy#)k?d=L%9inYaoea*ou|7) zp%-;=ZEzB8k30zINm@eG0@=rY%Y;HmX*)9lCnrkewFl;Ld~))hXFsclRdXOT{5X9; zJIh&i0)&gNdKWvM5d9|^SWny!^PfrzrLcApbgs5un1^ffIU`w??vl9~(j6%V-?BT& zMS;dSEVbl0#`GF{0?&>Bhjl5UhM%ygRYzvC9h{7JQS-JgU0@5!mzke3NwN}a1R^z2 zFOdyE%%&;U9#G&#YfgZqU0}CZWvtmT3OJ!GvOBYxv}OAVnRoBeQS)7kM#xfJXbOZ) z++GI#d!EV$VPyJFWHYNK+lj1S-r^P&+~I`G_IFb~pA{Cpw`1p-1bf8Imk1U;dvTyA zM}+)MBwq-N1Il0;jiMfT1em9lee1gh_!bTZta?A0I>R;DTKI%UlsVGQ!Yg zG3}bWuv|_aTdjuq4_pmf!3g)B3XRk>^H_Jm4O|foaoA^QD9*4m_9PUEpRFLQPSk1t z9eN3v0X9h}a3i!|_!H5%k;qh^{)H+@To8Lh!gXRfF0^awHN9{4M%CR+@ChD>;==pE z*=fqWoSaV$SXsg_YH<0JMT~5ep_eNVwNI^t*5z0l*#S_SsTxD%}KgXe{=tNG12R( zhKxs(sM9=pmJ+l87>_r*KL-Tm#Q*b-75{QhH@aYORi?2CNM*JCOdz>=X7h->Cfm3b z$dwH5*;XXX|E-7vj-5cLmo5l|vs$lU_}I^P_}gyF`d7>i(dm|uM!>}T!FF5n>qCBU zgWqb#T+Syf77l3OMyEh8sjo)Q_vC6EyA?pz1pvWXRKPp_!S-K8_Wr+2%b4jly#C*S zQEKOd2>R9_K;b%unc;-jrZWd#JRBLz0G`Zu`rAiy4<0f6vb_9}Y*1!8Ga zxth85Adp!I01f!~_+0j4oB(7kmKQ%T9{*>J@E>7k^PBRgNB@T*nve;#(9NVd^jAiX zFiM?G@=s1hz>L@@{!`TyCJ$cE8Vn01rSVYzY}i=urD(Yyu1N9BKwdz&qmy>yqUQk& z!TxA-qyCUO;}ofQuqT?UG6p1C?lxAd@7o@&t%-1AfVkSRS`Ow|UtLYnQ4Ib4P1NhD z{l$35TJ>MtS+fj+B<%zE`drKO_YFBUnfnyw@CFF;_Cf!{Op=1ae-6Rq|KG-Fen%Ak zD?=kGDH(WhcN;$L<@GGceDhu}lfR)c6DGXZ=H~aldcW-Q*SUED7?NmI7)mw}VQi_WJ5;41-Vep3) z3LF5Mww&Kn>xqgz_B+f)S_=Whl>9d#P&Iv}x3@C{VLWk+dpqMpv+W{{ga3$C3J!aM z=J5pd)1q$Vn%#O*CFVZ^(Fg?@u#p81kGEPyLes9h=+8)wy=(=VWd?N9`+(fqGq&t( zufJg!!jRb-^A7^TH8wV8{#DBG34EnWx(d@zF0svha+pQf z!;JNt0)j?)+D`#On#a?wRtwZ$MMchSO|px?*X4feOn?W!@a3fO1LX+;oZ9)tMMoG+ zogp!P^!4l4K)!FWznzxXSk>BEE?3jsyjq_+qXl5~iAuZNk4z&o=7gviZ|yrJsJl}F zQ=$qgr$8mI#bS=1V#VD7)EdxBf&ZVq=C)X2y-0mhGsnJ{;_hPZ2#b`*^gUI)rW;YS ztK?)U#Jk0R{YjTySz6dz5J;~*qeBgd+{EGUbTRY_bXO$Io}$}KgdqcOOI{q04xU3! zeutHs==cfZ-}kaFYnoBC$&J}0Vr-{f%JBoY+WwL=R-W{JZ(~k=;vIeCh7T_pCj}$;_Yx}zF}ic%@cQ*wL!U=2pM@Pe)!^m(9K8r-h#MaI5x!j4(b&*C zVO?x8FUPn8#Jib6=`I~S=ioGlko79k;lW;-s7(tH?PiSykj-?xXRg($muE_>U451# z`tR<0+5CN_X;Z$oOJKzacl!WBf4f+I$N$L2AJG&K&c2gueudr;J4`*#CivD^7F`v zq~uYvC{>bhpU~F69drJsdBZXNc7*vM7BY z0fjfUVfsmeQFhrsuQMFdwDRSvDuDInA$!r|%lGsP8qT{HES;R& z=Vdx0u|kAu-{J;OEsOd_93XZA`VD9gj-U28t{et zT3I&z7;Vpei0JNP(Sx$v#IC|!+SR^JqXJ$UxX6K(>Akr(raB&Dr7N$Zm|=uW;k9~h zcL>!bK=Fg$NKt1bqG}*=AANj8wEW#Ypk=SdVdRq9#IzsbrhRg9$!Kt`?D~@z&$`4Z zU&VBJMqJCE7#|1q_g;{e$Y|C$~DV34ZVBPAjXOlA?Uch z^s3)`JL_rZ9VMq_PkxG&h>h(Po$(Z0WHvW1>|?%b=&5}03moJHCwePH`<(3!#F{1r zYmNo;7JK^x+bqQ_t~gEz#_>S^Npj!04-0H#=mP!~M*6gGXXu|1l&9$g(z2mtJj9J+ zS$MgQyg$bTiZa@Z7V2^7MZdDGm_6uq*$63DIp~$hDsxY2SE%!^F%st6VH<)XVZN8f zD-54hR=SZa5>0asF|rR(d+|!;71X%MJpw*4Y&e!x3do<=`>l>oHTqLw&R!d{?MAF1 z2g?;e{ddNU*z$}QYBaUrW!`Tx&d_YxBhn%Ao$!zDa(Iw&7Lefq3&+*Tcw^eU?%_WH z&o>T#n0xET*WJLa-&<&LkI%p8O{Jc8O|LnG&%=5R3>m}?Nvah$R5o>#u<&1J9WwB> zDnh3C(SorKzM1#7W!9bf^glAjq->X7LPydvREk9OUQ z8%2;zpY;P4=(EGKiGN;8f`m~^dRSo}`PI0VfOD}L zWSA=Md)VxafpkJQ`&0QuyBFZjop&+Xv(@dP3wEx0^jh;AlzbWSH_oX#rmpky>tGcg zUV-V)Xop5+V|dG@4EQvEOgNeS1HMW)y^J8|UsFnTZXp2LKKufT4xgDW=Xn55KjZOU zP9VK-Y>{uqhgq;xpj}Tei<|^kAf7C}_*&MEOTqZmr^uR^*v-mJo3WJGG>by2c5S7g zkBR7Hx2*7To9Jd}MO>OMa|1X#V{OdII7)C4v>2RHw|uobDIxerUxsD7ajZ6O;STB> z7;Y$O+QT%M53T?+(dAX&C~}_ls_C0E$((c5F^U5F7}Nv@FYwMf%_m0lCfzV|dx~^Z zm9VqYCmzhh7nqB)fd}T+n&ybS0Wl~C4#+8zHZ#!`50)Z8^`!@Sp#5wJqM6}L8bvP< zZJ2li3GYvInuiu?A`1r?L!2XvicR2~lbXjeJkLpIpAI#k-}*lXeXwJ<<7&2tk(2@n z{@D2&&j~AD*#2E5eF3+673SHiUU!z)+K^E5u1i~@xjA4aW$k>XSU39h zCG-RK7;t8>wGzvJ0VSi&1Nsm%>gb$akpNUz>uNh1uTUI1R{VPoMsKU};!HvSHumh?4^x@cYM? z*PXjyt<#@A`M!${-TpGQcSIHX*Ec?K)*bF0sk?3-RI87dBm(yRw|u7T(Z#)ETjLXN zWbAdNW0xc2wxq@RV~Nh?uTjT4$8q733%0r8$IoW{{X>-ju0DX~wc4w=|4mVPuQP1F za~jinxYFv^#fF~iMuloE8I!(NSs#pLAEaMO;a81a)MDaSjVkN7tZP1UR2Q~aXH@;t zEGroWbNaY_TD%P~(UE3d;tp=bbzi@=Q}UaW3RQF4*m#pPZTM`S8U#*LoP4aG(F`6-O)@2o3<%oKnT-{W9iA}Vs; z2`#oZu6=zF7hTd7$V0#aLxYjB=-;%c62}h`3 zexeF3a}_&O(&x~>XKF(I0M~Qjeem8w6-&NP28Z6#*P~RE6Oj7UUeDfH^ugvrfRl_c zk>X1n)A9bU|870Mo8UI>x3yl)&#v9$L|70xP^bN9@XdfPMMtJ@r{j|N3h{47U5Wg7fZk>T7J%~>UcMuU zdA24DgX(6esyu8V5 zZ4^GL41C+yu*r4#NBNB6VMh~8vXJtDkbLia#(u1SpVna7S|i6|v& z!Sup$x#DSXnaTlJGhgmT5vJjc*72{5*fv&z80qqMK##Q4>1F6Z2QoCp&WXJvw>iGB zkH3qqG5kI9-0he~5!$tl2S1c}(8gLmy(&5J4^qS}58w27vr`3%c8Rx&ooPci{DEK8 za$4xYd-|s3fFyHvL4v}kR)6V@N4raJE@ARj+4CnF86bu7Kd+X8g?0*j?(xms&bK?6 z@ou>@1j7DY*h4il&>-uBQCYcmf=L7c{_6wdgA>-V7YAC_AG%mV#1wgk^s9+iQEyn( zEVl-+W#9I8B9m?(k&M z(JuGs1|u}wM-{{-n?imSTgg}BHK0A`a*DXKy|X$;?_s4l(~Y*u8984OZQT-n4t0kF zhFS4zb@oayJ#Y41ow~neJQXg}^ooZHxp!wqU@&qOXD#gEq1sHsc(x{g*Z$s^_lEC! zlBaC9>e6zePno>`-BsVHApUeUWNpE?&r$EgDSa>##KyevwU+JIRZnVYM=j`cu{1E} zJSo4z9vD5%i(t$zdhA;LUez{tx#meZh1fNZ@hr2ay}3HFAz;ML_&`gJ#Xv&BiBk|= z@HNp17`Zd;w$IU*a1?L8W5?b(L4R5QGUNoG6^9-|!W3sorb)Y%3Aitox~#ul{2$Gn zX*iqd{>OEhV=$_U>Y=S^)lzF)#Lkq8iZvvm_N}#)s=Z+_ZFNCIi%>Mw8ci%ygodJv zB9_=1R4p^M1hrIbLFC-&^t?FdI_F&fm;X0;@g%vPC%NwDzVGMv`+UCsYtoCiE#_>q zlQ*2NINO%X^r$5{^^&vd(}N!H+8UYPBw5UaZm3yT>Ff9X(u7zQ?AD&RNb?JFX*g#s zeT&-kL+X&^LWlEGSoAwuY%65{n@&ki4<|aB(~Py4S~1+H-D``3yVpc-F50e%zU(t{ z{Ub*Dgd{8MtBj0JN>}jy3|s(aXv+_MqNlVd`cIb za|WIK^@_7!9(d_8dusJL&RIDM6=by#k0J|r)xr>xuDF?e7quj~lEQVq#c{o;oDOpg z{-Y1wn}8G67#hTOJ(BZo=-sUIPQ4~nubDpszFeamyFS$O+9Y@wF;m_0WY*#By~(mz=(`zK5u8l_xnee~luBmV z5t7X?{b(pE#xWP^aFe$zbg$%3&r33%sWfU=K8odRuc(aT>(++Y$mIUg;Dqe#HYRyt z{Xve8KW&@{qsM0JB!B_yQ#58wU-T7M$ibh;zE$ESf?#xaeKfNO*^7lVMuZ9QsLq1F z^R%ArIdxW?s(ks%WzesDa#&J%8cZV;ygM>CMKN!m&gDs^uP=qy!33*m3e{Fa9P?ZM zdpGjfI@VXp59zVyLMi zKFS>wN{}N#>4*o#LYG5hq`Xc=p4KsPKIxNSVrWoj^l@3wJxpV0lh6KwOMxaSvDWd4 zK(~hCJUIp$yL>aNuGqUjig-i+Jf7q|#J8v&&#>u)kJM4rYW!>AZqksp$WP<);u^so zaw)ci+T3HsHGRq2tFg0k78b@$n+fSbF%O-TfZy&Dq~4VyjZQ80-H^K5TkLO8y`hHR z_eV`jX65?u&WCGf15ZI5+b01@vY^{@k|!xg?ESts<|BWIJ<(;yWE?IMS zjb0>ygfW1O_&J3&gY>b@rLlpNfZLbuv%4;+X{!1o&RTo9^>+?=pOzCKw$~g755;60 zmV6Pn?tB456(7{vvX_B`oDq(~I0k$jzRX15F8>*l{odNqQ+i=n?k66+FYxh!-&B-I z-bmUx;wdedA8cNde;bkN7HU0H9Fe6uNQ);Ck-I|=F1A8_E-(aEP8f2SUy6K^UH8Fe z(Oroc1=UfGA32V*SMF3Nn?_k*7+MC_32a|k6{xmFVFr>ismt?Nt4~c{g$j=jW8~3g zdKmEy&wX!``drN@N=da3hZ$vuCA+`AV>iDBApY4i_1t<&LKQz2Cdfks&T@NO%8@8` z$my;G%&*4|iq{jhB8g?&%RdFL=AX1&Q?ru5NajOz%WDZrNV;n>`Tf&`(tK63u%|;Bc;gWg2G@$g0&oZrV*45`>3EpQLAM5FUi#rO3KYuGUrPk zD(s}bYFRG~tyG_AD_Igz5njehD!9NT(P0TUm{6o;)u`TbC|$isRKt_%dS~dQ(|j4a z%`?XjU90q93RP>bKJ8Ab~;MB4- zsD6#Tj1TR8eZ{xT`jY|>N%rS`*f6@iJS}0WV+I%}9n!d&T;yA@g;b+dcd!+4JN9X> zrvKiWRC2vF9^0)-f<@ajubFCK=~k!9FLmKVO$v12hIZ^@^%B(3$As5&b6FMXpu8i~ z0||2c_<~_eY8_QT6@7aQmh70#ep&jfCh_()TF+h7Yccd<^^(g6YaTpJ@2J*w3BuuU z0*G${a(r25<5{9num@6(S)A%u+ddUlJo%yiy&lXt1Z7AhlM@Ce4~<;{Gf;U;^imCj zKzC;ys<)1uJXBbM7mc|_lMw&X?3nDBpkNB=C-ag*n6+G&M2msZ6g~4|8e|j5OxO%+ z>??Z)%Ds(@7DfBmKH2pz8>6ew(Y%BPC3M+nhnIHXdBJs?#axMP z+Ycg&S@(7#i4Mv9#DGU9EoX@aFuT$)fL*5g$vYADJ7}<5p|O^#S%aSn#eZ(B&^}T5 zC^kGvXRt}(#zKIGjY;NON2z~bb=8erHxZM$Ti71I1bgpIJDd#MHrzM&wQr*%$HV z&#>C-;eJ%B*^4Fv*X@%lE@+miC~E~WpR0uZ;1`rc>eLOg>r!Ce-?1GP?}KT0$Pl#S zBhceg;kpYdNd)kmMIAZFRG*DZMT$86&LLo{{2eaz7~~bEZD86#4F@#ISgSJtHBAjF z{T=bc@BX0owKhL%pQYrwyt)8?<`FAg>582sY!%z=rs6}2Y1nEU!qgtAd_SqsNQSjO zr19Ag9;yK^2)(~#$+v#gPOzRZ3)^~ZXB3_uVc+2|5#0Y27UoASFtX^v*^8)k!$1}d z<|GkCre7N$PcQj7a-RqaLx%yeKoz#+fpUm0Ap`8SBf-c;MJuSOPDP_v{ z(T3kdL)NQDVFhm?G2&5ad0%s4&6^OnOqGiuOyM}5%zblbG zz;dRjMr63jU~gXC1jRM8*`bTbG~2bcfZm^&Po~~QIIdnN9zkn$pFz#nbaw9?F1!`~ z@}>__cD7=5P3OZyoa7Bh^ML2Rz3l`u*UmKkdH(hg5x7o<4JGs`ji8SVx+AWO5B(a? z9LutE3rAFYJL+ME{~V^+AQ_^@UD;5&Jhe8cv1(EGX^sQw_LD2Sdcy^M<1^br9**8Ob%h>Dll!*|&B<>}p;<_Bg1Y&_`4i{cHr`Wnz) zEBM@J0O1tgG&()Ra6Xmi5i6E7ghF3#sKU40))&Rx;YkK1LoG8AqJ3C2v*CbF`IWi&y9^0!-M^ei3=Jv`z0gx|AI%~>8!8T4f|Q;s zA;`k(v*K2Rm=Ly~t20?_s6CBg0YY>&?^=sZC zf>+n8b#DD?Mi`1rk;LLKLvDEnkVVZEBoXmnv`9(T$QaMizH|RVn3~?0E=K}_Cqa< z6Kp^JRFs!n+vy@VP1V0W+Cso|hcJf&Nl3_`e0D_a>@*&OAJf)^dyu@XWjD&}=PBkE zTK=$HW0E;xko)5WHrz7BDAGFA~=DTyP1qvj%2umJCeB1DkZ&u{*+qlCo z2)03Gsv!Vz5RL0)tj=@-SiUiQA*1?2mIX|oNAV%}WWf!C9pwP0p5e;?*l}au$aV&? zIzSFcde~QLrDNR6U1Bet$G$tO#yE1HHk#3u70n3n0PtT2H>)({l%gnN#}}f zK-jHYS`rvh$?`x%*#E|5pLjZt4RC`#ep8Z$*y;iLH8OG&s7IpZY5xs3NRe8&0UWr) z-}O7j*4FTCIHfY{Uzyq00HM?Ed;mPT+aSATRkiTnGdnV7G&F&9hXr}MT;nc`PQ`)V z==yFl7n1xA%sw$12Q0$aRUgoU<;F&V-<+FQvKX`4{n!9@-EgwObkDmRaGig94umPt z3H9>w;+rsKy%lPHsI~*NGsR+S_Lw23L6r+;!UwURX;wq``VI(o&g$8c2l!LN5=~3fRoCf_DLYZpZOg}I-n0ve&D$b}H;p?3GIoaJ!1D85 zYV%c}U+1X8Kj@$8m>N*m=XSq$`*Q9S**5U9*-;~VcsX2zFS#Ls{bsEJHW)81lSL~O(5d-X-}Uefq=kUF!> z(8XJ`g`2yqL4ovJhzTw;rVU!XAGfa!ip#?xK_Jyv$;(!G+tQwefAJ#!%=ZA~_0GU`BlK7BfyHO@^<3BG2Z-*e>yv~iEsCdHo4x~cY0au(d@ zZJFQVKK>fiB(@Z6?HhV9%^CVKIEbo@`@qlho6G`$V*v-x4TZQ~(rmaNeLqE@kQbm6 z%RgAjrjZ)SKw+ELhv*m>jE{^szLUF7A9ypa-yd@N9DtICaQc5SwjK<9$PrH98xnis z$-fD9%H~nq<_{b90BzaDTLvR5O6)`7fXtV4S!!-&bm| zsvgbiLV+-M5X$xEYy-|DCIWs$69NH2BH>LLwq=LLG@4y%sOMF9+*dNhC9^o3BZ-g0 znwAz9&qhBC{Q`{OdeeHl#OuJI8(&;r78%*k^S1zyLp0Y*3ns3#gA5|&He&$tHzy}2 zKLi}=-AKr{=VsO=Fw%I=nf#w$kz7uJNAD|d+zRKwrGt4+Msr8gz!4rZ6RS%VM(%h1 E0m%d!iU0rr literal 23584 zcmdRWWl)^awk7WFbV#t^+RzZ(-L3IJppiy`6G9+(a1HKmjavcebZzm`N3tYWd`xv(MgZt-ZdE($P{T!~@}>pr8<{swn88prEy*prC%j zK?B|?rCvM${zLWDQM))i7a&(iN=?ekoN-jto&9H;}bhc#500!#OI9J1d~7|6Gs2 zrhKyjy3e=%rLEl~Ke9sK#GQ%xSVH?Y}Wg1>)Ko5vEV@(*w>>e8dxmY zj+KfKcopmLMltmMZBr}cGvMjvLokbG&t=4CV zZDrc$iS`&z#&e{03j9hsxIUiD|1@CLsF4`~uk;z?s%!6cD-~dC71H5Mh$@p#-ImAZ%&XZ6uGoHwqa*acJsjceV=or!bN^?t3bLd zU4M+HOfdaDMK<=~h(cebggiG$YpgkYpl_^b6~h>!u|W`pK$uww=_V>_EDAu17~~q_iA$^{M>Tic ztA{ms9?^ndoo0MGEHoa{VQIvgPGQFBFDR8_6&SO!r^_*wEaU~@?68RQKcw|Un}TeW z;&`w>)2!#`i+dz$|DHc&(OSv0d$`?nl0dV6%&N-FygE)?J>7h6sd|w?+3*!Pz1%AT zjDc4e@+sk;C0Ejo{n^XbGdKJmPKe5BVDA`L4+)Ok&N4H~`!j8j?pCml`ZA1*nT9%4 z$y%l{z2Aa2x!UF#yu*(bjWeHBDB^$amC@>A8rSYsx+-!(r9W82>)YyBSQK+z&PdNd zt_zA^(ZO_GHoVx7b6fZoX)V@iB|L93Md3Me#uZCz=xRDK9<^;&V6yQW#Dx$w5b|o! zGHs^aQPMAf5mjWXNF`ZJ){?oyB3Bk}4)gL_;iu8OwS!a=0$6OhOjpAiS<0#}RvV zW0opMfM_n>JqXT!bctui8K>;a@E)gVj5$+<%mV{&cKxNPA#JQ^t6i37S!}7nVDS+9 zsNhi#5%Nho7rY3zm?fc*O5Eewy;Fn(KBLpr*P&(a>u+19MF*?3)Ps48D?TzQv&V_> ztd8>9BgSzO%awu=qo%6|Y%k+8k)T0}&$@XSWBSD$YxZt2!@ffG_`oWy!wkcQK55gq=J+9Wi{E;k?>eDbm$b<6OMrX!c<2aEm79I--=;oUICXAH1{7PKkSaYB%7PD3D#i#YukIEKYawkWtI(yVIs^HWl2 zY708vOG9FuHc}ocipB?0zER8+1{~0-6j=0iB!w^cG)k&0?G^(_S9GT8!`TU;dg=?z z*UZj&q*D|L(hMqE92H7Nh&EW_`u2$Mh>0!Yd#pOtHbcbA7)Ql~3u`aCirgOiadJB5 zPQ^+6cAFrHCg-+oCDTR&Q;JU5up`Kqf$520ek%n(&ng{%#>)hL!@dC--%)-ZY=$^a z0dR}L9wk?hy(MicE3kd|&bkqr$wfY)i9N8jf5)1X@?iUK<&#>p(3~?*@2m1?)HR)eS6QRuqqRgcZnkO}RJfdc%$Hi`g z@@ks1be=BFh7R_35=yIpZGe33{LUepd=|X zLlju2LOT*A0(|t!Snwl$N`<^uP{TV}i|DNr+_yX_xRglFjWIV+)?$Uyy8?|PrvAv8 zIYLC4U1E^Vm*m1KgUUVORpIBm0<9b!K^A)=%!J*_4>Jpt!g7c)nJVa}N8*R8RmrV0_Phz-H88F}cLIroJF z44FvK@axIxglD{DL;J~1Cw1Yj;k$;8kCRG2bfGk%g3G!^;v>oM(nfE|L$l<9TQAe1 z4R_~JQ-zq}L|ZE9aRGG5K|@31xCU)Y62=43g*p~0Y)HTgcNACjL~m6p z7$P`T0{TPV4v92e#m+LQxP%-YrEmzsQwI78+&_(A5R_nkh7^M))VTTl!q&E%y_wP6 z)ok?=gBZRDYMbjoU7%wQkR|J=6Oydf+n|Tq{zoMqQen?)tpryc`V|CbSl{T1$_v^H z7*sf(qIu8zGjG$*@8K)r(BmPaC09QC8yzh<7SXLOZv;Uqt8qxXUWHXss@=R?;j~{f$`k!{ zeQs!tR2#aUGRRSR@ScuMC(*5#KrOrsN5%3d7(!%FJRe&vU>YGYlfz%(S{a)T{+&do zLt9~(TqB3Ma9n^vpgqo{$I_93Db??s#+abkJgn9fYMds6u1MseZ=y+>Z}VAF8B0_{ zokpF8SrQM-mnQqGHQr9i>5yGD}fGif#*DhNox=&7_z; zc>Jt(%Z#=O#ot;;z($4q=@FeLG-@+y3N%x~K^EHX;(KD3C^N&6szh1A=~)Vrmw&`G zWxT4yYQU@tg<>sQ?*>(p3KAzB>za(nv{t5%@`Je|J2yzwgFQFWMqXeQxq9_XL~=T5 z_9nN%#gMt2M6-?+1mK$}7t*xVB04zSd$NDZ1LaGwM?aDTY@G*-U*uM%p3<8E4f=Pb zg_V*J7En@~wldTO6fnp(lnpg7ILA{J8z955$S#zqW-_i5qp_1Cl|v;Mv4e9wB~&re za^A_|{uJ3Z`~tHO{l)3bTE`C!7&He!k(AtvXB0xZdAU%M9|fGdLQU2<1Hlq>s0}Hj ztyx!E1T6J4pf6k5L>FZ;i?2@|(+WXcOt8-w%qrm)9_WOop!hnA_?&d6IZx}}RNXvN za8e%t&PIGV6I4?3-J1kj!9OI5r`^JiMq&)X&xM-bi5|CSKvww=4Z}(8Vq?r^x$0sC z9O8{R_2)FJ3I!mcHaIF(ShEmYYEkC^gYNzZs35JWben?ahh2rDs#83}z5p^BZmTO} zDB}^*%!*VZg`%PU$vOVXTWS@{-S)AJ zLyMw9g9#xjLeIXULbfrf<4g1(Q`g=#gj9rE+}212ZqQb^VxRAu4u*jIxlaVIpzpSG z&XF$2XA?|RguO*pF2;}?Bayz=reIg_w%89h>rI<~e%5nOC2H#7`~bnw;Nk||6Ob9a z7%br3!RFqg|M}xIEr^8QbzK}U@#7aEuAg_z#147xZuzgAynVs>8=w4ub5N-UDx%v% zPrVP$AFKoLH@?|_qGh{Tp>O-D?(gkHApIg zu2iWd6kbcjpIe~qvB75nv9ZrU#;6Es(FEX?5>h_<%N+qX zm#JJvwNF1Pt@easmjd@Y*1lT@AC9Of7!^%dE~o1v$&Vd~!OHE)dJ2xSa=b`Qb@-v7 zEDlZ=+?;jDVUO>kMobjg<}I(|0uhOVxz z#zv-88CgEz3cNXh|IJ`Njlz29>Q1v$A2p9Y$R<}g=ulEdLTG%{RvJ|5k%Pk$nJBI| zf$hdRh=#{$6s5S~KcPDzsvpmaX8^_W9b7eHkx#~&{n;BQP*DvjBDvTQY>lF7H(;%? z*d*z1JQf^83um6?oQN%*6H}-X8;rI}xNeeMNphf#cABrH3_kd*Ka9zJw!gx63O3ku z0BETNK<$ox^Hqeu>0`+EZR7Ci=b5Pash_muB{Hy!FXq(5GCV{!lo8KMrsHBzMGp2T z%SrBe6v2YJjuV!neN16cHJXH?R1}OLl@OPH>sW2KVkdz1(QdreH=ZU_F~0byxwOoW zG9R9WvoX-m!&+MyYMdO6P5g+$!L1(-`QWvyR~g&(>eTU2c#uYr?E@KM4n_`YsX(|q zQ+${Rn}U=Ud%uYy@J=#f}Y%>qf$Xe47SFQ>o!PSX3 z40y`}hO%Tz@ZL5~hU0*lhsh~Y<%1+wSZ(8Vodnzq1)A4180Q`jCvo(bcucTug)vW^ui1>?0DgS$5psf&uXw zj7RxMThJ4iMfT}u1ktGLOCNpIZ*W8(z+yA0fw+iI7NJy-5?Ie6Sy(?WBys8H=#_oL za%DuKsSMiC*Mv-diq(=D{vyE6Z0LR@n*K?~q&#;p+9s$OcH-|C&1p7zo~Ti4_%y6H zZS-*#QGbsyXR=G;F!Nhs+qbbP9=%QJS>K^t>Uf;w!b(G$QIZ~dvZrc&3P`uzX_kN8 zLoU0!+OEWuJ6apAi29mw5s5OsTeD8?>$DAWoJf+PM>-RzTq$e{ErbEGXJ_uWiZS7#p`p3Cxp8rEEiElQ&)hDKHla-^ZazBB*O#3g9Zy~IfMgcX zB!Ubwm*FZP3o3>?5uo*QGy42ql;v`EajC7VQ6TYBE4NK6H>uK6GxHHEr?{+ocBco7XP;LbfgwBs^6|prV!Qu^hpQz_27HkH z%KI{J7yq=cBm>0h#!pjSSLaj)l%H2}Mn$MKLDoCJ-k*w?PxjywjQ{A{zYO#0o0yo` z+e36|Tg8Gqinx&V4GqX`qx#7&P6QWn1P<}VU`}9D?V{&K-p{F2;M2A2{5wPMsk|oj zeAk6<-;QJMb1|0~DdDBdGMd!g`Ml*#wtvRb%Z6L~jKGs0^g{ug9r=ZH6PoWYj#hnM z%b|O_ceEWF(r&HxS>8H#IX)db?eUQ+$G{2=zOyI+51vG5DfC%ev4`)dW(;Sifl0t+V{Wlb8nrvVY(%DSxMOQacz&^Oy0jTH>P^AI}jch zN7y9~jOeD29LY~d^yJAC_0k6?jk1OWXv~_N%nXg;!8*Xj>P2{WP|EH((!?xwiL=4BawZz` z#L{5+#p5@%?o2}#$r)Dz5L&r?c?S_74!84waqR6m&gX~Z{INh+$}*@8!&F{EvvAl^ zfj9?PIelfLsh?4k^^moVisB30n03qEKdr>)BeS$@m&kc{zqnIT@bB*@YierrcCk`= z6foWPidOOIUy0J!9)Czgn^_JYE@HgWx&0kCUo5twUex2N4PceJ9R)~rO%0C>gnOHd zkWbR*{BW$zlE>0v*j3eF_QFCVdBh{VZ9c0NxPqrPTagtER{Wz2><_HcNC?BQ+^T_s zyz)xk`H`{(%ggLZh=P83QLuwRZI|TV2q8z-2TcySUwe8%SMmy?!6`kJkytxB`w)%m zKNx8*)r<6Sq2BTH*ee$~w;9cMT7W`(5)I5mPfrh;6n+%LcNF|3hJk}=WnxQV>T(uP z=gpCmnEAHfuHqXts%Im!2qB~Gm%CSKw`b%)Ts;Bes=l+cGsx$oYx_$s_oe=7Da>r)FmBw~qhVC=o@d;eA$Tzye;64yKhrsIP)j0jyx#eb1mJib&_P{Nr;xAto*^K8*RefbxEdk|z{H7Zw(bpFUNT z{F_I_-R6~wNkP5b@5bo=}F@5@WEX<7S8ATi~N`-sGidGs!Q`TBKD3kVX` zgNu)3z?^wfv4POynL79;bZye8njd-uix1o!U6BG=;5&uFU&Z_${sJ%m?Ta>n(J-(|Udq^8Yh|IwzAg|BVr`w<#gT4Jq2 z=${#av}s`@ZqOs@m~h|wCc*B5rRZ=y(XV4(( zm5Px-O>$l7?C9#U1VH~5cRd3VWm4*jdk9)NMjR79G*Dz^A&~}`p)a5WDqNlz5$L`| zjZFi^q+51i(3EqXlZXVH27zWk1$i^^oi0^+Lr{o57z9Bu1XeH^QIxN{fFuWNnBd%n ztR}r$LpiwLS+xVE5iq4Gb*WM*rHPja29G+r{9=53cYcIWTCMe9G)H8lVp)#-i1K@~ ztA(>fe^0>~vbibWeh1Qw04p$S8#A|Nl08u^In%3=+AwBq#knY^BK%^V_~4y9$p&R|or&ZciAqHE zY7ulqA)Gcu!yN1#_5HjeDnAK@-^Y7$=y8X2p@1M6fK{N)2V?xN9^)njjh;j!!u4sb z@njemQXecnJaM78$JhW+=so)06RJn=d3XET7X%vKr?Gws)es3>R=RCc;N3xxZAVgIG-jRsWj~# zFPhiF5f!XtQI$EKp^>WksTPoi5>nKZs8Iq6TiKRTL{^BB5$pONT!VeJSfyfs8KjP8 zR2kJ#8Np&rtby{+Y4iYWCOV7vYwLn83r+x^9n|E?7J=e9k_i}Y%qWhz6>|)ImZ3P( zO>+1;qVqI}qyLM%=qEIh6kO#rbF9&<0E=k`IWTXHDHutos9^@?*8Hr%F6u-<3k}aO z8u%HO{RztRlB77M9g$MS$V9JHXiloxPxq1jtsru3nCMse)YxPFk{%k2et-=En9E=f z#{Z9d0}u_vpDze=QhPlqnuVcbDn7RvR2eQ?x+4qX8Lfh7S{Ep}Eg|@jA=p0*qp`nT z!4tD0oFzTDu}u03WrpN@m}p$LznQYHg5`P0Q_-pS(UsK<#5{Iv)rQk)56hPDKiK#M zIP27g7a&afKL}N3d9b>tD_(Ix1V<I+>#-` z;*V&0YPzn zqV26#q^{Fjv)$Bnj2XjN$2`|JW#NIIYl+EYV=Ap}<}+j!tZ!X03UP`W3lQgDYKlgM z?Wcdvdf<&~2q;qDgXL?rQ1F(<{bv99`D?s)`{p|1{&(k2gQ`yBBSS4wt)%u(GhA{U zsLy|Q7hHVDwQD66X3NCxjj#~ok#V`e!R4Qhsb;5`c`4?rqo_}NBqQUb5nU#Mp}88B zROXnHq0Tx~u8uL^KuyXHw+PYk6)6B^j?p-o_V!O|%IH4=>sTLshA>BF8BiI(tT?u- zt;=YN2}G0IMT#~lvNCO=AvA)zkYRW%SbbtmA@rT!^EFOvkx$CcM*KRSrKbyS6tnCf zks4mLdf?bN3yjx@^&!?3?4uIRq~runMjy&5b65Dy;x+zw*2k0Y=DX-Tzj&EnBsB|S=| zV%cQ#-&%t-+sBruEJ6jE)`g9EZn>O=r z(v3B;$jZmZ$J5hOgs!%x=4q$D?<_ahVs6hfeo$PiA#kNo+H``+FuV2q8J~^{pnZn9tA8--!P(2@@ag zNcJi)ufE6KO4~)jD<;^Xs6~a79#-2u(p?8F9mM{J<@>bP=S%c{>l)@Im$#F*Va=)* zO*n@`lBolKF^nOEfkFf(EG$e!L=;_V@7#GSjC~OJ@^b%nDX_!m1s_KLAL2Vz!8MoK z+FH{mz#+uDI*@~yN(%YPvxNKe+dt*qh}nf({P^)>(c~|@e_bq(ET~gC`6Cp57Wjv4 zw$P8L)+g{M;dp$uI1PaTpc>4O1F8YQfmYLz%K`DL(?-jP_-~$`yQf&q-~UIF(Cu2( z@fv1*eENQJ<|ElSzyzkUDY6>>!mB9w!qU>_{1j&U_RYoJ>9K#t>kYoU1_<3D{oOa> z`n#|B*O49~PnNbm`C&=V$vibbd-2JK_Ir)xwfgLbj33g0=Wddx)}hj0fS&$6e6I%> z+`D&%oVkbM^UE73A1`j+tKY23BkndY0@+g=LN`KWWW0E&gI0Ri-EyxKuWPy_Blk|{ z1EMycNL?!3(*eJX(4J?Wp2u!q?-xV{fV>cp_sw#ch465+?6VS8TMUIclD0~5i}SB} z@w07~XD{wVxv-w@VEs&WN2Q*zX}t7H`WIXdwv_pJ8)?ph6H@;p4)^Ko73R^;$oNjk z;RAZf>#uUhif^2i^>#pP9zTVm+AO&_0-bn&aZf zf52>?o4 z|3vgNT8(%`T6Uv>V784 zyCj2Imfuzw$U$@WTP`kFN6#*_U(((Os{(-0CvO>WL^|Z2sDQ60TAo1fFMIGi!TTtJ z{G>>Z1;2j7aW<>Uv;8C(YsvQRqdKtLh;t*cXb7-?m@b{BrN8(TI2K`2imRm#@wzx(+WR%aua+{swtmFg^Tj%}7`zdPn@gF9A}d$d1WP6A1J;3Q zj|mIcXJUE;W@cuKUzTrIJb|n50Mvbo{%-g94)XPORoeTcZCKGlV>Pww_KjUh-JsXa z(8qgu;+_X2y3i0syuPI$Rf(YPe0O%g|7Xq!p5EsKVAC=Aj<0?H{_OSZrD#C6eWku# zg!;nAXMS!jk?8vEo=?vt)1pvEchLFqU%YPyRPwOfjd}}jKnW=M087gNhU%7ZGFg{| zzxWYgf=*Jv%?ZYk6Nb!0dg3fGpjxF-;bKytpE&_1^|)7ti~eDxnPC6_j~4vX^Ha_M z$^*E;s+%zC-DXmx8m z+xa7^eZo&F!iQE!e#@6rrhtV=qYT)os(pEW`^%D0Qj&%{UJVHUXw#&W8D}{g$T+N> z!ahE&D0uzAOS_*<<9qc=S=1sRW=)r>b8&HL#{m-T-mh=()w98a5>h~Q)cWBt+Fi8j zY=v~A`m(a3%%s9)06@hxn^*dhuw zWQ3vt3M9x>wIV7cm`9zA(q>ScyQ#34+R#DLHy40r?A#y&hzx4(~=hMf(?tNIZv zku9%yx0b_97X+H3;KG6u320?A=nU{oNBT*UrpO|3V5vF|k!J5*D5YVszH~sHaEGV9 z3PDHl`}sBnb~Q8cK)mIhM=sOP)KykL=f#C%)<@4`kI_GKaer-uVvQz|X|}=avL3w2 zA@huNZlQ3e3ei$a<>-&9NGZZ?HnbWMb*k~mOM&TRF-=# z8uk5(!J%9=9RsHX`XM}f&ouNQ)z#G!FAoY{K7eUB0V4>>)fInQnP62nmMtz0b8dtT zTrk4lzPSMlo6r`kT`$-RiVEnAXTrbD#%t(naXhiLYX$2(;<7hWEavb-s~OGzj#Sqf zXGWV4<2*NEQ8gAdV#cFYwEd^@xYv?R=vR<+ zi%N64%`|dV$7XV>LMaQsC{~pSgl?UVXi_d5f3_JL%VT)z;Uu&&cHegq6Je5?Bl)i1 z9tSQH0&+*s;7|ay_{$bSy}3NIUtdF>>-xQJ4!MTr0!+;0wIadeod+fyebFi+00Yur z?m4b32tKdmbXgA=nld2++!8rV#VVy(%Hihx zXDzWIq_B9=U{2LSlMUWX&Q8RKHqpikQ%{*#Q7x>GX;phn2n>ZkvA?aYNpxRlp}uxI z`@IBon^G<_e$3ZVy8_C>IFkbUMsbB0ThVS(Hmi$sR!|b>i%~D57Frb<(;ZrL=6FnF1=kH3xcrFMxaqySd^pzz4tOWB}I6&*LL z$fyO4*56di&6-3h*4Y!yV{W`=*d>!QAb#qnUdtAx69)(pq{G7Caj?Vdp|4mdK2ohYZpE2be zB5vQ~ub3W&tgmPG$!+9BkU)u;ChBP;Ov-4}GG<&z@^lAylS-Tk_L6oxe>O*hloY4d-Gaa`26rFg7CL3qnu0^Y&^dPWGz zBuD3+6c~M&e`F)upcWxyV2)tnkO2S6qgGhASuc|VWH4c(xfpNXsyobPC1o+o*#b={nm6e+q zwz&36V??5;I!**?mO8Y48YB_U35{hWFjCPED4GquvrmiFA3aH4*LT_Ko|J$K^(;O_ zxC_o=GiDd{(1$?=b7F}U(f!Ox#JQ(Zs#1R#*HeC#HRpwh{G=ZZ(iq$Q-|%~=5o z>#)vx;IPpTi2=lxo2D)VlUB$USf=-6fPHe&ln^yZKJ_tFR3~RJ#VM+ZchXp zK}+5*09%Z{ZU`@fANY|EW+Wq1;ryP#u+Zdcpag6Ogp?25-rf$xP_vM-o40weAW|H7 z0tRW0MT{ZbK;w8zwKd@8Ls*EhiOJy;o;a{}h+>}}?A}jm=UWdqcKpj8xQYKab&=Z? zLPtmU^XE@zXJX82RVVi#FeT@G!onfbIe4?`kOVMKxd? zoTjkFHc#xD`nI;V&Q4y!o(=$xah**AwTI6n435**?OIExVxS%>%3Q$M>hqRp04Nq^ zfnL0zM4VzI&OmpMzQ&ew@52o#fWnyk0RWZst|7$jgWI4?zU7yIt8MI+mCK$gK7SY> zM!w$bjj`WkGUJ_Qy%0z)ejr9eQ2hWnU4$1q=mdmrui;8ev(fwBGT@hX;MHWnnbGaJ zh9!N#JX?lJ=4@ZYqW+yCD*zyX#zgq|_&6}Yvp+&u6zE-*M&+4#2$1 z=@?Ap>rdPg0Tus~L5PTm>>SUtbY5JzLa~2|emuDd@92>1S^$=%qlg??u)oFg{Wu}; zX0~f2;!7O0Yg#z-?asV({LQGJw7h6ew#)J6eRBhAZ|#-mc8$PTUqsjSmw90TI2x8p{L3LWIu6#U)Mc$&PJkH4O%!`76oT z5GG}RDE@fHy1eMi^)Fg64=hgTh>NQ$F&4V!;$M1judEx@aLJN{J$2RC0o|^u>u$ZZ zSN1v~9oFvL_r!4RtVsN&g7r3ZD&-ks?Rp(}a(gBcb`pgjT{69hM&FalY; z`hBpT>Dgu4Ii0xjwgPe7k-?h0$?I7sn z(=m9d+}&@hpiZ?Dhtp>~H~VZr*t!B_27uhJQTJc0ygam%8spS-Gc7{>aODcU4<6d} z)xN#rq!?1d!!F*4zQUF4zY~xOHy(>2RR1J;%a`ujaVW@IkxmO>bsXl!A=FTg4)*)-?%m+ctOn4SJqZJnDM3VEULeap&{UfPdM4&T_pU95gP*j6 zE7+PQPHAy&c~thES^#zbMr{v$OWg8q83>(qVD%)-=D*HZzS?c83jhZ8m|7;-)rNP zm{aJ_ko#&t266?|xS*w_rPEXIlF*5~U%!6c^9fMqX4uE3mX?8BQ!}&V@5g_;65D`r z8G}yom1R!xFgFied;`rV`fBrx8K61c9Ff4qz=Ju8|0clvyLaaQ$&W?+%xR7RqksB` zd!9=IB&)vF1K>FTj#Op~-_6vrL)B*#@srt4T+=RlS2yNJc@bZ92VMfU8$InrLCp=z zJ>|5Z7EZz;-#=gM^UZllFw|@bRE4qQ8W0c42}1SF1A(cD*>H}*DjMi{!O8FSDA(o) zgTu4T&X(kRX0|acf{{-oob3;qwbl&zugY-r@V>X(Z*3L4*Xtv666btv)PN>Gpulwk zdRU9oyvt(iAs~@Y1L<+=r(3up`Vb}3>mB7xZ>2)$+o-;b6HZ#j4JCc{Q1d*^Z1T$_ z8(D@Fd#%(t>QqTY)vrUON5#^7MxytHkN&f7q1_IoBQC z1ppm`N<;{$ldDQbDE3}XW@kaaO_lB``4E{e1)iv>7M3{jh%pPMHnaf~C{X_mWzk60 zEfCWe8p_dDVS(BQ5u-v4>u`!@V+@tb#lX*p$xC8JMN1{p-AJGdj-&zrAsDX%?>voi zZgXD`2PEi0Zs~GX5Q5qKS*##2qKPv(yX@iK`LlB9tYbeNs(2n}%pz%7ZVb&Kfd@51 zXIXM~J-dM?W<9%BrFMwn0LI#sqOELqJ^y8Yj-mx*af5bgHp_G336oezT5Z-#H=yBC zL^P=LFixpd01H*u{Qi29!1dTY7Yw%JxG772iOfc+xA@9TKbbJ9_^@Gva26#M@?s@g z*PweZ6UK?ntrm3tMU%}XRXZqmH4CINMUfnRjtZqSDD$?yW}vec(ae#vpsPTf+eCYl zQS(`F?>!q!1($j#xC;T{dvcF4VM>rVI@62qg+U3Uf*CI>v_Xfy!?FQU%KlWcB*PqcP$267q*B~d<*-U2C;@0gat{4=X665J)@bthbWT5CWmE;zs_dkNz z>v;8$3K*)%DFM;^N!zH%YOPIN$|~XE22=cd*4rEE6NUvU=@Rz;Bi4BK%Z0UD-7_q60z0K!xXY4+x1Jz}gn=>Bn z1((xdvG)+nQ)yQXf}%`Xu3kxZLq;dSL~pR*O)|100iCJ49gyauCs; zk+K`v@Ofz1m~-8N+^AUf)b3wb)`6g~t(+ThQv9G%#Y>tLo+!6|s9%kn)9~ZxWPehn zARjrl+eWCi6i!qov0_s4BpF*Mampx7X}KV@c$f&I5&=Hs+-_%}Y~Es+CX}_HvYv=! zh72vLqgGvPwV=_NMu&g&*{5>gR~qC7UC-b59tn^&aDLXnU^GHhMiBeY{e5bHdxO;z z6hn7&uFrBq0LFEmp!xtd_610)+#y$I`^*mqS6bTzKyiRp4!!p*<~;nb<=1GyGXvy& z0N|~Kj1GR(%FGuNm5$IQc{rbUkn@FiC z$Ia*6`}ev8?(-FCet;LQES*~pPyv4tM#u+vKDD$w+po4K{mpQuH685Ha4(zF0!1jm z{viQYWVqC)H$apA%MRMYbzL z4V?1o?j=ww^Ss*<`O1oYYwGGe?Qf*s0N;osQVi{6LVla4={zV*uaZBbGY8x`MRr5u z!2SJozu^8uKRoyZcaLCDTe0z;d z(l@`PVO|{z-?fE-5*-M5Je;3D2b%t=YWD3X$U2Xpn}d(8DVKc_2GVC&fx4V9>=Df1 zpdC|Ql&&{Jt72y{=hCgOr4cI~hhk~>Xwu4Lp>*Gh2rCp=@ji!phYu=%oRIL(r+(zG zzA$iM1t+nll9HInZ$IRgsM=ts&tADYsrM#=3RB^WU*${n*j*OZpJtT>sra^zl~b zCiN_U^`GMSO29>nf9u4L%m2|NvwH6yYK^(b0=8WS%YEkpuu`3xEz#Z4J)M2eR$)zG z>&98M`YWG)$2j*&=C4+QQ#T>z>c%fFE&aeMW~CDHoj zZt-S5=e^D59M~7$jsFf{u|ZzxH~YMRIwXA$VgGu*($(x2{{zGp&UEdce9Hfo{(nOp zpU=CU{w6JbZMj{HjJ%5RnzFfvvcW`(eap*_x?*|1YetuD=5#D~dzH`t6W!X>anrR8 zqz*GN3c>>E+nMbMeKFD?+uQa3FCUazjD zQ<8{QuCL$U?@Q6wlT$5!PSP!2uReHOX9DnUz}sd9z6Y$k<`5JQE1=`y?VW0=cf)&b z685o-n&uVnEs%+}flP#RGh$T|dTa4`_F+>$z`P^;N&*Ao%)c)K$Cw-g^f})o2Tqcs zlq0``g^SbFtioPE(`pG=hSKnX%}d2|pGkq@)9_z&ga6ku?*Gn9{{O_$;TN9ATjPMo z=Ah{_y_7%j2yDH?)z7BV+YEvTd8U+6+TanXyX)gp>qi6RQgVP;0zT1#>?jc5gX3v_ zX-;JKmy587U`2V%D$*zM1IQYJi5z3!BV`p#RFeq5v)`$gy;fo$sEe|4V@o~gT(~qZ zOiY$m^m9_cSeGoIW|o1@zP5?95)YqxnAC6f^X=DZd&x23{!_dtN3NbPJ;jgI1$ZhI z&bju{-Qn1Ho_W#zrpk|j$Tv}E6mfOQ3*;*AK`0^DXvst`U`j)aN)l` z>1jX?s5!F<$EgZM8Sjh>PNT>;SBkrQrwvg z_`Qg{HAod3XvD2peN$ydrjouehtcIXOj6>{*;x|4wvdd>Vpm|72rVoxb~!5CfsNLT z@*7>fcGRBHto8Huxlt@5P`m|A`kRnHqu*!pZz0mhtn8DH3<9(t>E&qgO>~Emh+N2r z;jSXJP7U~9XRcvp zTE>UP8hlv2Y!8Myh%;Y=ey%bYJQI@^*sX{%Qm?VN*jh_2=g+RDVPENd{m~%rl_Nk7 zfJX@cv+gm*i8=&c9HFNT&yLU45-%Q|#qFP?dQkCaW;{h6^RoUZ9a{eb z?$l!4Ub%F-d=KYp$Yy+IJ2g5OMn6gZ+2xU@LNOhfL%}4EWTu>MriW*gqL=MkFfZ^B zNzJT)-H|z>1rKq7MFV?L&^DxrEMa|7jiskN&c(+{3SkzlAeikJJc+{yvRE}KRZeu+ zjmn{vWvwOHu<>{sB$>s&fn@Y~OlS(N?XJnvoiJfuBPo>0)E|DLC9jdK$f}MprH&7n zi#Siq^FDZNMgt^3TdqqX^ck@=+cXhnJ#>?Yz-?;ljpTmNPoF)rTs+y9%q`~NGLfgx ztbMwrT~iD^yZ!k!7JX+8lFqCv7IBJ1vYy(Mwrx0WSo+H4y_9+?AZQpQ=MuuX&G4^H@^Ej&x=_8cBtnz?2v-|VRB{+Mxx0TcB&S5lS&HUhBy+P^wx+fIcGW3d}Q=L@b zSjY@e7#2v?RRGvk-$9#0f}(z#sD7K+$5o2O zs^r0rS%UYst!Ch0kNA(9rre`ZVwzFZY#PZU&^;afA#wFW87))71a9|6dl8KxfIyZ} zJ2M{I?66@1p=Sd#NmC|{!F0H1AL80+bnS#N16v(z$R|8JLv#H2#1vBhWPnwr@N0s# zQ}#QkPy%6L$43LuH!tUuFXd==wAn3#P?yClI)zkiyg-G zNksas<%r}M*=BCBkX&{c2A(-NWG_Z-D7jQcx04z3hii(au>r2+rO>4y-vZN%lZ^Ce zNq^H6AF(jJuvA3t;`?A$$>di}|HuP&_#)19NwmzF3f7Tofk%sM`m}rfHYtaZJbMA_ z1MyY_r@WSiW|DELDnU6f9(%q-x}$r=)^+(f=KI!%UXv~$Yg6S4R^!qd!vI89l6|Z? z5h)unwV+8fJ|XRO4(oQwdiu*XG7nr5eJq6M ztR=r9n~xEc6m15BIs=7mUG^!Q(j4n`AydC;m!O1YZ{j!<1VoQB>K3g-5C{TaN5|;; z#3x>8TTRMDV`%vj)RChS~H>I;-sw270)L0XF3%U%d z%v}RPo`-`ZCB_MLj&D5JQ^P!Jx7e+xj6FkezHk_5W57K_cc4O~c!4!2ZzMR-453Sl zb`xJ}&{B0i_hbMq2}@rAJ6<4Ljuo`I`(XPq^`(wxDzdFLhfZZ+CU<#9DFmgaQbK`Z z#7S!v>nq0%!i%9GynaO0#h(9^8#LDFes_Db_kesS9PmRLgJ}f$fN$WF6N)*hZ*l`| zinQc!?_HTG?p>W{zn|WrI>5GK6y>c@ix`)SCF!wi?)&;Dg!ef4fAQ4XtH+?_!@Gb1 zz>nPNf3dd;CF*4>vn;YYkiLC!>__YmaKKOLb$RCLw_Wo*AT6}2!K2h@00_;Xi<|>L z7!d-Tyj)RRm==~s5))2tjeIudfK1i|uy23SY8cR$_cT4RNe0{DHo!#~fr!kZlKf&5 zYXXc>EAl@*6mZv`*Q{LD7^flOCD4$ryQ{8rcaR9hyia>5!@#TlA?e%0=`^_|;D}eniGZJg$m_bS>N4e29=^ylCF3fG?FlFt(JHZOA3>u zly_x#s*5Nr^ACJNoeXwj&b7wnDuIs=~bmn7i5laAGpzM95aM}5|w$uOjI-OS*3Q0 zv7w9MKu%>nCx$CRX-X8q=1V4=;|UptGLc(uYDfiasY`7bq`ej%A8=Lml!STdLI;{x z>&X!Yru@%ok3-{vk9dZmmjc!=T&B&nQ`zF3Vl(-$?|fX{j-_h?ZXTLE0iLT&Opd~$ zV%smgIGCa0ULzRZkOUrpujknAJl|O;gZ*)RL~MK{t9L|`Og=$U_)?>7ef;sE%}hDW zGXxqwGgX<)Y&7(?EQgw0?Hj2hPpT@3{=?&}jSNxfL%R^)LqU3vqs%xe=^-PG!VIQK ziu#RH=XeqK%7$lrsR}J`qgi{U*(&>OCU>YRV&(JHj~QiK)L0X$7%605q;kZ*jsrgh zyPT}SheD=wbU~-z}B0#fb@gY zd?b6~E6Wzn6unThnt`9B@Dzml;Q1yDRy=GIlQGXWqJuX6{aoR#W(x3pp;cM5 zHlsG9p~Kf#dPE-$S)b^>iSjHLk|@kd?`BJTh-g-Y9;&}4kX@@CkyZ|pAgvgznG;Ma z1r5-6S`*#wFCWwecwW(mmr8{rDCAFrvFd@`z@sR?jN$!Znp zc$p|4D7GbtMekjCefZy+IrDI+`*)9L%^JdBC|g-3WX+7oPBHeGP{K2|8HFsBUC5T5 zWX&4JSjtu?*}_;ONs26CBng8^_O-fiYE z2W+L(&K;qKnlM>cZ8k?1MQcQ##Z4hEW4*bV+e`2zVYsEC{<-nY8dYu`Ln^Cv*W0RO zX*_*OGH_Zg)yJ(F?R&h-*85*dV`ap)aItnjkG^wxd$W%L9ua{%z)-h=*Zp6lm) z`HMJO-cJyX{&Z@rZD@*A8stlv(@U!*P@m9Pn>H6d{=PLhf3WkdI_?Ge_=$+PP~8qj zMB6FW*4a5X<*lKZ0H4&ws!9vJ=m$@6V?%Wd1JJyscdc4e=6n`6%7m^>EaIZ{-!bYI z6dL3YT<1o&Q@^sJ3S1|E8fsBzHHKI%rP3^-9f&GP;(6{zq)T&go}KOU!zf;=wzQWT zU~D%=(jPpR@7GOCy`3=DZ~J01Ei;?%C9)#aVqPL~kE`;8(Y40F{J=Rm@YSng#7^Ip>7 zAn}hIxF`e1G+ZNfVP;5@e%yT6TD!nmo>I+6@M2!wKCN~?Dmhpvtl~aq)-ThtqOkFH zGNL)_Dq7A{EtCO4LfZ0S^)h_V!bIm`Ze|ZQs36kLkwS_#sXu!-tz2+uUBVTnCys=8ynKY`GdbsTj+3qRn?;&9Eagf7kF3#s2vr(=(~)EU+KbLN zzI)am%A<`SUO5RvtBc@aI|aa{!_W*$FiGR`O>iu__cw=g3Y(7<&6WDYs7{IOM? zyl1;p79yH~Xd}^GlT@(G@}PEraV}i?!&*97N0EtY-exlTafhg`c5v(5v!BGn=4B_= zr4xDzuEBq{<%GoxH1aKPV=E$GwFzDnZXPlRN$$UKc44?NU%3|q0%G#BIc>T|N9W>qe zA*|vrDWElSin4<#y?KWpK(z;VJrL$cl))X(P=01xFr;t&R~2#EPOb4*(Li0k00;t5 zZ)~o@4$p9oi2jc55^wvTsqO!VL&LikoUA-DHogEal$dySD{*}wTiHon`d*~Dzf@$$ z%r9J!#PRk{nq->0FA$9~KCLb;eVBdBj|?DIbG=d}Bg;T*$r#|_3O5SHqB)yHhx3aP zroqX$_f%#2la8u(VQ5e)Djf4QZmV$SrJ<(;pA@vDHD$}q6SRn|FRAdbs&ULpN9LQh60xi|$KDez81fY^03P zh1kfL9QeM?yQ!&`n_u5sbc6Ak9`4LS&g)97eXYaQl2-4_5kkgaO0f3nFGUJ@3f3WZ z=$I+h-SQFRo;hi&fYiZhn~VA<#k~B5)~IyK2XiNwx!5I0EZ#~U$#XZ~xgnJ#Bz#AX z>tOs8D$QYU*UHLnbnsf3qOk>8<;mhHJ%+=}=;A9CpUiY{@Js9*Y=?UN9`vX-AvY51 zQyvhOMIcO=Nmqu z+|T>E_GUB{vE|vDUn7FgDHAF0&riNE2(kdx~zG(h<5R)dyPK( zY`M*RQ3AJt*bnFRAwPJN4!+kmBIP6`6Q(X+rMK;fB`m<*SS3%vQRM}MUJdKi-dnYZ zq+W1XmfRJfjTQ*f{6qXBwHSAgWvwZn7hcui31=yk+7Rww$qAXj>!;7==^WeqC8Np<#kQ>7lnl~%`Y*UF;>&Iv@T@73{B>3DMe|kWDVqR%cPBpfK zK(NszS`31rluO$6-7UAc@!2u{eng4(a8lmu(OM4ttcI}iXGT@`)Anr4!*A$B&r;)i zy|dTf71KXElMr1rQ>Q-!-3=3Pw1mQ#2_y0+g5!>N(4m}qINRDA%;Nnb$k!CqO{fND3Y+tqdC=X^=TgYyY2h{KxoHPJC6 zd7yUberTBRXgtjz436MZ$XbkShRUrw-kYEU(}fY#=27rsp3l+fmrj-<*wQ|%M?p<` zp8JE`v~J-K=PR57@g?ES1lNrTCwgocnBCem`)>k|h0?Fslw*jUb?e_L)E;gfIjbH; zu07`KwVqR&^pr)Qh7EabUOb4g%2mmf{@If>&#|L?v5^VH{5`D?cHXZF2{N>0XRIR` z439{NP(@#)>o!JnzG>*CB7khUZU*BcOW85-hh|8JcHYSX#8o*5CD^)o|03v2Fw4C_ zL_v%QBH|bLKsu93hnfxDk_R%E1TlJb&hkuE@|7bHVWIeOP1w3?T^!&Sj}bPc(>^7-&}I6HQlqqz z=|?p6xI7#NDM1QqU$gHmZ0HPRpM5pD^f~LYL*lgf%{anreq}+->wF~-PL{T}+G%3e zLaLIMMjGhJY`z-4&f|Bp%~`SNl-vAhfjJWa!kzdPt)h;)3r-AGlSx8o3{?S!!3eOD z{Ic#<^a>Y?!fwkA#o2C4knEr1qk0saCJ0LXL&}NgIu4Qxyq*mCRJ|?L%9Lo2tFAke ze7&D*_G8RK4a4#Vxo> zIv4Ag%nSCYO}?h&XE^dcV$fOhDCFlT=bDodq5Qt&jyT%^)CEzov(j*hnZQ!}td^2+?=ofLxK@Ru zhC%YE&N}A$Tpz;zf7cI7Alh=nsRO10QQ zn=#7Oo3tZvPQxPj$;iFD1KNrw;bPnDC%S2+M!S-4RV@T-D!K3nq~3hWP$k51(G#PL zvg=|sL=Rjr&f!@jKf%w``7qg5a;w*}nbN0uI&-DbT`A<|a_e$MO$%CN3>!-75}Gte zQ@XN-bek15jc7@{`1k{z>m4Ag^2Rr6sboSE(d7~p-Ys&<+2@ga_0hq$P-+EMQHk?q z0^+x#tVH6>B6FVfCeyb$9xFfX%n2`14N#KzlXU*x%h^WE_j`f(!wFyJlxO4iBfROQ2vR4p zZqZ!&QJj$hIYS@>1I;(HSMAeoH|9yB@nf>Kdc8*|C_$jpA#$!Qt)qLI6!@bReb;Pql_|0{y?^X;hTm`KDQ}jt67~AJ< zZj&f#P3Y%iF5!l8XOlY_~Y-ACUCS0Zk|11^u;vB{w}d;3X1SgAb(7Tp*x+`&JfHE=psUG0mP zupLsLJe#|4zy}0Pz`sgB!J~sBcLE>u55mn1m9%|&>dh{`R_7qEqw9FE4_6xEB)M*EVM}SAE6wbfmde92VY1#vb#jP zeFq$TR(=1ep#4F;`VPnZb@!%$^zSUe6`@THD_`$_lW)D;vYk%2AvYGXzdGZ;^7ZRZ z=U-#=AmvA2Ua9W`7Yotq9(?fCJY+j*Da3DI(7nL>%sTkqU-aw2eoJByvybhV z;Ln|zJd`UrGZMRmQndNedpWM}%7U$+@dvO$*eJNiwQD|m%8`hDL=(Zo#I%#QcN(SB z0W7tp{{|CeKN75Z{&!qQ#;b1O|D|TPI)(ca>jeb1RjZ5ejA+PC;*M;&VjC_d()i%T z2xak5c_4B5hT zy!MhgP}&00=f@8Rmd>TWIazDanf{BDW!?syY(FBPIrQ^+x$7ptcWY?LDgiJ>?oa{t z_RRHnJD%1ZlouxtVc)WBwL zTjJ@UdFhnXBXDz;@V3^x5U@s%gLjrg2|yV0-C1`EQT|o|IFWE04eCo2q(B`Y1<@cS zWONk$hUTz|TxKoJEjMts{A@@JwxqzxePKE@%PT7&CrI>|&(<{$k10SEj1Vb)Ffi^` z-hiWpHm~Irh)hv)@hlXcmUz88E1>I))BGUJ(_k@ixO%|8s)1 j+3!@3eo^1 Date: Thu, 9 May 2019 15:23:44 -0700 Subject: [PATCH 345/492] Updated with dev comments --- .../policy-configuration-service-provider.md | 8 +- .../mdm/policy-csp-windowslogon.md | 75 +------------------ 2 files changed, 3 insertions(+), 80 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 70e8359000..785873969f 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -3699,10 +3699,7 @@ The following diagram shows the Policy configuration service provider in tree fo -
- WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart -
- + ### WindowsPowerShell policies @@ -4129,9 +4126,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [WindowsLogon/ConfigAutomaticRestartSignOn](./ - [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications) - [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui) -- [WindowsLogon/EnableFirstLogonAnimation](./policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation) - [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers) -- [WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart](./policy-csp-windowslogon.md#windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart) - [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging) @@ -4994,7 +4989,6 @@ The following diagram shows the Policy configuration service provider in tree fo - [WindowsLogon/EnableFirstLogonAnimation](./policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation) - [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers) - [WindowsLogon/HideFastUserSwitching](./policy-csp-windowslogon.md#windowslogon-hidefastuserswitching) -- [WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart](./policy-csp-windowslogon.md#windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart) - [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging) - [WirelessDisplay/AllowProjectionToPC](./policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopc) - [WirelessDisplay/RequirePinForPairing](./policy-csp-wirelessdisplay.md#wirelessdisplay-requirepinforpairing) diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index bdf911fd67..e307f8f433 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -41,9 +41,6 @@ ms.date: 05/07/2019
WindowsLogon/HideFastUserSwitching
-
- WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart -
@@ -399,21 +396,15 @@ If you do not configure this policy setting, the user who completes the initial > The first sign-in animation is not displayed on Server, so this policy has no effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - + ADMX Info: - GP English name: *Show first sign-in animation* - GP name: *EnableFirstLogonAnimation* - GP path: *System/Logon* - GP ADMX file name: *Logon.admx* - + Supported values: - false - disabled @@ -554,68 +545,6 @@ To validate on Desktop, do the following: -
- - -**WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. - -If you enable or do not configure this policy setting, the device securely saves the user's credentials (including the user name, domain and encrypted password) to configure automatic sign-in after a Windows Update restart. After the Windows Update restart, the user is automatically signed-in and the session is automatically locked with all the lock screen apps configured for that user. - -If you disable this policy setting, the device does not store the user's credentials for automatic sign-in after a Windows Update restart. The users' lock screen apps are not restarted after the system restarts. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Sign-in last interactive user automatically after a system-initiated restart* -- GP name: *AutomaticRestartSignOn* -- GP path: *Windows Components/Windows Logon Options* -- GP ADMX file name: *WinLogon.admx* - - - -
From 66d6f8f1831a3489e9d4499b3c9cf975dc9acb75 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 9 May 2019 15:25:34 -0700 Subject: [PATCH 346/492] fixed images --- .../enable-controlled-folders-exploit-guard.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index d761ebfc85..fe87bdd2c0 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/29/2019 +ms.date: 05/09/2019 --- # Enable controlled folder access @@ -59,9 +59,12 @@ For more information about disabling local list merging, see [Prevent or allow u ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) 1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. 1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**. + ![Enable controlled folder access in Intune](images/enable-cfa-intune.png) + >[!NOTE] >Wilcard is supported for applications, but not for folders. Subfolders are not protected. + 1. Click **OK** to save each open blade and click **Create**. 1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. @@ -93,7 +96,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt - **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders. - **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization. - ![Screenshot of group policy option with Enabled and then Enable selected in the drop down](images/cfa-gp-enable.png) + ![Screenshot of group policy option with Enabled and then Enable selected in the drop down](images/cfa-gp-enable.png) >[!IMPORTANT] >To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. From 7b826ecc7aadf0609b764f4681ab6772001e6705 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 9 May 2019 15:34:37 -0700 Subject: [PATCH 347/492] edits --- .../enable-attack-surface-reduction.md | 4 ++-- .../enable-controlled-folders-exploit-guard.md | 2 +- .../enable-exploit-protection.md | 4 ++-- .../enable-network-protection.md | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 1a68651c4f..cc1cc8023d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/29/2019 +ms.date: 05/09/2019 --- # Enable attack surface reduction rules @@ -26,7 +26,7 @@ Each ASR rule contains three settings: To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules. -You can enable attack surface reduction rules by using any of the these methods: +You can enable attack surface reduction rules by using any of these methods: - [Microsoft Intune](#intune) - [Mobile Device Management (MDM)](#mdm) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index fe87bdd2c0..c17a0c7285 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -22,7 +22,7 @@ ms.date: 05/09/2019 [Controlled folder access](controlled-folders-exploit-guard.md) helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is included with Windows 10 and Windows Server 2019. -You can enable controlled folder access by using any of the these methods: +You can enable controlled folder access by using any of these methods: - [Windows Security app](#windows-security-app) - [Microsoft Intune](#intune) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md index 58cb4ad00c..c2ce902a34 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/22/2019 +ms.date: 05/09/2019 --- # Enable exploit protection @@ -26,7 +26,7 @@ Many features from the Enhanced Mitigation Experience Toolkit (EMET) are include You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine. -You can enable each mitigation separately by using any of the these methods: +You can enable each mitigation separately by using any of these methods: - [Windows Security app](#windows-security-app) - [Microsoft Intune](#intune) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index 8df4d37da6..25cb0873bd 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/22/2019 +ms.date: 05/09/2019 --- # Enable network protection @@ -22,7 +22,7 @@ ms.date: 04/22/2019 [Network protection](network-protection-exploit-guard.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it. -You can enable network protection by using any of the these methods: +You can enable network protection by using any of these methods: - [Microsoft Intune](#intune) - [Mobile Device Management (MDM)](#mdm) From cd60824364d7ea4119b37af656ce8fac1e09c39a Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 9 May 2019 15:34:48 -0700 Subject: [PATCH 348/492] edits --- .../enable-attack-surface-reduction.md | 2 +- .../enable-controlled-folders-exploit-guard.md | 4 ++-- .../evaluate-network-protection.md | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index cc1cc8023d..6a2dd583d4 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -131,7 +131,7 @@ Value: c:\path|e:\path|c:\Whitelisted.exe >[!WARNING] >If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup. -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**. +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**. 2. Enter the following cmdlet: diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index c17a0c7285..d2b9eac2b9 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -96,14 +96,14 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt - **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders. - **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization. - ![Screenshot of group policy option with Enabled and then Enable selected in the drop down](images/cfa-gp-enable.png) + ![Screenshot of group policy option with Enabled and then Enable selected in the drop-down](images/cfa-gp-enable.png) >[!IMPORTANT] >To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. ## PowerShell -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**. +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**. 2. Enter the following cmdlet: diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md index 74605b559a..c0ed880905 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md @@ -34,7 +34,7 @@ You can enable network protection in audit mode to see which IP addresses and do You might want to do this to make sure it doesn't affect line-of-business apps or to get an idea of how often blocks occur. -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: ```PowerShell From 12a7d68480c7926b83d1fae527be0529c589c201 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 9 May 2019 15:38:53 -0700 Subject: [PATCH 349/492] resixed image --- .../wip-azure-advanced-settings-optional.png | Bin 14186 -> 43333 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png index cd8e0d0388c3d30f4e4288d6884302ee048c3bb1..785925efdf7d8f2daf549c90c5ff84fb6f2750c9 100644 GIT binary patch literal 43333 zcmc$`RaDhq_$RD@bST}O(jnd5ErN7|bVzsS0S?_=(xTGc-2#%*2uMoDyZQZR)_Uh| z?&iXE1jKW8JMvfv*uQx3(g6_$e8V!TsC@bJUmE}KU-wA{ z(m5?HM$?Rm8^;_v9xng399Qc$jPqW;mXnhcdAOJvN~DY3?ATtYGfkvZfkZ~KL+W`W zBO}juCq#U2zd0RJ^Yh3n zbb`_7_`Ca?^^E=aSu`GN33JPeJ+WcjT*ZeP?YfQQkwz#K+I_argLN@1M4Zll!|mNaExe9-F1>46$;qkzG#f43@^%4(U?9iz;r3rRItd55Ju>bQ+Wur;G@e>SSsDH2 zHCZtK#-5XwKWk!(+tIH&({M0ASp@}&G6<>AC*mhgXksEB^T%Gp&1lqYD|v7 zXEzy6V(9N8ffrkV#SnDFT2eGLH1zlP-(2@{-Jjkj^P4yI@bF0IFhAR!$mO(DrW%pZ zuF~S)KRU7_eqtWWc&GcrRwsc{DrS=jl8eP!^VHsIMS%YoVuopHuvQ{6*7}rL5S0RoH3gJ{po;280rvPGC||iqbjp><5aRJ*685c zmD&DuaaUK@{X2*Q@p;bCT8BvcM-B&)r%BhrBhxq`3t}^!Rta%&cywYb;-)Srjlx^a zGSzQZYST=J+~%=_?@T^)3)@WO2ptBUZ;!}4)^t32Z4D;Ol&aKUP*G92AFpQ9sgUZp zT|aCN#NpAa28`h?HNzsHzrK(S-5t*^6pw^g&f@L*UirbT#x`)s%&E3JC@6^d;X2rE z>4zHM2Q^O!G2h@~yRQJ>0EDElRTgDVeJPpogH^T9&DllD!~SZU_tnwT04ZxQ%yLmPMf`cqz%!YlFSy&dFmI zcSj9t=w!l*>FUMuYA=>Bzp+!rM1N)+2@tN-Z%L_Gpk`+^A4xGE+(J=&9sEVNfu%6- zaduWStP{rK&cVy`&#vFt%|A99^B4vPt`BjQ1)EhfcvsWa&-qJ}lzpT_SW^>-8rTC?AziG=~-NiGjyB?=I5Jh#*7G3X9L*ziii|nzB6Ts zQ4!HmR^(^IwJ}0=`N{Sw5%Sa(vmE2BQU5LN-EAjZx~sGHsHQA|a{A+9$goZUllWha z(}{1<9orw_N4}U+Zv8C$%&$>rA{Ar0`ePyL2R)Mwj*V=k;>%GQ5;lFTXg%6fbW3oS zNTcQTyS#^kt{?A?Mea`|cA!hBJ#`3M_Qp;1(Y=hn7dx&uP`Co1%ie1~=drDi7ysrB zT{u;3$FulQ@K~tB89aBh-L(-EQRj#KkXtyfW=GFx#2`otDe|(ljXGG=e%HSdJ{3}n z_tl6s3lPgbtdJ?q33AM@EA?b@~Sa0XL>lofhoG-4J3HgI4@q z@di4T97WwqYmV{|T|~0*DZkr&I?rid<8HXDjCu}OdwqUs0v5|Rrh!+h-f`oJLkzb= z4?Shp8G(a^zh0r>s)k98CQXsuD*DTsvj0^q{~5wi@*yVUmO%JlqFhayj3lB9yN0GL zt$}t)uMqgN}1eBC7HK!n~HTv zYOH)QR?Ce})c8q)Nj0H*BLe%W;fAtQq^d*vYC)$40X;i0=mGAka z>|Dc2>NpjYz4|yzO~r)1rfxHhq!Ei|4G;DvI@%;!1Sr1TZrZ$Ne5GgHb%K{@ z!gAQtb~zwnb=T4(ep&Y($;an?yGCBrs{OWf&nZ?V59onRAbY3w< zChL+a(*X#zqYo1k<}w@HfHoFm9O1iRoneU0-b^V*bin7ITMA;>Z(f0xq=S(T|7g_=XWUHB&_8d0hSuW4nM9~Gibb` z5kXym>?9Y93P)g$0t`X?<7NT@l~SSw0U9CKpy#R>fF(t0fi{MIH|By7#9!;Z|2FN) z)(-Znygb10r`rdx$OKMqMnZ1=ROvjU*4yLZ-#pD&NnmVHk@d!+Wo|N;BgXoG+@y<( zD)nA+Q92=RL(wZAN~&%|=ZM+Q2R~!y;_TT=p>lNPA#z(KI7DB?e>FHvjM2X0cijs} z?6YxU=7}-eAYApkvy;m-Qj}Z&WQ~W@71=n>@T&1N$N$ljyAK*nwT^x~SCL8#qt#cj zA>?!brK<1Ys`IC$Si)Wo=fxv`Do!;hc&o>3Ffm$0;TdM!ElTRON8z;AX(s1MD}{?g zQW9{!m78|1FvCTi?J!mF3XA$ik?{sUg$UUtz0i9*`9oRC%T@O^UnrFTogB)9;5jNw zGF<;akt~PX!EzHPUlEw4;r>vrbN~b_aQ9%(%`-BRd$yUBo5#i&(<_BeH>(>zZdNs{ za-fBVxOBv)@j6jbGN&_YRT?qKf9ynDu2qaB{;JSfnz-)lgx>iOK_ZKa&n6lZ1GnKK z`&z;!YJ7&hBn@Yyv9tVdrL;>myM7$05H)ii!9@sB7T0fbH*yMvZk(U>%U-s+V=da% zI4d;j_uHw4)VX&FguGI8i_wE8fp>Uw30%M7aH#^>>VMHBlFU)X37U9S+59%Z9SF)# zQ*|OAB@BkTOTF}_YVv;uooLEsGKA;OPtF+79Y~6>DXv=zbs7_{AW~=Q*Rv*L_OEFP zQm>qGwZkisFB$vmR+Mw=h*mlizJ5txWI{CWx-L<}22a zv2OS(6?~D)_ApHxwp9=`%Nf_{-U>Z@cA}EU=BFY@pgjI7q|2PMUPaN4Q#}tjN}@%_ z$c6LNZ-UNAV#bsoi(tnOh}U21)a+=iiH9N&&2VRkzI8Ovj22h;o|d$fb~gSMVi~r~ ziM=k&L*|`fL_DnU>oW_R^TE$58Z`6ar2KGddQ;(*g2aD+<`TK;J69;JvEFuoZbG9E zp!A~&%O5dU^P*+7r2L8<1ESz~mJiig#2l1cDHM|_d>z`tJ+L&@XIEDPJ;Jwpg|_aF z@AV=ohErK{`AW4>LoK+sBe7J&(oJT@vgIt<-soCfIx_K5ZRX5DExsKhQO+;H;S_a@$f zZ@y@ji)TC#4|13m)Fm%up={Hd#K=}w@@O$M;G1G^rZVYFs}-IXt0ML3IqAn={L~wQ z+s4m=E3xoZr+bIxVuZ^;zJ3LOf^7z*Gg@Ajtq<`9Rv`Q7;B1(|54$BTQd08je+Tn) z6w;<+wO=ZIp zcM12li(ie={^D(DezZiOx(R8ujWc69w9*ktBh2mOmO^IxgF3Q`Gdd{RNH)c%MRndc z9^lgt(HWhij7u6S!ceRhl(p31wwerJi07a^i-=|>|45_JQyr9zH4@{+n}i^>;Rg3D zJ%`-8zphUmAbakYntd?w^F=SH(#D1kUklbYn_){uVVA2FhGpS2{%p-$uxq(pio#)( zhx6Y(Pfc_$G&<#3^(gfE_ox4qEUlWj_MNy5F|YAgouoZv+@$S6iV?zj+E;LH10_}I zM8kvUSkq9)(9cXP(;-C3H{9r1AK0%p+{=DerdKzY+$e0*^L%7U@03rT*D3F1ib?Gi zdtKl}RDWmDmB3&*_P36I+j#uDYS_|hYl61+hWvtg{qSPGOT)UxLahADPMCXhef5A? zqC3nVD7^A~cOTM7EUHG7#n;D^Qq?<|B*dF3^lU6|J7ejr6L=VAN|cCZ70zDGdu{#X z_>Boaelm93)HWuJc>T947(s&>5?OzEA%&zEjns%*V!%YD8qoGez-03pV?m3`;kfOJ z^jDY-740Ug7^(W$MV&_mx1D^iX_8y_o??DM#o>iM5hi{HpSmD+eSf2)OOwm4bk1oe zhTus+7LH@IBp;Laqci=)3)#k>RN~{4vMsCfWeJB3h=bP(3u5cnpq*xj!+CTIwxzm-h7tp(w{2=J|X%R}*ffUs()^sOi*90f%}@+OjdJ_~X2fHrlWu`*5H3 zSgw+6YdGV(aM)zD6;~B^zwmT2n8g`IPwHG2qP}i2AtQeku$U@5LQ%M*Iz8WgD;AFU zF9i@ZUG124%)s8mg`chQzw5Vpy+(uh-soli9z*DSkG(U#{e#230mh)&_wF*0R*AC9 z&ct5Dd}zwWCEbatcDxw&LK63_*}`1iT@kEy-1}c&-ZN5NVKgph`6~YTWR^woj|jn? zo8UMq6W+ya!PX+c+Xyi8uN`50E<3V8zE=Qbr_Ta?#9214=Wkq7YJHjk=6qM=T04)p^vH6rhLp*c!P&7ob zl~v3N)X*;x2#S)Hk_FDITmDjxK?0Rt_|j5RY(eq51FP_VQ1&O!M`=gdE~PWjLVVMb zbbisN&2CeB2}LZ=io%*l(AMVMVm z8YL z9^QA-H6S$D(PaqmI=ezBGR`O+ zfhfCX;&>)&mD8pM{M{fH`OY|T2BYSnWbJ*L?7U@cOa7`t?;Te{It>_By;qm21ItNSbEuw^q$Vw77e7?;iU#<>*?j^W_P-Lfhg zQ5F;jXKa!DUs00Tho}`w4^i~ts{#FCyZxGIVbj^$#DC{Q4ozdXYi6diS&#rEAcw1p zlM+r`dF8hU(_3>p^94+p^wDocr#2WO_l~J7`i(Es0!nkdx%8s5BKE7$%l8 z^Ip#2v!CYsP^CLck7x@GXLs}!}6dIUrt#@-B5SxTBeQ@ zdE`~1n$uMHP=^`))nTo@lI`*k79O?nhdvfTUXfgyOW=9;qixTk#-z-v(pD(b(VEn~$ckd%UNGp_(mIEA)SQ=qpNNvqK07k5pzhy2`ZV zH|U=Ua*#4^fS&Sqt^tza4ddH1!b>~tJdIN2i;yo{$fn`Z*ihDTCd`=O!KATH*~dD+;A$w5X8Y8Jpcx*vB6UxKkd(qEui1jZc`Ay>RS?~{%Xrr^F(A`_vp<%AyIUtaTfiMN&fu!2*FQ9*lz?2G zO+D%i!GHU^HuJo`R6}%?Zi7~tYS)uPhYzhnq57xJVbcLu8RqsU#P;@f;1rOuoAd(D z00DzkuTUE8yoy~X`{d-rX|sPUlV{?eQrr{k)YOzMLrk!Uk$H1FiG&)tkPu1D=c7+@ z%E~F>75%42J1g#M`t=rQSKnKsu4;Pa&EAqR-Ng0m{Jp<9&)3-+dG}~8DJeNPVmkN< zY4?MUoS#;Bz};v%=VHC3yKnI5(?}#19WpLcn(-6FGA1VGe%|M%VB^i}sp#<zmOl))1}*;{|$R16Ld+N_}?pvr{B zzvOt@Ip=iSZSXd{6QElt1-tIdlvcmlRp(DX#_PA>tr|!sWcMq^b3-}MvkXlyhZ$?q zKK|Q`6KMwogc>la3k(tc-R*np4c&|JeK67E*#h(b?${C&6T{JnxP7iq0De2?dGzlH zhz)E#9~U@UYM40bY6r_He1Fmtjmyjdsp_9oIatw^5Wj8^p;;N6|IXZl?w*2 z@3Tyx+vVRC-S+*HurN8F30k9zy(vVI7A$^2^I_~D>&@?J z_dMT8uAx@`{J83Xv^((vjetY4-PapvZa_1>IqAUwt@`cDidrE5m*)CqjDmmO1n*LB zIq`P~?sPp~^$<+tYJ)>=k;v1%OHl%sGp|W+ghDC{MfjlG)!&shuLI_JR^L}i4xovE z2GDrZBy?d7q<=uXP74ku1`%iPCnYeNgul>;7i&K^afEKTXduLK#9r>t>;eG|iezkT z49p5k)nIru=o)*;M9l54T%im>PmVtPk{h%`f;`x?4X}fmb$=YrmSgqkwRycuJ_x@8 zUYp_E z*BAnWr~0UnCRMUxkAZ=aiqMKhr>qCS(l!M!286sXFV4@Yi1q4BURh#cVZFh>xd{UA zowp1aI>inVn^9+xTq0sBryxx6IHgq7Ym^KX8&;sRl91>Z%j58k=88OhC;L_m1@@2# za3Xe85+-+>KOd+k`xGNe900?|w{R*D7NOv0K?yz2pVa~>6!_0qEAAL%!dc`{w$!to z`5*-&`ARuPY}4>AX|eXtzmmV(%vb9*K}q0yShXs(>n+Bpf%sy7Bc=FkXZ~1cXQ(pl zXcwH95;$(!C56!_f@#{Q)vEeP>^wX$fPh00crSR;3A;U#N~a{Qx!bVj$LSyNnmwiF z4>`KhV%SMuSak0Eeqw3O7%GzNk`*KD6Dx#=m>_so5K1Ytbq_1)Ft^bU~K z?TWJGX-zJ9RD~%h0v`fzyrofp=(o7Vs8tuA#}e_dXq2E@i#s-d^Efq`4ygynG$Hq$ z{dAGs58Fi+!*<0hRWbHgMz~>e@%o_1U6M&Q9Kw&16?0JhN->nomy&(}qNXvzblK-H zx(RT!ccMwGn1q6j{oQs^z1j4 zL*!ci)93O4dGpg`-b?mv;B-c!N1`Al&``gE`wAE}6h2AauRbw>G8f9wb@Bc9wKR#E z?-zc*dtQDouP1AVEN}E61qD=v_KQY~o86yMsUS|tXo;x&jiPOm z?sqmn4_Djn0QTdw`N`BP2R=J+!;(e({myqIrZx{A1;4uDCoI((!?IfeEJ1B(bhyLn z4O=LED3|B<;pzIlS#O#=zC~D_O9X#^Z?Eg0*>a${-qT!HYnDTuZZYU-@zm+w+Dk7T z(kXt|0yUk340y#()Z^LowE#*%fpgLar2F(5F_@2(#>5F_1X&4GUlva>UY}y%xZfJ<}ZnB=r_Z;bnmr)%q>%_h$;j zg$ZI}Vtb6~1fqU>F-}Hxf)|q#XU3#IU?j6x+b*D6D2VuN(43jq{|e3E1~g63ivT$S zy2yqze-kj)z!&)uTU6c)TcDQMBGM{lNLntuRK=-s;d>>U*FqzoBwBR$??A?G_5}Dj z3NF=ymKKsq`uSm>=DrXhJa4g*O(j7d$92)oL9|KK4Yp;kOm4gTED?>)wTK8r>;mAx ztB2(!2C%B+2;#Bm(HpdSfSDMiCZyVvd;@BzPOVWFaA64<3NW{j38YaNHOm72_&hya zMG#Xs06bF6?WO!ck4r(K2Yyj18dp#178GcvpFr%!Q3u4I2hh6 z(6@a7$K)Yh#9vr9_VM8kD_Na_C=~P)4GM1Ki7rT>30yBI%etVd+38n6v=0H22ljU< zJpZVl3Glq}1wjV_wQn>>s6|Z~Bq@d@r6I)S9jJ-Ph!_}8rvqd>whNurQf?T7Cm=WA zwL&-jJbAQvB41Pf$;!(^ZzyShe5`76-llw;tnvJ#okRlljFgm=oE*qnYAQSq&*^6q z;^)vsL#8f$@!&2P=0p~s%k9Pf-ky~!w$l4|pAk${ZSjeT508(JcXvOu``mDt4-ejj zfJ&dV)K>+a2AaUpYMa2^O`k-ueDW~JVTg(bwBj+?{5GdS{zhrie`*(IUsOy-BV!ON zkxBNyzF7k&-tO18a@Bko-W)7B(l zv!!{sb_TrEVTb=r!y)Xuw>&shL1HMe6#;)tKh1n|b_ekiJl=HYYfm=@s{rIbAE2~f zoU?)HNRJCIb_GNcG~z$MzT2#?J^o$Do`59EVZ`y{`LXnE9GExJh@}7F-p5sN{kR#n zXxXk!&eZD-#8+?({wy^(gsJrYhl2=pt}0 z>ILKTz=8*gTmd)+Fs#OD9qAW@-{#0?@Yi2?X^MoOI%;lQXA%S{`{VR(P^v1 zbvT&3Nf1z`xw*Z0XS?9|oS)%)UY2?Qg8r_w@GvorYB*3T)h`mE2`P08w`D!Fd_@pp zcDnMm^jpAZw!HImx1P7`Yv?evb@v$V&PKXS-|lxGVJuyyX6Sp|EaCMo7<+TNQVGR` zd^}9K${pnV4mM_6oUZOs1NTbHzSUXsDNTZqcSiQ@5d*ikPxGeXmoc?fv`S$uUDscK zU?Ek~`9ZHXH#bd9O}CQ(JcIIiNXugo^Qz{HzuN4y>t|_;${0U7zUKF!|Iq1hniu3- zst1WuArm}zHfgn6xGyt4rxMY}Oom!`JALYvPEDI588=W8@MP%Q@bH}-Y$BLu!im29 zXO;DkueM7`sm^RH{8Rk#L4^Nc)9%PS*RkK<~(bikOWK4KM9f z`?j`o^stzL-%oEwxK%^uGU>Vi+m{A$vqM^3qnw6Cc$sN_G~-8c?F&az&bQR1OIO)S zb=Qw?R>M44m$25#d;dHFP&QU!I@j~IxN^k*xWj5VPFv< zeGYD!!2s?6s<6t#t!wkxU%T(P<44!XFduw;E8Q|*z4>=u$6bN1UGE|Kui$YJrZSch z4re&M?qn>mpoxHtzgE|$t;({xXn>}AX!*Bolyz_9@+(_-s{ zbg^Nil7l)!e7*V~+PX!BozFfLVZDVq4 zw9;Cf=84~&-+To7&ic}Djlr3p<6)#&P3+NNRSV|B=1@)QeC~c`&zm#^ZxJol5La8< ztTBt38VpTPhs^+00v%k)_tw?StjOt*)R+I_pD?iB($CzjAD=JT2~9` z_8}o51Ek)gyyIUhMY1McuNRXfGv`jF(0C#xwxHKnGP5yT2%ezyK*%{*RuV4%aZCpq z@XW_+$Q-?wM;JXYtThu}D=I1iX$9B6%S~2O1=2{*K=9}0(DAw*=tCYJ*Z(C1nMPL3 zgZ+Fc{C~W582CU>{(&cSQ-aOPOqp!cklSH^2P@&&?t9p6UZH=9gR%_L#HMYs{Ehz% z6&b($IB-;=@K~$)zkqsjDZ$9!9MBr}Dcb`y%W2UN=2Q#{)eywD#1ZDJ>2(&Bl z+(2$*EKR1F+(xjjLRm;O8|@he3ReJdKU!&N01$cF|9^Vf$#F7(={}&h)U;h@`1G?^ zxcpK7qoTXPO(NHdnfmuO`Aq{#=2#BZ;9dJCF_Htz2^?E(kEI`W0152_9YI?=ZR@$m zr-$wO-x6`#FE;}GyfcNPR+N(iIm*bWD1MIKF>sAP zSG3ANrv}s@=SMa)3hYHs=X8-*xZZuvUOpMeGUU1SMi4V_zbwWx0?_2-R zUZVv*%FD!&w)sE#ZIVZ`0sUg7#hnO&XMCzqrUQhDp2MWq9m9a`b$~!9fEw`@1jGVv zif3S#{}mOaEe5Ds9b^H?Ku8gtg#THVkgoOy%k(Ps6S3JFusF;xjxLf?Qb)hOGroH_ z$NN|VO-pNZ*&V;W_Lyc02I*7zc2FcqA_j`MXlTqQ^Ta?*s;5$?9&rSbAqLBS{ovqW z`*W#C5F|F%Zte?CwIMo?vwwXxSCCtSTU}j^`Ss~L;lR`T+5o;g|9VuAn>v41YwpiR zR6u<87FimgNHG2X(vV;!Gp|la<5TXfpJFz)6)41q32bE#sM1DFJ2=_U8leHz}AyfttXhEVtI( z-Tkv#UqQ9eeuZEBH%MxMX`h&wh%*U^q*KmXf2$lC76!I*d_d$l-doK*FoGD!4-j-! zn*q>wT7@Nv7JuqzmF~7DYx;dLr=9|x|IKzPfVs&`I_ep0eEyGu+nHR}8^^~g=|H)f zMqV*hCE~H~6~<2=c@8^36pdu0QC^UJ*S8TIanyIswj-ydLx};8URG0 zdQHy0xBI1U-n?m?0!ow|YB;A9wjDQ7Uw;fia3Zrt$tZY>(>ROx@Xh{zAojM@OLOfc z84cZoQ+{eWZkO09N*nrM=o|X8fH53{EM*Y?9nk--GLT|SNH2nqZpx+zLqu`f+@O}39A70UR{hWmw(-2|>Z6AC_q`5~yPGD~}xz&hN{ zzX00*b6zBZ{t0AGHnxX~o^t&kZ@^-{)vA=u_Wwtnr36bNnxe|U#Af%4i>n;OX0?yO z+{=h1u+M5DyF`&7JrsE(3NllQI}gKEb$9kA|2q5!3_9Ix)jSf_6!Z{PN(Fn1@ zR@Z$@nsfo_0f;fMK4%pN*vJbl)alQk`nS_En({=LGC@7QI$q0FtA&|51fPD9z6i7t z2GB;3l0n9B6;x=j6E^%a-`PmhuHN+F8GHnL5(}{?C8bJ*R4^WFV>mRx#w8!5G3o9O(g}W)Py_mfQw;4N7g#^*{tf;n%V< zOa1|!>$57^w>oxk_@er5y%K>8w;h8BNFTmqP#Zx3&Alox(a} zdE<@(JugnjA z3roY%4pgRGj}4^T{=COOk=01=*;y~(tfI$W3cyx(U+*Hl_dx47Q4{X}$5P6`; z*a5}#^cOKSvV|HIiX3Tik~toYis*WIy!Os=xoD$)MNhC@+t^Jyx21K`cj`sH{$hG=vaEBH$KN zQ5(7Ch~ppFvp>h;XJEH`W zbsuUBTrmsTr_9uuy9(;_Ol#FKU7WNe3DfCvn;dcLUZ-)4xT>H(!Ee~I6e(P!$4Y^+ z#71(18uebrvMB8t4+9ysPh|Lx`OPfYU}XHRh^b2GU!Lu5Uy$>YECWZNSQG^Cm2(6= zZ_doA!^@(xfcQVq+spgOsagEK(2DvMB0?m&+B@{q z1zq2!khDN3vh`K-Sj1qF-~4z0VgS=%w3^higHDRx^_lV<8lJ{%s9lRVW2x-KFKCwufMJ5o`%W^ zjUIynw@V?nY3OXDWbhkr<4cr*g)I1;Q$nH3(Sd1?&Ly6%{jwB<8%XA65wNG}>-s zyP%V>)WZmbSvUfvOtRj*2%Jo+w53+hdhAYBC^@!ns|UL-?mm1=A~@TWJ-wlWf>Sxz zu$Nd{K=RW;uVeEa&*Wj1xVszItTA{19Bo#SP{XLfMhc=J*|66SIsy%+pkUTf61H2_ zjH19t=aPN+yBFs;ivSCZjPzK%WW%a{eK<`fSJ=Ct7d1t&wdmuK2P!TSsJN%*7PeEM z+JdgVaRIEq7?oq-0hTIfM^u1@LjNkFY?Asy8XeTh^!WIAVDA=za{`oBsuCm=6e_aF zf?wd`L_tZ}$a0el2<1n<6$A-c%?Mcqb}V8mz;D*PkA=q7--9N88{YFyLXI4bejCV- zD!uo;SSr9D?pj;Rg>Ge1U=P~VxxPm~o$VEJ-3J=Hc>p~D-Y^6FbfFB!MGmgDvfh0N z5*Gg1vl~>cF95e0if2HccuSCQPAQXtD;2IdXqFp@|60AC&ZzZ6wVv1y(5-xLMytyc zo)y@T=Q}5Up%Mk7^M?Lyz&&!U0XJ24Oy9q(SH&m|U`C`F!hQusKS}*|a1z*tk|;jW z6y=sqm2T2(H~w8y97ch%?XY0avcvCT;Ua#Bp$=YFZj@d+-ffWwO#bfPRN*LtT{cj{ zLE*A6-j7Rn3?+frf(}Pc(KHu3BiBE0kmUnG$_(Zw%q!$90rzoUbv+}VlbuY5jIQP1 zJ>lV~1VPiA-)VM#0Qc`W@8Yjd%sU0JBBXBmU^{{8H=aN>0Oab0(D;|zbUsh$9u@j98XdKOxl_{J)2rzg? zxp4e|ge27v20YwdbzDpACWWESU2ylOWCPhmj z|LcBRA9JcY<+FDxB_&l{Qc`k%H1L${5A)kO9xKT7ruySEL%noHDdrLu_5-d$sY)*H zJWyeeH#dVZ@k^64gGeIBEEMGBo1M3#8XB%ZBLwZ|{btsGeq-Z%b$NPso#Mr>x9w5EF|>q-O4)Dbxpnq^_>c}NRQj~j(j@(_hV;p=jd)=+zbE%6kMjp&pK7vK=%9fM`k|*Eko9dxVb;R2=|3VuC$XV`fJ{T`w1!&u{s;q zb$V^Gy)q;`Iqe>Fa;bTJsnfdcJ`i(H)R$x5K=&)g ze~7?ecTB0$K&zqy@AtmKnqfx$J4hD5!DbUV`hGLI|MP!Q6*Dj}0OP6Lpsm^I5J`(f z*28@~Isd%c=h}r@+-&P3Q)x{RdN$F`zhNtmc@lYij)UQXY{;72Kg5>qL>ZR$Pe{%x zQd3jZy5p~p=gCGMEJ|zLNin=@4Y(D8!soCn+qHC|N1KKP1sfzHS?VCu2Hd87ItW-f z4g%oU0}Kjg>~B}D;*GJd;x6kr-tfK#dHBR-;?U>tEQm6fpGC!8NQC}xxloszL!rd8 z>&ECLB=i$)TcOW(qkSXg;~qf#M4Fr$E{6Hhs#~OOpBp`8O~+E~H$%0S8Mj;4%j-vW z@iAt^9^L<-WaTsy!tb{S{HbMYYil(%HD~GPX&@G)5(f~DQNQ_{(>ix%98LS<%(mwP z@}(8#uR^E27(5hB#y?N9sd&8R^$YW)^29fi3lDR_6H+Bh%$EjZ;>XNSyFA;?J;e(b zV={?MZZeXe%vN|WUA-ZC!il*f4L%MgH8m{C+Qje7_vh|?l~Ir4TeRkk6uz!tT2hIB z?_FZ5<5qxf@(8S`X~=x2O38JnjYmft8#h)|jLA}eo+<<|Rp16C3P>UmH%321Z%<+T z9M!5B&4szqnHNO)(f`!UlYctNIaIfwY=BmCV{u)d$dbjEn{nP$xKYak~7o(4K80ROzX5oY9>dX(Qu{n<<0iM zzqdy0e)vmhK5e)HWKMTCw`cSB<#x|9kqgk)X{o6fY#}d3e4*-0y9LvKQjysp*>HEB zuMj+Ex-%%Gg2dY}{Pb+^Y6}v*wpeu*SpOVMt1Oe4B)P^mG(Z`fEOGAKVl`^8@0yD z-g5-sx31>mSu^Z4T)84U>*hz~_Ico3ThuMNz~7y8+#3bdaB@EfS~$=qWUT>21d(zx z;>K`{0;BKt!YO9N0+CAcadC1L2Ft8tN^>{5&Y>P)<3a=UYvyPBC zaDJs;{DOTc;y!m8DraB-VWs-!p@XGyBv*cU&*xL!;dH%Qq#G5=SIqS;`G?^34(oFT z&IN<2(r>v0k-Zq$tCP#G5D%uSN{{+00#x#~UT`b^&k*n5)va-W8d)N_<1J&|1(EZ*i% z^&)yBr`a;V$@=!O3dAp*<^R`dC@?$yX#A5j?lJ**SYJ_{+2R>+XBcIUFIHq}2qS{RMJHxXL$r?e403CV{*5JSL zEXqH%*J6vYjQ%?B*F6+vcm*>^E1$5>pYHctp~su%%!Ug!_T`IDCL|#`lck_MymYqJyV!vB{F61 zTD9iBdvsv{r+=VyVdfBWfjd3q#<VEaa`nL8hk1`qe5oz@hhWOW^ z2WjTUq)5<*`EP26WSc(KHg&zFS3bN~*Y*(Ket@s!Q(0Du*1lPv z1JE0V%`gq(FTRnQ&oLH9g(7T#5I|7mtKWlH<`}s6&6$CSj(!P^3ov77t%UIKPn`;g z$#i}CZnEUE%bLUM=`}E(efZ(|`cx8O>3<^ru9jT+5Rlh-?0&fdi5ZMJ)9(plV$!e_ z929i6GZyXh6C}m~Qttmxl;?IDDF$yYrS`buaYpiAe(h{c@_)XyEdKxawL4LrkbuB* zO3v1nDIA2%p3Um4W+_x+UdOYop?)zfa3{STK)PrA2ysYx)^mZ-#Do5o>G=j52xr9x z6VcJqmH?;?lJp!9FhTZMq>0l&+589C80qmAkg#Y61_tPOd9}yA;sInQ8B1|BGRo`d z=qPe{1#XRk98fK=Zhd@xff%IK>}tJvZE<>jewP_o$ga&GBm^$#zgw{V0TOeDZC*er zwj>6;xkA1fNcYdKZ;=B`%p~w7Kv0EX;8|-&0##L06Z=g+$lj`IJlp8hYoET$cLz^S z0`Zbs>A}FD;e_BHh(+MC=vfhaz_dOAo~T=@Oak86IP;9>M;lPLw9YOsxgic{+Kbn1Rj6TnWO!FdT$S08)n|mBqt|d2Z@Ca0F`1*wThLRXG7BcYZz-m`_ z{qNc`HRcRT47hOPzCSI6j)L>HcMS-uAU~7Q`114`%#Y&(U~#E1&(C!Ltd$J_IZ&il zfa(Mu_5h@=QNRv>AOIBI=Uc(uivY9HP*eL{Ov%tFq<}1iz=!g@+Jf5R=aHBlZQ7J7<~lr%!(d$oxlXz@51=aH|~L{r)`t z@*_o#0l0Ake0czac>(GLZVM2ka{@9Uz${54KLlDs21tKM0F@5ccoAgO_U_{;B)}sb zWW)FE0B|Jry_f>(+0dkw{o+@1*R)T8UJ<_t-mH`)0!+>F=mj>+`wA_Z?h;2pKm8tW zEQhgL`33Iifa7AT)eejWz(Hhtbvpcf1s_4J623d+^pbiR7OZMq+}OyQv1$99MtZtG z2b$D)Iwu|2n}7+ZXF7so2sjqd^!08P5m|;q*vl<}{xphRp8}q}KpQH*GoBqSw}@Qp zc?;5rk*wh4eglucxXlHkp*3Qmu?sxCk`K^?L6E>y6%Y#pKq0=ouYiz=w1aI0$Wr}V zd=%f31yE0b8zjk2=nHc2L;2^Z)b#XLK!9`&jvTCgMR8riN7(&^m}3>N-(1oR8lcY0 zqHWb)J*Q^)z<|3SU6Z%PbYm(!PB$RUkEy_Q?r*UeBcx5R=J&eT1MH8DLB9>BMFLp0 zT!Z1oz#w;1VFORt_%Gt%Avz>xh(rjFL8|BlECTQzBBZfgFEzkM%91+d6%g0PjCdI@ zTC9q=Ol)2Bx9w`xCCMcp987>nlem;G>jp@B789hmR5>sso);o}_bAur3<=6${gOnA zb)U|f<#4KS0PMAs1EEqWX=&&q5I&1O1mtDRwcq}!0O~e*AoZHdgb-AY zMum?ecDVhd8>P{7+6uopLNmT!#uQ5)1ei|2U16D_K}r2dI%Rg;FctKKNnM9Fsc!IO z62jti{?Bi%hbQgAqzQGzC9|atfma{~BbOKP4YCZi;8#QewkCmR{I||+RAiE53ERO4 zS@Mbt0tI2a8R=fqKj!e)<9p^~c7;+1obcn0~%N^`iE6|5*1!N0< zmQlq*Q%vZEyd`D$TC&soc&TegK~!ppO|JgVm}McCFZvz{c}$zP&r7;{D4(?Y&q5v5 zFIIDK>J{VF;)F<~IKU-|u+-k|Y+>Jz97w^F;+QyZHOap`XV)?UwSIpo5(SSh0ndPl zI^nYWh5fnf4y)(8^$dIh71jrXa&;O8YjI&`dTZAp*>9jz6(J#)ts!Qc`5XAc|a)-L#Y|#NAXvmLe z)bXk^ClDZ+;AOEIjWvHyR}y>(EQee^ddr65RmcS(0hcSs9@NQWTOoq}{p zNp}bqDUu@HC7>YEje;U2An~5-`RzNivw!W*?Ck7c&y2$Z_kG3rp7W{Gd?zO&DGA@d zp9M-OFTpO1*3r9|&vYbZWIo}{+mVIkB1*YZtl#jODJ`mIuV5rDhW4##7ayP~q!~<7i*fMDd53_JJ3=-}aH}06^DsfFk_NeMa z8rtx%cdhBk-1>}u%zUkkJb4ZZum*}IryE0t>R71N{b$|#>qE)6V}^{e6epr@D;K(p z+`7EHL_t9T7j=^N-K{$r8n=L&p~A+)PI6vsllpl>N8er!dt$UQ0-bwe7f}m(Liox} z5>Dn-uZU}D%j4{ip{CMQaFi61oXK_%r-%#!`FbA8X8x!fi_n9fyPxw9%EFC?^)nMz z=jeVk7QRGoQffmT9sF83R=v;({Er~;B;1S`>v;w!@I1S}6uV2?zw0;dt}|mk#pJ@A z$9z7+h5thh#S-Lro>;R5Vtt@=;^3pvC1zw>M_ILC_ox=) z+$FTD;gu61$6l`r3i5GP5520PS{Z8+3qvTS$gzq#?A<$P2tnhj?UH4 z@Ym*!1!wtt3@Nb?%hGQP+NJRimJYRyJha5_j3}O*a*%$tVe$ccLt0jsxTm}8_qPrd zg61Lx^pI))C-lzkepzR+S3N(!ynB!#h8KOlw**{*d=lp4y{B+&rKPYo8W=x<5mA{K+U-^f#dxZJ50N z2uenL2CXJDB}-zHiN=SmO{EWqo`UI{T);*Z?g8iywOf^{AhtfqVSsG&G4fBz0=m`~ZIz*>*_c`rULz{8M$Fj89q4M`UU&so9UodtiX)j#&|D$zd{e5xgAvgUNj|p+@GtU)YEbe5KxOO8 zFTSo0+~(IRbKX#lA6Cj(%%$R?o}W#OBz)BVU&<-jLcXw znbe3?O_Ig&-kD+eB7M4++CBG(mJA5Xe;MY%9oQ}2*P`2zLzrg~ph`H9b$A6hEMC)p zaZks^|8fCm>HTX(#Sh(e3W3h33oQ&@DMwssEC^ZqIUY<=v2su5n~xw>iPQ(LpHpF` z)^-SFCCo$`#arEfOJjQRy($sVzMsEJplEEEMha+?CTI|B)C+p(p<-I#eSTxadn}b1 z1h^+V%PA&~9MzYUfe(dHjv#QT6ek4yP>bix$S zp|KKZ6+HEIrF;jMt|JTsD7rXKrA%IvEwXlk=`aE&#(t17GVN?hZ!w?VN% z);VBG6sE86(f{Z^;bCa5ah=^~I&Zt3@J94qn@1pQxAD{q0kCE5)+XzF_q`=K$Mki@ zzL~{p`7Q1iSxvWHZ$;g-D}j^1+Y3n*J^ea!OTdu;<2?)BrG(YD?J)1b_w`z_esRMH z+9F}+Ik96|C(QAEP?sgM?%REja-xcW1|YY3{_o!7vMbwY_u=wnV~lN&$Q$K133j2e z*8#CH$Y`{)1Tb!U!6ks!>~%?Ou_@ULz30p8>t4I7Tawgg)RdHt)a*QK!&wIqaFHz? zbOvk?qPc7n=mFY^z^9T*zG z9JF@eH+c6M3N-W-l$6;pbG7_xj{7tn-1QU@i)ImX-QP?94+DhQEg!fxE-t@0@4a3d zE0BShGKw}?9u13nlk?Vh3udIew{IwK>~=cVyexg$+ta6F8hgioXYCU02A>lIGr%;l zb#@^KpGn=$U858c+5nfNBnN#i16oYxF;c zhcNWDIPbRj{5EcIeh3Xco!?sW+eUquoKMM?{5a;}3l%HHK_1JW$Dbrchxng79GsB* zx?;&O|0(1Ovd`cFPWkfeGq3`0@W$RQ{yxbz@2i`aT-yFsP*`!UFhlfY?8C^#ksz)< z%pGGuT7crWff$+R1#W2vle6;hIQPVoApW@@64}{yRf5cc7o+HLc>IMgRL2Kpsw6k) z@{$uHe6>%+_m_1ycf5xb@T7=|iG?6==>H^#uCZ3RfB!y+DH2w>G=94<;nHf?q6dh3 z4uvL%l+5TqIo=XlH4kjQcy7-02Qx94fagZQ$Reev_x3$^i97rK;HqO}WGwyfemVf> zH~sE`{iSKP3Ie##eN0>rS@x|7W?MFuA!mfXO&OW0FilaK{L&yI`pSF|#PK(}jk;*?D&F#;`DwFv^%vwIzZC4lgQGoTABc)-}sYTkB z;J1Z~%iJ5%oX0aW*rx%sLr2}oCM>8v&u=@#G!(r&CeD!>an}AIekmTTHY*i$RFg0B z;{ApN>VQC*2B-~VkSK;4gyh=Y?mU%1{+e*A_Vd3xVT>*%8~^~0mT zXAT~Bwn2*IPEJ9=Q4UuvZMXvj!BkWa#!vqZ|4MbP(y527?*g>h{)EWNUen7?TT}f{ zS04!)ZFr)9z4;%FcB6(BVYcuQEShUr0_*!DKWfMC`cfA!&O7TCO`YzK zo_@UP+!pRwUs@{pdhhtphD-Xt5d*j&ZxiiHr^d#3IXMT#T=7<3cN;wL3{>`$+r%VG zop7p94yJeq|iE#N3?CQpi^~C=4Sz=0~2+}a8$o$PU&J$Iu(QRll`F$)@*w;q4f8;WiAJaBi@W*y z(p{C5w+o59fqT6_&VSpTJWjEzy5G-G#_{Su-)aL2ydZF(LXoqEfY0`?;<$O*eyeP& zOg!a0<!wb4qyp@{s^R;mf9FE zdk#)2gWmMN_o`7klaMwrIZDu{^BHAwlyk~<7v}zUswl+JLrbu_JdM#JJeV(8{#;Vq z^qrYuKz7+?Y4k`RA@6fuFDvz|HOkdd-r_BHogJSd@) z&Y2&q4$6&iiko>zx$T!06qo}lwe}YIJmS7PlD?pfN&(ac+9|5Oe0t$|t+kEylLSF+ zDV&R|tX9_MfA(ZtZKJ<8Ta0(2YvzCL+I!yN{_@Kgs~BUg_nTYj{4p;@VCW{Y81DS}v(@ zZ=jVm2<>W1Q(l5hq=HiHsw`|bZ|oz)i`K*V3~hzl)qkvYcdAUSUEMcC-U8?{Sk=D* z?`#^QVcsNa*^zic!+#p4*fRYe}ul~TDmI7TgX-f z7m=z1NDW|&CdS8K0)I*FkX}D__UN==US9*1e=<0)GSkvBGd*F@0P8s@1usHx&|+dA z43nK9RYY{~U5Z|GV&cMPHwaek>XKL2*K4M2N%sE!V@+CeSz}Z~gQ#w>g@wgvZsKAnzdLeazITJf0R9K1Q=k9;Xr-}VOg!j^$Wl;O zLX0je%NkB3ld>5pI^CdYu6#0X8{`RhoH<7pM$;wR7Q}Tu(Y|!CN4S%qgEF5 zypDVTH~*ZjLPVcVA`kri{Q-vs90^f2rnx|^KulpjUX|C{k2w>2?f;Kkt{Q}}r6tA1 zy@@nbR8$(xFhf9kM^at1oT6g)C2jeh6+$e_wVr_Ep!-TZ7(!he3mNGN_{OWps;T2qXZr8rYz(t(V1P-Q4{B`*|Cf zJk2AZlwN5Idd_Y?_;n`Dp0CylC(-SJ-(lc_n~2XT&+Z3BRUBKj>Jg4tiWv9??3K9L zwI6_*#DnylZj0>)2_d2U;Wq%S;bi%SpQI)v4t^94R(ct)A5+OfHC&Pe5;0~evUgd` z;bpOF-C+im2g64z7dhN{iwt^OXyTJ)h1}uy<-X9Y031SLiOb=-QV4KcFi?|&PM}nJ1Q6s)i0R1JME3&Nl$tR$SHf?uUp=3?p60l;$;IM72Wn8&(nyD1O-BIO z4OIdMp?Vn5JYNJo%~gs4%oYwNO{YFfa8ZJg-Sy#TRAzhvmi97@eokdyNIKm@o44zS z*`g4~@+UmhA`TO!Afs!Rwyye*y4Zpbt(9Haq!>d8F7^emn@3Fz@RR~xIvRF`MuiR0 zc@(tjXv+C~mZ9rHR40DUC5$(H9AGVIZ)i%Yyp( zc&?G({RHA3=&8be^k!fx6Er2q$Ct&7{+scLP>Er`B&E8VkNG%Rg;ox09IXj`?K68! zd%NtV-U%QRWv_uuK&m(-+nhjb0Osw7t1_}GpEn?%4DD4(Csg+Im%HAQXL-El(n9eX zrOYu%zMML30imRxFFe!;EKU!vz^dayt9Y^%C|m$Oi5xb1XL2OY#st`gs55n}s+fim zpa%aySF5woIPoe1z!;TjHKMQ*gw9Jo$w^Av7mzi=)Lc()2lMCWV4jRXqT;|07&z(t z6A!v`G>0RE8x;o;OO0q$U#S6lZ?|K8%Cl8vVZhceCp36_y1QXS#8=Tqk4(P<(1!M% zKj;!ZyKmwZi=!X8y7Esj7 zNy!)Rd;xI6)%87*ydMD0bxX;8wR=uvYsBusz}S4MMZ($lwf8d9R(`Dyls{F)e^|tV zo*Zos$p=Z)#KgSM?XM0ewL>8H44$rFD8GtMy~0}2sentg0s{w_RvQfPaGJ{DuCFVv zaF#v>l20#X@S*Tig@bu1J84Hn9Wk#T2H8Lm{;nXkP0>eXNhU&%+`uPqcFa8~NdfsD zaPFD&vT*N4G>J?UkH{bpCejw)fe6bZ0ga9PCJl?ALYo>SeX#SvOLe(1_#!SBMqsT1 z>Aaak_^s&ztT@z9Hg@7E1i`yt-4-(&e(NrrpRpPqGgknUIs@HtN}WPMLc-F6Oc*&` z)_PFC91ghUWt-s*u9yPlZnO%W?@}m8i9Mjig)63=1HV#Ao@@vMTxkSgame}q`2sT7 zPvf>22ljmt*Dg%@Z=h*N8%|}zlPkSb5TBUHdX^TITZumfg?zzjWtOeR;>S1OsI+m^ z@4aMJ01p_n9v=H^YJOeG#+eqs0MkgZi{I~M5g)!bYgnq94Eb6846$)14C$4U&v6P1 z(Z9m`&JM)@u+RYz&Z7|c0f-6YDYGpgt9-bXp_E%_Vd~kJY%DBUHNrvcI)zVv`Xa{@ z738*`0qnN?7D}|Z@7@xqt4TgO%{L350-E9Xr-uyW>AM6>%B>(HSi`>}FmGE1X|uFj zkj+g1RbT5Ag}E&SqQ+F<>l5k__5e_W05OzM(*_mU)n?A%;ANUHjo?(hhlPc;p`rpP z-!vR%8D{_^a#z${BHGu4)*ujCwu3S?y582Ck(g`|NKH#io0++U)Y z^%PwXi0*d3dbGj*2vhkuWK%;kfO>Ml+>BVuux_Ra#z>q#;D)m>*l14Nic&cJO@3t0o06T9os>yVMC5U@ zw+ue9sK`iZpw&W-cJYyK`ECQiH#o?XCcuSK3x}9;y8B~QEiJQJ8?2Ue`+UER=EX4N z^UXPeaI{+!p!hcEc;a~59@*I1R`!%JUz7g%>)qzCGhU$1C#U=CpfGTxwl_}SP5dp% z!N}d?EGPZZ`I4s3J7+%MQSh?to76u!dI@C<|7E=&9;rOPB-T%6F95CwAz{Dv7V;Ei z#Xw#FG*U2n2;ko7_*U`$D2hmwT5T?H_|HE!R;&RL0UwE@)y^;P>!S#tD~Sb54>RR9 zrp;Pgg|8Y{iZc2iJoil2c5!)pu^;Ml57Y5JM}=ardEBbxvDE9Ao?~PFznliCWFBg1 zd7bZXLDT;a<}j-NWJAN9f_kxuq+rmyx^PPg8T~+{b~mcv(o=0Jv&^U^*sJF6TJ)6X zYG41EX4BzX2AQ36q7-HF?0#1r6PeOQv#6X_)7X12{&E7ls6=M`)j;amql*Lb76&?rWT7vm1KmP#eL|0C$m#63)rHgqob$i``rJOhlu18 z+EFN7_5eWCL=ywy`nAdKm^+$&m(tAhcUGF*B=68SI?=vLO4E~zzRpoowHD$WX&2d! z{JRNso*t=hus+=TN5sAD-M2cK)8kxs1Kls-cfP1fwb6WomW;@`X1S&P>~nD$7;$@I zPfBW!Glc@=o258M{_qaWyF7LG6rR8Q*`_!l?jFuq`QO``6%UY;fPes~yn92x2i7yb z43zt1e}%6qL-#YB)=&BY<;PV6_xXlSqNK$I%`)4HCxyoefD&IX6Eu_&#pSrv07D?vpx)?!n$*0Crr^caBx^>H zCB~)KljJTix2MIq?T#!zez+BQko@W3mO03mM@?bgWJv`zs#%kJkG>3DUYgZnAXm+k zcUPxj-`p|I(E>m6nB866H~YMlE8V9;^8K%6&2Rq=UgK_FH}|aaUw?*uE|_0_vm$!( zD|oBNZh&fqh9DILYZqf=rf467C6jdOE9m5N*t-9HiE=mj`OEogyJ=u--DCJ^4sVga zF>lXH@k^ge)y9#H<-UHTTr7gA9#p9bF@H24Men1Z`3+>?o#PoQcBbUoY20l9n1GE* z;&XcL#(?PliN7%bV83qW=u@nw?rw{;yx|NGKl@!VyEr}T^Mggh@)N)#`V%`CU4c60 z4b>0iQK{*kC;LtIygVWWI zDh=VL9Say9j84BCUVTYPcjnC-6MayaVX*ESoa4w#yWzt!O0e%AV9aDijq+GCjGJe` zu&A)0g?qMQF5^mHPtRd!dOG=k#Owfzfxrj6;&z~it!g-GVl9GT0=GMlFP@3on{hmt zsS1>n=@eu7Nvgx1pNudKHb21Jusk>{W{&Nl@)w5)Y2N z$W5)Bd3jZ)vN!S*C7QFH-kA6P@swg^ja0bkWP%E=*(<1LQmhyQ2W)}3N3WRo^TZiTf&=G2Ww@=n!zvW$$Tkg{=TlN_QfJbZcp1KR4bFZrtagcRK%g<{uX}$OcA)&zkgay4d{0W5=2tG&H2ZQ#d&i3Fh?I!{Mo;Gwk zm!BUjmDVpL+3h`3-r0UB9GCr_CZzGSpx)0`oAXBKZxFfPc+O@Vcw zD{nZW_x1H44Inh4R`Lmx$TRrvzan-M06}ZDZ~#I?H-Bv{tI_J@&sLJ)Lz`Nb zae`Wqrp|(b^miUvAkCsCI_@8hTI2IpOtXiR$~7VJe=sFFj$KQ3CjCk1XJF|;I&4(} zn}6OW(#C0arkdN+5fe|r;|DZ6Gn-`F1TRF<&jfURR~k&msa7nPG!wns0LcS?d#}W$ z3nQh7jKgs?|v7B`UUOrbd|XbKwQes>9z+oY0ozGtWunu+obxL zW_Hsd%A{W7x*^Zn3H>%C6hZ%!nUXRANDWwg)hUpABiO{EcXN4p8JK@*@Mm9s)XI}k ztN{JX{=+-Q*lUwxeLqfi21nYgeptRuPb*!E)=0J=GoP#TF%Jw31Zy;i*It?rfyCFn z1&lK{z56manL$ak4*6B!dj?sd=*1;X4~aqQEp_Osq0_!!Yct^V?Q)Zf^uKGrLHa+Q zo^!IjHA$qaCSLy(^MBZU{_n4``hU9i>i_MZcTgrIA}T2cuCoMgw_e?^Hqg#PpWkl=3QWjl zwOm`^0+rwcpqXLnQbiU+dBWTz>AjQ5q=L(__qV&J2S6PM5ORPijjz`EHaO8PU{*tv zbBMd@r=2)pMlXmt^uiATOo{CH#=j>DU>V@BX#x#-@87?Nq)5=qHaLFy0a$9a$-CZ| zkYR-0V`4H^1?j45Nz4T3)bbWmdLyBWfk=C{krCA!z}Kc(euTb`>@lDN_i(ceU0ht; zL5&O_)oZ{2w9h&aBF07cA{YcDATz(Mmz|r7>@=Wkavq0(H8L~bQ1nYr814WYaR3m2)nDhvc$PN0N{(d zKeV_&lG^nj=GK4)cv>?wSD*=+clZ-J!mDEXVy;W=&?F-wPQ;X{bp4Wl7k3K0)5 zwopQ1!0`ZELFvnvRt<1Xz$^(E~wSMNwdpbX z>wClVKoLtQm~yA4^?@+WyjAe4tOlgrZ6GqB%e-yC+H$%DF6862_uaO2n&O-yEC`uzr|G{8|JckY-DfF0{ zC`fmZ9fe+hi{ypR&Wvt;f&H~7eCChI0YuJWCIneQ8%U5Pe0~k9)-Z^J*2h+YTovw$ zz@sj}^!UY&5xrt#5;a%kt?e$@|3Cg;>H?du#b-Tx!%uShyccqYXnGMsO@YByPm`fQZOiqKk$fK(GFO)sm!Q zcG^-<1ka@#lO50dN_a*DeOyDN@S71%{S1zO{(})zz||={(5=gu#SD_?e}LUBe^ULu z_=%3ceZHULoFIFR{YgVzM~2ajKUM~+Y4oS8Vm|Ma(1jt}Y#2Rb zN-E|PuP=48a6?Jc)tm6uTuZ75^HfwsFHw+p-D1Z_m1RXk(ykM84##A!?mQZ&=V60K zRU3~&0R5Eh0!;18eV?ZRi$vb_DOuK>>zAm#9nQ?4s!rroW%Uk#?K!2)&8l>zoJ8K_ z6DYFZA>xkRp)deyt2|!3H5>39g?KnoLLZdEbqpsA;Dk1xq-4cO(qK+#g5*)9u=bzu zW-$Xa*CoWT=OkIGWfv;MxZJpeXIN>fHpX%RVT_X~YJx#;ZxUj1tH+$E1z*n(_$6MN zjc&(gmZ2H?%|^5fpPcpa)A{(dx{z#0gT>NJ_#vn_kx6hDCeC+t(RqI+Le#L?rB>$~ z-B!UdfJyP~fvPmAGRCXiPqkdeoPZZG64Hpd7N#)_+St}IbnT?1qId^zv87X#SQG=E z*FK{*xdPc53G%VUzL+*bL!S&|wL5kht&xH^nnC?xS4{GtgRF>QA)y;cq0>0MU;wDr zmWKFH^2x3kwZ$On5ojWnmvN($h+F>u)` zghD9F5BXuhJ`!Rzgy>+bE+w4X&w-m^UWd0Ef zm4Kw4JoF9b$&9!q^~;=gY^4khbY<>&yGPLbDX6m)RN(%@{{e+qKoeDez$d~`>;X*w z6ZiExt%$fl?JgB5dr@g9JZUi0Y0;~uqNGH?Pn110x-%P$N|gsOk3zIPO7jV(<@_=6 z-()Rhag7^>y+TBLMz)2tWezqnm^2dgGlHt;6d|ivA9H{^S{t@>|1h zM+|h-r7BRyq-d(uar5O#JD}!)IFrEqITO4Mjm8t`7l_dzfzX7Zx%))i%7YvpK z*95{@Vbb7y*Wv;oW!T#y8;fF4dYq zZ-KX=`yDK>Y&S6f!N4umSC`7MyPqK~$$5rNj{7l1sEu|A-_z`0o9&Mb&3Nedz4axr zn$*+SlZ)=u#rUz@$%=;>An%ojTkSv52Hz>WS=%}VU>1>Z%MeSUIEJdJ)1YVY32D^W`acoP%8M6hhL zHT&+iDZadhuS8i!BAzy2+o!O(-3xCk6SnLqW90^Z_3Klej&NPT60;99T(W{*rKWJP z*&`3J+Sl|6uyM433j)AY^9E;{Wes>KW19EK8uMYXB#^$k(jrfdiunRO)ZH85Oov3E zFm4&zq-vMT^HU%|Oxgm)<*=H=Tv9g6rWDrJociRzmB`-p3fd?t;}BVoZ~_DO!!2E0 ztlK>;%b)g|Ov9{MMyUktaQu~xu%bs?Rp?6sxY-pBAi+++lr2xt-odgxn?hBZJ+)oJ_&B_s2~Ccp>uDMJAn{Tb_hJSZp&b@tE0 z>oyu;8$kP+<;mMyufd(`4bRGesAXSoehm6`6-8q-&D&vv3_+=2$t?CIbvZ{h`z|)< zSp8?y#nV$LKf@E&m$_2-`kl`M-`e!#yGS=728(PFIRhnUgq=>NYv_IGO=0bY>MAf{ zZdJ^#_0fzq*hN(Kr?;n3J7uF?fl(u{S53rvSE%Os>@mQs>I&VOVzv@p_t06+ds;pt zDo$VlVebXnw3F#hc#4qvOn6;a4G4G0$~B{vw-jWyx%1?l#Ut#~gn~)Quza6XvZRj4 zLFw4b2a+F_3|)JtBRFrNa~QjC8W#=%)dJZlUDqNUXgG8AnfL1A!@S*Ez_(!$>EZ>3 zOx85wzLAKuj+DbDn6txoaO7Y~L*$2w1oWUn_m|hV2va)?UcOuinB_7-_4p35#5Z80;OQ69K)7Q)l*G<5f=jeOAbcOF_Bo-oM8$EetCI=iM%@ zI#aB*zIC{g zrbJ2n@ORLW!-JuO7tggWgOl@2EtM4kW!QzHcCcn10(Bo5POL-RqhI}aY!=VA3Oh9K z4&wpwzN{Az+)!MFYJc5H(wjC)d~qcfo{t>+&^vw8?}SwvDtBH($YVovNKsm3czFLb ziQml?-Ic%9)zy#97g{`E1nn-NFcbMt+8G+Mj5wzeA?0Nr-hapdi{QYl?zYjpO>+s) zFMW$Y{pso;c@ucJ-aiiLZ&-fmO_Z1mzdBa!eePt6t?K~Ai8p)L;YjOa*cbQma=Y`) zLSSr)=gp_icRgziAskj*Ih!Z#$IxFMQ5RBaxr;ja7Okx>1$V zV#l`n2IDd^r0a3nv1iZ+1g-QXZ`r-xt+e<*gpYHP9z<6bvpfIc&CqL^zx?s0YS2ZZ z(ztE|Qo?>f%sG&sYdiHji=U9SmcOT7O+scIge84~_!I~f>s<%Y@{3$(ZF6&{%>uXw zPO+WA7=y^^rGW#dXsg?UU>Kl3_;9(>K~cliW*a6h(p`> zRGc$dEHc2b6b((&1gt^(dG&WF8TE(Vk4A!H9tRhc7;J`nN0B5-rt^DTd`-ke?W^7He9 zpP8)8xY5-TW>J23aM4u#dt5?(H<;$QASpfl7_=ICP1LYTCG>O`Op!mUKDGHDIl5;e zy(@zWRIg25ap)|Huhl_89fS56vZS_}KlyDALio_gXe2skv`ua7_!5lXsa^XP2Y-eI z#|+-yCm_i%Cn`456r%aw;#0MHc4Z5i9L;o)MM9ecZC~h1O0W(O6ce-STvN$XqWJ#k z>*>dggl9kH<^&z5*a^2fB!9OuWi@_=NJ)(|KpEk|V75z9NQF4Pl^Y1v;q8rnR`46?&i3{>I~LIoRdbj zT2b&#`luA9p=ao1gtZzk+k+p$<_G2(A};ebQ-Oe^A3e&U-C!q_1lw%nIlvM99EHJa zxx!r$niS#){|^9Ak`1IE3_h{>m!(G3Afl-%5;)sA{naHWSal)G6!?p^kwHTpkuJCZ;<0~ z_-L6y2P-Q@Sqo6A*ngwH&dZ$LlkTB1nItEhWq?o%{60DDCbTMo=kTEhI20+b5IGA} z@rHgmju`9eB9XY#T@6Zz98ki(GIPn8*iUKj703~aU*vVc2xP}B8R*XJHL7PeI zuS$a&6-!Te`GbR}?idssCHzypm$G3ZH?5aJc?d}caqK$kwa=EF;0UxeO|#@&Hvq2t z;SE$LY<0-vJzI4Kpn|DxxH3#=5WenXlefAh*Ev;3;je%5v%p`YxPWbH7EeaqN$w)r z1A&W+i*>Tr7%S-dxmp;-mDH3KpO7awYe>h1I|@#{1rC`g&(nY7*RN&WpQC-dLbcA} zA*WLDd-Q0H+~;}cjT~zrY-`Zk0Qx)n=C7HWXTBJ8eH`cWVAG#1(;#~fJJoKCMei-O zVBNwJhT;){=XLSb_n4_$%_jS3=(%EcRZ;fMC?b{T$?b5Q9_@V77r2Yh9VT)%S^wC` z?};$jlM52**scJGNwLBt9}JhyI>HVqDN!^5V061s?iqD~r1xuH$8OTlq&T6^R4?g! z^T27UY*DgwW__(+Bs&eXT(I4#!Vxrdo;V8Nh*wcXRhAVaaB>>@@H7`X^Wtde%k5ji z3nb&d7X9eDE(dq9$JSRbx;3kts6HYRo{>QVL%g3f?Ev1?F@KF3sc_rrE_BmhT6|nQ z>cVbjYgd1J%a_BYg^%^pPh;+ z{7;}{yGB3z^||Cmu`nzmHDQYy1-l&TMenx* zT}gDWln3w)z+;`~t&zqqXUP?hSv0cd;fIV$=If$M_)5*;{E}Wjm{lY5nt3=!Jg&{O^*8k{{hBt5R+-2Mc$2GLbmV>7!k7&MQb#jbR|YHuKcCyBOQt@ zaiNW#@z?%ib`*CkT5a_Fn*BA@9}&3}W2`s~PL^opPL|B7V|bONnp*AfGzc6JWFVvtf)>hbiY3zNy`z5;G6!b<| z2Du5a1^tQV(}fg;Mf?qjpcY|&^xDb1KjS7t*CiS)Kn&Yg0F-ZGd3Wu&$1bR&>Il5H z)rs%Pbnx^(}sZ$m@dm8_iI`cVZiJQQ4_iqO?3-wB}K5j1`P2s|#gf zXBnzt57SRLQ;XduxMgSW3V@mQ7zlA-uOA}7tM#Jq&e+@=E;)$33hmhdUA%M9@Ca!a zvi%8O9gZj<&QaA~LD)L)xt;#}40F_^SwP@PY)JtbF885@lFEsv$9YZ}akSSO0i$E6 zkUDGP^F1&uaDoz$$rS&Sa-qVEWpET@e%`0XX*kds(pQw>q}MD|ej3Kv-=YAr%)~YN zVZ^fU7H|9(o}Nl8*N2ZX{1q(#YYLzFbUgdG6j<~~{1n*@n)Tc~1{>zEW#YR_8AZS& z_LJPz$if+Kj(-Cfi)k32D;BC63rKZ5NMgWZH>i;_;dl0oIQbOLPJ9fBIC9mz2}`Ga z*bbpGr}iva5WS7Wu(J% zWdJbiC$Y9)VJ5<`qMwS#ASWY?yC7hWX(}T`HJ{SDDOu?z&1Wx4uPZP+@S#1>FUNxH z=*8yyrx#c&cOy!eiAKo3o%KI67V|%3M@xI(j@m^$eT)B_(dP!bOW!!C-gQ|zgwQ79 zVPjikGoB(B-m+so|Fy6*tN7*Q5euH;@WpO-KoeS>jM3kag(CNo6Y{GojgGO{e<1Su z3lPCP@UBZs7GdP_u-*xOB?U%Wpx;*S0q_cgF8yl+4&M+mPh$xdmtKj-ePG~Q z!{7Gap1`1JFHomfim2c^f~Gf*^r87prFTk{p_lj;Mfdt6*Dx_@XAeMJxUvN#1(F^q z06k51TAHFgzJp0}R6-}52GP%1(o?7vmCXK~QzfBK8B9PXv0c2FXKU+usknRGOrb*e zTzuS~53poTyjz@7mYeyzkm+9I7w`hMft}Gy`%*AN9V|m7LyVaH_=HGyk4p^Qve};`O26Sqy=7;$V)eK205Y}Tu zS&#iU{;qVx&R)Rc<%0Cg*yi$Jsyu2XUHZ8~?fLXKAM$CjkTRJ?^t4bAu`j=qh6QmG zjiX3XrIfFb;2A@T><`yJNE8Yo%olRGG^f#7C#LOD!1Sa1H3F$C`aOYx4lhO*pdm7H zf%ffWowEXdf%%YNZ=XFum7tCGVe8MzmbJ9o!<|4qLcXS4xFY|#aAM9iTwXeSeEQ$9 z0!8ich#=fAE;>zF>nYFr&rVfn0*w$<8r(BQM&wbqLLU+CE8Oayy#H*Fg2s&YQ88Rf z_U1ZVG^bkcT@#)rsN0C5(72kmSUwM~p5pL{M*U2nFZL1cma&gzt769paS6EbeJE=fy-odc ziIBBtF76r?Ch4^od}cAk5b{ozZQV9wQPko@S$g0UITJ9D8bX|nJ4vcw_cd3T!s3a| zOyDGGY+{75Nj&c3H0}rK1W2<2@<6X3twLzT_)FcRzY{xLNJ$jUvRlfS7A3AA zJ;wVqdI=+8qdWCi7)TV_ZEQFO^H2h~iWguofhT>wUk?)ej00A>0@Pa_sn2;unai&B zr`2P$VDKxIcs&=2pHFD>CXsXS$y$}?q4H^l#(&)ZoTGs{A~xvZu5C-BbZG&cL6>;U zjcFyNe$o3-DOG$|`eV68{he)xkl>Gq*R^;~C=pM2hCA-M3zvbQc0%G+sLx*F69|yV z2>H+&>YcM1a1Hq#Jx{1nwg(b6AK<+DS8&2N91&zhSe)`r8o>u*`&^~xM~oPZTz~xx zJeEQ;Hv8{0tRL_HzB2v4e60Wd@&3R5FE|sBZBme6!VGY2JvqhBKt41;S^nE)8K5w+T=PdgX2E>s<|+km z8lo3kTeDd`acP1N2}nxa`{DCXFpD_C_XOQtuNx^dZe%*cfv`G7M1j%qJQq0xsE0OG{vTr-Vd%7*g@&<%Pr*Kg6i)dIvyL z*!J(2P!j!HS*;TQFr6{`S_AP_5R800HYGVJR&E#;`Yo}`@4Tu5by!!4lp(G z7}qjyBO%?-#yBr;ioCsnOPvY()FiE^B_HZu4*5ofheOcXxS0F%MabRf;CKZ?biXoO zNEQ!hLL0ZitN}^QXd$x|x=aFpXrg&K@GWftp&wwNAtF++SM>-{R#H+sgF|o&MJq`t zJTkI44*+jiA14;IWefMe;#O4WGAz6>faC%An0nk&az3wa=&EUI-f>^U{1O=v5o4jl zrss2Z=rD1Dk!t{VUDbo6Gw|1(cx5p+2uLK_*AbA(30Pl+Bu`&ovFwp?1m4Ql$$bB& zbp*1G^9YxtZ5iuvLmk?Iwuo_W7M-;?Ot;=>3@ zR<10@`9ce@{xUKtgCL8UPyRYyoD|1oqnmZ4GG0^eUW8js5r4wKxLD8i=tyu}04DWV zmy)tfaH@T3TrJz86xR8j+m;@ZcIn}?=rRCvfU7p%0Q&YpB!KpHrzg%ate~`RYs?KD zA48T}Q2fX!(j6w@DcS_^hK*r;Aniki3_$dHni2!?7T$%NcB!n@%t8IYwK@E-jQ7O( zXDwl90e8W+A4kR8x00SP{NL07xvk?CGijk94ks+8)b!{IHST9tCJu1#-U7=Y~jiTinN+J21j5qh+Ll6}3BCM0#Rg?EL-Oy@4wKn`J$`*H3YE!cbU(GmuI2M zj%5pDKd!TjPT6*a&hgPSdlCDU6l~Mm=I2)i=VFCL+2r1fSYVFIT0PRRM+>?8RGm7!5mv>1LX*Ga7 zK->(570C7ukT#Knk|o;WJnV}D){_X;nW z&X6wI0$TMK#5t>CCLf$)9#~FmFGFYhnF#gn6dCU^=#YvNPsEs0UzQa-T^Lsf77t9P zHt=%$R)8}kI`T6LHIKc68${i_Pqb!vT?t_Q*&mn}mp(sT*2fZA=DI*^ljLN=)#e>W z6Zd)}_Ke;bjy&qZqUrh>lLir#cXOo^R{k|o3%VZzIz;q0R@EA4Q4<~VxR|19P9^}i z=8)WQNMln@&<_SSJrny(5EkB^b%oakF)$Bi@X|$g`cFNpuPHwGDiKx5&vgtH>)i*TV0M#smEV4W|6VAG-cECx^M)qSiSYa3-n1)KxW zo!BdS#-LbL}1t zD52K$=GHoc)~E-vR>vPi_O8$QC^IOX{tjI;ZlrTX|MjfAD`&}A70Nh~3(KjPSa&44 zvlReY%zIO?Wyd?;v;E%OkGUjx0atkwEnsg(shdP&CWzEf$}Nb!I`bC6UO=e&8Nvru zt4Z4B3iTi!vM(>WtC!-2Vwf{xQfs_6Ax5bffliBlgG~;HCv(W{YpHG<++!LQO_NA) zy3^q^2)z0Mh!-3A3aFY|Ql8n%<*JVJ(9kd6{2qZU1gTkSWU&X`mFla~Z&JwCX68p> z$?B}>MFGs@*ui%Nl5b0}Dx}sd^&yhEVWsS)r_24usqjfY0rl#uH*xX}gsZBT8oVFF z>(%Z6KHfc&atd)r6FlkmriX?Cq1fN*lMuZBUE!+$Beu~!M`airfFElQ0wc9^%gzrTd; zx`=MHHZi!C*8#Fx#Ccv`|HIVL8!d!I%6(hTEa<6`nV(Yp^JAu(lmV_BK`lQ+N-Sqx zZ{3t85aof8t6u??$iO(A(RJ0esFWk7hO6PQ%|!MjQ~xw zXjbO0*;h7k?Zh5`-RNpQtZ(>3M(6!Eb}g~{bm$aEGmp!B3jh!$yp?1ZH@HCB$5yVn z=0`vqm3hzoscY=_lyPRjaVs#*V%Vc*2&!TgO11nQh`lDNEft&tuUn6*hNM21Dht3ZenFQTiy9l=kOcaB{iD*-W5Y;$KE< zo@dM?w5KJCJJ#ICB#7p;c_ctOi2qadj*3yTrfF-*)=}ZL<-$^aRN4ceh-Z={SW<%- zMZ!zBZdu-(i0)hCO;L#Akj>^MxXcK|&EgeOi(RfAU|6t{vix6-on=(iYrDn)K}v}s z1nCB)K|ys1^m$DIUY+@;lF9a&G-AIJ^u*^J08ZiIa$|YHTU55#BzU~stC3U zz5CHO#7JEbZi(7PD!A>b@VEh5@9Gtr`{vpN{48>Py^-8gMpU6h?Q>O{6ziebm93Pa zo1_YPGS|Z5^v8rld$fH<8e zr1HlxkpFp{tfu;Hx{H@yQ9-q%dRpvPo;+GN7dw6L2`<|H_zN(4$J&GqA(FT zZlQnxCVQnIu`&p_ZIs*x?(%qzzfbb3@T8h9lT^?AkF( ziy%_PNkCKzF3k*Y(BEush=%kbK6GQa&)0=X;`NBjX=VBz>SHl75}?U~sUcYHLV+x) zZruloR#Xa$2HmO`6oucBL3>nRhWt*;^e{}irCyjm$9Ua{omP0(&$RE%u<%$D z6(uD^fE}+|%z9-YcZ|}<+~G+z=JB!|hFbPGtjO5O(ZToSd6!qp6X+V_u^L7t@Q7N} zGfC1`7_3%1*OR?akfru8ZF-|7VOdUbv^ z;Wp?Cdbi$@bO@(kO-jN`e1Mk{{iOmymG|zthe3RdrZTmC;umk~Y!TP%dB5!!nytH8 zKIBp7Bb8k%lmjR+s*kOt;1`CXZVAdo5q2ZS?)Xh1PewD`(okWEGjQ2wqnas|xONH5?HhbMC~`SV zWgf|y#ty($*=1Au*_Rj7fA~sx?XlVzFj0~^8AH=K`GkJ+t}*ev#Z6{4f082@Fi65k z^4e(%mH4rnGqJYo_K9v~nyojn2`b#m*rSZ?htOBO^` z8h?g6%|2&4OoOAVB)0`Tft$)iL^rAm4MGyEqxzMl%y9j~ogk4b47m&5RB!@{k5Qi_ zY;!Lir6jOg`Uy2P*^o-B*TQk!O|*Hi=W~Wj`&aYVsMHc#$w-m&BU)}ZnIo77En$om8-y*P zR@4?6-fAfY4KqiBXhmrYY$uXnE2YA%iv761=+=;+%}i_{EKAZYX7)7%;10}zMt3|m z^rk*gkx?brrEr8|rIIraF=kcLBBfH91JPm{ZopI5hI zQ2TvE3SF)Muh|G5Sw9$W)r_L=p>ph!1vSCB0;i`ycTuKyMBIQdGWep!H^GVAB}hPD zWGrC>KC-GldK@P|OSwqutUM7jGs{%GQmgcvcUOZs73oqfvp+uV#&n&~Moo48}!tB%0?A2z6 z6m@$0@4T(7Bl#j}3W{t~Z2@mAU<(NB-VPZ1LqkK+{Vwk?qdLwJl@^v*Zr&}ZqH?{~ z@gU65D3yUJeR73hecdTWw516ya5iaJP{$@Nii5v#PdTbjPwpn0nt-EDskvW=8KIq& zp2!?I%?)fCJAU3zEtXy;zt-Y%Pd&@${}_KrqbN%F3n9pEEIWJkn_XDzpY8g)o)yZt zv;>cLA!k2HAd!v$IoVv4xYU%omnU>VsD6SPM(!I&p>N$4Z(;H29+*EUxdZ z(fCtK74dUTi{M&&L`i8z5iM-z%k$a{cXLr@LX7?V9)Qkf92s8gRp_E55 zD`N6QhdGEfp*w@OqXJ&5MPgEZ6EpvC?O`s(yA=Z}P8Mwz5vD+2>j$mtwkQ&=+CwlNUicP-{N{W`yRCIyqB?)f9W|HH_f_X1Y8PBuCK`06w zic(k0MeJn-y{veW4^(;GFf3RUsbzD8Dsc%2lYV;RGV+|~E08(?50Ug z?BqvF9Tsq{$u0zMlk5@;_7?3QfXhA0khfwNh_KMI!-vI6L!fh5PY&3@YOXvYQ zFF|t!L+2cUey<6laLwl^?kD^lPC8vXO8Q!_{4xKXvR-rlp^q*U;OvxM8Br*J{I8VH zp*<3b4B98dQ7Cn(G?g_mnSl-+5Yq*nmp?0`Q$~|5JkOeZzykv=suqyk4}yb(&oZ*) zg?b-zZIv4v(wPV)r%{5`K|!Gd3kG=o=?o#7Am<5YL657Px{2>k9aYutN1oF5=lTn2_9)Bqnq5JC?)kT6Hhw0Bk*sg-X^ zr%QUNZNw4&S9#tXx(B!?>1Lczat0C8 z^LACWyUcvHPc*8iFKA8d{_YUv9~8hEBuqwSrMo$=6fXt@1V94B0~|BfZ?$C59xrZa z0)%iFBYn@#=Hk|$B7zRnInC(6G{YUgE@dU9Y6r25n*CR@LcJzxhOYd(WAY16G^SRX z3x?>)SZMoP>ZcPJUu=)lK#oFW08d=5qe|VlYMD;EqQ4pCf!2!Ixv?c3w*FYf(5*5f#67qYTB zh=#_a83K*Ew1>8{#mKVEzYkiD2}z3sr=wLL*_|GINY98tN;r>`#@}ocRjjSI)w+1G zgoUf#_@CgkW4Huq+(d~NQDoU@Zy)l|CcUen9P6UCy4_6K{TX7k=5TqZig${%@8Ysg z`FwZxKiD~KZS6+cQmEKgR7PTgPHP(5qMg$!ojp(YL|)I=~D0%Z$mm zOe$s2z|-?YqYp}8vd~RF_`_Y^;v>77qr3E6;MG#82Av;}a|+1a*-YlU+AS*YWf$5F5_Q)h;+^Qx5$K zOVOh0MfrDsbZmSP)k1$VFR&pn9f*Yk0a9pg`cGgw+}W#fJze?{mu@rhFjJIJg(K#3 zm*WS#8&1yqLfOV6S5{E-@f*K%uX{YhU~jQfuE1H@|NK#AcB99+p@Aq^rF(N}Da?TG zO9_qGWnP*+z)e*ZPV)%A&-HMUqFdb^M&7|GvjSwQmlnTP^`!H4s_b!$C98j_?)@0- zI4hKoIuieTRp0k@k5rTn%PXpjDK=>4H+#u+OJeSvsv={;Z?w60O_up? zb+TRADoZ~5dZR`9obCUJO!HFi*juz2{sr!U@Muu5J1zsWt~*5d_|y=@0oWR>gJYti z4u(#iGQ6SB;AuK3N$iJsGot8R>Rni!KkibLdd0Nv9ZslfL)Nl=2lf{#)@Yuz^TxrX zpWyNAE^B1W0*|D^)^+oLQq$*>u<(AUGSm0euJ_$rG?V z{#@;6f%vDw!;wW>8SmFjbBY@5hFEk=Cu)Rm{}^6A`r-9ubhk%tmZXt2y`?X5cKD71 z`AHj9Og5Q4u_(doiQ6Vh0i(d09_w-2oEY{pMjzX(lE-v)U{8E&T>l$3D-P9$$0ON> z8qti~FSp6LbOoCbueY8~3r}wyiA>X6tQxO33NH; zD&NC*DGer2nRwZ3_)pCb;s3wp=c|hU4-|UK>3Gv}Xm|Ju%x-G#=eB5ICw#qW-Gn72 bPcJY6zKdT+GBb=}z>l)Lx?HJ@Y0$p_z-}$b literal 14186 zcmeHuWmJ@XyDuRnBST0dEl5cWDFcI)AYB3?4FeLAA{~Nsqafh`(w!sSEey>FBLV`_ zf^@^Vd7gKl^L}{uTDv}+4|^?UF>%K~uU}l(9igfI|vC4-T)`1VVY#ysU#=@$KBfc=l13nWuD;c_BVUcv*ys-P6 z3azlPM6Z?QAM1LW{QjgBZvE|b{?e+~u!>11bVYC>#Y=fllbJPMkcyCqlf;o+_`o1m z1{@I@`&j%|ZfYw|xGSUvPS&HBOJ0L-hWT zg`ve0kR*MShMSe?{3@B4?l$kbJ=>G^_tK7@;)tF;Cu1}w$^SRc9-`n5(Ki&Wy4KLT z!LRlgmqY6{f+75=cI84^BZjsRqo=gGdYP(ery-iZ(FNa$3MSzO$3$g=hO4I3k=eOu zgH(!VRVPA*>zm8GwN^Yh0)ENTB1kX3vx+n0Dl{TPmPA9^@#7=TD=x$!SER(f5{8c@ znG$~NsfIox-!AuVx`LC3y5z9bxFGgb5FLkaW%$LH{S>U^kLS2L6Sf?U9_y3oTpZHr zPJ;K`o%%5H^iGJc@P0;ra2SV2Pi|m$H|}978#z7L%OZrgMkLn%MD#&UK_UfiQSoBU z=f_u%-4gQ0nxi6cJUqDUK}5q#;Y>N)=DIkyEqcK?l}kfH4L0R8$Vi1PmY1@2_H%e5 zlDhhBNxQnk-O(kTOd8y@!seQgQA%*fa$Jp)72X1iTny@|Wms|L(@scvlGd*f@j=Lg z9B|=7&{4t2L|i1nUc_hDeoRTIz_eF&LXz%oZI<=tG0m>kZ6Qv%eDRJM zdQHI(q-==Y8Z+HS?vFo71AeI{%&tck@YDR^1Z#p2=(X1Ok#y)1hjw7{Wv78xbu?hu;U_<-?IE~Yjo`0o%@cxS}3;bTzSE|7QzGb23pkn9=sJ>QVAXZd^%~th#4m zcW8nSsSfhDr1e0Jc6SjW=DK=BmfD?*?8>)!&SD;I&)hjGGjp&Wo}SjDR0}<3bmef| z2%)3=SjTPUFpo#8AS3FiddJ3rBNDRPLZS45QcDiqFNKHeMLv6+ER|pVcq2NAWq>06 z++`TVpJU3=A?z~}n77%Jv^;%F0E({?_?)XFSV6F|T1ypQ7N*j1cedn-Hx+xin;;!zkSo({>U4wM-pGb5qEq+ix}&N?Gr7E%`64cvj&|_yhKo zvqtX665CNueuJ&b-LyGOLerUd=SL7f!lex84qA|wTv^OUj_R~6YO2uDZ_h}Rb!FTb zC;}cky_G}DI$kD|r12euZ^`^tZDYYRM{PWfOe&-4OR`Ehk9WX~b0xpxG8V+2WF(it z7H0Wy;AN3irWSAuq43iY;v=bxEfYF4^__2w49T#z6a=-}6k{3H%j3w8evIEfAIjHX z$eI&a-XSZiCNBe(f#M2!b9RG~4_q0Cz2zBA5zoU5M7H5o$S%L~BDt@UGluwA&-!rE z+|4I>rB2ePtP6#_o04Tf34$bSkGSi#-*vnSVK4opQ3EdmT~1e*;G2mn3)nd*0c(jF zpD-(xmZ)$@#oSFuMUCuiW_1vQff~47n^g~1MTxU~zb9#|a6R;u5!yc*plu${7ngjy zsHQ(b%J zZ%ivPZBpoc*7>zu;jyU^b3Swc8cRDQPC{53)z6*f6l)LXLr(k4Mfwv?STkAZ)-ZRS z%p9i2B|I&rwo|c$EY*X?;k{OY%Uk>19CB?_K|umvzxLdWJ1 zaeD&hj>~A4D>Tj6v5*Kdfdv)s*S3)|w+}7-EV3O6wc@c| zw2Gt&(gne03>C|)u_zM*M&A_}{_sBk_1;*885c22&9YM+F6B=0^xl>tGw$&1!Rg`x zApudnLyt_TmjHfx#z)@Bp%83*wTuWB1Z^J@uaR8Y03~jK@tw&RwPCWPo+-kV<_TUx zczo75#Wku#wugJ=s|ZH$n?gzBm#wj|s|4*{e@Ld?A6T1MjBr!^s)Tsoch4^6kCpK( z&wytmV#AsRNfrH7xp?|ge!1w*RtnWxnNoBvUrr(Gx!oX#quS$y;3_?=W8R=WJ3e!P zCGo7aW2Rz>@>DM!#!=!b;(R6Z%dSOrE0}`8+18)QyGSBWZgNY_DNo~W8F*h|(Lhp2 zi*e1}C5Te$@;R7c%a)lW0j60w&!IsZ64TO!*j#D$2oYOFpt6iED17}2Y#QI_zL zH=v5ial^1i%@JSp-R14e;2oIr5)DpuS&JGq_EN!HPRo5Paw_fb3x*aDADoR;G77Nn zr^^jHLj3O3A_`M$8Sg0W2;`(IH^N~+Q^af`y5-~Va(?x8rrCgXK!ge~Q)>Dwp$^qC9?&BxP9>XK+_v_E|7wCBmHpkmX}Ez;bilhLQbp=@*i z>1HM6h+y+2+&CSW>7X|Fgn+!O*r0@Q%g2sHotqI@DV$^+Y>+2EdV|B%vvi=k@)pBu z6d0U!&FB$(Fu&KvX}6DnSUVzy>j}oO?Cm+C`yfqBSj73+6Ou_#8+0bz~Wx2GC z=Kk#UU#yY;-(`&!aE$Ny(Qp2M(?NYI-(NhY*)xyi<>j}jZ%E_dm4+HMRc&v0-u29b z;R{Y46`!~z`uUSy3Js{s=;M8q*u29JfO{U}+1u|gz;JtdYsy8bOYHZJoLUaoa^e&d z_vaYsIgR<00GfJLT83&CJHGC;yDFRX$wH05u6?^{ydCiypT`3%_rlO9U2EcMzICAO zvCdhf?h=t#i@MVlk}fNv<_i0hze7)SfCEV!?8-A~u_vzjoWp~d9H7WBdwWQAWSXKy z1>@zsO-_Zd$`_Z<)z-`NLcFU6=>xblfuc)s#?XUNIkiYI$*UiYhZy?`WN!!dKN^*x zn69EppeBsGJ`Q2~IYqz7U=KO&(qCbFS`bx$@Ge%~RZ3sCdkl1Pe^nU6fJ+-&n%o+T zY|!5(<%~ws`jAy;q?mXY{qte(F+)ClPIX!nDq7D{M|?R%)&J3Zi9FH1Sgo_$V_T#e-bAsGu09NiCL$;;Z`J8)#mRrO&Yvfd z!FKTHtqk_ zcQdJ?^CuXv(VXNP=|j$IU4I9tSleX<<^D{?MV7Z%1C@?r77 z6POzDrZIRf^^Y=+0To2sG5UAr*|L~my=7m+2cDAY3>%YE|IFXG)bmh#uQ`idK-&0u zWTE<e$Ah6GdpwvhcajzUpLhmSz=>`(%tPdu#I?4068>5QkyEaauqh+ zu-7;XZ**HNnfE;o7>HH^ztwnybWab$kDE_q3iv7cf(CX}Rk2!@#)BxUEL&8Nx1!oo zOz(3Yx*m8H3KLA%cbcKZW6 zsKcf0xw&{pN`6+>8Z!cnFVl6aA)vYvP%}ZIZrR;^m!CY;gbf{6C>uu5*Pp)JY`ydv zddC&nH%4@2ul$ zz0mqT_^hne1f|(G^3N6g-&KkKZix8zh2g)rL{zKzN_rr}Tqq-AP9VayI{)kh6swUX?&ONNkEebtJM8jc!l`+;mn{yOxPr9*_BE5#PH(bH`6%suAA_*)Efi#{}cSuqL!H~p=I?wCffZ&wMmQj>s`6+ zzQxDW8)5B0)Mm$L^~pogh`YstwePg2&Mk9-2l!2zX>5wjyaa45;xo=6BTx$Py!cbytx~^|#=TV3w88cMQxFi$PJjV89+d+lk2)R$@odHijb6#< z$$LQ7Kb>*K(APo`%pt&z2&Z_{AEcgy1=Id{T9A#^ z5#~y0S=kF3u0w%sTc4EBgzT?f>av9xfh;la4Fb%caTWfbr+>m=vlt-I^pgSlon-S7 zQX-%#ieZ!}_|dO(%QW0i!O|_7-1WkGW6e(lZgb~5kS9tE%Q)9O8oSSnXsz2Q6;SFl zSjfV$ov_%80_ub^@j?ZzoI_%ZHjcrdVmj>k& zzw7X(?P*~hTr+o=_{rwD^1A^!1t&{jQ!hd>RFB2wJ#o&6cY}H~2JYXBiC~PcY{WOm zbv-za&lN7+3Nn*{#a9lQL{1$G`P|;tbLI`wOt^GkD%x$Y?`I5M7;0&V)ososJ1Y(x znmzyf?meRO$kic)gVZ|Rv{ip+5X+@^QZ{h=hS!_uV6ZgJea2?7OvyJ71%b`>)G;j`!FIbuXu&_B(P$2$iSykY#Z$Q|O(HiiP6wtpvz)M3s#t`|?JQ%0A zr0)DtRTAl1jB$cB$jr0*gd+2#8(92|{wL;J1dN^wz?yd=V`cRjSx2VIQRQ_k5cU$j zc1|G=xfN!$h9t0g4}V$w`8C7kuQ6>${OFK8tmqS5oyq3-N`;dqNIoWHDlwJST=VRC z3$EmQ&im#E%60)l#tw@U#3CwMdHJGd4w(g8pXXx^80}V++|RvglBTAyXo)0m;gzV%$aJe1_HBG@Iv$0Im6y$Sl;%aZaEvmo0EsHyj{_`V0 z4lq+wh@kNBE$q#gZZ&YF3OBcAj1X`b5d2nMkk$Z=V9XL7S+W}>B}#8cw@A7QE zC8pz^dW;rqqeWafoV=AYhg{+{4vi4veqegJAjgI1CCYu5E}uU+D6DB<@I@&*)t z_2ndI+l_=n`BdXOf~4>A&)Ao)RYCi03F{{r!(@aG%pa z=H*v#y+A7ft<8FJ(C>|jIyYziu-!L!<)si?15aJ?fna=>>|qSzV@u*=D-Xo@(MB2X zdH!yR7{+(j2cn1)GIW$aZE5hI{qa5B)RFcEQnqB$cb4YGN&sM~mXI8U%S6PTOa4x? zuEq@UxMo&fOFG^dkD@kW7|_})A`Slu2D@Yc+4L_vs1N=b**==Au6X_@rv;!k-^$C6 zKsU2$Aa~<@E(3G=pKv?>OE~r~JXKeiGeC^##a_K=^*udZ&Ah%?gq=05Um)Wv{**ckw;ZLLc6>S;=cy*e ztdib}t@JSkKoc*3h`f8maNa?{bkQr;I`&px9uDxnXzkc}vZ<9jTIpiTzfw$NX}a=M zQp$~+&~yX@8n8=u09jHg?QJ2>k4#&A8$_t&VSjM#=r}q3q4A#EBBaXUYpxY6GR30s zY;1Qucq4gNyeBgP@iqRWUtqs?U^?$zp5cewD4)g37L53N8^3GCEvSX zqClP@)dBg~qM==LfJ;HjX32&05a+!|e?~hK!khF{gdf`wKGNW}ns%3oq4@}7U-#;V zT?`(eajc#J5+|Ev-UMdh=AG=0jd-*vks{$t)SnF%Ps<)b4;nc%eypPbapu3~HT!Jh z3K(e;$5E3J2`0>mC)3FI)=KV={r*$R2D(sPgr?3xiHh%i0*mLS$7ON`X_art=fUgt zj2d@#-AqH;h>Zn{>ncdAA(}>G-+$Iu1=HG_F^STUBm9nL^1Fx~{Wr_%ZbmeR>C*PE z=`WaEp@<#saEa#ZY`-VD%8$LILx1KFvF_MN7;dA=#B{dQx;58uP|A;o!x|B1OuWvy z0a>te;ND6C6+&5b7D|5WB!S!?&VaI4@z`g^+|S0~jY=l= z>%X06r#qrSs>*)TW=fuiQ~K$5^eBAcV3{=Rk#h>;Cy7nD zfRE20*b-|#pIHNqzm9zeX<&iaZxh=4MJ;O<1UPZ>b`?qN#&Zc!X@v>o;@CB|R`RAU zM+9xy{T>^c3({S;5N`qX(SlK5N2JuZp3}+U6Bh*fQ?@`v56+XE(vLQC)cd zEWopmW5|cOf?pg80cykTiK8^pO>EwlvfEd_!A{p5t$)rQp+{GaFK5*%jE#TO-k@dW z6U=O~pd8$|IXt{H3IoOcuf7``t~~{SZhCL7VZR7=TCiui)NuMcpzPy_|1W~6rUB$f zJIUsgcLC+KJJ-kn+c}73Q%_WQfA>s`C|k?gD-mUry^EH*SJwaxM%(~s*$cy-73lug z<8uc9n^z16_o;4l?0OBZqhjd(^B4O3T_R)r*K=0)Qe1o7yOQ7lh zt0@J`6zldIA3}OVbe}5q+qU zxzSC_c&B4T<9;RUFN@oMe%UIP^A|<1X9!~Kix7R%;8it;j;`#{{Y$pyp!!X(>MEmw6w5%=LYl~yo03nRQk%V=5Hm43n;OVbAgN!ftODq0AK+^psbeWNUg-MJ1`Z%!HOad+s zS18F6&fgu@o>uiS+N0kB(D|axzeNNcqD!c1??7M78bG#+N*Al@OImF9J#}?>R!g&6 zUa)#`y6;}rYQ;)BPWNV8;Prenkh-kV)RTa`Zf9D>IyeDv5xVBN-LN|6fBqW{u*-db zqYORhm9=+DUyh5p>WLLS-XL7NKm0(@!tkpU8s11~8}q@uQQI)|_;dQhHKatZOiz@) zsh^1VML$~{AT{Z4@H4I7Eec?7r+}7M%-d5pltmhQJHjK!;c$jYRme_7l}2IM$11Zn z&XzfdkBCa*V4%NG%Bx`l*hxpYU~de)7{YTgLb!wJRaE$_n8TBFGQLKv-^$eEH%5h5DBb{$JRTOA@ zJGGRCV#8h{%xr0Fepl2neC`8mFCnh>sG|cI-y1t^D1*<|t>Pie)wE@dA-778c6Ov1 zRI#>_Y4FAUI`bkAG-<}JKxDt1we%Sk3$DsHA8uZ2=Qt+GsGdTof?C?oDXWcL*7$eT1hd@DWygp}|-lYG=6 zA7E$=eLAddxO@LVErdWT!q&W7BJ||lS+mMI!|iXxAY;@c#dMz_22H>iQ#R_de4n2@ zrlb8_ciJF5sg1v$6Su^*_Xy>$)o1-+_>&~{eMZ}TK(={qqRYC0NH=S!kv{ez@&2u% z1OE3z3s3wP83Nmcu;f^k2+em0v=#29+Loed`=wCWEuxk-y0DBn@=m#5FLb|C3#glz z2Nw;Nhu~_gvikkTAUQLAg)m$EK&aj3L{GrOi{E*E z)?=}|4VcZlyr@VbcHf`xsGlFa1x18n3-#X9;J4JoCY|C1+)szZgD#>6uX)FQQ;k%5%NPe?8s^SV%Xv z>W%-C|F=^57iP_kF}QR6J0N4{kS+7N?FG&C%5mGf-F?_8J?yMgEjlbiB_*Ls~MTs73i}n4j!UFxq;Pb#~Ru2nNka~cy zC$w1DU@n@jf3~F@U91Oq9S59+#H==iT|+!9%6<316Mu`a>)j!yT0n&PuEy-#`IjQh z|7>3ByzTldoo2RbX*PqeRjlo7{0{lE{mp>Wn3`mpo4X!G0>VltSGBaGKgJOk`4W@70F;!U1@o`{Gn5Fn zOrm!GmdIwNwO&m-sN<8p7DIWf3e9vI=c2z_)oSa;|N7s=^)$8P5%9bGN~bplI#28s z1-(w6zozOPxn6d-c^Xsyn4s8bA7TZP;Y6uP(U55 zv?xfUf)A?xk-q#7<`H@$>iPkd{y$jh@;{~hSS44=>gLXF6yL@E2q2nHfhb<*H2>-z zYjwqtTzZ9R+toA~>h<&COxOq!jUD3;f4ZTNqyD2o9 zPgl|bQ}ig2))vBP7C`rE^Ws-2bi00Q9qDZB2xsmxvQ){)Lh+On#z)dzM$$wDG`HVw zCCKnDcQ{19XhLF@ z)lY8#%-CXrjKX7oFuePo2NToC`qp`FlpgeRsjSroqk13rlhM7ea3i#zOv!}3n;)~z zpM{9gTrn`t`LZ{{|7<;6@S=n1qGNvqHVc_&KJM%?h88|%VEZU z+#YPmOnU$G*RqMtW_JB+3bGgG!VUUgZqqOG_tV01KYmTFy0y&Emn7G`^UnVf&SJL` z@&n(#5Vu-5W36IcBaRKI_h>O8@ww$=A(=^As0w%({zIyVwfRGbl$w%E;V-!_CHT*j z$DmN80-pNzNl8g4E^U8i%-iZ3lR`MX^BYGQdX-W=_`41s__{T2A2=AAns|cU% z0nSW^m|)yJz%8DEtz@IxwR!|o_V2O2v|e>)&&P4axV}P1FmQ*mNSJT3zk4hIa$V_; zjyGH8HF0Mg*7K5`H=4j!7aCPb6d%Ya;&ICmVUSGlEJirb$|~u3M1Riw+=+D_Vg@go zyUWzHCRKHwm^Gpi3Ppb2u}&3j3ID$Io*^ak#MZ$CJDimx{|1kAei@upORsCUiv zmNTFaXHFlxk&S0bDA7otjm3#_nb_`UUY};x^>%dBj7X=`kj==!^HHxq9`y;^SY$91 z?cQCQXdd2fC8oF8-n~l+W~cy4HI{Vh3yR!B z>NuIjt$klk1MgS?=L6{3TF!+BKWqP_`Ip{CjLP z;i&$}wKh0s&t(=$qR-9U^<+hUWp-#x8N#_YE)dP|iJ_j-6yo|&|AO0`MvM9_1(fkj^=(M~=`{c+S7XN00&`Dms-`wW7$-~kQ$=SMg^`Yh>Dm@kC zp)QS!DWT@MN^f~uO;tc-sdPz~d(BL>skp+NY|cU!Zh`0l!m2)Vpv;bBX8P9Z34W~Q z7G+m|>Jq(evhl);JfM3P)G9VMo2-m7_zoBHy>jFZ8J8r-I@IC=wCSMfXk%-QF;5gw8IRC(AfPM>Xyy zKlJF4q7CbLc+*$c9w|e?t(#%(>XJfC#&azOy&t1v6}sQcIVbTvFj2MYeM+yh^=zu*=ruW3nM-%1UKtIVju`*;`xzY@H@+`|14cfnnh6D9LggvC z&8>m)%IO}@qdbLPrV%2aYK!TjD5fwzzwHQza-x9UsD7(9=njD+V`lK>&sK3ha6qD$ zE6wUli~2r_qIQG((dP!Z;pVJL-?)k&u|z+mY5-qP+OBWi0)=o7duDxIVFXj$XHE?& zzZ;L0##O<;S1;8;6ZTlBU}1MlC2DJ5Kx<`j?gfR2Z@RfK(5sti--9cDy zE-;ASc0VO0NP4Jyfz%bnAM*CSSp=31S6thQv0$l&5vS+K%^-@JL4CS$gW)g+T!HEb z7S#{74JWZe z?((EhwXlN>&e=?#!mBr%qFnwAUlxHKb}My@dL7tcfDS6S+2A*25gB-P`|CH}*D|kW zx<=ehAh8Mh*RkSA9Y`|p+CGH{!vDI4&wstt`oB*=m!*Hkh|Qf0*+{#skKf;(M)9yh zmW46CR~M&)Dg1T4pCrEl?9=%tPA`ykxJgy7axsHbjVu$&oDx%&U8IkuEm5yo>8Wb& zk_$;X2tw?ez4qbu(Pox2$v~O)6x%9J`jDJMOltd++UxPaDOgqdpJBg-0IGOm4fQGJrG zKmYwoPAIToHekvj1t^E%O1wB(ireoUl2W_ilLb-~7|hUESHw)_Go#6sEAbWPk`=CD zBr1wl=1UDJ40$Sk2JU*5S}%IN1iP|q5e!&nV`^|&!ao+?tz-VH9d5O``mK4G=rGHB zu8fBS6k+=B?z}G&Vz&_?xZ0cK^_2BGGsN%FC1=hj(ZQ*oP<6fo9twBM%E^5y(A`yt z-i8jOMsPEqa&e_*b8{6YaS0HXS8^jPzUm~9axN&Ve&q=0jUDXGWKF%#sDza}$&F=K z{u!-TqC`OsWsD8e+L9?Q4ut0Cscf_GwuFqabDHZZN)_#yjdu4x&GcGH^$c84jcnsk zz+0MoO3zh$@BAt zEWC*RQozP_8|_~C7_Oxr8^>TXYl&r}>D{o(yEGaR2Dc{mbj4vrIH&OICplc6MkVA# z!hu{dHcfl`bW2htNCQK&8y{Jj=E8L#^b+r&gO*W}_t|K1ab=hGHc1IiB6Rp|`E$!d zA@*Sm_O|teN^w_xj`bp^hF(*x0}k^rB28GQTfInx*eVijAn-7!Z~@vKVh-+1e%Qb) z=OrXSx#HG2Y-2oYdAEDH;ov-w6L-DLb4zt>MDM;Jv}6GhqB%f}&rzBg+hCWxJ2_ib z!-xEn_GW01zik$#6||q zLAJ~M)_}5gzfTccHeluc`0A8oV~RV>%)LLmHgyXsI7uTQM=sU^`e{WOAQ7vK%46P7 zg)8ucl^ht@+pwQ1es5YB0xJ1Fb7x1Vz58Y5+0S8?`)2)1d~PWC zWIUyH(%rz3s=@STp5EV;aNjs6f>=8dal@h@ozZFSQ^jZKvM_si0j@_HndNN#*D9qa#n1^PmuG7CpuJL0O@fj_NRlu?qJp zWuBM&W)hk@6MBaS30BPT7wzAHx|%;-;3pA4su?E8D#Q;YG={@F8rqdRytIIU=K@yO z6TO)XwGY@iu*uuiKPy<4t&;6xS2r9RH>^t8XD!>uEevoJw?4y^iAP$@?z=)X6>Sz+Ad0o2Y3x1IFxfB7ps*+QNSEqq*9SYR)n zD1hnwaSoTcrz+zlB8XpL&{3H7;E9z;%J9_pCDK1t4)r!S<3iynu;N@5rnrh^0Gs(tk2* z*xzkjYORkgZXIH_Cnq2C{ zN>i>GGr>Z^a&~MHV$xs&OS0GBzL@1k%XfM*buwL!F-ZYxKf&tcqz`u07jV&6rXj!5 zONZfgy$;eovI{#AQIWTLQ;4em2I>YDVFFi{=pdq#e*ff2H-K}h*#Gi}-ID~S)9W9cm|1sLl1bqCI4orab@_5xv$y{TgA`ok From fa02b615b06626780481a69292efeb2a4c65456b Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 9 May 2019 15:43:52 -0700 Subject: [PATCH 350/492] Corrected bookmark --- .../mdm/policy-configuration-service-provider.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 785873969f..4913c03360 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -4123,7 +4123,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore) - [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork) - [WindowsLogon/AllowAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon) -- [WindowsLogon/ConfigAutomaticRestartSignOn](./ +- [WindowsLogon/ConfigAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon) - [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications) - [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui) - [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers) From c67e518bec98b2c39d77e35e6e2a8ad20f26b026 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 9 May 2019 15:45:46 -0700 Subject: [PATCH 351/492] resized images --- .../wip-azure-advanced-settings-optional.png | Bin 23683 -> 43333 bytes .../images/wip-encrypted-file-extensions.png | Bin 10846 -> 23272 bytes 2 files changed, 0 insertions(+), 0 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png index 2ac8f45b5c4f2bf46b77dcbf28f258bb34db65e3..785925efdf7d8f2daf549c90c5ff84fb6f2750c9 100644 GIT binary patch literal 43333 zcmc$`RaDhq_$RD@bST}O(jnd5ErN7|bVzsS0S?_=(xTGc-2#%*2uMoDyZQZR)_Uh| z?&iXE1jKW8JMvfv*uQx3(g6_$e8V!TsC@bJUmE}KU-wA{ z(m5?HM$?Rm8^;_v9xng399Qc$jPqW;mXnhcdAOJvN~DY3?ATtYGfkvZfkZ~KL+W`W zBO}juCq#U2zd0RJ^Yh3n zbb`_7_`Ca?^^E=aSu`GN33JPeJ+WcjT*ZeP?YfQQkwz#K+I_argLN@1M4Zll!|mNaExe9-F1>46$;qkzG#f43@^%4(U?9iz;r3rRItd55Ju>bQ+Wur;G@e>SSsDH2 zHCZtK#-5XwKWk!(+tIH&({M0ASp@}&G6<>AC*mhgXksEB^T%Gp&1lqYD|v7 zXEzy6V(9N8ffrkV#SnDFT2eGLH1zlP-(2@{-Jjkj^P4yI@bF0IFhAR!$mO(DrW%pZ zuF~S)KRU7_eqtWWc&GcrRwsc{DrS=jl8eP!^VHsIMS%YoVuopHuvQ{6*7}rL5S0RoH3gJ{po;280rvPGC||iqbjp><5aRJ*685c zmD&DuaaUK@{X2*Q@p;bCT8BvcM-B&)r%BhrBhxq`3t}^!Rta%&cywYb;-)Srjlx^a zGSzQZYST=J+~%=_?@T^)3)@WO2ptBUZ;!}4)^t32Z4D;Ol&aKUP*G92AFpQ9sgUZp zT|aCN#NpAa28`h?HNzsHzrK(S-5t*^6pw^g&f@L*UirbT#x`)s%&E3JC@6^d;X2rE z>4zHM2Q^O!G2h@~yRQJ>0EDElRTgDVeJPpogH^T9&DllD!~SZU_tnwT04ZxQ%yLmPMf`cqz%!YlFSy&dFmI zcSj9t=w!l*>FUMuYA=>Bzp+!rM1N)+2@tN-Z%L_Gpk`+^A4xGE+(J=&9sEVNfu%6- zaduWStP{rK&cVy`&#vFt%|A99^B4vPt`BjQ1)EhfcvsWa&-qJ}lzpT_SW^>-8rTC?AziG=~-NiGjyB?=I5Jh#*7G3X9L*ziii|nzB6Ts zQ4!HmR^(^IwJ}0=`N{Sw5%Sa(vmE2BQU5LN-EAjZx~sGHsHQA|a{A+9$goZUllWha z(}{1<9orw_N4}U+Zv8C$%&$>rA{Ar0`ePyL2R)Mwj*V=k;>%GQ5;lFTXg%6fbW3oS zNTcQTyS#^kt{?A?Mea`|cA!hBJ#`3M_Qp;1(Y=hn7dx&uP`Co1%ie1~=drDi7ysrB zT{u;3$FulQ@K~tB89aBh-L(-EQRj#KkXtyfW=GFx#2`otDe|(ljXGG=e%HSdJ{3}n z_tl6s3lPgbtdJ?q33AM@EA?b@~Sa0XL>lofhoG-4J3HgI4@q z@di4T97WwqYmV{|T|~0*DZkr&I?rid<8HXDjCu}OdwqUs0v5|Rrh!+h-f`oJLkzb= z4?Shp8G(a^zh0r>s)k98CQXsuD*DTsvj0^q{~5wi@*yVUmO%JlqFhayj3lB9yN0GL zt$}t)uMqgN}1eBC7HK!n~HTv zYOH)QR?Ce})c8q)Nj0H*BLe%W;fAtQq^d*vYC)$40X;i0=mGAka z>|Dc2>NpjYz4|yzO~r)1rfxHhq!Ei|4G;DvI@%;!1Sr1TZrZ$Ne5GgHb%K{@ z!gAQtb~zwnb=T4(ep&Y($;an?yGCBrs{OWf&nZ?V59onRAbY3w< zChL+a(*X#zqYo1k<}w@HfHoFm9O1iRoneU0-b^V*bin7ITMA;>Z(f0xq=S(T|7g_=XWUHB&_8d0hSuW4nM9~Gibb` z5kXym>?9Y93P)g$0t`X?<7NT@l~SSw0U9CKpy#R>fF(t0fi{MIH|By7#9!;Z|2FN) z)(-Znygb10r`rdx$OKMqMnZ1=ROvjU*4yLZ-#pD&NnmVHk@d!+Wo|N;BgXoG+@y<( zD)nA+Q92=RL(wZAN~&%|=ZM+Q2R~!y;_TT=p>lNPA#z(KI7DB?e>FHvjM2X0cijs} z?6YxU=7}-eAYApkvy;m-Qj}Z&WQ~W@71=n>@T&1N$N$ljyAK*nwT^x~SCL8#qt#cj zA>?!brK<1Ys`IC$Si)Wo=fxv`Do!;hc&o>3Ffm$0;TdM!ElTRON8z;AX(s1MD}{?g zQW9{!m78|1FvCTi?J!mF3XA$ik?{sUg$UUtz0i9*`9oRC%T@O^UnrFTogB)9;5jNw zGF<;akt~PX!EzHPUlEw4;r>vrbN~b_aQ9%(%`-BRd$yUBo5#i&(<_BeH>(>zZdNs{ za-fBVxOBv)@j6jbGN&_YRT?qKf9ynDu2qaB{;JSfnz-)lgx>iOK_ZKa&n6lZ1GnKK z`&z;!YJ7&hBn@Yyv9tVdrL;>myM7$05H)ii!9@sB7T0fbH*yMvZk(U>%U-s+V=da% zI4d;j_uHw4)VX&FguGI8i_wE8fp>Uw30%M7aH#^>>VMHBlFU)X37U9S+59%Z9SF)# zQ*|OAB@BkTOTF}_YVv;uooLEsGKA;OPtF+79Y~6>DXv=zbs7_{AW~=Q*Rv*L_OEFP zQm>qGwZkisFB$vmR+Mw=h*mlizJ5txWI{CWx-L<}22a zv2OS(6?~D)_ApHxwp9=`%Nf_{-U>Z@cA}EU=BFY@pgjI7q|2PMUPaN4Q#}tjN}@%_ z$c6LNZ-UNAV#bsoi(tnOh}U21)a+=iiH9N&&2VRkzI8Ovj22h;o|d$fb~gSMVi~r~ ziM=k&L*|`fL_DnU>oW_R^TE$58Z`6ar2KGddQ;(*g2aD+<`TK;J69;JvEFuoZbG9E zp!A~&%O5dU^P*+7r2L8<1ESz~mJiig#2l1cDHM|_d>z`tJ+L&@XIEDPJ;Jwpg|_aF z@AV=ohErK{`AW4>LoK+sBe7J&(oJT@vgIt<-soCfIx_K5ZRX5DExsKhQO+;H;S_a@$f zZ@y@ji)TC#4|13m)Fm%up={Hd#K=}w@@O$M;G1G^rZVYFs}-IXt0ML3IqAn={L~wQ z+s4m=E3xoZr+bIxVuZ^;zJ3LOf^7z*Gg@Ajtq<`9Rv`Q7;B1(|54$BTQd08je+Tn) z6w;<+wO=ZIp zcM12li(ie={^D(DezZiOx(R8ujWc69w9*ktBh2mOmO^IxgF3Q`Gdd{RNH)c%MRndc z9^lgt(HWhij7u6S!ceRhl(p31wwerJi07a^i-=|>|45_JQyr9zH4@{+n}i^>;Rg3D zJ%`-8zphUmAbakYntd?w^F=SH(#D1kUklbYn_){uVVA2FhGpS2{%p-$uxq(pio#)( zhx6Y(Pfc_$G&<#3^(gfE_ox4qEUlWj_MNy5F|YAgouoZv+@$S6iV?zj+E;LH10_}I zM8kvUSkq9)(9cXP(;-C3H{9r1AK0%p+{=DerdKzY+$e0*^L%7U@03rT*D3F1ib?Gi zdtKl}RDWmDmB3&*_P36I+j#uDYS_|hYl61+hWvtg{qSPGOT)UxLahADPMCXhef5A? zqC3nVD7^A~cOTM7EUHG7#n;D^Qq?<|B*dF3^lU6|J7ejr6L=VAN|cCZ70zDGdu{#X z_>Boaelm93)HWuJc>T947(s&>5?OzEA%&zEjns%*V!%YD8qoGez-03pV?m3`;kfOJ z^jDY-740Ug7^(W$MV&_mx1D^iX_8y_o??DM#o>iM5hi{HpSmD+eSf2)OOwm4bk1oe zhTus+7LH@IBp;Laqci=)3)#k>RN~{4vMsCfWeJB3h=bP(3u5cnpq*xj!+CTIwxzm-h7tp(w{2=J|X%R}*ffUs()^sOi*90f%}@+OjdJ_~X2fHrlWu`*5H3 zSgw+6YdGV(aM)zD6;~B^zwmT2n8g`IPwHG2qP}i2AtQeku$U@5LQ%M*Iz8WgD;AFU zF9i@ZUG124%)s8mg`chQzw5Vpy+(uh-soli9z*DSkG(U#{e#230mh)&_wF*0R*AC9 z&ct5Dd}zwWCEbatcDxw&LK63_*}`1iT@kEy-1}c&-ZN5NVKgph`6~YTWR^woj|jn? zo8UMq6W+ya!PX+c+Xyi8uN`50E<3V8zE=Qbr_Ta?#9214=Wkq7YJHjk=6qM=T04)p^vH6rhLp*c!P&7ob zl~v3N)X*;x2#S)Hk_FDITmDjxK?0Rt_|j5RY(eq51FP_VQ1&O!M`=gdE~PWjLVVMb zbbisN&2CeB2}LZ=io%*l(AMVMVm z8YL z9^QA-H6S$D(PaqmI=ezBGR`O+ zfhfCX;&>)&mD8pM{M{fH`OY|T2BYSnWbJ*L?7U@cOa7`t?;Te{It>_By;qm21ItNSbEuw^q$Vw77e7?;iU#<>*?j^W_P-Lfhg zQ5F;jXKa!DUs00Tho}`w4^i~ts{#FCyZxGIVbj^$#DC{Q4ozdXYi6diS&#rEAcw1p zlM+r`dF8hU(_3>p^94+p^wDocr#2WO_l~J7`i(Es0!nkdx%8s5BKE7$%l8 z^Ip#2v!CYsP^CLck7x@GXLs}!}6dIUrt#@-B5SxTBeQ@ zdE`~1n$uMHP=^`))nTo@lI`*k79O?nhdvfTUXfgyOW=9;qixTk#-z-v(pD(b(VEn~$ckd%UNGp_(mIEA)SQ=qpNNvqK07k5pzhy2`ZV zH|U=Ua*#4^fS&Sqt^tza4ddH1!b>~tJdIN2i;yo{$fn`Z*ihDTCd`=O!KATH*~dD+;A$w5X8Y8Jpcx*vB6UxKkd(qEui1jZc`Ay>RS?~{%Xrr^F(A`_vp<%AyIUtaTfiMN&fu!2*FQ9*lz?2G zO+D%i!GHU^HuJo`R6}%?Zi7~tYS)uPhYzhnq57xJVbcLu8RqsU#P;@f;1rOuoAd(D z00DzkuTUE8yoy~X`{d-rX|sPUlV{?eQrr{k)YOzMLrk!Uk$H1FiG&)tkPu1D=c7+@ z%E~F>75%42J1g#M`t=rQSKnKsu4;Pa&EAqR-Ng0m{Jp<9&)3-+dG}~8DJeNPVmkN< zY4?MUoS#;Bz};v%=VHC3yKnI5(?}#19WpLcn(-6FGA1VGe%|M%VB^i}sp#<zmOl))1}*;{|$R16Ld+N_}?pvr{B zzvOt@Ip=iSZSXd{6QElt1-tIdlvcmlRp(DX#_PA>tr|!sWcMq^b3-}MvkXlyhZ$?q zKK|Q`6KMwogc>la3k(tc-R*np4c&|JeK67E*#h(b?${C&6T{JnxP7iq0De2?dGzlH zhz)E#9~U@UYM40bY6r_He1Fmtjmyjdsp_9oIatw^5Wj8^p;;N6|IXZl?w*2 z@3Tyx+vVRC-S+*HurN8F30k9zy(vVI7A$^2^I_~D>&@?J z_dMT8uAx@`{J83Xv^((vjetY4-PapvZa_1>IqAUwt@`cDidrE5m*)CqjDmmO1n*LB zIq`P~?sPp~^$<+tYJ)>=k;v1%OHl%sGp|W+ghDC{MfjlG)!&shuLI_JR^L}i4xovE z2GDrZBy?d7q<=uXP74ku1`%iPCnYeNgul>;7i&K^afEKTXduLK#9r>t>;eG|iezkT z49p5k)nIru=o)*;M9l54T%im>PmVtPk{h%`f;`x?4X}fmb$=YrmSgqkwRycuJ_x@8 zUYp_E z*BAnWr~0UnCRMUxkAZ=aiqMKhr>qCS(l!M!286sXFV4@Yi1q4BURh#cVZFh>xd{UA zowp1aI>inVn^9+xTq0sBryxx6IHgq7Ym^KX8&;sRl91>Z%j58k=88OhC;L_m1@@2# za3Xe85+-+>KOd+k`xGNe900?|w{R*D7NOv0K?yz2pVa~>6!_0qEAAL%!dc`{w$!to z`5*-&`ARuPY}4>AX|eXtzmmV(%vb9*K}q0yShXs(>n+Bpf%sy7Bc=FkXZ~1cXQ(pl zXcwH95;$(!C56!_f@#{Q)vEeP>^wX$fPh00crSR;3A;U#N~a{Qx!bVj$LSyNnmwiF z4>`KhV%SMuSak0Eeqw3O7%GzNk`*KD6Dx#=m>_so5K1Ytbq_1)Ft^bU~K z?TWJGX-zJ9RD~%h0v`fzyrofp=(o7Vs8tuA#}e_dXq2E@i#s-d^Efq`4ygynG$Hq$ z{dAGs58Fi+!*<0hRWbHgMz~>e@%o_1U6M&Q9Kw&16?0JhN->nomy&(}qNXvzblK-H zx(RT!ccMwGn1q6j{oQs^z1j4 zL*!ci)93O4dGpg`-b?mv;B-c!N1`Al&``gE`wAE}6h2AauRbw>G8f9wb@Bc9wKR#E z?-zc*dtQDouP1AVEN}E61qD=v_KQY~o86yMsUS|tXo;x&jiPOm z?sqmn4_Djn0QTdw`N`BP2R=J+!;(e({myqIrZx{A1;4uDCoI((!?IfeEJ1B(bhyLn z4O=LED3|B<;pzIlS#O#=zC~D_O9X#^Z?Eg0*>a${-qT!HYnDTuZZYU-@zm+w+Dk7T z(kXt|0yUk340y#()Z^LowE#*%fpgLar2F(5F_@2(#>5F_1X&4GUlva>UY}y%xZfJ<}ZnB=r_Z;bnmr)%q>%_h$;j zg$ZI}Vtb6~1fqU>F-}Hxf)|q#XU3#IU?j6x+b*D6D2VuN(43jq{|e3E1~g63ivT$S zy2yqze-kj)z!&)uTU6c)TcDQMBGM{lNLntuRK=-s;d>>U*FqzoBwBR$??A?G_5}Dj z3NF=ymKKsq`uSm>=DrXhJa4g*O(j7d$92)oL9|KK4Yp;kOm4gTED?>)wTK8r>;mAx ztB2(!2C%B+2;#Bm(HpdSfSDMiCZyVvd;@BzPOVWFaA64<3NW{j38YaNHOm72_&hya zMG#Xs06bF6?WO!ck4r(K2Yyj18dp#178GcvpFr%!Q3u4I2hh6 z(6@a7$K)Yh#9vr9_VM8kD_Na_C=~P)4GM1Ki7rT>30yBI%etVd+38n6v=0H22ljU< zJpZVl3Glq}1wjV_wQn>>s6|Z~Bq@d@r6I)S9jJ-Ph!_}8rvqd>whNurQf?T7Cm=WA zwL&-jJbAQvB41Pf$;!(^ZzyShe5`76-llw;tnvJ#okRlljFgm=oE*qnYAQSq&*^6q z;^)vsL#8f$@!&2P=0p~s%k9Pf-ky~!w$l4|pAk${ZSjeT508(JcXvOu``mDt4-ejj zfJ&dV)K>+a2AaUpYMa2^O`k-ueDW~JVTg(bwBj+?{5GdS{zhrie`*(IUsOy-BV!ON zkxBNyzF7k&-tO18a@Bko-W)7B(l zv!!{sb_TrEVTb=r!y)Xuw>&shL1HMe6#;)tKh1n|b_ekiJl=HYYfm=@s{rIbAE2~f zoU?)HNRJCIb_GNcG~z$MzT2#?J^o$Do`59EVZ`y{`LXnE9GExJh@}7F-p5sN{kR#n zXxXk!&eZD-#8+?({wy^(gsJrYhl2=pt}0 z>ILKTz=8*gTmd)+Fs#OD9qAW@-{#0?@Yi2?X^MoOI%;lQXA%S{`{VR(P^v1 zbvT&3Nf1z`xw*Z0XS?9|oS)%)UY2?Qg8r_w@GvorYB*3T)h`mE2`P08w`D!Fd_@pp zcDnMm^jpAZw!HImx1P7`Yv?evb@v$V&PKXS-|lxGVJuyyX6Sp|EaCMo7<+TNQVGR` zd^}9K${pnV4mM_6oUZOs1NTbHzSUXsDNTZqcSiQ@5d*ikPxGeXmoc?fv`S$uUDscK zU?Ek~`9ZHXH#bd9O}CQ(JcIIiNXugo^Qz{HzuN4y>t|_;${0U7zUKF!|Iq1hniu3- zst1WuArm}zHfgn6xGyt4rxMY}Oom!`JALYvPEDI588=W8@MP%Q@bH}-Y$BLu!im29 zXO;DkueM7`sm^RH{8Rk#L4^Nc)9%PS*RkK<~(bikOWK4KM9f z`?j`o^stzL-%oEwxK%^uGU>Vi+m{A$vqM^3qnw6Cc$sN_G~-8c?F&az&bQR1OIO)S zb=Qw?R>M44m$25#d;dHFP&QU!I@j~IxN^k*xWj5VPFv< zeGYD!!2s?6s<6t#t!wkxU%T(P<44!XFduw;E8Q|*z4>=u$6bN1UGE|Kui$YJrZSch z4re&M?qn>mpoxHtzgE|$t;({xXn>}AX!*Bolyz_9@+(_-s{ zbg^Nil7l)!e7*V~+PX!BozFfLVZDVq4 zw9;Cf=84~&-+To7&ic}Djlr3p<6)#&P3+NNRSV|B=1@)QeC~c`&zm#^ZxJol5La8< ztTBt38VpTPhs^+00v%k)_tw?StjOt*)R+I_pD?iB($CzjAD=JT2~9` z_8}o51Ek)gyyIUhMY1McuNRXfGv`jF(0C#xwxHKnGP5yT2%ezyK*%{*RuV4%aZCpq z@XW_+$Q-?wM;JXYtThu}D=I1iX$9B6%S~2O1=2{*K=9}0(DAw*=tCYJ*Z(C1nMPL3 zgZ+Fc{C~W582CU>{(&cSQ-aOPOqp!cklSH^2P@&&?t9p6UZH=9gR%_L#HMYs{Ehz% z6&b($IB-;=@K~$)zkqsjDZ$9!9MBr}Dcb`y%W2UN=2Q#{)eywD#1ZDJ>2(&Bl z+(2$*EKR1F+(xjjLRm;O8|@he3ReJdKU!&N01$cF|9^Vf$#F7(={}&h)U;h@`1G?^ zxcpK7qoTXPO(NHdnfmuO`Aq{#=2#BZ;9dJCF_Htz2^?E(kEI`W0152_9YI?=ZR@$m zr-$wO-x6`#FE;}GyfcNPR+N(iIm*bWD1MIKF>sAP zSG3ANrv}s@=SMa)3hYHs=X8-*xZZuvUOpMeGUU1SMi4V_zbwWx0?_2-R zUZVv*%FD!&w)sE#ZIVZ`0sUg7#hnO&XMCzqrUQhDp2MWq9m9a`b$~!9fEw`@1jGVv zif3S#{}mOaEe5Ds9b^H?Ku8gtg#THVkgoOy%k(Ps6S3JFusF;xjxLf?Qb)hOGroH_ z$NN|VO-pNZ*&V;W_Lyc02I*7zc2FcqA_j`MXlTqQ^Ta?*s;5$?9&rSbAqLBS{ovqW z`*W#C5F|F%Zte?CwIMo?vwwXxSCCtSTU}j^`Ss~L;lR`T+5o;g|9VuAn>v41YwpiR zR6u<87FimgNHG2X(vV;!Gp|la<5TXfpJFz)6)41q32bE#sM1DFJ2=_U8leHz}AyfttXhEVtI( z-Tkv#UqQ9eeuZEBH%MxMX`h&wh%*U^q*KmXf2$lC76!I*d_d$l-doK*FoGD!4-j-! zn*q>wT7@Nv7JuqzmF~7DYx;dLr=9|x|IKzPfVs&`I_ep0eEyGu+nHR}8^^~g=|H)f zMqV*hCE~H~6~<2=c@8^36pdu0QC^UJ*S8TIanyIswj-ydLx};8URG0 zdQHy0xBI1U-n?m?0!ow|YB;A9wjDQ7Uw;fia3Zrt$tZY>(>ROx@Xh{zAojM@OLOfc z84cZoQ+{eWZkO09N*nrM=o|X8fH53{EM*Y?9nk--GLT|SNH2nqZpx+zLqu`f+@O}39A70UR{hWmw(-2|>Z6AC_q`5~yPGD~}xz&hN{ zzX00*b6zBZ{t0AGHnxX~o^t&kZ@^-{)vA=u_Wwtnr36bNnxe|U#Af%4i>n;OX0?yO z+{=h1u+M5DyF`&7JrsE(3NllQI}gKEb$9kA|2q5!3_9Ix)jSf_6!Z{PN(Fn1@ zR@Z$@nsfo_0f;fMK4%pN*vJbl)alQk`nS_En({=LGC@7QI$q0FtA&|51fPD9z6i7t z2GB;3l0n9B6;x=j6E^%a-`PmhuHN+F8GHnL5(}{?C8bJ*R4^WFV>mRx#w8!5G3o9O(g}W)Py_mfQw;4N7g#^*{tf;n%V< zOa1|!>$57^w>oxk_@er5y%K>8w;h8BNFTmqP#Zx3&Alox(a} zdE<@(JugnjA z3roY%4pgRGj}4^T{=COOk=01=*;y~(tfI$W3cyx(U+*Hl_dx47Q4{X}$5P6`; z*a5}#^cOKSvV|HIiX3Tik~toYis*WIy!Os=xoD$)MNhC@+t^Jyx21K`cj`sH{$hG=vaEBH$KN zQ5(7Ch~ppFvp>h;XJEH`W zbsuUBTrmsTr_9uuy9(;_Ol#FKU7WNe3DfCvn;dcLUZ-)4xT>H(!Ee~I6e(P!$4Y^+ z#71(18uebrvMB8t4+9ysPh|Lx`OPfYU}XHRh^b2GU!Lu5Uy$>YECWZNSQG^Cm2(6= zZ_doA!^@(xfcQVq+spgOsagEK(2DvMB0?m&+B@{q z1zq2!khDN3vh`K-Sj1qF-~4z0VgS=%w3^higHDRx^_lV<8lJ{%s9lRVW2x-KFKCwufMJ5o`%W^ zjUIynw@V?nY3OXDWbhkr<4cr*g)I1;Q$nH3(Sd1?&Ly6%{jwB<8%XA65wNG}>-s zyP%V>)WZmbSvUfvOtRj*2%Jo+w53+hdhAYBC^@!ns|UL-?mm1=A~@TWJ-wlWf>Sxz zu$Nd{K=RW;uVeEa&*Wj1xVszItTA{19Bo#SP{XLfMhc=J*|66SIsy%+pkUTf61H2_ zjH19t=aPN+yBFs;ivSCZjPzK%WW%a{eK<`fSJ=Ct7d1t&wdmuK2P!TSsJN%*7PeEM z+JdgVaRIEq7?oq-0hTIfM^u1@LjNkFY?Asy8XeTh^!WIAVDA=za{`oBsuCm=6e_aF zf?wd`L_tZ}$a0el2<1n<6$A-c%?Mcqb}V8mz;D*PkA=q7--9N88{YFyLXI4bejCV- zD!uo;SSr9D?pj;Rg>Ge1U=P~VxxPm~o$VEJ-3J=Hc>p~D-Y^6FbfFB!MGmgDvfh0N z5*Gg1vl~>cF95e0if2HccuSCQPAQXtD;2IdXqFp@|60AC&ZzZ6wVv1y(5-xLMytyc zo)y@T=Q}5Up%Mk7^M?Lyz&&!U0XJ24Oy9q(SH&m|U`C`F!hQusKS}*|a1z*tk|;jW z6y=sqm2T2(H~w8y97ch%?XY0avcvCT;Ua#Bp$=YFZj@d+-ffWwO#bfPRN*LtT{cj{ zLE*A6-j7Rn3?+frf(}Pc(KHu3BiBE0kmUnG$_(Zw%q!$90rzoUbv+}VlbuY5jIQP1 zJ>lV~1VPiA-)VM#0Qc`W@8Yjd%sU0JBBXBmU^{{8H=aN>0Oab0(D;|zbUsh$9u@j98XdKOxl_{J)2rzg? zxp4e|ge27v20YwdbzDpACWWESU2ylOWCPhmj z|LcBRA9JcY<+FDxB_&l{Qc`k%H1L${5A)kO9xKT7ruySEL%noHDdrLu_5-d$sY)*H zJWyeeH#dVZ@k^64gGeIBEEMGBo1M3#8XB%ZBLwZ|{btsGeq-Z%b$NPso#Mr>x9w5EF|>q-O4)Dbxpnq^_>c}NRQj~j(j@(_hV;p=jd)=+zbE%6kMjp&pK7vK=%9fM`k|*Eko9dxVb;R2=|3VuC$XV`fJ{T`w1!&u{s;q zb$V^Gy)q;`Iqe>Fa;bTJsnfdcJ`i(H)R$x5K=&)g ze~7?ecTB0$K&zqy@AtmKnqfx$J4hD5!DbUV`hGLI|MP!Q6*Dj}0OP6Lpsm^I5J`(f z*28@~Isd%c=h}r@+-&P3Q)x{RdN$F`zhNtmc@lYij)UQXY{;72Kg5>qL>ZR$Pe{%x zQd3jZy5p~p=gCGMEJ|zLNin=@4Y(D8!soCn+qHC|N1KKP1sfzHS?VCu2Hd87ItW-f z4g%oU0}Kjg>~B}D;*GJd;x6kr-tfK#dHBR-;?U>tEQm6fpGC!8NQC}xxloszL!rd8 z>&ECLB=i$)TcOW(qkSXg;~qf#M4Fr$E{6Hhs#~OOpBp`8O~+E~H$%0S8Mj;4%j-vW z@iAt^9^L<-WaTsy!tb{S{HbMYYil(%HD~GPX&@G)5(f~DQNQ_{(>ix%98LS<%(mwP z@}(8#uR^E27(5hB#y?N9sd&8R^$YW)^29fi3lDR_6H+Bh%$EjZ;>XNSyFA;?J;e(b zV={?MZZeXe%vN|WUA-ZC!il*f4L%MgH8m{C+Qje7_vh|?l~Ir4TeRkk6uz!tT2hIB z?_FZ5<5qxf@(8S`X~=x2O38JnjYmft8#h)|jLA}eo+<<|Rp16C3P>UmH%321Z%<+T z9M!5B&4szqnHNO)(f`!UlYctNIaIfwY=BmCV{u)d$dbjEn{nP$xKYak~7o(4K80ROzX5oY9>dX(Qu{n<<0iM zzqdy0e)vmhK5e)HWKMTCw`cSB<#x|9kqgk)X{o6fY#}d3e4*-0y9LvKQjysp*>HEB zuMj+Ex-%%Gg2dY}{Pb+^Y6}v*wpeu*SpOVMt1Oe4B)P^mG(Z`fEOGAKVl`^8@0yD z-g5-sx31>mSu^Z4T)84U>*hz~_Ico3ThuMNz~7y8+#3bdaB@EfS~$=qWUT>21d(zx z;>K`{0;BKt!YO9N0+CAcadC1L2Ft8tN^>{5&Y>P)<3a=UYvyPBC zaDJs;{DOTc;y!m8DraB-VWs-!p@XGyBv*cU&*xL!;dH%Qq#G5=SIqS;`G?^34(oFT z&IN<2(r>v0k-Zq$tCP#G5D%uSN{{+00#x#~UT`b^&k*n5)va-W8d)N_<1J&|1(EZ*i% z^&)yBr`a;V$@=!O3dAp*<^R`dC@?$yX#A5j?lJ**SYJ_{+2R>+XBcIUFIHq}2qS{RMJHxXL$r?e403CV{*5JSL zEXqH%*J6vYjQ%?B*F6+vcm*>^E1$5>pYHctp~su%%!Ug!_T`IDCL|#`lck_MymYqJyV!vB{F61 zTD9iBdvsv{r+=VyVdfBWfjd3q#<VEaa`nL8hk1`qe5oz@hhWOW^ z2WjTUq)5<*`EP26WSc(KHg&zFS3bN~*Y*(Ket@s!Q(0Du*1lPv z1JE0V%`gq(FTRnQ&oLH9g(7T#5I|7mtKWlH<`}s6&6$CSj(!P^3ov77t%UIKPn`;g z$#i}CZnEUE%bLUM=`}E(efZ(|`cx8O>3<^ru9jT+5Rlh-?0&fdi5ZMJ)9(plV$!e_ z929i6GZyXh6C}m~Qttmxl;?IDDF$yYrS`buaYpiAe(h{c@_)XyEdKxawL4LrkbuB* zO3v1nDIA2%p3Um4W+_x+UdOYop?)zfa3{STK)PrA2ysYx)^mZ-#Do5o>G=j52xr9x z6VcJqmH?;?lJp!9FhTZMq>0l&+589C80qmAkg#Y61_tPOd9}yA;sInQ8B1|BGRo`d z=qPe{1#XRk98fK=Zhd@xff%IK>}tJvZE<>jewP_o$ga&GBm^$#zgw{V0TOeDZC*er zwj>6;xkA1fNcYdKZ;=B`%p~w7Kv0EX;8|-&0##L06Z=g+$lj`IJlp8hYoET$cLz^S z0`Zbs>A}FD;e_BHh(+MC=vfhaz_dOAo~T=@Oak86IP;9>M;lPLw9YOsxgic{+Kbn1Rj6TnWO!FdT$S08)n|mBqt|d2Z@Ca0F`1*wThLRXG7BcYZz-m`_ z{qNc`HRcRT47hOPzCSI6j)L>HcMS-uAU~7Q`114`%#Y&(U~#E1&(C!Ltd$J_IZ&il zfa(Mu_5h@=QNRv>AOIBI=Uc(uivY9HP*eL{Ov%tFq<}1iz=!g@+Jf5R=aHBlZQ7J7<~lr%!(d$oxlXz@51=aH|~L{r)`t z@*_o#0l0Ake0czac>(GLZVM2ka{@9Uz${54KLlDs21tKM0F@5ccoAgO_U_{;B)}sb zWW)FE0B|Jry_f>(+0dkw{o+@1*R)T8UJ<_t-mH`)0!+>F=mj>+`wA_Z?h;2pKm8tW zEQhgL`33Iifa7AT)eejWz(Hhtbvpcf1s_4J623d+^pbiR7OZMq+}OyQv1$99MtZtG z2b$D)Iwu|2n}7+ZXF7so2sjqd^!08P5m|;q*vl<}{xphRp8}q}KpQH*GoBqSw}@Qp zc?;5rk*wh4eglucxXlHkp*3Qmu?sxCk`K^?L6E>y6%Y#pKq0=ouYiz=w1aI0$Wr}V zd=%f31yE0b8zjk2=nHc2L;2^Z)b#XLK!9`&jvTCgMR8riN7(&^m}3>N-(1oR8lcY0 zqHWb)J*Q^)z<|3SU6Z%PbYm(!PB$RUkEy_Q?r*UeBcx5R=J&eT1MH8DLB9>BMFLp0 zT!Z1oz#w;1VFORt_%Gt%Avz>xh(rjFL8|BlECTQzBBZfgFEzkM%91+d6%g0PjCdI@ zTC9q=Ol)2Bx9w`xCCMcp987>nlem;G>jp@B789hmR5>sso);o}_bAur3<=6${gOnA zb)U|f<#4KS0PMAs1EEqWX=&&q5I&1O1mtDRwcq}!0O~e*AoZHdgb-AY zMum?ecDVhd8>P{7+6uopLNmT!#uQ5)1ei|2U16D_K}r2dI%Rg;FctKKNnM9Fsc!IO z62jti{?Bi%hbQgAqzQGzC9|atfma{~BbOKP4YCZi;8#QewkCmR{I||+RAiE53ERO4 zS@Mbt0tI2a8R=fqKj!e)<9p^~c7;+1obcn0~%N^`iE6|5*1!N0< zmQlq*Q%vZEyd`D$TC&soc&TegK~!ppO|JgVm}McCFZvz{c}$zP&r7;{D4(?Y&q5v5 zFIIDK>J{VF;)F<~IKU-|u+-k|Y+>Jz97w^F;+QyZHOap`XV)?UwSIpo5(SSh0ndPl zI^nYWh5fnf4y)(8^$dIh71jrXa&;O8YjI&`dTZAp*>9jz6(J#)ts!Qc`5XAc|a)-L#Y|#NAXvmLe z)bXk^ClDZ+;AOEIjWvHyR}y>(EQee^ddr65RmcS(0hcSs9@NQWTOoq}{p zNp}bqDUu@HC7>YEje;U2An~5-`RzNivw!W*?Ck7c&y2$Z_kG3rp7W{Gd?zO&DGA@d zp9M-OFTpO1*3r9|&vYbZWIo}{+mVIkB1*YZtl#jODJ`mIuV5rDhW4##7ayP~q!~<7i*fMDd53_JJ3=-}aH}06^DsfFk_NeMa z8rtx%cdhBk-1>}u%zUkkJb4ZZum*}IryE0t>R71N{b$|#>qE)6V}^{e6epr@D;K(p z+`7EHL_t9T7j=^N-K{$r8n=L&p~A+)PI6vsllpl>N8er!dt$UQ0-bwe7f}m(Liox} z5>Dn-uZU}D%j4{ip{CMQaFi61oXK_%r-%#!`FbA8X8x!fi_n9fyPxw9%EFC?^)nMz z=jeVk7QRGoQffmT9sF83R=v;({Er~;B;1S`>v;w!@I1S}6uV2?zw0;dt}|mk#pJ@A z$9z7+h5thh#S-Lro>;R5Vtt@=;^3pvC1zw>M_ILC_ox=) z+$FTD;gu61$6l`r3i5GP5520PS{Z8+3qvTS$gzq#?A<$P2tnhj?UH4 z@Ym*!1!wtt3@Nb?%hGQP+NJRimJYRyJha5_j3}O*a*%$tVe$ccLt0jsxTm}8_qPrd zg61Lx^pI))C-lzkepzR+S3N(!ynB!#h8KOlw**{*d=lp4y{B+&rKPYo8W=x<5mA{K+U-^f#dxZJ50N z2uenL2CXJDB}-zHiN=SmO{EWqo`UI{T);*Z?g8iywOf^{AhtfqVSsG&G4fBz0=m`~ZIz*>*_c`rULz{8M$Fj89q4M`UU&so9UodtiX)j#&|D$zd{e5xgAvgUNj|p+@GtU)YEbe5KxOO8 zFTSo0+~(IRbKX#lA6Cj(%%$R?o}W#OBz)BVU&<-jLcXw znbe3?O_Ig&-kD+eB7M4++CBG(mJA5Xe;MY%9oQ}2*P`2zLzrg~ph`H9b$A6hEMC)p zaZks^|8fCm>HTX(#Sh(e3W3h33oQ&@DMwssEC^ZqIUY<=v2su5n~xw>iPQ(LpHpF` z)^-SFCCo$`#arEfOJjQRy($sVzMsEJplEEEMha+?CTI|B)C+p(p<-I#eSTxadn}b1 z1h^+V%PA&~9MzYUfe(dHjv#QT6ek4yP>bix$S zp|KKZ6+HEIrF;jMt|JTsD7rXKrA%IvEwXlk=`aE&#(t17GVN?hZ!w?VN% z);VBG6sE86(f{Z^;bCa5ah=^~I&Zt3@J94qn@1pQxAD{q0kCE5)+XzF_q`=K$Mki@ zzL~{p`7Q1iSxvWHZ$;g-D}j^1+Y3n*J^ea!OTdu;<2?)BrG(YD?J)1b_w`z_esRMH z+9F}+Ik96|C(QAEP?sgM?%REja-xcW1|YY3{_o!7vMbwY_u=wnV~lN&$Q$K133j2e z*8#CH$Y`{)1Tb!U!6ks!>~%?Ou_@ULz30p8>t4I7Tawgg)RdHt)a*QK!&wIqaFHz? zbOvk?qPc7n=mFY^z^9T*zG z9JF@eH+c6M3N-W-l$6;pbG7_xj{7tn-1QU@i)ImX-QP?94+DhQEg!fxE-t@0@4a3d zE0BShGKw}?9u13nlk?Vh3udIew{IwK>~=cVyexg$+ta6F8hgioXYCU02A>lIGr%;l zb#@^KpGn=$U858c+5nfNBnN#i16oYxF;c zhcNWDIPbRj{5EcIeh3Xco!?sW+eUquoKMM?{5a;}3l%HHK_1JW$Dbrchxng79GsB* zx?;&O|0(1Ovd`cFPWkfeGq3`0@W$RQ{yxbz@2i`aT-yFsP*`!UFhlfY?8C^#ksz)< z%pGGuT7crWff$+R1#W2vle6;hIQPVoApW@@64}{yRf5cc7o+HLc>IMgRL2Kpsw6k) z@{$uHe6>%+_m_1ycf5xb@T7=|iG?6==>H^#uCZ3RfB!y+DH2w>G=94<;nHf?q6dh3 z4uvL%l+5TqIo=XlH4kjQcy7-02Qx94fagZQ$Reev_x3$^i97rK;HqO}WGwyfemVf> zH~sE`{iSKP3Ie##eN0>rS@x|7W?MFuA!mfXO&OW0FilaK{L&yI`pSF|#PK(}jk;*?D&F#;`DwFv^%vwIzZC4lgQGoTABc)-}sYTkB z;J1Z~%iJ5%oX0aW*rx%sLr2}oCM>8v&u=@#G!(r&CeD!>an}AIekmTTHY*i$RFg0B z;{ApN>VQC*2B-~VkSK;4gyh=Y?mU%1{+e*A_Vd3xVT>*%8~^~0mT zXAT~Bwn2*IPEJ9=Q4UuvZMXvj!BkWa#!vqZ|4MbP(y527?*g>h{)EWNUen7?TT}f{ zS04!)ZFr)9z4;%FcB6(BVYcuQEShUr0_*!DKWfMC`cfA!&O7TCO`YzK zo_@UP+!pRwUs@{pdhhtphD-Xt5d*j&ZxiiHr^d#3IXMT#T=7<3cN;wL3{>`$+r%VG zop7p94yJeq|iE#N3?CQpi^~C=4Sz=0~2+}a8$o$PU&J$Iu(QRll`F$)@*w;q4f8;WiAJaBi@W*y z(p{C5w+o59fqT6_&VSpTJWjEzy5G-G#_{Su-)aL2ydZF(LXoqEfY0`?;<$O*eyeP& zOg!a0<!wb4qyp@{s^R;mf9FE zdk#)2gWmMN_o`7klaMwrIZDu{^BHAwlyk~<7v}zUswl+JLrbu_JdM#JJeV(8{#;Vq z^qrYuKz7+?Y4k`RA@6fuFDvz|HOkdd-r_BHogJSd@) z&Y2&q4$6&iiko>zx$T!06qo}lwe}YIJmS7PlD?pfN&(ac+9|5Oe0t$|t+kEylLSF+ zDV&R|tX9_MfA(ZtZKJ<8Ta0(2YvzCL+I!yN{_@Kgs~BUg_nTYj{4p;@VCW{Y81DS}v(@ zZ=jVm2<>W1Q(l5hq=HiHsw`|bZ|oz)i`K*V3~hzl)qkvYcdAUSUEMcC-U8?{Sk=D* z?`#^QVcsNa*^zic!+#p4*fRYe}ul~TDmI7TgX-f z7m=z1NDW|&CdS8K0)I*FkX}D__UN==US9*1e=<0)GSkvBGd*F@0P8s@1usHx&|+dA z43nK9RYY{~U5Z|GV&cMPHwaek>XKL2*K4M2N%sE!V@+CeSz}Z~gQ#w>g@wgvZsKAnzdLeazITJf0R9K1Q=k9;Xr-}VOg!j^$Wl;O zLX0je%NkB3ld>5pI^CdYu6#0X8{`RhoH<7pM$;wR7Q}Tu(Y|!CN4S%qgEF5 zypDVTH~*ZjLPVcVA`kri{Q-vs90^f2rnx|^KulpjUX|C{k2w>2?f;Kkt{Q}}r6tA1 zy@@nbR8$(xFhf9kM^at1oT6g)C2jeh6+$e_wVr_Ep!-TZ7(!he3mNGN_{OWps;T2qXZr8rYz(t(V1P-Q4{B`*|Cf zJk2AZlwN5Idd_Y?_;n`Dp0CylC(-SJ-(lc_n~2XT&+Z3BRUBKj>Jg4tiWv9??3K9L zwI6_*#DnylZj0>)2_d2U;Wq%S;bi%SpQI)v4t^94R(ct)A5+OfHC&Pe5;0~evUgd` z;bpOF-C+im2g64z7dhN{iwt^OXyTJ)h1}uy<-X9Y031SLiOb=-QV4KcFi?|&PM}nJ1Q6s)i0R1JME3&Nl$tR$SHf?uUp=3?p60l;$;IM72Wn8&(nyD1O-BIO z4OIdMp?Vn5JYNJo%~gs4%oYwNO{YFfa8ZJg-Sy#TRAzhvmi97@eokdyNIKm@o44zS z*`g4~@+UmhA`TO!Afs!Rwyye*y4Zpbt(9Haq!>d8F7^emn@3Fz@RR~xIvRF`MuiR0 zc@(tjXv+C~mZ9rHR40DUC5$(H9AGVIZ)i%Yyp( zc&?G({RHA3=&8be^k!fx6Er2q$Ct&7{+scLP>Er`B&E8VkNG%Rg;ox09IXj`?K68! zd%NtV-U%QRWv_uuK&m(-+nhjb0Osw7t1_}GpEn?%4DD4(Csg+Im%HAQXL-El(n9eX zrOYu%zMML30imRxFFe!;EKU!vz^dayt9Y^%C|m$Oi5xb1XL2OY#st`gs55n}s+fim zpa%aySF5woIPoe1z!;TjHKMQ*gw9Jo$w^Av7mzi=)Lc()2lMCWV4jRXqT;|07&z(t z6A!v`G>0RE8x;o;OO0q$U#S6lZ?|K8%Cl8vVZhceCp36_y1QXS#8=Tqk4(P<(1!M% zKj;!ZyKmwZi=!X8y7Esj7 zNy!)Rd;xI6)%87*ydMD0bxX;8wR=uvYsBusz}S4MMZ($lwf8d9R(`Dyls{F)e^|tV zo*Zos$p=Z)#KgSM?XM0ewL>8H44$rFD8GtMy~0}2sentg0s{w_RvQfPaGJ{DuCFVv zaF#v>l20#X@S*Tig@bu1J84Hn9Wk#T2H8Lm{;nXkP0>eXNhU&%+`uPqcFa8~NdfsD zaPFD&vT*N4G>J?UkH{bpCejw)fe6bZ0ga9PCJl?ALYo>SeX#SvOLe(1_#!SBMqsT1 z>Aaak_^s&ztT@z9Hg@7E1i`yt-4-(&e(NrrpRpPqGgknUIs@HtN}WPMLc-F6Oc*&` z)_PFC91ghUWt-s*u9yPlZnO%W?@}m8i9Mjig)63=1HV#Ao@@vMTxkSgame}q`2sT7 zPvf>22ljmt*Dg%@Z=h*N8%|}zlPkSb5TBUHdX^TITZumfg?zzjWtOeR;>S1OsI+m^ z@4aMJ01p_n9v=H^YJOeG#+eqs0MkgZi{I~M5g)!bYgnq94Eb6846$)14C$4U&v6P1 z(Z9m`&JM)@u+RYz&Z7|c0f-6YDYGpgt9-bXp_E%_Vd~kJY%DBUHNrvcI)zVv`Xa{@ z738*`0qnN?7D}|Z@7@xqt4TgO%{L350-E9Xr-uyW>AM6>%B>(HSi`>}FmGE1X|uFj zkj+g1RbT5Ag}E&SqQ+F<>l5k__5e_W05OzM(*_mU)n?A%;ANUHjo?(hhlPc;p`rpP z-!vR%8D{_^a#z${BHGu4)*ujCwu3S?y582Ck(g`|NKH#io0++U)Y z^%PwXi0*d3dbGj*2vhkuWK%;kfO>Ml+>BVuux_Ra#z>q#;D)m>*l14Nic&cJO@3t0o06T9os>yVMC5U@ zw+ue9sK`iZpw&W-cJYyK`ECQiH#o?XCcuSK3x}9;y8B~QEiJQJ8?2Ue`+UER=EX4N z^UXPeaI{+!p!hcEc;a~59@*I1R`!%JUz7g%>)qzCGhU$1C#U=CpfGTxwl_}SP5dp% z!N}d?EGPZZ`I4s3J7+%MQSh?to76u!dI@C<|7E=&9;rOPB-T%6F95CwAz{Dv7V;Ei z#Xw#FG*U2n2;ko7_*U`$D2hmwT5T?H_|HE!R;&RL0UwE@)y^;P>!S#tD~Sb54>RR9 zrp;Pgg|8Y{iZc2iJoil2c5!)pu^;Ml57Y5JM}=ardEBbxvDE9Ao?~PFznliCWFBg1 zd7bZXLDT;a<}j-NWJAN9f_kxuq+rmyx^PPg8T~+{b~mcv(o=0Jv&^U^*sJF6TJ)6X zYG41EX4BzX2AQ36q7-HF?0#1r6PeOQv#6X_)7X12{&E7ls6=M`)j;amql*Lb76&?rWT7vm1KmP#eL|0C$m#63)rHgqob$i``rJOhlu18 z+EFN7_5eWCL=ywy`nAdKm^+$&m(tAhcUGF*B=68SI?=vLO4E~zzRpoowHD$WX&2d! z{JRNso*t=hus+=TN5sAD-M2cK)8kxs1Kls-cfP1fwb6WomW;@`X1S&P>~nD$7;$@I zPfBW!Glc@=o258M{_qaWyF7LG6rR8Q*`_!l?jFuq`QO``6%UY;fPes~yn92x2i7yb z43zt1e}%6qL-#YB)=&BY<;PV6_xXlSqNK$I%`)4HCxyoefD&IX6Eu_&#pSrv07D?vpx)?!n$*0Crr^caBx^>H zCB~)KljJTix2MIq?T#!zez+BQko@W3mO03mM@?bgWJv`zs#%kJkG>3DUYgZnAXm+k zcUPxj-`p|I(E>m6nB866H~YMlE8V9;^8K%6&2Rq=UgK_FH}|aaUw?*uE|_0_vm$!( zD|oBNZh&fqh9DILYZqf=rf467C6jdOE9m5N*t-9HiE=mj`OEogyJ=u--DCJ^4sVga zF>lXH@k^ge)y9#H<-UHTTr7gA9#p9bF@H24Men1Z`3+>?o#PoQcBbUoY20l9n1GE* z;&XcL#(?PliN7%bV83qW=u@nw?rw{;yx|NGKl@!VyEr}T^Mggh@)N)#`V%`CU4c60 z4b>0iQK{*kC;LtIygVWWI zDh=VL9Say9j84BCUVTYPcjnC-6MayaVX*ESoa4w#yWzt!O0e%AV9aDijq+GCjGJe` zu&A)0g?qMQF5^mHPtRd!dOG=k#Owfzfxrj6;&z~it!g-GVl9GT0=GMlFP@3on{hmt zsS1>n=@eu7Nvgx1pNudKHb21Jusk>{W{&Nl@)w5)Y2N z$W5)Bd3jZ)vN!S*C7QFH-kA6P@swg^ja0bkWP%E=*(<1LQmhyQ2W)}3N3WRo^TZiTf&=G2Ww@=n!zvW$$Tkg{=TlN_QfJbZcp1KR4bFZrtagcRK%g<{uX}$OcA)&zkgay4d{0W5=2tG&H2ZQ#d&i3Fh?I!{Mo;Gwk zm!BUjmDVpL+3h`3-r0UB9GCr_CZzGSpx)0`oAXBKZxFfPc+O@Vcw zD{nZW_x1H44Inh4R`Lmx$TRrvzan-M06}ZDZ~#I?H-Bv{tI_J@&sLJ)Lz`Nb zae`Wqrp|(b^miUvAkCsCI_@8hTI2IpOtXiR$~7VJe=sFFj$KQ3CjCk1XJF|;I&4(} zn}6OW(#C0arkdN+5fe|r;|DZ6Gn-`F1TRF<&jfURR~k&msa7nPG!wns0LcS?d#}W$ z3nQh7jKgs?|v7B`UUOrbd|XbKwQes>9z+oY0ozGtWunu+obxL zW_Hsd%A{W7x*^Zn3H>%C6hZ%!nUXRANDWwg)hUpABiO{EcXN4p8JK@*@Mm9s)XI}k ztN{JX{=+-Q*lUwxeLqfi21nYgeptRuPb*!E)=0J=GoP#TF%Jw31Zy;i*It?rfyCFn z1&lK{z56manL$ak4*6B!dj?sd=*1;X4~aqQEp_Osq0_!!Yct^V?Q)Zf^uKGrLHa+Q zo^!IjHA$qaCSLy(^MBZU{_n4``hU9i>i_MZcTgrIA}T2cuCoMgw_e?^Hqg#PpWkl=3QWjl zwOm`^0+rwcpqXLnQbiU+dBWTz>AjQ5q=L(__qV&J2S6PM5ORPijjz`EHaO8PU{*tv zbBMd@r=2)pMlXmt^uiATOo{CH#=j>DU>V@BX#x#-@87?Nq)5=qHaLFy0a$9a$-CZ| zkYR-0V`4H^1?j45Nz4T3)bbWmdLyBWfk=C{krCA!z}Kc(euTb`>@lDN_i(ceU0ht; zL5&O_)oZ{2w9h&aBF07cA{YcDATz(Mmz|r7>@=Wkavq0(H8L~bQ1nYr814WYaR3m2)nDhvc$PN0N{(d zKeV_&lG^nj=GK4)cv>?wSD*=+clZ-J!mDEXVy;W=&?F-wPQ;X{bp4Wl7k3K0)5 zwopQ1!0`ZELFvnvRt<1Xz$^(E~wSMNwdpbX z>wClVKoLtQm~yA4^?@+WyjAe4tOlgrZ6GqB%e-yC+H$%DF6862_uaO2n&O-yEC`uzr|G{8|JckY-DfF0{ zC`fmZ9fe+hi{ypR&Wvt;f&H~7eCChI0YuJWCIneQ8%U5Pe0~k9)-Z^J*2h+YTovw$ zz@sj}^!UY&5xrt#5;a%kt?e$@|3Cg;>H?du#b-Tx!%uShyccqYXnGMsO@YByPm`fQZOiqKk$fK(GFO)sm!Q zcG^-<1ka@#lO50dN_a*DeOyDN@S71%{S1zO{(})zz||={(5=gu#SD_?e}LUBe^ULu z_=%3ceZHULoFIFR{YgVzM~2ajKUM~+Y4oS8Vm|Ma(1jt}Y#2Rb zN-E|PuP=48a6?Jc)tm6uTuZ75^HfwsFHw+p-D1Z_m1RXk(ykM84##A!?mQZ&=V60K zRU3~&0R5Eh0!;18eV?ZRi$vb_DOuK>>zAm#9nQ?4s!rroW%Uk#?K!2)&8l>zoJ8K_ z6DYFZA>xkRp)deyt2|!3H5>39g?KnoLLZdEbqpsA;Dk1xq-4cO(qK+#g5*)9u=bzu zW-$Xa*CoWT=OkIGWfv;MxZJpeXIN>fHpX%RVT_X~YJx#;ZxUj1tH+$E1z*n(_$6MN zjc&(gmZ2H?%|^5fpPcpa)A{(dx{z#0gT>NJ_#vn_kx6hDCeC+t(RqI+Le#L?rB>$~ z-B!UdfJyP~fvPmAGRCXiPqkdeoPZZG64Hpd7N#)_+St}IbnT?1qId^zv87X#SQG=E z*FK{*xdPc53G%VUzL+*bL!S&|wL5kht&xH^nnC?xS4{GtgRF>QA)y;cq0>0MU;wDr zmWKFH^2x3kwZ$On5ojWnmvN($h+F>u)` zghD9F5BXuhJ`!Rzgy>+bE+w4X&w-m^UWd0Ef zm4Kw4JoF9b$&9!q^~;=gY^4khbY<>&yGPLbDX6m)RN(%@{{e+qKoeDez$d~`>;X*w z6ZiExt%$fl?JgB5dr@g9JZUi0Y0;~uqNGH?Pn110x-%P$N|gsOk3zIPO7jV(<@_=6 z-()Rhag7^>y+TBLMz)2tWezqnm^2dgGlHt;6d|ivA9H{^S{t@>|1h zM+|h-r7BRyq-d(uar5O#JD}!)IFrEqITO4Mjm8t`7l_dzfzX7Zx%))i%7YvpK z*95{@Vbb7y*Wv;oW!T#y8;fF4dYq zZ-KX=`yDK>Y&S6f!N4umSC`7MyPqK~$$5rNj{7l1sEu|A-_z`0o9&Mb&3Nedz4axr zn$*+SlZ)=u#rUz@$%=;>An%ojTkSv52Hz>WS=%}VU>1>Z%MeSUIEJdJ)1YVY32D^W`acoP%8M6hhL zHT&+iDZadhuS8i!BAzy2+o!O(-3xCk6SnLqW90^Z_3Klej&NPT60;99T(W{*rKWJP z*&`3J+Sl|6uyM433j)AY^9E;{Wes>KW19EK8uMYXB#^$k(jrfdiunRO)ZH85Oov3E zFm4&zq-vMT^HU%|Oxgm)<*=H=Tv9g6rWDrJociRzmB`-p3fd?t;}BVoZ~_DO!!2E0 ztlK>;%b)g|Ov9{MMyUktaQu~xu%bs?Rp?6sxY-pBAi+++lr2xt-odgxn?hBZJ+)oJ_&B_s2~Ccp>uDMJAn{Tb_hJSZp&b@tE0 z>oyu;8$kP+<;mMyufd(`4bRGesAXSoehm6`6-8q-&D&vv3_+=2$t?CIbvZ{h`z|)< zSp8?y#nV$LKf@E&m$_2-`kl`M-`e!#yGS=728(PFIRhnUgq=>NYv_IGO=0bY>MAf{ zZdJ^#_0fzq*hN(Kr?;n3J7uF?fl(u{S53rvSE%Os>@mQs>I&VOVzv@p_t06+ds;pt zDo$VlVebXnw3F#hc#4qvOn6;a4G4G0$~B{vw-jWyx%1?l#Ut#~gn~)Quza6XvZRj4 zLFw4b2a+F_3|)JtBRFrNa~QjC8W#=%)dJZlUDqNUXgG8AnfL1A!@S*Ez_(!$>EZ>3 zOx85wzLAKuj+DbDn6txoaO7Y~L*$2w1oWUn_m|hV2va)?UcOuinB_7-_4p35#5Z80;OQ69K)7Q)l*G<5f=jeOAbcOF_Bo-oM8$EetCI=iM%@ zI#aB*zIC{g zrbJ2n@ORLW!-JuO7tggWgOl@2EtM4kW!QzHcCcn10(Bo5POL-RqhI}aY!=VA3Oh9K z4&wpwzN{Az+)!MFYJc5H(wjC)d~qcfo{t>+&^vw8?}SwvDtBH($YVovNKsm3czFLb ziQml?-Ic%9)zy#97g{`E1nn-NFcbMt+8G+Mj5wzeA?0Nr-hapdi{QYl?zYjpO>+s) zFMW$Y{pso;c@ucJ-aiiLZ&-fmO_Z1mzdBa!eePt6t?K~Ai8p)L;YjOa*cbQma=Y`) zLSSr)=gp_icRgziAskj*Ih!Z#$IxFMQ5RBaxr;ja7Okx>1$V zV#l`n2IDd^r0a3nv1iZ+1g-QXZ`r-xt+e<*gpYHP9z<6bvpfIc&CqL^zx?s0YS2ZZ z(ztE|Qo?>f%sG&sYdiHji=U9SmcOT7O+scIge84~_!I~f>s<%Y@{3$(ZF6&{%>uXw zPO+WA7=y^^rGW#dXsg?UU>Kl3_;9(>K~cliW*a6h(p`> zRGc$dEHc2b6b((&1gt^(dG&WF8TE(Vk4A!H9tRhc7;J`nN0B5-rt^DTd`-ke?W^7He9 zpP8)8xY5-TW>J23aM4u#dt5?(H<;$QASpfl7_=ICP1LYTCG>O`Op!mUKDGHDIl5;e zy(@zWRIg25ap)|Huhl_89fS56vZS_}KlyDALio_gXe2skv`ua7_!5lXsa^XP2Y-eI z#|+-yCm_i%Cn`456r%aw;#0MHc4Z5i9L;o)MM9ecZC~h1O0W(O6ce-STvN$XqWJ#k z>*>dggl9kH<^&z5*a^2fB!9OuWi@_=NJ)(|KpEk|V75z9NQF4Pl^Y1v;q8rnR`46?&i3{>I~LIoRdbj zT2b&#`luA9p=ao1gtZzk+k+p$<_G2(A};ebQ-Oe^A3e&U-C!q_1lw%nIlvM99EHJa zxx!r$niS#){|^9Ak`1IE3_h{>m!(G3Afl-%5;)sA{naHWSal)G6!?p^kwHTpkuJCZ;<0~ z_-L6y2P-Q@Sqo6A*ngwH&dZ$LlkTB1nItEhWq?o%{60DDCbTMo=kTEhI20+b5IGA} z@rHgmju`9eB9XY#T@6Zz98ki(GIPn8*iUKj703~aU*vVc2xP}B8R*XJHL7PeI zuS$a&6-!Te`GbR}?idssCHzypm$G3ZH?5aJc?d}caqK$kwa=EF;0UxeO|#@&Hvq2t z;SE$LY<0-vJzI4Kpn|DxxH3#=5WenXlefAh*Ev;3;je%5v%p`YxPWbH7EeaqN$w)r z1A&W+i*>Tr7%S-dxmp;-mDH3KpO7awYe>h1I|@#{1rC`g&(nY7*RN&WpQC-dLbcA} zA*WLDd-Q0H+~;}cjT~zrY-`Zk0Qx)n=C7HWXTBJ8eH`cWVAG#1(;#~fJJoKCMei-O zVBNwJhT;){=XLSb_n4_$%_jS3=(%EcRZ;fMC?b{T$?b5Q9_@V77r2Yh9VT)%S^wC` z?};$jlM52**scJGNwLBt9}JhyI>HVqDN!^5V061s?iqD~r1xuH$8OTlq&T6^R4?g! z^T27UY*DgwW__(+Bs&eXT(I4#!Vxrdo;V8Nh*wcXRhAVaaB>>@@H7`X^Wtde%k5ji z3nb&d7X9eDE(dq9$JSRbx;3kts6HYRo{>QVL%g3f?Ev1?F@KF3sc_rrE_BmhT6|nQ z>cVbjYgd1J%a_BYg^%^pPh;+ z{7;}{yGB3z^||Cmu`nzmHDQYy1-l&TMenx* zT}gDWln3w)z+;`~t&zqqXUP?hSv0cd;fIV$=If$M_)5*;{E}Wjm{lY5nt3=!Jg&{O^*8k{{hBt5R+-2Mc$2GLbmV>7!k7&MQb#jbR|YHuKcCyBOQt@ zaiNW#@z?%ib`*CkT5a_Fn*BA@9}&3}W2`s~PL^opPL|B7V|bONnp*AfGzc6JWFVvtf)>hbiY3zNy`z5;G6!b<| z2Du5a1^tQV(}fg;Mf?qjpcY|&^xDb1KjS7t*CiS)Kn&Yg0F-ZGd3Wu&$1bR&>Il5H z)rs%Pbnx^(}sZ$m@dm8_iI`cVZiJQQ4_iqO?3-wB}K5j1`P2s|#gf zXBnzt57SRLQ;XduxMgSW3V@mQ7zlA-uOA}7tM#Jq&e+@=E;)$33hmhdUA%M9@Ca!a zvi%8O9gZj<&QaA~LD)L)xt;#}40F_^SwP@PY)JtbF885@lFEsv$9YZ}akSSO0i$E6 zkUDGP^F1&uaDoz$$rS&Sa-qVEWpET@e%`0XX*kds(pQw>q}MD|ej3Kv-=YAr%)~YN zVZ^fU7H|9(o}Nl8*N2ZX{1q(#YYLzFbUgdG6j<~~{1n*@n)Tc~1{>zEW#YR_8AZS& z_LJPz$if+Kj(-Cfi)k32D;BC63rKZ5NMgWZH>i;_;dl0oIQbOLPJ9fBIC9mz2}`Ga z*bbpGr}iva5WS7Wu(J% zWdJbiC$Y9)VJ5<`qMwS#ASWY?yC7hWX(}T`HJ{SDDOu?z&1Wx4uPZP+@S#1>FUNxH z=*8yyrx#c&cOy!eiAKo3o%KI67V|%3M@xI(j@m^$eT)B_(dP!bOW!!C-gQ|zgwQ79 zVPjikGoB(B-m+so|Fy6*tN7*Q5euH;@WpO-KoeS>jM3kag(CNo6Y{GojgGO{e<1Su z3lPCP@UBZs7GdP_u-*xOB?U%Wpx;*S0q_cgF8yl+4&M+mPh$xdmtKj-ePG~Q z!{7Gap1`1JFHomfim2c^f~Gf*^r87prFTk{p_lj;Mfdt6*Dx_@XAeMJxUvN#1(F^q z06k51TAHFgzJp0}R6-}52GP%1(o?7vmCXK~QzfBK8B9PXv0c2FXKU+usknRGOrb*e zTzuS~53poTyjz@7mYeyzkm+9I7w`hMft}Gy`%*AN9V|m7LyVaH_=HGyk4p^Qve};`O26Sqy=7;$V)eK205Y}Tu zS&#iU{;qVx&R)Rc<%0Cg*yi$Jsyu2XUHZ8~?fLXKAM$CjkTRJ?^t4bAu`j=qh6QmG zjiX3XrIfFb;2A@T><`yJNE8Yo%olRGG^f#7C#LOD!1Sa1H3F$C`aOYx4lhO*pdm7H zf%ffWowEXdf%%YNZ=XFum7tCGVe8MzmbJ9o!<|4qLcXS4xFY|#aAM9iTwXeSeEQ$9 z0!8ich#=fAE;>zF>nYFr&rVfn0*w$<8r(BQM&wbqLLU+CE8Oayy#H*Fg2s&YQ88Rf z_U1ZVG^bkcT@#)rsN0C5(72kmSUwM~p5pL{M*U2nFZL1cma&gzt769paS6EbeJE=fy-odc ziIBBtF76r?Ch4^od}cAk5b{ozZQV9wQPko@S$g0UITJ9D8bX|nJ4vcw_cd3T!s3a| zOyDGGY+{75Nj&c3H0}rK1W2<2@<6X3twLzT_)FcRzY{xLNJ$jUvRlfS7A3AA zJ;wVqdI=+8qdWCi7)TV_ZEQFO^H2h~iWguofhT>wUk?)ej00A>0@Pa_sn2;unai&B zr`2P$VDKxIcs&=2pHFD>CXsXS$y$}?q4H^l#(&)ZoTGs{A~xvZu5C-BbZG&cL6>;U zjcFyNe$o3-DOG$|`eV68{he)xkl>Gq*R^;~C=pM2hCA-M3zvbQc0%G+sLx*F69|yV z2>H+&>YcM1a1Hq#Jx{1nwg(b6AK<+DS8&2N91&zhSe)`r8o>u*`&^~xM~oPZTz~xx zJeEQ;Hv8{0tRL_HzB2v4e60Wd@&3R5FE|sBZBme6!VGY2JvqhBKt41;S^nE)8K5w+T=PdgX2E>s<|+km z8lo3kTeDd`acP1N2}nxa`{DCXFpD_C_XOQtuNx^dZe%*cfv`G7M1j%qJQq0xsE0OG{vTr-Vd%7*g@&<%Pr*Kg6i)dIvyL z*!J(2P!j!HS*;TQFr6{`S_AP_5R800HYGVJR&E#;`Yo}`@4Tu5by!!4lp(G z7}qjyBO%?-#yBr;ioCsnOPvY()FiE^B_HZu4*5ofheOcXxS0F%MabRf;CKZ?biXoO zNEQ!hLL0ZitN}^QXd$x|x=aFpXrg&K@GWftp&wwNAtF++SM>-{R#H+sgF|o&MJq`t zJTkI44*+jiA14;IWefMe;#O4WGAz6>faC%An0nk&az3wa=&EUI-f>^U{1O=v5o4jl zrss2Z=rD1Dk!t{VUDbo6Gw|1(cx5p+2uLK_*AbA(30Pl+Bu`&ovFwp?1m4Ql$$bB& zbp*1G^9YxtZ5iuvLmk?Iwuo_W7M-;?Ot;=>3@ zR<10@`9ce@{xUKtgCL8UPyRYyoD|1oqnmZ4GG0^eUW8js5r4wKxLD8i=tyu}04DWV zmy)tfaH@T3TrJz86xR8j+m;@ZcIn}?=rRCvfU7p%0Q&YpB!KpHrzg%ate~`RYs?KD zA48T}Q2fX!(j6w@DcS_^hK*r;Aniki3_$dHni2!?7T$%NcB!n@%t8IYwK@E-jQ7O( zXDwl90e8W+A4kR8x00SP{NL07xvk?CGijk94ks+8)b!{IHST9tCJu1#-U7=Y~jiTinN+J21j5qh+Ll6}3BCM0#Rg?EL-Oy@4wKn`J$`*H3YE!cbU(GmuI2M zj%5pDKd!TjPT6*a&hgPSdlCDU6l~Mm=I2)i=VFCL+2r1fSYVFIT0PRRM+>?8RGm7!5mv>1LX*Ga7 zK->(570C7ukT#Knk|o;WJnV}D){_X;nW z&X6wI0$TMK#5t>CCLf$)9#~FmFGFYhnF#gn6dCU^=#YvNPsEs0UzQa-T^Lsf77t9P zHt=%$R)8}kI`T6LHIKc68${i_Pqb!vT?t_Q*&mn}mp(sT*2fZA=DI*^ljLN=)#e>W z6Zd)}_Ke;bjy&qZqUrh>lLir#cXOo^R{k|o3%VZzIz;q0R@EA4Q4<~VxR|19P9^}i z=8)WQNMln@&<_SSJrny(5EkB^b%oakF)$Bi@X|$g`cFNpuPHwGDiKx5&vgtH>)i*TV0M#smEV4W|6VAG-cECx^M)qSiSYa3-n1)KxW zo!BdS#-LbL}1t zD52K$=GHoc)~E-vR>vPi_O8$QC^IOX{tjI;ZlrTX|MjfAD`&}A70Nh~3(KjPSa&44 zvlReY%zIO?Wyd?;v;E%OkGUjx0atkwEnsg(shdP&CWzEf$}Nb!I`bC6UO=e&8Nvru zt4Z4B3iTi!vM(>WtC!-2Vwf{xQfs_6Ax5bffliBlgG~;HCv(W{YpHG<++!LQO_NA) zy3^q^2)z0Mh!-3A3aFY|Ql8n%<*JVJ(9kd6{2qZU1gTkSWU&X`mFla~Z&JwCX68p> z$?B}>MFGs@*ui%Nl5b0}Dx}sd^&yhEVWsS)r_24usqjfY0rl#uH*xX}gsZBT8oVFF z>(%Z6KHfc&atd)r6FlkmriX?Cq1fN*lMuZBUE!+$Beu~!M`airfFElQ0wc9^%gzrTd; zx`=MHHZi!C*8#Fx#Ccv`|HIVL8!d!I%6(hTEa<6`nV(Yp^JAu(lmV_BK`lQ+N-Sqx zZ{3t85aof8t6u??$iO(A(RJ0esFWk7hO6PQ%|!MjQ~xw zXjbO0*;h7k?Zh5`-RNpQtZ(>3M(6!Eb}g~{bm$aEGmp!B3jh!$yp?1ZH@HCB$5yVn z=0`vqm3hzoscY=_lyPRjaVs#*V%Vc*2&!TgO11nQh`lDNEft&tuUn6*hNM21Dht3ZenFQTiy9l=kOcaB{iD*-W5Y;$KE< zo@dM?w5KJCJJ#ICB#7p;c_ctOi2qadj*3yTrfF-*)=}ZL<-$^aRN4ceh-Z={SW<%- zMZ!zBZdu-(i0)hCO;L#Akj>^MxXcK|&EgeOi(RfAU|6t{vix6-on=(iYrDn)K}v}s z1nCB)K|ys1^m$DIUY+@;lF9a&G-AIJ^u*^J08ZiIa$|YHTU55#BzU~stC3U zz5CHO#7JEbZi(7PD!A>b@VEh5@9Gtr`{vpN{48>Py^-8gMpU6h?Q>O{6ziebm93Pa zo1_YPGS|Z5^v8rld$fH<8e zr1HlxkpFp{tfu;Hx{H@yQ9-q%dRpvPo;+GN7dw6L2`<|H_zN(4$J&GqA(FT zZlQnxCVQnIu`&p_ZIs*x?(%qzzfbb3@T8h9lT^?AkF( ziy%_PNkCKzF3k*Y(BEush=%kbK6GQa&)0=X;`NBjX=VBz>SHl75}?U~sUcYHLV+x) zZruloR#Xa$2HmO`6oucBL3>nRhWt*;^e{}irCyjm$9Ua{omP0(&$RE%u<%$D z6(uD^fE}+|%z9-YcZ|}<+~G+z=JB!|hFbPGtjO5O(ZToSd6!qp6X+V_u^L7t@Q7N} zGfC1`7_3%1*OR?akfru8ZF-|7VOdUbv^ z;Wp?Cdbi$@bO@(kO-jN`e1Mk{{iOmymG|zthe3RdrZTmC;umk~Y!TP%dB5!!nytH8 zKIBp7Bb8k%lmjR+s*kOt;1`CXZVAdo5q2ZS?)Xh1PewD`(okWEGjQ2wqnas|xONH5?HhbMC~`SV zWgf|y#ty($*=1Au*_Rj7fA~sx?XlVzFj0~^8AH=K`GkJ+t}*ev#Z6{4f082@Fi65k z^4e(%mH4rnGqJYo_K9v~nyojn2`b#m*rSZ?htOBO^` z8h?g6%|2&4OoOAVB)0`Tft$)iL^rAm4MGyEqxzMl%y9j~ogk4b47m&5RB!@{k5Qi_ zY;!Lir6jOg`Uy2P*^o-B*TQk!O|*Hi=W~Wj`&aYVsMHc#$w-m&BU)}ZnIo77En$om8-y*P zR@4?6-fAfY4KqiBXhmrYY$uXnE2YA%iv761=+=;+%}i_{EKAZYX7)7%;10}zMt3|m z^rk*gkx?brrEr8|rIIraF=kcLBBfH91JPm{ZopI5hI zQ2TvE3SF)Muh|G5Sw9$W)r_L=p>ph!1vSCB0;i`ycTuKyMBIQdGWep!H^GVAB}hPD zWGrC>KC-GldK@P|OSwqutUM7jGs{%GQmgcvcUOZs73oqfvp+uV#&n&~Moo48}!tB%0?A2z6 z6m@$0@4T(7Bl#j}3W{t~Z2@mAU<(NB-VPZ1LqkK+{Vwk?qdLwJl@^v*Zr&}ZqH?{~ z@gU65D3yUJeR73hecdTWw516ya5iaJP{$@Nii5v#PdTbjPwpn0nt-EDskvW=8KIq& zp2!?I%?)fCJAU3zEtXy;zt-Y%Pd&@${}_KrqbN%F3n9pEEIWJkn_XDzpY8g)o)yZt zv;>cLA!k2HAd!v$IoVv4xYU%omnU>VsD6SPM(!I&p>N$4Z(;H29+*EUxdZ z(fCtK74dUTi{M&&L`i8z5iM-z%k$a{cXLr@LX7?V9)Qkf92s8gRp_E55 zD`N6QhdGEfp*w@OqXJ&5MPgEZ6EpvC?O`s(yA=Z}P8Mwz5vD+2>j$mtwkQ&=+CwlNUicP-{N{W`yRCIyqB?)f9W|HH_f_X1Y8PBuCK`06w zic(k0MeJn-y{veW4^(;GFf3RUsbzD8Dsc%2lYV;RGV+|~E08(?50Ug z?BqvF9Tsq{$u0zMlk5@;_7?3QfXhA0khfwNh_KMI!-vI6L!fh5PY&3@YOXvYQ zFF|t!L+2cUey<6laLwl^?kD^lPC8vXO8Q!_{4xKXvR-rlp^q*U;OvxM8Br*J{I8VH zp*<3b4B98dQ7Cn(G?g_mnSl-+5Yq*nmp?0`Q$~|5JkOeZzykv=suqyk4}yb(&oZ*) zg?b-zZIv4v(wPV)r%{5`K|!Gd3kG=o=?o#7Am<5YL657Px{2>k9aYutN1oF5=lTn2_9)Bqnq5JC?)kT6Hhw0Bk*sg-X^ zr%QUNZNw4&S9#tXx(B!?>1Lczat0C8 z^LACWyUcvHPc*8iFKA8d{_YUv9~8hEBuqwSrMo$=6fXt@1V94B0~|BfZ?$C59xrZa z0)%iFBYn@#=Hk|$B7zRnInC(6G{YUgE@dU9Y6r25n*CR@LcJzxhOYd(WAY16G^SRX z3x?>)SZMoP>ZcPJUu=)lK#oFW08d=5qe|VlYMD;EqQ4pCf!2!Ixv?c3w*FYf(5*5f#67qYTB zh=#_a83K*Ew1>8{#mKVEzYkiD2}z3sr=wLL*_|GINY98tN;r>`#@}ocRjjSI)w+1G zgoUf#_@CgkW4Huq+(d~NQDoU@Zy)l|CcUen9P6UCy4_6K{TX7k=5TqZig${%@8Ysg z`FwZxKiD~KZS6+cQmEKgR7PTgPHP(5qMg$!ojp(YL|)I=~D0%Z$mm zOe$s2z|-?YqYp}8vd~RF_`_Y^;v>77qr3E6;MG#82Av;}a|+1a*-YlU+AS*YWf$5F5_Q)h;+^Qx5$K zOVOh0MfrDsbZmSP)k1$VFR&pn9f*Yk0a9pg`cGgw+}W#fJze?{mu@rhFjJIJg(K#3 zm*WS#8&1yqLfOV6S5{E-@f*K%uX{YhU~jQfuE1H@|NK#AcB99+p@Aq^rF(N}Da?TG zO9_qGWnP*+z)e*ZPV)%A&-HMUqFdb^M&7|GvjSwQmlnTP^`!H4s_b!$C98j_?)@0- zI4hKoIuieTRp0k@k5rTn%PXpjDK=>4H+#u+OJeSvsv={;Z?w60O_up? zb+TRADoZ~5dZR`9obCUJO!HFi*juz2{sr!U@Muu5J1zsWt~*5d_|y=@0oWR>gJYti z4u(#iGQ6SB;AuK3N$iJsGot8R>Rni!KkibLdd0Nv9ZslfL)Nl=2lf{#)@Yuz^TxrX zpWyNAE^B1W0*|D^)^+oLQq$*>u<(AUGSm0euJ_$rG?V z{#@;6f%vDw!;wW>8SmFjbBY@5hFEk=Cu)Rm{}^6A`r-9ubhk%tmZXt2y`?X5cKD71 z`AHj9Og5Q4u_(doiQ6Vh0i(d09_w-2oEY{pMjzX(lE-v)U{8E&T>l$3D-P9$$0ON> z8qti~FSp6LbOoCbueY8~3r}wyiA>X6tQxO33NH; zD&NC*DGer2nRwZ3_)pCb;s3wp=c|hU4-|UK>3Gv}Xm|Ju%x-G#=eB5ICw#qW-Gn72 bPcJY6zKdT+GBb=}z>l)Lx?HJ@Y0$p_z-}$b literal 23683 zcmdSBcT`i|x-T4iMFhk`Rp}t0(jkD-drjzw0unmX2~}T3nt*hH5G3@3BArkz6ln zHB^j1pi>t>pcCEaPXhna$?|>?`0IqXk-8G749B(vyg3bftos-Qs))a||LhF#{=y3l zb8irc(dYQjiD?JU01(LPrl!hcNWhcTDSXVNY3TaVykh-W;8u8v=;Y^;ZzGsrf7QOd zclqs`n=t|Tx?rD(ry1u}ZmCUnT+$8yAX?)!Zc%gViyJTF<}9wLH5h9a4fdRPn7jQB zA?^*Emu$JU8L~u`4IHr~Q;WScm-T%|3X$~D3ka%At75*ahbgq~2pAU#A8;82df6Et z6$`v6i2Q%`Iy@2p4kc&#YZaU`Ewh4`8dBu<7IWjDJT1wT@<6AArtVv0Z0XeduTL9D zsjm>JRrb3(3z;6yN!knIe})%fU5b3dt<*S0(W6|;7c7T$+h4syyA~*kncIn*!7=h9 zNsq-m18Gh4E{CX{=H1xXO-R4|`NF;BmuW*TuA8XqGrd@V_Qi%nR z6ksU=3Yw9zCfe&2hM}s`Q-$L(#Rb*T$Q7GEY*l(~(NBiAE}A{OWci6|T)pq;df#EH z(D*FY1>?}3X6(_Bg3N5uGVTc)-2)mZ{7!u!x#+m8&4HSDhq2?#2_YP zKrpZ@?5B6HEQ65fbyne{@Ry^D;eCO;O`lyB(fxr@v8k>#wp>#WV~faLmzs8c?@C$- zYsbd!&-;ywUPpgS44@Pnm`6=~yf|Bp%^3`=#kRDGJu!uL+NF!qE-*MWKMd5mj_1g3 zyzb2u&uCZNb_Aj<5*14)!=~BvCr-h;ut_%|L@h%uhYyXuntWSxvgqEPO=L>) zKmknX1~Q*wRK6us8S!ZnY{ExNw~9t)X|{|Q%Iy4LG{hJUWoQn0C^G$3ry0UJL+qru3Q{d)%Qnlvviz&n7ug+QKdxF4k>|AQF_nT4 zCTLu{32RDbeP|)r5`TZKrL6?zU22Gs)aT;6x5GwyQeLw&29YVxA3|<)--qFhguyc> z%Tdm2+6l2`=p5?6IMWAJi7EY>M+6f`1$f{C@AVHN#ea#CYTZZmdP?{nfuE^Nr4GPI zXKMF0lkWva!etZGHyh9uwlXGKgR80LgO=97O8C&vVo@qJIo%z)(S>myDVKO)(8ol? zHubZUqUo$TN|tuPLbn)|K`^k3VqCj_s7j+PSCfqoPJPb}vRza6IznkzoQ`KSHnfpwjF0GHZvc0AnYhg*&QAwB4UgO1#@|_Mv235ut(#0)_;Im{7txbj zsfCJIloZuXHi;Uvup9Cx6JQH8?R$^uavel&SVtdL6|GOBGzT|)w9wb(*3)CE+!uYJ zS#7q;(8nQy7$q22=}(k?*Gfi>$C~-%>$e87>yJ#VDdM&jTI4ldndMXjIHM~+dfWB3lvG*r0Be17V z3uO_?sIjI+Nfs0=->u%Zj<0CqSM1Um#K;mNkyRPirrG&%JrH)f2eJv+lsbwWa*)HO$@Bv z>4+}-EAV?&2G3av+qjsAM|f}g3+_r>P~KNC!UF!W$$ka#I)DWW^DScZNU+cp@ehmx z!-@DyU3-Hq4Cti;8~cwpRppCPc$Z2VVl#_mXRGJ6tF}v1)UhWo@U zWLW+}_L_$h@g?oG#TF&1cBI3UG6xQ3@MZ}El&>IbkeKYF>1BJJ{sy(0pCFD#&KbEc z-jW>2?jIPJ6BX>m47X8)uTF)d?TK3)tWGn^EivPcM|0Ka0&M8?rq!Zsy4(;x_y&gW zeM9%0L&H$0h>1RXOh$`^e3f18b?OLD-9@-Nv08Tv`ehbv+5Qo$=cw2UbsKK$JxW#D zEce7r%K{Vq*0^s{vr#{Ot-5R>2m&o@xQIO$6GYZ#?z=A{L6i$L7`Af~F5^rt)vDw> z1t!&0%hfqoY&SEd?w1(Ti`=6X>L*5fr0%94>6~BVK3p|RZrhIDbuGUOzO`3eR8YMm z*%s@*4&~4$CL^n86>K~z%`zBX0=gmR!7L)gWnGP^X+kVns~lJxTtQc_hhs=`YhCp! zTbX|N--|5#fiX%^v^E{VwLGIT9xS$2$yYY0s_9~1H`95~nr1U^>~8rsY?v}}z;B)6 zGmvzr92F?(oK8G#n>5wh;fqz(bie7OUuk5Gmc2{_>+(#GI*+4DE~XSM6!VIhYBnlk zI-+@Vq*!aI{b#I#YaWSW)oYx=d!;b%%KoIyjCfSsVgL-59qsX2ffOqt_ui zTrPO4W?zMHS-CDAmL4bO4kq5r8dem=`DX?5DhU&TRxyv7t}H6~nY=BS96PpaH2vnL zC$6PN6q;oZ)uqcSL|1zxEf+bEho6_3Jfzd_pd;&iBPREslt;A(ZyNVme<+6f`pdQ} z{S|0Dfm5K`LhpD)wh^~&`$%guSs%1y(-gx77y6?irHqX^6=-5RM?+ZbidRhHovfp5ts1gbTr!x*cN=Q@I2=CC7*gwD`~u@QZd>9kgEEI| z--lv&*IjG6a>k+>vSpZX=-A2+-rR!DsJA?W{Rj*(os5v{!kZbIW;9)t%Z%xk^H(0y zZ%N+il)5WwBQc>|Z_x$TKDFe0Z*a`YyqV;NH%&1ZUg{Mavej-m-n_k+Zsg0?`DJH~ z6T#0s5*F^e9I2*3%zY^+TZLuggZldzUa{{0%B9O2S+h^e zl+;Gre^=(W7B)|7GUa%%UKQlsu-vw^%`I14nUUOU>~5(m5lFQ?o>zC`N1R}eFSI#4 z*k2{7cww+52ea1Hrq&{l<@Ts{e^*J&GNH%ni8DbwY-_L}>m zi2LTxosCMx^+(<8R;Sh0Ym4yp+}$QIePchc?H|{~oY7!?=pa>avO8SHjqo}s#=IC? zSs|Q$Hd-biDL19t`$(ibaQFrCgP^~jwCoLu%}rE4>q^$g2s(|@F&@Zo>Oe62BCD2-m8DnV zxN)iVQecy_h?odMCGl4BZT%>1c;v?ll*Qx?{eiK`FxMsEp-i9&XE*47`%*rfMrYlrIzLk^_y$^9Ca$CS(>19?h% z68_R4GLK|pfUS8AL6FcVlwLR#C8WJspmJFFM4sL@+0SDEV-k%#JoRb+G#dF}7G_pv zBLYq#vz4DQ(zV=gx{-o$Xkj_%Y(M~WluMH6E8n4W-=6=*z?$YJ zqVDcGjQqy?*=C7J{^D4lVYtz*E8ZJlq)_lFrX84u25`Npf{P*ey zJE$~L=$3e7tlk(ROy*{yjQXAhL7{0h>>+OKku4X(^7Xse>LQ$f&+x4Zf&iB!3wQJM z5-wGTT3{HQ{0X-ixce3FXUkQB`q{3A+>SZ8fqTion)T2&H)o(n{l|5=V0b#nurDh1 zlh@hntWIBrq{yV(k^n{haQFZ5RaU)%AQzixK01Er_LkO4Mo3ZnZXJnofI$7jcCL9z zjk1X$2vg5@TKh0Pif2oGRdlSo-$8<}Xurcj`*|ru&45tf5gROlbd~i4s6T?kj*Fd2 z%ziuQR5~}A@ZMKV8~>bEVR+>wz)#BCmvFzoR~QcUHl^aU-8fM83xVmQi-cVDk#d`v z$;qaGjoEzdw6Z77fh)tMUUZ!+ldyG1W>vV?C%Xkn;O6`q2Numo*I{tYho!{Akby)_=*JScP}g+yt=Zqtb*_K zlUt?#kQbfp(?yy!;5x^2Mf9F*$zPuYSE2+MJeD0nLD8<<;3TUj^a_OGAcB5sI2@wuPZcCfd@mlRdywY5w%q6fWvwj?Dv zV9s%_mQim-!^HmMo4E^x`La0Qu8nAZ_B1vjY2mV4u%=3xm;F5S%VykY0b#u$mV`*! zd;qF6I(EE54|+#Mw@>UkzZRy=I}+|p!7@SnPiFZYc@pWUXZ;GO?CBE9jlndpsMpg0 za|8L>g4m!P_bw^-nU>WI;FdL8D-0Dve3j&`^>6&jwHT9L0ersF&oiaMO@-1Iw81%d%q#ujN_uJhFwt-qk!4jK!b?o?zG9b`-2 z8h)|WAJ;m)nfx_3fVC@N6-V1&XB0k9Q`LBq0CBU#XrGP2b(9UUPG@hiKPV8t{!5LR1{)Z zA6leRqZRd%B{MU#&V8yoyEsZI--sFX@&qugjGVoU>j{6(`(OQdYC3!Xj>sGkG`!1s zl=?b~uLA#TlwXPN00Mu*MF1D6P)?7d`?>YM+2T@~P7^oYYz_uIG32wBZFKDdE zph=r00=|L_2H!jwpxMO?zy>~Byfdmnu0Wyor{68UF%dUlU(M>ow&$$%f2oL*QTf2E zGymdovPo9t0HQR*Opa1iEmXwGoZ4IEq5gbTz=`r8f{m5rV-S_LeqkQNB9dBgWg?T- z9Mi3JdT8-otfZ8bH50I_m*geA_zkjVFTV46+WFWWxPm|_VdiRoggn%^>d~9Iq z>a#Jcdf3JQdip+kKKmRU z9(dgXz5H_Le`!dvnWKyI^Yg!dzwr0>4+;trXK@3*epn4m-HPu_>YD%YFyb|723*7CTFO% zD)Vc2TcdhJL;3`@=&1&vhWYvXk5KK>n)O?54X8VIy;o(~L(NtRK{@@J%O82UB;mX&=SLaseHl&Wk4+i4*7x_A& z;XL5Od5_lLi=CaFO}?i=Hxq&0epKl{WAkNL=74M(YW^^u^N3huQ#`-W8fr|@J)^FQ zk}h5^(zv2rv7&7 zp%49|dgYzY&xGzQllOVXV5R)vV#W24$q`nW&`$nyYN162Y3Q#loE8pMlYH3-N(FGs z$Di$(+nAny(zW?9I!GzGv(PE9i82hMYI>(YpO%6DX7{k@Iqsaj;0Tll{l`gWopo#Hd2V^wUUt@uh*6G+ zz|Ya|PV(38Ps#1#mW;#NM5%kDwz&J+EEE~syg9&L8b#Gp~xz(QK% zOia0gqT~NmCj8z3gyQ3m`FME^?2J^brqn6Kh&5ge!3jz(Z{ZaW7y0n}49okgzw+DF zHVPPyv?V~FKX2Y-?ZV-337*Ah~hUL~w8ZEx4EmH%BO>lF#_ zI_G>3+1Fp=TUXaHW7Tnl>bMOq>`zmGPozCg+E?u0J)swS5FXQtamUuF$-69QMY1&LA)|^4_&&Z7(x^_H zZ0&$5B5PAF2{&A$YmWXNNLkR`P7WqQ_}uedv|6w!=1kju?TN6hAFG1tZ=KZ?wJ;GM z{C?$OON%ou*=gI^dTJ&^$t~9=riTP6&A%BD+d2q$|ajy7~s;z>Sx~_+YmDlirc4NVah#=lnA~nLrSVDh5 z*NPv_+1DIgm=bv*a(Hc_g31`Bg*1|QMweE#EbQzsU6$z7b{a8E{JwC7%E*m|v&`!H z9l;~!5+UAxq?;n^X4A3JO4<8y3A5bHPa6G7=VtSuRnAF{EYGU!8I)M##k0~oz>$l49@N=yw1DsL52B(e*Jh^uz-swH}8T^ zudcZ5X0bLr(6h^uMLx3Im*`|2U0p;4Yj!E~GvvC|Pu}nGU>PG~OfmS8wdrO{=Tjh@ z9xzrid@i?)F(P(A0Z+MbE&Q?R92-;#!q@pgmWJHiD+!JqM>x04I~SDD4+YV52#(%CTn z_gJ^zT5?R;nr7jY`B!NHGlI0l1~&_E0t}^1z|L3P!;49kI3x-%0^oEGKvY02-~kvs zqjM63C?&P4(NubuYNZ3I>5wdYM)i;UITaATY#kaX(@w8uo9DTFepB_m?BoJxktkoy zpmV_%jogJ?E2O&4K5M7*&==U=F&Hp5+Xz+p&eYnaL~{SypfxGy+x~?W=jk%@ov*rD z1qs=#TI4&n%}W@|JZd7g#z!R4KeBe=rv2e0BZ6MY=p6_4Pvvyh1C$P-OGt z?ovt7gjso}%5#`CR^HvcD2Gav(FPV+3;DK6ug=MFtGqkw5a=@>7OpL4BdhqgdSN;&7>D*=3NlGSD)DZ_|bdo~Y^` zRU+kazF2|t%HRXNdpyap-yY())6^w=89VbF`-5BFniD58FA2-;Sj-v>ZGw-2jn3X! z27F0tz01qflt8=N8_*q5xRp(GMpkZsaEfF8V{h^_ypX5Rt_yDaAcbk$bj(u{}$f z1DrR-C^rEEogl>uro-S&Iz;iV4`Iv+{H2MBnsNe$)6)ZBCTq02I)^nS_3weI$8(T8 zZq(T2x{Q=zc|kv1w^&)fu;nJ}*y#;F1hPq;V(VuRDaO#u)>|8}CJ2mfXdt?d@$p zKR-6XrD=9f&a|KlpwCx@MJ1z)9Kjqblh9hL&(Q_|(;%NOzIFn1Um8FF*DmPtGM!PA zwb5oUNm~23Hn+VkNf7=AC0e>lG!$If_w4=oZGC$0&!1KL(2!@FKZyRVR#6cJySsZf zPU9KD=4#)he8gE8I8K1x7VeCGU%$D;Z$07dv!3K}4Yp6PIh>_Gnw?%&xW>mGeCTFw zq`XtT%b5cL-3I|210YPm4Z7^b5hghI1Btn){eG|RuNg)D;w-DbekB9M>2<${Yu3kY;;khW_Zy-G&r-jy zbLg`0oC1AbUik-!n6S~A*qhJ16Oud}+U6f07atEl)&RHxBz*XMohSIr-Z{nnySQJb z)4L_f3S0h1`|B-#<5+W3cT+j*8*21mN6z?GTH(@!BqcYS&6GLy_n)NJ1JvcCKO2tX zv*iw_KxcCSv@DZdyNEcX3bo!#?~FfM9xsP@QEgfUXa#@e-ZexF`9rwRWrwYRQ1P8x z*++WH`%5!nw|KhO!U7q`^5ti5>;bThW(MHOo50BCHUd06%I$YIUUP;foZ>PL$nz>> z=3crMZy;c^j1S`6*;0#}dC>hTfm3iOAN^@PB6aNE&c>H7UmV4~00IRav2z{TQ5S|z zGNHf}q} zOPX;4flL5DlQ29ye0UhzwfX43;2Dv}%;9es4=@LRS09D{iemg5TX+Jn1;xW94<9A< zNhU9_4{rrQ@vtW;YHOq3e{<^YjFg3*Yc=iXNS_x?9>DM)0SqtvQ>fwpoM5a2;Pq`@ z=P||4TQ9eh`!6`gK*@jL7|SuE`_`_Y&rko!85molC;)A3Pqz+NfHAXf?UFgeHj`i{ z6aGap2m#=QQ@{Y6`#J+Ak#KlS$mU+gdLSY-W^N!+*u z`h0(r1JJg>PbOwII7S=QE%Z*SC3UIP`O4=$0eyZc%q2--z3dVc#{m>$m`&f4ab@j4 zi?G(MXf}XTa<%+L2fB%T-lm2c^Z|2t0Nj36G)PD(aD8rWWadcgamPh@k#`)fp?_+4 zZBhxrof?J-cddag`1!W5fMg}mvtncE&S?JKO(NFD?H?Mx#O!@ncLKf4v2b?fR##V- zlaq^nAKb>l#x{xdR*w+D@l9nN9E40214=??&AtghJVsO5SC;_70;glk@eRB(R#fp_uFTmmWKDEMSN{)g)yV&LBj?B z<+w5=WLlQ2!^9_3(L1VfYN`odWseh)98j1qHIs>HQ;X}x{r(X~yHK+0b`sRo1gILS z+*K!U+vcVyyH=wBJQ%bzkS~?klP0Pd{O6O^Sx_~wC44y`8(n{eTKKLl=+E9wCgd=$ zgEdp!IHx&y{-Eu+YJ77l%UrRVM9X1w;o%jpC~cmZNSVf#c9toyh`>sPPZv)jy@zP$ zM1BSl+4)d4&5A#tU$;P5UtgZQ+LvZ~N+Q;1==TfkeSNv0vNH|+<}sx!h?n!-A{D`f zP0@)?0Wk5TCRHT5{VUH}#>Ef`2dE*uF^5FKor%sQAH)YuEp^1Q9*fZ$dFKTNy!N(N zjV^$GmjL&+F*d2d7u?bI?Bhim^a+XfXn=<^Re=$eF)&+=zgZ|G7;k4Zgw>i&hRW*A z2D@XwP2TTCU*}5|g~vXyjAc9(Ri3INMyKD!zMx%pi>K_WEN z{UhBA`%tN%9o!YZz=0Un{86P6E_9?7|F*!D2EO zFm6+kbhRf+5+|T#NaluRH`6*er;>zbK6Nm6{Dki;V|->g8VWli4vhOQh#G8BiO$U_ zeSLk5=Oo;vvIv| z4YMIHD+awHOfKA0(K;%IFo}?{9sxGc-uQpR2>6!L8;lK3denKn8ESnA*E6?1< z-ydf5R|ytS+v#`bfuDP5DwN)VI8!UP@e%1Jaf0ZoUS|aDK_BKufb)M-Dhz|J=)cWw z{_NRH8jLITjop_Jc0za@rsOPm0W8QJAZ+e~!kRC)@u?rQtq!#W_~I1}B6(C-lu z&I?twvKR+;v1fV`c(H6hc*$}vwOX6kX{X#7TDL5gY9m}Ie=a6Ba5&w%xM8aV{L{J4 z?o>O`cGIDKu)=}v!0J+o+6~dMCFhfHcjlBJnG|Q7R;SL8x9?0Y6R^HG3sWXT&vI$JJ~nHAtAJt1L?g>k}#*6!UMGC8J4((hH$yc8SqE*hek_+b-h4AjIa zMY^<%QsPrg9ZHAx!OYlt6Fa+4MO9)ehu27T`f@24ZppUX`btPom-qLen?&>iT4v=u ze$asGNTLOt$4izA`L9{dRa^STk+d&~7(gD9ml7tlBpk&{uHTgBPe{wHg))g+QI?zN z37JJuvaR<~)xv$)D=fCUvrp^KAYe6Eod*>Gr{Pk#9FXLD0!R^+G>yR%{nY_?(_$t% z7)ZZL<{n!;o{SHSOHxCBQzNGfX)9z4W)a2DJ-4$piiHwKc+xa_b3(@3Pi98z&tr&J z;aA{^Gz89C6Zs;wuuzueJ1ak->XIFWu@tOn?Pa3dOROYYd{nJttg3WAIa@;N<`|*0 zS;mXJpvS%t z3=U51y-FAQ3Pu8)!40|n)lm%|^p6bCOW^04xFo+`Y79FH-BPd6eU&hqciiUg+2&H? zM$d~nJxu4nX{2%NOYpc))_;*x1KmGYL4d0Rhu-Ih|J7*+oIrq(=@k%A-`LpL+$_%$ zTU%Qz`9frA4G#ufXLImbYA2ghI}a1!+NMd~$H0mcj+UcmZkNkvI` z|M}f`EJNAFwqgYC4-!+;Vtmno)ZU5mYo9;sJ+4r4Ar17HY0}$`JM95_0E* zpzPpW>ACnr%8jr;H+D>Ra-^4jP(7OO&h!%;RRRF99yx8t)oPcQ>m!dR)G7YiLaVFN za!ASH@}VU`vhD|*lw%3|e=>*_S{&hjB?nKk{+c2bsiGT|ZpqH)v(dPhfdAn(7vBxkYpCOI_j1Ca6sCs&Osni%J z#Xmo9csjHKI(`0TaqAvAY$u=dXj7`Y!K-n6so{R$kH>of`+bVKt(#nmyIr2pXBXlX zX%nL0-HnY09_;^slHXf@P3@R|^3^+{rP!qQ&UJ?Qu9^yBY2`D?!Ny+<6ZrL(T{RUtw?w zaLdP^-3Vx^t22ElUo?xnO4@MB;3#j}GCy3@eQZ=b_4+VW-tA~G30D`1vU--p`(Dw< z<(yIB7JxZ_+_`e)idt^MzjXT+Mdx(tiS%w?Xp~^61#VC6AY^QDW#$k@u8V;bX=_PK zdRfq)(b@!lQc-00aq{5|w9a?sJCR&LW~vMDCif9r+o5N*tynN^j&_0{}lvEp4x ziU&oG4)hrf5V&#RYi33?odYqk6FYtQvAq27-k%o3;5d`#`a2r{8I|ZEiTxAgyLou* zu&^HdDQqQNVE5GjzR{oFrgrp4RG)Xab8ed89}_&|C{sZI_JUMTNJ(Q!(CWW@4uAi; z^`o3OC$qNKi;KBWeiVy}jpIB}=)79^=QqqAS~3Uvo}CN*VsLDGO!GZA{hL?3|0l1w z65&H%-lw=~X$9eW`h`7>M%|Ur2 zm8W?@4b9D^dn51 zAE1nL&v&W+0yr(uuzVJ0g9oO@W@bjR#;2$Kta?21fx-gpRm1+MmGzRvwsvg(RTIO6 zwdA!MoTw9^;VCtz&`ejWfkBBj?D z;1CXtzn?oM`vc;feX1TolPO<^L=-4ZJf;QvRpM^e!s&0dby%TV*}l{TUF(ppqVHLN z`yeHbckTz9w0JTg#%`@Cf#I z$0<_meKeg?_!(Zy3Tf5n4aCJ>6ITKMymBzevtR-rM_R5G8uzN-mF=2HQNF&jj+~&D zt3mkmZ5w!Py`%Wj>y+4Kt=rWST};+yTEl>o^_+6_dmv{L0?2o;aKP(+QHFT#3Sn<% z(4U{f%C-v8-mI}{Q~1~VNU8WB>qKyBrKbd5(EEs>wUy#)k?d=L%9inYaoea*ou|7) zp%-;=ZEzB8k30zINm@eG0@=rY%Y;HmX*)9lCnrkewFl;Ld~))hXFsclRdXOT{5X9; zJIh&i0)&gNdKWvM5d9|^SWny!^PfrzrLcApbgs5un1^ffIU`w??vl9~(j6%V-?BT& zMS;dSEVbl0#`GF{0?&>Bhjl5UhM%ygRYzvC9h{7JQS-JgU0@5!mzke3NwN}a1R^z2 zFOdyE%%&;U9#G&#YfgZqU0}CZWvtmT3OJ!GvOBYxv}OAVnRoBeQS)7kM#xfJXbOZ) z++GI#d!EV$VPyJFWHYNK+lj1S-r^P&+~I`G_IFb~pA{Cpw`1p-1bf8Imk1U;dvTyA zM}+)MBwq-N1Il0;jiMfT1em9lee1gh_!bTZta?A0I>R;DTKI%UlsVGQ!Yg zG3}bWuv|_aTdjuq4_pmf!3g)B3XRk>^H_Jm4O|foaoA^QD9*4m_9PUEpRFLQPSk1t z9eN3v0X9h}a3i!|_!H5%k;qh^{)H+@To8Lh!gXRfF0^awHN9{4M%CR+@ChD>;==pE z*=fqWoSaV$SXsg_YH<0JMT~5ep_eNVwNI^t*5z0l*#S_SsTxD%}KgXe{=tNG12R( zhKxs(sM9=pmJ+l87>_r*KL-Tm#Q*b-75{QhH@aYORi?2CNM*JCOdz>=X7h->Cfm3b z$dwH5*;XXX|E-7vj-5cLmo5l|vs$lU_}I^P_}gyF`d7>i(dm|uM!>}T!FF5n>qCBU zgWqb#T+Syf77l3OMyEh8sjo)Q_vC6EyA?pz1pvWXRKPp_!S-K8_Wr+2%b4jly#C*S zQEKOd2>R9_K;b%unc;-jrZWd#JRBLz0G`Zu`rAiy4<0f6vb_9}Y*1!8Ga zxth85Adp!I01f!~_+0j4oB(7kmKQ%T9{*>J@E>7k^PBRgNB@T*nve;#(9NVd^jAiX zFiM?G@=s1hz>L@@{!`TyCJ$cE8Vn01rSVYzY}i=urD(Yyu1N9BKwdz&qmy>yqUQk& z!TxA-qyCUO;}ofQuqT?UG6p1C?lxAd@7o@&t%-1AfVkSRS`Ow|UtLYnQ4Ib4P1NhD z{l$35TJ>MtS+fj+B<%zE`drKO_YFBUnfnyw@CFF;_Cf!{Op=1ae-6Rq|KG-Fen%Ak zD?=kGDH(WhcN;$L<@GGceDhu}lfR)c6DGXZ=H~aldcW-Q*SUED7?NmI7)mw}VQi_WJ5;41-Vep3) z3LF5Mww&Kn>xqgz_B+f)S_=Whl>9d#P&Iv}x3@C{VLWk+dpqMpv+W{{ga3$C3J!aM z=J5pd)1q$Vn%#O*CFVZ^(Fg?@u#p81kGEPyLes9h=+8)wy=(=VWd?N9`+(fqGq&t( zufJg!!jRb-^A7^TH8wV8{#DBG34EnWx(d@zF0svha+pQf z!;JNt0)j?)+D`#On#a?wRtwZ$MMchSO|px?*X4feOn?W!@a3fO1LX+;oZ9)tMMoG+ zogp!P^!4l4K)!FWznzxXSk>BEE?3jsyjq_+qXl5~iAuZNk4z&o=7gviZ|yrJsJl}F zQ=$qgr$8mI#bS=1V#VD7)EdxBf&ZVq=C)X2y-0mhGsnJ{;_hPZ2#b`*^gUI)rW;YS ztK?)U#Jk0R{YjTySz6dz5J;~*qeBgd+{EGUbTRY_bXO$Io}$}KgdqcOOI{q04xU3! zeutHs==cfZ-}kaFYnoBC$&J}0Vr-{f%JBoY+WwL=R-W{JZ(~k=;vIeCh7T_pCj}$;_Yx}zF}ic%@cQ*wL!U=2pM@Pe)!^m(9K8r-h#MaI5x!j4(b&*C zVO?x8FUPn8#Jib6=`I~S=ioGlko79k;lW;-s7(tH?PiSykj-?xXRg($muE_>U451# z`tR<0+5CN_X;Z$oOJKzacl!WBf4f+I$N$L2AJG&K&c2gueudr;J4`*#CivD^7F`v zq~uYvC{>bhpU~F69drJsdBZXNc7*vM7BY z0fjfUVfsmeQFhrsuQMFdwDRSvDuDInA$!r|%lGsP8qT{HES;R& z=Vdx0u|kAu-{J;OEsOd_93XZA`VD9gj-U28t{et zT3I&z7;Vpei0JNP(Sx$v#IC|!+SR^JqXJ$UxX6K(>Akr(raB&Dr7N$Zm|=uW;k9~h zcL>!bK=Fg$NKt1bqG}*=AANj8wEW#Ypk=SdVdRq9#IzsbrhRg9$!Kt`?D~@z&$`4Z zU&VBJMqJCE7#|1q_g;{e$Y|C$~DV34ZVBPAjXOlA?Uch z^s3)`JL_rZ9VMq_PkxG&h>h(Po$(Z0WHvW1>|?%b=&5}03moJHCwePH`<(3!#F{1r zYmNo;7JK^x+bqQ_t~gEz#_>S^Npj!04-0H#=mP!~M*6gGXXu|1l&9$g(z2mtJj9J+ zS$MgQyg$bTiZa@Z7V2^7MZdDGm_6uq*$63DIp~$hDsxY2SE%!^F%st6VH<)XVZN8f zD-54hR=SZa5>0asF|rR(d+|!;71X%MJpw*4Y&e!x3do<=`>l>oHTqLw&R!d{?MAF1 z2g?;e{ddNU*z$}QYBaUrW!`Tx&d_YxBhn%Ao$!zDa(Iw&7Lefq3&+*Tcw^eU?%_WH z&o>T#n0xET*WJLa-&<&LkI%p8O{Jc8O|LnG&%=5R3>m}?Nvah$R5o>#u<&1J9WwB> zDnh3C(SorKzM1#7W!9bf^glAjq->X7LPydvREk9OUQ z8%2;zpY;P4=(EGKiGN;8f`m~^dRSo}`PI0VfOD}L zWSA=Md)VxafpkJQ`&0QuyBFZjop&+Xv(@dP3wEx0^jh;AlzbWSH_oX#rmpky>tGcg zUV-V)Xop5+V|dG@4EQvEOgNeS1HMW)y^J8|UsFnTZXp2LKKufT4xgDW=Xn55KjZOU zP9VK-Y>{uqhgq;xpj}Tei<|^kAf7C}_*&MEOTqZmr^uR^*v-mJo3WJGG>by2c5S7g zkBR7Hx2*7To9Jd}MO>OMa|1X#V{OdII7)C4v>2RHw|uobDIxerUxsD7ajZ6O;STB> z7;Y$O+QT%M53T?+(dAX&C~}_ls_C0E$((c5F^U5F7}Nv@FYwMf%_m0lCfzV|dx~^Z zm9VqYCmzhh7nqB)fd}T+n&ybS0Wl~C4#+8zHZ#!`50)Z8^`!@Sp#5wJqM6}L8bvP< zZJ2li3GYvInuiu?A`1r?L!2XvicR2~lbXjeJkLpIpAI#k-}*lXeXwJ<<7&2tk(2@n z{@D2&&j~AD*#2E5eF3+673SHiUU!z)+K^E5u1i~@xjA4aW$k>XSU39h zCG-RK7;t8>wGzvJ0VSi&1Nsm%>gb$akpNUz>uNh1uTUI1R{VPoMsKU};!HvSHumh?4^x@cYM? z*PXjyt<#@A`M!${-TpGQcSIHX*Ec?K)*bF0sk?3-RI87dBm(yRw|u7T(Z#)ETjLXN zWbAdNW0xc2wxq@RV~Nh?uTjT4$8q733%0r8$IoW{{X>-ju0DX~wc4w=|4mVPuQP1F za~jinxYFv^#fF~iMuloE8I!(NSs#pLAEaMO;a81a)MDaSjVkN7tZP1UR2Q~aXH@;t zEGroWbNaY_TD%P~(UE3d;tp=bbzi@=Q}UaW3RQF4*m#pPZTM`S8U#*LoP4aG(F`6-O)@2o3<%oKnT-{W9iA}Vs; z2`#oZu6=zF7hTd7$V0#aLxYjB=-;%c62}h`3 zexeF3a}_&O(&x~>XKF(I0M~Qjeem8w6-&NP28Z6#*P~RE6Oj7UUeDfH^ugvrfRl_c zk>X1n)A9bU|870Mo8UI>x3yl)&#v9$L|70xP^bN9@XdfPMMtJ@r{j|N3h{47U5Wg7fZk>T7J%~>UcMuU zdA24DgX(6esyu8V5 zZ4^GL41C+yu*r4#NBNB6VMh~8vXJtDkbLia#(u1SpVna7S|i6|v& z!Sup$x#DSXnaTlJGhgmT5vJjc*72{5*fv&z80qqMK##Q4>1F6Z2QoCp&WXJvw>iGB zkH3qqG5kI9-0he~5!$tl2S1c}(8gLmy(&5J4^qS}58w27vr`3%c8Rx&ooPci{DEK8 za$4xYd-|s3fFyHvL4v}kR)6V@N4raJE@ARj+4CnF86bu7Kd+X8g?0*j?(xms&bK?6 z@ou>@1j7DY*h4il&>-uBQCYcmf=L7c{_6wdgA>-V7YAC_AG%mV#1wgk^s9+iQEyn( zEVl-+W#9I8B9m?(k&M z(JuGs1|u}wM-{{-n?imSTgg}BHK0A`a*DXKy|X$;?_s4l(~Y*u8984OZQT-n4t0kF zhFS4zb@oayJ#Y41ow~neJQXg}^ooZHxp!wqU@&qOXD#gEq1sHsc(x{g*Z$s^_lEC! zlBaC9>e6zePno>`-BsVHApUeUWNpE?&r$EgDSa>##KyevwU+JIRZnVYM=j`cu{1E} zJSo4z9vD5%i(t$zdhA;LUez{tx#meZh1fNZ@hr2ay}3HFAz;ML_&`gJ#Xv&BiBk|= z@HNp17`Zd;w$IU*a1?L8W5?b(L4R5QGUNoG6^9-|!W3sorb)Y%3Aitox~#ul{2$Gn zX*iqd{>OEhV=$_U>Y=S^)lzF)#Lkq8iZvvm_N}#)s=Z+_ZFNCIi%>Mw8ci%ygodJv zB9_=1R4p^M1hrIbLFC-&^t?FdI_F&fm;X0;@g%vPC%NwDzVGMv`+UCsYtoCiE#_>q zlQ*2NINO%X^r$5{^^&vd(}N!H+8UYPBw5UaZm3yT>Ff9X(u7zQ?AD&RNb?JFX*g#s zeT&-kL+X&^LWlEGSoAwuY%65{n@&ki4<|aB(~Py4S~1+H-D``3yVpc-F50e%zU(t{ z{Ub*Dgd{8MtBj0JN>}jy3|s(aXv+_MqNlVd`cIb za|WIK^@_7!9(d_8dusJL&RIDM6=by#k0J|r)xr>xuDF?e7quj~lEQVq#c{o;oDOpg z{-Y1wn}8G67#hTOJ(BZo=-sUIPQ4~nubDpszFeamyFS$O+9Y@wF;m_0WY*#By~(mz=(`zK5u8l_xnee~luBmV z5t7X?{b(pE#xWP^aFe$zbg$%3&r33%sWfU=K8odRuc(aT>(++Y$mIUg;Dqe#HYRyt z{Xve8KW&@{qsM0JB!B_yQ#58wU-T7M$ibh;zE$ESf?#xaeKfNO*^7lVMuZ9QsLq1F z^R%ArIdxW?s(ks%WzesDa#&J%8cZV;ygM>CMKN!m&gDs^uP=qy!33*m3e{Fa9P?ZM zdpGjfI@VXp59zVyLMi zKFS>wN{}N#>4*o#LYG5hq`Xc=p4KsPKIxNSVrWoj^l@3wJxpV0lh6KwOMxaSvDWd4 zK(~hCJUIp$yL>aNuGqUjig-i+Jf7q|#J8v&&#>u)kJM4rYW!>AZqksp$WP<);u^so zaw)ci+T3HsHGRq2tFg0k78b@$n+fSbF%O-TfZy&Dq~4VyjZQ80-H^K5TkLO8y`hHR z_eV`jX65?u&WCGf15ZI5+b01@vY^{@k|!xg?ESts<|BWIJ<(;yWE?IMS zjb0>ygfW1O_&J3&gY>b@rLlpNfZLbuv%4;+X{!1o&RTo9^>+?=pOzCKw$~g755;60 zmV6Pn?tB456(7{vvX_B`oDq(~I0k$jzRX15F8>*l{odNqQ+i=n?k66+FYxh!-&B-I z-bmUx;wdedA8cNde;bkN7HU0H9Fe6uNQ);Ck-I|=F1A8_E-(aEP8f2SUy6K^UH8Fe z(Oroc1=UfGA32V*SMF3Nn?_k*7+MC_32a|k6{xmFVFr>ismt?Nt4~c{g$j=jW8~3g zdKmEy&wX!``drN@N=da3hZ$vuCA+`AV>iDBApY4i_1t<&LKQz2Cdfks&T@NO%8@8` z$my;G%&*4|iq{jhB8g?&%RdFL=AX1&Q?ru5NajOz%WDZrNV;n>`Tf&`(tK63u%|;Bc;gWg2G@$g0&oZrV*45`>3EpQLAM5FUi#rO3KYuGUrPk zD(s}bYFRG~tyG_AD_Igz5njehD!9NT(P0TUm{6o;)u`TbC|$isRKt_%dS~dQ(|j4a z%`?XjU90q93RP>bKJ8Ab~;MB4- zsD6#Tj1TR8eZ{xT`jY|>N%rS`*f6@iJS}0WV+I%}9n!d&T;yA@g;b+dcd!+4JN9X> zrvKiWRC2vF9^0)-f<@ajubFCK=~k!9FLmKVO$v12hIZ^@^%B(3$As5&b6FMXpu8i~ z0||2c_<~_eY8_QT6@7aQmh70#ep&jfCh_()TF+h7Yccd<^^(g6YaTpJ@2J*w3BuuU z0*G${a(r25<5{9num@6(S)A%u+ddUlJo%yiy&lXt1Z7AhlM@Ce4~<;{Gf;U;^imCj zKzC;ys<)1uJXBbM7mc|_lMw&X?3nDBpkNB=C-ag*n6+G&M2msZ6g~4|8e|j5OxO%+ z>??Z)%Ds(@7DfBmKH2pz8>6ew(Y%BPC3M+nhnIHXdBJs?#axMP z+Ycg&S@(7#i4Mv9#DGU9EoX@aFuT$)fL*5g$vYADJ7}<5p|O^#S%aSn#eZ(B&^}T5 zC^kGvXRt}(#zKIGjY;NON2z~bb=8erHxZM$Ti71I1bgpIJDd#MHrzM&wQr*%$HV z&#>C-;eJ%B*^4Fv*X@%lE@+miC~E~WpR0uZ;1`rc>eLOg>r!Ce-?1GP?}KT0$Pl#S zBhceg;kpYdNd)kmMIAZFRG*DZMT$86&LLo{{2eaz7~~bEZD86#4F@#ISgSJtHBAjF z{T=bc@BX0owKhL%pQYrwyt)8?<`FAg>582sY!%z=rs6}2Y1nEU!qgtAd_SqsNQSjO zr19Ag9;yK^2)(~#$+v#gPOzRZ3)^~ZXB3_uVc+2|5#0Y27UoASFtX^v*^8)k!$1}d z<|GkCre7N$PcQj7a-RqaLx%yeKoz#+fpUm0Ap`8SBf-c;MJuSOPDP_v{ z(T3kdL)NQDVFhm?G2&5ad0%s4&6^OnOqGiuOyM}5%zblbG zz;dRjMr63jU~gXC1jRM8*`bTbG~2bcfZm^&Po~~QIIdnN9zkn$pFz#nbaw9?F1!`~ z@}>__cD7=5P3OZyoa7Bh^ML2Rz3l`u*UmKkdH(hg5x7o<4JGs`ji8SVx+AWO5B(a? z9LutE3rAFYJL+ME{~V^+AQ_^@UD;5&Jhe8cv1(EGX^sQw_LD2Sdcy^M<1^br9**8Ob%h>Dll!*|&B<>}p;<_Bg1Y&_`4i{cHr`Wnz) zEBM@J0O1tgG&()Ra6Xmi5i6E7ghF3#sKU40))&Rx;YkK1LoG8AqJ3C2v*CbF`IWi&y9^0!-M^ei3=Jv`z0gx|AI%~>8!8T4f|Q;s zA;`k(v*K2Rm=Ly~t20?_s6CBg0YY>&?^=sZC zf>+n8b#DD?Mi`1rk;LLKLvDEnkVVZEBoXmnv`9(T$QaMizH|RVn3~?0E=K}_Cqa< z6Kp^JRFs!n+vy@VP1V0W+Cso|hcJf&Nl3_`e0D_a>@*&OAJf)^dyu@XWjD&}=PBkE zTK=$HW0E;xko)5WHrz7BDAGFA~=DTyP1qvj%2umJCeB1DkZ&u{*+qlCo z2)03Gsv!Vz5RL0)tj=@-SiUiQA*1?2mIX|oNAV%}WWf!C9pwP0p5e;?*l}au$aV&? zIzSFcde~QLrDNR6U1Bet$G$tO#yE1HHk#3u70n3n0PtT2H>)({l%gnN#}}f zK-jHYS`rvh$?`x%*#E|5pLjZt4RC`#ep8Z$*y;iLH8OG&s7IpZY5xs3NRe8&0UWr) z-}O7j*4FTCIHfY{Uzyq00HM?Ed;mPT+aSATRkiTnGdnV7G&F&9hXr}MT;nc`PQ`)V z==yFl7n1xA%sw$12Q0$aRUgoU<;F&V-<+FQvKX`4{n!9@-EgwObkDmRaGig94umPt z3H9>w;+rsKy%lPHsI~*NGsR+S_Lw23L6r+;!UwURX;wq``VI(o&g$8c2l!LN5=~3fRoCf_DLYZpZOg}I-n0ve&D$b}H;p?3GIoaJ!1D85 zYV%c}U+1X8Kj@$8m>N*m=XSq$`*Q9S**5U9*-;~VcsX2zFS#Ls{bsEJHW)81lSL~O(5d-X-}Uefq=kUF!> z(8XJ`g`2yqL4ovJhzTw;rVU!XAGfa!ip#?xK_Jyv$;(!G+tQwefAJ#!%=ZA~_0GU`BlK7BfyHO@^<3BG2Z-*e>yv~iEsCdHo4x~cY0au(d@ zZJFQVKK>fiB(@Z6?HhV9%^CVKIEbo@`@qlho6G`$V*v-x4TZQ~(rmaNeLqE@kQbm6 z%RgAjrjZ)SKw+ELhv*m>jE{^szLUF7A9ypa-yd@N9DtICaQc5SwjK<9$PrH98xnis z$-fD9%H~nq<_{b90BzaDTLvR5O6)`7fXtV4S!!-&bm| zsvgbiLV+-M5X$xEYy-|DCIWs$69NH2BH>LLwq=LLG@4y%sOMF9+*dNhC9^o3BZ-g0 znwAz9&qhBC{Q`{OdeeHl#OuJI8(&;r78%*k^S1zyLp0Y*3ns3#gA5|&He&$tHzy}2 zKLi}=-AKr{=VsO=Fw%I=nf#w$kz7uJNAD|d+zRKwrGt4+Msr8gz!4rZ6RS%VM(%h1 E0m%d!iU0rr diff --git a/windows/security/information-protection/windows-information-protection/images/wip-encrypted-file-extensions.png b/windows/security/information-protection/windows-information-protection/images/wip-encrypted-file-extensions.png index 1a0ec5397d87e4b1f8af36ddd7fa49b20a528a64..8ec000d2a74d4d1478511f67b84df3bbc6e82833 100644 GIT binary patch literal 23272 zcmb@uXIRqh8$Vo`xl&WhJu)jTx256$Q#0!>HM87GW;t@<^KQcBrQQj}U%)B`5s&Ary;zSja>(GgndCdX2YvX_7 z1V8gD{(zG+E>a;UPS`^4-PV5`;z-VBO}}6~8HdsFJ_`bzmeqfMF3K}jt}03PzWsz8 z-=)Z@d)3J%spm8#|E~XJ_YLllI3sM;MW#iXn(VHrY^kvL&$SHP@NfQRYGw5#IFj)s zFfdpS2%KJ>Zmy@UO$@#C@GxPQjy-2^`%G0;70Pe%AFjS!Jwo%s`}=E!X^z_|%t!3f zx4+PaaQ3<1I1nY!8EFW9^ouKghc#k=eBdXMs!6!-#8*~<23X-#Xo;z=&s&r zx;Dw`Qsn4v8l_c0;e&A83lf{5)K@e=IcD!`*wTbRpxK>i;?oST9*qYT6+W-YKj=ZR zXhlk~b8$1lvNzXjmGXlL|XSme1LB~jfr&TUgt4Uk@2dt3!xHo^7E z>3X}@c4bz@NNM`Hr+^5bF;w;;H0qFh@$FyL-b3G(*oSAVls$6~e%M(@g$>u&3>9RV z>$;>zIz!bc0KEy6x85ai5nSWVK~+`G;_Yw%aPm!PwM4sIQNE-3lpwWOb9DnDza}MV z=qdj)9XV7`Zf>8p2#@!gL)fiFuEsAG%CW5QuZUZLB^5MB;3ZhqPXAYdsvr6mWBkIb z5r0vZ9jKpi3bAVN(3!cAv#OCFlCV7U*^*eJ^Sk%&sIM9S`dkcVg?`A@Lv=de_}TQ- zfp=Adc$+ISR*lj&PF_ZcND zBDc2zum7rleBm-ZXz9u3Viwmg=( zs@^s=9)8awYTW|Tcq zc5RJv5GnfEPPv&;>r5loVkq><(bKMtlk$`2w;@Y1kK0fFtlk$5xU)x9!mVd9Ns`Q!OEy945+Lw88JO z*kDbCgFJ4%AL;x=jfZgr-Le1ZN_HBykz5+GCiqyEyqM1`iPK+aVf=BrC&d05u`(?aon_OtZfYjua91k3DKhjSN8 z7uwk7M>*Ku3>jCHZE!Z%fFzv*Iz#}f3`mbtxpbl77cDL(B?{H)^uodN zv5g=V5M;maTcwQctR=Rn$+t&2A`%_+N;4Bso$fCkeA|A1iRv(FBP-jF_uxBig8}JR zeifbN;n*2y<9Ha8c;8CA!3H-r_jmkczdMK0$|B@-)1_lIz_mh1FO`MKa8nB*xCUgiLU}Fc8d3f3Y8z_h4a&fl z7XaujIB#kyI+=?(8?3J-53#Rk+nR))oV>0$Gn(f;Jtv&%lv}QEDE@A&X)&z5pikhYt7Gz9r@s%DPYD4Z9&vgWoqIv%gkD?eqX#%eT%tgf z{s=y?&jVD zMv$qd*_PrTTTh~$zjwUw&9ezAC6J9Ww9V$wB0{J>RJO0v)?OfosSBj+g zL!bgN4>3JgnKs`b|5Tz%`TCsr1w+C~Q9}pLhiT>ZH0re4^)h}UH`N_y757jhpjtcc zY<$!CJS9&y?T=az$!3?&>kveUt}hsueLYW-s36gCYB-MQ!;Za1bx`|WDj0Ny7Yh{? zXWP4yO5h3`jzc(}?7nkwE-BF8`V0y9L7Hv9sLi)H&i?}v@c{l2a_gybqvB+)aIGO~ z=&7BYArGSLR<1E{?aYIO3s3DNeBXBFNrdzV#MhkThAW8?Lq$_ppC0>_7(2M(IV-35 z@CGRWXpv`WqM8m+f^B?$4TKvy`Ll`Dz6ItAyPJ^85{Hd8J zgsf5ntF<>9w1sHHQ+`t7Vf^Wv|6J`ays2#hajb^uuiwJfoC;H@H=5voh+1=`(k}x% zL;zOJv+dpx1GSQYa&Y}Q4Y>>SkXl2Yl|PaQJ286!%MPBe7ye#yhz>N5rv)g?rk|&n zRcaL9zqIn68>$1&JqeYyKXjgbTYBe+Ja_KrkA!ZCSBK_lw}-EY(TXKj(oYek1?Y%Q zbwM`bGxb$=T>UUrCsC2J!oUgCyNUJ^rA@ z7y6=R{Z|3^=py>AzMWtAcc(Nw#9{4VWY{p}HTgxsdaoX&5r0D+XdfC&MJoM8=EmUC603 zGIsBLNHQR>fkBm=J)QE;c=qA2AeEY21_Nlh`6ql_X9QC{b>Q86T-a{x&%g zDn3hQ$MRJ6+>bA8fF{3gBA&e$wD=N!h>0pwi1tz>aPWX{RKmoYbkw|#e6zh&jEz1$ z_R)_n`EDruF6CnM6{FlEwsmue~cjf81@>`I?#9gwf+$M(;qq-F1O`#Q*v@8Nul{mM!FYq2P1*|z6ac4 z82ghRi%1n@_)1JraSW&_8GVX=8$9sr43&%GL@I#YM}n_vl9F)^XiRG414<8{9L$ z8bbj0>5YRUA4)9{C}EU?#S%T!Xs(A4@iT|tX25$6z`rYt)J30fy!}O^pLy4eJC2OR zEnm4Uu8KsPhz>~x^wJ(bW;DwN4c!pkRXrxv*ix!ZqkRZM~>zdrh~nQFxTtY zW|UDyAUkKxmJdD^P^*^~u7VSIy;OXl@+f@6V2`@dHC3sCC)n+}E7Bjlo2hFbm+2Y-^T}UZIr^Lze6MTIv`l*@LnvaulFn$aVbMk@^$s zC-%qHiQzBRSLcJv%+)Qxp&cw=$j)RYksnV)K154dJ;vW-kBo^(2Z^;#3T*t2Uawd# z(V-yD78Sq*yL%w-Kx}lwb1uN+(xZO8V%I$+NyIT}hS*kru&5t$E$ro4ivdPGKXB6U zoVPb{S7vAk$_R!XxO}#%TmABpCPNeJ!HBnZPoHzqA#DB=RrYi*{>ixG$LZIb*D0IA zM;vr9N2SULifJPV@5JA3L|SY*%yZS2_*|xB=Tu`k3g^mm4VhU9gQ`-_vhAB=uCyl( zI=7Ii^g|KHR0rq!OTC9B;MbCW`-XP1Yt#?lFPcVjwcq@D*5X(>cDYw|${N#oTvoX; z=va?V-B3D{DbvEfY6koML(4xC9D9h9K@+Dh6}g5ONlx+-;X~lsb~T*$*k9c*s?M+; zoaxyi8z^qzN71=&?y_ zZVq{MSzM*%uh~kZ@^PLn=F3KCzna}XoGL9Aw8dHLnx|RIOEa@fa@adfji=dr`$HmB zve=2Qmd}D?Rj4}l+1^~0m{Y)xnq=6Lp;p7|GjrERmcaZI)&x3^f_g1(!1%zONU))=bZ-xCHjzAobU&L+2?HhuuUi`@!c zwg@%FV3WR2ZADBB{dX$w#nBJ<$RTdIp>*04YrZ)VcjnHG6jl5@dK$*fIs6#2`sE3Y zrQg-jDxIKTDWyxOFiH=L&wvf4g!cP#v>(GESH!pHohpc>1_uv%s{V9WX206xtpvMX ze83hpw~_A}7WxFb$Lx9q;m<(aQEYg%li3Oc`YVWra01BR#u#~h&muXeJ4@ zlfIpv%lezjO)N9tt8Z^)Px&-SXH49D0Nl3`o(5N!&qcqt-90GkfQ61)HPD0GPwF@D zPeZniJD#ASathN8?fNH3A_m)PEAHS?+w@tNJh7kSSSj zqFno-zba_!{Xg=cuPIW^-le&A<+TYqPijw9VA zZD;az@-tgC>Zd?i_}<+&asQ??F1gj#QifHXAL}?LV~u28iOcCJ>;e|&cg=q5_ALd>t5&EL3RZmk5 zy=ec?(p3{}JDYRq;Ko9`lg`$Rg3fN0z1~vfVSB0=2(3SMk zSp>;bYaS7<=e|tih+CU8`^S@0yy?r{(scjQ^k2`B?}lq1rXMkcrGLi9Z%m2J+~^<0 zc_ZD4|Mt=6x5ekO>QVmRy>H~(Q5%Zi6$8dk zB?6t275mC-#?#-0Z(Y$^JQC-UsQO`mRj75By3lN9&ft%z|3kAXl*!#6-G6(9Mv|qb z1P8YS6>i8y`9Ir>p+&Yd>!5bJWSL5_|rgXOM5)yi*4m#-Bn5nRw z)?W9&X7+0{^S2$3P{YgnGetjB1a-)JY{|!SJ7x3B_t%EvF3`F)3(Iv6Z;u|OSWY%H zt4%jW9ZSPe$67l=necQz1R-$b~muEYRmd0lE zV$eY*>!{S?LfOh!Q;4ar;tG1o0Nz`VI<~hbz%V~rHw4GhmS^`-M3e7RWp-#;mD(}S z@Oe1B@n<-pWil+Qb-1-?Wl$szb?!hl;D>H_q<7rn$I(gY<2I0Z{g1j0>XF=Sfoj39p&I!w@nxtHHp?oFQ^AnD~g}(HeMKws@u_Z+`1X4{OkGeKNUIK74|&U{V-^&3J$A1-RWj zBg{b7PQ9=~0_E`LNyl%SR4X5W8G2POO8EUkclvpuYM(SKo3UZ*Oy5AC@9`Uu>nk^F zt+Ie&wpKGScPc_?)LDepM)_eh`0k;>EyH zBYB2)C%ILxsQr(W_|p`#yZ+$IkWQ=~x;4lDRDFxW^!qC1oMX&-&`?!2Ie%<>nri@m zWd!MnX1pkoXfdeCTjvrhDMaek|`Z4;O+qCA~-+>OkCeJLx zY`~>sTgE=#zP80s^HS&EX9cC<_$BJ?xbgG%1}f@uQy&B1(VGSb{aI?e?@rGx9H#`E z)%ovw`-F4fM-9>L2BysK-^`uteCI)$7-@R%K+Q0~S5719-S8E%lgj7hK3 ztsnhn`NZa4A#nypVCx@w0uQK^U~4Oht@)`8+(d1}ND1OW&0i)>=CvoJ@n6Rm*#aRx zW)&q=&tA*l8bKipO)j`I1HIRLkWJ@Pf=S1l%FGcXY2%lEUu_!{(b4^#1E~3a@Lpdr z;&q=kRupqQqNg}IdBqrSIPQ2;{DaxtnlA0PD8Nzr00L`#aelPXyh^r8DZ4R|=HX)) zhPCNaeqb&Z69D6Xs**J(Np{X+N${Ly+n*7CiXSxZxvg_Pb)>Q4`Q~@&!+zoefNN6Y zeA%UXknx2LSp7J(Z_fWiMZ;$v9(SPwQ65PNR6)?)I;inwyi4}8>=YxSuO^`GaPou% z$kqkMSjv2H!Np@`%IZP7GDav|eG;~te=kUGvY~d$zy7n%m#1-%ahInKC_ExYU|Kfy z6ny=LXIeqyK%0$@XR}7o@2K%e{Fer3m-1ssGvlBOuLbbt!Gk8^ci+}`PN+l97L$%yhqaqTwCTD(xCx4UJaAsV)Ue;`7UTl7+O$IE02@O~}}& zxQi!O5n>ac7cjneenSEqfU2R9pB}g9;e(oBh5p^k5BO6FWr;0pfd_=D!B&S_JSO0L z<22}K7d26?dxm`sdX!ae>fbIQf;#s4US|8%{xycjwCvRQyHhjV!jrmEOT2EO@bzVJ zu~wVUNhF59p>ph=|E5@H>+H>~QDND2DOPyC15x;(LT}Ot1g2n$ZV`@3rjl^Dj5)U+ zp+xyC0ezRl$4lOt8gc!11Kr1uG~{O1fsKib-Jds`BO`>;x}GfCs|O<5A=OQ_NmZ_B zxti;da&Pe*-d1X@TiS3RLRU4{OLDdAjyW;}A665FmE%Eor`^9U=7{xU^z5gmiaL7< z6u7e`n=@$l!T}m_FPt>_e{GuprTea~<7bi-EEmQmieNel-QRo*tT8v?>&RP#uU=}F zcc2;@l0LiHj|f+Tb3eE+nhyu`FGP6SDT^$f9;ash3- z2}72tyNh3}cBbnuXUsf2YIxY;Ye3xUVEu@a$m;!y@Vfs0kxWaVBVSN>5wqWXqH0dBKEr%WH(+=Y=eM-jLoZ^pyqG zU%@`GbysflJ`{K{CpU*;;I7581T1xEc`HpGGg@2iTxVJ3J*PfAz;AC~2-@+8LmdeI zrtM}=jz^_fHnQEm3d(WqG^#6KGx0S&D=ww^hz&4lWSl7TxaCRjAdWvaSTf5Eo|iSh z(dWl2B_0wUfA9`w;eBXq{JnVl;qJ%s2Z!0rbip)dP5>C?-$Yta{9THwk(xK;kQP(F z*d|y}Ty5@Fu`%?0?Nf*L#IPopSM&EjCk;q3)n^J^y<>UE-6+Dw=m@HZ zDo+N$PD>o5%j9_WbS>(I=F);jStc~jG|i=bX~ts%OcV2npat~hsrs`+sxC7T?-qYG zt9kKft-@INy?SPv7O($oQVDcPR_raQBAx6zU@aqY2wb(_S<3X8^uJV5 zXCG98_NMtowT-i|UCCv&2vu*81MyD%?PYs%Q|NncvcN``3c|p*U&u$(4?W^$KU}|> zHhbsj{a-^AOS>KQ-YX>@caBkkP(Q@4e0*J%6L4OU^;0(d@`NDp?`ZW&uwqGVuB9bj z0vqIA%qvwoJB6vCy(EgK@6ddFWRdp*&9b&p%TECU4*1Rn@|rH-cc0MwRDFYRO*Y$= zNxp(drH231hP!*TDrhmK|oYl~*U^gAns?ppj(LeM74Ybxe+cGY^^ zK`DAZZpr2`gorNXv8$1#MJBTbAKytoJP5;YTNk)B-HmbRRFt>t@d{@ z$6kuZzDM^h$6F8T>T7?>>4fM&v%s%SL=dl-5IiAsA(DK5zuzX5wss6Xim$NM@(U0P zUwc~)dwb5n(|(HbGK#v)=Tn4nbn_@*S;m%&trF)CN%yuBzQ@#i&HRouc>ODeCBUce zdc8+(cO3)uz_BMoCc=wj<2=G7rh>3eX z3PMa2{PQb^)JoIx;;F`OzE-!y$yOV%H!zt+mGJf!Yc8Mrx+s9* zB^En2M26$b!%Ih?^d4~L{&!{!X!Y1xPoboCnUFg1ChKMM4%OhmDYOu{&jW|8d!$H7!y7yQ~{@xXx*s#keH{6l2-TLZgP8!uNi ziMi&P>$TCJZPWCIiY{eY*t-@T%<1s;E0+i2?SxvtD|ZJU>lm$D7!*zCdL^DiZ%kk6 zG2RP^%{aQ)9+k6vmbgdn6d9rAYH}&oSAvd>*a-;`M}25$I!qS91quxQR)Jxe>;9&# zLq>brA%YqX$Ohl<(336HrhR>R+ZRUygBG$yQ2cYv=gOmx{b^aKzTakr1s$zm=0d41Qn`+p0eQspHjlc(vws; zB#$8F^mS~tk7krk#yuXONk=}>+czWG9D#>6LOZV8WjJ`H3`#y%j!oOqrFDc~%tCBB ztlk?Kuqe9?z-`1poEg@!VyoDh+DSi7NJMYx@uyA@yQ>E04PbL+*Lu3+acEhqw*ey= zhWDV(weqwBee&>q2nFx z9wI{;NXBt1JB4pboMK=ORj5WDFUj4mJH0VAzDq1xsOuG7Ea^M!9#{yqBiUDX;cgM=?dI)RE18JFc`Zx3)d^PiiragqVms7xhKghkBOe%t z{B_2Zxxyl!fZ>#_T^GAE-S=C$oR7DEZ*%!d?3@E}%)I~{RYYhH6yE6FS@ny}IKIZd zqa7jAK6i&M9|1(B>3ypxN#Bsmak_yAUDY(Dawf5l~+4KuGQ8P9E zUl+$)K0XQBzd@yQun*{`FS;JNO1GS+gb73T7Anlz`u=^jJ7bqQo5g>kH9n@ny}6gbDfU4x#CU%l|1O zXKaO02w(Zw7$_H90hgGiu8YRXCrdFdpcfe0Uu7OJp2aGMs*R0)7->8V1-7u#zBUy1 z8vw>WrKDmO=`WKV#zEcjvPO26#Ye1Zt)W?_aoKEuHPqFB+rQKTYz~OF21+|*GGI8s`dB!5)!JbZAtkD zXXxh-gQ7t5LKMbUCi3vUlL9JwJ)E?E3I`tAHDqwTI~FAw8|<=BBAUwNwNo>SeMG42 zu7=<^8i|EjDPYC zK;t#|WWgh5L*Um`wQeB(5?`3G4C=lypwJ1UYd0TUSh2y%q@Bn^p;sxM!9}|}1b)nS zzVhgt#cMGj33@&nU77#`z;5uBZ}wQQG9HoOvLo0ujX$mi7*?47Ii(${x-VLC-}Q8u zr|ets3jE)C^JEz>Pog$SNFP&Jq3r%yDwc36_I^H-VR4?aQ(|^Yd(xR3(bGkb+EX+L zNvc35Xl7b1O<3Y;7{wd06m2kp7juPO$QeWF+Ishj0c<`?e!Kl#8jaJFOxGLRfYX%q zwMsS;c4YYWA7P$c>Nj2+yF^OIzzH95ySr46ybZ)Wkc0W?3Pl&eSpx5WsI+omFks5L zL)_1d4$6*6Y~TFy?!sR{_bzpC&jCTcIU;*Nclw1nz1Z&zg)-EZkThP3JFY$orbMy3 z99t^B*weM29zUN!FGT0ayfMNBm#g15I#4;5#tp4&12I`qghIE0Tj24#|E>paX#dyk z@JCWHlum`nf1>P>q%*^SKP{d zvxoSVMnA$~f533-H4=ZTvKxQp9>_EMffk^6=Av=3w=n!+s2f!O2q-J1)W@&R#&rp) zLbl@%SgsUucvyaV4LpAy>44S{@Fm9l>8FsQgJK4w2fjvz8Ac-o+iw~AO zjD4KSwly5wt~{pvDu>v%^b5YY{FX6#lCFiT_uUtxNYc!HP38j$#>NYs>2C59g`tvy zi;81{!K5=V8<*dOftCl*gb7+nd{f45r)W*tq;;`JY24rtJDJdybRmAQClT~DF*LNH zdpm|OTu{}joKH{_p#!+|PBLIPXIc25$6KwdeeI!cWgB_f}gUH??+*u#C7kRpOOJqM@9#xNx-d^4;a*)l4C-$KTW z9!!nRKefJptlM29v&~CkGepMxI%pB5qqym~cb97%aRp~lEGuyZMe7;jiJ-iKaK)%y z4(hMmE+Hy6cRX5?qO6aRpt#8wVbPnFDJ{sv2;kdOJ5ul5D&>~)`&!FV6u-Gfj{vhh z1`kl0NUy!*3anAmzTNR{E~<%&p&95cRA@wu?&_!bvVsQi$d8l?L&=Im(<1fUN^*IC zGzW@Hg5|+u9t!#Ch0poQp13gsDHFx9Q0_&MH_&NizQriXgZ4*x$0vY?UX#`VFW-)Q z_A1cq7?FBWt;yLd7F*5zpjvyaxj5Uxck#9AM(d@ThWDhD-4RNfSXdu$E?pqGs>&Ln&G;aqmRUv|x z$^PVxfoW6ZVz5?ER3!08eJ%T=2r?^%`v6uI>aHp%n)A%5*6Tb{9*sV|$Xn3oT)DPg z6!`fl=9#^S(@As0W+rYo2KK7LSj)K*F%%px85*~z9}X*fcArGJUMUB&d3Ni)yqU0< za14V)k#Lfze|6+c+MoDQmKQ0;GzQyF&<;8Ov$XqUp(}zTl2&4pY=`g9=*6g4CxyDn zPYQQ6Z-42uJ=<*`b68-023-}xF7izd^A}bf}XgNcaMqmyvrL%UWYxALOKqV#Vteu%6 z+)iIF-T)a^Rd6oGzm8@{auPBeFNcET9sRP6+P=o>bp#F8#y1J4F0*4j4WSv~B@nmE z-5gLkT)}$8R#j58q?a`u5!j2uS+Kyb#O`1Z_7y z6C^$?wZJ@01-1NQFRZp6?qy7l+J2tT4RPR=_#=|@urbcOp9Ix00DDXB7=+ux%Hqs5 zM>Vs!8TB}+$q578uwt}iAct~1?8z0%_(mLV9smhb5G&_4hZ`ap)^I-nlOa9C*#5E1 z$s{(qgjVu$6Q2z8$?kIFv*?M}Ga!cxtcaDsXP9pV=+<@V0} zTDN4cs!qYwtgN-amSwgt;^N}G8@=$TeoI_eY=;w9oPni``P*#%y45L&w`V*U|Hlruj)4qMXE;Qix5ZiR7vcFeH zTYK_ji8B`AEtZjy!A-s}Zi8}#!O%lzP6wqfEH0`q3^n?@dJxd9@&aj%dUtJXG7<|~ zy~oP4%N$#qq|H)Ou)MqS_+0W2KLM2aix-7M>fX6N=>0A-1`R#1eemEdUSl`%<;!pQ zt4I@XB)Rhi%H-Lz&vsU|jv+IOjxFQanulD77!wg<5AHwKNBRyjPHqc@G?iEsH8p4wB8K8}VRU!iew&UkymxciZnu2J&Da>s);u=cr)4YN4!!d2 z`&5$;hJoTT%hc#&zC#}U!z-rId$8HTJNAa_=&EVfUgo0LVQ{Z1Hl(q!(L4Mk5=a{# z2=EL(k_;MmGVOQ)(Dv3k(LZXtY7c2+h5Z98Fh)AcGd3cRn|GN9ydpSkxzN;qr%$ta zGdp;uF;!y^?@`g(V#uTQysUwR2auOvHp?E?0BCM;jAR4~?fzilZP0EnvGV{{Q%CK> zA*ZIdZY#BHw%6TE!ppv%2VJqTu~F(Jcj!}SgvjGF+{d83S(YM!GNFL8Q&No6lRN=v zUBJ8&cQ!w-giL))NfaV;?B$d#Z8GKk`zf`vu}os1&D#DM-JRYWPgBFsFn-+~FLw~Mgj$ww_fuw&1Q&q@yV~#cC zdcw?N^9K4rR2&pDzqp-8{wonLV5U2mq~d#k1ksC`a}=r(PV+Q`50ypssgD7GJK;zB zL~hdr{8jSf`E9@32|os_>u17xW?wh>F?DN%yTJFdv~(LI2TGfu{Y_ME@;V)?o~}Fx zbJL~YaTA!EY6?>W14@`nBQCvAe2KhbVFrAWa@C}oDKcZTrIRL_(+k}{v^!M&@Gg>X zT{Axqc`3J2-kap;PSmkFweDdf(lwdYqIsm=dMb-u{~!n@Vr({7Dk=_)ksOLA;2X)|D^|M%Hl)ugr|=!YfVF1d>;dZ zuPylw%-;YAxjAbrL&t6JkU(^j3~&654zn!>v*jT(y}*K(_B>(HdPjQ&T;Sm8K*^vl zt9<;z+(MB*`HVxxCzO5=JB&HF6b%p%!wyffqJk{iu zU;=auSpxT!&5fwG>oUTv&a^h$@w|#5lN;s{FcNXo^w&FSL(x08PDMBUL2nE3e98SA zy0g^hFXQ2w2n_xhNObH1s}IR8g>x zSNrbKpX1rBHoj()WJ`4eXc}QPp}4IT=2$JR1-*HMU9 zc5vbu;(_0XWSM}IrD9%MtCHu|@K1Hpz_3QKt;=i@0q?|?7nt*F$KKQ5GI6yxv%t@U zD9Ml5^rN2ntCWbOdq8{^K%K=%NHkRIgbsM~DuW?DaYw*2JH$)eQ?%uFGJ zAM<49gk!_FrRTuce(t*F^``Is3T8m+upVWT1D{oY5vj8d&{-)iC`EPoZntRDR9lUxiZSI#_5Suj3U2ci{j+(chpL_7}qORWl zMS*<1TgJJ(>z*%bwc!Yz=riwjRHH-Bt*H-Y%qR4u>C(PqMZz)nh1YA=W7 zcJI6SkRqm_yVKs~W5!ZYN@n0;+4dh1>41>0X1U(ZU2lC6))xJG#}QV!HT~MFLK00~ zrs_`F)E%*47$?Y=ofjqe`G!jpq&$CXx!Y& z6#a%|)BY%#+T~JNVv{dIT8Fs6G{TPGdBnH=^)h5;2o>z)INX>d5j-^*$06aMy)wnC zj5(|x!ilhphdR1OJHNv7C+lxM4>)0Lm!@Fz7a=<{Jr5!byQ%Xy;B>gdzGPi~Ktxog z-FI%k3ChX&_;FFvn3y2(;Of;iuPWDn0Q;Zn_1w<67qiT_C7%@KDEFrf8aD%&g2_L% z!Z};a3%=6kpDN^o_;b_LhbN?86GSl6A=jR<<9kcOC3EDZ2tCNj1^9jrFMeezm;H8D zP<3Zs5wt|5j)9wXI4(n4M1wE72a|sI(%F6XtHe)6wR%LX?x%H&*?$0>`epUzt%S~K z-0{Zokxv;uMjuvccs0<^LfW&qL#q&~Y@}vlY_beNM~{4#Iq<4%Pa% zJI4`u7-u90l62l>a+Y=F&vW!@iA03OK{9|(;wNH=IGrRBGiy;>9)^Exl28D00VCe;<98%g&kW?vE95#`l)7SpmUcfS1hzs04(hL;{U7RtITT! znVlD*HcB&HP3ujoSxO=Q?8S?DLlzfFSMm|{DlxmU{7N^ZR-#cZIi+?g^k3S4@|Wlj z=BG5g5H7E3I#rb6R0ofoGfNlM?KQA2>6#heBN4jgI+NS>(f&Cqj{=W*i{*Q257VdC= zr`5k-3+vLGKF6%~kBp26a>gCL`)^L?=!6Y<;hIf&#{0|&{nGenB z#A5MGCx4h8=-dhjsH>|J{U1DZGYAN%#ngJ23jJ?92DRb=B+A48MtuAKGOGOl4btO| z66VlPOw&7yIf{MN|AF3tGr=T-e4K6M7&x*ux7sOP#i`wPae^6{d+u*9!d85CMy$XS zYZEn!OmKzd`}ZTaP}@%S>GJ0FmrRqG&sYT?SAQ>W>NW*ZAM3qfSlHOO|Ni|uXaKl7 z&h#@_$MnWM%Ig*Sg&;uhhSz z8_u*!Ud(VqNt_2xPLR#1giFE3l7t5^e$)9RWUG7}rrB`P)j`uZT_nURr^QceqP z(j$l&2Q@E#l((8>hVve*tgJ!Dj9vUkE5~J&A&kB(+q~J%RaRR&?A26$DK;kr%5q(UIYEg&d8q?wG$ z)O2b;Ei@3pA%0CLerE~D426}v5BIhlD;!%}m^pz)mB^CNr3}}Wm6ewjOq}h=%ptV0 z@ap0|dQnJ&j(6_F4^=;4DuuU*X^9m50~6_>HD%@3N?;VOelz!52-3MwiB<0vvh2tq_aS|9Ca-{f8`9NKVfA_TIn!os+|p z5Eo}pn_BJHC*>}W#*^L1t(nl8Y zG`iOGWZT`esC)R_spKd4Buhm*jn7mxJ;C5{(Z#{ZA}2A5C3hl?x&rrzWDUXfE|ZYBW4BmW z!GOOr3=qo6WMcX!VZF6Me*spu=wB}z8tQmWTy6OD=>xdit|jhBLX~y)&EKXVRG7xc z#W})sD2U%(UEf43cMQ?&enCHwP+VF61BTO;^}1}X&6s|fqIa)+3XTdY%v6R|aq1Dz zeMzK-dfD8Z=^x;_Lr7YA|JQhxS@2CGnEmna&oCYMksR6fGxM2)0vll&H55PI_aysc6-hXVJx)IK@r=Ba8lq48=F z{Cklq+FZ3~ZFlm6)U45!wJk)~xRs_fUrxubuJM}t48@3FOtraZV(H{@~!UkG~cf#8a zwRo!};H`C|H-RAZoNU%^pGkfW`%HMtYH75FtG}bGMspZ%;O)@Bz{Y~QxOioK!xPr_ z@A&pa96VY3MpOd7*mC+QKdZTHZMFfmHH=XT3UxsO3Kt2pbATDw4ht7R!g4yK!5yC_K%H6WLfz;@wzD4`*zy0zYlM}f}uAy6359ck9lLB z1cLRiyRx`5y@ci>&0NZJS^dob;a|C@8){kW4|nYDU0c4PyZ-1tVa$LyhQL?#$A<$& zq;`{|Te)?z?kY6ruv~r$vF!rqkHadB$bQ$C>UZLl^0Qi1cjs<)XWMsBZS)Enmsd&y z&M);_(y8vi6x(Nf`~v6>>_XkbLbeod)Le)aKQ zZdo>Bkz}1Y&y&P4_y@)e5jy7nIe^eohsi1G73k{N2mHbYs*iTQ5Y}rQ-)9hV{+v9~ zAS6soS0wuRb6zN2dPv-IX|4obdk=!4U7|h$0ah5hCs^(iPW^E&{8zsJ2xVKY)zHYs zq?t&UE&OdFQ{F-;zieReP&UVHriP}(X#w(NAtoio4&HJwYOZ4~T&Z@Lfb+PHu=(LX zNq9(%VbaE4#5{EEdisBX%m0V5+2Z&AMBU>lhOtRW?!hwNaemwyarnOMt|TWXSBC3t z+(CdQ+=~?0b*C#?s1MP42x?rzc_hc>|8dQ#8@vLmE=~uOqN9xD)6m#Bhuc7d>LWz0 z2T;VlTu$&v{uGm_e}$+necaZc2+ue ztO2fzsRrc=qKCb`J!fGIu252 zgo{8PkX=;56%9v%V*%VT7O*Y&6PS$jf)ssG#IVqn%#w8bkom(Y91)@dWX3uq+}1z|J;?yRuIFg2i$G{#Qb8!Ods5X$dD7_;Ac#{8aPi^#}{8K)NM+ z_7Ek?PSQ21--yBwg@qcawz>$nDR6B4A-3*-1!hQfEXsF^QLxxjPekmJ2$9{<#26In z0}{p#lh$lglEqi@(Tn0wImeuQIVMU1##ekY&N$|{hh*(^#pVVUi%qn+a%IE>Mz!&! zOLK@8Kbn&d*PtmqM`j{oQx_qC^qmrH~iopq1dLl6V=G5H+1i6IhGHQxUNs=pf0&^p556Tqinnj~ zoDSwpY~MZ{c!u&S3H9D>a)=SAxVZpg!2mn!inIV{jf@z28(d)@V{v*i6(+|M{KeXL zsfiOVMr3knO3v7@6aV}7?-6662C5q%mm3)Pt=3p_00!-zR=(Iz+9~CP9QOE$)1>w{ z#^SO5<8NXm(N+01Vpd%+-R$`f-AUg14D}E)&P5!WIz*0xQ4PwZ>LhN_gr#xW8U97P5(;3!eJOER$2jN?ZVBS#rqz8>2s#zCBKAAeRZ) zniazdni<^abHU?ggbqH_h<_$_X?0+ebL0%td+6v_9Xe&JYzToh?AYRs`aG=kt6&lvHYV->+rv%a7dmk{9!qU!c?hs_aPa312a z+T-+biCn=+m0#*oua76sPcb^z%OIaFEVGgr3k>&ZbR6-!yLI;ys*zj;X#cmweFCq2m zD^c>>$3EMDh`8w0rh}>Gq%lh40_D|i)6$q}50gG83EWG&t zr)+_S78Vu`&3c=qWviT$EoHNZR#(lnM>SsEJyBL39`=Sr`h_l>u-4b7hAsnsi+NeN zx*m`vSEMn#&HLHh+#X_PULTm{trs{9LIZsAI0*tQB8?$rI6dL=o<_9L0qTTYY?<%% z&P?kjp0-}z-H^wRv!kN+Lr|H;1&YKUJ#pd$DB5iKw{NgSL^sXCC} zkf3Y@*Qd*P+Z#0>4#vhd-*9q9pIUES% z-XXYUtvS&(?OMhxu2BqyafJSbp5nYGuOU|1N5=TJ##woJ`D(~~{5F@}-Q!S!A{o)w zhFXFQ%~_Ksu9P2E}+E6J0o>8GRuPo;G&f}bvtTHstYRCn~s>g{5q@$r=g(+~~dBCXJg1W1uwC{WV@l+)giq2FF>{1>4u@{gA4)}xH+$IZ?tKsbLmdg4d* z;Z10Le}yEIqlgTg1kcZk3lP1EwfJ5V6apQaa=!}>CtOE+P27~x@+KBo39w39@6W1D znp;@gKUXmGc2aF4_9HbYyOWwEc<`r>>we43Shv4SKQl&o@R&RINDR)V6qjvmW&VhTt{gs+DSb$5_LF=crhj97wS=g9z^sH8>E9E7BiC$~ zoTWVE_L24sIP(giU&eViC>1Pa&6~=+d-u+xB9Lcghr``dn>Z)mq}m_OT+=FlcAsb8 zrR82)E@Ia%r>WV!-gbAy2KP`!rU1e{x}=Jcg_NnG4s|EugbWz)h=Gh3aEfqG?=(eY zAvvCWubN1<*w1RRhSHj&HgV8_GBkWAExJNF&#LrJR{RL9VyHS;i+={`(Ae!FypCfs z6{G&QVR2#wDh&$Fqtn`_`-5$DZ`7W>8ctQx=5*(&o`w1&bWl#cnw zsHJT>E|4oSVwQO<5-4;~bB?XPXs->6o>2DX%T+44tA4;C(=yQGqY^7ydGKM&$`*PW zf@FQizW5;+a3sdYci4(LSm_Vie~e~wb@2eD)UJsa(dXiRBcDl=XbakvnAJtpp@(h(&<`v%ILCX=b8+r74j;!+DI2OejI!e>} zhH|nKe0o6p=xA4~Tg$B(AwE}Obd=lgNy0W<({EU;y*=`^Rj0uQeynYRlJnNFYw38i z1_D|lMNnXrMYvsy+{YEOETXXfqbc{inVI_sP4>Q?JVDN%ij#X}spx0ZMc?7y6kMof z3!WZp6Z=!|ab==q$ukc~t2J%l(ACBG$>sdMXkJTW<;7oJv{YYTiCAWe8_m_bF zRjNS(*r`*e1ZAtmw(`>#u6FbCxizvA;RCjOKg1iGUtu@sA0m}v82j|;jp|2&JY0vM z--_{{8%nLI6@P}aZU4b$(!Y9B|HjKGsNUNkPg4l=tb-?SEnQ|u#Jd&OLl9Te)$Lz5 zzjm#-BE>Mc2SU9gh;I2W$Qw0S+uK*-Gw?y47%HZe4NE>~huI!yY93OT05itHcb*5d z&St*uU1nxJuUT)Pd~<`OcWzgfA^{ErV%J82D}%0e0;(N`K>9;AlJX3Nb#A(s&Bv^> z^fo=9P<2-xz41;lX%~%z5lsp1rv;NoAR0ectwlGam#{;`^5mMnYL<@q( zexaJDy=a6goBL&Twn4cs87WlbOAmru|PkGnOaY|49s zipa3P!vGs|JAhx<+vCe5_^4~(+-L?NCZUT1_XdEC_08@O$J_wemQ@ofUg9KeB;yqo zx(PN-37F*;vj@dGASTuW`yoReBaq1=nTo4DxBQ({m=7u{Pf90oeKAC`&Mb6j-|CG^we=QC)xndn1wu8FoUt2ywY4-N^y)MA^tQY2?rIpfdT5 zjh9HX^$MYh74jQ>{RQ2>p&9>#te4GJU^J z`t6oe(}C*snM#U$ogOWG7zrq(sk~Swi^YJyG(B8G93MV6UF^lawZ6LO!{w zXD(RK_@y(8CyoNUX7pmT`Y#@aQ$Hs=`=^3ZaJwZov{v-qCrbiyXKa=!1%0#8>*&o9;_*=qfPF-X&nH*3wc&EtM zF;Wqij{=(=mXq|IFC%%a-v7s!f;)4}Emb1}NjqfzBOdl& zlTT^G&erdH8)R+`v(6Y9ts1jyeV2dvR_`~_e}ZA!&4hulQJ>%A0|14YU%fiEeR(Ty zgeAM5NzH^?4KRN`&q&&@!5n!hJNZgY;)M$rP~UI8$scy>riomHl|SD_jw`bA35u(C mVQW_AdXF_CjlqU2-&o0b?ByJgLhn5w76hbs2t_)f2STrp6p@|~ zsubw~A+*o~XLz3Towd$;&iVDO_d7qh$;_IW`?|}u_rCT_@Jmf)S{fD_5C}x8s-mb3 z0#RNEfhcZVJa=}6uD=TSN8zHa{0vmm$3_4S&cmK+JOzQuBQ77mq5_UDIjR`CfIv4~ z&;BT;-g0_^Ks?*3icfVt&DJJOW7zS2#LY%?c|lj7brY8;8~xtP5>41ip6LSKPF3V+ zxkz}-42>YK0x}@XHX3Us?^^{+O0iPKEyDWRkJH zN?J98X?PGDcYB5rEPh}y46GP`iWr@=DLx@mhe;&}nyvtWWq_B|z0ZR{@_f!*AW(qJ z|D$afTvSg@5V{E#Py1s=PV44%_4h>cpDs+K9*u--DcDR3HB5R5pPzO`ABEksY7tYe zSL6PGaHPA3;@vloaBtS9I_;HC^-BW+`+lO=PmUG_X`UcOTtQHeM@o9?THPd9~H2 z-?iDf=F0x==6dy%Q1|JE{n9Q@=^*K9$c(bTaV$}Cg6z!T`+ajA1Kj{OP1K5=Fa0>9 z{A{BUR_}kLd23^mUdqSnAU(p>UJe?Yep+@Bu`jOVHC?;TR5(LSA8_O8uG6l6wsHB6 zr~k#KQPmAYq?=4bhSmdC zk9J}l#rDz!c9#Q)MMUmupoc#er7r~7@|9J(w`l~Korfw6lrCYP(k;YSk zrhGC98N#h!Y=vAMgbXdQmx)Y3`WRqc6w}7j5ceQ8e~U7Nv(80?lOK5S%1i(!-7v(A zmql!1XPx^umUvZv`%@KSi@buhnd;t+A?mfV@K}QlFD0A|w;pzh+}YnHk>@9%W$WjB zzTaLv~|9dV;% zF%+1&pJYzhq_D9D-LPziUy^%CMZDbVae}_$nJKVe%ey~i&e-Y! zZG}`*fsLuA=>v%+f$7$lhZ#+#SOfh{s7f2gZXCa1Xy877I!}5m-``GQy)g&fU=IqJ zIYP}ajR(5PnKlWW2fw6h9%3xwTi6n~v;U2EA3P1egs9;q(zSLw#8U7Uwp+DJNSF%m z#sodVLR{x*rcBOugFMTx!t`Y$iQBZ{WW^D!)+B_sX@(J4tDX`&V@6i=ag}FbI|>fh zYqeZHTXK~TtK{suoe!j#%p&Euqdj`N-UW>vdfCg=J49|NZkpi(C;3xEW<~J~Es5S# z=j`mt9U47{zt1-1%?y(0!`P{p`6d7E@19mG%MoB$WwAcKY(ktaD>}b zuA8VU@`ARqu5j0NOIrZ99=B2yliL>hn;-K@;=;JyYODb4v}lM8ddSMd_x+Y#-w+x5 z$|@thad$b&<+Smr<)Dy5qVT!?9{JCA4P9{cwn5e5d|`7aeq`#XMh|LKSBv^tet2NY zZCq&Hu1abE;Kiu)ol=wysT8q@y2o0KI(<{fYg_4kGRuuw zaf>L&LJ?}IQqK*aTRd*VyKaup=+?ti zT0$+0_3#_NOrQ$}c$qOH{3BaE(lY$C%RTY`(yv(IPled9d?(MW-Xtj@^HI{c5_=^V z6O{C8M1GA4?=zNBt$?6;!tOU(uXsej(O zW_8cXN&@KocTS zN5Us^^aGuz`-k-a^81laT&x;<8&9kECu+>en@Q-j<%)O1BrkX&?BvLwy!d(>zVpo*+D|C*Wj0rczH_JBh0}Z~ z<2~Me*_9S2#>(Q}k$!2(EEpB*7-x+ow$r0<9XKaxZ1fjBK}Z$>N=R^y=r{Ax_4F(jrhW$xTJR<#uwP!PxtR4ujR0z|9>U6C}aylmG-B@iMFZK%q1cer!%?lRm~_Q|dJ z0x#*4!RJ_++<06z=WoJ6)!Uq6VYw%qsB^B7@LR{h5@^zWzNxT7t)~LTokh?g=KgPO zkJj4N{NCR;RZ1v@Y|)xn_n9Bhcj^0!OHae<7MHhJ+s$*ADkL+WS1U};`-!_IK?u%LbQt+}lS`5U~w z#ww4l4(8)l3}lG{SPnEf;`YcWXQZ5Vf9U37nFOH+)^-w;uoiZP)NGas&E2Hd5FHd zxQRNn7`iBbOk4~hikRwLS^6Dz55~&}x`FUf*qby6_foA>ah2A^SL1<+rwQG&9$Yhr zGWbgG70c@RCEy!nOxxj`vy7amy>+w;*Yu1M71Yn7X}X@jG2E^tk83KSo6vzn>qlJr z$N~+6jUKku6oJ@{eGe(+u9r@DM?+s4&AFG3%Dk2Ryr2~DBr#V{uoE?cMYyfazG^!M zN=ZU?rT3bWS`4RP=d|m}bE@TG%yrcDsCo;N`xw?YrAj<71`H=AZ;xmM{p1PK5-^L! z<+u9`t$~}C=4I<_g^S!H|A~aqge|KC;MWFBppTLhu9NqMqjCuoeK`RHgZhiS02 z)LpWr>mwtSf*Z6_)ZW}%_PWFH!dqy zxWSdtG5u64JaZz=-`8UYW-Qq0lNaB?`X*h8$D!Hl$kn&OKMy)-A4gI7mO*$5xpBZM z z_Q*}MQJB`xJ>9iuuXtDKijT_284BDn68y!7pVtIdJBgC`+1@>8I}=rfG2I1WGt(69 z00gj;wn>@XC$+b7Jy2gb9h9c`$6?cZ;}}5i*Nf_^ z4^EP?z1nMiBCgV|&^=pj`c1?bOzTCcujO#WdQ%gLR~wp;0%ec3Z-H;x)!(`%=Fs2N zYLhn=h$1kRkgGxvzec@nGbd@ch8lztF!oo}x-LGsw@8YZ-Q&pqC_YXHQV=++&P5)X6pI=MY-y2W}*ni883A;_wS7RaBeSM07xmZ zcW4@Ri2Y6JfS3o1W>j`1;bL{k!%X<6s7{OYfu0K#9_4-y?m7Pwe$`p@~CG(rMU*$P{Y(pxN>`NoEA^qqt5CeVQDNOL6pAS<6V;UW3Tp&i^1!=T zRG|iM7P8c`7Q^Lgzd~t$%Rw1Tpk6LeyE4qmEz5smh%qT#x$?CRmBo^aIvHz5g^w6P zIUS+0URhAmff1Cl%pa;?tpE*MHTrv?Vss8|lDKZBli9edZZ(HvfIuK;FPwT8@)P~% zGQB5ygMJ1mj|ZBU1akT|UTnh9ASwm++r_)L$bgjQ-7h!Coadu-^D@8Kw4Gqp5@Xle z4{hB$L0@btq(RgP?2qy8r(N^)U^rGcE~}c^n!0v8$LqP!8*jm$((UtX17apbxnsf> zc>!!jHSLstv8j{>@lC*B3AZruY=aWIp=Q@wr!6>rBajmnc)DF2KND2AwSKMP`1!32 zw2_J4*AF-bOR(3wdt^oBk~4{!%1OQa^&c?_GyYplDpSD@Ro&jh$%<=$TJ<5(uMGmi z@(;I^5tTzp`rpcP9S?CmVUN53s7{+a3sYt4E5ncwGzWBj8d52i02CwK?2mvdpu$n! z20W*J-Y%hqrd&|6Ovev)&A-Hmw{MSS(lfs4ucm1@4 z_5~A{%6ivK{!@~4>QNuV!ouw7n`O3#nonVS1?y1gMl;76qLk(&#Y1ZE^H~k*!g+JS zSkvv4F!|VGlf2$HXLXY%VNRTdVq71M6MgtOF|a>+f~gKoHW-ZYPA(v$Z1Jd^iq zWA2V8F=<_&E`efNuH+t1w^Y>xglPdL_b`x?Y^T+$;l8%7SaYIcN7fzGZZoB-9bg8U%l=G=@!6)A>%R!mO2 zqF~@LCPDJ|)uZ6F1j;S)ysJ|Oo1>jE*vqvHffhdxmQy^djY^0><(o6@Q#G1J*;LV# z{)UN~6t-)Sg=cnZiz+Sv2htmBw^~Weu z*11=#JwDFliBCZgMkIQY7xkYa5>T#>kYZfc$co$B>(_iOzWlxWz-&e74Z5Q6D#GMh zyqqO(ZNLWzH-Z?^E;s#SVJ+Ye6f5k+IOw<5UH(I>zrE=wW_;A;hR+!xKUm|2e4MF2 z1dISeI-UM@xg&vSHVru`uG=x^%t+_gYpt8eCC{IJR6C6U3TMY#i4>Z(hA>tyd{1H(|4#ZZcI~K*#4Us0iCvj=xP|{o1b; zG|$YrCN^R+x0_spQ!##LpY3joA*0&4Wn>#fx$GRO_9fwYyd!FJ)0qux{ zM~#*YKY5u^xlSo1OxVfs95Zt1>5{sA@bhGm9Lgt+5#BFD3t5Ox)+Y1D4&Ij|_IwzS zv=Y@Dv9o?TM{b%k%&Ov6jda>;B^}6n9C2RV)|N6=Mv@^1iiYN;wNF*k9kySl6n-3i zOo8z{o;A(u)SJldSND!LVRR5FSxv3u-@MYflxVM58EOV$i-~S>3~>$aO6uSarNoU4$u0*yvm|44E*Cf%L>40Rm)U>ZRej;$}PzD=m3`%=B; z+MMP%G^<3&EgE^+0d1pZtah;98G0j}o*$Q$2#F<;l36QjJizhAPhA+G?cANd7ua~< zsu8`A=BlwBz$BUcl;F+4(8jvA9nwGeDw^X;E{&v)@P%Uu9;dR}jLz}%^Vf3JanNqi62Hv=Kdse zq_7I4#qaQYML}|NmO9mNw1<+11+{}AV!~EGl0p!YV^d>NqdUtKi{Ikna}0`;YhMRk z9#0m}?_{RW`Oe&O8!j2sJbcY17lXkJ_~TG@LJv&764 z=cXRCz0{wOqn02?-ocHS`#FInU~*`St<770_38of`a36U>PexaOO5~Ez>$>1;$ z6KIJYqiu_I zZ!}Z80)xYSj?d!H`a~B*kHxNj;rb|${z!FDhulpHR-sO5)5;!XrZ#3%=_Ry;{z?ot zknKo($i4=8(rb-d&`8Xdw2+<0n?2Y4U@Eg~Q}{)%pqDp1I4Nixhmw%zizg}C>0noH z+hCzRN2H-QP9bXDQQ>8~ndR{co*$z6qp$Y+Y_`@z-CEwrL`}_$JpRu{HPDbKLh#QI$CphaKt76S$&(tiwh!)Q@U40215bmU9wBbq| zcrOQ6P{l&lWS2#erpw>~8Rxk~w>XN67PyeE{}mz=6JXe$&-RG!oB=A;0EwCL*9A9v~H!ItLO4vHb^aDlv!0Gion%b1@1q2`hYG7_T>rA{`+K82w=;)mZaLX+1(Wm@gJv*slczkw=hP%&a>v;1~&-HE8 zD0Z-H{2cEP_2TTVxp3drYPSq)=a-fh?4T#8#23fiBq!e8$trUgc$4+YY{3BWPB7Qg z-e?-fukm$K=44CpI0m9eF+8~fWxQiBOn>t7Hlkyxe-W8~Ns``i%&V*o(r*mD7Qva| zlW{=rWlbmQ|0GX2!bC2G^3j!EZk+@X)otk+Va^-e&}52KhJ!gt=p2*GWTqk3{AOHD z-A|*~K9v2Sr6FYBMcyuNRFU)vml$Fv3d0I7dtyx~^EWMmKaA)+WqZNl$`TB}{;7ba zGu8dq!a|1j1IQO|T}i+9%cX*J9m@py&%mY>x?}u2~nN%v+X)*`qP< z7oFMSIDQaDsUOM8?7Gzpt-fa!i|_WHNsz~MYz`o}<3%Xs!}5NZC57QK(B~{J^I)Sg zim0t{hmx(^^2JUvA&rL#tDr|u=ha){tc8!GZUbg%z|%7;$Y@?2lzS1-@dZl%23(#2 zAMl2~B|FZm%kg=NNF(q9{=W_Q&LDLvE?R`4Kc?YYq8NZrLq8^){Co_l1G;!bf;X4w z0Z_zg>g(%wALgj}?EWdx2)D7ZfhVP;@U1EgxMvrE60e_4gL0DUS8%$4fx&=gLPEmX z#mS7JS*qc0tgMvq?d|PoxsT)V6g}sGSMRv2p8Fl?kcY-t%{a;0mFigaifq<6fdW)d z7ygxJw-r^(*W0jjk7R$Uzdk-tTyv@3kB{a^h>!oZ?2&epfWj6X9C%@VgtJS(hChI7 zIo2J1QwU;fu$y?Y1e>)0;nXShL_S<7;z;2f+e@Mr)nB$s1n=#&jL2j-BVi^FC@IS% z+Z*P9gpA>q^UvubgwrGwhB)FAk|Mk52JYr4^7+& zU7*<)o2a3DczZkG1{Z`UnYuyuAbuRGm$k(mhhZ;{Mugn}UC8Tt^IB3zD#1ErNbNbp zPX2QZe*|Qz!pv8P7qHB8%#?J8b(hheuSxOkg`tI@T)ji>7szLluoduCPr1#nQQBpC zgU2%(Vw4~Y`D6vIc##7?=f;Oa$IMHQA4u`qxNl!s){jiPg}*V(SMZ?eP`x`7ZS?cS zfGx$NPjE}a*J`I;EtWF5Iy|M!_b4n}LcH1liV5>dnV7`t+pEJr z_a`0CVu0n-!<7Hoi~sdlrEk82rCBC43It4$%o$>hJ=+hZO#Tro8K?2vMGE3i*o)EC zu$1xX06DZ-ZBqO4;lVYbBDugY;>~!h^E;|Tj{|>Z)t}1DbY+jgTxP3F4s7XKa;@o- z-t^5wX79fR&pO;wJ$@ElBTQb;YZH=vrs*CD~IaBP;4|9C%_)z>?Fo2^QFt6NrQP>T; zf!1U*uk=facZ8wXM|-xBe?R6YBEnE~15;uy*N#syrhN23v{Fn4C;qZ6toP_B`vQ7b zx(j&;_)0`YIS|betI@?-&uFFA+p+m@cg4Jf5(N611b)8cclPB-(!cK({QpmPy}l$m z4w?KVOl76+FhvhP?HgJc?FyO>WGUW-EEwJMPVjhk|IG9Ta+O~H4e!aqp#;Mbouo!( zU7e9&J=>3@009L`!|zGROD*Ra3`6~E_t!m2LK`X zOpGqc2VVk@qG|sOnsFYuFJdYgd=RFQlxAe^<;_M-26 z4;$_1@Nc5~)wNHbsN&+D6rhwNoFY5~LRvQ$=s_lo$p&0Vk(^%~=J((~b>`A!eSYOL zVn)m)q&h^3-g!gu+gv~xE=EDk*^)8NJaKa)oO8%B%T79sjZ$$5nw4V4dGLw|AkuVR z=?dm!*@GRpYL!ZPOv5VU@9CI@A}=K>_5K#(AoL|2$5%WQb`Cv=iyJ2y_&8C4zVj`z zpE~;?L;UteOPf1yV~_<&ATKU_s1}u?k!h&zJ5#C_Q5!mcRTnNpQ&Up|1IN!d&0ieI z@?s)ID40LJe!caN#+*RNZmRYK4J}`t95P6uA%|2PoWuZ^h~&BLt0jxHtIAV}@hUju z(|f%%XDTE?38{6tqnHYlr?kiLMbp2TBO#I(rh2MyRIitj|^&wI!6IFH$t7 zVm6f$MP=S19PShJ~@~a;fSOvWu z3(qLp5%atcy5ayZOSUWQM#>dB(#wg3m>oQ(tmy)O1$uB5~D&l|P75DvSsZzThsONT=d4zYE zE5k8Mmw=#6q78?Esi|Gq`G6=a5=c}W5QVP>PhZgSgFIQE-Ta~ht-^;LL~yXqLrgu5 zMXt5PQCzfjwoL;c6ubIR04wuS@SWnh78PI+CCCDajL-Y)Q6F%OcK{f=LAzwcH7`76 z>re%1S-y#j1n>sYi?l`{%yi!HHs#Eh3J0@H-sLU)guFD$B8s$0ifrx}`rod`Agu+D z3GWl{=NykAImqo?fU2#!PrD>azXfy26kflTVFH-J77e0H>iT{2Z9lfNfZ+=A^XL1y zxj_rC$HxsnySuwXHa%L}C1c`wdAOl}D?hA#u#s604+W^Xu*6F~?#X z1{(J!&sjVd_#_@}V>uS)^dn_jyg)2GXjl6889AB!4spHzaP{d}<%wDk;%d&Y1V_6W zx!VmOCE@KQrG|dM%YL*Cyu$>6w*H+K5TK^OGZHJ$zAJm@lB*9S9#?UX+GmmRvoI`d r0DuR9e%$*%+N0C6${ggq;(EflePYHe+VkBXI0mUIX)2aHvk3ejDV@d2 From 170fce992d89ff18362e18f604274665307b5ac1 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 9 May 2019 16:00:36 -0700 Subject: [PATCH 352/492] Update safety-scanner-download.md adding version info link --- .../threat-protection/intelligence/safety-scanner-download.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md index 890f7e0401..5a4ea7bd10 100644 --- a/windows/security/threat-protection/intelligence/safety-scanner-download.md +++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md @@ -22,6 +22,8 @@ Microsoft Safety Scanner is a scan tool designed to find and remove malware from - [Download Microsoft Safety Scanner (64-bit)](https://go.microsoft.com/fwlink/?LinkId=212732) +[!NOTE] The security intelligence update version of the Microsoft Safety Scaner matches the version described [in this web page](https://www.microsoft.com/en-us/wdsi/definitions). + Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We recommend that you always download the latest version of this tool before each scan. > **NOTE:** This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Windows Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/en-us/windows/windows-defender) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/en-us/wdsi/help/troubleshooting-infection). @@ -49,4 +51,4 @@ For more information about the Safety Scanner, see the support article on [how t - [Microsoft Security Essentials](https://support.microsoft.com/help/14210/security-essentials-download) - [Removing difficult threats](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware) - [Submit file for malware analysis](https://www.microsoft.com/wdsi/filesubmission) -- [Microsoft antimalware and threat protection solutions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) \ No newline at end of file +- [Microsoft antimalware and threat protection solutions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) From 6ab9f954d99e1fd29d766b3b61cee2c762c56e42 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 9 May 2019 16:29:52 -0700 Subject: [PATCH 353/492] Removed ADMXBacked info for 19H1 policies --- .../policy-configuration-service-provider.md | 24 ++-- .../client-management/mdm/policy-csp-power.md | 132 ++++-------------- 2 files changed, 36 insertions(+), 120 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index a565731cbb..f1fdf56518 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -4117,24 +4117,12 @@ The following diagram shows the Policy configuration service provider in tree fo - [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin) - [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) - [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) -- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#power-energysaverbatterythresholdonbattery) -- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#power-energysaverbatterythresholdpluggedin) - [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery) - [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin) - [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery) - [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin) -- [Power/SelectLidCloseActionOnBattery](./policy-csp-power.md#power-selectlidcloseactiononbattery) -- [Power/SelectLidCloseActionPluggedIn](./policy-csp-power.md#power-selectlidcloseactionpluggedin) -- [Power/SelectPowerButtonActionOnBattery](./policy-csp-power.md#power-selectpowerbuttonactiononbattery) -- [Power/SelectPowerButtonActionPluggedIn](./policy-csp-power.md#power-selectpowerbuttonactionpluggedin) -- [Power/SelectSleepButtonActionOnBattery](./policy-csp-power.md#power-selectsleepbuttonactiononbattery) -- [Power/SelectSleepButtonActionPluggedIn](./policy-csp-power.md#power-selectsleepbuttonactionpluggedin) - [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) - [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) -- [Power/TurnOffHybridSleepOnBattery](./policy-csp-power.md#power-turnoffhybridsleeponbattery) -- [Power/TurnOffHybridSleepPluggedIn](./policy-csp-power.md#power-turnoffhybridsleeppluggedin) -- [Power/UnattendedSleepTimeoutOnBattery](./policy-csp-power.md#power-unattendedsleeptimeoutonbattery) -- [Power/UnattendedSleepTimeoutPluggedIn](./policy-csp-power.md#power-unattendedsleeptimeoutpluggedin) - [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions) - [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user) - [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters) @@ -4759,12 +4747,24 @@ The following diagram shows the Policy configuration service provider in tree fo - [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin) - [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) - [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) +- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#power-energysaverbatterythresholdonbattery) +- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#power-energysaverbatterythresholdpluggedin) - [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery) - [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin) - [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery) - [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin) +- [Power/SelectLidCloseActionOnBattery](./policy-csp-power.md#power-selectlidcloseactiononbattery) +- [Power/SelectLidCloseActionPluggedIn](./policy-csp-power.md#power-selectlidcloseactionpluggedin) +- [Power/SelectPowerButtonActionOnBattery](./policy-csp-power.md#power-selectpowerbuttonactiononbattery) +- [Power/SelectPowerButtonActionPluggedIn](./policy-csp-power.md#power-selectpowerbuttonactionpluggedin) +- [Power/SelectSleepButtonActionOnBattery](./policy-csp-power.md#power-selectsleepbuttonactiononbattery) +- [Power/SelectSleepButtonActionPluggedIn](./policy-csp-power.md#power-selectsleepbuttonactionpluggedin) - [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) - [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) +- [Power/TurnOffHybridSleepOnBattery](./policy-csp-power.md#power-turnoffhybridsleeponbattery) +- [Power/TurnOffHybridSleepPluggedIn](./policy-csp-power.md#power-turnoffhybridsleeppluggedin) +- [Power/UnattendedSleepTimeoutOnBattery](./policy-csp-power.md#power-unattendedsleeptimeoutonbattery) +- [Power/UnattendedSleepTimeoutPluggedIn](./policy-csp-power.md#power-unattendedsleeptimeoutpluggedin) - [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions) - [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user) - [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters) diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index c1696a003a..3b9db5c095 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -388,14 +388,7 @@ If you disable or do not configure this policy setting, users control this setti -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - + ADMX Info: - GP English name: *Energy Saver Battery Threshold (on battery)* - GP name: *EsBattThresholdDC* @@ -403,7 +396,7 @@ ADMX Info: - GP path: *System/Power Management/Energy Saver Settings* - GP ADMX file name: *power.admx* - + Supported values: 0-100. The default is 70. @@ -461,14 +454,7 @@ If you disable or do not configure this policy setting, users control this setti -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - + ADMX Info: - GP English name: *Energy Saver Battery Threshold (plugged in)* - GP name: *EsBattThresholdAC* @@ -476,7 +462,7 @@ ADMX Info: - GP path: *System/Power Management/Energy Saver Settings* - GP ADMX file name: *power.admx* - + Supported values: 0-100. The default is 70. @@ -786,14 +772,7 @@ If you disable this policy setting or do not configure it, users can see and cha -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - + ADMX Info: - GP English name: *Select the lid switch action (on battery)* - GP name: *DCSystemLidAction_2* @@ -801,7 +780,7 @@ ADMX Info: - GP path: *System/Power Management/Button Settings* - GP ADMX file name: *power.admx* - + The following are the supported lid close switch actions (on battery): @@ -865,14 +844,7 @@ If you disable this policy setting or do not configure it, users can see and cha -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - + ADMX Info: - GP English name: *Select the lid switch action (plugged in)* - GP name: *ACSystemLidAction_2* @@ -880,7 +852,7 @@ ADMX Info: - GP path: *System/Power Management/Button Settings* - GP ADMX file name: *power.admx* - + The following are the supported lid close switch actions (plugged in): @@ -944,14 +916,7 @@ If you disable this policy setting or do not configure it, users can see and cha -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - + ADMX Info: - GP English name: *Select the Power button action (on battery)* - GP name: *DCPowerButtonAction_2* @@ -959,7 +924,7 @@ ADMX Info: - GP path: *System/Power Management/Button Settings* - GP ADMX file name: *power.admx* - + The following are the supported Power button actions (on battery): @@ -1023,14 +988,7 @@ If you disable this policy setting or do not configure it, users can see and cha -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - + ADMX Info: - GP English name: *Select the Power button action (plugged in)* - GP name: *ACPowerButtonAction_2* @@ -1038,7 +996,7 @@ ADMX Info: - GP path: *System/Power Management/Button Settings* - GP ADMX file name: *power.admx* - + The following are the supported Power button actions (plugged in): @@ -1102,14 +1060,7 @@ If you disable this policy setting or do not configure it, users can see and cha -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - + ADMX Info: - GP English name: *Select the Sleep button action (on battery)* - GP name: *DCSleepButtonAction_2* @@ -1117,7 +1068,7 @@ ADMX Info: - GP path: *System/Power Management/Button Settings* - GP ADMX file name: *power.admx* - + The following are the supported Sleep button actions (on battery): @@ -1181,14 +1132,7 @@ If you disable this policy setting or do not configure it, users can see and cha -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - + ADMX Info: - GP English name: *Select the Sleep button action (plugged in)* - GP name: *ACSleepButtonAction_2* @@ -1196,7 +1140,7 @@ ADMX Info: - GP path: *System/Power Management/Button Settings* - GP ADMX file name: *power.admx* - + The following are the supported Sleep button actions (plugged in): @@ -1388,21 +1332,14 @@ If you set this policy setting to 1 or do not configure this policy setting, use -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - + ADMX Info: - GP English name: *Turn off hybrid sleep (on battery)* - GP name: *DCStandbyWithHiberfileEnable_2* - GP path: *System/Power Management/Sleep Settings* - GP ADMX file name: *power.admx* - + The following are the supported values for Hybrid sleep (on battery): @@ -1464,21 +1401,14 @@ If you set this policy setting to 1 or do not configure this policy setting, use -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - + ADMX Info: - GP English name: *Turn off hybrid sleep (plugged in)* - GP name: *ACStandbyWithHiberfileEnable_2* - GP path: *System/Power Management/Sleep Settings* - GP ADMX file name: *power.admx* - + The following are the supported values for Hybrid sleep (plugged in): @@ -1542,14 +1472,7 @@ If the user has configured a slide show to run on the lock screen when the machi -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - + ADMX Info: - GP English name: *Specify the unattended sleep timeout (on battery)* - GP name: *UnattendedSleepTimeOutDC* @@ -1557,7 +1480,7 @@ ADMX Info: - GP path: *System/Power Management/Sleep Settings* - GP ADMX file name: *power.admx* - + Default value for unattended sleep timeout (on battery): 300 @@ -1618,14 +1541,7 @@ If the user has configured a slide show to run on the lock screen when the machi -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - + ADMX Info: - GP English name: *Specify the unattended sleep timeout (plugged in)* - GP name: *UnattendedSleepTimeOutAC* @@ -1633,7 +1549,7 @@ ADMX Info: - GP path: *System/Power Management/Sleep Settings* - GP ADMX file name: *power.admx* - + Default value for unattended sleep timeout (plugged in): 300 From a7086db799558a3b86cff93e138e713d42f0c09c Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 9 May 2019 17:00:55 -0700 Subject: [PATCH 354/492] Removed extra space --- .../mdm/policy-configuration-service-provider.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index f1fdf56518..3be2804a24 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -2420,7 +2420,7 @@ The following diagram shows the Policy configuration service provider in tree fo
Power/EnergySaverBatteryThresholdPluggedIn -
+
Power/HibernateTimeoutOnBattery
@@ -2456,7 +2456,7 @@ The following diagram shows the Policy configuration service provider in tree fo
Power/SelectSleepButtonActionPluggedIn -
+
Power/StandbyTimeoutOnBattery
From 6c67c066f897fc0875bf60fbaf1e7a3e68e0dfca Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 10 May 2019 10:15:30 +0500 Subject: [PATCH 355/492] Changed applied Changed applied as suggested by @mapalko. --- .../hello-for-business/hello-how-it-works-technology.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 015c33f72a..99026497a4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -101,7 +101,7 @@ The Windows Hello for Business Cloud deployment is exclusively for organizations [Return to Top](hello-how-it-works-technology.md) ## Cloud Experience Host -In Windows 10 Enterprise edition, Cloud Experience Host is an application that helps you join the workplace environment or Azure AD using your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC. +In Windows 10, Cloud Experience Host is an application used while joining the workplace environment or Azure AD for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC. ### Related topics [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification), [Managed Windows Hello in Organization](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-manage-in-organization) From 6653d97f9ae5f5ca2e94c156457315c02e68d0d9 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 10 May 2019 07:29:41 -0700 Subject: [PATCH 356/492] new image --- .../wip-azure-advanced-settings-optional.png | Bin 43333 -> 44501 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png index 785925efdf7d8f2daf549c90c5ff84fb6f2750c9..e0072bbc2fada185f186710d991255065da8f02d 100644 GIT binary patch literal 44501 zcmd43Rali>*gq)U-QC?G9n#(14HDAbNJ+PJN{G@S-QA^>bR!7T4YPQ^`Tlb<$8*hr zmz&MziS?{?-@jTrN>y0~1(6W(&6_tUaA1_92LD00smqAJ zshT7{1V2FAh$)G^c~hH!^k@bHenxPX)pL9E2GjlZAHJ^dj8M$J~=An5d>$NQvZKkqEhZT-~8X|~_4Ru>VEH76%WQCtmMN)5Yudw<{S z@z#aO)$e$bgG%M~%~baS*(6GyI7b}t0h$i64GUn!6%Z>IL>guuE4K9bXB`t3Ij*B%E3=AW~=a_J4q$_P+ z)pLj3@lGSjGzte%E{RuBv9UsdkIgR5B-VddTHFT3_9EW?u$?RYu2W4ow6?u7lJe7m zcm>zR#U-29Nm*8wJ^lspBsGqRcP(#sDqpnAakcgK)_eQbdK%06dfrN1tkK|yL+$Us zgJ&1FP*zbC! z(LNpAL?(Fo=hyeR&?9zxLC<4$R8HQC+S9HV(ieMTzl5u!g`k^Nufd)VE}OkD_t!UG zP_?zSeGw>q^+ZE2(C!#PQZa*P6V0x>qc-^g*9q4#f?g+&XG3I5^Y}wS3Hd?KcWk^& zEAA<@N}QUzS3A{>gw!%1&6uU``IJYHD9CIz;&0fI%gV50{yMCUU#MV>!66z{|&nZ$UW3+x?`1Zc4m@$@A=YeSEmu z=Jj{E@#*O)&X5gbV{m9_h_92z8}Z(h*fIeBHtrf30pYAQX%0af&whMrYKl*pXytf& zC?TEO0~Q8G?*96A>?%LnVX1BtnvlogJ@E_HpM~nF=K|B7kKhi`4W1@ESU+JrKchpl zwp_*5AZ?0dfqNZ@!HcU1fE(3q6QKrnIS694KhK2w4RME=S^}IU-3IREG`-R(B z!*E`Ht=$I+n?8|FB~K*a9z2Qt^WCxI^D3h@TpXP6qjb|x<6MriSRu9U<3q`dt1Gf~ zECK=dmv;km+H^^)6Rzy$ZWC)BZOI5Cj(Yru*k?%P~IIS_ZjPE z@wf#`DT@5U)R@(3?boX^|9wQzAs5sj{9Z7eX;_uvhY+~jPSkV#Ry zCS_!~DPK;nDhCJ0-d`nJ{+;a4J?5NtOZ?_!I^S(3O_>->#hH?llC;0$Y_m)IPBP^d zigOfAst0$D)ZS`->}UDr8>5P$mq)M_mb5KI*v&NjvN42_%BRZ=8FN=FU^Z5gYt^`1zcQ zwXrlf8Cg281L2$|hGR6=xeeKNMjWj5wr;j&>a%+Ssfx94a5!gnvbSMIom+fN;JNMY zt*YKGph=sOY(XDZ{v2t{Q^8|+_hc#}Ga#>6If{VeWqU&&0LVZ@u-`!UB@rbrm6y zwUt+~8KlGa{1IGP@P`)6+TGQUO?fEFparBq@cuPmoUb&{>GZ#QIPD60e!P?Z{QJ8z ziyQTiw7}Z!>85?TOpSG`Ivg_4Yo{m>RnZO-NOb z+a0nW^H@?`F+o!RTnA`sMlIG%18Zqm+FK%-GYVdYhA#meb~K)T%5Fi@^lZ=i6xs zG>jIoBwfJj?0R_?)R4+`2+H%>BUnKxTg)QicilN@J6)?WgJMdM@;{g^{PYRFe{B^5 zPw}zsv~x^La*bKTvksKW$H$8)IVVtZz+87gJ>Q?2qV&F;k;y#$^<4*#QS;M$I*Wny zu6yA1@e;RDxjN0sJ`56WEQ#P}(lvEolmPf(u>N~sNQ-4jCy&PNQ2$4=m`;` zbh#ATziS;t+Z($Isq`FnKj~S^^hZ@kz`9%7(BLl}gfy2kdwG7ED^uC0-Er{t=A-Gl z+sp2YM6*Ctl&8snH<610$29kJ7LN7(x6z|H$!^O5icQz!Ig)hBUv@u+FLu1T$zz8^ z5WH%rI$D+bY5o;MkB&=q;Yckp-!#j6pOy+G;Dlft&qnC-Ej{T&AvmN!G5j~PVhf6_ z$lewvF6QUr_6AC4yUT-_hGE4s{d#L9M+@YK-EnzPl6JkT3$>ss#$GJB7s68fL(9ON?QebqOR@jzfHyY*%F1r zc4nx(k0UfG-|?A|BHr~JgK_We2@}7B;7V=Y$;@iM+!FQ9%>xN zPIJ@!rpZt)*1b^?#9D|m>TI#*HYFVEc(ygL;_Hn@40*$M<8X7b%F%{=v7aAgZRP6K zbw0|JL#b)S*mb*wWc}F}-($7a;}9Wb?7k<{nN73GP){HGt66UtLhL7mzrUN<28+cV zaSc<{dRaCViRb%7mT#$ zHL%l+jAB#GGx(@aJIpL~5iPkKNYWe1mbF))JzEUL^J$$qW#nS0(VfH`TJyD=OVDCx z^7?M9?V3{JA~+)AiGASXjp!2|_&fe{j(9Eju$#oC%mTvj9?TILA4dZ_@|3it0x_uL zaf&u!Tx#o0X$u0K3f&|~e3a~(HTZ+_NRM4dp)oFpMRugp9=H;c&u_UX4%a&T>RIL3 zlfWF~R`|@#HMH7`>4N97C6Y+6x3`@jx|c}v@y&+U;x>7oH!kNAw+ovKFJxe}UxZ?5 z&f7Rq%8AvOGTKdqUv-hDBx4j@O1V$>R}zpkkq?n=Nc-Xy7KkE<|pN zjVd+7>5Ay%eKEl+R}*T6)T=j3AF_lJ7T37N_y+>D!EJw19pQ$@i*Lf^<AUv7w31%A(Y&S9U?qCRO+R}oWVx?y7K~#MCilLlYxsiU=3f#}=m^A#&qQ-~F ztnXZngPuHckUk&(EKk`{WvO0SyG6xh))Zp%5{W^4B8LkKvnXQphhQS;+G`y@w8VCe zqO+{yIe@h#{5xBMgpfnt;hOJ-g0)U(8?vWsnq2DlDTg}4Jd>e6!tRhRzyis>%5Hq% zpIpt)79?5cAT$3PIVgV)18B_QHv>D@mNoBr8f)P(-gt?n(`5Q$9fBJL)d?wzz!?Sj;jdlb#@+!OdLE5iV+LwwH7M6N)CnZi7Naj*yItPyS$y ziJV9j2Aw`#^-v5!Bv_gkz+cv!JuaBV0{K9P`4y5jSy0LmE(a<_c^#l{y1Zz=e6c8) zcRVUzF}xBDWp`DC&ceofmCVHI&Ub4eti?Fx*cn1$QOp&nzlYCkHtK%o?q|**O|a@y zPKCCxgh=cT*^rXka24?TQQssHJXKGIJ#!zVS?lphare@6Ml%D1KOn_Q{*axgyn$W{U4+aYt)=Hl}U&_Po-aWH6 zQcyTB?9@1K_8uQLr_0ta44&2Q!3&qiktUBMPRMW{r|KOwj7=n1)fDa^xkAZijUBR- zQcZYfAl1g^m}AMOH{%MfR!|90c;f zkJyr4Rx#JFIT&U(?%|WpESr3+!SB$sHz@VQH5KH1<4w^|rdg><0$bx6Hc&#!%~Y8c zKI*%bqYJM$|ASW<6j^s6R3eH9RylGS^QTsf+PibY9UbsP3^uh#w@3be(qC zabtsZESVQWo}gjPGC8_jDgL@*jX*XtR9G^mZ{$U#1W>1Zq>0kAYGk*Bl=0*$)+6ma{y+gPG{eGaP%KV+l!V zJ_?ChzKcJJTRaDG6BCgHKeri%8`7p1I?FuD4GzD5!BSgcqP^c!9yGv>Yn5x9^BeCZ@c%9H$x=m z#BFRlrBb4cJ_V)66LMb;_VnbsL75r8PK=|5f&b{#5D~RRkcdlzvg4*Ll)i5&Oh!7o zq&Xa}&Qk47Bdrf$!Zlpp6*-Ue=qd{PoVuH?Zia(9wFV~b$~b5~Vhw|_1bq~39;`_e zJCnHvqi^_+^AAE@jyn@MD@rs)uw9IPI1p5|Ygg)z6XMc-vtFMFL~0s)_b;H?c19Uu z;jrcF`!U%k1kH~ymdv+o#UCqSG3if!h5ZhRgG`Ppw>^`_fm30#C5-Hxfu5Hp34vh; zobG1LFF`38`wfr!FdYR|8@&*o?Wk&Sne*i-Ktd%`&8Lt=AY?Xk8e>>o3+$NwBkCag zE{=W4X4W&6C!Af`0?(qvrQx6@ydav0wr7};7#i+04ks{(3x{Sw+*WSTbn+1f3EkA8 z7o|6V;*MKMMaYTc5B5|y!w5u+Fc1{VbVHauFpr5WP0T4_4qA$Z;}oBERxUe-i;CCI zi(zo9l3EEIelL9+enztFg4)8C@7 z#~b4~ayS3pQlnFFE}1JlKR-Pv@j`q;@j~@VC7yNLNwFt@;Vt%ucLS=1A*E-5t=_If zEdflCLe{7L3+3jw$BMg~A;hyb*UQMGZdMk5iBL`ugsIIFSTG&_)g$m> zxa2dldv&LwDkR-$_#HAWghkX~4iF9Y;zsoOd3@ti0bm}@t;N%{ft}yO-zJxMKs`p&*~nP3deB+Sal@j03YA^G z2e#MWe~8Y6DpP}{F|u1}=IH2^w034=_Y~-(#aSw_7^kI8(_rS8LtjEi;}9I@yTW2s z5E0|g)D8a5_qY|q_U}FBqfhT@*inUQA*AgJaZ_;nmq!~egMxPuZfSJ`EgU)FL^dgo zU*ZRQP|~;*6-Q;oTo3B^<)J9K8YE{^=u`&XWATzoi}mXHJw2PSXcY_e5n@XC9Su@5 zmbmfWtVL|9rtwpj&R%qKnK2?%%GUfQ&-mPxF9&nA4zTF?xU}m({fzW94S@I^jSpdy zpsL+TBQJX3$P}}Als><2wEIO3?PcV%`mo8p6Tm$ii`_(y6s)a2fS)sP?2bH`Kql(A z!Y34ZnK|jS+Nwnii8rgV)HeOO0%c>5lCk7FzLKjVA`WB!DEBEJE-BO|F4YrYt|E{B z`to9;MF3gJ&5Uk+h7foxyi?trLLaLUsTI9Rzhj>YTZMv37co^Aitw4LGU*bbr0n%i zy(R0m=V0Z9{mhA4B@xe`4*x4fMFh}imEv@%!CdkLyR&DqfJ=-RmFqMbh0maxGNl)n>z~b9-{AaZ{M~aKm_j5*|;3EwPv^fH;D{G)|pxXi>4yQ{mNqld69)Vc0bEf>UvBq4lbT=2<7;zR10 zBhko|MNS^B7EH?6zfj!{)?j6YZgz|WbtvaLle zM;ENg%Pa?Ki;IQ2x&Ulyy9*6DzqbwZV6KA7IHc=uSC%o-jvb!;6KmXqC?Wf|W~I}Z z)L}`S{)~kbh}*dYBE}ithSU9W+Kg#GKEz8PW?O8orB2tn)(>DCqLr&i;6 z%~oZrSq+_|Fqp!6y@syi~Jk^Cr~ zN#f{qVKIxGXpp{^Y@LChe`02HJc4LuT`p7nDUS;=(<_s$RZQ*?Pb~I()lrT0a2bVl zrgRH&x}->HDG_o=L^0{T1S&#N&`3}4Wxny|1OXvbAq%YXTm`+|mp6lj)RkN=)WLiB zkUDDh&?pTb2M!PdOi|dsYAVD(eDc?Z^enZVVjvarX1|uZf^aAZ)ceC7hf<4{+do91 z#>e@MbAdv_`+CV{Nu?(70O~1qsBFC2;akl`TuihXrvPGol`NO@Y=ijzh>c-gOHV8_ z5l4DPYP^}*u>|UNk>5K)2@a$@uLg2^q6=3FCYf>B7()e`j4WIR2~?O@^TtjCh7)~q zYxI!FVw3TFNzavKu#B|jDi|iBu>ZMyuowR@c>mkya_UH$B)d5aR)+}Y9wzNwH z`BG)hTB1l!lb?fOqm$V7$3IJT~hGEGn^Vg*p(Zv|}oq`5(^5*y&N~%SlIF?R461}FvZL`8q>FliE4$w;a{pQEh+L{N|D!gminY1@aewA z?vBbGABVh$xxROI6Dx9D=NrS=Y_m07o2ed*ZW|VzGB;`}a#&nVl50@a?Bl zu#o+?zybP53Td*vA#gj&^I^GWjx!!-U;?y*QsWoHT7-|wB?@@v_S<||-FthW0X&hJ zbbqbnT_2kGQ}bY=#8N}U@tEO<;jJelyp+M;Hi0VN%z$=qMb{!f3igK{eknkIAjQ{Z*Q|GikXU!&l^ zK(I?iVbVM+pmEe8-ktBZId4MN7F1WC0+ELmjq3%9JQ2vAJu?mV3zNh5M3!TpD-|<2 z&x0rXhlc2YG6`T?+nGvt$DahqLm(i<4{pu zo4+wdULG%i>XU>IoGW0r(P)4J-Jxxh43KbI4jVXiSP?f{l>$&Tw7MRL3QV{Y(3uPk zf%CPnQ+@S<3VfK@*3BWlj*qKPDQ~8PZ&rW?8pj-CHIeleXn7xi3D*_)YU<(x>L%FQ{+qKhK?HW_q8lMPUzMh}%fWGnCJy_>th%U0E zX#dju{#Tx`-(*Xd2d*k7wNmFj+^aFr?tRwX-AyX&d->;=0_O{+sHkZ6kXN%GQrW}4 zTARmF#N-GsSr5405lQVJpwAW*6ad9S@?6P3AmCzu>J-)rX>lB@k zfVPl@lG*-n(sqs_iT!5eQP9+;^#)A(Ca3l1INr4kZrfyAn^&8ZYnw#wyKXIIuLYRR zuOem|6WzLyGO=`x0g#_}+<DkFtrN6Qw8JM)3)Oy3a( z?rdp-kG6>L2nc!|zHc*40`E#PMZx)ohh^omojrjk5&QFz=UUU0_m5c(@GHE5EDK*? zGm$kwa}MJHrklL=puLzSnB}M>0+Nsv$Vf=`zkjeqo_mx6G?I1-FI6N-=ykdl_lQpZ z!+rr(`1!Cbe>gTi{$#yNv~Ho*!yZy~N2VY7>1eKON&-#zCvYRe!ot8KN{MQYClfX9 zEWH{c3zFmHcAh_Yk?UMI|=?8%4-sY-m@5?XfKSA$KiOTt3;2VdOPQOi{FCntkZ73h|5r&Cys zT2q zmf5D*O5!Dp(8J+P!BtrUi!`cS-)JLgu?zg@TOTJ+_9n8AewIrFGbMC_>1*&^o8?0A z*QfK{3sp@i{fGpC&uk{o$5$o@Z#S7Opa(fkyMw*fd?NoX%wa<&v*q?{1FL-iD#_vtRX1>-!JOk!0XcU^U1QsEpsJLd=NsG*5HY zfvHL>%FUhnb@F1a9XPpP-!e-5RIqIEIGV?0(MO+5h7~s$B@YBK0T-~oWa0>=$aZ=S z-W}MANYlm_2VOMoD^h>%0M&!x4qQj0(|VqSG{s%mk35slBky*IBncp0-=lu!KS!*mlyY;EGNvl4OV><+nlsrya{T5h^#VWZ1Qju0K6iLDe ztTxB7MbdGEp>Sxla6FDH^hphL&`qgM%e5 z`7JtofLy?&*_on87=et8tT?^Ekc@!|9KiK|BRH}q1934if&f#1HKUTlmz0q~zaCLI zqpRN?yt%n~F59AzS=*6HP)|L-`FH#lAZCxAZp0hrz(8x&W;JXY*6BU<%o&6AmfXC`ywz92d2e-SE>~K6 zo_guTe%yY2yqr6W+PWf6usSe1}urN%rweFwJ@cGa5u6vzE`R}Ib#6rHdIa;WJ ztL1&it*tFwR>Q>_v%U(}CI(NNO0Rgf-`*2j7LB)hK8@#7pEI9l$OQJB8ljhsNj*xZ z!eZhGMKb_M8cCreviNWPl7V~?FoSo7lOzIV$rUa}7cUHMXmrJm$kJUccGh7h-?wow z4qUMfo={U?F;-R8(!tjR2)vx13SyDkukS6^TJSzAegsn|S?*uf7AVZ$K;~&Mgg2w( zPCpM170>t1`Q#)r@b~8Zpaq4z=v&u+Y%e%E^ zgd=mqO^f9`D!~+zNvtRX5jJ06hjK0p1(uiQPc-u<4Sp|`rjiSp2gh$uat8hcspPgT zROngc{C6t^YicV1moGZ}cuf@y+3tPOOV>vgbbJ23Mb|~&xicZ25a_uVdYHcZ6U!w3 zgE7D5ZyBlRz4H&kkC&$bNRz&era#EpkoylC{JWU%{|sPPB$rO}jHs3CnvOr78^qJ% z9(d9RHAzIWQPZig*hjgc9}1+bzF?A61;M*5ize+lt+oj|?w6+`?#i2hpayWeq&r_n zCi7qX76_VcP70oKqt1>mL!IS6;d)%#FYrG1<$6IA-!>eyrLdOr<@l-4eGtm==AZ1e zGkNTP%i-b@pOUWOnX8zZY`gRGSE^ANCQDU*Q&&KThp_N&*}D%Y7i36r=e$;rDf z(osNOE_FQA3!9ggb})u4L*I?PP#@#v-^R%PNuApsjLV+P>Z?7rH=&D+K>4_Hp?EDU^_wIE!d@qal9FLAiPq>p zvuGfpo}LT*?|K7N`y&}6HQW2Tj4EpuvaEt?U7+Q;j?Y#mzWeTvksYJjB=fG>q5Nwc zq}EMV&v|h&A{)!okZbAnXD$?(Ig3|VAf7@Ko!fcBfHoO}aV@q=Pn2>A|r`M&xj(?C5>EbIJqs8;8;o>?sI1#2+9$GugPI(#&g*K_E8|L{PR`5#8@ z6^zaXCA?qqv^^8?CLP5Xhal+fH5zDYZKAcmj1C{9BJQXjM{zIf7vuVV_gnLO{0ih4 zG;Xsb&$4TmA+iYSkh;E##AM!2_7AA2G9e=;Zq%#9Z9*=~wX|uZgy?TVjg$yHFn&cx z4&E{@AVgE+cjLHCKCxm#@zqk~#c@49r7z5KX!SJry@!r$N$)3l0dWVTdT(-CxiOi{ z3XyrYvJ}{f&c|PKE!jU&>kVaH@>Cqx=-cH=HkwKe>%80f|5AQ%B0#E|vV&P#UO-KV zi&9Wlp8U*`?ed!998m;k1@d=S(93giG4(dz2WYrO>&wv~R>qQHCK>r_5zNcW9vS;E zW&e>|%lQ)f>kMce(*xfxm*3LY>yLHmn1dXH#HF`yui@*I42kB}w@UzVtJO=QUG!f^gWLPUFU_FQuF-8@`Sh9NeL+4-M<4}J>K6o zMiw-QWEqlvk7D0T;ABkLX zTx%bhno`--2J2=Hpp}WwECzt0?@wgg5ZhQ8`>;RU;$8frC$o(564?G*989FrC5yHivhA2eDgp3k2k1t z%CSi$laq#r=Z8U)qqMg6-t60lEh87VrU6HREa%;>A< zuhTQx?JrtTm0s8ni<)c92M|*WbZgDi7`2L?ySv|+m@G8m5S7(qy9;P|tT;B&QPYAT zC>g)2`}Sbm^Yb%{e#3A!Z}tBSeQI&~RxgO90nXQ9GnE${{3fzbES@Dr=<}1xhP%Mi z<0GI@TEM2DQh0q*{l#Cl5as0L@YsxFV`8W{x$06IHn+F?XleQQ_yCY;je7kQV{zLS zBUs4Mkn~lsa<4CvF~0uyj=Xe1^mlNJ^aLS{Rp9+1OXzR^sUZKKe8AFfz^Kl01VEm+ zQ0Crf9Ht*m>yE^aZbe_dfEyyl!LcHKsZLH#uJgY;2YoVeuo%QWldHkydz@u$0m%FX ztXHS@vqA7^M1TT7#rpvWKr}3WuBzEVV0S&}WtH!C->}s^O6|h#^-!s)+<^Wc5x zC|5T(bR4GLZ?I({-+oL35Qq zFzY%`&C2QstWPi?)Dw-G@E~KGUSH1Vb53o;ke`^?UAXEf>VNwW$VbCV9ez#wP`^PP zQ_wQ(rN{;31@bpc&MnYV-fKqF(9$Mvy99+ z#;ig?&q6c=*k#m_=k5`#7;SR|tf`OL;#$WRme|%>_=ys+ayqLe%p)Ts?hHIUpSf2H zkf}-#`0d3Z&iNIl4(a$)%{BnZYY^{Llw|yxcu%8bW}92epm=kDSx;*dP9o?ji{&c2 zo0>W~7p+P2H(5?DQ-hhdUd4^~`fmv1hqu=7<$*+6>(iOG~_P`T=Dra%f*Lg+BvBru9gD&SR{0$q^`2T;oIVEL=6 zqHo=RtRukYuXMhCO2nWmP#87f*Eg-^J>bicuiZ|oJBmEtZUb7HRG<$@2#uWH;eBR4 zims~w7Y3N#R5mXfn+lDlE>NPl&w&Qh>3hYfq%l%wHTG)c{ebz|J^7}30@W0p(LIV! zZcQTmYxBCE&7N0jb;Z3bpcq-hZIpYcK~Z z7OA*L*(FIZcQ5kCsBQK;ZR8y(L&anE3+2w=rf*A3l+Q-V{E` z0@SxZKg$&bG~Q(x7fD9FwVy{OCiB00Xvf{& zx<9KwZNHcV25n@6`_X)yVi*NbteiUU_P`VTU1z0mHp!xpjX$RAB4)38eC}AIRVV`ZC*~)iQmxuSbO-8;YMCPTaKcz&|~~pos-int}M?t zy0h@oL8+LhfD2@Gi}dZjB!k)R1Jp7_2rU;}t-fOrV+2c|Oc1lBKWu(NX5})61r_1= zU8_PmYeTr!>+TCqHAhdb#juva+pnCN>ZBI4(7TzamU(%q`#@V!ss*l@+g5*+gEqX% zp#dm441I&*d35WLpL;;2g8i))#s*~vJP+5fXJqbBzVHj6Fn4&M4sXq$f@s<+h3DQx z3PD1UL~2?r*C+$BBk?BnF;&WKsB9{<81f8qXPP9K(8CahKDFipo+m4EgmCiCQGm*< zldZ>fOG-;`EdkA3HXP(%C=%1YL;DEGKlba9-}d3v<80`29Z(p45tq!>=~w4mg8mnM zDxE=7_NwEXTB(#_WeplggtZ zJ5;)2Fw7$Nv|Km`>2eUi%pw-&ZS64*!7!6k9Bp2lGo>G=|1}yB{1>uSN+@oHQtIU1 zP}ctiWSz&%Kt8=C2c2Mys`XOo{193E%8PV_6GQTaaxo)*BO4m3&;mpQp`RqXmc%Kd zckq~XRr4fN^J?pviV(tb^k}(2$<#8N6cM(8>yGG7y%P=nfiEb%mj<65hy9xq72=79 z%>Gr7AO-5$JMSSTyAVwDlf=P&OtEJWUtDDiRK~x=O#2)vlqPC1#Jm#vNx81i`07qq9GA+;@)Li zT|F<=SKQ5-!yVE}JnhgQNU%w~ocv7bq3uhtAJ64Qa9Zn8@G)S7xELhNjC+P%ZDzl^ zY(x+*Qzl#EQSvvygOENIRS_3R)lpYa=f5Gml2V#s*No25F$wTkX?Bs^xmgeDvSFG< znVKZe#0;2ig&y7blR2aXsg#{rtZ{`qt~hAW=J`Q@e9#7^;9hfbcQ&l;{-rt}$tTTT z<4UQ**FJ-=-sp!6SeCn5lIdByPu2iuDGrdiQ^sXHHvr}3D@hbk@9Z~w!;|F>q`9Sw z-i1H{p*=&u!w&3okYt3P*_+B|Bm17DLh+h}=SIEkd^n-{NhIJ-zlk^50QM(9+vGs@ zQXzyZ0c0gb18QcPL=h{rTzgAdb(wyzm^`a-yRNIM`xIpG99>Syw~1_CEJu0TDq`Uj z?r$pZwVIvHW{=UR^RT9oA)A4H0t7!f)Bx!XKw{p_5trJHVJXibE=NVdBICcKLqNBE zzuaJ}9?bU)_RLT(!X2-7kPTYiyvKiL`iSK(XU zrwE^q?Dg9eE_dfvrQI5Y!e+yYyC6X~o{+tI8>}z;3%acVw4$t-utE+zWF^UaT+Q#= zO1Q|Mw3Li&1QzR>r(U5QC74$S`Q-vAL_GaOs6;#!0T0&)Lr84x|3D9;?4ysw_Wsuc zhY;bM<+|AHVnMyRWRqWl5Bh;DcDii19e+Q}&GC{OSOjRIkL)xE=W9Ouxd5^ZUnpW( z)&a2z)FodKxWB*t8}lbDJbW{rfmWFSJy0ziOoErP{J^3-VC(?23s19=y5DEE6}ktKoA81otc=shh3wS%0xC8eu- zg!##lVeVO~UE&%gX?4dnuqe~>z`icP1T>=BWt6o{0C01RtF=d4_&@LWhAo3PRcz1 zAj6XEy2^5JvKlNnqg?)_vBXon!Qo(IVNue~oR;svw2*>pwEQ>*M^wA(=kh}KICCb1 z9;^4oR&G={t!%DZA0b+zM<>dj@a6CK_^tAY`CY>TkYO?~E(1Xo1HfLB(|P0F4=ZUP ztfY>M0doON*B4fgLYn=a$bwSkQsM@&h51wZ(CBfYoHeYOQ2TaPv5=wS&qDBD5gcR4QFHFbi_|Ac_x;wmf*&1#L#$ z76NwspwC>NuCEV2nS|fo0@D@HFDsh;$=u(=U}xrt<=3q>V(JgzQVR8tkLP61X- zW6;M-aD5eL6l4FFPZ1P0&&tLS0lTiM^&9_0(dE&D;Q0PfJa%gqUwJ~hl0C0hAu%}?O&wq$1qd#tN7sJqupOaz9~pR9s- zrCnY&^RbF8oX`DW8t4l@Tik5!KD_x)i{G*uFlu!_-0X`K^!T%LMs0~t)c!YQL4AdH&srzw5`okE6@8 zm&y%XONWY{&Cex#J;PU++MZApKR!HQ<&n6Z_&0n36%G#w++bhs|L}QBVD>dREX@L_ zzTHh^sNh^7h~M?B3Rztn6?9uqStRgGLoGOL62xwHGa}j6C+O?>sP5WyI%S|vjJwVq zRXMlmZd|X!NUHkX0sVy$8?}bIH1uG$@6FNYzb<5x?fsj;$f*l_@~v)qW$)fFr}QVl z&H)=b$wd>kapH{?9Un)^Rjf@2g!a#oMDv1n>bW8(2}DnL%s#jSQL4*;(Bs&AbZ$N8 zi06Lg_AN)$$XZgSoP9NkK(@n~lEM2U=Lp#4Wo~$rixZM+o{8r_5=%Pm0Yfnp^#(;9 zFC^qu@ey~i89sOF6(y=6{==1zz6r1L!V(aWfeljw@EOo1ThMc7H^=HxM&YIov`qgn z!Tj*oEjAQ;`J7Kkc1qa6>^p7IBJD9^K;Jf1O=RvFXt?vmv*jaHJ9{F~aJPi366Ezh z*gm9cwtoruTSJyVVQ>?Q^%pkB;ihLq|CEGmjpIh*CR`AUWKy^7X#E%Vej2t-EQt?K zRjZL;OKpZ4q0@Kp*+Fww(bH}AB#YS?HrAh1zsfmocV^BDw=K{GmqE- zAn|{*w|tdlG7-R21B(#~3Mwv?o6E-Uc(nwoH}qwi*L9vmmfYDvRoGH;zdbS%&*0vg z!oGlIw@f`>XfJpDy@IT#c@M<2$s3fJ_chA0FVAxF`NV^)m z#`XOI%4Euhb#y0Jd;H9Dw)3)OG(z|>CFD&nAzhQ|fHSCUkqo@DNO$)Jpqb0>oEZ=h zB)lgWa*Q{Y9l^`fkLXa4tf@5hBvZ)JS~+RhL%9*_GBVMkDCV>O3@;QwGvNAmU||R| zWuxX+KPoutTRqIu^jHIstw;9v?FJ9WXV*7&od1_h%HKvDsCMfh;Gdu!@qe#&$v z|86Z$dvjfeROmz&*aNz%MV*?R(kMed?=(CSBve~Hgxu!q$eQ7;7hK=_*bp-}lLyh+3=NdmHovjj{jZ79}rznvFOnkNcIE^i>Aj4FK2~)n5CF^40FY`#A7qcK8wm{fOog@QrEB3_v#}vB7j* zek?<>$RDjQ!HZl^DlUH!z6vcZeUX}E%Nu@swZH)V1b8@?@_+3R!Ra|!%-Pu)NUA_I z%KP;~%I)`Q>YEo*IxEKe7CWy1?2!{mL8tBf?^Wd43P0}f4(`2ElTJ^g9i0?k>Vv|5 z$SIHEJY;`xqiXv7!y$Ubs{lCPCm8=-JOhvrMJc!ns5WzVt^Z;1cbHFnV?Ti@7Amk)son3j8@+44P#FYr*WwZqahPBz#HT9(YrNELFILSze0L-j(}U>!{n+?m0_jUcWrR~(2ubRY5#)>F4Ya4`G~=nDS(_= zH25M3AdP@;p!g63Eyv*^kP86;acuGFJ@~!^1F(s>riOhx=e5*F$;k`=n4pF|(4U>J zrTzM97x(`U>hk|yLt=b15gFMF$SQ-N!VsS_-2WZd-zJX%tX|X~Y)c>P`RfYyB?GOI znwlDaNG}CQ#O+{XE`Wd_9?1{rEwPBdw{}x#5&a7l=;*Jps6XGU0XFTFh(v8S?(qF( zT@Mf@^6Fc8@2JH^-Fjt0;h^XC;{=>9@NT`dc_q9r3vLKqgSRY>uxJ;@GL_ zcU-9ZHqRi?rLjp!SPsE|v$ltHo&``%HQ-e8dp-8i4?s|R>#*p24)ioS<>R%EwlI>; z&Q2gdt9Kiqlg~yMm*>z@=aM?CwqCuWGt~C}7`D#g`F_4;BLEx;nt$27jd$93-8|T4 zL0n7(Sj=mNEHbwqavbUlo-SG5Aw3F_L@spCppRW;G&SPPX@s2SiH6i0BM zlh56+CC=607BIUKqc^4?p8$xX`1|+thhRY`lV@d$1_j0uzO|mriOQ!TWzi^&#TEg= z^s4{>&=pYKfJ_OqTM*l~ISle6XQMzByKM|)I3muL$8>=hxBEsnMC-&R$S7Wez!KO!z6|!W ztOEyLLR=gl>1pSuk=LqJCK#tG-P(`72bO?|0KM67cNE7m!Zctsl>ylku!0>f3~cF; z&&+ytzE^+zPFf=SGy$oIQ26%@{rYRbQAk_=FXFy3EX(!VQxKKzF6okx?nb&pK#&GO zkrwGzx)G$ilt#K61O!2)M5IGNT1uGp`kym1pU-?aU-rJPy_I;M=U(?(zgjIoVp`!? z;vYXO(F}YoBoA$x=N2+p? zGv7l(LwQMzBipsnmJ9JmK9QzynfgHp4CI6GN(02vX<^wPm5Z5Z00@Mg#o^j00vB8d zjaQ4$8IMYk3JA;+;Dcp~IV;yKO-KT6f@MlOVb%a`#q3^`M&JQ)&9Mvj(_;J z3`S=aBli1VgL30~^3m1^IbzH@k0t$}Vrhmi#hKhRqjFNC^Kt^@-f%~qfFMjKO2m-u zs9v{Jd;3L{3{hYLP5YV_6_XTeQ@`XASu0s#@jY!fOC20neen zXj-Gu?Pmd~RnjE7UPQ1JwF40q|teK~{JGtm@ zF=~NgBE++nm#f#RgO4ejllC!T+$>56!2@%VgSAl=q%F$(W;f0h`6s*BLAhMvwmAWx zh&NQBP14%eCfd}ivgtFAq~Uo+65W&k1AxRZXw@dg8IrN?96QnWmzj3>f!nz1W^z}+ zOpSFuHD|9E{Na4k+dhEVZ(@#e--7CuG|WwCS5LyHW}a$FkURjl7b&6LwtQvDb@c#s zWJH9;!0V3*vabwCbKh9^d&z#;WatCE)n6deTsA7UajG`Wy?d9;k*fT*zLgKtS%r4F zcd@|vKNthR7pCM6sEnsV#*)~&Jm9qyaqApfdZl&i^P6x2=B4k>jlJ;@d^4cGbnLWX z{3^ERao(g=f;<~4B`Z_i;>?z@8$VIwgzCs|zO7U*ITL&mMvHmw<;(KrY%tPj}q6 z4(TzSvOG;V53775y@VhO3+iuG!GP%`)uX6~D{tiEr-64B0Gx5N2e>+vOhk*_=^C)&`mvTswBvhSF4#nMgt|lMDwZ4vU8s#=>qf zhBPcm=;FEch!~7+dsb8>kZ~z9gxaWNm*N&aDY{Q0dYfmH*_l^>wxaOywyegqo|7R5zGuj^G(_M|>^S2~F+Z)_yYt zu+t1te2xt;XF5SQ%}|0OP6~SV z9O+=tC#ZO^-9q7{J(oU4gss5svNZVsb^od)B}rORQ&~yVgvYtJ`f0 z+J&W*C%6d}vB~hRGCO0^v_x6iHKW|a+ln-@W5mL0v?Z106$S05t3XqC=Zugae`$Fc z??x@h(=~Q}9gaZq$K+7WjIa)=)I{hns6D05fd#b09YbbvyS3N<_FZ82sddW% zEDq5r2oD#hst%Ys^x@^w``hY5yo1QMl05x+vs<)R{u8>fdgl>z8|_e6Gi2sKmT8@p zfTF0E^*la@VYM__KhM*7p;QD875N)vRcD>(K)BfH&LGnZk?IltVO(ZgDzx-2z_Lco zZg%-4EiVp z+bpB`2^m&V)Ou2NZTufYwTt^xnDr35VDRP>FZz=1ERP^JQx+4y^uuuH=$n5wRz_bm zI{P`IuWkl7n^jkh+>cpbpi;^%6sT1fakb2h%EXS-2;v{gK?wZQV~yOTpkw4x+PQGR z`MwHHk|&gnk{Y^IX402w#nVnKS|rWZ?MmU)xH#gcKZ6SpusSYNAXVTdu)pDLE1T8K zAumJZ5{lI0_^_0k;fX>`Wt3o2D-kj8M)~6jUUuhj=T#>tl?P=!dispfW^es{b-_ac z$7DFY9aFCVnE=~(0}v|8=RotNeA1b&b(s*_g)YuhXD>IDI*%xbElMg|zx)wnU!yTT zviV&vdvZ_c15ix9$o>fm4#p$pfe&NUq2FFHPcSKgR_8Tee)9Mz!MUnEo842ID0#fi z0y~s6n~&2-ie&8aqxceOuF@z&KS}`9-la>1Zl}i8;+%9AxJm|BAoRlMj(L|8EFa;_ z)!+k|qmX8M1<%9w>pLR5Ps&J&)=#_GJ5OGHQo(J74u=QC-91b_k3ZI!_uT&S2Q|0 zper}wLWRp{uE8;ua*2g;gZ6$Og}}3KQEuSAagNE#78h8Yg)#)N=?lQ)8y$HgWb9Ya z7(S(tV*J*4LJcBr-Vh?&$Xf6&JfEtd^6mVbKfaQG&j#AMiLXE})&j)>^EjmL%tDj( z6_{0h6VF#7WHNA}u>`yw8mPVXT6KULZs4aj><2@vW5rzoB1@BK=z`B@F<-h8AfAPoOk5C?xBut(Bzo)3G(&m;Yb*-u1vo1mSArQ)q75H{ZZQVK=;&q;f zHeRnbCd5CEfHmpokAZ>Ea-u`^Q7dXmzYHz2e$d2Dh#wJ6hFeeHtkyYONz@>{)e1MZ zg^Aa*v=q)lFR4*Q?l60%EWdNRhw3Suk8N#1j!T-_1@aWFWHKWxG7_($Ml1b0bQK8# zUB++=ri3D42I?DT4?YKywDG&1A{>rv%TbUSlex0kAvNvHw+JTCKaFRU(w|O4ge@uN z#1}S7s!KloQUb(!?V;s@0BDq<(W2Yge&lejZv?HGKU$0D@7~4;rH4LSEaue~+PN~f zmbRgiz}3C+M&Cr(W6ulgMm*Oaq* zT)H$*JUnbSUdefvRPs*`cySLcKB-&VYsk`YqkDgL)4mvgTjJrf_8W6UC@qy=(-OD0KcWBB^Qh}KRW|q zX4C^83FLsS{Zamh04BR>86TM)grGUM2e$K5@RgWseHrSFi4UK@i63z~+j7_W!EMvh3)%7mND`thVIUw=-wNqkZD;^R+Q{ zRu}vIR`=V>=TV1;Iwy|G=UGZ0I$n04IhY$cq^}k(e~M{h=cqMorgnXZ;ey@TQ+(!k zLFM<&u+Ud|r$!&ON|j?%$FHHSs$=zi_qSNiQ_AE0Y-90lm#|9Hh(fI`F3CaVoOXym znFT8nbWG&@Pu-SNl>Wg9cYfd7{hY5rGLofrR?(vUZhp>k|LmiYd&)e%=kz9t+in8K z&@LuM4HLr*e!|X7kUgvWTpfycy;*vXd3g9s`4C*k*}Ua#yj*xch|_bbcUYk+Xj!b0<8MO&#X$U?WhH#Yabq!RS2q=?}og;Tu^N6u)BI4 z(s%rj^MzKJ#mbd+rVUwf-{Oa2p-b7D6{~~aYJLYVd@bS0&EXBL{Hn+IY{^Z;A5x`q za%ldhKSH3dk%B~mjEvUXIF`!Eob&V=f43~x&U~+1IQRxPEnR&D9hs7Nk$+jW^w`Z@ zTMUzHOpzJiANIHLh734>a^NzrcK+u}VA3?MWF6goENYqY?cnbJV^jea7y-IX2Hdb9xsa_>DWLj=O@-Ir#s13-8Pp8@b?ir@B%aB{-E59=k2DUBWPktCz4#s6iONqRP}y4Kkv=Y5B{v89=fwjoV5u%YdO2sNu~OzHD6y><`)wH_orfO zYYXb8XiEgGH2JfRR8VAV>+IfVlE{=90c+o-8J2X%w0F^M_%Ag=$=jIRjfBm6wpi2E zcSI+>CwQ@1z9%|yaC3^}?ud>?Jmmafzug?t*jxO%PMpZo{US)5Rq5nc2m7C~J+y<4 zRu|Kiz{uK)%N~}qWL$UunX_UQX0C;)>W6L2Pk)g-|&{iUH0O>mvD(z|kStSl~?*VAcZ>R{UVa_r#dq~w|J z(QslG*@TE*Ogi}{kY-wqH zIhe{@+|h9jcWKnWkB=9G>}|wUM31WWerD=d%J&)hI&`QPW2odFoM~(eyY8PB2E^UC zrs?>(N24!CkvP6PZ!>CYXHcd3Bdwh6PwIi{@Q(@&wByXre*@QltGEnL?=1dWuXPFuIt{d|yC8D}wqLcQwA1Ex1?F|n^!j%b+-9AH zC=HZ4e3aqkb_L30H1*!gIPuLw7xSjt{3g2y;Ec7g9mF1%+x6Ku$?Q0s)idXZe{1b? zp_+03&e-##Ki&d|i*(<`uktHp2FKp)YU6ORF<$vlOy5Pscf&B0V4ek+ll|kf0spC^ zb=-Nn=Bq2izuq4ZS3mTLHoL90OEL4_CMqWs*$rj^vG*AG)h}h^=b9e&rR{QP2z_m{>KF+C^4V_$L!{r{{drIvXC~vt z?886dsLn-;pKB_!$5L;SwELZ`-)Wihb{^3gi`m{gapYp|WAvX{Ee>m)VZkLNCdJ*J zc>H1Jg*3SY2^QdQU%;@D=R5Bsd?Vy#5vyKi^;PTWnZL z-Y4`1>H+ts(+vH~I=K_#1a(oM5^O3H@9A?c8z6MlsvbKO_uEe|583#i{?K3FZ3^~F z7ci?Zt++o$qCU?#s2w=ri4HWBn^5VKsR`d9v?0GhKe#L&+#`vIRT6u7Dx+DSL-&&S zd&h3oFNF&Sm6udXtTV{I*_T`UGB~=5v8Jt&#;z=k+^=X?SO~SMR3(PQTz~pVh55%I z*`hWK+tz8G##7$BAThA=3B z1{O?hZ6C{_z83YRcYGruArSvT{KHG!wr=f+vGIU;+&%Ic$)?v2Px%^~WEs_C` zC|YC5R9UV{!zDsPRYut(Y;?2AINEg$^@T`=gubPY%WFeQ^|?9^1=}2gzhU7o|E@^o zWG9Bi#_~@ukR?hr{=!82(8rY1dt%=uu^(QKvW2;?q*~q2I9^x30SsMW@h6zPEi6vK(5}|dq+h5bM z4m5iPqquoj7mmb)O|+w;mgMkO&y>k`{0n6yg-xls$UEAP){i~KLJQ}mFEXXSY4!P# z|E>$2rKDgxBUwmD8e3?t$XlRFPdr31U`{&nJS(x(Xti{)TNonAocuJ+tao6Fw|cr| z@NsJOQk_vmLd@c~>38PX*yB~%69Lb%=QT!mMXf6F?8!_D5@-Duz{NXJa8o1dimA!qh5*D1{dF$R3ORTuh~6BhC3$B~8_K zmLM1u9JGrKzh-~gZ0Az}%K$zF1qBtAFUWNO5vT(J#(xM}3((rUg24q5+|ceL%sTYU z|HZjv3_yhj1_l6_?=~*S1O)K;wgFrgkzoFReG?AJ*P^=6XFM3f|1VzYf6_TovQ$Km zhK2^SI+&fMTwH465mKVdN(&eiuQw-)5i!gV5{~b%vIj5;m<N|TL^%|EZjYFZ2q7q){0gh8~2M7#Nwe zvoobn@I_1Fcz_~lSPf1+VS6HUCSkRO*^0zo9Jg}NEGqUglon-fKN5~3c#iC;kXIE>7$00AzA#6mpy%M_PDO>u}w z13_E?Yj_Tjhbc*~qL?y^7s9egkg4d?&b1a46F3==k-?^6xa&{R-glh$Iv$LwA z;#APnb9^9|qyktmfN#J9j{`iKjg!;;C6tm|XI!l`$|`48~0W z*o#(xD!M*hj-5OQei%>jaKB875g|al(^+o@Bt0q{H{DrpW`+!v|HY0VYxqeDRi+=?IM^Zn?RNb>y-MCD5Y!Aoe?T6Dw3$$A$WD+a^Gj_iZfxbH_g`|mlyW=Br zQSyGBh1^h^Z}$~NL$;29KZ+yGsCGH}DYz|+@KElDV>^7Pz#2KQOCcg>FwoI0TfeM;fPZHX)R(ESq6dg!*!WLQb;SG^9dD2&`Vgv{0ESDVSvkehmbZ3@~8|yI~MM zDTy(R*Szpn;;+h90H69ySw=>t`x%ILr!8aghLk=Z z`34_Y`cyY)yQ30lGZ2arS-l|3piQ_UCXKMsGH1AZdwb(-j9Y6Sn;8TDEb|47Hu_Wi z)S9$NjQEP=98d1h#Jd5oSAFyOXWVa~zAkM!y<76Ioc!VjWDJFJ#=8zsy^QNw3$FNa zT5;dy0x*8mB;6-~kn^}v(oB8!Z&6FKvAqL)2XRVgg@Fc#m;=(OM(ILS%Bf1zh0mk#mW49p zh`S`;$K&_?8F*(Uj!CY+Q&;&u?`QmTDXFL>aDaIO#th#sSqFLaft(zOqQy1Dk9DCK z#OW>fzA${yM$B#y@MU#0ouryC`!D)7rl!KuGF+;KUX%J}BtiAL?Z(fnn(j&uKly0e zT|39LEwC{HGh?L|=P=hXcY+=q7p% zO5&ZP)8Xvn>Cp8o&#R{Kl_IPfHamd%hZ}w-VnrJ~1Nxa!ZL~DVo<%d~Mi2=VRVIg# zKpMUIRdh6(7rnFzpruf8J6`@a86p9g5>kD%L>2&M!q#FniC3aCbG<7Srj+BOGf$UD zthEYV1eqZ*#(8wVir#@2eaNScdswtvloChdvQe4sc=uG0fQB=B+KeRs?Jl(Di&A2vcppzVfCM8w;y~gbw(9LG^KoaG~|$zs~DLkX`S>zY0BA{h%m&P{0R! zTXdc2`T+AT)X0{APWH_j!$Qd0H#f9;6UuKqNBjf@r5{I_r8-}n%E29c#Y$Icrl zX7E}peM3_PZH6pU==+D|bfG!uM0l$-ag4_Fi9JA)dHdPg!hL0XbLk1C5j!~kLSDiR z%;+G`p-KJ@9UWbU4GuTUU05JOh%_5~kUI*R*q>$2Z7u3~MimxS2MX_*RJ=y=G1NjIq0Ng_ec8r? zu)5JoI}S+?UT=$U0@-B|3SfLff0VtB;#-Y3o3xovglq+lb;}GsPeuvCUGNqWN6F5< z4NRfJfkG51t-IxdCV~+ASKuWGSu{J-Bi>uN5ObM`f%BlA^*}eH^A8xq;{JpqkO;R2 zM1TD8keA@z!2PCj^bcvf@n2?Hgkc)~5aENSTmSW+3YK-O-@O7HK1e%@2OO>Mr>CdTz9L>Md3lR5=xyP0z&QL*?uRNOKLj)_P-t}!jPx5ecqpTTdJ}ekK1TW-&XyJyuxlZ-Kbj)tp8h9L+Of}3OgZ$4+I=sf@$-gaR5|$&ms`^faVv!$nO{?H_8n}N@jJqF!nJv z*x?!#_aGGDS&GaekFOOOivKCH=e~dCUVf;+{RWy~2rP?s{ulOS1(X|fRV4WMbRAFD ziL|#rF}I5ld|x#?mm6Ewz+L=~~~1pU`Z@&cPt^=pmM{c%Dc4n1;fK z2uy#Wn$_ZBK`a*SW)GUcO5PuTA$jGT+66**5>I~!!Olc z3d|iQ+nFW1_DO$#o-quU`&pe-I?ra#)Lfj{QSZ+dVCbYM7#*A%9-fbxc)ZxHpEi$O zuQ68NoDz7leus|O$H3$3Pddk!gVxT?e!|m@r}bzbq8}4kR^NgXg%JJypP&nGC`NmG zP7pr9K22m)SK==>c=!C_d%4cC(Q4oH^%7&D98jSQ=!Dg0kX4$Ak5Chn*=AU9Vx-(Fp}tlJy2 zNNwYH|NHvca*?SC8QD6z4?*kRRYeCE{~Q&zf|OLizX|f6g83FYAtWpbVo#_BIxW1p zSi;x2+ABNu`5-Pf{naS6$L{65B-APrG@KJw+{NW{zwi&zw>*2EUxmFdEx=Y8YW35% z*hw~MsT_6TX6nPYtwou!z^4+fJ!@?LLKi*FVSRXEiC;Xq3AXzGqkeaQI|&S-b|6&t zR=MLKnMFzP=Q@6&eR3#Xfgsy)qwda>V4;-zg6Qu(h59J?duO z(6qNNbIuUhdV}G&QZfF0>~2EOd@=s;i7?Lx*DNVXeMg;b;ucZN7rsAOqPHNwN*Tov z*?zFV`Esm!w(P`XpoCFtek&AbD{a7qwa9}t168&+;AjButQ&%ojvNtGw@y8g=6#H zTt&YwXL%OOgN7{FGMrm=T-*fcMt! zxPVaXLT7!Gmq56X=k}n+a(@G;6F_$-kAz^35*Jq&28fayK}4Vi;(g!83%}#);IKG+ zy*eG9+Wv8>@|f$V*(}{ka;m4N^Lx94+^S+`I3Ac7RZmM4uUG_!ERg>4NM zS~#{a#&8+dFrZ0FPEB!<71v_73%nma9>q_6x6V4`Tus8IuoELjO4by+*#Zbf?Gr(X zhlr8FN*w?&T29VgKor0V9TpwU_`G56xj<#xlS|3S$xV27_W%6B!NeSaOb1|)kCbYl z#wXKI5$Q|OYJLYgKJ;b#hP1P<-RsKA%CL(6oN2F#$N!cLK0qSW&ptx%&HuBpAOC#- z?fO<50wbws!gB#T5X zt3r;YSQU(x%QRRFOiUI}l}y{bj$s~}{%&ORhYm6)Z9&rv^J;#6KCI6R>RD{`IjeDw z%Nmcc>w!?9At=pd;;I~wtVomnl`(WJt;1tKZw0`Cvuc=Au8%e+`?ZLzfVo1%E7;nW zjM{*XW&s?O+9jH_%io_nLmDWcaFFQg+SSzsZhg?-tif(Hi;N4`dixn|2vdN2X985! z-2@t9&Vcd{mv#(+_S1FsW1k!8z>j=z9D-1W?Q!!5=WQfE9|(j5?a;}eKY}$^kl?Y# z{eV2y{-uyFf)J%g%LOzYVouH*@=hmzfMi*Pxxm;S61tNAG;O(FVgbQ z*qjtVZ~5qpje^;#YUAHcQ;NZ$I!!t359Z}wqXnNsto_s^LY6Z?p`Q4lY%ecE_e;I} z^Dao2N4^zEzB_$<+ z^0x%Wx|+2a%A6K?VVt*-P$povWd=nE8fXwV00is1Jt$NTU8i)izOh@(XiEXwvptJJ z22L9=q(X1&3+iQ4uT4f_3`G?HRR_WG?Qd+HVU-2YH>CW?6}B$T3fNBvC`87_7LUNM zib!g3jts%jM!dvHz57Gvy1HK=S;7_K^U3?rCQv>i6znp@-4bq!5nV8-qhSppVjH8_ z1;J?A_<-{a62<|W`wC?-G5p5M?df=v@L$D5UOe6>_Q#%9q+V*6ypS zGT6}-!`qYQFs?L&H{0NdNRzRbc_JjIi+dwV<8Q~+`TL}Olv*%ms!afxOPiH=1VF6n z-?!M0*WpW8jM)n*r z*`ij$6BLTH#~5BB5fJ@|xFpQUjstyd1aeS-cJo^Qw7TEg%Lc7qVCo(;h-BY~Lz73Hk zi679&Rd3MRQF3;N$0QWF%+duC!*x07`$GxYk;RUnH@1lJFIXLx7?m{9eES{gY!G`F zx&%|VZ-VY7L?T{ZizVQ8octV|I@?;du3a@;bY^nTOkf_cHc=` z=>Rz?DiPXBvQI|K3I>$FoJ6_6f|-FbqXzW@q+D1ux&YvJl%=35N(-?&enC93TZ;2g z>6D3gbezfrliS;!R|TxBw`}9F(9xKJ24j`Xmp~n@gv}dMS{?8!=$9F{eN08%4^S`z zoKScZ1bDtM)%9U33dzepdrWc}58DtP1^Jz5EcpJ(v`QPlCp`QO2}5NKYR&Xxb6LU$ zfX_aV zjE1LQpF)U^IU^;B?m}CNb>hS)#=Y}1 z1@Ez^MiNR;h-nWN9u@%+o~IMbT_%|`YOjr4kp9LM`9OQRr-08#!y%{AngHN#LWoYI zm~In1+XA)wjQWdCt8t{S)T9gyNH@U>qCh9vJqa4zJOH+&0wI~HdH7253yl_bTOrz` zUTXr$)sa+!1?9|)Zo30=e0*)#1$3L!?rEY^;txb(Gyr7MoImUS;AaLvMhG2LFNEkQE!yI0#WOTkiXj zTQzAP<=ld)@umEs;z1dXK6{Ni#WMkS+LsjBdQG{`m*1U3*>OAo?Tqs|!QDp1a~V2X z0mW&Vlb7Pa+g^a!#`(mp2ET;+M!7&Q#BONfj3gL3C!-#Q5&m%h^C@9GOI!oB^KOV7 zN+bYEG$VzWTdyMJ^!Kc_4~V~mME#WO1MbV%C#uJ1Ok3RA4lGKM3Gy~_F193fOeWH| zJ_n@xk*jQV>ARq5kw0Ht`US@i@^4+7QkL$OiUGF2wBHoM)Ju{`pBjKUt})r?I=BZd zoFM%q7 zH#V{tojP{B$@!3&1tsPyk)rdEq-jl)>fCk1WEB1QpWAAy$t9VrHUt6|y;5pfySLM@P{iRPB)3)=1xasX{?g93 zf=IhXTVq3%h1`Y)9G9MxA$7V6A91ft>eazG?15)aQVP(<2Hz?plTcB z9vz$>*fLOE|MaW!Bj)EBjo2pI63!7C#fP!tC#2@YubK+L-9$IHB=1R7oPo}pgYq$s z2{~Ez>5nE?=Jt!smp{60LHy|?;cZ-^+-rt{$2s#5q~287E}WGXEif*})>nu_lYS!! zCosu?(w30oqlX%5-RPB$w%1@1Ua=os2ffb$!Lp9nWN1OkNklmhIdvI|9=}`9-XGW( zq&HKlm=>edod^V|N*zi(K&Mao;oH#{qsl&m-VU-rgsr>-bClDN(i{i8x}$21c%HPv zTVMJR)z_>?Vd<;BDI^ovz3ced3|;w*NtI5QgWP)Q4@Y7HQqq%tobT26Rsqv9_FwqP z{Ogp79w_P8)Gy(CLiWVX-%%IP?cJ4l50G3VMaBVGrJS@Iy8-6^1F2sH_p#levy@|N z6b|u(pTug(B>WQ9dhZ!jMFa&SWATv!jhCsji3>_MJikWCA@0QlPzExn5%wLjbqk?M z!8jlUuw({(`SJ{$x_h@&!@eL?(OBTi0#aiW8U)#OJT#xSL7cBkQmje?B@ZWB)9g^} zp~s5~dM^PzX^{7sYU)vFiTaP}epEo8iA?WOQ)fZf23*p(8~}+xVn#C5-s&Ppba}Z9 z)~Y4FQOc!>wY?udJg5R(`5mOagt?^C2)m`P*<$S51RO=M%HD!Y{+Zk$Cg`|dY>lMx z|AJr}uz^^)(nnl@chOl`N9mV6&BpVq%d=Eb0qx#=z+uaai;!;?RFM{dRv%1khBa1b z`3S!WvV8uEw|d+VT$XR8M@$M7@!bB#i0+!%RVzpzGC_N(*y6S+lMmtV#rFw5xbHmr zMiGjLdf8^P>QbCENaq<58cukI@X0MNo7QF{b{XMqTd1bm4#{1m{slxav8ZQdQWL_A zAt{X868b90dA$D{T5|eTwJL%7H{20q))z8Z_T&W(P=UlGP(1Ccqw~vd`=M|t`2;+X zt2l>Es>X|hK)6l9VF6FtZH-V#ucdHimZ)ajqMskp20_^!DB2$k%qtR{(C@0@zCM6u6$vHS zxeqeN*_xS2AnASa2=)<#4KNEdL#Q8}v_6`}2JMf;T|ARX^9dp6gTD7mp5ZSPVG%?P zVCo+}IhB+{ON}pwPn8Etj#}-xfF@S{>lQnYw)-}#cG2v;^v^lq?(q?&-Tl2u+c_Lf zR$l^53AzHv!*e3qdX;>iSUFE)gAUm-sU=3P4G?FW>@IdQ?X;o;Q1IvY2yUTd%1J<6 z;vb;F5gm9Kacy|H-`OgOR~X(jwN@0>7_0(e?T?xq()H($lzz)^6WAp$CpT`So8dRX z=Z(sZ>hd64r;R@#!Q6ca$h!Z)QhXejD9>ty z{NbBS6jy0i%tqjfy#&t_<a7+XQ2Zi47bhmWqNP|3b{3Kkq((vObaxY&&~oRpOPn5)KrAG0E_Y06Y3V@@Z;5*LQUS#D zPI~>yv9pmC1?50-G!pl6v7V>=J9552_Bq@2GHz1CvndDYpCR4M{GI^BqCh9524SdI zkFU}r(gA<=^xGh+fK46{x{OIFq$$CfZU+(%Zpqwo7EKUy0MtMT;YqNcV)2|PHsZkX z@UG801Pj5E8hyR3WBpH@VsEuW`tlRS``AiBKS}V_JkV+l`K7V-PU7La6W)H)#bPRp z?`7qUrh-`}?_FOZ>$%J(Mt3|zWcnw4Fsn20L4N+LW8vA0M~^VurUun`Vcvc&-s;dE z(NBVgAbcbAr+Lg5hDO(ou-`wUEKa@dzGx($M<5C&%;LQdB!v+wl>aA7)bPUljbL;n z`(&e2{bfJb%J(GDn@|h86hPFWmX;O_R`ZR{`LNL?+qcdh=wM)QKuX|xu%g7t-EsIA zhI4rDetfXgfr06=c>(54Kk!K+I8in|<#w*A&8yNq7=Zyz9@aobb#L*7kqd6qH;##+ zkiP&n#cVHa-_H(g|9DS05FC;z&sLgq)%)Lo&}6K#m8KXz&W6*h^MZl`P((n+rg8gx zmN^72Za{$`V$+R72679mv6284!jcZ)hFammf>%sOVnP4U2hKIho+#`*gGea$l<6+o7uIwq{Dq}0U&O!fj? z9j+0hRM-Q+JO=2clGyA40(2BXASb`Ov_jDb?=0Os z7;gZHSR@{jRxFTW`&MbnRpALuGo&rXTz%{oT)92 z|MmKug8wNY85wIRNJ(}HtbE7wTCb*39zKF?ty84 zf-W765Cg3Xds~Y%=W<;0k<|7bOw!Jn5WY&lZ)75HAE&12`oPX)#6{q|C%6IeS1@t( zbps4TK+x3)BU~Fmb@7zs7TJO2Zw>nswy&PMr^!21Q#h5|OFJO_jfb^~a%sPW#=x445^L)PA&JJ;` zM+K*I!yb2Iig57z<@k6QO_Y#iefE{$N0CpUDY6^SLF(eREBJ$$@qGTJs^KdUwBo$3|`_+ru)&upx6$JK#|WKhR5n2%`^|Zuss}^hz{i zz)Q)he_x;M1$2oUR`uXRB_e}BW2+xYh}{f3g4kE+_MhBPP*CEE4pl>sDAl0Qv!m5x zB=l_42STUG@LWb}WVOF5TQ((54xI?1D3{1)MxyBVm}cV zv4#TNimyr52x(;G#HwKRo_cC5%Kj%99uyQ6QPndB8=(UX!yTM~Ow(4_W|6>D)4NF! zp3vV1TU%|^*i}NHhtl%-1y1bZ#;1fk`3i2WIF|8&SYZqv+2MrjK zdQT1TtIul3$y}=?&E7NAku?zygZ_+B7%V|=CKNdTM<*MFU;uNjzP}fSPU9 znL(D5CoF)_z4#f7GePFAZ_HU7@I1T4>({-?RyxN!njDeiwJ;G}6G!5lm{wiSsWD@P z#!+7m5a|a!!Y_$Gb0;T{(iphN=Ps%AK3wGUe`pQ(T!;lo!mI&9!=;cz<%g_SNpiz7 zgKEgPCBkC*Na%<$xCM23T)$g$2=9s4&Md!hK~;$;=LM8MNE}JNEGx_4PZe~`3i-mv z4QISnAQi-3+4s$5fU<^+M4FaBNM4B#9syZTW95YrZk{;E)ocZB$5RRrgsden^&^hF zJLVuhQrk)oh^AsT-y!ngOz%9fTA(SqfTT>&C#y1{GYdoTDPwQ1=C&?mH**L_J@%`i z9yNlJOhL2sIbA{%5}BVw4YHA71De;EF@n&2$u|hTRl}Vo=Ma8 zBc-ID4@l?i@y2nmSrLII%3{&ACzo;RY}1@#e~%_noDf+$qAxk=7~)yb`Vl$+pX_!guzBI#EqD z;Q`K21&*aM95nhowK}jHv zE`H#}B0SO}Cex|B@e2f@GlEqNgVHZcYvHbeG~Y`QbiO4_ZPBe#p^;CaxP@HH_g~%!oPS_*0i)e zz;WaWGbB^KhT&qNHm*wGuuu2LQU1KH?QUGy@hDGOH6+#)l2?KN@#ASZ*JbnaeosnD zT#QDOh~saS;=Hjs_G`nKp9$JDfC$~=MB-RRPBiGOZm^fl_~kKGr|GzgBhMSa1gDUO8C@wDVO4UgOSJ{ zHI2`10+d(YzhC$|GW$__=C1(?G=cTKt=c%UuauZ`qYg}i`w)!2qItp@Fqqr5HqZo= zmHOZ_Wh#1W&4k;Y+8nXOW)SyX^NI&{>`eG92dv8FzYQWKxlpuWnNVO)|0SzEQaZufqZck^$tmU^YstUB}-YWJdhaC&ZC=AXLB z;l(OZDt&*wOrONy3Xm3*V8P}C5Z8X}S%)ox*rfMw;Q1n!PA`N6TjA^DHQ?#v_2PcZ z5lkY3>~32`C1xdfQ$%#sp`MRSC(i5w`PW)~t;-bcp~VM;0|@ z4B~jkZ6s69%51_iLncPXlRWBLbtF6P2j^q=7iJ-PA9fgCNAZW%lJN^0Kl|2XKf}Xk z2BSVASO=54`j-U`DZA)fm@FoZKGl%Wt~{u&LX-bVXgQKCDLJ8z8BLm~#2x=003|J6 zBjSR(`22!1*HZ56%UDGr zH0y5R7-+j>LO0DPW(+)b1Mf#RwV9pA?Esl%$*0PuVZ0$m@O&2y%nPK-EB2QLU#p3W zt*0aCerc$_d$f1u)wdwY!T|hDjRYigY464u|%E@S2xQtWKJe;$BoPv{%Yv4HhA)E>)NRHdHIUoTxg7d8ubhjQ&8) zrSoA(6l#S0*p0hHJgVn*PdS{>)Zz?2*y4TWAie;3Hlx&lTu2sQ=qVPp*jwzlaQB)9 z5S!m7*lGUp7;`v3?BFusilBzTVDgT;?l#3+x#Ur}tYAp|h;ClY$juio(q=)$Z6?{(vwZBk372auC-|jO2Ib_f`x*pZPrV@A%rv|LddrIoJ{&SncXWi)al|1}L zQqmy&omi&0Uvuerr;gG`qwAgEH8Lxb>XvtFjIKSJ7KwEot~nf!NQZ#S>Ik*?4`uN%jwKXtna}t2--M`3C{?M>KjEnbe#- zdDHQfue>v}$(0z#wcv7*O9vs1T&=G@n~5nCqtase(vq$BX*Qz8ceZOdH0rkl0)HUn z(k^)TW9d)fmFWB&)9}6jY$HLtV!oo*|Mz`w{+F=wzb_y7|Njb`6^$Tr6!AJ@35Q6s zzZZX0Y`k2dg#w-z{42|+$&e?$3b|$d(!_yC)Dk|^n{MQ=*9*V|P;T^h`6mG?02T?d zJB9?rFcj%W2mhi3R1O$N92j9=n4+Jmp1LDs8g%c9;(#7NQ)Y)eoi0M__ zKJd}306_}j6!4`@VMVXnfn#(>hrg3kmGe(MSh-;-q66XwXlv9{dHM#AZ<7+dpSAZF z@kQD7FgJ-_?g%Q~KR)KiZpE65p?E>JjD~^H?s%U-+%omW8FkP zFa_i6PgxvsxuCXXu8vE()J4mwOMEG5uyW#PL_-l2%5{=UEKy06=xF4wuPbG*;%^?W|2a#HvZ5F`wdp+M7VC=hx{ zfUM|mhXVluPt1xnC?jg%E$`tcTtMQjQ3)sk=+*iFi-Ul57nCr}ymOP_$$<~Ju8ou# zt_V$6nD{QUT?~R31Qo$HI4Iyt!X`n-$@#aq;AY8@X&t~w1Xr2sc*J`*n48K#C$;h# zgdB9?%MpCMyu_zZ8+|79{=RY=KoCon=GX*7uAA-MB~sa)?%`cr+B@B^1OfLrV)E^K za6{nex5E#TT_!>T9SjU6}a`5eF9R};KpD< z&%JDmM}*2sNu}jMpvspGh&+>Ix@gbz(A-0(4X}vE>@srqc0a>aA!TdMwk`~PFHB0% z@FS^srt{IXv~FQEAQN_;5emnDU{W`Ee(k*IfL$v31A%wo3_Y-qCq(X%SYokQ>Tlq* zDn%Tr>$didDMNzPP{O&IZ_R#q#E;i(cUM!j*~-N*`#XzK=ab8zMxjmg zocTL=vMTaSroRAB^T?5!!Q^&5__7k-KsAS&x+%1@yn$Uhg$=$leKuV$PU#c*4hv%D zU!3i68iXPjcC9EO&Y+E2u-*LvhmzBt)D#O*ZoP9eO*VZDf!g1E2_b8C5Y44AEsF4f zu#w6{IS|t;D(3WLKjpELPfVI|ny;(KY;yd}*t_bVA{Adehn#C8Rq4N2=)V;r-wC-~ z=~~htav~on1eH3#A-cDJB!uyxdOVj7=72LM&XbZ;XpNZSCyz}ySzhnEV=T~FoPnfc z!3Yfhqa4g~VsQ40__t*~g1CYBo3^O#BS8=aeI`twIXKb+im+I@&V}J@=~#W$dw56< z3kDYlkmcyZ=6)FJQ&r=~?jpeDl;d$$hmWkk7uYekeDz}`gX}1QgEBC3)Zrenr>U=* zs@cDdV^YFG2Iw4@Y%1}A*DjXCrdaHl4-bAvLR^rtaP$^j0@U}NMB#Zx$Et5&bNM~h z7S6T#VHGQAsM34)R^oK^AD$yJ3ShjWNN@Tq3X@u<=cm6zufxWBUr9?_C?;*(-lrgB z-zsCsW)ORZcZ;OXG-3@s!Qij<)=ZVX+d)+wvpnNlMuyAM(&f94nno4Sn_Km_&hUX??Z zdQPB|XAPDI=ZRNwsTB^otbd8Wp0M3paTYW{39#oG%3{N3JlTG#IpKw&N7#RaDfg2^ z*%8#~*5Tr*&gZ4@9wfRGtdeZ=DSL~QO{f443-6%1ofZb&nuTJE^)Uz;kiKeNebH>4 zliv<4%8g@N${&|i$UL)b;NJ(Ect#hHg(WT<-B=Wz^k$g<*NsQID>YkEJKaMlKnyqD zdrRI`73Yb?ozCetQ?=ypAtBSn2-Xra*Cq5tFUc?<5Uy&2W2}L<620C%vocZhZ3aSl zfX4_J&6cPS6eg|-wo844n(OIH&57=OjoepLsICx1JQ_ySVSOW!92uGYiC4(jw1UHP z)hWQ=r<)O8&*$HL$SaUhDyC)_xIiy(_fviVlZbhu%#tR+a^BnB{)8HCLO5k{Fs`^b&J6vTNY7 zl3|*>@;Qi$1WMGIAqh=W5ww=BobwL$z% zg?hhBUyr)C!2;~)D8CjbZ4EJN9CiAi6g#)nUWd9UioKz=&b&c0evLxvsQFX%9RhXsG9~p;S3ng) zBPEG1&eLkCv?7I3F!{F?=aAG_+#a`FmcS5cwRt7uY~2bETN&qBA$Xf(}T83@2xNtT=X*T%ytlVwDD0F<;R~#^@2V9qsl)=!9 z5_#5Jkd_lJ$xm?TT_!TrXgDR-r?lvITeA7wwbbBJ;=W7EaKE^=I1y*>kV`kawI9RP zV+%e}f>x-xKl83QM&NY0bFuyz06tIq6;Pb&$(M0M2y0FN$KO%j1=AZv1fHyO1~jE= zf{{%2#z5ozH<^>SYOFsipfj4Fy@3=wZc`5~NlxeQx_ zmoDOT!81B)-0yzvY6hO;8w;wE$ecrm61&EM3BY69LoJPhU2cQppRHPG6Fz5x3Rkut0%jK(o8m@!7yQ)uKcnkz9?gI(B*B6= z7{c@3!f51exl!Hnf--|r_3=Xi;8(eac*inQ*!qwNgqknVGvUZ)QhAD1reRfiG2{RtTbd|;Ii0=wNV;1AaT!sjb2gJf z$(ZK>Ds2`-ja?+I0@1NF?7e3rQ+`9b^CI2+4cGo6WV%uLmt=um+*0}@BaIt?3#A$I z@AWt8stR|P4)I@ve}f*ZBM<)>TApEIe*^=0!f~$DBIPBqy&5+@oN!!TxQl=ZmL!Pp zslyr9=!(PoH z{_+A&is>3T-WLq@0F8fc?fu>9Toyx9%<+-pdB0~g{^4c+4jrYgrOd-jse=6WaWVF1uxO<* zy;|SaEi(7EFl2uQ;FlSR^kj;)k$m>wd>I;fw^=^}LO1{E>1Oica}=f{cWcm0P<)SW zqjj_m)6$?>QhYP~IyXaBRK#0yVj%|@c6(tf(U_wd7uX~-;z?lxtN+ddxC(Z#pPC;$ zb){etT0uziSN#KUbXS&qa`WJ18oSJC^dFF3%4>G-Lufcd<+yl3{<&qKE@4DC08xjK zt{EKX&^q-6euon&=aG_Ra|^gq^$@GfV0@Kqn-D!2AgC=@~d zPU!wG7`vm#l2{}oI3XLEMn!y-6DH2bFfC8e%|p_Lo&_8(>Vb`sHj*t(-Uc;D?xqAQt_h*_8>ZebtT&Iajr4KluwQYG8hA!=9{34xOSlxBEZb}R5@UuNhM?lHvrk|`aRQKiCKvFA(4-lLex#E3CD{C(+gTuS-Z)_e+$cE9*N1oDcgzXzKK zg1+j2Ul!k6JNuiyb!qQ*ole%q!nmvn();J!7geNt=wNEWRsD~;Xu>8~A1u6zQ{+=UxC|3c)j&)7mj&-+L$q3=iKU{z0t9d0mCo4d|#${#FXJf zP4c+%3UY}d%Vv(+&H`kabVgCoJHrIO(=;92Pok%_KVqC@TY|y0Qmpk(OQn{U1|(c> zCXcy_-~%$ZClLpw%j^BPU@}22H(C2|7Mx|e9!n}ogk57#l@2n8F5Suw14e{*`nq47 z-XT-amuRHu_@j-^jl*8UeW@g`r=9wNO@8J6SGzNVV`rpaFWV~?7Z*QaQYb zr6+KtKQ)vWiQjn@`QHvG!Kwh|%D-Bj!RNXQEOIG2aERdeK%+#$P0w7lVNP<8O8UahX1Y z)?jhV8gAGyKY*O1Q0|s3ifFYORZq7&6?@|G_S?`zU|UbB-=5FzI77LdhhIqG9Y9D| zX`}zTjuU<|%1KIYgKx%Po&$L8kxY@S)Z9$gCSm8Pic&}B^mLQFlcR#prG_Z-L#Dx{ z+2yLS98H^r##;BjeY~^__;1FJV`u=xLo-0T6D}cvT_yCwB~OrH;GT)R06mf7UA z3x7a-uQ|v`_2TcqGkpXr@cr;n#Wnmj2~h zUZ}5+0Hg!uei`tE;15IZ_$~7l=6er#hEIM;=Wn_5hn{ar&l20-72^CX34h^>sp{R4 z@`4R{h(Ye#TZsJI#LaGNG6y>W;VdjrDM)9;Uh!++>N*s$Fvj@glGQ?j)QD3oy3=0Q zuk}x=jsf}j<5;4`mP$u03GB;~+qE?{HL%&U{WZer$3UDNJSU(I%)DN?cSgwHrM!A1 z%1?o1dxOXQSIB6xLRN}X|Kyj`-tX6g-n{Vl`#Rojt8%@jarS42fI!L03x-*oHDkS> zVSA6nbDys(j>EYVqlfM@l`5I5T-YyGw&qd^#dKi^ zE;VcbG63u!YZpVGO5ji^g%6?L>kf&0{`v!z3lDA^h=&{m4|a9o5s?*+R43=WD# zidl4guV1K=FVCwT+MTyo>zlnK6gm7_y^oO$Z8yX3}h z8Bz2bBrR&|PH)>u&$P|S@`f92@N;Ezy}W#!+QW0*zLdXZgou{crfG>fE)ooSv-wSQ|r#`LhA1C?L1C!Q=s* zRnt#3fAgvR8Ed+RCU(A+^lkQn_S$QrZ|<=nQ)0KO`RSR$zK)K53fl0Rx|LX--;C{wyxy z!u`Gu**8VL*kjt=3WB+By;~_hH!W>hQ#(v-+^Y7f>QjL>qR{uqSP>@b{igLZKPYJ$ z7~{77l^2WlIdZ1m9s!LARj%BhO{P>_d;kQoot$WznNK}B4#q4v^o(yjuVt6T{0i({ zV@&m~>X7TCD)Tkl?EP9eN(lI9kAMOw0Qf+g2en;7benBH*D(%*Tp26i{^bStuhZ0~ zxgfor1cGzJH$oxSPS=CD$9;wkSUj}|t}&%#vNVo6m&p~<5!@(L zcRzt&kYa$|FX-w8`_%%JTS4c$iZP$e&mXa?x2FcW>q3&Kzvc;yjZV%wDM?o8A#Dr| zC!Qq9U9HqeL3hOHv-O>Dz?UjHAn_W<2Twb4V1nHvV^(yJ7vr^!`8aR)^QjYuokGtM8h`CAvT#6l-fn4!GE&q{kzgF)r zij#le2-U~(gopT_!pV-Kt#HYOObgQH)+ z*#Dn9cj~3ZA((za=m=MMka^hCmY=2&osfSaNSSm=rp}A1e17jmUvE%@t7qJmKSNWj zpN=Z*+-uw?7PDW{U}hsUTylTaUD-%ISxt?ca2X24Kh8Qn#=H`OfIEVd9c;z0!3tW{ ztwR1&;)9<<7R;UEn17!%c7i{f0%F9TjHv%8cAA|rSCW%aiuRe zXv`?R8{NM%bvzO^jb$ir0H-9VW+Cu(d3fP$d~)&$*r(%>LOU>)L#Nb(A4dDM&bDj{ zU*o?%cew7(e{|`d>eKYR&X(U~jl+}mx*G2?6Ba^G)Cq|BRP`++v=|#nv3@+!yr)(T zYK6X@9^grUR|wYfGI!p8-#kgaEYUOlVmqtVw!^J9WI&&_`pd{=u2-Ax&Zs*L|(*$DFx;muHB!dx6s1l~?lm+PwaRFe>+I7VJU m!Kx1a9I3f2-cMkcPiV6i`89rM*9)G4A6-oYjVd*}i2nhHRjYac literal 43333 zcmc$`RaDhq_$RD@bST}O(jnd5ErN7|bVzsS0S?_=(xTGc-2#%*2uMoDyZQZR)_Uh| z?&iXE1jKW8JMvfv*uQx3(g6_$e8V!TsC@bJUmE}KU-wA{ z(m5?HM$?Rm8^;_v9xng399Qc$jPqW;mXnhcdAOJvN~DY3?ATtYGfkvZfkZ~KL+W`W zBO}juCq#U2zd0RJ^Yh3n zbb`_7_`Ca?^^E=aSu`GN33JPeJ+WcjT*ZeP?YfQQkwz#K+I_argLN@1M4Zll!|mNaExe9-F1>46$;qkzG#f43@^%4(U?9iz;r3rRItd55Ju>bQ+Wur;G@e>SSsDH2 zHCZtK#-5XwKWk!(+tIH&({M0ASp@}&G6<>AC*mhgXksEB^T%Gp&1lqYD|v7 zXEzy6V(9N8ffrkV#SnDFT2eGLH1zlP-(2@{-Jjkj^P4yI@bF0IFhAR!$mO(DrW%pZ zuF~S)KRU7_eqtWWc&GcrRwsc{DrS=jl8eP!^VHsIMS%YoVuopHuvQ{6*7}rL5S0RoH3gJ{po;280rvPGC||iqbjp><5aRJ*685c zmD&DuaaUK@{X2*Q@p;bCT8BvcM-B&)r%BhrBhxq`3t}^!Rta%&cywYb;-)Srjlx^a zGSzQZYST=J+~%=_?@T^)3)@WO2ptBUZ;!}4)^t32Z4D;Ol&aKUP*G92AFpQ9sgUZp zT|aCN#NpAa28`h?HNzsHzrK(S-5t*^6pw^g&f@L*UirbT#x`)s%&E3JC@6^d;X2rE z>4zHM2Q^O!G2h@~yRQJ>0EDElRTgDVeJPpogH^T9&DllD!~SZU_tnwT04ZxQ%yLmPMf`cqz%!YlFSy&dFmI zcSj9t=w!l*>FUMuYA=>Bzp+!rM1N)+2@tN-Z%L_Gpk`+^A4xGE+(J=&9sEVNfu%6- zaduWStP{rK&cVy`&#vFt%|A99^B4vPt`BjQ1)EhfcvsWa&-qJ}lzpT_SW^>-8rTC?AziG=~-NiGjyB?=I5Jh#*7G3X9L*ziii|nzB6Ts zQ4!HmR^(^IwJ}0=`N{Sw5%Sa(vmE2BQU5LN-EAjZx~sGHsHQA|a{A+9$goZUllWha z(}{1<9orw_N4}U+Zv8C$%&$>rA{Ar0`ePyL2R)Mwj*V=k;>%GQ5;lFTXg%6fbW3oS zNTcQTyS#^kt{?A?Mea`|cA!hBJ#`3M_Qp;1(Y=hn7dx&uP`Co1%ie1~=drDi7ysrB zT{u;3$FulQ@K~tB89aBh-L(-EQRj#KkXtyfW=GFx#2`otDe|(ljXGG=e%HSdJ{3}n z_tl6s3lPgbtdJ?q33AM@EA?b@~Sa0XL>lofhoG-4J3HgI4@q z@di4T97WwqYmV{|T|~0*DZkr&I?rid<8HXDjCu}OdwqUs0v5|Rrh!+h-f`oJLkzb= z4?Shp8G(a^zh0r>s)k98CQXsuD*DTsvj0^q{~5wi@*yVUmO%JlqFhayj3lB9yN0GL zt$}t)uMqgN}1eBC7HK!n~HTv zYOH)QR?Ce})c8q)Nj0H*BLe%W;fAtQq^d*vYC)$40X;i0=mGAka z>|Dc2>NpjYz4|yzO~r)1rfxHhq!Ei|4G;DvI@%;!1Sr1TZrZ$Ne5GgHb%K{@ z!gAQtb~zwnb=T4(ep&Y($;an?yGCBrs{OWf&nZ?V59onRAbY3w< zChL+a(*X#zqYo1k<}w@HfHoFm9O1iRoneU0-b^V*bin7ITMA;>Z(f0xq=S(T|7g_=XWUHB&_8d0hSuW4nM9~Gibb` z5kXym>?9Y93P)g$0t`X?<7NT@l~SSw0U9CKpy#R>fF(t0fi{MIH|By7#9!;Z|2FN) z)(-Znygb10r`rdx$OKMqMnZ1=ROvjU*4yLZ-#pD&NnmVHk@d!+Wo|N;BgXoG+@y<( zD)nA+Q92=RL(wZAN~&%|=ZM+Q2R~!y;_TT=p>lNPA#z(KI7DB?e>FHvjM2X0cijs} z?6YxU=7}-eAYApkvy;m-Qj}Z&WQ~W@71=n>@T&1N$N$ljyAK*nwT^x~SCL8#qt#cj zA>?!brK<1Ys`IC$Si)Wo=fxv`Do!;hc&o>3Ffm$0;TdM!ElTRON8z;AX(s1MD}{?g zQW9{!m78|1FvCTi?J!mF3XA$ik?{sUg$UUtz0i9*`9oRC%T@O^UnrFTogB)9;5jNw zGF<;akt~PX!EzHPUlEw4;r>vrbN~b_aQ9%(%`-BRd$yUBo5#i&(<_BeH>(>zZdNs{ za-fBVxOBv)@j6jbGN&_YRT?qKf9ynDu2qaB{;JSfnz-)lgx>iOK_ZKa&n6lZ1GnKK z`&z;!YJ7&hBn@Yyv9tVdrL;>myM7$05H)ii!9@sB7T0fbH*yMvZk(U>%U-s+V=da% zI4d;j_uHw4)VX&FguGI8i_wE8fp>Uw30%M7aH#^>>VMHBlFU)X37U9S+59%Z9SF)# zQ*|OAB@BkTOTF}_YVv;uooLEsGKA;OPtF+79Y~6>DXv=zbs7_{AW~=Q*Rv*L_OEFP zQm>qGwZkisFB$vmR+Mw=h*mlizJ5txWI{CWx-L<}22a zv2OS(6?~D)_ApHxwp9=`%Nf_{-U>Z@cA}EU=BFY@pgjI7q|2PMUPaN4Q#}tjN}@%_ z$c6LNZ-UNAV#bsoi(tnOh}U21)a+=iiH9N&&2VRkzI8Ovj22h;o|d$fb~gSMVi~r~ ziM=k&L*|`fL_DnU>oW_R^TE$58Z`6ar2KGddQ;(*g2aD+<`TK;J69;JvEFuoZbG9E zp!A~&%O5dU^P*+7r2L8<1ESz~mJiig#2l1cDHM|_d>z`tJ+L&@XIEDPJ;Jwpg|_aF z@AV=ohErK{`AW4>LoK+sBe7J&(oJT@vgIt<-soCfIx_K5ZRX5DExsKhQO+;H;S_a@$f zZ@y@ji)TC#4|13m)Fm%up={Hd#K=}w@@O$M;G1G^rZVYFs}-IXt0ML3IqAn={L~wQ z+s4m=E3xoZr+bIxVuZ^;zJ3LOf^7z*Gg@Ajtq<`9Rv`Q7;B1(|54$BTQd08je+Tn) z6w;<+wO=ZIp zcM12li(ie={^D(DezZiOx(R8ujWc69w9*ktBh2mOmO^IxgF3Q`Gdd{RNH)c%MRndc z9^lgt(HWhij7u6S!ceRhl(p31wwerJi07a^i-=|>|45_JQyr9zH4@{+n}i^>;Rg3D zJ%`-8zphUmAbakYntd?w^F=SH(#D1kUklbYn_){uVVA2FhGpS2{%p-$uxq(pio#)( zhx6Y(Pfc_$G&<#3^(gfE_ox4qEUlWj_MNy5F|YAgouoZv+@$S6iV?zj+E;LH10_}I zM8kvUSkq9)(9cXP(;-C3H{9r1AK0%p+{=DerdKzY+$e0*^L%7U@03rT*D3F1ib?Gi zdtKl}RDWmDmB3&*_P36I+j#uDYS_|hYl61+hWvtg{qSPGOT)UxLahADPMCXhef5A? zqC3nVD7^A~cOTM7EUHG7#n;D^Qq?<|B*dF3^lU6|J7ejr6L=VAN|cCZ70zDGdu{#X z_>Boaelm93)HWuJc>T947(s&>5?OzEA%&zEjns%*V!%YD8qoGez-03pV?m3`;kfOJ z^jDY-740Ug7^(W$MV&_mx1D^iX_8y_o??DM#o>iM5hi{HpSmD+eSf2)OOwm4bk1oe zhTus+7LH@IBp;Laqci=)3)#k>RN~{4vMsCfWeJB3h=bP(3u5cnpq*xj!+CTIwxzm-h7tp(w{2=J|X%R}*ffUs()^sOi*90f%}@+OjdJ_~X2fHrlWu`*5H3 zSgw+6YdGV(aM)zD6;~B^zwmT2n8g`IPwHG2qP}i2AtQeku$U@5LQ%M*Iz8WgD;AFU zF9i@ZUG124%)s8mg`chQzw5Vpy+(uh-soli9z*DSkG(U#{e#230mh)&_wF*0R*AC9 z&ct5Dd}zwWCEbatcDxw&LK63_*}`1iT@kEy-1}c&-ZN5NVKgph`6~YTWR^woj|jn? zo8UMq6W+ya!PX+c+Xyi8uN`50E<3V8zE=Qbr_Ta?#9214=Wkq7YJHjk=6qM=T04)p^vH6rhLp*c!P&7ob zl~v3N)X*;x2#S)Hk_FDITmDjxK?0Rt_|j5RY(eq51FP_VQ1&O!M`=gdE~PWjLVVMb zbbisN&2CeB2}LZ=io%*l(AMVMVm z8YL z9^QA-H6S$D(PaqmI=ezBGR`O+ zfhfCX;&>)&mD8pM{M{fH`OY|T2BYSnWbJ*L?7U@cOa7`t?;Te{It>_By;qm21ItNSbEuw^q$Vw77e7?;iU#<>*?j^W_P-Lfhg zQ5F;jXKa!DUs00Tho}`w4^i~ts{#FCyZxGIVbj^$#DC{Q4ozdXYi6diS&#rEAcw1p zlM+r`dF8hU(_3>p^94+p^wDocr#2WO_l~J7`i(Es0!nkdx%8s5BKE7$%l8 z^Ip#2v!CYsP^CLck7x@GXLs}!}6dIUrt#@-B5SxTBeQ@ zdE`~1n$uMHP=^`))nTo@lI`*k79O?nhdvfTUXfgyOW=9;qixTk#-z-v(pD(b(VEn~$ckd%UNGp_(mIEA)SQ=qpNNvqK07k5pzhy2`ZV zH|U=Ua*#4^fS&Sqt^tza4ddH1!b>~tJdIN2i;yo{$fn`Z*ihDTCd`=O!KATH*~dD+;A$w5X8Y8Jpcx*vB6UxKkd(qEui1jZc`Ay>RS?~{%Xrr^F(A`_vp<%AyIUtaTfiMN&fu!2*FQ9*lz?2G zO+D%i!GHU^HuJo`R6}%?Zi7~tYS)uPhYzhnq57xJVbcLu8RqsU#P;@f;1rOuoAd(D z00DzkuTUE8yoy~X`{d-rX|sPUlV{?eQrr{k)YOzMLrk!Uk$H1FiG&)tkPu1D=c7+@ z%E~F>75%42J1g#M`t=rQSKnKsu4;Pa&EAqR-Ng0m{Jp<9&)3-+dG}~8DJeNPVmkN< zY4?MUoS#;Bz};v%=VHC3yKnI5(?}#19WpLcn(-6FGA1VGe%|M%VB^i}sp#<zmOl))1}*;{|$R16Ld+N_}?pvr{B zzvOt@Ip=iSZSXd{6QElt1-tIdlvcmlRp(DX#_PA>tr|!sWcMq^b3-}MvkXlyhZ$?q zKK|Q`6KMwogc>la3k(tc-R*np4c&|JeK67E*#h(b?${C&6T{JnxP7iq0De2?dGzlH zhz)E#9~U@UYM40bY6r_He1Fmtjmyjdsp_9oIatw^5Wj8^p;;N6|IXZl?w*2 z@3Tyx+vVRC-S+*HurN8F30k9zy(vVI7A$^2^I_~D>&@?J z_dMT8uAx@`{J83Xv^((vjetY4-PapvZa_1>IqAUwt@`cDidrE5m*)CqjDmmO1n*LB zIq`P~?sPp~^$<+tYJ)>=k;v1%OHl%sGp|W+ghDC{MfjlG)!&shuLI_JR^L}i4xovE z2GDrZBy?d7q<=uXP74ku1`%iPCnYeNgul>;7i&K^afEKTXduLK#9r>t>;eG|iezkT z49p5k)nIru=o)*;M9l54T%im>PmVtPk{h%`f;`x?4X}fmb$=YrmSgqkwRycuJ_x@8 zUYp_E z*BAnWr~0UnCRMUxkAZ=aiqMKhr>qCS(l!M!286sXFV4@Yi1q4BURh#cVZFh>xd{UA zowp1aI>inVn^9+xTq0sBryxx6IHgq7Ym^KX8&;sRl91>Z%j58k=88OhC;L_m1@@2# za3Xe85+-+>KOd+k`xGNe900?|w{R*D7NOv0K?yz2pVa~>6!_0qEAAL%!dc`{w$!to z`5*-&`ARuPY}4>AX|eXtzmmV(%vb9*K}q0yShXs(>n+Bpf%sy7Bc=FkXZ~1cXQ(pl zXcwH95;$(!C56!_f@#{Q)vEeP>^wX$fPh00crSR;3A;U#N~a{Qx!bVj$LSyNnmwiF z4>`KhV%SMuSak0Eeqw3O7%GzNk`*KD6Dx#=m>_so5K1Ytbq_1)Ft^bU~K z?TWJGX-zJ9RD~%h0v`fzyrofp=(o7Vs8tuA#}e_dXq2E@i#s-d^Efq`4ygynG$Hq$ z{dAGs58Fi+!*<0hRWbHgMz~>e@%o_1U6M&Q9Kw&16?0JhN->nomy&(}qNXvzblK-H zx(RT!ccMwGn1q6j{oQs^z1j4 zL*!ci)93O4dGpg`-b?mv;B-c!N1`Al&``gE`wAE}6h2AauRbw>G8f9wb@Bc9wKR#E z?-zc*dtQDouP1AVEN}E61qD=v_KQY~o86yMsUS|tXo;x&jiPOm z?sqmn4_Djn0QTdw`N`BP2R=J+!;(e({myqIrZx{A1;4uDCoI((!?IfeEJ1B(bhyLn z4O=LED3|B<;pzIlS#O#=zC~D_O9X#^Z?Eg0*>a${-qT!HYnDTuZZYU-@zm+w+Dk7T z(kXt|0yUk340y#()Z^LowE#*%fpgLar2F(5F_@2(#>5F_1X&4GUlva>UY}y%xZfJ<}ZnB=r_Z;bnmr)%q>%_h$;j zg$ZI}Vtb6~1fqU>F-}Hxf)|q#XU3#IU?j6x+b*D6D2VuN(43jq{|e3E1~g63ivT$S zy2yqze-kj)z!&)uTU6c)TcDQMBGM{lNLntuRK=-s;d>>U*FqzoBwBR$??A?G_5}Dj z3NF=ymKKsq`uSm>=DrXhJa4g*O(j7d$92)oL9|KK4Yp;kOm4gTED?>)wTK8r>;mAx ztB2(!2C%B+2;#Bm(HpdSfSDMiCZyVvd;@BzPOVWFaA64<3NW{j38YaNHOm72_&hya zMG#Xs06bF6?WO!ck4r(K2Yyj18dp#178GcvpFr%!Q3u4I2hh6 z(6@a7$K)Yh#9vr9_VM8kD_Na_C=~P)4GM1Ki7rT>30yBI%etVd+38n6v=0H22ljU< zJpZVl3Glq}1wjV_wQn>>s6|Z~Bq@d@r6I)S9jJ-Ph!_}8rvqd>whNurQf?T7Cm=WA zwL&-jJbAQvB41Pf$;!(^ZzyShe5`76-llw;tnvJ#okRlljFgm=oE*qnYAQSq&*^6q z;^)vsL#8f$@!&2P=0p~s%k9Pf-ky~!w$l4|pAk${ZSjeT508(JcXvOu``mDt4-ejj zfJ&dV)K>+a2AaUpYMa2^O`k-ueDW~JVTg(bwBj+?{5GdS{zhrie`*(IUsOy-BV!ON zkxBNyzF7k&-tO18a@Bko-W)7B(l zv!!{sb_TrEVTb=r!y)Xuw>&shL1HMe6#;)tKh1n|b_ekiJl=HYYfm=@s{rIbAE2~f zoU?)HNRJCIb_GNcG~z$MzT2#?J^o$Do`59EVZ`y{`LXnE9GExJh@}7F-p5sN{kR#n zXxXk!&eZD-#8+?({wy^(gsJrYhl2=pt}0 z>ILKTz=8*gTmd)+Fs#OD9qAW@-{#0?@Yi2?X^MoOI%;lQXA%S{`{VR(P^v1 zbvT&3Nf1z`xw*Z0XS?9|oS)%)UY2?Qg8r_w@GvorYB*3T)h`mE2`P08w`D!Fd_@pp zcDnMm^jpAZw!HImx1P7`Yv?evb@v$V&PKXS-|lxGVJuyyX6Sp|EaCMo7<+TNQVGR` zd^}9K${pnV4mM_6oUZOs1NTbHzSUXsDNTZqcSiQ@5d*ikPxGeXmoc?fv`S$uUDscK zU?Ek~`9ZHXH#bd9O}CQ(JcIIiNXugo^Qz{HzuN4y>t|_;${0U7zUKF!|Iq1hniu3- zst1WuArm}zHfgn6xGyt4rxMY}Oom!`JALYvPEDI588=W8@MP%Q@bH}-Y$BLu!im29 zXO;DkueM7`sm^RH{8Rk#L4^Nc)9%PS*RkK<~(bikOWK4KM9f z`?j`o^stzL-%oEwxK%^uGU>Vi+m{A$vqM^3qnw6Cc$sN_G~-8c?F&az&bQR1OIO)S zb=Qw?R>M44m$25#d;dHFP&QU!I@j~IxN^k*xWj5VPFv< zeGYD!!2s?6s<6t#t!wkxU%T(P<44!XFduw;E8Q|*z4>=u$6bN1UGE|Kui$YJrZSch z4re&M?qn>mpoxHtzgE|$t;({xXn>}AX!*Bolyz_9@+(_-s{ zbg^Nil7l)!e7*V~+PX!BozFfLVZDVq4 zw9;Cf=84~&-+To7&ic}Djlr3p<6)#&P3+NNRSV|B=1@)QeC~c`&zm#^ZxJol5La8< ztTBt38VpTPhs^+00v%k)_tw?StjOt*)R+I_pD?iB($CzjAD=JT2~9` z_8}o51Ek)gyyIUhMY1McuNRXfGv`jF(0C#xwxHKnGP5yT2%ezyK*%{*RuV4%aZCpq z@XW_+$Q-?wM;JXYtThu}D=I1iX$9B6%S~2O1=2{*K=9}0(DAw*=tCYJ*Z(C1nMPL3 zgZ+Fc{C~W582CU>{(&cSQ-aOPOqp!cklSH^2P@&&?t9p6UZH=9gR%_L#HMYs{Ehz% z6&b($IB-;=@K~$)zkqsjDZ$9!9MBr}Dcb`y%W2UN=2Q#{)eywD#1ZDJ>2(&Bl z+(2$*EKR1F+(xjjLRm;O8|@he3ReJdKU!&N01$cF|9^Vf$#F7(={}&h)U;h@`1G?^ zxcpK7qoTXPO(NHdnfmuO`Aq{#=2#BZ;9dJCF_Htz2^?E(kEI`W0152_9YI?=ZR@$m zr-$wO-x6`#FE;}GyfcNPR+N(iIm*bWD1MIKF>sAP zSG3ANrv}s@=SMa)3hYHs=X8-*xZZuvUOpMeGUU1SMi4V_zbwWx0?_2-R zUZVv*%FD!&w)sE#ZIVZ`0sUg7#hnO&XMCzqrUQhDp2MWq9m9a`b$~!9fEw`@1jGVv zif3S#{}mOaEe5Ds9b^H?Ku8gtg#THVkgoOy%k(Ps6S3JFusF;xjxLf?Qb)hOGroH_ z$NN|VO-pNZ*&V;W_Lyc02I*7zc2FcqA_j`MXlTqQ^Ta?*s;5$?9&rSbAqLBS{ovqW z`*W#C5F|F%Zte?CwIMo?vwwXxSCCtSTU}j^`Ss~L;lR`T+5o;g|9VuAn>v41YwpiR zR6u<87FimgNHG2X(vV;!Gp|la<5TXfpJFz)6)41q32bE#sM1DFJ2=_U8leHz}AyfttXhEVtI( z-Tkv#UqQ9eeuZEBH%MxMX`h&wh%*U^q*KmXf2$lC76!I*d_d$l-doK*FoGD!4-j-! zn*q>wT7@Nv7JuqzmF~7DYx;dLr=9|x|IKzPfVs&`I_ep0eEyGu+nHR}8^^~g=|H)f zMqV*hCE~H~6~<2=c@8^36pdu0QC^UJ*S8TIanyIswj-ydLx};8URG0 zdQHy0xBI1U-n?m?0!ow|YB;A9wjDQ7Uw;fia3Zrt$tZY>(>ROx@Xh{zAojM@OLOfc z84cZoQ+{eWZkO09N*nrM=o|X8fH53{EM*Y?9nk--GLT|SNH2nqZpx+zLqu`f+@O}39A70UR{hWmw(-2|>Z6AC_q`5~yPGD~}xz&hN{ zzX00*b6zBZ{t0AGHnxX~o^t&kZ@^-{)vA=u_Wwtnr36bNnxe|U#Af%4i>n;OX0?yO z+{=h1u+M5DyF`&7JrsE(3NllQI}gKEb$9kA|2q5!3_9Ix)jSf_6!Z{PN(Fn1@ zR@Z$@nsfo_0f;fMK4%pN*vJbl)alQk`nS_En({=LGC@7QI$q0FtA&|51fPD9z6i7t z2GB;3l0n9B6;x=j6E^%a-`PmhuHN+F8GHnL5(}{?C8bJ*R4^WFV>mRx#w8!5G3o9O(g}W)Py_mfQw;4N7g#^*{tf;n%V< zOa1|!>$57^w>oxk_@er5y%K>8w;h8BNFTmqP#Zx3&Alox(a} zdE<@(JugnjA z3roY%4pgRGj}4^T{=COOk=01=*;y~(tfI$W3cyx(U+*Hl_dx47Q4{X}$5P6`; z*a5}#^cOKSvV|HIiX3Tik~toYis*WIy!Os=xoD$)MNhC@+t^Jyx21K`cj`sH{$hG=vaEBH$KN zQ5(7Ch~ppFvp>h;XJEH`W zbsuUBTrmsTr_9uuy9(;_Ol#FKU7WNe3DfCvn;dcLUZ-)4xT>H(!Ee~I6e(P!$4Y^+ z#71(18uebrvMB8t4+9ysPh|Lx`OPfYU}XHRh^b2GU!Lu5Uy$>YECWZNSQG^Cm2(6= zZ_doA!^@(xfcQVq+spgOsagEK(2DvMB0?m&+B@{q z1zq2!khDN3vh`K-Sj1qF-~4z0VgS=%w3^higHDRx^_lV<8lJ{%s9lRVW2x-KFKCwufMJ5o`%W^ zjUIynw@V?nY3OXDWbhkr<4cr*g)I1;Q$nH3(Sd1?&Ly6%{jwB<8%XA65wNG}>-s zyP%V>)WZmbSvUfvOtRj*2%Jo+w53+hdhAYBC^@!ns|UL-?mm1=A~@TWJ-wlWf>Sxz zu$Nd{K=RW;uVeEa&*Wj1xVszItTA{19Bo#SP{XLfMhc=J*|66SIsy%+pkUTf61H2_ zjH19t=aPN+yBFs;ivSCZjPzK%WW%a{eK<`fSJ=Ct7d1t&wdmuK2P!TSsJN%*7PeEM z+JdgVaRIEq7?oq-0hTIfM^u1@LjNkFY?Asy8XeTh^!WIAVDA=za{`oBsuCm=6e_aF zf?wd`L_tZ}$a0el2<1n<6$A-c%?Mcqb}V8mz;D*PkA=q7--9N88{YFyLXI4bejCV- zD!uo;SSr9D?pj;Rg>Ge1U=P~VxxPm~o$VEJ-3J=Hc>p~D-Y^6FbfFB!MGmgDvfh0N z5*Gg1vl~>cF95e0if2HccuSCQPAQXtD;2IdXqFp@|60AC&ZzZ6wVv1y(5-xLMytyc zo)y@T=Q}5Up%Mk7^M?Lyz&&!U0XJ24Oy9q(SH&m|U`C`F!hQusKS}*|a1z*tk|;jW z6y=sqm2T2(H~w8y97ch%?XY0avcvCT;Ua#Bp$=YFZj@d+-ffWwO#bfPRN*LtT{cj{ zLE*A6-j7Rn3?+frf(}Pc(KHu3BiBE0kmUnG$_(Zw%q!$90rzoUbv+}VlbuY5jIQP1 zJ>lV~1VPiA-)VM#0Qc`W@8Yjd%sU0JBBXBmU^{{8H=aN>0Oab0(D;|zbUsh$9u@j98XdKOxl_{J)2rzg? zxp4e|ge27v20YwdbzDpACWWESU2ylOWCPhmj z|LcBRA9JcY<+FDxB_&l{Qc`k%H1L${5A)kO9xKT7ruySEL%noHDdrLu_5-d$sY)*H zJWyeeH#dVZ@k^64gGeIBEEMGBo1M3#8XB%ZBLwZ|{btsGeq-Z%b$NPso#Mr>x9w5EF|>q-O4)Dbxpnq^_>c}NRQj~j(j@(_hV;p=jd)=+zbE%6kMjp&pK7vK=%9fM`k|*Eko9dxVb;R2=|3VuC$XV`fJ{T`w1!&u{s;q zb$V^Gy)q;`Iqe>Fa;bTJsnfdcJ`i(H)R$x5K=&)g ze~7?ecTB0$K&zqy@AtmKnqfx$J4hD5!DbUV`hGLI|MP!Q6*Dj}0OP6Lpsm^I5J`(f z*28@~Isd%c=h}r@+-&P3Q)x{RdN$F`zhNtmc@lYij)UQXY{;72Kg5>qL>ZR$Pe{%x zQd3jZy5p~p=gCGMEJ|zLNin=@4Y(D8!soCn+qHC|N1KKP1sfzHS?VCu2Hd87ItW-f z4g%oU0}Kjg>~B}D;*GJd;x6kr-tfK#dHBR-;?U>tEQm6fpGC!8NQC}xxloszL!rd8 z>&ECLB=i$)TcOW(qkSXg;~qf#M4Fr$E{6Hhs#~OOpBp`8O~+E~H$%0S8Mj;4%j-vW z@iAt^9^L<-WaTsy!tb{S{HbMYYil(%HD~GPX&@G)5(f~DQNQ_{(>ix%98LS<%(mwP z@}(8#uR^E27(5hB#y?N9sd&8R^$YW)^29fi3lDR_6H+Bh%$EjZ;>XNSyFA;?J;e(b zV={?MZZeXe%vN|WUA-ZC!il*f4L%MgH8m{C+Qje7_vh|?l~Ir4TeRkk6uz!tT2hIB z?_FZ5<5qxf@(8S`X~=x2O38JnjYmft8#h)|jLA}eo+<<|Rp16C3P>UmH%321Z%<+T z9M!5B&4szqnHNO)(f`!UlYctNIaIfwY=BmCV{u)d$dbjEn{nP$xKYak~7o(4K80ROzX5oY9>dX(Qu{n<<0iM zzqdy0e)vmhK5e)HWKMTCw`cSB<#x|9kqgk)X{o6fY#}d3e4*-0y9LvKQjysp*>HEB zuMj+Ex-%%Gg2dY}{Pb+^Y6}v*wpeu*SpOVMt1Oe4B)P^mG(Z`fEOGAKVl`^8@0yD z-g5-sx31>mSu^Z4T)84U>*hz~_Ico3ThuMNz~7y8+#3bdaB@EfS~$=qWUT>21d(zx z;>K`{0;BKt!YO9N0+CAcadC1L2Ft8tN^>{5&Y>P)<3a=UYvyPBC zaDJs;{DOTc;y!m8DraB-VWs-!p@XGyBv*cU&*xL!;dH%Qq#G5=SIqS;`G?^34(oFT z&IN<2(r>v0k-Zq$tCP#G5D%uSN{{+00#x#~UT`b^&k*n5)va-W8d)N_<1J&|1(EZ*i% z^&)yBr`a;V$@=!O3dAp*<^R`dC@?$yX#A5j?lJ**SYJ_{+2R>+XBcIUFIHq}2qS{RMJHxXL$r?e403CV{*5JSL zEXqH%*J6vYjQ%?B*F6+vcm*>^E1$5>pYHctp~su%%!Ug!_T`IDCL|#`lck_MymYqJyV!vB{F61 zTD9iBdvsv{r+=VyVdfBWfjd3q#<VEaa`nL8hk1`qe5oz@hhWOW^ z2WjTUq)5<*`EP26WSc(KHg&zFS3bN~*Y*(Ket@s!Q(0Du*1lPv z1JE0V%`gq(FTRnQ&oLH9g(7T#5I|7mtKWlH<`}s6&6$CSj(!P^3ov77t%UIKPn`;g z$#i}CZnEUE%bLUM=`}E(efZ(|`cx8O>3<^ru9jT+5Rlh-?0&fdi5ZMJ)9(plV$!e_ z929i6GZyXh6C}m~Qttmxl;?IDDF$yYrS`buaYpiAe(h{c@_)XyEdKxawL4LrkbuB* zO3v1nDIA2%p3Um4W+_x+UdOYop?)zfa3{STK)PrA2ysYx)^mZ-#Do5o>G=j52xr9x z6VcJqmH?;?lJp!9FhTZMq>0l&+589C80qmAkg#Y61_tPOd9}yA;sInQ8B1|BGRo`d z=qPe{1#XRk98fK=Zhd@xff%IK>}tJvZE<>jewP_o$ga&GBm^$#zgw{V0TOeDZC*er zwj>6;xkA1fNcYdKZ;=B`%p~w7Kv0EX;8|-&0##L06Z=g+$lj`IJlp8hYoET$cLz^S z0`Zbs>A}FD;e_BHh(+MC=vfhaz_dOAo~T=@Oak86IP;9>M;lPLw9YOsxgic{+Kbn1Rj6TnWO!FdT$S08)n|mBqt|d2Z@Ca0F`1*wThLRXG7BcYZz-m`_ z{qNc`HRcRT47hOPzCSI6j)L>HcMS-uAU~7Q`114`%#Y&(U~#E1&(C!Ltd$J_IZ&il zfa(Mu_5h@=QNRv>AOIBI=Uc(uivY9HP*eL{Ov%tFq<}1iz=!g@+Jf5R=aHBlZQ7J7<~lr%!(d$oxlXz@51=aH|~L{r)`t z@*_o#0l0Ake0czac>(GLZVM2ka{@9Uz${54KLlDs21tKM0F@5ccoAgO_U_{;B)}sb zWW)FE0B|Jry_f>(+0dkw{o+@1*R)T8UJ<_t-mH`)0!+>F=mj>+`wA_Z?h;2pKm8tW zEQhgL`33Iifa7AT)eejWz(Hhtbvpcf1s_4J623d+^pbiR7OZMq+}OyQv1$99MtZtG z2b$D)Iwu|2n}7+ZXF7so2sjqd^!08P5m|;q*vl<}{xphRp8}q}KpQH*GoBqSw}@Qp zc?;5rk*wh4eglucxXlHkp*3Qmu?sxCk`K^?L6E>y6%Y#pKq0=ouYiz=w1aI0$Wr}V zd=%f31yE0b8zjk2=nHc2L;2^Z)b#XLK!9`&jvTCgMR8riN7(&^m}3>N-(1oR8lcY0 zqHWb)J*Q^)z<|3SU6Z%PbYm(!PB$RUkEy_Q?r*UeBcx5R=J&eT1MH8DLB9>BMFLp0 zT!Z1oz#w;1VFORt_%Gt%Avz>xh(rjFL8|BlECTQzBBZfgFEzkM%91+d6%g0PjCdI@ zTC9q=Ol)2Bx9w`xCCMcp987>nlem;G>jp@B789hmR5>sso);o}_bAur3<=6${gOnA zb)U|f<#4KS0PMAs1EEqWX=&&q5I&1O1mtDRwcq}!0O~e*AoZHdgb-AY zMum?ecDVhd8>P{7+6uopLNmT!#uQ5)1ei|2U16D_K}r2dI%Rg;FctKKNnM9Fsc!IO z62jti{?Bi%hbQgAqzQGzC9|atfma{~BbOKP4YCZi;8#QewkCmR{I||+RAiE53ERO4 zS@Mbt0tI2a8R=fqKj!e)<9p^~c7;+1obcn0~%N^`iE6|5*1!N0< zmQlq*Q%vZEyd`D$TC&soc&TegK~!ppO|JgVm}McCFZvz{c}$zP&r7;{D4(?Y&q5v5 zFIIDK>J{VF;)F<~IKU-|u+-k|Y+>Jz97w^F;+QyZHOap`XV)?UwSIpo5(SSh0ndPl zI^nYWh5fnf4y)(8^$dIh71jrXa&;O8YjI&`dTZAp*>9jz6(J#)ts!Qc`5XAc|a)-L#Y|#NAXvmLe z)bXk^ClDZ+;AOEIjWvHyR}y>(EQee^ddr65RmcS(0hcSs9@NQWTOoq}{p zNp}bqDUu@HC7>YEje;U2An~5-`RzNivw!W*?Ck7c&y2$Z_kG3rp7W{Gd?zO&DGA@d zp9M-OFTpO1*3r9|&vYbZWIo}{+mVIkB1*YZtl#jODJ`mIuV5rDhW4##7ayP~q!~<7i*fMDd53_JJ3=-}aH}06^DsfFk_NeMa z8rtx%cdhBk-1>}u%zUkkJb4ZZum*}IryE0t>R71N{b$|#>qE)6V}^{e6epr@D;K(p z+`7EHL_t9T7j=^N-K{$r8n=L&p~A+)PI6vsllpl>N8er!dt$UQ0-bwe7f}m(Liox} z5>Dn-uZU}D%j4{ip{CMQaFi61oXK_%r-%#!`FbA8X8x!fi_n9fyPxw9%EFC?^)nMz z=jeVk7QRGoQffmT9sF83R=v;({Er~;B;1S`>v;w!@I1S}6uV2?zw0;dt}|mk#pJ@A z$9z7+h5thh#S-Lro>;R5Vtt@=;^3pvC1zw>M_ILC_ox=) z+$FTD;gu61$6l`r3i5GP5520PS{Z8+3qvTS$gzq#?A<$P2tnhj?UH4 z@Ym*!1!wtt3@Nb?%hGQP+NJRimJYRyJha5_j3}O*a*%$tVe$ccLt0jsxTm}8_qPrd zg61Lx^pI))C-lzkepzR+S3N(!ynB!#h8KOlw**{*d=lp4y{B+&rKPYo8W=x<5mA{K+U-^f#dxZJ50N z2uenL2CXJDB}-zHiN=SmO{EWqo`UI{T);*Z?g8iywOf^{AhtfqVSsG&G4fBz0=m`~ZIz*>*_c`rULz{8M$Fj89q4M`UU&so9UodtiX)j#&|D$zd{e5xgAvgUNj|p+@GtU)YEbe5KxOO8 zFTSo0+~(IRbKX#lA6Cj(%%$R?o}W#OBz)BVU&<-jLcXw znbe3?O_Ig&-kD+eB7M4++CBG(mJA5Xe;MY%9oQ}2*P`2zLzrg~ph`H9b$A6hEMC)p zaZks^|8fCm>HTX(#Sh(e3W3h33oQ&@DMwssEC^ZqIUY<=v2su5n~xw>iPQ(LpHpF` z)^-SFCCo$`#arEfOJjQRy($sVzMsEJplEEEMha+?CTI|B)C+p(p<-I#eSTxadn}b1 z1h^+V%PA&~9MzYUfe(dHjv#QT6ek4yP>bix$S zp|KKZ6+HEIrF;jMt|JTsD7rXKrA%IvEwXlk=`aE&#(t17GVN?hZ!w?VN% z);VBG6sE86(f{Z^;bCa5ah=^~I&Zt3@J94qn@1pQxAD{q0kCE5)+XzF_q`=K$Mki@ zzL~{p`7Q1iSxvWHZ$;g-D}j^1+Y3n*J^ea!OTdu;<2?)BrG(YD?J)1b_w`z_esRMH z+9F}+Ik96|C(QAEP?sgM?%REja-xcW1|YY3{_o!7vMbwY_u=wnV~lN&$Q$K133j2e z*8#CH$Y`{)1Tb!U!6ks!>~%?Ou_@ULz30p8>t4I7Tawgg)RdHt)a*QK!&wIqaFHz? zbOvk?qPc7n=mFY^z^9T*zG z9JF@eH+c6M3N-W-l$6;pbG7_xj{7tn-1QU@i)ImX-QP?94+DhQEg!fxE-t@0@4a3d zE0BShGKw}?9u13nlk?Vh3udIew{IwK>~=cVyexg$+ta6F8hgioXYCU02A>lIGr%;l zb#@^KpGn=$U858c+5nfNBnN#i16oYxF;c zhcNWDIPbRj{5EcIeh3Xco!?sW+eUquoKMM?{5a;}3l%HHK_1JW$Dbrchxng79GsB* zx?;&O|0(1Ovd`cFPWkfeGq3`0@W$RQ{yxbz@2i`aT-yFsP*`!UFhlfY?8C^#ksz)< z%pGGuT7crWff$+R1#W2vle6;hIQPVoApW@@64}{yRf5cc7o+HLc>IMgRL2Kpsw6k) z@{$uHe6>%+_m_1ycf5xb@T7=|iG?6==>H^#uCZ3RfB!y+DH2w>G=94<;nHf?q6dh3 z4uvL%l+5TqIo=XlH4kjQcy7-02Qx94fagZQ$Reev_x3$^i97rK;HqO}WGwyfemVf> zH~sE`{iSKP3Ie##eN0>rS@x|7W?MFuA!mfXO&OW0FilaK{L&yI`pSF|#PK(}jk;*?D&F#;`DwFv^%vwIzZC4lgQGoTABc)-}sYTkB z;J1Z~%iJ5%oX0aW*rx%sLr2}oCM>8v&u=@#G!(r&CeD!>an}AIekmTTHY*i$RFg0B z;{ApN>VQC*2B-~VkSK;4gyh=Y?mU%1{+e*A_Vd3xVT>*%8~^~0mT zXAT~Bwn2*IPEJ9=Q4UuvZMXvj!BkWa#!vqZ|4MbP(y527?*g>h{)EWNUen7?TT}f{ zS04!)ZFr)9z4;%FcB6(BVYcuQEShUr0_*!DKWfMC`cfA!&O7TCO`YzK zo_@UP+!pRwUs@{pdhhtphD-Xt5d*j&ZxiiHr^d#3IXMT#T=7<3cN;wL3{>`$+r%VG zop7p94yJeq|iE#N3?CQpi^~C=4Sz=0~2+}a8$o$PU&J$Iu(QRll`F$)@*w;q4f8;WiAJaBi@W*y z(p{C5w+o59fqT6_&VSpTJWjEzy5G-G#_{Su-)aL2ydZF(LXoqEfY0`?;<$O*eyeP& zOg!a0<!wb4qyp@{s^R;mf9FE zdk#)2gWmMN_o`7klaMwrIZDu{^BHAwlyk~<7v}zUswl+JLrbu_JdM#JJeV(8{#;Vq z^qrYuKz7+?Y4k`RA@6fuFDvz|HOkdd-r_BHogJSd@) z&Y2&q4$6&iiko>zx$T!06qo}lwe}YIJmS7PlD?pfN&(ac+9|5Oe0t$|t+kEylLSF+ zDV&R|tX9_MfA(ZtZKJ<8Ta0(2YvzCL+I!yN{_@Kgs~BUg_nTYj{4p;@VCW{Y81DS}v(@ zZ=jVm2<>W1Q(l5hq=HiHsw`|bZ|oz)i`K*V3~hzl)qkvYcdAUSUEMcC-U8?{Sk=D* z?`#^QVcsNa*^zic!+#p4*fRYe}ul~TDmI7TgX-f z7m=z1NDW|&CdS8K0)I*FkX}D__UN==US9*1e=<0)GSkvBGd*F@0P8s@1usHx&|+dA z43nK9RYY{~U5Z|GV&cMPHwaek>XKL2*K4M2N%sE!V@+CeSz}Z~gQ#w>g@wgvZsKAnzdLeazITJf0R9K1Q=k9;Xr-}VOg!j^$Wl;O zLX0je%NkB3ld>5pI^CdYu6#0X8{`RhoH<7pM$;wR7Q}Tu(Y|!CN4S%qgEF5 zypDVTH~*ZjLPVcVA`kri{Q-vs90^f2rnx|^KulpjUX|C{k2w>2?f;Kkt{Q}}r6tA1 zy@@nbR8$(xFhf9kM^at1oT6g)C2jeh6+$e_wVr_Ep!-TZ7(!he3mNGN_{OWps;T2qXZr8rYz(t(V1P-Q4{B`*|Cf zJk2AZlwN5Idd_Y?_;n`Dp0CylC(-SJ-(lc_n~2XT&+Z3BRUBKj>Jg4tiWv9??3K9L zwI6_*#DnylZj0>)2_d2U;Wq%S;bi%SpQI)v4t^94R(ct)A5+OfHC&Pe5;0~evUgd` z;bpOF-C+im2g64z7dhN{iwt^OXyTJ)h1}uy<-X9Y031SLiOb=-QV4KcFi?|&PM}nJ1Q6s)i0R1JME3&Nl$tR$SHf?uUp=3?p60l;$;IM72Wn8&(nyD1O-BIO z4OIdMp?Vn5JYNJo%~gs4%oYwNO{YFfa8ZJg-Sy#TRAzhvmi97@eokdyNIKm@o44zS z*`g4~@+UmhA`TO!Afs!Rwyye*y4Zpbt(9Haq!>d8F7^emn@3Fz@RR~xIvRF`MuiR0 zc@(tjXv+C~mZ9rHR40DUC5$(H9AGVIZ)i%Yyp( zc&?G({RHA3=&8be^k!fx6Er2q$Ct&7{+scLP>Er`B&E8VkNG%Rg;ox09IXj`?K68! zd%NtV-U%QRWv_uuK&m(-+nhjb0Osw7t1_}GpEn?%4DD4(Csg+Im%HAQXL-El(n9eX zrOYu%zMML30imRxFFe!;EKU!vz^dayt9Y^%C|m$Oi5xb1XL2OY#st`gs55n}s+fim zpa%aySF5woIPoe1z!;TjHKMQ*gw9Jo$w^Av7mzi=)Lc()2lMCWV4jRXqT;|07&z(t z6A!v`G>0RE8x;o;OO0q$U#S6lZ?|K8%Cl8vVZhceCp36_y1QXS#8=Tqk4(P<(1!M% zKj;!ZyKmwZi=!X8y7Esj7 zNy!)Rd;xI6)%87*ydMD0bxX;8wR=uvYsBusz}S4MMZ($lwf8d9R(`Dyls{F)e^|tV zo*Zos$p=Z)#KgSM?XM0ewL>8H44$rFD8GtMy~0}2sentg0s{w_RvQfPaGJ{DuCFVv zaF#v>l20#X@S*Tig@bu1J84Hn9Wk#T2H8Lm{;nXkP0>eXNhU&%+`uPqcFa8~NdfsD zaPFD&vT*N4G>J?UkH{bpCejw)fe6bZ0ga9PCJl?ALYo>SeX#SvOLe(1_#!SBMqsT1 z>Aaak_^s&ztT@z9Hg@7E1i`yt-4-(&e(NrrpRpPqGgknUIs@HtN}WPMLc-F6Oc*&` z)_PFC91ghUWt-s*u9yPlZnO%W?@}m8i9Mjig)63=1HV#Ao@@vMTxkSgame}q`2sT7 zPvf>22ljmt*Dg%@Z=h*N8%|}zlPkSb5TBUHdX^TITZumfg?zzjWtOeR;>S1OsI+m^ z@4aMJ01p_n9v=H^YJOeG#+eqs0MkgZi{I~M5g)!bYgnq94Eb6846$)14C$4U&v6P1 z(Z9m`&JM)@u+RYz&Z7|c0f-6YDYGpgt9-bXp_E%_Vd~kJY%DBUHNrvcI)zVv`Xa{@ z738*`0qnN?7D}|Z@7@xqt4TgO%{L350-E9Xr-uyW>AM6>%B>(HSi`>}FmGE1X|uFj zkj+g1RbT5Ag}E&SqQ+F<>l5k__5e_W05OzM(*_mU)n?A%;ANUHjo?(hhlPc;p`rpP z-!vR%8D{_^a#z${BHGu4)*ujCwu3S?y582Ck(g`|NKH#io0++U)Y z^%PwXi0*d3dbGj*2vhkuWK%;kfO>Ml+>BVuux_Ra#z>q#;D)m>*l14Nic&cJO@3t0o06T9os>yVMC5U@ zw+ue9sK`iZpw&W-cJYyK`ECQiH#o?XCcuSK3x}9;y8B~QEiJQJ8?2Ue`+UER=EX4N z^UXPeaI{+!p!hcEc;a~59@*I1R`!%JUz7g%>)qzCGhU$1C#U=CpfGTxwl_}SP5dp% z!N}d?EGPZZ`I4s3J7+%MQSh?to76u!dI@C<|7E=&9;rOPB-T%6F95CwAz{Dv7V;Ei z#Xw#FG*U2n2;ko7_*U`$D2hmwT5T?H_|HE!R;&RL0UwE@)y^;P>!S#tD~Sb54>RR9 zrp;Pgg|8Y{iZc2iJoil2c5!)pu^;Ml57Y5JM}=ardEBbxvDE9Ao?~PFznliCWFBg1 zd7bZXLDT;a<}j-NWJAN9f_kxuq+rmyx^PPg8T~+{b~mcv(o=0Jv&^U^*sJF6TJ)6X zYG41EX4BzX2AQ36q7-HF?0#1r6PeOQv#6X_)7X12{&E7ls6=M`)j;amql*Lb76&?rWT7vm1KmP#eL|0C$m#63)rHgqob$i``rJOhlu18 z+EFN7_5eWCL=ywy`nAdKm^+$&m(tAhcUGF*B=68SI?=vLO4E~zzRpoowHD$WX&2d! z{JRNso*t=hus+=TN5sAD-M2cK)8kxs1Kls-cfP1fwb6WomW;@`X1S&P>~nD$7;$@I zPfBW!Glc@=o258M{_qaWyF7LG6rR8Q*`_!l?jFuq`QO``6%UY;fPes~yn92x2i7yb z43zt1e}%6qL-#YB)=&BY<;PV6_xXlSqNK$I%`)4HCxyoefD&IX6Eu_&#pSrv07D?vpx)?!n$*0Crr^caBx^>H zCB~)KljJTix2MIq?T#!zez+BQko@W3mO03mM@?bgWJv`zs#%kJkG>3DUYgZnAXm+k zcUPxj-`p|I(E>m6nB866H~YMlE8V9;^8K%6&2Rq=UgK_FH}|aaUw?*uE|_0_vm$!( zD|oBNZh&fqh9DILYZqf=rf467C6jdOE9m5N*t-9HiE=mj`OEogyJ=u--DCJ^4sVga zF>lXH@k^ge)y9#H<-UHTTr7gA9#p9bF@H24Men1Z`3+>?o#PoQcBbUoY20l9n1GE* z;&XcL#(?PliN7%bV83qW=u@nw?rw{;yx|NGKl@!VyEr}T^Mggh@)N)#`V%`CU4c60 z4b>0iQK{*kC;LtIygVWWI zDh=VL9Say9j84BCUVTYPcjnC-6MayaVX*ESoa4w#yWzt!O0e%AV9aDijq+GCjGJe` zu&A)0g?qMQF5^mHPtRd!dOG=k#Owfzfxrj6;&z~it!g-GVl9GT0=GMlFP@3on{hmt zsS1>n=@eu7Nvgx1pNudKHb21Jusk>{W{&Nl@)w5)Y2N z$W5)Bd3jZ)vN!S*C7QFH-kA6P@swg^ja0bkWP%E=*(<1LQmhyQ2W)}3N3WRo^TZiTf&=G2Ww@=n!zvW$$Tkg{=TlN_QfJbZcp1KR4bFZrtagcRK%g<{uX}$OcA)&zkgay4d{0W5=2tG&H2ZQ#d&i3Fh?I!{Mo;Gwk zm!BUjmDVpL+3h`3-r0UB9GCr_CZzGSpx)0`oAXBKZxFfPc+O@Vcw zD{nZW_x1H44Inh4R`Lmx$TRrvzan-M06}ZDZ~#I?H-Bv{tI_J@&sLJ)Lz`Nb zae`Wqrp|(b^miUvAkCsCI_@8hTI2IpOtXiR$~7VJe=sFFj$KQ3CjCk1XJF|;I&4(} zn}6OW(#C0arkdN+5fe|r;|DZ6Gn-`F1TRF<&jfURR~k&msa7nPG!wns0LcS?d#}W$ z3nQh7jKgs?|v7B`UUOrbd|XbKwQes>9z+oY0ozGtWunu+obxL zW_Hsd%A{W7x*^Zn3H>%C6hZ%!nUXRANDWwg)hUpABiO{EcXN4p8JK@*@Mm9s)XI}k ztN{JX{=+-Q*lUwxeLqfi21nYgeptRuPb*!E)=0J=GoP#TF%Jw31Zy;i*It?rfyCFn z1&lK{z56manL$ak4*6B!dj?sd=*1;X4~aqQEp_Osq0_!!Yct^V?Q)Zf^uKGrLHa+Q zo^!IjHA$qaCSLy(^MBZU{_n4``hU9i>i_MZcTgrIA}T2cuCoMgw_e?^Hqg#PpWkl=3QWjl zwOm`^0+rwcpqXLnQbiU+dBWTz>AjQ5q=L(__qV&J2S6PM5ORPijjz`EHaO8PU{*tv zbBMd@r=2)pMlXmt^uiATOo{CH#=j>DU>V@BX#x#-@87?Nq)5=qHaLFy0a$9a$-CZ| zkYR-0V`4H^1?j45Nz4T3)bbWmdLyBWfk=C{krCA!z}Kc(euTb`>@lDN_i(ceU0ht; zL5&O_)oZ{2w9h&aBF07cA{YcDATz(Mmz|r7>@=Wkavq0(H8L~bQ1nYr814WYaR3m2)nDhvc$PN0N{(d zKeV_&lG^nj=GK4)cv>?wSD*=+clZ-J!mDEXVy;W=&?F-wPQ;X{bp4Wl7k3K0)5 zwopQ1!0`ZELFvnvRt<1Xz$^(E~wSMNwdpbX z>wClVKoLtQm~yA4^?@+WyjAe4tOlgrZ6GqB%e-yC+H$%DF6862_uaO2n&O-yEC`uzr|G{8|JckY-DfF0{ zC`fmZ9fe+hi{ypR&Wvt;f&H~7eCChI0YuJWCIneQ8%U5Pe0~k9)-Z^J*2h+YTovw$ zz@sj}^!UY&5xrt#5;a%kt?e$@|3Cg;>H?du#b-Tx!%uShyccqYXnGMsO@YByPm`fQZOiqKk$fK(GFO)sm!Q zcG^-<1ka@#lO50dN_a*DeOyDN@S71%{S1zO{(})zz||={(5=gu#SD_?e}LUBe^ULu z_=%3ceZHULoFIFR{YgVzM~2ajKUM~+Y4oS8Vm|Ma(1jt}Y#2Rb zN-E|PuP=48a6?Jc)tm6uTuZ75^HfwsFHw+p-D1Z_m1RXk(ykM84##A!?mQZ&=V60K zRU3~&0R5Eh0!;18eV?ZRi$vb_DOuK>>zAm#9nQ?4s!rroW%Uk#?K!2)&8l>zoJ8K_ z6DYFZA>xkRp)deyt2|!3H5>39g?KnoLLZdEbqpsA;Dk1xq-4cO(qK+#g5*)9u=bzu zW-$Xa*CoWT=OkIGWfv;MxZJpeXIN>fHpX%RVT_X~YJx#;ZxUj1tH+$E1z*n(_$6MN zjc&(gmZ2H?%|^5fpPcpa)A{(dx{z#0gT>NJ_#vn_kx6hDCeC+t(RqI+Le#L?rB>$~ z-B!UdfJyP~fvPmAGRCXiPqkdeoPZZG64Hpd7N#)_+St}IbnT?1qId^zv87X#SQG=E z*FK{*xdPc53G%VUzL+*bL!S&|wL5kht&xH^nnC?xS4{GtgRF>QA)y;cq0>0MU;wDr zmWKFH^2x3kwZ$On5ojWnmvN($h+F>u)` zghD9F5BXuhJ`!Rzgy>+bE+w4X&w-m^UWd0Ef zm4Kw4JoF9b$&9!q^~;=gY^4khbY<>&yGPLbDX6m)RN(%@{{e+qKoeDez$d~`>;X*w z6ZiExt%$fl?JgB5dr@g9JZUi0Y0;~uqNGH?Pn110x-%P$N|gsOk3zIPO7jV(<@_=6 z-()Rhag7^>y+TBLMz)2tWezqnm^2dgGlHt;6d|ivA9H{^S{t@>|1h zM+|h-r7BRyq-d(uar5O#JD}!)IFrEqITO4Mjm8t`7l_dzfzX7Zx%))i%7YvpK z*95{@Vbb7y*Wv;oW!T#y8;fF4dYq zZ-KX=`yDK>Y&S6f!N4umSC`7MyPqK~$$5rNj{7l1sEu|A-_z`0o9&Mb&3Nedz4axr zn$*+SlZ)=u#rUz@$%=;>An%ojTkSv52Hz>WS=%}VU>1>Z%MeSUIEJdJ)1YVY32D^W`acoP%8M6hhL zHT&+iDZadhuS8i!BAzy2+o!O(-3xCk6SnLqW90^Z_3Klej&NPT60;99T(W{*rKWJP z*&`3J+Sl|6uyM433j)AY^9E;{Wes>KW19EK8uMYXB#^$k(jrfdiunRO)ZH85Oov3E zFm4&zq-vMT^HU%|Oxgm)<*=H=Tv9g6rWDrJociRzmB`-p3fd?t;}BVoZ~_DO!!2E0 ztlK>;%b)g|Ov9{MMyUktaQu~xu%bs?Rp?6sxY-pBAi+++lr2xt-odgxn?hBZJ+)oJ_&B_s2~Ccp>uDMJAn{Tb_hJSZp&b@tE0 z>oyu;8$kP+<;mMyufd(`4bRGesAXSoehm6`6-8q-&D&vv3_+=2$t?CIbvZ{h`z|)< zSp8?y#nV$LKf@E&m$_2-`kl`M-`e!#yGS=728(PFIRhnUgq=>NYv_IGO=0bY>MAf{ zZdJ^#_0fzq*hN(Kr?;n3J7uF?fl(u{S53rvSE%Os>@mQs>I&VOVzv@p_t06+ds;pt zDo$VlVebXnw3F#hc#4qvOn6;a4G4G0$~B{vw-jWyx%1?l#Ut#~gn~)Quza6XvZRj4 zLFw4b2a+F_3|)JtBRFrNa~QjC8W#=%)dJZlUDqNUXgG8AnfL1A!@S*Ez_(!$>EZ>3 zOx85wzLAKuj+DbDn6txoaO7Y~L*$2w1oWUn_m|hV2va)?UcOuinB_7-_4p35#5Z80;OQ69K)7Q)l*G<5f=jeOAbcOF_Bo-oM8$EetCI=iM%@ zI#aB*zIC{g zrbJ2n@ORLW!-JuO7tggWgOl@2EtM4kW!QzHcCcn10(Bo5POL-RqhI}aY!=VA3Oh9K z4&wpwzN{Az+)!MFYJc5H(wjC)d~qcfo{t>+&^vw8?}SwvDtBH($YVovNKsm3czFLb ziQml?-Ic%9)zy#97g{`E1nn-NFcbMt+8G+Mj5wzeA?0Nr-hapdi{QYl?zYjpO>+s) zFMW$Y{pso;c@ucJ-aiiLZ&-fmO_Z1mzdBa!eePt6t?K~Ai8p)L;YjOa*cbQma=Y`) zLSSr)=gp_icRgziAskj*Ih!Z#$IxFMQ5RBaxr;ja7Okx>1$V zV#l`n2IDd^r0a3nv1iZ+1g-QXZ`r-xt+e<*gpYHP9z<6bvpfIc&CqL^zx?s0YS2ZZ z(ztE|Qo?>f%sG&sYdiHji=U9SmcOT7O+scIge84~_!I~f>s<%Y@{3$(ZF6&{%>uXw zPO+WA7=y^^rGW#dXsg?UU>Kl3_;9(>K~cliW*a6h(p`> zRGc$dEHc2b6b((&1gt^(dG&WF8TE(Vk4A!H9tRhc7;J`nN0B5-rt^DTd`-ke?W^7He9 zpP8)8xY5-TW>J23aM4u#dt5?(H<;$QASpfl7_=ICP1LYTCG>O`Op!mUKDGHDIl5;e zy(@zWRIg25ap)|Huhl_89fS56vZS_}KlyDALio_gXe2skv`ua7_!5lXsa^XP2Y-eI z#|+-yCm_i%Cn`456r%aw;#0MHc4Z5i9L;o)MM9ecZC~h1O0W(O6ce-STvN$XqWJ#k z>*>dggl9kH<^&z5*a^2fB!9OuWi@_=NJ)(|KpEk|V75z9NQF4Pl^Y1v;q8rnR`46?&i3{>I~LIoRdbj zT2b&#`luA9p=ao1gtZzk+k+p$<_G2(A};ebQ-Oe^A3e&U-C!q_1lw%nIlvM99EHJa zxx!r$niS#){|^9Ak`1IE3_h{>m!(G3Afl-%5;)sA{naHWSal)G6!?p^kwHTpkuJCZ;<0~ z_-L6y2P-Q@Sqo6A*ngwH&dZ$LlkTB1nItEhWq?o%{60DDCbTMo=kTEhI20+b5IGA} z@rHgmju`9eB9XY#T@6Zz98ki(GIPn8*iUKj703~aU*vVc2xP}B8R*XJHL7PeI zuS$a&6-!Te`GbR}?idssCHzypm$G3ZH?5aJc?d}caqK$kwa=EF;0UxeO|#@&Hvq2t z;SE$LY<0-vJzI4Kpn|DxxH3#=5WenXlefAh*Ev;3;je%5v%p`YxPWbH7EeaqN$w)r z1A&W+i*>Tr7%S-dxmp;-mDH3KpO7awYe>h1I|@#{1rC`g&(nY7*RN&WpQC-dLbcA} zA*WLDd-Q0H+~;}cjT~zrY-`Zk0Qx)n=C7HWXTBJ8eH`cWVAG#1(;#~fJJoKCMei-O zVBNwJhT;){=XLSb_n4_$%_jS3=(%EcRZ;fMC?b{T$?b5Q9_@V77r2Yh9VT)%S^wC` z?};$jlM52**scJGNwLBt9}JhyI>HVqDN!^5V061s?iqD~r1xuH$8OTlq&T6^R4?g! z^T27UY*DgwW__(+Bs&eXT(I4#!Vxrdo;V8Nh*wcXRhAVaaB>>@@H7`X^Wtde%k5ji z3nb&d7X9eDE(dq9$JSRbx;3kts6HYRo{>QVL%g3f?Ev1?F@KF3sc_rrE_BmhT6|nQ z>cVbjYgd1J%a_BYg^%^pPh;+ z{7;}{yGB3z^||Cmu`nzmHDQYy1-l&TMenx* zT}gDWln3w)z+;`~t&zqqXUP?hSv0cd;fIV$=If$M_)5*;{E}Wjm{lY5nt3=!Jg&{O^*8k{{hBt5R+-2Mc$2GLbmV>7!k7&MQb#jbR|YHuKcCyBOQt@ zaiNW#@z?%ib`*CkT5a_Fn*BA@9}&3}W2`s~PL^opPL|B7V|bONnp*AfGzc6JWFVvtf)>hbiY3zNy`z5;G6!b<| z2Du5a1^tQV(}fg;Mf?qjpcY|&^xDb1KjS7t*CiS)Kn&Yg0F-ZGd3Wu&$1bR&>Il5H z)rs%Pbnx^(}sZ$m@dm8_iI`cVZiJQQ4_iqO?3-wB}K5j1`P2s|#gf zXBnzt57SRLQ;XduxMgSW3V@mQ7zlA-uOA}7tM#Jq&e+@=E;)$33hmhdUA%M9@Ca!a zvi%8O9gZj<&QaA~LD)L)xt;#}40F_^SwP@PY)JtbF885@lFEsv$9YZ}akSSO0i$E6 zkUDGP^F1&uaDoz$$rS&Sa-qVEWpET@e%`0XX*kds(pQw>q}MD|ej3Kv-=YAr%)~YN zVZ^fU7H|9(o}Nl8*N2ZX{1q(#YYLzFbUgdG6j<~~{1n*@n)Tc~1{>zEW#YR_8AZS& z_LJPz$if+Kj(-Cfi)k32D;BC63rKZ5NMgWZH>i;_;dl0oIQbOLPJ9fBIC9mz2}`Ga z*bbpGr}iva5WS7Wu(J% zWdJbiC$Y9)VJ5<`qMwS#ASWY?yC7hWX(}T`HJ{SDDOu?z&1Wx4uPZP+@S#1>FUNxH z=*8yyrx#c&cOy!eiAKo3o%KI67V|%3M@xI(j@m^$eT)B_(dP!bOW!!C-gQ|zgwQ79 zVPjikGoB(B-m+so|Fy6*tN7*Q5euH;@WpO-KoeS>jM3kag(CNo6Y{GojgGO{e<1Su z3lPCP@UBZs7GdP_u-*xOB?U%Wpx;*S0q_cgF8yl+4&M+mPh$xdmtKj-ePG~Q z!{7Gap1`1JFHomfim2c^f~Gf*^r87prFTk{p_lj;Mfdt6*Dx_@XAeMJxUvN#1(F^q z06k51TAHFgzJp0}R6-}52GP%1(o?7vmCXK~QzfBK8B9PXv0c2FXKU+usknRGOrb*e zTzuS~53poTyjz@7mYeyzkm+9I7w`hMft}Gy`%*AN9V|m7LyVaH_=HGyk4p^Qve};`O26Sqy=7;$V)eK205Y}Tu zS&#iU{;qVx&R)Rc<%0Cg*yi$Jsyu2XUHZ8~?fLXKAM$CjkTRJ?^t4bAu`j=qh6QmG zjiX3XrIfFb;2A@T><`yJNE8Yo%olRGG^f#7C#LOD!1Sa1H3F$C`aOYx4lhO*pdm7H zf%ffWowEXdf%%YNZ=XFum7tCGVe8MzmbJ9o!<|4qLcXS4xFY|#aAM9iTwXeSeEQ$9 z0!8ich#=fAE;>zF>nYFr&rVfn0*w$<8r(BQM&wbqLLU+CE8Oayy#H*Fg2s&YQ88Rf z_U1ZVG^bkcT@#)rsN0C5(72kmSUwM~p5pL{M*U2nFZL1cma&gzt769paS6EbeJE=fy-odc ziIBBtF76r?Ch4^od}cAk5b{ozZQV9wQPko@S$g0UITJ9D8bX|nJ4vcw_cd3T!s3a| zOyDGGY+{75Nj&c3H0}rK1W2<2@<6X3twLzT_)FcRzY{xLNJ$jUvRlfS7A3AA zJ;wVqdI=+8qdWCi7)TV_ZEQFO^H2h~iWguofhT>wUk?)ej00A>0@Pa_sn2;unai&B zr`2P$VDKxIcs&=2pHFD>CXsXS$y$}?q4H^l#(&)ZoTGs{A~xvZu5C-BbZG&cL6>;U zjcFyNe$o3-DOG$|`eV68{he)xkl>Gq*R^;~C=pM2hCA-M3zvbQc0%G+sLx*F69|yV z2>H+&>YcM1a1Hq#Jx{1nwg(b6AK<+DS8&2N91&zhSe)`r8o>u*`&^~xM~oPZTz~xx zJeEQ;Hv8{0tRL_HzB2v4e60Wd@&3R5FE|sBZBme6!VGY2JvqhBKt41;S^nE)8K5w+T=PdgX2E>s<|+km z8lo3kTeDd`acP1N2}nxa`{DCXFpD_C_XOQtuNx^dZe%*cfv`G7M1j%qJQq0xsE0OG{vTr-Vd%7*g@&<%Pr*Kg6i)dIvyL z*!J(2P!j!HS*;TQFr6{`S_AP_5R800HYGVJR&E#;`Yo}`@4Tu5by!!4lp(G z7}qjyBO%?-#yBr;ioCsnOPvY()FiE^B_HZu4*5ofheOcXxS0F%MabRf;CKZ?biXoO zNEQ!hLL0ZitN}^QXd$x|x=aFpXrg&K@GWftp&wwNAtF++SM>-{R#H+sgF|o&MJq`t zJTkI44*+jiA14;IWefMe;#O4WGAz6>faC%An0nk&az3wa=&EUI-f>^U{1O=v5o4jl zrss2Z=rD1Dk!t{VUDbo6Gw|1(cx5p+2uLK_*AbA(30Pl+Bu`&ovFwp?1m4Ql$$bB& zbp*1G^9YxtZ5iuvLmk?Iwuo_W7M-;?Ot;=>3@ zR<10@`9ce@{xUKtgCL8UPyRYyoD|1oqnmZ4GG0^eUW8js5r4wKxLD8i=tyu}04DWV zmy)tfaH@T3TrJz86xR8j+m;@ZcIn}?=rRCvfU7p%0Q&YpB!KpHrzg%ate~`RYs?KD zA48T}Q2fX!(j6w@DcS_^hK*r;Aniki3_$dHni2!?7T$%NcB!n@%t8IYwK@E-jQ7O( zXDwl90e8W+A4kR8x00SP{NL07xvk?CGijk94ks+8)b!{IHST9tCJu1#-U7=Y~jiTinN+J21j5qh+Ll6}3BCM0#Rg?EL-Oy@4wKn`J$`*H3YE!cbU(GmuI2M zj%5pDKd!TjPT6*a&hgPSdlCDU6l~Mm=I2)i=VFCL+2r1fSYVFIT0PRRM+>?8RGm7!5mv>1LX*Ga7 zK->(570C7ukT#Knk|o;WJnV}D){_X;nW z&X6wI0$TMK#5t>CCLf$)9#~FmFGFYhnF#gn6dCU^=#YvNPsEs0UzQa-T^Lsf77t9P zHt=%$R)8}kI`T6LHIKc68${i_Pqb!vT?t_Q*&mn}mp(sT*2fZA=DI*^ljLN=)#e>W z6Zd)}_Ke;bjy&qZqUrh>lLir#cXOo^R{k|o3%VZzIz;q0R@EA4Q4<~VxR|19P9^}i z=8)WQNMln@&<_SSJrny(5EkB^b%oakF)$Bi@X|$g`cFNpuPHwGDiKx5&vgtH>)i*TV0M#smEV4W|6VAG-cECx^M)qSiSYa3-n1)KxW zo!BdS#-LbL}1t zD52K$=GHoc)~E-vR>vPi_O8$QC^IOX{tjI;ZlrTX|MjfAD`&}A70Nh~3(KjPSa&44 zvlReY%zIO?Wyd?;v;E%OkGUjx0atkwEnsg(shdP&CWzEf$}Nb!I`bC6UO=e&8Nvru zt4Z4B3iTi!vM(>WtC!-2Vwf{xQfs_6Ax5bffliBlgG~;HCv(W{YpHG<++!LQO_NA) zy3^q^2)z0Mh!-3A3aFY|Ql8n%<*JVJ(9kd6{2qZU1gTkSWU&X`mFla~Z&JwCX68p> z$?B}>MFGs@*ui%Nl5b0}Dx}sd^&yhEVWsS)r_24usqjfY0rl#uH*xX}gsZBT8oVFF z>(%Z6KHfc&atd)r6FlkmriX?Cq1fN*lMuZBUE!+$Beu~!M`airfFElQ0wc9^%gzrTd; zx`=MHHZi!C*8#Fx#Ccv`|HIVL8!d!I%6(hTEa<6`nV(Yp^JAu(lmV_BK`lQ+N-Sqx zZ{3t85aof8t6u??$iO(A(RJ0esFWk7hO6PQ%|!MjQ~xw zXjbO0*;h7k?Zh5`-RNpQtZ(>3M(6!Eb}g~{bm$aEGmp!B3jh!$yp?1ZH@HCB$5yVn z=0`vqm3hzoscY=_lyPRjaVs#*V%Vc*2&!TgO11nQh`lDNEft&tuUn6*hNM21Dht3ZenFQTiy9l=kOcaB{iD*-W5Y;$KE< zo@dM?w5KJCJJ#ICB#7p;c_ctOi2qadj*3yTrfF-*)=}ZL<-$^aRN4ceh-Z={SW<%- zMZ!zBZdu-(i0)hCO;L#Akj>^MxXcK|&EgeOi(RfAU|6t{vix6-on=(iYrDn)K}v}s z1nCB)K|ys1^m$DIUY+@;lF9a&G-AIJ^u*^J08ZiIa$|YHTU55#BzU~stC3U zz5CHO#7JEbZi(7PD!A>b@VEh5@9Gtr`{vpN{48>Py^-8gMpU6h?Q>O{6ziebm93Pa zo1_YPGS|Z5^v8rld$fH<8e zr1HlxkpFp{tfu;Hx{H@yQ9-q%dRpvPo;+GN7dw6L2`<|H_zN(4$J&GqA(FT zZlQnxCVQnIu`&p_ZIs*x?(%qzzfbb3@T8h9lT^?AkF( ziy%_PNkCKzF3k*Y(BEush=%kbK6GQa&)0=X;`NBjX=VBz>SHl75}?U~sUcYHLV+x) zZruloR#Xa$2HmO`6oucBL3>nRhWt*;^e{}irCyjm$9Ua{omP0(&$RE%u<%$D z6(uD^fE}+|%z9-YcZ|}<+~G+z=JB!|hFbPGtjO5O(ZToSd6!qp6X+V_u^L7t@Q7N} zGfC1`7_3%1*OR?akfru8ZF-|7VOdUbv^ z;Wp?Cdbi$@bO@(kO-jN`e1Mk{{iOmymG|zthe3RdrZTmC;umk~Y!TP%dB5!!nytH8 zKIBp7Bb8k%lmjR+s*kOt;1`CXZVAdo5q2ZS?)Xh1PewD`(okWEGjQ2wqnas|xONH5?HhbMC~`SV zWgf|y#ty($*=1Au*_Rj7fA~sx?XlVzFj0~^8AH=K`GkJ+t}*ev#Z6{4f082@Fi65k z^4e(%mH4rnGqJYo_K9v~nyojn2`b#m*rSZ?htOBO^` z8h?g6%|2&4OoOAVB)0`Tft$)iL^rAm4MGyEqxzMl%y9j~ogk4b47m&5RB!@{k5Qi_ zY;!Lir6jOg`Uy2P*^o-B*TQk!O|*Hi=W~Wj`&aYVsMHc#$w-m&BU)}ZnIo77En$om8-y*P zR@4?6-fAfY4KqiBXhmrYY$uXnE2YA%iv761=+=;+%}i_{EKAZYX7)7%;10}zMt3|m z^rk*gkx?brrEr8|rIIraF=kcLBBfH91JPm{ZopI5hI zQ2TvE3SF)Muh|G5Sw9$W)r_L=p>ph!1vSCB0;i`ycTuKyMBIQdGWep!H^GVAB}hPD zWGrC>KC-GldK@P|OSwqutUM7jGs{%GQmgcvcUOZs73oqfvp+uV#&n&~Moo48}!tB%0?A2z6 z6m@$0@4T(7Bl#j}3W{t~Z2@mAU<(NB-VPZ1LqkK+{Vwk?qdLwJl@^v*Zr&}ZqH?{~ z@gU65D3yUJeR73hecdTWw516ya5iaJP{$@Nii5v#PdTbjPwpn0nt-EDskvW=8KIq& zp2!?I%?)fCJAU3zEtXy;zt-Y%Pd&@${}_KrqbN%F3n9pEEIWJkn_XDzpY8g)o)yZt zv;>cLA!k2HAd!v$IoVv4xYU%omnU>VsD6SPM(!I&p>N$4Z(;H29+*EUxdZ z(fCtK74dUTi{M&&L`i8z5iM-z%k$a{cXLr@LX7?V9)Qkf92s8gRp_E55 zD`N6QhdGEfp*w@OqXJ&5MPgEZ6EpvC?O`s(yA=Z}P8Mwz5vD+2>j$mtwkQ&=+CwlNUicP-{N{W`yRCIyqB?)f9W|HH_f_X1Y8PBuCK`06w zic(k0MeJn-y{veW4^(;GFf3RUsbzD8Dsc%2lYV;RGV+|~E08(?50Ug z?BqvF9Tsq{$u0zMlk5@;_7?3QfXhA0khfwNh_KMI!-vI6L!fh5PY&3@YOXvYQ zFF|t!L+2cUey<6laLwl^?kD^lPC8vXO8Q!_{4xKXvR-rlp^q*U;OvxM8Br*J{I8VH zp*<3b4B98dQ7Cn(G?g_mnSl-+5Yq*nmp?0`Q$~|5JkOeZzykv=suqyk4}yb(&oZ*) zg?b-zZIv4v(wPV)r%{5`K|!Gd3kG=o=?o#7Am<5YL657Px{2>k9aYutN1oF5=lTn2_9)Bqnq5JC?)kT6Hhw0Bk*sg-X^ zr%QUNZNw4&S9#tXx(B!?>1Lczat0C8 z^LACWyUcvHPc*8iFKA8d{_YUv9~8hEBuqwSrMo$=6fXt@1V94B0~|BfZ?$C59xrZa z0)%iFBYn@#=Hk|$B7zRnInC(6G{YUgE@dU9Y6r25n*CR@LcJzxhOYd(WAY16G^SRX z3x?>)SZMoP>ZcPJUu=)lK#oFW08d=5qe|VlYMD;EqQ4pCf!2!Ixv?c3w*FYf(5*5f#67qYTB zh=#_a83K*Ew1>8{#mKVEzYkiD2}z3sr=wLL*_|GINY98tN;r>`#@}ocRjjSI)w+1G zgoUf#_@CgkW4Huq+(d~NQDoU@Zy)l|CcUen9P6UCy4_6K{TX7k=5TqZig${%@8Ysg z`FwZxKiD~KZS6+cQmEKgR7PTgPHP(5qMg$!ojp(YL|)I=~D0%Z$mm zOe$s2z|-?YqYp}8vd~RF_`_Y^;v>77qr3E6;MG#82Av;}a|+1a*-YlU+AS*YWf$5F5_Q)h;+^Qx5$K zOVOh0MfrDsbZmSP)k1$VFR&pn9f*Yk0a9pg`cGgw+}W#fJze?{mu@rhFjJIJg(K#3 zm*WS#8&1yqLfOV6S5{E-@f*K%uX{YhU~jQfuE1H@|NK#AcB99+p@Aq^rF(N}Da?TG zO9_qGWnP*+z)e*ZPV)%A&-HMUqFdb^M&7|GvjSwQmlnTP^`!H4s_b!$C98j_?)@0- zI4hKoIuieTRp0k@k5rTn%PXpjDK=>4H+#u+OJeSvsv={;Z?w60O_up? zb+TRADoZ~5dZR`9obCUJO!HFi*juz2{sr!U@Muu5J1zsWt~*5d_|y=@0oWR>gJYti z4u(#iGQ6SB;AuK3N$iJsGot8R>Rni!KkibLdd0Nv9ZslfL)Nl=2lf{#)@Yuz^TxrX zpWyNAE^B1W0*|D^)^+oLQq$*>u<(AUGSm0euJ_$rG?V z{#@;6f%vDw!;wW>8SmFjbBY@5hFEk=Cu)Rm{}^6A`r-9ubhk%tmZXt2y`?X5cKD71 z`AHj9Og5Q4u_(doiQ6Vh0i(d09_w-2oEY{pMjzX(lE-v)U{8E&T>l$3D-P9$$0ON> z8qti~FSp6LbOoCbueY8~3r}wyiA>X6tQxO33NH; zD&NC*DGer2nRwZ3_)pCb;s3wp=c|hU4-|UK>3Gv}Xm|Ju%x-G#=eB5ICw#qW-Gn72 bPcJY6zKdT+GBb=}z>l)Lx?HJ@Y0$p_z-}$b From f9e9e3afb69786c726c4f7d4526ff37829293810 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 10 May 2019 07:51:30 -0700 Subject: [PATCH 357/492] spelling --- .../enable-network-protection.md | 6 +++--- .../evaluate-network-protection.md | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index 25cb0873bd..fbd863f1ef 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/09/2019 +ms.date: 05/10/2019 --- # Enable network protection @@ -87,7 +87,7 @@ You can confirm network protection is enabled on a local computer by using Regis ## PowerShell -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: ``` @@ -100,7 +100,7 @@ You can enable the feature in audit mode using the following cmdlet: Set-MpPreference -EnableNetworkProtection AuditMode ``` -Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. +Use `Disabled` instead of `AuditMode` or `Enabled` to turn the feature off. ## Related topics diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md index c0ed880905..bcc8af6812 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/02/2019 +ms.date: 05/10/2019 --- # Evaluate network protection @@ -22,7 +22,7 @@ ms.date: 04/02/2019 [Network protection](network-protection-exploit-guard.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. -This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The site in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visted a malicious site or domain. +This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The site in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visited a malicious site or domain. >[!TIP] From 08579d2e06844a862a5255c0ae7cda48815ccbfc Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 10 May 2019 08:55:04 -0700 Subject: [PATCH 358/492] edits --- .../create-wip-policy-using-intune-azure.md | 70 +++++++++---------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 3b01319d95..c77253574c 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -566,50 +566,50 @@ After you've decided where your protected apps can access enterprise data on you **To set your optional settings** -1. Choose to set any or all optional settings: +Choose these optional settings: + +- **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: + + - **On.** Turns on the feature and provides the additional protection. + + - **Off, or not configured.** Doesn't enable this feature. + +- **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: + + - **On, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. + + - **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example if you’re migrating between Mobile Device Management (MDM) solutions. + +- **Show the enterprise data protection icon.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: + + - **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but protected apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu. + + - **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option. + +- **Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS encryption to files when they are copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS template’s license. Only users with permission to that template will be able to read it from the removable drive. WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp). + + - **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. Curly braces {} are required around the RMS Template ID, but they are removed after you save the policy. + + If you don’t specify an [RMS template](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates), it’s a regular EFS file using a default RMS template that everyone in the tenant will have access to. + + - **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive. - ![Microsoft Intune, Choose if you want to include any of the optional settings](images/wip-azure-advanced-settings-optional.png) - - - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: - - - **On.** Turns on the feature and provides the additional protection. - - - **Off, or not configured.** Doesn't enable this feature. - - - **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: - - - **On, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. - - - **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example if you’re migrating between Mobile Device Management (MDM) solutions. - - - **Show the enterprise data protection icon.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: - - - **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but protected apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu. - - - **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option. - - - **Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. You must already have Azure Rights Management set up. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. In other words, WIP uses AIP "machinery" to apply EFS encryption to files when they are copied to removable media. - - - **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. Curly braces {} are required around the RMS Template ID, but they are removed after you save the policy. - - The EFS file uses the key from the RMS template’s license to protect the EFS file encryption key. Only users with permission to that template will be able to read it from the USB. If you don’t specify a template, it’s a regular EFS file using a default RMS template that everyone in the tenant will have access to. - - - **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive. + >[!NOTE] + >Regardless of this setting, all files in OneDrive for Business will be encrypted, including moved Known Folders. - >[!NOTE] - >Regardless of this setting, all files in OneDrive for Business will be encrypted, including moved Known Folders. + For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service]. - - **Allow Windows Search Indexer to search encrypted files.** Determines whether to allow the Windows Search Indexer to index items that are encrypted, such as WIP protected files. +- **Allow Windows Search Indexer to search encrypted files.** Determines whether to allow the Windows Search Indexer to index items that are encrypted, such as WIP protected files. - - **On.** Starts Windows Search Indexer to index encrypted files. + - **On.** Starts Windows Search Indexer to index encrypted files. - - **Off, or not configured.** Stops Windows Search Indexer from indexing encrypted files. + - **Off, or not configured.** Stops Windows Search Indexer from indexing encrypted files. -For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates). WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp). +![Advanced optional settings ](images/wip-azure-advanced-settings-optional.png) ## Encrypted file extensions -You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. If this setting is configured, only files with the extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied. +You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. If this setting is configured, only files with te extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied. ![WIP encrypted file extensions](images/wip-encrypted-file-extensions.png) From a89de968768a50169ab962dc4da7c724006011bb Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 10 May 2019 10:29:09 -0700 Subject: [PATCH 359/492] edit --- .../create-wip-policy-using-intune-azure.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index c77253574c..2ca3e9daf4 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -562,11 +562,7 @@ After you create and deploy your WIP policy to your employees, Windows begins to ![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate](images/wip-azure-advanced-settings-efsdra.png) ## Choose your optional WIP-related settings -After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. - -**To set your optional settings** - -Choose these optional settings: +After you've decided where your protected apps can access enterprise data on your network, choose these optional settings: - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: From ea8367658d1826c9c2ea3bbe836dc2c1b8279159 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 10 May 2019 11:01:34 -0700 Subject: [PATCH 360/492] fixed image and list --- .../create-wip-policy-using-intune-azure.md | 74 +++++++++---------- 1 file changed, 36 insertions(+), 38 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 2ca3e9daf4..ac8ada75d1 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -562,46 +562,44 @@ After you create and deploy your WIP policy to your employees, Windows begins to ![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate](images/wip-azure-advanced-settings-efsdra.png) ## Choose your optional WIP-related settings -After you've decided where your protected apps can access enterprise data on your network, choose these optional settings: - -- **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: - - - **On.** Turns on the feature and provides the additional protection. - - - **Off, or not configured.** Doesn't enable this feature. - -- **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: - - - **On, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. - - - **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example if you’re migrating between Mobile Device Management (MDM) solutions. - -- **Show the enterprise data protection icon.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: - - - **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but protected apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu. - - - **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option. - -- **Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS encryption to files when they are copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS template’s license. Only users with permission to that template will be able to read it from the removable drive. WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp). - - - **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. Curly braces {} are required around the RMS Template ID, but they are removed after you save the policy. - - If you don’t specify an [RMS template](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates), it’s a regular EFS file using a default RMS template that everyone in the tenant will have access to. - - - **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive. - - >[!NOTE] - >Regardless of this setting, all files in OneDrive for Business will be encrypted, including moved Known Folders. - - For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service]. - -- **Allow Windows Search Indexer to search encrypted files.** Determines whether to allow the Windows Search Indexer to index items that are encrypted, such as WIP protected files. - - - **On.** Starts Windows Search Indexer to index encrypted files. - - - **Off, or not configured.** Stops Windows Search Indexer from indexing encrypted files. +After you've decided where your protected apps can access enterprise data on your network, you can choose optional settings. ![Advanced optional settings ](images/wip-azure-advanced-settings-optional.png) + +**Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: + +- **On.** Turns on the feature and provides the additional protection. + +- **Off, or not configured.** Doesn't enable this feature. + +**Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: + +- **On, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. + +- **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example if you’re migrating between Mobile Device Management (MDM) solutions. + +**Show the enterprise data protection icon.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: + +- **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but protected apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu. + +- **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option. + +**Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS encryption to files when they are copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS template’s license. Only users with permission to that template will be able to read it from the removable drive. WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp). + +- **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. Curly braces {} are required around the RMS Template ID, but they are removed after you save the policy. + + If you don’t specify an [RMS template](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates), it’s a regular EFS file using a default RMS template that everyone in the tenant will have access to. + +- **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive. + +>[!NOTE] +>Regardless of this setting, all files in OneDrive for Business will be encrypted, including moved Known Folders. + +**Allow Windows Search Indexer to search encrypted files.** Determines whether to allow the Windows Search Indexer to index items that are encrypted, such as WIP protected files. + +- **On.** Starts Windows Search Indexer to index encrypted files. + +- **Off, or not configured.** Stops Windows Search Indexer from indexing encrypted files. ## Encrypted file extensions From 7c773be415354c7ad36ee5f628d9aa7875c5b326 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 10 May 2019 11:02:03 -0700 Subject: [PATCH 361/492] date --- .../create-wip-policy-using-intune-azure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index ac8ada75d1..1d57580668 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -11,7 +11,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 05/08/2019 +ms.date: 05/10/2019 --- # Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune From 5a0d6d9e959aa2c19f362029a757a85c08525dd7 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 10 May 2019 11:12:09 -0700 Subject: [PATCH 362/492] Update hello-hybrid-key-trust-prereqs.md --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index a4a1cc41b4..4d48eaed74 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -85,7 +85,7 @@ Organizations using older directory synchronization technology, such as DirSync
## Federation with Azure ## -You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later. +You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) beginning with Windows Server 2012 R2. ### Section Review ### > [!div class="checklist"] @@ -97,7 +97,7 @@ You can deploy Windows Hello for Business key trust in non-federated and federat ## Multifactor Authentication ## Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but needs a second factor of authentication. -Hybrid Windows Hello for Business deployments can use Azure’s Multi-factor Authentication service or they can use multi-factor authentication provided by Windows Server 2012 R2 or later Active Directory Federation Services, which include an adapter model that enables third parties to integrate their multi-factor authentication into AD FS. The Multi-factor authentication enabled in Office 365 license is sufficient for direct Multi-factor Authentication against Azure AD. +Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication (MFA) service or they can use MFA provided by AD FS beginning with Windows Server 2012 R2, which includes an adapter model that enables third parties to integrate their MFA into AD FS. The MFA enabled by an Office 365 license is sufficient for Azure AD. ### Section Review > [!div class="checklist"] From 33bc56ed1e0f1e68b4ffdebe277e2dc44a36fcbd Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 10 May 2019 11:13:55 -0700 Subject: [PATCH 363/492] Update hello-hybrid-key-trust-prereqs.md --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 4d48eaed74..e7e22f7c8f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -97,7 +97,7 @@ You can deploy Windows Hello for Business key trust in non-federated and federat ## Multifactor Authentication ## Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but needs a second factor of authentication. -Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication (MFA) service or they can use MFA provided by AD FS beginning with Windows Server 2012 R2, which includes an adapter model that enables third parties to integrate their MFA into AD FS. The MFA enabled by an Office 365 license is sufficient for Azure AD. +Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS beginning with Windows Server 2012 R2, which includes an adapter model that enables third parties to integrate their MFA into AD FS. The MFA enabled by an Office 365 license is sufficient for Azure AD. ### Section Review > [!div class="checklist"] From 5dc0ff8e942f0d59708af9683da3bd914bf8f5e2 Mon Sep 17 00:00:00 2001 From: "Nisha Mittal (Wipro Ltd.)" Date: Fri, 10 May 2019 13:19:46 -0700 Subject: [PATCH 364/492] Latest changes for 1809 issues --- .../status-windows-10-1507.yml | 22 ------------ ...indows-10-1607-and-windows-server-2016.yml | 26 ++++++-------- .../status-windows-10-1703.yml | 24 ++++++------- .../status-windows-10-1709.yml | 26 ++++++-------- .../status-windows-10-1803.yml | 28 ++++++--------- ...indows-10-1809-and-windows-server-2019.yml | 18 ++-------- ...ndows-7-and-windows-server-2008-r2-sp1.yml | 34 ++++++------------- ...windows-8.1-and-windows-server-2012-r2.yml | 26 ++++++-------- .../status-windows-server-2008-sp2.yml | 12 ------- .../status-windows-server-2012.yml | 24 ++++++------- 10 files changed, 72 insertions(+), 168 deletions(-) diff --git a/windows/release-information/status-windows-10-1507.yml b/windows/release-information/status-windows-10-1507.yml index 3cab3fb9e9..16bf511276 100644 --- a/windows/release-information/status-windows-10-1507.yml +++ b/windows/release-information/status-windows-10-1507.yml @@ -61,9 +61,6 @@ sections: text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

- - -
SummaryOriginating updateStatusLast updated
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

See details >		OS Build 10240.18094

January 08, 2019
KB4480962		Mitigated
April 25, 2019
02:00 PM PT
MSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

See details >		OS Build 10240.18094

January 08, 2019
KB4480962		Resolved
KB4493475		April 09, 2019
10:00 AM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		OS Build 10240.18158

March 12, 2019
KB4489872		Resolved
KB4493475		April 09, 2019
10:00 AM PT
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >		OS Build 10240.18132

February 12, 2019
KB4487018		Resolved
KB4493475		April 09, 2019
10:00 AM PT
" @@ -74,30 +71,11 @@ sections:
" -- title: March 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Custom URI schemes may not start corresponding application
After installing KB4489872, Custom URI Schemes for Application Protocol handlers may not start the corresponding application for local intranet and trusted sites on Internet Explorer.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue was resolved in KB4493475.

Back to top		OS Build 10240.18158

March 12, 2019
KB4489872		Resolved
KB4493475		Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 12, 2019
10:00 AM PT
- " - -- title: February 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
 
For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
 
Affected platforms:  
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue is resolved in KB4493475

Back to top		OS Build 10240.18132

February 12, 2019
KB4487018		Resolved
KB4493475		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
- " - - title: January 2019 - items: - type: markdown text: " -
DetailsOriginating updateStatusHistory
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following: 
  • Perform the operation from a process that has administrator privilege. 
  • Perform the operation from a node that doesn’t have CSV ownership. 
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 10240.18094

January 08, 2019
KB4480962		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
January 08, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
After installing KB4480962, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4493475.

Back to top		OS Build 10240.18094

January 08, 2019
KB4480962		Resolved
KB4493475		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml index b22aced938..d444c69dac 100644 --- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml +++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml @@ -61,16 +61,13 @@ sections: text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ - - - -
SummaryOriginating updateStatusLast updated
Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.

See details >		OS Build 14393.2941

April 25, 2019
KB4493473		Investigating
April 25, 2019
02:00 PM PT
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

See details >		OS Build 14393.2931

April 25, 2019
KB4492241		Mitigated
May 10, 2019
10:35 AM PT
Cluster service may fail if the minimum password length is set to greater than 14
The cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the Group Policy “Minimum Password Length” is configured with greater than 14 characters.

See details >		OS Build 14393.2639

November 27, 2018
KB4467684		Mitigated
April 25, 2019
02:00 PM PT
Issue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.

See details >		OS Build 14393.2848

March 12, 2019
KB4489882		Mitigated
April 25, 2019
02:00 PM PT
SCVMM cannot enumerate and manage logical switches deployed on the host
For hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host.

See details >		OS Build 14393.2639

November 27, 2018
KB4467684		Mitigated
April 25, 2019
02:00 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

See details >		OS Build 14393.2724

January 08, 2019
KB4480961		Mitigated
April 25, 2019
02:00 PM PT
Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM
Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.

See details >		OS Build 14393.2608

November 13, 2018
KB4467691		Mitigated
February 19, 2019
10:00 AM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		OS Build 14393.2848

March 12, 2019
KB4489882		Resolved
KB4493473		April 25, 2019
02:00 PM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system will stop working and a blue screen may appear at startup.

See details >		OS Build 14393.2879

March 19, 2019
KB4489889		Resolved
KB4493470		April 09, 2019
10:00 AM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.

See details >		OS Build 14393.2724

January 08, 2019
KB4480961		Resolved
KB4493470		April 09, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

See details >		OS Build 14393.2724

January 08, 2019
KB4480961		Resolved
KB4493470		April 09, 2019
10:00 AM PT
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >		OS Build 14393.2791

February 12, 2019
KB4487026		Resolved
KB4493470		April 09, 2019
10:00 AM PT
" @@ -81,6 +78,15 @@ sections:
" +- title: May 2019 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update.

Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May.

Back to top		OS Build 14393.2931

April 25, 2019
KB4492241		Mitigated
Last updated:
May 10, 2019
10:35 AM PT

Opened:
May 10, 2019
10:35 AM PT
+ " + - title: April 2019 - items: - type: markdown @@ -98,16 +104,6 @@ sections:
Issue using PXE to start a device from WDS
After installing KB4489882, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:
Open an Administrator Command prompt and type the following:
Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:
Use the Windows Deployment Services UI to make the following adjustment:
  1. Open Windows Deployment Services from Windows Administrative Tools.
  2. Expand Servers and right-click a WDS server.
  3. Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.
Option 3:
Set the following registry value to 0:
HKLM\\System\\CurrentControlSet\\Services\\WDSServer\\Providers\\WDSTFTP\\EnableVariableWindowExtension

Restart the WDSServer service after disabling the Variable Window Extension.

Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to topOS Build 14393.2848

March 12, 2019
KB4489882Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
March 12, 2019
10:00 AM PT
Custom URI schemes may not start corresponding application
After installing KB4489882, Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer.

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4493473

Back to topOS Build 14393.2848

March 12, 2019
KB4489882Resolved
KB4493473Resolved:
April 25, 2019
02:00 PM PT

Opened:
March 12, 2019
10:00 AM PT -
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system will stop working and a blue screen may appear at startup. This is not a common setting in non-Asian regions.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016
Resolution: This issue was resolved in KB4493470.

Back to topOS Build 14393.2879

March 19, 2019
KB4489889Resolved
KB4493470Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 19, 2019
10:00 AM PT - - " - -- title: February 2019 -- items: - - type: markdown - text: " - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
 
For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
 
Affected platforms:  
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue is resolved in KB4493470

Back to top		OS Build 14393.2791

February 12, 2019
KB4487026		Resolved
KB4493470		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
" @@ -117,8 +113,6 @@ sections: text: " - -
DetailsOriginating updateStatusHistory
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege. 

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507;  Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following:
  • Perform the operation from a process that has administrator privilege. 
  • Perform the operation from a node that doesn’t have CSV ownership.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 14393.2724

January 08, 2019
KB4480961		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
January 08, 2019
10:00 AM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
After installing KB4480961, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
  • Cache size and location show zero or empty.
  • Keyboard shortcuts may not work properly.
  • Webpages may intermittently fail to load or render correctly.
  • Issues with credential prompts.
  • Issues when downloading files.
Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: This issue was resolved in KB4493470.

Back to top		OS Build 14393.2724

January 08, 2019
KB4480961		Resolved
KB4493470		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
After installing KB4480961, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4493470.

Back to top		OS Build 14393.2724

January 08, 2019
KB4480961		Resolved
KB4493470		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-10-1703.yml b/windows/release-information/status-windows-10-1703.yml index 10d69d6cc5..c0cfa4ac36 100644 --- a/windows/release-information/status-windows-10-1703.yml +++ b/windows/release-information/status-windows-10-1703.yml @@ -60,11 +60,9 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ - - -
SummaryOriginating updateStatusLast updated
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

See details >		OS Build 15063.1771

April 25, 2019
KB4492242		Mitigated
May 10, 2019
10:35 AM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

See details >		OS Build 15063.1563

January 08, 2019
KB4480973		Mitigated
April 25, 2019
02:00 PM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		OS Build 15063.1689

March 12, 2019
KB4489871		Resolved
KB4493436		April 25, 2019
02:00 PM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup.

See details >		OS Build 15063.1716

March 19, 2019
KB4489888		Resolved
KB4493474		April 09, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

See details >		OS Build 15063.1563

January 08, 2019
KB4480973		Resolved
KB4493474		April 09, 2019
10:00 AM PT
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >		OS Build 15063.1631

February 12, 2019
KB4487020		Resolved
KB4493474		April 09, 2019
10:00 AM PT
" @@ -75,22 +73,21 @@ sections:
" +- title: May 2019 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update.

Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May.

Back to top		OS Build 15063.1771

April 25, 2019
KB4492242		Mitigated
Last updated:
May 10, 2019
10:35 AM PT

Opened:
May 10, 2019
10:35 AM PT
+ " + - title: March 2019 - items: - type: markdown text: " - -
DetailsOriginating updateStatusHistory
Custom URI schemes may not start corresponding application
After installing KB4489871, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4493436

Back to top		OS Build 15063.1689

March 12, 2019
KB4489871		Resolved
KB4493436		Resolved:
April 25, 2019
02:00 PM PT

Opened:
March 12, 2019
10:00 AM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup. This is not a common setting in non-Asian regions.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016
Resolution: This issue was resolved in KB4493474.

Back to top		OS Build 15063.1716

March 19, 2019
KB4489888		Resolved
KB4493474		Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 19, 2019
10:00 AM PT
- " - -- title: February 2019 -- items: - - type: markdown - text: " - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
 
For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
 
Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue is resolved in KB4493474

Back to top		OS Build 15063.1631

February 12, 2019
KB4487020		Resolved
KB4493474		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
" @@ -100,6 +97,5 @@ sections: text: " -
DetailsOriginating updateStatusHistory
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege. 

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following: 
  • Perform the operation from a process that has administrator privilege. 
  • Perform the operation from a node that doesn’t have CSV ownership. 
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 15063.1563

January 08, 2019
KB4480973		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
January 08, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
After installing KB4480973, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4493474.

Back to top		OS Build 15063.1563

January 08, 2019
KB4480973		Resolved
KB4493474		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-10-1709.yml b/windows/release-information/status-windows-10-1709.yml index abdaf311b0..2618d42ebf 100644 --- a/windows/release-information/status-windows-10-1709.yml +++ b/windows/release-information/status-windows-10-1709.yml @@ -61,12 +61,9 @@ sections: text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ - - - -
SummaryOriginating updateStatusLast updated
Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.

See details >		OS Build 16299.1127

April 25, 2019
KB4493440		Investigating
April 25, 2019
02:00 PM PT
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

See details >		OS Build 16299.1111

April 25, 2019
KB4492243		Mitigated
May 10, 2019
10:35 AM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

See details >		OS Build 16299.904

January 08, 2019
KB4480978		Mitigated
April 25, 2019
02:00 PM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		OS Build 16299.1029

March 12, 2019
KB4489886		Resolved
KB4493440		April 25, 2019
02:00 PM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup.

See details >		OS Build 16299.1059

March 19, 2019
KB4489890		Resolved
KB4493441		April 09, 2019
10:00 AM PT
MSXML6 causes applications to stop responding if an exception was thrown
MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

See details >		OS Build 16299.904

January 08, 2019
KB4480978		Resolved
KB4493441		April 09, 2019
10:00 AM PT
Stop error when attempting to start SSH from WSL
A stop error occurs when attempting to start Secure Shell from Windows Subsystem for Linux with agent forwarding using a command line switch (ssh –A) or a configuration setting.

See details >		OS Build 16299.1029

March 12, 2019
KB4489886		Resolved
KB4493441		April 09, 2019
10:00 AM PT
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >		OS Build 16299.967

February 12, 2019
KB4486996		Resolved
KB4493441		April 09, 2019
10:00 AM PT
" @@ -77,6 +74,15 @@ sections:
" +- title: May 2019 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update.

Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May.

Back to top		OS Build 16299.1111

April 25, 2019
KB4492243		Mitigated
Last updated:
May 10, 2019
10:35 AM PT

Opened:
May 10, 2019
10:35 AM PT
+ " + - title: April 2019 - items: - type: markdown @@ -92,17 +98,6 @@ sections: text: " - - -
DetailsOriginating updateStatusHistory
Custom URI schemes may not start corresponding application
After installing KB4489886, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4493440

Back to top		OS Build 16299.1029

March 12, 2019
KB4489886		Resolved
KB4493440		Resolved:
April 25, 2019
02:00 PM PT

Opened:
March 12, 2019
10:00 AM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup. This is not a common setting in non-Asian regions.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016
Resolution: This issue is resolved in KB4493441.

Back to top		OS Build 16299.1059

March 19, 2019
KB4489890		Resolved
KB4493441		Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 19, 2019
10:00 AM PT
Stop error when attempting to start SSH from WSL
After applying KB4489886, a stop error occurs when attempting to start the Secure Shell (SSH) client program from Windows Subsystem for Linux (WSL) with agent forwarding enabled using a command line switch (ssh –A) or a configuration setting.

Affected platforms:
  • Client: Windows 10, version 1803; Windows 10, version 1709
  • Server: Windows Server, version 1803; Windows Server, version 1709
Resolution: This issue is resolved in KB4493441.

Back to top		OS Build 16299.1029

March 12, 2019
KB4489886		Resolved
KB4493441		Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 12, 2019
10:00 AM PT
- " - -- title: February 2019 -- items: - - type: markdown - text: " - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
 
For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
 
Affected platforms:  
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue is resolved in KB4493441

Back to top		OS Build 16299.967

February 12, 2019
KB4486996		Resolved
KB4493441		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
" @@ -112,6 +107,5 @@ sections: text: " -
DetailsOriginating updateStatusHistory
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege. 

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following:
  • Perform the operation from a process that has administrator privilege. 
  • Perform the operation from a node that doesn’t have CSV ownership. 
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 16299.904

January 08, 2019
KB4480978		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
January 08, 2019
10:00 AM PT
MSXML6 causes applications to stop responding if an exception was thrown
After installing KB4480978, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue is resolved in KB4493441.

Back to top		OS Build 16299.904

January 08, 2019
KB4480978		Resolved
KB4493441		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml index 3e58d9c048..9fea9cbeb3 100644 --- a/windows/release-information/status-windows-10-1803.yml +++ b/windows/release-information/status-windows-10-1803.yml @@ -61,14 +61,10 @@ sections: text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ - - - - -
SummaryOriginating updateStatusLast updated
Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.

See details >		OS Build 17134.753

April 25, 2019
KB4493437		Investigating
April 25, 2019
02:00 PM PT
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

See details >		OS Build 17134.730

April 25, 2019
KB4492245		Mitigated
May 10, 2019
10:35 AM PT
Issue using PXE to start a device from WDS
Using PXE to start a device from a WDS server configured to use Variable Window Extension may cause the connection to the WDS server to terminate prematurely.

See details >		OS Build 17134.648

March 12, 2019
KB4489868		Mitigated
April 25, 2019
02:00 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

See details >		OS Build 17134.523

January 08, 2019
KB4480966		Mitigated
April 25, 2019
02:00 PM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		OS Build 17134.648

March 12, 2019
KB4489868		Resolved
KB4493437		April 25, 2019
02:00 PM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup.

See details >		OS Build 17134.677

March 19, 2019
KB4489894		Resolved
KB4493464		April 09, 2019
10:00 AM PT
First character of the Japanese era name not recognized
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

See details >		OS Build 17134.556

January 15, 2019
KB4480976		Resolved
KB4487029		April 09, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

See details >		OS Build 17134.523

January 08, 2019
KB4480966		Resolved
KB4493464		April 09, 2019
10:00 AM PT
Stop error when attempting to start SSH from WSL
A stop error occurs when attempting to start Secure Shell from Windows Subsystem for Linux with agent forwarding using a command line switch (ssh –A) or a configuration setting.

See details >		OS Build 17134.648

March 12, 2019
KB4489868		Resolved
KB4493464		April 09, 2019
10:00 AM PT
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >		OS Build 17134.590

February 12, 2019
KB4487017		Resolved
KB4493464		April 09, 2019
10:00 AM PT
" @@ -79,6 +75,15 @@ sections:
" +- title: May 2019 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update.

Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May.

Back to top		OS Build 17134.730

April 25, 2019
KB4492245		Mitigated
Last updated:
May 10, 2019
10:35 AM PT

Opened:
May 10, 2019
10:35 AM PT
+ " + - title: April 2019 - items: - type: markdown @@ -96,17 +101,6 @@ sections:
Issue using PXE to start a device from WDS
After installing KB4489868, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension. 

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1: 
Open an Administrator Command prompt and type the following:  
Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

 Option 2: 
Use the Windows Deployment Services UI to make the following adjustment:  
  1. Open Windows Deployment Services from Windows Administrative Tools. 
  2. Expand Servers and right-click a WDS server. 
  3. Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.  
Option 3: 
Set the following registry value to 0:
HKLM\\System\\CurrentControlSet\\Services\\WDSServer\\Providers\\WDSTFTP\\EnableVariableWindowExtension  

Restart the WDSServer service after disabling the Variable Window Extension. 
 
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release. 

Back to topOS Build 17134.648

March 12, 2019
KB4489868Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
March 12, 2019
10:00 AM PT
Custom URI schemes may not start corresponding application
After installing KB4489868, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer. 

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4493437

Back to topOS Build 17134.648

March 12, 2019
KB4489868Resolved
KB4493437Resolved:
April 25, 2019
02:00 PM PT

Opened:
March 12, 2019
10:00 AM PT -
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup. This is not a common setting in non-Asian regions. 

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016
Resolution: This issue was resolved in KB4493464

Back to topOS Build 17134.677

March 19, 2019
KB4489894Resolved
KB4493464Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 19, 2019
10:00 AM PT -
Stop error when attempting to start SSH from WSL
After applying KB4489868, a stop error occurs when attempting to start the Secure Shell (SSH) client program from Windows Subsystem for Linux (WSL) with agent forwarding enabled using a command line switch (ssh -A) or a configuration setting.

Affected platforms:
  • Client: Windows 10, version 1803; Windows 10, version 1709
  • Server: Windows Server, version 1803; Windows Server, version 1709
Resolution: This issue was resolved in KB4493464.

Back to topOS Build 17134.648

March 12, 2019
KB4489868Resolved
KB4493464Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 12, 2019
10:00 AM PT - - " - -- title: February 2019 -- items: - - type: markdown - text: " - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
 
For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
 
Affected platforms:  
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue is resolved in KB4493464

Back to top		OS Build 17134.590

February 12, 2019
KB4487017		Resolved
KB4493464		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
" @@ -116,7 +110,5 @@ sections: text: " - -
DetailsOriginating updateStatusHistory
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following:
  • Perform the operation from a process that has administrator privilege. 
  • Perform the operation from a node that doesn’t have CSV ownership. 
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17134.523

January 08, 2019
KB4480966		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
January 08, 2019
10:00 AM PT
First character of the Japanese era name not recognized
After installing KB4480976, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4487029

Back to top		OS Build 17134.556

January 15, 2019
KB4480976		Resolved
KB4487029		Resolved:
February 19, 2019
02:00 PM PT

Opened:
January 08, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
After installing KB4480966, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4493464

Back to top		OS Build 17134.523

January 08, 2019
KB4480966		Resolved
KB4493464		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml index 2b50998415..afb53b80c9 100644 --- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml @@ -65,6 +65,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ @@ -73,10 +74,6 @@ sections: - - - -
SummaryOriginating updateStatusLast updated
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

See details >		OS Build 17763.475

May 03, 2019
KB4495667		Mitigated
May 10, 2019
10:35 AM PT
Devices with some Asian language packs installed may receive an error
After installing the KB4493509 devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_F

See details >		OS Build 17763.437

April 09, 2019
KB4493509		Mitigated
May 03, 2019
10:59 AM PT
Printing from Microsoft Edge or other UWP apps, you may receive the error 0x80070007
Attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications, you may receive an error.

See details >		OS Build 17763.379

March 12, 2019
KB4489899		Mitigated
May 02, 2019
04:47 PM PT
Issue using PXE to start a device from WDS
Using PXE to start a device from a WDS server configured to use Variable Window Extension may cause the connection to the WDS server to terminate prematurely.

See details >		OS Build 17763.379

March 12, 2019
KB4489899		Mitigated
April 09, 2019
10:00 AM PT
Latest cumulative update (KB 4495667) installs automatically
Reports that the optional cumulative update (KB 4495667) installs automatically.

See details >		OS Build 17763.475

May 03, 2019
KB4495667		Resolved
May 08, 2019
03:37 PM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
After further investigation ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809

See details >		OS Build 17763.437

April 09, 2019
KB4493509		Resolved
May 08, 2019
03:30 PM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		OS Build 17763.379

March 12, 2019
KB4489899		Resolved
KB4495667		May 03, 2019
12:40 PM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup.

See details >		OS Build 17763.404

April 02, 2019
KB4490481		Resolved
KB4493509		April 09, 2019
10:00 AM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.

See details >		OS Build 17763.253

January 08, 2019
KB4480116		Resolved
KB4493509		April 09, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

See details >		OS Build 17763.253

January 08, 2019
KB4480116		Resolved
KB4493509		April 09, 2019
10:00 AM PT
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >		OS Build 17763.316

February 12, 2019
KB4487044		Resolved
KB4493509		April 09, 2019
10:00 AM PT
" @@ -92,6 +89,7 @@ sections: - type: markdown text: " + @@ -104,7 +102,6 @@ sections: text: "
DetailsOriginating updateStatusHistory
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update.

Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May.

Back to top		OS Build 17763.475

May 03, 2019
KB4495667		Mitigated
Last updated:
May 10, 2019
10:35 AM PT

Opened:
May 10, 2019
10:35 AM PT
Devices with some Asian language packs installed may receive an error
After installing the April 2019 Cumulative Update (KB4493509), devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Workaround:
  1. Uninstall and reinstall any recently added language packs. For instructions, see \"Manage the input and display language settings in Windows 10\".
  2. Click Check for Updates and install the April 2019 Cumulative Update. For instructions, see \"Update Windows 10\".
Note: If reinstalling the language pack does not mitigate the issue, reset your PC as follows:
  1. Go to Settings app -> Recovery.
  2. Click on Get Started under \"Reset this PC\" recovery option.
  3. Select \"Keep my Files\".
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17763.437

April 09, 2019
KB4493509		Mitigated
Last updated:
May 03, 2019
10:59 AM PT

Opened:
May 02, 2019
04:36 PM PT
Printing from Microsoft Edge or other UWP apps, you may receive the error 0x80070007
When attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications you may receive the error, \"Your printer has experienced an unexpected configuration problem. 0x80070007e.\"
 
Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Workaround: You can use another browser, such as Internet Explorer to print your documents.
 
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17763.379

March 12, 2019
KB4489899		Mitigated
Last updated:
May 02, 2019
04:47 PM PT

Opened:
May 02, 2019
04:47 PM PT
Latest cumulative update (KB 4495667) installs automatically
Due to a servicing side issue some users were offered KB4495667 (optional update) automatically and rebooted devices. This issue has been mitigated.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Resolution:: This issue has been mitigated on the servicing side to prevent auto installing of this update. Customers do not need to take any action.

Back to top		OS Build 17763.475

May 03, 2019
KB4495667		Resolved
Resolved:
May 08, 2019
03:37 PM PT

Opened:
May 05, 2019
12:01 PM PT
-
DetailsOriginating updateStatusHistory
System may be unresponsive after restart if ArcaBit antivirus software installed
ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809 (client or server).

Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart.

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: ArcaBit has released an update to address this issue for affected platforms. For more information, see the ArcaBit support article.

Resolution: This issue has been resolved. ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809 (client or server).

Back to top		OS Build 17763.437

April 09, 2019
KB4493509		Resolved
Resolved:
May 08, 2019
03:30 PM PT

Opened:
April 09, 2019
10:00 AM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system will stop working and a blue screen may appear at startup. This is not a common setting in non-Asian regions.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016
Resolution: This issue was resolved in KB4493509.

Back to top		OS Build 17763.404

April 02, 2019
KB4490481		Resolved
KB4493509		Resolved:
April 09, 2019
10:00 AM PT

Opened:
April 02, 2019
10:00 AM PT
" @@ -119,23 +116,12 @@ sections: " -- title: February 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
 
For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
 
Affected platforms:  
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1  
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2  
Resolution: This issue is resolved in KB4493509.  

Back to top		OS Build 17763.316

February 12, 2019
KB4487044		Resolved
KB4493509		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
- " - - title: January 2019 - items: - type: markdown text: " - -
DetailsOriginating updateStatusHistory
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege. 

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following:  
  • Perform the operation from a process that has administrator privilege. 
  • Perform the operation from a node that doesn’t have CSV ownership. 
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17763.253

January 08, 2019
KB4480116		Mitigated
Last updated:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
After installing KB4480116, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to: 
  • Cache size and location show zero or empty. 
  • Keyboard shortcuts may not work properly. 
  • Webpages may intermittently fail to load or render correctly. 
  • Issues with credential prompts. 
  • Issues when downloading files. 
Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: This issue was resolved in KB4493509

Back to top		OS Build 17763.253

January 08, 2019
KB4480116		Resolved
KB4493509		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
After installing KB4480116, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
 
The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings. 

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4493509

Back to top		OS Build 17763.253

January 08, 2019
KB4480116		Resolved
KB4493509		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml index ef1b22e4bf..0ce3cb79c0 100644 --- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml +++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml @@ -60,16 +60,13 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ - - - -
SummaryOriginating updateStatusLast updated
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

See details >		April 25, 2019
KB4493453		Mitigated
May 10, 2019
10:35 AM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493472		Mitigated
May 08, 2019
03:29 PM PT
System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493472		Mitigated
May 03, 2019
08:50 AM PT
Authentication may fail for services after the Kerberos ticket expires
Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires.

See details >		March 12, 2019
KB4489878		Mitigated
April 25, 2019
02:00 PM PT
System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.

See details >		April 09, 2019
KB4493472		Mitigated
April 25, 2019
02:00 PM PT
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

See details >		April 09, 2019
KB4493472		Mitigated
April 25, 2019
02:00 PM PT
Devices may not respond at login or Welcome screen if running certain Avast software
Devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software may become unresponsive after restart.

See details >		April 09, 2019
KB4493472		Resolved
April 25, 2019
02:00 PM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.

See details >		January 08, 2019
KB4480970		Resolved
KB4493472		April 09, 2019
10:00 AM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		March 12, 2019
KB4489878		Resolved
KB4493472		April 09, 2019
10:00 AM PT
NETDOM.EXE fails to run
NETDOM.EXE fails to run and the error, “The command failed to complete successfully.” appears on screen.

See details >		March 12, 2019
KB4489878		Resolved
KB4493472		April 09, 2019
10:00 AM PT
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >		February 12, 2019
KB4486563		Resolved
KB4493472		April 09, 2019
10:00 AM PT
" @@ -80,6 +77,15 @@ sections:
" +- title: May 2019 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update.

Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May.

Back to top		April 25, 2019
KB4493453		Mitigated
Last updated:
May 10, 2019
10:35 AM PT

Opened:
May 10, 2019
10:35 AM PT
+ " + - title: April 2019 - items: - type: markdown @@ -99,25 +105,5 @@ sections: text: " - - -
DetailsOriginating updateStatusHistory
Authentication may fail for services after the Kerberos ticket expires
After installing KB4489878, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires (the default is 10 hours). For example, the SQL server service fails.

Affected platforms: 
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Workaround: To mitigate this issue, use one of the following options:
  • Option 1: Purge the Kerberos tickets on the application server. After the Kerberos ticket expires, the issue will occur again, and you must purge the tickets again.
  • Option 2: If purging does not mitigate the issue, restart the application; for example, restart the Internet Information Services (IIS) app pool associated with the SQL server.
  • Option 3: Use constrained delegation.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		March 12, 2019
KB4489878		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
March 12, 2019
10:00 AM PT
Custom URI schemes may not start corresponding application
After installing KB4489878, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites on Internet Explorer.

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1 
Resolution: This issue is resolved in KB4493472.

Back to top		March 12, 2019
KB4489878		Resolved
KB4493472		Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 12, 2019
10:00 AM PT
NETDOM.EXE fails to run
After installing KB4489878, NETDOM.EXE fails to run, and the on-screen error, “The command failed to complete successfully.” appears.

Affected platforms: 
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4493472.

Back to top		March 12, 2019
KB4489878		Resolved
KB4493472		Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 12, 2019
10:00 AM PT
- " - -- title: February 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
 
For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
 
Affected platforms:  
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue is resolved in KB4493472

Back to top		February 12, 2019
KB4486563		Resolved
KB4493472		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
- " - -- title: January 2019 -- items: - - type: markdown - text: " - -
DetailsOriginating updateStatusHistory
Internet Explorer 11 authentication issue with multiple concurrent logons
After installing KB4480970, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
  • Cache size and location show zero or empty.
  • Keyboard shortcuts may not work properly.
  • Webpages may intermittently fail to load or render correctly.
  • Issues with credential prompts.
  • Issues when downloading files.
Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4493472.

Back to top		January 08, 2019
KB4480970		Resolved
KB4493472		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml index e159932ae6..a16b0e0d20 100644 --- a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml +++ b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ @@ -67,10 +68,6 @@ sections: - - - -
SummaryOriginating updateStatusLast updated
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

See details >		April 25, 2019
KB4493443		Mitigated
May 10, 2019
10:35 AM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493446		Mitigated
May 08, 2019
03:29 PM PT
System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493446		Mitigated
May 03, 2019
08:50 AM PT
Issue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.

See details >		March 12, 2019
KB4489881		Mitigated
April 25, 2019
02:00 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.

See details >		January 08, 2019
KB4480963		Mitigated
April 25, 2019
02:00 PM PT
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

See details >		April 09, 2019
KB4493446		Mitigated
April 18, 2019
05:00 PM PT
Devices may not respond at login or Welcome screen if running certain Avast software
Devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software may become unresponsive after restart.

See details >		April 09, 2019
KB4493446		Resolved
April 25, 2019
02:00 PM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.

See details >		January 08, 2019
KB4480963		Resolved
KB4493446		April 09, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding.
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

See details >		January 08, 2019
KB4480963		Resolved
KB4493446		April 09, 2019
10:00 AM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		March 12, 2019
KB4489881		Resolved
KB4493446		April 09, 2019
10:00 AM PT
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >		February 12, 2019
KB4487000		Resolved
KB4493446		April 09, 2019
10:00 AM PT
" @@ -81,6 +78,15 @@ sections:
" +- title: May 2019 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update.

Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May.

Back to top		April 25, 2019
KB4493443		Mitigated
Last updated:
May 10, 2019
10:35 AM PT

Opened:
May 10, 2019
10:35 AM PT
+ " + - title: April 2019 - items: - type: markdown @@ -101,16 +107,6 @@ sections: - -
DetailsOriginating updateStatusHistory
Issue using PXE to start a device from WDS
After installing KB4489881, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012 
Workaround: To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:
Open an Administrator Command prompt and type the following:
Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:
Use the Windows Deployment Services UI to make the following adjustment:
  1. Open Windows Deployment Services from Windows Administrative Tools.
  2. Expand Servers and right-click a WDS server.
  3. Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.
Option 3:
Set the following registry value to 0:
HKLM\\System\\CurrentControlSet\\Services\\WDSServer\\Providers\\WDSTFTP\\EnableVariableWindowExtension

Restart the WDSServer service after disabling the Variable Window Extension.

Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		March 12, 2019
KB4489881		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
March 12, 2019
10:00 AM PT
Custom URI schemes may not start corresponding application
After installing KB4489881, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer.

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1 
Resolution: This issue is resolved in KB4493446.

Back to top		March 12, 2019
KB4489881		Resolved
KB4493446		Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 12, 2019
10:00 AM PT
- " - -- title: February 2019 -- items: - - type: markdown - text: " - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color.

Affected platforms 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue is resolved in KB4493446.

Back to top		February 12, 2019
KB4487000		Resolved
KB4493446		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
" @@ -120,7 +116,5 @@ sections: text: " - -
DetailsOriginating updateStatusHistory
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following:
  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		January 08, 2019
KB4480963		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
January 08, 2019
10:00 AM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
After installing KB4480963, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
  • Cache size and location show zero or empty.
  • Keyboard shortcuts may not work properly.
  • Webpages may intermittently fail to load or render correctly.
  • Issues with credential prompts.
  • Issues when downloading files.
Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4493446.

Back to top		January 08, 2019
KB4480963		Resolved
KB4493446		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding.
After installing KB4480963, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue is resolved in KB4493446.

Back to top		January 08, 2019
KB4480963		Resolved
KB4493446		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-server-2008-sp2.yml b/windows/release-information/status-windows-server-2008-sp2.yml index 102f665769..689abfde38 100644 --- a/windows/release-information/status-windows-server-2008-sp2.yml +++ b/windows/release-information/status-windows-server-2008-sp2.yml @@ -63,8 +63,6 @@ sections:
System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.

See details >April 09, 2019
KB4493471Mitigated
May 03, 2019
08:51 AM PT
System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.

See details >April 09, 2019
KB4493471Mitigated
April 25, 2019
02:00 PM PT
Authentication may fail for services after the Kerberos ticket expires
Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires.

See details >March 12, 2019
KB4489880Mitigated
April 25, 2019
02:00 PM PT -
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >February 12, 2019
KB4487023Resolved
KB4493471April 09, 2019
10:00 AM PT -
NETDOM.EXE fails to run
NETDOM.EXE fails to run and the error, “The command failed to complete successfully.” appears on screen.

See details >March 12, 2019
KB4489880Resolved
KB4493471April 09, 2019
10:00 AM PT " @@ -91,15 +89,5 @@ sections: text: " - -
DetailsOriginating updateStatusHistory
Authentication may fail for services after the Kerberos ticket expires
After installing KB4489880, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires (the default is 10 hours). For example, the SQL server service fails.

Affected platforms: 
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Workaround: To mitigate this issue, use one of the following options:
  • Option 1: Purge the Kerberos tickets on the application server. After the Kerberos ticket expires, the issue will occur again, and you must purge the tickets again.
  • Option 2: If purging does not mitigate the issue, restart the application; for example, restart the Internet Information Services (IIS) app pool associated with the SQL server.
  • Option 3: Use constrained delegation.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		March 12, 2019
KB4489880		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
March 12, 2019
10:00 AM PT
NETDOM.EXE fails to run
After installing KB4489880, NETDOM.EXE fails to run, and the on-screen error, “The command failed to complete successfully.” appears.

Affected platforms: 
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4493471.

Back to top		March 12, 2019
KB4489880		Resolved
KB4493471		Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 12, 2019
10:00 AM PT
- " - -- title: February 2019 -- items: - - type: markdown - text: " - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color.

Affected platforms 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4493471.

Back to top		February 12, 2019
KB4487023		Resolved
KB4493471		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-server-2012.yml b/windows/release-information/status-windows-server-2012.yml index 831a726f86..be5f206c02 100644 --- a/windows/release-information/status-windows-server-2012.yml +++ b/windows/release-information/status-windows-server-2012.yml @@ -60,13 +60,11 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ - - -
SummaryOriginating updateStatusLast updated
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

See details >		April 25, 2019
KB4493462		Mitigated
May 10, 2019
10:35 AM PT
System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493451		Mitigated
May 03, 2019
08:51 AM PT
Issue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.

See details >		March 12, 2019
KB4489891		Mitigated
April 25, 2019
02:00 PM PT
System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.

See details >		April 09, 2019
KB4493451		Mitigated
April 25, 2019
02:00 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.

See details >		January 08, 2019
KB4480975		Mitigated
April 25, 2019
02:00 PM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.

See details >		January 08, 2019
KB4480975		Resolved
KB4493451		April 09, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

See details >		January 08, 2019
KB4480975		Resolved
KB4493451		April 09, 2019
10:00 AM PT
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >		February 12, 2019
KB4487025		Resolved
KB4493451		April 09, 2019
10:00 AM PT
" @@ -77,6 +75,15 @@ sections:
" +- title: May 2019 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update.

Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May.

Back to top		April 25, 2019
KB4493462		Mitigated
Last updated:
May 10, 2019
10:35 AM PT

Opened:
May 10, 2019
10:35 AM PT
+ " + - title: April 2019 - items: - type: markdown @@ -97,22 +104,11 @@ sections: " -- title: February 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color.

Affected platforms 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue is resolved in KB4493451.

Back to top		February 12, 2019
KB4487025		Resolved
KB4493451		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
- " - - title: January 2019 - items: - type: markdown text: " - -
DetailsOriginating updateStatusHistory
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following:
  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		January 08, 2019
KB4480975		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
January 08, 2019
10:00 AM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
After installing KB4480975, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
  • Cache size and location show zero or empty.
  • Keyboard shortcuts may not work properly.
  • Webpages may intermittently fail to load or render correctly.
  • Issues with credential prompts.
  • Issues when downloading files.
Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4493451.

Back to top		January 08, 2019
KB4480975		Resolved
KB4493451		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
After installing KB4480975, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue is resolved in KB4493451.

Back to top		January 08, 2019
KB4480975		Resolved
KB4493451		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" From ac3bb9b597ae2a230cb762bd95cf8bb28a10ea7c Mon Sep 17 00:00:00 2001 From: "Nisha Mittal (Wipro Ltd.)" Date: Fri, 10 May 2019 13:49:57 -0700 Subject: [PATCH 365/492] New Announcement Added --- windows/release-information/windows-message-center.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml index 2a4ba41456..fb66108a56 100644 --- a/windows/release-information/windows-message-center.yml +++ b/windows/release-information/windows-message-center.yml @@ -50,6 +50,16 @@ sections: text: " + - -
MessageDate
Reminder: Windows 10 update servicing cadence
This month we received questions about the cadence of updates we released in April and May 2019. Here's a quick recap of our releases and servicing cadence:
+
    +
  • April 9, 2019 was the regular Update Tuesday release for all versions of Windows.
    • +
  • May 1, 2019 was a Windows 10, version 1809 out of band update (OOB) released to Microsoft Catalog and WSUS, providing a critical fix for our OEM partners.
    • +
  • May 3, 2019 was the Windows 10, version 1809 \"C\" release for April. This update contained important Japan era packages for commercial customers to preview. It was delayed due to a blocking issue requiring investigation, causing it to be released later than expected. The update was then mistakenly published as \"required\" (instead of \"optional\"), which pushed the update out to customers and required a reboot. Within 24 hours of receiving customer reports, we corrected the classification and mitigated the issue.
    • +
+For more information about the Windows 10 update servicing cadence, please see the Window IT Pro blog.
+ + +		May 10, 2019
10:00 AM PT
Take action: Install servicing stack update for Windows Server 2008 SP2 for SHA-2 code sign support
A standalone update, KB4493730, that introduce SHA-2 code sign support for the servicing stack (SSU) was released today as a security update.		April 19, 2019
10:00 AM PT
The benefits of Windows 10 Dynamic Update
Dynamic Update can help organizations and end users alike ensure that their Windows 10 devices have the latest feature update content (as part of an in-place upgrade)—and preserve precious features on demand (FODs) and language packs (LPs) that may have been previously installed.

From 0b80b692f94db3055b589de8d153ccb5e7334b4b Mon Sep 17 00:00:00 2001 From: "Nisha Mittal (Wipro Ltd.)" Date: Fri, 10 May 2019 14:07:02 -0700 Subject: [PATCH 366/492] Latest Change for announcement --- .../windows-message-center.yml | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml index fb66108a56..5990f3d920 100644 --- a/windows/release-information/windows-message-center.yml +++ b/windows/release-information/windows-message-center.yml @@ -50,16 +50,13 @@ sections: text: " - + From 951f8092f962a0932629e8b141b25fdf3f91e2e6 Mon Sep 17 00:00:00 2001 From: DocsPreview <49669258+DocsPreview@users.noreply.github.com> Date: Fri, 10 May 2019 15:12:41 -0700 Subject: [PATCH 369/492] Release info preview (#162) * Latest changes for 1809 issues * New Announcement Added * Latest Change for announcement * Updated link for japanese era content --- .../status-windows-10-1507.yml | 22 ------------ ...indows-10-1607-and-windows-server-2016.yml | 26 ++++++-------- .../status-windows-10-1703.yml | 24 ++++++------- .../status-windows-10-1709.yml | 26 ++++++-------- .../status-windows-10-1803.yml | 28 ++++++--------- ...indows-10-1809-and-windows-server-2019.yml | 18 ++-------- ...ndows-7-and-windows-server-2008-r2-sp1.yml | 34 ++++++------------- ...windows-8.1-and-windows-server-2012-r2.yml | 26 ++++++-------- .../status-windows-server-2008-sp2.yml | 12 ------- .../status-windows-server-2012.yml | 24 ++++++------- .../windows-message-center.yml | 7 ++++ 11 files changed, 79 insertions(+), 168 deletions(-) diff --git a/windows/release-information/status-windows-10-1507.yml b/windows/release-information/status-windows-10-1507.yml index 3cab3fb9e9..16bf511276 100644 --- a/windows/release-information/status-windows-10-1507.yml +++ b/windows/release-information/status-windows-10-1507.yml @@ -61,9 +61,6 @@ sections: text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

MessageDate
Reminder: Windows 10 update servicing cadence
This month we received questions about the cadence of updates we released in April and May 2019. Here's a quick recap of our releases and servicing cadence:
-
    -
  • April 9, 2019 was the regular Update Tuesday release for all versions of Windows.
    • -
  • May 1, 2019 was a Windows 10, version 1809 out of band update (OOB) released to Microsoft Catalog and WSUS, providing a critical fix for our OEM partners.
    • -
  • May 3, 2019 was the Windows 10, version 1809 \"C\" release for April. This update contained important Japan era packages for commercial customers to preview. It was delayed due to a blocking issue requiring investigation, causing it to be released later than expected. The update was then mistakenly published as \"required\" (instead of \"optional\"), which pushed the update out to customers and required a reboot. Within 24 hours of receiving customer reports, we corrected the classification and mitigated the issue.
    • -
-For more information about the Windows 10 update servicing cadence, please see the Window IT Pro blog.
- - -		May 10, 2019
10:00 AM PT
Reminder: Windows 10 update servicing cadence
This month we received questions about the cadence of updates we released in April and May 2019. Here's a quick recap of our releases and servicing cadence:
+
    +
  • April 9, 2019 was the regular Update Tuesday release for all versions of Windows.
    • +
  • May 1, 2019 was an \"optional\" out of band update (OOB), non-security update for Windows 10, version 1809. It was released to Microsoft Catalog and WSUS, providing a critical fix for our OEM partners.
    • +
  • May 3, 2019 was the \"optional\" Windows 10, version 1809 \"C\" release for April. This update contained important Japanese era packages for commercial customers to preview. It was released later than expected and mistakenly targeted as \"required\" (instead of \"optional\") for consumers, which pushed the update out to customers and required a reboot. Within 24 hours of receiving customer reports, we corrected the targeting logic and mitigated the issue.
    • +
+ For more information about the Windows 10 update servicing cadence, please see the Window IT Pro blog.
May 10, 2019
10:00 AM PT
Take action: Install servicing stack update for Windows Server 2008 SP2 for SHA-2 code sign support
A standalone update, KB4493730, that introduce SHA-2 code sign support for the servicing stack (SSU) was released today as a security update.		April 19, 2019
10:00 AM PT
The benefits of Windows 10 Dynamic Update
Dynamic Update can help organizations and end users alike ensure that their Windows 10 devices have the latest feature update content (as part of an in-place upgrade)—and preserve precious features on demand (FODs) and language packs (LPs) that may have been previously installed.

From 6a6fe30fe138e9f0ce63896660bd5820a3e92ecc Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Fri, 10 May 2019 14:36:01 -0700 Subject: [PATCH 367/492] Update safety-scanner-download.md fixing NOTE style --- .../threat-protection/intelligence/safety-scanner-download.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md index 5a4ea7bd10..69dfef35ee 100644 --- a/windows/security/threat-protection/intelligence/safety-scanner-download.md +++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md @@ -22,7 +22,7 @@ Microsoft Safety Scanner is a scan tool designed to find and remove malware from - [Download Microsoft Safety Scanner (64-bit)](https://go.microsoft.com/fwlink/?LinkId=212732) -[!NOTE] The security intelligence update version of the Microsoft Safety Scaner matches the version described [in this web page](https://www.microsoft.com/en-us/wdsi/definitions). +> **NOTE** The security intelligence update version of the Microsoft Safety Scaner matches the version described [in this web page](https://www.microsoft.com/en-us/wdsi/definitions). Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We recommend that you always download the latest version of this tool before each scan. From 9928a0c615f9ec727ca9b389f9b6786aa7797dc9 Mon Sep 17 00:00:00 2001 From: "Nisha Mittal (Wipro Ltd.)" Date: Fri, 10 May 2019 14:41:55 -0700 Subject: [PATCH 368/492] Updated link for japanese era content --- windows/release-information/windows-message-center.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml index 5990f3d920..64f62b302e 100644 --- a/windows/release-information/windows-message-center.yml +++ b/windows/release-information/windows-message-center.yml @@ -54,7 +54,7 @@ sections:
  • April 9, 2019 was the regular Update Tuesday release for all versions of Windows.
  • May 1, 2019 was an \"optional\" out of band update (OOB), non-security update for Windows 10, version 1809. It was released to Microsoft Catalog and WSUS, providing a critical fix for our OEM partners.
    • -
  • May 3, 2019 was the \"optional\" Windows 10, version 1809 \"C\" release for April. This update contained important Japanese era packages for commercial customers to preview. It was released later than expected and mistakenly targeted as \"required\" (instead of \"optional\") for consumers, which pushed the update out to customers and required a reboot. Within 24 hours of receiving customer reports, we corrected the targeting logic and mitigated the issue.
    • +
  • May 3, 2019 was the \"optional\" Windows 10, version 1809 \"C\" release for April. This update contained important Japanese era packages for commercial customers to preview. It was released later than expected and mistakenly targeted as \"required\" (instead of \"optional\") for consumers, which pushed the update out to customers and required a reboot. Within 24 hours of receiving customer reports, we corrected the targeting logic and mitigated the issue.
For more information about the Windows 10 update servicing cadence, please see the Window IT Pro blog.		May 10, 2019
10:00 AM PT
Take action: Install servicing stack update for Windows Server 2008 SP2 for SHA-2 code sign support
A standalone update, KB4493730, that introduce SHA-2 code sign support for the servicing stack (SSU) was released today as a security update.		April 19, 2019
10:00 AM PT
- - -
SummaryOriginating updateStatusLast updated
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

See details >		OS Build 10240.18094

January 08, 2019
KB4480962		Mitigated
April 25, 2019
02:00 PM PT
MSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

See details >		OS Build 10240.18094

January 08, 2019
KB4480962		Resolved
KB4493475		April 09, 2019
10:00 AM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		OS Build 10240.18158

March 12, 2019
KB4489872		Resolved
KB4493475		April 09, 2019
10:00 AM PT
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >		OS Build 10240.18132

February 12, 2019
KB4487018		Resolved
KB4493475		April 09, 2019
10:00 AM PT
" @@ -74,30 +71,11 @@ sections:
" -- title: March 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Custom URI schemes may not start corresponding application
After installing KB4489872, Custom URI Schemes for Application Protocol handlers may not start the corresponding application for local intranet and trusted sites on Internet Explorer.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue was resolved in KB4493475.

Back to top		OS Build 10240.18158

March 12, 2019
KB4489872		Resolved
KB4493475		Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 12, 2019
10:00 AM PT
- " - -- title: February 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
 
For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
 
Affected platforms:  
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue is resolved in KB4493475

Back to top		OS Build 10240.18132

February 12, 2019
KB4487018		Resolved
KB4493475		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
- " - - title: January 2019 - items: - type: markdown text: " -
DetailsOriginating updateStatusHistory
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following: 
  • Perform the operation from a process that has administrator privilege. 
  • Perform the operation from a node that doesn’t have CSV ownership. 
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 10240.18094

January 08, 2019
KB4480962		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
January 08, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
After installing KB4480962, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4493475.

Back to top		OS Build 10240.18094

January 08, 2019
KB4480962		Resolved
KB4493475		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml index b22aced938..d444c69dac 100644 --- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml +++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml @@ -61,16 +61,13 @@ sections: text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ - - - -
SummaryOriginating updateStatusLast updated
Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.

See details >		OS Build 14393.2941

April 25, 2019
KB4493473		Investigating
April 25, 2019
02:00 PM PT
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

See details >		OS Build 14393.2931

April 25, 2019
KB4492241		Mitigated
May 10, 2019
10:35 AM PT
Cluster service may fail if the minimum password length is set to greater than 14
The cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the Group Policy “Minimum Password Length” is configured with greater than 14 characters.

See details >		OS Build 14393.2639

November 27, 2018
KB4467684		Mitigated
April 25, 2019
02:00 PM PT
Issue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.

See details >		OS Build 14393.2848

March 12, 2019
KB4489882		Mitigated
April 25, 2019
02:00 PM PT
SCVMM cannot enumerate and manage logical switches deployed on the host
For hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host.

See details >		OS Build 14393.2639

November 27, 2018
KB4467684		Mitigated
April 25, 2019
02:00 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

See details >		OS Build 14393.2724

January 08, 2019
KB4480961		Mitigated
April 25, 2019
02:00 PM PT
Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM
Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.

See details >		OS Build 14393.2608

November 13, 2018
KB4467691		Mitigated
February 19, 2019
10:00 AM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		OS Build 14393.2848

March 12, 2019
KB4489882		Resolved
KB4493473		April 25, 2019
02:00 PM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system will stop working and a blue screen may appear at startup.

See details >		OS Build 14393.2879

March 19, 2019
KB4489889		Resolved
KB4493470		April 09, 2019
10:00 AM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.

See details >		OS Build 14393.2724

January 08, 2019
KB4480961		Resolved
KB4493470		April 09, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

See details >		OS Build 14393.2724

January 08, 2019
KB4480961		Resolved
KB4493470		April 09, 2019
10:00 AM PT
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >		OS Build 14393.2791

February 12, 2019
KB4487026		Resolved
KB4493470		April 09, 2019
10:00 AM PT
" @@ -81,6 +78,15 @@ sections:
" +- title: May 2019 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update.

Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May.

Back to top		OS Build 14393.2931

April 25, 2019
KB4492241		Mitigated
Last updated:
May 10, 2019
10:35 AM PT

Opened:
May 10, 2019
10:35 AM PT
+ " + - title: April 2019 - items: - type: markdown @@ -98,16 +104,6 @@ sections:
Issue using PXE to start a device from WDS
After installing KB4489882, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:
Open an Administrator Command prompt and type the following:
Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:
Use the Windows Deployment Services UI to make the following adjustment:
  1. Open Windows Deployment Services from Windows Administrative Tools.
  2. Expand Servers and right-click a WDS server.
  3. Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.
Option 3:
Set the following registry value to 0:
HKLM\\System\\CurrentControlSet\\Services\\WDSServer\\Providers\\WDSTFTP\\EnableVariableWindowExtension

Restart the WDSServer service after disabling the Variable Window Extension.

Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 14393.2848

March 12, 2019
KB4489882		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
March 12, 2019
10:00 AM PT
Custom URI schemes may not start corresponding application
After installing KB4489882, Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer.

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4493473

Back to top		OS Build 14393.2848

March 12, 2019
KB4489882		Resolved
KB4493473		Resolved:
April 25, 2019
02:00 PM PT

Opened:
March 12, 2019
10:00 AM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system will stop working and a blue screen may appear at startup. This is not a common setting in non-Asian regions.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016
Resolution: This issue was resolved in KB4493470.

Back to top		OS Build 14393.2879

March 19, 2019
KB4489889		Resolved
KB4493470		Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 19, 2019
10:00 AM PT
- " - -- title: February 2019 -- items: - - type: markdown - text: " - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
 
For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
 
Affected platforms:  
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue is resolved in KB4493470

Back to top		OS Build 14393.2791

February 12, 2019
KB4487026		Resolved
KB4493470		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
" @@ -117,8 +113,6 @@ sections: text: " - -
DetailsOriginating updateStatusHistory
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege. 

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507;  Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following:
  • Perform the operation from a process that has administrator privilege. 
  • Perform the operation from a node that doesn’t have CSV ownership.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 14393.2724

January 08, 2019
KB4480961		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
January 08, 2019
10:00 AM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
After installing KB4480961, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
  • Cache size and location show zero or empty.
  • Keyboard shortcuts may not work properly.
  • Webpages may intermittently fail to load or render correctly.
  • Issues with credential prompts.
  • Issues when downloading files.
Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: This issue was resolved in KB4493470.

Back to top		OS Build 14393.2724

January 08, 2019
KB4480961		Resolved
KB4493470		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
After installing KB4480961, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4493470.

Back to top		OS Build 14393.2724

January 08, 2019
KB4480961		Resolved
KB4493470		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-10-1703.yml b/windows/release-information/status-windows-10-1703.yml index 10d69d6cc5..c0cfa4ac36 100644 --- a/windows/release-information/status-windows-10-1703.yml +++ b/windows/release-information/status-windows-10-1703.yml @@ -60,11 +60,9 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ - - -
SummaryOriginating updateStatusLast updated
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

See details >		OS Build 15063.1771

April 25, 2019
KB4492242		Mitigated
May 10, 2019
10:35 AM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

See details >		OS Build 15063.1563

January 08, 2019
KB4480973		Mitigated
April 25, 2019
02:00 PM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		OS Build 15063.1689

March 12, 2019
KB4489871		Resolved
KB4493436		April 25, 2019
02:00 PM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup.

See details >		OS Build 15063.1716

March 19, 2019
KB4489888		Resolved
KB4493474		April 09, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

See details >		OS Build 15063.1563

January 08, 2019
KB4480973		Resolved
KB4493474		April 09, 2019
10:00 AM PT
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >		OS Build 15063.1631

February 12, 2019
KB4487020		Resolved
KB4493474		April 09, 2019
10:00 AM PT
" @@ -75,22 +73,21 @@ sections:
" +- title: May 2019 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update.

Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May.

Back to top		OS Build 15063.1771

April 25, 2019
KB4492242		Mitigated
Last updated:
May 10, 2019
10:35 AM PT

Opened:
May 10, 2019
10:35 AM PT
+ " + - title: March 2019 - items: - type: markdown text: " - -
DetailsOriginating updateStatusHistory
Custom URI schemes may not start corresponding application
After installing KB4489871, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4493436

Back to top		OS Build 15063.1689

March 12, 2019
KB4489871		Resolved
KB4493436		Resolved:
April 25, 2019
02:00 PM PT

Opened:
March 12, 2019
10:00 AM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup. This is not a common setting in non-Asian regions.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016
Resolution: This issue was resolved in KB4493474.

Back to top		OS Build 15063.1716

March 19, 2019
KB4489888		Resolved
KB4493474		Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 19, 2019
10:00 AM PT
- " - -- title: February 2019 -- items: - - type: markdown - text: " - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
 
For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
 
Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue is resolved in KB4493474

Back to top		OS Build 15063.1631

February 12, 2019
KB4487020		Resolved
KB4493474		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
" @@ -100,6 +97,5 @@ sections: text: " -
DetailsOriginating updateStatusHistory
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege. 

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following: 
  • Perform the operation from a process that has administrator privilege. 
  • Perform the operation from a node that doesn’t have CSV ownership. 
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 15063.1563

January 08, 2019
KB4480973		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
January 08, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
After installing KB4480973, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4493474.

Back to top		OS Build 15063.1563

January 08, 2019
KB4480973		Resolved
KB4493474		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-10-1709.yml b/windows/release-information/status-windows-10-1709.yml index abdaf311b0..2618d42ebf 100644 --- a/windows/release-information/status-windows-10-1709.yml +++ b/windows/release-information/status-windows-10-1709.yml @@ -61,12 +61,9 @@ sections: text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ - - - -
SummaryOriginating updateStatusLast updated
Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.

See details >		OS Build 16299.1127

April 25, 2019
KB4493440		Investigating
April 25, 2019
02:00 PM PT
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

See details >		OS Build 16299.1111

April 25, 2019
KB4492243		Mitigated
May 10, 2019
10:35 AM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

See details >		OS Build 16299.904

January 08, 2019
KB4480978		Mitigated
April 25, 2019
02:00 PM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		OS Build 16299.1029

March 12, 2019
KB4489886		Resolved
KB4493440		April 25, 2019
02:00 PM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup.

See details >		OS Build 16299.1059

March 19, 2019
KB4489890		Resolved
KB4493441		April 09, 2019
10:00 AM PT
MSXML6 causes applications to stop responding if an exception was thrown
MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

See details >		OS Build 16299.904

January 08, 2019
KB4480978		Resolved
KB4493441		April 09, 2019
10:00 AM PT
Stop error when attempting to start SSH from WSL
A stop error occurs when attempting to start Secure Shell from Windows Subsystem for Linux with agent forwarding using a command line switch (ssh –A) or a configuration setting.

See details >		OS Build 16299.1029

March 12, 2019
KB4489886		Resolved
KB4493441		April 09, 2019
10:00 AM PT
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >		OS Build 16299.967

February 12, 2019
KB4486996		Resolved
KB4493441		April 09, 2019
10:00 AM PT
" @@ -77,6 +74,15 @@ sections:
" +- title: May 2019 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update.

Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May.

Back to top		OS Build 16299.1111

April 25, 2019
KB4492243		Mitigated
Last updated:
May 10, 2019
10:35 AM PT

Opened:
May 10, 2019
10:35 AM PT
+ " + - title: April 2019 - items: - type: markdown @@ -92,17 +98,6 @@ sections: text: " - - -
DetailsOriginating updateStatusHistory
Custom URI schemes may not start corresponding application
After installing KB4489886, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4493440

Back to top		OS Build 16299.1029

March 12, 2019
KB4489886		Resolved
KB4493440		Resolved:
April 25, 2019
02:00 PM PT

Opened:
March 12, 2019
10:00 AM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup. This is not a common setting in non-Asian regions.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016
Resolution: This issue is resolved in KB4493441.

Back to top		OS Build 16299.1059

March 19, 2019
KB4489890		Resolved
KB4493441		Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 19, 2019
10:00 AM PT
Stop error when attempting to start SSH from WSL
After applying KB4489886, a stop error occurs when attempting to start the Secure Shell (SSH) client program from Windows Subsystem for Linux (WSL) with agent forwarding enabled using a command line switch (ssh –A) or a configuration setting.

Affected platforms:
  • Client: Windows 10, version 1803; Windows 10, version 1709
  • Server: Windows Server, version 1803; Windows Server, version 1709
Resolution: This issue is resolved in KB4493441.

Back to top		OS Build 16299.1029

March 12, 2019
KB4489886		Resolved
KB4493441		Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 12, 2019
10:00 AM PT
- " - -- title: February 2019 -- items: - - type: markdown - text: " - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
 
For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
 
Affected platforms:  
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue is resolved in KB4493441

Back to top		OS Build 16299.967

February 12, 2019
KB4486996		Resolved
KB4493441		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
" @@ -112,6 +107,5 @@ sections: text: " -
DetailsOriginating updateStatusHistory
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege. 

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following:
  • Perform the operation from a process that has administrator privilege. 
  • Perform the operation from a node that doesn’t have CSV ownership. 
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 16299.904

January 08, 2019
KB4480978		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
January 08, 2019
10:00 AM PT
MSXML6 causes applications to stop responding if an exception was thrown
After installing KB4480978, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue is resolved in KB4493441.

Back to top		OS Build 16299.904

January 08, 2019
KB4480978		Resolved
KB4493441		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml index 3e58d9c048..9fea9cbeb3 100644 --- a/windows/release-information/status-windows-10-1803.yml +++ b/windows/release-information/status-windows-10-1803.yml @@ -61,14 +61,10 @@ sections: text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ - - - - -
SummaryOriginating updateStatusLast updated
Zone transfers over TCP may fail
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.

See details >		OS Build 17134.753

April 25, 2019
KB4493437		Investigating
April 25, 2019
02:00 PM PT
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

See details >		OS Build 17134.730

April 25, 2019
KB4492245		Mitigated
May 10, 2019
10:35 AM PT
Issue using PXE to start a device from WDS
Using PXE to start a device from a WDS server configured to use Variable Window Extension may cause the connection to the WDS server to terminate prematurely.

See details >		OS Build 17134.648

March 12, 2019
KB4489868		Mitigated
April 25, 2019
02:00 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

See details >		OS Build 17134.523

January 08, 2019
KB4480966		Mitigated
April 25, 2019
02:00 PM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		OS Build 17134.648

March 12, 2019
KB4489868		Resolved
KB4493437		April 25, 2019
02:00 PM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup.

See details >		OS Build 17134.677

March 19, 2019
KB4489894		Resolved
KB4493464		April 09, 2019
10:00 AM PT
First character of the Japanese era name not recognized
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

See details >		OS Build 17134.556

January 15, 2019
KB4480976		Resolved
KB4487029		April 09, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

See details >		OS Build 17134.523

January 08, 2019
KB4480966		Resolved
KB4493464		April 09, 2019
10:00 AM PT
Stop error when attempting to start SSH from WSL
A stop error occurs when attempting to start Secure Shell from Windows Subsystem for Linux with agent forwarding using a command line switch (ssh –A) or a configuration setting.

See details >		OS Build 17134.648

March 12, 2019
KB4489868		Resolved
KB4493464		April 09, 2019
10:00 AM PT
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >		OS Build 17134.590

February 12, 2019
KB4487017		Resolved
KB4493464		April 09, 2019
10:00 AM PT
" @@ -79,6 +75,15 @@ sections:
" +- title: May 2019 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update.

Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May.

Back to top		OS Build 17134.730

April 25, 2019
KB4492245		Mitigated
Last updated:
May 10, 2019
10:35 AM PT

Opened:
May 10, 2019
10:35 AM PT
+ " + - title: April 2019 - items: - type: markdown @@ -96,17 +101,6 @@ sections:
Issue using PXE to start a device from WDS
After installing KB4489868, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension. 

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1: 
Open an Administrator Command prompt and type the following:  
Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

 Option 2: 
Use the Windows Deployment Services UI to make the following adjustment:  
  1. Open Windows Deployment Services from Windows Administrative Tools. 
  2. Expand Servers and right-click a WDS server. 
  3. Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.  
Option 3: 
Set the following registry value to 0:
HKLM\\System\\CurrentControlSet\\Services\\WDSServer\\Providers\\WDSTFTP\\EnableVariableWindowExtension  

Restart the WDSServer service after disabling the Variable Window Extension. 
 
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release. 

Back to topOS Build 17134.648

March 12, 2019
KB4489868Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
March 12, 2019
10:00 AM PT
Custom URI schemes may not start corresponding application
After installing KB4489868, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer. 

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4493437

Back to topOS Build 17134.648

March 12, 2019
KB4489868Resolved
KB4493437Resolved:
April 25, 2019
02:00 PM PT

Opened:
March 12, 2019
10:00 AM PT -
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup. This is not a common setting in non-Asian regions. 

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016
Resolution: This issue was resolved in KB4493464

Back to topOS Build 17134.677

March 19, 2019
KB4489894Resolved
KB4493464Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 19, 2019
10:00 AM PT -
Stop error when attempting to start SSH from WSL
After applying KB4489868, a stop error occurs when attempting to start the Secure Shell (SSH) client program from Windows Subsystem for Linux (WSL) with agent forwarding enabled using a command line switch (ssh -A) or a configuration setting.

Affected platforms:
  • Client: Windows 10, version 1803; Windows 10, version 1709
  • Server: Windows Server, version 1803; Windows Server, version 1709
Resolution: This issue was resolved in KB4493464.

Back to topOS Build 17134.648

March 12, 2019
KB4489868Resolved
KB4493464Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 12, 2019
10:00 AM PT - - " - -- title: February 2019 -- items: - - type: markdown - text: " - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
 
For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
 
Affected platforms:  
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue is resolved in KB4493464

Back to top		OS Build 17134.590

February 12, 2019
KB4487017		Resolved
KB4493464		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
" @@ -116,7 +110,5 @@ sections: text: " - -
DetailsOriginating updateStatusHistory
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following:
  • Perform the operation from a process that has administrator privilege. 
  • Perform the operation from a node that doesn’t have CSV ownership. 
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17134.523

January 08, 2019
KB4480966		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
January 08, 2019
10:00 AM PT
First character of the Japanese era name not recognized
After installing KB4480976, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4487029

Back to top		OS Build 17134.556

January 15, 2019
KB4480976		Resolved
KB4487029		Resolved:
February 19, 2019
02:00 PM PT

Opened:
January 08, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
After installing KB4480966, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4493464

Back to top		OS Build 17134.523

January 08, 2019
KB4480966		Resolved
KB4493464		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml index 2b50998415..afb53b80c9 100644 --- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml @@ -65,6 +65,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ @@ -73,10 +74,6 @@ sections: - - - -
SummaryOriginating updateStatusLast updated
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

See details >		OS Build 17763.475

May 03, 2019
KB4495667		Mitigated
May 10, 2019
10:35 AM PT
Devices with some Asian language packs installed may receive an error
After installing the KB4493509 devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_F

See details >		OS Build 17763.437

April 09, 2019
KB4493509		Mitigated
May 03, 2019
10:59 AM PT
Printing from Microsoft Edge or other UWP apps, you may receive the error 0x80070007
Attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications, you may receive an error.

See details >		OS Build 17763.379

March 12, 2019
KB4489899		Mitigated
May 02, 2019
04:47 PM PT
Issue using PXE to start a device from WDS
Using PXE to start a device from a WDS server configured to use Variable Window Extension may cause the connection to the WDS server to terminate prematurely.

See details >		OS Build 17763.379

March 12, 2019
KB4489899		Mitigated
April 09, 2019
10:00 AM PT
Latest cumulative update (KB 4495667) installs automatically
Reports that the optional cumulative update (KB 4495667) installs automatically.

See details >		OS Build 17763.475

May 03, 2019
KB4495667		Resolved
May 08, 2019
03:37 PM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
After further investigation ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809

See details >		OS Build 17763.437

April 09, 2019
KB4493509		Resolved
May 08, 2019
03:30 PM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		OS Build 17763.379

March 12, 2019
KB4489899		Resolved
KB4495667		May 03, 2019
12:40 PM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup.

See details >		OS Build 17763.404

April 02, 2019
KB4490481		Resolved
KB4493509		April 09, 2019
10:00 AM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.

See details >		OS Build 17763.253

January 08, 2019
KB4480116		Resolved
KB4493509		April 09, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

See details >		OS Build 17763.253

January 08, 2019
KB4480116		Resolved
KB4493509		April 09, 2019
10:00 AM PT
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >		OS Build 17763.316

February 12, 2019
KB4487044		Resolved
KB4493509		April 09, 2019
10:00 AM PT
" @@ -92,6 +89,7 @@ sections: - type: markdown text: " + @@ -104,7 +102,6 @@ sections: text: "
DetailsOriginating updateStatusHistory
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update.

Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May.

Back to top		OS Build 17763.475

May 03, 2019
KB4495667		Mitigated
Last updated:
May 10, 2019
10:35 AM PT

Opened:
May 10, 2019
10:35 AM PT
Devices with some Asian language packs installed may receive an error
After installing the April 2019 Cumulative Update (KB4493509), devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Workaround:
  1. Uninstall and reinstall any recently added language packs. For instructions, see \"Manage the input and display language settings in Windows 10\".
  2. Click Check for Updates and install the April 2019 Cumulative Update. For instructions, see \"Update Windows 10\".
Note: If reinstalling the language pack does not mitigate the issue, reset your PC as follows:
  1. Go to Settings app -> Recovery.
  2. Click on Get Started under \"Reset this PC\" recovery option.
  3. Select \"Keep my Files\".
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17763.437

April 09, 2019
KB4493509		Mitigated
Last updated:
May 03, 2019
10:59 AM PT

Opened:
May 02, 2019
04:36 PM PT
Printing from Microsoft Edge or other UWP apps, you may receive the error 0x80070007
When attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications you may receive the error, \"Your printer has experienced an unexpected configuration problem. 0x80070007e.\"
 
Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Workaround: You can use another browser, such as Internet Explorer to print your documents.
 
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17763.379

March 12, 2019
KB4489899		Mitigated
Last updated:
May 02, 2019
04:47 PM PT

Opened:
May 02, 2019
04:47 PM PT
Latest cumulative update (KB 4495667) installs automatically
Due to a servicing side issue some users were offered KB4495667 (optional update) automatically and rebooted devices. This issue has been mitigated.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Resolution:: This issue has been mitigated on the servicing side to prevent auto installing of this update. Customers do not need to take any action.

Back to top		OS Build 17763.475

May 03, 2019
KB4495667		Resolved
Resolved:
May 08, 2019
03:37 PM PT

Opened:
May 05, 2019
12:01 PM PT
-
DetailsOriginating updateStatusHistory
System may be unresponsive after restart if ArcaBit antivirus software installed
ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809 (client or server).

Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart.

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: ArcaBit has released an update to address this issue for affected platforms. For more information, see the ArcaBit support article.

Resolution: This issue has been resolved. ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809 (client or server).

Back to top		OS Build 17763.437

April 09, 2019
KB4493509		Resolved
Resolved:
May 08, 2019
03:30 PM PT

Opened:
April 09, 2019
10:00 AM PT
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system will stop working and a blue screen may appear at startup. This is not a common setting in non-Asian regions.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016
Resolution: This issue was resolved in KB4493509.

Back to top		OS Build 17763.404

April 02, 2019
KB4490481		Resolved
KB4493509		Resolved:
April 09, 2019
10:00 AM PT

Opened:
April 02, 2019
10:00 AM PT
" @@ -119,23 +116,12 @@ sections: " -- title: February 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
 
For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
 
Affected platforms:  
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1  
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2  
Resolution: This issue is resolved in KB4493509.  

Back to top		OS Build 17763.316

February 12, 2019
KB4487044		Resolved
KB4493509		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
- " - - title: January 2019 - items: - type: markdown text: " - -
DetailsOriginating updateStatusHistory
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege. 

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following:  
  • Perform the operation from a process that has administrator privilege. 
  • Perform the operation from a node that doesn’t have CSV ownership. 
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17763.253

January 08, 2019
KB4480116		Mitigated
Last updated:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
After installing KB4480116, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to: 
  • Cache size and location show zero or empty. 
  • Keyboard shortcuts may not work properly. 
  • Webpages may intermittently fail to load or render correctly. 
  • Issues with credential prompts. 
  • Issues when downloading files. 
Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: This issue was resolved in KB4493509

Back to top		OS Build 17763.253

January 08, 2019
KB4480116		Resolved
KB4493509		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
After installing KB4480116, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
 
The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings. 

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4493509

Back to top		OS Build 17763.253

January 08, 2019
KB4480116		Resolved
KB4493509		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml index ef1b22e4bf..0ce3cb79c0 100644 --- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml +++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml @@ -60,16 +60,13 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ - - - -
SummaryOriginating updateStatusLast updated
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

See details >		April 25, 2019
KB4493453		Mitigated
May 10, 2019
10:35 AM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493472		Mitigated
May 08, 2019
03:29 PM PT
System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493472		Mitigated
May 03, 2019
08:50 AM PT
Authentication may fail for services after the Kerberos ticket expires
Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires.

See details >		March 12, 2019
KB4489878		Mitigated
April 25, 2019
02:00 PM PT
System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.

See details >		April 09, 2019
KB4493472		Mitigated
April 25, 2019
02:00 PM PT
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

See details >		April 09, 2019
KB4493472		Mitigated
April 25, 2019
02:00 PM PT
Devices may not respond at login or Welcome screen if running certain Avast software
Devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software may become unresponsive after restart.

See details >		April 09, 2019
KB4493472		Resolved
April 25, 2019
02:00 PM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.

See details >		January 08, 2019
KB4480970		Resolved
KB4493472		April 09, 2019
10:00 AM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		March 12, 2019
KB4489878		Resolved
KB4493472		April 09, 2019
10:00 AM PT
NETDOM.EXE fails to run
NETDOM.EXE fails to run and the error, “The command failed to complete successfully.” appears on screen.

See details >		March 12, 2019
KB4489878		Resolved
KB4493472		April 09, 2019
10:00 AM PT
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >		February 12, 2019
KB4486563		Resolved
KB4493472		April 09, 2019
10:00 AM PT
" @@ -80,6 +77,15 @@ sections:
" +- title: May 2019 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update.

Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May.

Back to top		April 25, 2019
KB4493453		Mitigated
Last updated:
May 10, 2019
10:35 AM PT

Opened:
May 10, 2019
10:35 AM PT
+ " + - title: April 2019 - items: - type: markdown @@ -99,25 +105,5 @@ sections: text: " - - -
DetailsOriginating updateStatusHistory
Authentication may fail for services after the Kerberos ticket expires
After installing KB4489878, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires (the default is 10 hours). For example, the SQL server service fails.

Affected platforms: 
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Workaround: To mitigate this issue, use one of the following options:
  • Option 1: Purge the Kerberos tickets on the application server. After the Kerberos ticket expires, the issue will occur again, and you must purge the tickets again.
  • Option 2: If purging does not mitigate the issue, restart the application; for example, restart the Internet Information Services (IIS) app pool associated with the SQL server.
  • Option 3: Use constrained delegation.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		March 12, 2019
KB4489878		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
March 12, 2019
10:00 AM PT
Custom URI schemes may not start corresponding application
After installing KB4489878, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites on Internet Explorer.

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1 
Resolution: This issue is resolved in KB4493472.

Back to top		March 12, 2019
KB4489878		Resolved
KB4493472		Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 12, 2019
10:00 AM PT
NETDOM.EXE fails to run
After installing KB4489878, NETDOM.EXE fails to run, and the on-screen error, “The command failed to complete successfully.” appears.

Affected platforms: 
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4493472.

Back to top		March 12, 2019
KB4489878		Resolved
KB4493472		Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 12, 2019
10:00 AM PT
- " - -- title: February 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
 
For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
 
Affected platforms:  
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue is resolved in KB4493472

Back to top		February 12, 2019
KB4486563		Resolved
KB4493472		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
- " - -- title: January 2019 -- items: - - type: markdown - text: " - -
DetailsOriginating updateStatusHistory
Internet Explorer 11 authentication issue with multiple concurrent logons
After installing KB4480970, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
  • Cache size and location show zero or empty.
  • Keyboard shortcuts may not work properly.
  • Webpages may intermittently fail to load or render correctly.
  • Issues with credential prompts.
  • Issues when downloading files.
Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4493472.

Back to top		January 08, 2019
KB4480970		Resolved
KB4493472		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml index e159932ae6..a16b0e0d20 100644 --- a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml +++ b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ @@ -67,10 +68,6 @@ sections: - - - -
SummaryOriginating updateStatusLast updated
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

See details >		April 25, 2019
KB4493443		Mitigated
May 10, 2019
10:35 AM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493446		Mitigated
May 08, 2019
03:29 PM PT
System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493446		Mitigated
May 03, 2019
08:50 AM PT
Issue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.

See details >		March 12, 2019
KB4489881		Mitigated
April 25, 2019
02:00 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.

See details >		January 08, 2019
KB4480963		Mitigated
April 25, 2019
02:00 PM PT
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

See details >		April 09, 2019
KB4493446		Mitigated
April 18, 2019
05:00 PM PT
Devices may not respond at login or Welcome screen if running certain Avast software
Devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software may become unresponsive after restart.

See details >		April 09, 2019
KB4493446		Resolved
April 25, 2019
02:00 PM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.

See details >		January 08, 2019
KB4480963		Resolved
KB4493446		April 09, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding.
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

See details >		January 08, 2019
KB4480963		Resolved
KB4493446		April 09, 2019
10:00 AM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		March 12, 2019
KB4489881		Resolved
KB4493446		April 09, 2019
10:00 AM PT
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >		February 12, 2019
KB4487000		Resolved
KB4493446		April 09, 2019
10:00 AM PT
" @@ -81,6 +78,15 @@ sections:
" +- title: May 2019 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update.

Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May.

Back to top		April 25, 2019
KB4493443		Mitigated
Last updated:
May 10, 2019
10:35 AM PT

Opened:
May 10, 2019
10:35 AM PT
+ " + - title: April 2019 - items: - type: markdown @@ -101,16 +107,6 @@ sections: - -
DetailsOriginating updateStatusHistory
Issue using PXE to start a device from WDS
After installing KB4489881, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012 
Workaround: To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:
Open an Administrator Command prompt and type the following:
Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:
Use the Windows Deployment Services UI to make the following adjustment:
  1. Open Windows Deployment Services from Windows Administrative Tools.
  2. Expand Servers and right-click a WDS server.
  3. Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.
Option 3:
Set the following registry value to 0:
HKLM\\System\\CurrentControlSet\\Services\\WDSServer\\Providers\\WDSTFTP\\EnableVariableWindowExtension

Restart the WDSServer service after disabling the Variable Window Extension.

Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		March 12, 2019
KB4489881		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
March 12, 2019
10:00 AM PT
Custom URI schemes may not start corresponding application
After installing KB4489881, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer.

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1 
Resolution: This issue is resolved in KB4493446.

Back to top		March 12, 2019
KB4489881		Resolved
KB4493446		Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 12, 2019
10:00 AM PT
- " - -- title: February 2019 -- items: - - type: markdown - text: " - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color.

Affected platforms 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue is resolved in KB4493446.

Back to top		February 12, 2019
KB4487000		Resolved
KB4493446		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
" @@ -120,7 +116,5 @@ sections: text: " - -
DetailsOriginating updateStatusHistory
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following:
  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		January 08, 2019
KB4480963		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
January 08, 2019
10:00 AM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
After installing KB4480963, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
  • Cache size and location show zero or empty.
  • Keyboard shortcuts may not work properly.
  • Webpages may intermittently fail to load or render correctly.
  • Issues with credential prompts.
  • Issues when downloading files.
Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4493446.

Back to top		January 08, 2019
KB4480963		Resolved
KB4493446		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding.
After installing KB4480963, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue is resolved in KB4493446.

Back to top		January 08, 2019
KB4480963		Resolved
KB4493446		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-server-2008-sp2.yml b/windows/release-information/status-windows-server-2008-sp2.yml index 102f665769..689abfde38 100644 --- a/windows/release-information/status-windows-server-2008-sp2.yml +++ b/windows/release-information/status-windows-server-2008-sp2.yml @@ -63,8 +63,6 @@ sections:
System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.

See details >April 09, 2019
KB4493471Mitigated
May 03, 2019
08:51 AM PT
System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.

See details >April 09, 2019
KB4493471Mitigated
April 25, 2019
02:00 PM PT
Authentication may fail for services after the Kerberos ticket expires
Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires.

See details >March 12, 2019
KB4489880Mitigated
April 25, 2019
02:00 PM PT -
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >February 12, 2019
KB4487023Resolved
KB4493471April 09, 2019
10:00 AM PT -
NETDOM.EXE fails to run
NETDOM.EXE fails to run and the error, “The command failed to complete successfully.” appears on screen.

See details >March 12, 2019
KB4489880Resolved
KB4493471April 09, 2019
10:00 AM PT " @@ -91,15 +89,5 @@ sections: text: " - -
DetailsOriginating updateStatusHistory
Authentication may fail for services after the Kerberos ticket expires
After installing KB4489880, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires (the default is 10 hours). For example, the SQL server service fails.

Affected platforms: 
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Workaround: To mitigate this issue, use one of the following options:
  • Option 1: Purge the Kerberos tickets on the application server. After the Kerberos ticket expires, the issue will occur again, and you must purge the tickets again.
  • Option 2: If purging does not mitigate the issue, restart the application; for example, restart the Internet Information Services (IIS) app pool associated with the SQL server.
  • Option 3: Use constrained delegation.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		March 12, 2019
KB4489880		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
March 12, 2019
10:00 AM PT
NETDOM.EXE fails to run
After installing KB4489880, NETDOM.EXE fails to run, and the on-screen error, “The command failed to complete successfully.” appears.

Affected platforms: 
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4493471.

Back to top		March 12, 2019
KB4489880		Resolved
KB4493471		Resolved:
April 09, 2019
10:00 AM PT

Opened:
March 12, 2019
10:00 AM PT
- " - -- title: February 2019 -- items: - - type: markdown - text: " - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color.

Affected platforms 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4493471.

Back to top		February 12, 2019
KB4487023		Resolved
KB4493471		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-server-2012.yml b/windows/release-information/status-windows-server-2012.yml index 831a726f86..be5f206c02 100644 --- a/windows/release-information/status-windows-server-2012.yml +++ b/windows/release-information/status-windows-server-2012.yml @@ -60,13 +60,11 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ - - -
SummaryOriginating updateStatusLast updated
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

See details >		April 25, 2019
KB4493462		Mitigated
May 10, 2019
10:35 AM PT
System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493451		Mitigated
May 03, 2019
08:51 AM PT
Issue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.

See details >		March 12, 2019
KB4489891		Mitigated
April 25, 2019
02:00 PM PT
System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.

See details >		April 09, 2019
KB4493451		Mitigated
April 25, 2019
02:00 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.

See details >		January 08, 2019
KB4480975		Mitigated
April 25, 2019
02:00 PM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.

See details >		January 08, 2019
KB4480975		Resolved
KB4493451		April 09, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

See details >		January 08, 2019
KB4480975		Resolved
KB4493451		April 09, 2019
10:00 AM PT
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >		February 12, 2019
KB4487025		Resolved
KB4493451		April 09, 2019
10:00 AM PT
" @@ -77,6 +75,15 @@ sections:
" +- title: May 2019 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
Layout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update.

Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May.

Back to top		April 25, 2019
KB4493462		Mitigated
Last updated:
May 10, 2019
10:35 AM PT

Opened:
May 10, 2019
10:35 AM PT
+ " + - title: April 2019 - items: - type: markdown @@ -97,22 +104,11 @@ sections: " -- title: February 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color.

Affected platforms 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue is resolved in KB4493451.

Back to top		February 12, 2019
KB4487025		Resolved
KB4493451		Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
- " - - title: January 2019 - items: - type: markdown text: " - -
DetailsOriginating updateStatusHistory
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following:
  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

Back to top		January 08, 2019
KB4480975		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
January 08, 2019
10:00 AM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
After installing KB4480975, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
  • Cache size and location show zero or empty.
  • Keyboard shortcuts may not work properly.
  • Webpages may intermittently fail to load or render correctly.
  • Issues with credential prompts.
  • Issues when downloading files.
Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4493451.

Back to top		January 08, 2019
KB4480975		Resolved
KB4493451		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
After installing KB4480975, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue is resolved in KB4493451.

Back to top		January 08, 2019
KB4480975		Resolved
KB4493451		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml index 2a4ba41456..64f62b302e 100644 --- a/windows/release-information/windows-message-center.yml +++ b/windows/release-information/windows-message-center.yml @@ -50,6 +50,13 @@ sections: text: " + - +

/ui:<ComputerName>\\<LocalUserName>

@@ -500,17 +500,17 @@ By default, all users are migrated. The only way to specify which users to inclu

  • /uel:2002/1/15 migrates users who have logged on or been modified January 15, 2002 or afterwards.

    • For example:

    -

    scanstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /uel:0

    +

    scanstate /i:migapp.xml /i:migdocs.xml \\\server\share\migration\mystore /uel:0

    - +

    /ue:<ComputerName>\\<LocalUserName>

    +

    scanstate /i:migdocs.xml /i:migapp.xml \\\server\share\migration\mystore /ue:contoso\user1

    MessageDate
    Reminder: Windows 10 update servicing cadence
    This month we received questions about the cadence of updates we released in April and May 2019. Here's a quick recap of our releases and servicing cadence:
    +
      +
    • April 9, 2019 was the regular Update Tuesday release for all versions of Windows.
      • +
    • May 1, 2019 was an \"optional\" out of band update (OOB), non-security update for Windows 10, version 1809. It was released to Microsoft Catalog and WSUS, providing a critical fix for our OEM partners.
      • +
    • May 3, 2019 was the \"optional\" Windows 10, version 1809 \"C\" release for April. This update contained important Japanese era packages for commercial customers to preview. It was released later than expected and mistakenly targeted as \"required\" (instead of \"optional\") for consumers, which pushed the update out to customers and required a reboot. Within 24 hours of receiving customer reports, we corrected the targeting logic and mitigated the issue.
      • +
    + For more information about the Windows 10 update servicing cadence, please see the Window IT Pro blog.
    		May 10, 2019
    10:00 AM PT
    Take action: Install servicing stack update for Windows Server 2008 SP2 for SHA-2 code sign support
    A standalone update, KB4493730, that introduce SHA-2 code sign support for the servicing stack (SSU) was released today as a security update.    		April 19, 2019
    10:00 AM PT
    The benefits of Windows 10 Dynamic Update
    Dynamic Update can help organizations and end users alike ensure that their Windows 10 devices have the latest feature update content (as part of an in-place upgrade)—and preserve precious features on demand (FODs) and language packs (LPs) that may have been previously installed.

    From 774a98767c45c9edaf490cd3ef55e6d0ab648518 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 10 May 2019 15:38:34 -0700 Subject: [PATCH 370/492] Added 19H1 policy --- .../policy-configuration-service-provider.md | 4 ++ .../mdm/policy-csp-experience.md | 72 +++++++++++++++++++ 2 files changed, 76 insertions(+) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 4913c03360..8c6acf42f8 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1262,6 +1262,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    Experience/PreventUsersFromTurningOnBrowserSyncing
    +
    + Experience/ShowLockOnUserTile +
    ### ExploitGuard policies @@ -4369,6 +4372,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [Experience/DoNotShowFeedbackNotifications](./policy-csp-experience.md#experience-donotshowfeedbacknotifications) - [Experience/DoNotSyncBrowserSettings](./policy-csp-experience.md#experience-donotsyncbrowsersetting) - [Experience/PreventUsersFromTurningOnBrowserSyncing](./policy-csp-experience.md#experience-preventusersfromturningonbrowsersyncing) +- [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile) - [ExploitGuard/ExploitProtectionSettings](./policy-csp-exploitguard.md#exploitguard-exploitprotectionsettings) - [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer) - [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption) diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index c0d7b7cad4..cbc286da97 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -96,6 +96,9 @@ ms.date: 05/01/2019
    Experience/PreventUsersFromTurningOnBrowserSyncing
    +
    + Experience/ShowLockOnUserTile +
    @@ -1569,6 +1572,75 @@ Validation procedure: +
    + + +**Experience/ShowLockOnUserTile** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcheck mark6check mark6check mark6
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Shows or hides lock from the user tile menu. + +If you enable this policy setting, the lock option is shown in the User Tile menu. + +If you disable this policy setting, the lock option is never shown in the User Tile menu. + +If you do not configure this policy setting, the lock option is shown in the User Tile menu. Users can choose if they want to show the lock in the user tile menu from the Power Options control panel. + + + +ADMX Info: +- GP English name: *Show lock in the user tile menu* +- GP name: *ShowLockOption* +- GP path: *File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +Supported values: +- false (default) - The lock option is not displayed in the User Tile menu. +- true - The lock option is displayed in the User Tile menu. + + + + + + + + + + From 3f8aed8f7b7117226619b32b71b2f35501014996 Mon Sep 17 00:00:00 2001 From: Jose Ortega Date: Sat, 11 May 2019 03:22:18 -0500 Subject: [PATCH 371/492] added note for #874 --- ...ndows-operating-system-components-to-microsoft-services.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 58d06760a9..c669ded36f 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -768,7 +768,9 @@ To remove the News app: - Right-click the app in Start, and then click **Uninstall**. -or- - +>[!IMPORTANT] +> If you have any issue with this commands, go ahead a do a system reboot,and try the scripts again. +> - Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** -and- From 7c2b0b98bdea9032629c8f45266e5f5bb13a4fe9 Mon Sep 17 00:00:00 2001 From: illfated Date: Sat, 27 Apr 2019 06:45:36 +0200 Subject: [PATCH 372/492] USMT ScanState Syntax: hidden unescaped characters Asterisks, backslashes or combinations of asterisk and backslash need to be escaped for the character to migrate properly to the docs.microsoft.com site as visible text in HTML. Github shows the characters well enough, but the migration process does not seem to keep the special characters through the MarkDown-to-HTML conversion. In this PR, I have made a "best effort" attempt to resolve the missing or malformed command examples in the "USMT ScanState Syntax" page. Closes #2388 --- .../deployment/usmt/usmt-scanstate-syntax.md | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md index 3090160049..67c879d27a 100644 --- a/windows/deployment/usmt/usmt-scanstate-syntax.md +++ b/windows/deployment/usmt/usmt-scanstate-syntax.md @@ -455,9 +455,9 @@ By default, all users are migrated. The only way to specify which users to inclu

    USMT migrates all user accounts on the computer, unless you specifically exclude an account with either the /ue or /uel options. For this reason, you do not need to specify this option on the command line. However, if you choose to specify the /all option, you cannot also use the /ui, /ue or /uel options.

    /ui:<DomainName>\<UserName>

    +

    /ui:<DomainName>\\<UserName>

    or

    -

    /ui:<ComputerName>\<LocalUserName>

    (User include)

    Migrates the specified users. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /ue or /uel options. You can specify multiple /ui options, but you cannot use the /ui option with the /all option. DomainName and UserName can contain the asterisk (*) wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.

    @@ -469,10 +469,10 @@ By default, all users are migrated. The only way to specify which users to inclu

    For example:

      -

    • To include only User2 from the Fabrikam domain, type:

      -

      /ue:*\* /ui:fabrikam\user2

      • -

    • To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30 days, type:

      -

      /uel:30 /ui:fabrikam\*

      +

      To include only User2 from the Fabrikam domain, type:

      +

      /ue:\*\\\* /ui:fabrikam\user2

      +

      To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30 days, type:

      +

      /uel:30 /ui:fabrikam\\\*

      In this example, a user account from the Contoso domain that was last modified 2 months ago will not be migrated.

    For more examples, see the descriptions of the /ue and /ui options in this table.

    /ue:<DomainName>\<UserName>

    +

    /ue:<DomainName>\\<UserName>

    -or-

    -

    /ue:<ComputerName>\<LocalUserName>

    (User exclude)

    Excludes the specified users from the migration. You can specify multiple /ue options. You cannot use this option with the /all option. <DomainName> and <UserName> can contain the asterisk (*) wildcard character. When you specify a user name that contains spaces, you need to surround it with quotation marks.

    For example:

    -

    scanstate /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /ue:contoso\user1
    @@ -548,15 +548,15 @@ The following examples apply to both the /**ui** and /**ue** options. You can re

    Exclude all domain users.

    -

    /ue:Domain\*

    +

    /ue:Domain\\\*

    Exclude all local users.

    -

    /ue:%computername%\*

    +

    /ue:%computername%\\\*

    Exclude users in all domains named User1, User2, and so on.

    -

    /ue:*\user*

    +

    /ue:\*\user\*

    @@ -586,23 +586,23 @@ The /**uel** option takes precedence over the /**ue** option. If a user has logg

    Include only User2 from the Fabrikam domain and exclude all other users.

    -

    /ue:*\* /ui:fabrikam\user2

    +

    /ue:\*\\\* /ui:fabrikam\user2

    Include only the local user named User1 and exclude all other users.

    -

    /ue:*\* /ui:user1

    +

    /ue:\*\\\* /ui:user1

    Include only the domain users from Contoso, except Contoso\User1.

    This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following:

      -

    • On the ScanState command line, type: /ue:*\* /ui:contoso\*

      • +

    • On the ScanState command line, type: /ue:\*\\\* /ui:contoso\*

    • On the LoadState command line, type: /ue:contoso\user1

    Include only local (non-domain) users.

    -

    /ue:*\* /ui:%computername%\*

    +

    /ue:\*\\\* /ui:%computername%\\\*

    From 0c29aa345115c4123bf56a0990cc79c8ea108645 Mon Sep 17 00:00:00 2001 From: illfated Date: Sat, 27 Apr 2019 07:39:02 +0200 Subject: [PATCH 373/492] Use ASCII character codes instead of backslash - change from using backslashes as escape character to use \ as the direct character for backslash - replace asterisks with * where needed --- .../deployment/usmt/usmt-scanstate-syntax.md | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md index 67c879d27a..15e9ea1b2d 100644 --- a/windows/deployment/usmt/usmt-scanstate-syntax.md +++ b/windows/deployment/usmt/usmt-scanstate-syntax.md @@ -455,9 +455,9 @@ By default, all users are migrated. The only way to specify which users to inclu

    USMT migrates all user accounts on the computer, unless you specifically exclude an account with either the /ue or /uel options. For this reason, you do not need to specify this option on the command line. However, if you choose to specify the /all option, you cannot also use the /ui, /ue or /uel options.

    -

    /ui:<DomainName>\\<UserName>

    +

    /ui:<DomainName>\<UserName>

    or

    -

    /ui:<ComputerName>\\<LocalUserName>

    +

    /ui:<ComputerName>\<LocalUserName>

    (User include)

    Migrates the specified users. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /ue or /uel options. You can specify multiple /ui options, but you cannot use the /ui option with the /all option. DomainName and UserName can contain the asterisk (*) wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.

    @@ -470,9 +470,9 @@ By default, all users are migrated. The only way to specify which users to inclu

    For example:

      To include only User2 from the Fabrikam domain, type:

      -

      /ue:\*\\\* /ui:fabrikam\user2

      +

      /ue:*\* /ui:fabrikam\user2

      To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30 days, type:

      -

      /uel:30 /ui:fabrikam\\\*

      +

      /uel:30 /ui:fabrikam\*

      In this example, a user account from the Contoso domain that was last modified 2 months ago will not be migrated.

    For more examples, see the descriptions of the /ue and /ui options in this table.

    @@ -500,17 +500,17 @@ By default, all users are migrated. The only way to specify which users to inclu

  • /uel:2002/1/15 migrates users who have logged on or been modified January 15, 2002 or afterwards.

    • For example:

    -

    scanstate /i:migapp.xml /i:migdocs.xml \\\server\share\migration\mystore /uel:0

    +

    scanstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /uel:0

    -

    /ue:<DomainName>\\<UserName>

    +

    /ue:<DomainName>\<UserName>

    -or-

    -

    /ue:<ComputerName>\\<LocalUserName>

    +

    /ue:<ComputerName>\<LocalUserName>

    (User exclude)

    Excludes the specified users from the migration. You can specify multiple /ue options. You cannot use this option with the /all option. <DomainName> and <UserName> can contain the asterisk (*) wildcard character. When you specify a user name that contains spaces, you need to surround it with quotation marks.

    For example:

    -

    scanstate /i:migdocs.xml /i:migapp.xml \\\server\share\migration\mystore /ue:contoso\user1

    +

    scanstate /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /ue:contoso\user1

    @@ -548,15 +548,15 @@ The following examples apply to both the /**ui** and /**ue** options. You can re

    Exclude all domain users.

    -

    /ue:Domain\\\*

    +

    /ue:Domain\*

    Exclude all local users.

    -

    /ue:%computername%\\\*

    +

    /ue:%computername%\*

    Exclude users in all domains named User1, User2, and so on.

    -

    /ue:\*\user\*

    +

    /ue:*\user*

    @@ -586,23 +586,23 @@ The /**uel** option takes precedence over the /**ue** option. If a user has logg

    Include only User2 from the Fabrikam domain and exclude all other users.

    -

    /ue:\*\\\* /ui:fabrikam\user2

    +

    /ue:*\* /ui:fabrikam\user2

    Include only the local user named User1 and exclude all other users.

    -

    /ue:\*\\\* /ui:user1

    +

    /ue:*\* /ui:user1

    Include only the domain users from Contoso, except Contoso\User1.

    This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following:

      -

    • On the ScanState command line, type: /ue:\*\\\* /ui:contoso\*

      • +

    • On the ScanState command line, type: /ue:*\* /ui:contoso\*

    • On the LoadState command line, type: /ue:contoso\user1

    Include only local (non-domain) users.

    -

    /ue:\*\\\* /ui:%computername%\\\*

    +

    /ue:*\* /ui:%computername%\*

    From 4841ee484624fccc9d8d0145a51e48ab0e9046d0 Mon Sep 17 00:00:00 2001 From: illfated Date: Fri, 10 May 2019 23:38:20 +0200 Subject: [PATCH 374/492] Microsoft Accounts: small typo correction Change proposed: change the typo "a mean of identifying a user" to `a means of identifying a user` Closes #3601 --- .../identity-protection/access-control/microsoft-accounts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/access-control/microsoft-accounts.md b/windows/security/identity-protection/access-control/microsoft-accounts.md index 38c26d9546..18d956384e 100644 --- a/windows/security/identity-protection/access-control/microsoft-accounts.md +++ b/windows/security/identity-protection/access-control/microsoft-accounts.md @@ -22,7 +22,7 @@ ms.date: 10/13/2017 This topic for the IT professional explains how a Microsoft account works to enhance security and privacy for users, and how you can manage this consumer account type in your organization. -Microsoft sites, services, and properties, as well as computers running Windows 10, can use a Microsoft account as a mean of identifying a user. Microsoft account was previously called Windows Live ID. It has user-defined secrets, and consists of a unique email address and a password. +Microsoft sites, services, and properties, as well as computers running Windows 10, can use a Microsoft account as a means of identifying a user. Microsoft account was previously called Windows Live ID. It has user-defined secrets, and consists of a unique email address and a password. When a user signs in with a Microsoft account, the device is connected to cloud services. Many of the user's settings, preferences, and apps can be shared across devices. From 5b409467b1ef06aeeaaa6c6d221931236db7c141 Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Sat, 11 May 2019 14:21:14 +0200 Subject: [PATCH 375/492] Update advanced-security-audit-policy-settings.md Typo line 93 fixes https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3587 --- .../auditing/advanced-security-audit-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md index 842cb0b7bb..6ce2b1bc64 100644 --- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md @@ -90,7 +90,7 @@ Logon/Logoff security policy settings and audit events allow you to track attemp ## Object Access -Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, you must enable the appropriate object Aaccess auditing subcategory for success and/or failure events. For example, the file system subcategory needs to be enabled to audit file operations, and the Registry subcategory needs to be enabled to audit registry accesses. +Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, you must enable the appropriate Object Access auditing subcategory for success and/or failure events. For example, the file system subcategory needs to be enabled to audit file operations, and the Registry subcategory needs to be enabled to audit registry accesses. Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#global-object-access-auditing). From 4ff728b4c6f1025ad8413725522693400c7fcea9 Mon Sep 17 00:00:00 2001 From: Jose Ortega Date: Sat, 11 May 2019 12:09:40 -0500 Subject: [PATCH 376/492] @Illfated corrections --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index c669ded36f..2c21af8eba 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -769,7 +769,7 @@ To remove the News app: -or- >[!IMPORTANT] -> If you have any issue with this commands, go ahead a do a system reboot,and try the scripts again. +> If you have any issue with these commands, go ahead a do a system reboot, and try the scripts again. > - Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** From ffd29448058dc6c7a1525031b726a6ec6af15b45 Mon Sep 17 00:00:00 2001 From: "Nisha Mittal (Wipro Ltd.)" Date: Sat, 11 May 2019 11:13:14 -0700 Subject: [PATCH 377/492] Made some change in Announcement. --- windows/release-information/windows-message-center.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml index 64f62b302e..bcea3b01d7 100644 --- a/windows/release-information/windows-message-center.yml +++ b/windows/release-information/windows-message-center.yml @@ -53,7 +53,7 @@ sections: Reminder: Windows 10 update servicing cadence
    This month we received questions about the cadence of updates we released in April and May 2019. Here's a quick recap of our releases and servicing cadence:
    • April 9, 2019 was the regular Update Tuesday release for all versions of Windows.
      • -
    • May 1, 2019 was an \"optional\" out of band update (OOB), non-security update for Windows 10, version 1809. It was released to Microsoft Catalog and WSUS, providing a critical fix for our OEM partners.
      • +
    • May 1, 2019 was an \"optional,\" out of band non-security update (OOB) for Windows 10, version 1809. It was released to Microsoft Catalog and WSUS, providing a critical fix for our OEM partners.
    • May 3, 2019 was the \"optional\" Windows 10, version 1809 \"C\" release for April. This update contained important Japanese era packages for commercial customers to preview. It was released later than expected and mistakenly targeted as \"required\" (instead of \"optional\") for consumers, which pushed the update out to customers and required a reboot. Within 24 hours of receiving customer reports, we corrected the targeting logic and mitigated the issue.
    For more information about the Windows 10 update servicing cadence, please see the Window IT Pro blog.
    May 10, 2019
    10:00 AM PT From 9debc2dabe6990dd5c4e8709997902507c239de9 Mon Sep 17 00:00:00 2001 From: DocsPreview <49669258+DocsPreview@users.noreply.github.com> Date: Sat, 11 May 2019 11:51:23 -0700 Subject: [PATCH 378/492] Release info preview (#164) * Latest changes for 1809 issues * New Announcement Added * Latest Change for announcement * Updated link for japanese era content * Made some change in Announcement. --- windows/release-information/windows-message-center.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml index 64f62b302e..bcea3b01d7 100644 --- a/windows/release-information/windows-message-center.yml +++ b/windows/release-information/windows-message-center.yml @@ -53,7 +53,7 @@ sections: Reminder: Windows 10 update servicing cadence
    This month we received questions about the cadence of updates we released in April and May 2019. Here's a quick recap of our releases and servicing cadence:
    • April 9, 2019 was the regular Update Tuesday release for all versions of Windows.
      • -
    • May 1, 2019 was an \"optional\" out of band update (OOB), non-security update for Windows 10, version 1809. It was released to Microsoft Catalog and WSUS, providing a critical fix for our OEM partners.
      • +
    • May 1, 2019 was an \"optional,\" out of band non-security update (OOB) for Windows 10, version 1809. It was released to Microsoft Catalog and WSUS, providing a critical fix for our OEM partners.
    • May 3, 2019 was the \"optional\" Windows 10, version 1809 \"C\" release for April. This update contained important Japanese era packages for commercial customers to preview. It was released later than expected and mistakenly targeted as \"required\" (instead of \"optional\") for consumers, which pushed the update out to customers and required a reboot. Within 24 hours of receiving customer reports, we corrected the targeting logic and mitigated the issue.
    For more information about the Windows 10 update servicing cadence, please see the Window IT Pro blog.
    May 10, 2019
    10:00 AM PT From a7bcfabadcbf92e5d4bbd3f63c6d8ec9c4837779 Mon Sep 17 00:00:00 2001 From: DocsPreview <49669258+DocsPreview@users.noreply.github.com> Date: Sat, 11 May 2019 12:19:38 -0700 Subject: [PATCH 379/492] Release info preview (#164) (#165) * Latest changes for 1809 issues * New Announcement Added * Latest Change for announcement * Updated link for japanese era content * Made some change in Announcement. --- windows/release-information/windows-message-center.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml index 64f62b302e..bcea3b01d7 100644 --- a/windows/release-information/windows-message-center.yml +++ b/windows/release-information/windows-message-center.yml @@ -53,7 +53,7 @@ sections: Reminder: Windows 10 update servicing cadence
    This month we received questions about the cadence of updates we released in April and May 2019. Here's a quick recap of our releases and servicing cadence:
    • April 9, 2019 was the regular Update Tuesday release for all versions of Windows.
      • -
    • May 1, 2019 was an \"optional\" out of band update (OOB), non-security update for Windows 10, version 1809. It was released to Microsoft Catalog and WSUS, providing a critical fix for our OEM partners.
      • +
    • May 1, 2019 was an \"optional,\" out of band non-security update (OOB) for Windows 10, version 1809. It was released to Microsoft Catalog and WSUS, providing a critical fix for our OEM partners.
    • May 3, 2019 was the \"optional\" Windows 10, version 1809 \"C\" release for April. This update contained important Japanese era packages for commercial customers to preview. It was released later than expected and mistakenly targeted as \"required\" (instead of \"optional\") for consumers, which pushed the update out to customers and required a reboot. Within 24 hours of receiving customer reports, we corrected the targeting logic and mitigated the issue.
    For more information about the Windows 10 update servicing cadence, please see the Window IT Pro blog.
    May 10, 2019
    10:00 AM PT From 7c787e3a2c8fe1754a18470c91cc3d0669dbb033 Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Sat, 11 May 2019 14:47:53 -0500 Subject: [PATCH 380/492] More Illfated corrections :) thank you Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 2c21af8eba..67e8c2419e 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -769,7 +769,7 @@ To remove the News app: -or- >[!IMPORTANT] -> If you have any issue with these commands, go ahead a do a system reboot, and try the scripts again. +> If you have any issues with these commands, do a system reboot and try the scripts again. > - Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** From 1f9ba5ca8659274066e82e3671004cc7097608bb Mon Sep 17 00:00:00 2001 From: Jose Ortega Date: Sun, 12 May 2019 04:33:26 -0500 Subject: [PATCH 381/492] Solving issue #880 --- .../deployment/deploy-enterprise-licenses.md | 53 ++++++++++++------- 1 file changed, 33 insertions(+), 20 deletions(-) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index afc9f144c2..038c839c38 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -12,14 +12,20 @@ author: greg-lindsay ms.topic: article --- + + # Deploy Windows 10 Enterprise licenses +>[!IMPORTANT] +>Licenses E3 and E5 brings windows 10 license enterprise with them, this tutorial is special for the use and implementation of these licenses in a on-premises Active Directory environment. + + This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD). >[!NOTE] ->Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later.
    ->Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later.
    ->Automatic, non-KMS activation requires Windows 10, version 1803 or later on a device with a firmware-embedded activation key.
    +>* Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. +>* Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later. +>* Automatic, non-KMS activation requires Windows 10, version 1803 or later on a device with a firmware-embedded activation key. ## Firmware-embedded activation key @@ -35,9 +41,9 @@ If the device has a firmware-embedded activation key, it will be displayed in th If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant: -1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license:
    - a. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3
    - b. **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5
    +1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license: + a. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3 + b. **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5 2. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. 3. The admin can now assign subscription licenses to users. @@ -59,7 +65,7 @@ Also in this article: You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD. -You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. +You might ask why you need to synchronize these identities. The answer is that users will have a **single identity** that they can use to access their on-premises apps and cloud services that use Azure AD (**such as Windows 10 Enterprise E3 or E5**). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. **Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. @@ -72,6 +78,13 @@ For more information about integrating on-premises AD DS domains with Azure AD, - [Integrating your on-premises identities with Azure Active Directory](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/) - [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) +>[!NOTE] +>If you are implementing Azure AD, and have already an on-premises, you don't need to join the computers into Azure AD, since your main authentication method is your internal AD. In case, that you want to manage all your infrastructure on the cloud, then you can safely remote your domain controller and work with the join of the computers into the Azure AD, but you won't be able to apply fine control into the computers using GPO. +>The whole idea of using Azure AD, is mostly when you don't have any on-premises servers, and you want and enterprise administration of devices worldwide. + + + + ## Preparing for deployment: reviewing requirements Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. @@ -151,12 +164,12 @@ Now the device is Azure AD joined to the company’s subscription. ### Step 2: Pro edition activation >[!IMPORTANT] ->If the device is running Windows 10, version 1803 or later, this step is no longer necessary when there is a firmware-embedded activation key on the device. Starting with Windows 10, version 1803 the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key.
    +>If the device is running Windows 10, version 1803 or later, this step is no longer necessary when there is a firmware-embedded activation key on the device. Starting with Windows 10, version 1803 the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key. >If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**. Windows 10 Pro activated -
    **Figure 7a - Windows 10 Pro activation in Settings**
    +**Figure 7a - Windows 10 Pro activation in Settings** Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only). @@ -176,16 +189,16 @@ You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings &g Windows 10 activated and subscription active -
    **Figure 9 - Windows 10 Enterprise subscription in Settings**
    +**Figure 9 - Windows 10 Enterprise subscription in Settings** If there are any problems with the Windows 10 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. >[!NOTE] ->If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following:
    ->Name: Windows(R), Professional edition
    ->Description: Windows(R) Operating System, RETAIL channel
    ->Partial Product Key: 3V66T
    +>If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following: +>Name: Windows(R), Professional edition +>Description: Windows(R) Operating System, RETAIL channel +>Partial Product Key: 3V66T ## Virtual Desktop Access (VDA) @@ -211,23 +224,23 @@ Use the following figures to help you troubleshoot when users experience these c - [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license is not activated and the Windows 10 Enterprise subscription is lapsed or removed. -
    + Windows 10 not activated and subscription active -
    **Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings**
    +**Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings** + -
    Windows 10 activated and subscription not active -
    **Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings**
    +**Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings** + -
    Windows 10 not activated and subscription not active -
    **Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings**
    +**Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings** ### Review requirements on devices From 36ad8a02943d2ffd1f48afacc1edc1ff613d3d50 Mon Sep 17 00:00:00 2001 From: sccmentor Date: Sun, 12 May 2019 11:18:47 +0100 Subject: [PATCH 382/492] Update waas-manage-updates-wufb.md --- windows/deployment/update/waas-manage-updates-wufb.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index be96b68e59..19a38e1f89 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md @@ -85,13 +85,13 @@ Starting with Windows 10, version 1709, the Windows Update for Business settings | Manage Windows Insider Preview builds | System/AllowBuildPreview | Update/ManagePreviewBuilds | | Manage when updates are received | Select when Feature Updates are received | Select when Preview Builds and Feature Updates are received (Update/BranchReadinessLevel) | -## Managing Windows Update for Business with Software Center Configuration Manager +## Managing Windows Update for Business with System Center Configuration Manager -Starting with Windows 10, version 1709, you can assign a collection of devices to have dual scan enabled and manage that collection with Windows Update for Business policies. Starting with Windows 10, version 1809, you can set a collection of devices to receive the Windows Insider Preview Feature Updates from Windows Update from within Software Center Configuration Manager. +Starting with Windows 10, version 1709, you can assign a collection of devices to have dual scan enabled and manage that collection with Windows Update for Business policies. Starting with Windows 10, version 1809, you can set a collection of devices to receive the Windows Insider Preview Feature Updates from Windows Update from within System Center Configuration Manager. | Action | Windows 10 versions between 1709 and 1809 | Windows 10 versions after 1809 | | --- | --- | --- | -| Manage Windows Update for Business in Configuration Manager | Manage Feature or Quality Updates with Windows Update for Business via Dual Scan | Manage Insider pre-release builds with Windows Update for Business within Software Center Configuration Manager | +| Manage Windows Update for Business in Configuration Manager | Manage Feature or Quality Updates with Windows Update for Business via Dual Scan | Manage Insider pre-release builds with Windows Update for Business within System Center Configuration Manager | ## Managing Windows Update for Business with Windows Settings options Windows Settings includes options to control certain Windows Update for Business features: From 12147107edb489af66f821a83bf816fdfafa1258 Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Mon, 13 May 2019 07:18:18 +0200 Subject: [PATCH 383/492] Update appv-creating-and-managing-virtualized-applications.md Updated extensions. --- ...reating-and-managing-virtualized-applications.md | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md index dca1b3b048..a2e9327cb3 100644 --- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md +++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md @@ -93,20 +93,11 @@ The following table lists the supported shell extensions: Copy on write (CoW) file extensions allow App-V to dynamically write to specific locations contained in the virtual package while it is being used. -The following table displays the file types that can exist in a virtual package under the VFS directory, but cannot be updated on the computer running the App-V client. All other files and directories can be modified. +The following table displays the file types that can exist in a virtual package under the VFS directory, since App-V 5.1, but cannot be updated on the computer running the App-V client. All other files and directories can be modified. | File Type|||||| |---|---|---|---|---|---| -| .acm | .asa | .asp | .aspx | .ax | .bat | -| .cer | .chm | .clb | .cmd | .cnt | .cnv | -| .com | .cpl | .cpx | .crt | .dll | .drv | -| .esc | .exe | .fon | .grp | .hlp | .hta | -| .ime | .inf | .ins | .isp | .its | .js | -| .jse | .lnk | .msc | .msi | .msp | .mst | -| .mui | .nls | .ocx | .pal | .pcd | .pif | -| .reg | .scf | .scr | .sct | .shb | .shs | -| .sys | .tlb | .tsp | .url | .vb | .vbe | -| .vbs | .vsmacros | .ws | .wsf | .wsh | | +| .com | .exe | .dll | .ocx | | ## Modifying an existing virtual application package From 412888018f32607672f3e3a839a30e579cee5b26 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 13 May 2019 17:08:19 +0500 Subject: [PATCH 384/492] update microsoft-store-for-business-overview.md --- store-for-business/microsoft-store-for-business-overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md index 0bf1fdc2d4..f6afc25250 100644 --- a/store-for-business/microsoft-store-for-business-overview.md +++ b/store-for-business/microsoft-store-for-business-overview.md @@ -28,8 +28,8 @@ Organizations or schools of any size can benefit from using Microsoft Store for - **Scales to fit the size of your business** - For smaller businesses, with Azure AD accounts or Office 365 accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Business are available to you, or you can integrate Microsoft Store for Business with management tools, for greater control over access to apps and app updates. You can use existing work or school accounts. - **Bulk app acquisition** - Acquire apps in volume from Microsoft Store for Business. - **Centralized management** – Microsoft Store provides centralized management for inventory, billing, permissions, and order history. You can use Microsoft Store to view, manage and distribute items purchased from: - - **Microsoft Store for Business** – Apps and subscriptions - - **Microsoft Store for Education** – Apps and subscriptions + - **Microsoft Store for Business** – Apps acquired from Microsoft Store for Business + - **Microsoft Store for Education** – Apps acquired from Microsoft Store for Education - **Office 365** – Subscriptions - **Volume licensing** - Apps purchased with volume licensing - **Private store** - Create a private store for your business that’s easily available from any Windows 10 device. Your private store is available from Microsoft Store on Windows 10, or with a browser on the Web. People in your organization can download apps from your organization's private store on Windows 10 devices. From f2e7db1c27a2f01fe8490dc7ce55e3f62a1b8352 Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Mon, 13 May 2019 10:04:55 -0500 Subject: [PATCH 385/492] Update windows/deployment/deploy-enterprise-licenses.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- windows/deployment/deploy-enterprise-licenses.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index 038c839c38..ca9c5911b9 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -164,7 +164,7 @@ Now the device is Azure AD joined to the company’s subscription. ### Step 2: Pro edition activation >[!IMPORTANT] ->If the device is running Windows 10, version 1803 or later, this step is no longer necessary when there is a firmware-embedded activation key on the device. Starting with Windows 10, version 1803 the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key. +>If your device is running Windows 10, version 1803 or later, this step not needed. Starting with Windows 10 version 1803 the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key. >If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**. From bd221ac09c378556b5d5b985485edcc9805736fa Mon Sep 17 00:00:00 2001 From: Jose Ortega Date: Mon, 13 May 2019 10:11:25 -0500 Subject: [PATCH 386/492] Corrections --- windows/deployment/deploy-enterprise-licenses.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index ca9c5911b9..9a03873d7c 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -19,7 +19,6 @@ ms.topic: article >[!IMPORTANT] >Licenses E3 and E5 brings windows 10 license enterprise with them, this tutorial is special for the use and implementation of these licenses in a on-premises Active Directory environment. - This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD). >[!NOTE] @@ -82,9 +81,6 @@ For more information about integrating on-premises AD DS domains with Azure AD, >If you are implementing Azure AD, and have already an on-premises, you don't need to join the computers into Azure AD, since your main authentication method is your internal AD. In case, that you want to manage all your infrastructure on the cloud, then you can safely remote your domain controller and work with the join of the computers into the Azure AD, but you won't be able to apply fine control into the computers using GPO. >The whole idea of using Azure AD, is mostly when you don't have any on-premises servers, and you want and enterprise administration of devices worldwide. - - - ## Preparing for deployment: reviewing requirements Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. @@ -225,7 +221,6 @@ Use the following figures to help you troubleshoot when users experience these c - [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license is not activated and the Windows 10 Enterprise subscription is lapsed or removed. - Windows 10 not activated and subscription active **Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings** From c020150f3684eb897ef425c8c9d4a3a7d0008685 Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Mon, 13 May 2019 10:12:49 -0500 Subject: [PATCH 387/492] Update windows/deployment/deploy-enterprise-licenses.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- windows/deployment/deploy-enterprise-licenses.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index 9a03873d7c..8c90e9f4ba 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -24,7 +24,7 @@ This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with >[!NOTE] >* Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. >* Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later. ->* Automatic, non-KMS activation requires Windows 10, version 1803 or later on a device with a firmware-embedded activation key. +>* Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key. ## Firmware-embedded activation key From ea00510908b1f1de7bdece0cebfa77aab8d83dc1 Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Mon, 13 May 2019 10:12:58 -0500 Subject: [PATCH 388/492] Update windows/deployment/deploy-enterprise-licenses.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- windows/deployment/deploy-enterprise-licenses.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index 8c90e9f4ba..83fbd2a73f 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -64,7 +64,7 @@ Also in this article: You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD. -You might ask why you need to synchronize these identities. The answer is that users will have a **single identity** that they can use to access their on-premises apps and cloud services that use Azure AD (**such as Windows 10 Enterprise E3 or E5**). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. +You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. **Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. From 67f98f7e71c82dcdb80bd8042948accab6e44060 Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Mon, 13 May 2019 10:13:06 -0500 Subject: [PATCH 389/492] Update windows/deployment/deploy-enterprise-licenses.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- windows/deployment/deploy-enterprise-licenses.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index 83fbd2a73f..9721ecd2be 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -42,7 +42,7 @@ If you are an EA customer with an existing Office 365 tenant, use the following 1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license: a. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3 - b. **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5 +- **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5 2. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. 3. The admin can now assign subscription licenses to users. From f5ca28c6688d8184e914da54a4a258bea602e573 Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Mon, 13 May 2019 10:13:14 -0500 Subject: [PATCH 390/492] Update windows/deployment/deploy-enterprise-licenses.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- windows/deployment/deploy-enterprise-licenses.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index 9721ecd2be..cdecd2c70f 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -78,7 +78,7 @@ For more information about integrating on-premises AD DS domains with Azure AD, - [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) >[!NOTE] ->If you are implementing Azure AD, and have already an on-premises, you don't need to join the computers into Azure AD, since your main authentication method is your internal AD. In case, that you want to manage all your infrastructure on the cloud, then you can safely remote your domain controller and work with the join of the computers into the Azure AD, but you won't be able to apply fine control into the computers using GPO. +>If you are implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers. >The whole idea of using Azure AD, is mostly when you don't have any on-premises servers, and you want and enterprise administration of devices worldwide. ## Preparing for deployment: reviewing requirements From 4ad41520e7864728f84d69c50b0ea11cc417bcef Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Mon, 13 May 2019 10:13:28 -0500 Subject: [PATCH 391/492] Update windows/deployment/deploy-enterprise-licenses.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- windows/deployment/deploy-enterprise-licenses.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index cdecd2c70f..38252eee03 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -79,7 +79,6 @@ For more information about integrating on-premises AD DS domains with Azure AD, >[!NOTE] >If you are implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers. ->The whole idea of using Azure AD, is mostly when you don't have any on-premises servers, and you want and enterprise administration of devices worldwide. ## Preparing for deployment: reviewing requirements From 33cec4871e6275f66bbaa57f1b32b20f1257d8b3 Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Mon, 13 May 2019 10:13:39 -0500 Subject: [PATCH 392/492] Update windows/deployment/deploy-enterprise-licenses.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- windows/deployment/deploy-enterprise-licenses.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index 38252eee03..b1b4b2b9d5 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -41,7 +41,7 @@ If the device has a firmware-embedded activation key, it will be displayed in th If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant: 1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license: - a. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3 +- **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3 - **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5 2. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. 3. The admin can now assign subscription licenses to users. From 85e9423476bb32060213ca9bb7e15691c189362d Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Mon, 13 May 2019 10:13:57 -0500 Subject: [PATCH 393/492] Update windows/deployment/deploy-enterprise-licenses.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- windows/deployment/deploy-enterprise-licenses.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index b1b4b2b9d5..fd04ba220b 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -17,7 +17,7 @@ ms.topic: article # Deploy Windows 10 Enterprise licenses >[!IMPORTANT] ->Licenses E3 and E5 brings windows 10 license enterprise with them, this tutorial is special for the use and implementation of these licenses in a on-premises Active Directory environment. +>Office 365 Enterprise E3 and Office 365 Enterprise E5 include a Windows 10 Enterprise license. This article is about the use and implementation of these licenses in a on-premises Active Directory environment. This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD). From 73007e7e463bd4fa727fb2652090d6287a4f9063 Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Mon, 13 May 2019 10:54:17 -0500 Subject: [PATCH 394/492] Update windows/deployment/deploy-enterprise-licenses.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/deploy-enterprise-licenses.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index fd04ba220b..c202b6f22e 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -159,7 +159,7 @@ Now the device is Azure AD joined to the company’s subscription. ### Step 2: Pro edition activation >[!IMPORTANT] ->If your device is running Windows 10, version 1803 or later, this step not needed. Starting with Windows 10 version 1803 the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key. +>If your device is running Windows 10, version 1803 or later, this step is not needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key. >If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**. From bc4f9a20eb45721386f3bfb236894d72c009c331 Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Mon, 13 May 2019 18:09:47 +0200 Subject: [PATCH 395/492] Update windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../appv-creating-and-managing-virtualized-applications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md index a2e9327cb3..9a68fb9338 100644 --- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md +++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md @@ -93,7 +93,7 @@ The following table lists the supported shell extensions: Copy on write (CoW) file extensions allow App-V to dynamically write to specific locations contained in the virtual package while it is being used. -The following table displays the file types that can exist in a virtual package under the VFS directory, since App-V 5.1, but cannot be updated on the computer running the App-V client. All other files and directories can be modified. +The following table displays the file types that can exist in a virtual package under the VFS directory, since App-V 5.1, but which cannot be updated on the computer running the App-V client. All other files and directories can be modified. | File Type|||||| |---|---|---|---|---|---| From b779a2462eab915da80af93e2075aa45b39f115f Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 13 May 2019 10:17:20 -0700 Subject: [PATCH 396/492] spelling --- .../create-wip-policy-using-intune-azure.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 1d57580668..18eb0da280 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -11,7 +11,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 05/10/2019 +ms.date: 05/13/2019 --- # Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune @@ -588,7 +588,7 @@ After you've decided where your protected apps can access enterprise data on you - **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. Curly braces {} are required around the RMS Template ID, but they are removed after you save the policy. - If you don’t specify an [RMS template](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates), it’s a regular EFS file using a default RMS template that everyone in the tenant will have access to. + If you don’t specify an [RMS template](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates), it’s a regular EFS file using a default RMS template that all users can access. - **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive. @@ -603,7 +603,7 @@ After you've decided where your protected apps can access enterprise data on you ## Encrypted file extensions -You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. If this setting is configured, only files with te extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied. +You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. If this setting is configured, only files with the extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied. ![WIP encrypted file extensions](images/wip-encrypted-file-extensions.png) From 91623a4d58af4d0db2873912b77e3b53daa23c5a Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 13 May 2019 10:29:36 -0700 Subject: [PATCH 397/492] spelling --- .../create-wip-policy-using-intune-azure.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 18eb0da280..33ced2e6e3 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -98,7 +98,7 @@ Select **Store apps**, type the app product name and publisher, and click **OK** ![Add Store app](images\add-a-protected-store-app.png) -To add multiple Store apps, click the elipsis **…**. +To add multiple Store apps, click the ellipsis **…**. If you don't know the Store app publisher or product name, you can find them by following these steps. @@ -187,7 +187,7 @@ To add **Desktop apps**, complete the following fields, based on what results yo -To add another Desktop app, click the elipsis **…**. After you’ve entered the info into the fields, click **OK**. +To add another Desktop app, click the ellipsis **…**. After you’ve entered the info into the fields, click **OK**. ![Microsoft Intune management console: Adding Desktop app info](images/wip-azure-add-desktop-apps.png) From d30d89b19b2259e021a68bc78345dc8a464bf8cc Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 13 May 2019 10:33:44 -0700 Subject: [PATCH 398/492] edits --- .../create-wip-policy-using-sccm.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md index 84ebcf1861..8cb0bcd6e9 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/30/2019 +ms.date: 05/13/2019 --- # Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager @@ -474,7 +474,7 @@ After you've decided where your protected apps can access enterprise data on you - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. - - **Revoke local encryption keys during the unerollment process.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: + - **Revoke local encryption keys during the unenrollment process.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. From dfbffb033924d6cd9a79b6195186941dc06b0187 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 13 May 2019 12:58:17 -0700 Subject: [PATCH 399/492] fix indicators --- ...-blocked-list-windows-defender-advanced-threat-protection.md | 2 +- .../threat-protection/windows-defender-atp/manage-indicators.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md index 78b40b3a95..de4d01bd79 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md @@ -64,5 +64,5 @@ You can define the conditions for when entities are identified as malicious or s ## Related topics - [Manage automation file uploads](manage-automation-file-uploads-windows-defender-advanced-threat-protection.md) -- [Manage allowed/blocked lists](manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md) +- [Manage indicators](manage-indicators.md) - [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-indicators.md b/windows/security/threat-protection/windows-defender-atp/manage-indicators.md index 46f6939d8e..2a60cfdd55 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-indicators.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-indicators.md @@ -38,7 +38,7 @@ On the top navigation you can: - Apply filters ## Create an indicator -1. In the navigation pane, select **Settings** > **Allowed/blocked list**. +1. In the navigation pane, select **Settings** > **Indicators**. 2. Select the tab of the type of entity you'd like to create an indicator for. You can choose any of the following entities: - File hash From 0e0a602102d712a74a297c084fe633824a554d8d Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 13 May 2019 13:36:11 -0700 Subject: [PATCH 400/492] indicators --- .../threat-protection/windows-defender-atp/manage-indicators.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-indicators.md b/windows/security/threat-protection/windows-defender-atp/manage-indicators.md index 2a60cfdd55..c74b1a805e 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-indicators.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-indicators.md @@ -62,7 +62,7 @@ On the top navigation you can: ## Manage indicators -1. In the navigation pane, select **Settings** > **Allowed/blocked list**. +1. In the navigation pane, select **Settings** > **Indicators**. 2. Select the tab of the entity type you'd like to manage. From cbf9fa503667e7e718f929b9f7f255cbcd8350bf Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 13 May 2019 14:54:28 -0700 Subject: [PATCH 401/492] added caveat about excluded apps --- .../customize-attack-surface-reduction.md | 16 +++++++--------- ...customize-controlled-folders-exploit-guard.md | 9 +++++---- .../enable-attack-surface-reduction.md | 4 ++-- .../enable-controlled-folders-exploit-guard.md | 6 +++--- 4 files changed, 17 insertions(+), 18 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 6dbb17c57d..fe9741366e 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/08/2019 +ms.date: 05/13/2019 --- # Customize attack surface reduction rules @@ -31,20 +31,18 @@ You can use Group Policy, PowerShell, and MDM CSPs to configure these settings. ## Exclude files and folders -You can exclude files and folders from being evaluated by all attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an attack surface reduction rule, the file will not be blocked from running. - -This could potentially allow unsafe files to run and infect your devices. +You can exclude files and folders from being evaluated by attack surface reduction rules. This means that even if an attack surface reduction rule detects that the file contains malicious behavior, the file will not be blocked from running. >[!WARNING] ->Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. -> ->If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md). +>This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. -You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode) and that allow exclusions. +An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource, but you cannot limit an exclusion to certain rules. + +An exclusion is applied only when when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). +If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md). -Exclusions apply to all attack surface reduction rules. Rule description | GUID -|:-:|- diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md index bf18867655..deed0e6c2e 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/07/2019 +ms.date: 05/13/2019 --- # Customize controlled folder access @@ -89,13 +89,14 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.m You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the controlled folder access feature. >[!IMPORTANT] ->By default, Windows adds apps that it considers friendly to the allowed list - apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets. +>By default, Windows adds apps that it considers friendly to the allowed list—apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets. >You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness. -You can use the Windows Security app or Group Policy to add and remove apps that should be allowed to access protected folders. - When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by controlled folder access. +An allowed application or service only has write access to a controlled flder after it starts. For example, if you allow an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. + + ### Use the Windows Defender Security app to allow specific apps 1. Open the Windows Security by clicking the shield icon in the task bar or searching the start menu for **Defender**. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 1a68651c4f..3b305feed9 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/29/2019 +ms.date: 05/13/2019 --- # Enable attack surface reduction rules @@ -51,7 +51,7 @@ You can exclude files and folders from being evaluated by most attack surface re >- Block process creations originating from PSExec and WMI commands >- Block JavaScript or VBScript from launching downloaded executable content -You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. +You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. An exclusion is applied only when when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index d761ebfc85..f6e6986c98 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/29/2019 +ms.date: 05/13/2019 --- # Enable controlled folder access @@ -61,7 +61,7 @@ For more information about disabling local list merging, see [Prevent or allow u 1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**. ![Enable controlled folder access in Intune](images/enable-cfa-intune.png) >[!NOTE] - >Wilcard is supported for applications, but not for folders. Subfolders are not protected. + >Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. 1. Click **OK** to save each open blade and click **Create**. 1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. @@ -76,7 +76,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt 1. Enter a name and a description, click **Controlled folder access**, and click **Next**. 1. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**. >[!NOTE] - >Wilcard is supported for applications, but not for folders. Subfolders are not protected. + >Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. 1. Review the settings and click **Next** to create the policy. 1. After the policy is created, click **Close**. From 7e1f1cb739ba64bf813b7bcc0f3970c7b6d48b72 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Mon, 13 May 2019 15:08:33 -0700 Subject: [PATCH 402/492] Added feedback from dev --- windows/client-management/mdm/policy-csp-update.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 9d7ac6f259..8e56b33127 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1254,7 +1254,7 @@ Added in Windows 10, version 1903. Allows the IT admin (when used with [Update/C -Supports a numeric value from 0 - 5, which indicates the minimum number of days a device will wait until performing an aggressive installation of a required update once deadline has been reached. +Supports a numeric value from 0 - 7, which indicates the minimum number of days a device will wait until performing an aggressive installation of a required update once deadline has been reached. Default value is 2. @@ -1323,7 +1323,7 @@ When disabled, if the device has installed the required updates and is outside o Supported values: - 1 - Enabled -- 0 - Disabled +- 0 (default) - Disabled From ddddfbbf4d4a8080cdf8e9cb625dd020253d2917 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 13 May 2019 15:16:26 -0700 Subject: [PATCH 403/492] edits --- .../customize-attack-surface-reduction.md | 4 ++-- .../customize-controlled-folders-exploit-guard.md | 6 +++--- .../enable-attack-surface-reduction.md | 4 ++-- .../enable-controlled-folders-exploit-guard.md | 4 ++-- .../enable-exploit-protection.md | 2 +- .../enable-network-protection.md | 3 ++- 6 files changed, 12 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index fe9741366e..20e1ca5eda 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -74,9 +74,9 @@ See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) to 4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. -### Use PowerShell to exclude files and folderss +### Use PowerShell to exclude files and folders -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: ```PowerShell diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md index deed0e6c2e..28a78453b2 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md @@ -94,7 +94,7 @@ You can specify if certain apps should always be considered safe and given write When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by controlled folder access. -An allowed application or service only has write access to a controlled flder after it starts. For example, if you allow an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. +An allowed application or service only has write access to a controlled folder after it starts. For example, if you allow an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. ### Use the Windows Defender Security app to allow specific apps @@ -107,7 +107,7 @@ An allowed application or service only has write access to a controlled flder af 4. Click **Add an allowed app** and follow the prompts to add apps. - ![Screenshot of the add an allowed app button](images/cfa-allow-app.png) + ![Screenshot of how to add an allowed app button](images/cfa-allow-app.png) ### Use Group Policy to allow specific apps @@ -121,7 +121,7 @@ An allowed application or service only has write access to a controlled flder af ### Use PowerShell to allow specific apps -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: ```PowerShell diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 3b305feed9..57d6a0abd8 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -26,7 +26,7 @@ Each ASR rule contains three settings: To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules. -You can enable attack surface reduction rules by using any of the these methods: +You can enable attack surface reduction rules by using any of these methods: - [Microsoft Intune](#intune) - [Mobile Device Management (MDM)](#mdm) @@ -131,7 +131,7 @@ Value: c:\path|e:\path|c:\Whitelisted.exe >[!WARNING] >If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup. -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**. +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**. 2. Enter the following cmdlet: diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index f6e6986c98..0f4dcde83d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -22,7 +22,7 @@ ms.date: 05/13/2019 [Controlled folder access](controlled-folders-exploit-guard.md) helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is included with Windows 10 and Windows Server 2019. -You can enable controlled folder access by using any of the these methods: +You can enable controlled folder access by using any of these methods: - [Windows Security app](#windows-security-app) - [Microsoft Intune](#intune) @@ -100,7 +100,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt ## PowerShell -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**. +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**. 2. Enter the following cmdlet: diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md index 58cb4ad00c..56932bf8a1 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md @@ -26,7 +26,7 @@ Many features from the Enhanced Mitigation Experience Toolkit (EMET) are include You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine. -You can enable each mitigation separately by using any of the these methods: +You can enable each mitigation separately by using any of these methods: - [Windows Security app](#windows-security-app) - [Microsoft Intune](#intune) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index 8df4d37da6..75c4d76f00 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -22,7 +22,8 @@ ms.date: 04/22/2019 [Network protection](network-protection-exploit-guard.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it. -You can enable network protection by using any of the these methods: + +You can enable network protection by using any of these methods: - [Microsoft Intune](#intune) - [Mobile Device Management (MDM)](#mdm) From 4a8b2dc1f690a7f0edfce207b4608dd30d5de124 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 13 May 2019 15:17:29 -0700 Subject: [PATCH 404/492] edits --- .../enable-network-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index 75c4d76f00..a3cad38060 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/22/2019 +ms.date: 05/13/2019 --- # Enable network protection @@ -88,7 +88,7 @@ You can confirm network protection is enabled on a local computer by using Regis ## PowerShell -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: ``` From 5dc8cb6c1852377314ebaac4ae1f4e8b1db9afa5 Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Mon, 13 May 2019 20:36:14 -0500 Subject: [PATCH 405/492] Update windows/deployment/deploy-enterprise-licenses.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/deployment/deploy-enterprise-licenses.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index c202b6f22e..353bb97445 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -13,7 +13,6 @@ ms.topic: article --- - # Deploy Windows 10 Enterprise licenses >[!IMPORTANT] From 6040e1162d7e9720e47d80be71d545ff288f0b50 Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Mon, 13 May 2019 20:36:22 -0500 Subject: [PATCH 406/492] Update windows/deployment/deploy-enterprise-licenses.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/deployment/deploy-enterprise-licenses.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index 353bb97445..1c21ee3718 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -224,7 +224,6 @@ Use the following figures to help you troubleshoot when users experience these c **Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings** - Windows 10 activated and subscription not active **Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings** From 528382e2207c4d93ef968cce2d6fbc579998ec64 Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Mon, 13 May 2019 20:36:31 -0500 Subject: [PATCH 407/492] Update windows/deployment/deploy-enterprise-licenses.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/deployment/deploy-enterprise-licenses.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index 1c21ee3718..f2bf17ad13 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -229,7 +229,6 @@ Use the following figures to help you troubleshoot when users experience these c **Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings** - Windows 10 not activated and subscription not active **Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings** From de56796a975c25c688fc74917111f6b3b1c795d7 Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Mon, 13 May 2019 21:28:02 -0500 Subject: [PATCH 408/492] Update windows/deployment/deploy-enterprise-licenses.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/deployment/deploy-enterprise-licenses.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index f2bf17ad13..25a638d45a 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -12,7 +12,6 @@ author: greg-lindsay ms.topic: article --- - # Deploy Windows 10 Enterprise licenses >[!IMPORTANT] From c9e0b1d57e0067291f01e82ca694727663379631 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 14 May 2019 11:13:08 +0500 Subject: [PATCH 409/492] update windows-upgrade-and-migration-considerations.md --- .../upgrade/windows-upgrade-and-migration-considerations.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md index d5eff8daa4..b2bade848b 100644 --- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md +++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md @@ -28,6 +28,9 @@ Windows Easy Transfer is a software wizard for transferring files and settings With Windows Easy Transfer, files and settings can be transferred using a network share, a USB flash drive (UFD), or the Easy Transfer cable. However, you cannot use a regular universal serial bus (USB) cable to transfer files and settings with Windows Easy Transfer. An Easy Transfer cable can be purchased on the Web, from your computer manufacturer, or at an electronics store. +> [!NOTE] +> Windows Easy Transfer [is not available in Windows 10](https://support.microsoft.com/help/4026265/windows-windows-easy-transfer-is-not-available-in-windows-10). + ### Migrate with the User State Migration Tool You can use USMT to automate migration during large deployments of the Windows operating system. USMT uses configurable migration rule (.xml) files to control exactly which user accounts, user files, operating system settings, and application settings are migrated and how they are migrated. You can use USMT for both *side-by-side* migrations, where one piece of hardware is being replaced, or *wipe-and-load* (or *refresh*) migrations, when only the operating system is being upgraded. From da0b5bab3173f4f76393ebb99c18ee787d942890 Mon Sep 17 00:00:00 2001 From: Deland-Han Date: Tue, 14 May 2019 15:59:53 +0800 Subject: [PATCH 410/492] finish --- ...windows-10-device-automatically-using-group-policy.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 24e4a9039a..b79c6c1219 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -108,6 +108,15 @@ Requirements: - Ensure that PCs belong to same computer group. 1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**. + >[!Note] + >If you do not see the policy, it may be caused because you don’t have the ADMX installed for Windows 10, version 1803. To fix the issue, follow these steps: + > 1. Download [Administrative Templates (.admx) for Windows 10 April 2018 Update (1803) +](https://www.microsoft.com/en-us/download/details.aspx?id=56880). + > 2. Install the package on the Primary Domain Controller. + > 3. Navigate to the folder **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**. + > 4. Copy policy definitions folder to **C:\Windows\SYSVOL\domain\Policies**. + > 5. Restart the Primary Domain Controller for the policy to be available. + 2. Create a Security Group for the PCs. 3. Link the GPO. 4. Filter using Security Groups. From e0e5aa64c2648a982296f756133a5912e01d4a09 Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Tue, 14 May 2019 13:25:19 +0200 Subject: [PATCH 411/492] Update waas-quick-start.md Link added under Learn More. Resolves https://github.com/MicrosoftDocs/windows-itpro-docs/issues/1576 --- windows/deployment/update/waas-quick-start.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md index 9ef541fce2..af88e40987 100644 --- a/windows/deployment/update/waas-quick-start.md +++ b/windows/deployment/update/waas-quick-start.md @@ -69,8 +69,8 @@ Click the following Microsoft Mechanics video for an overview of the updated rel ## Learn more -[Adopting Windows as a service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft) - +- [Adopting Windows as a service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft) +- [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) ## Related topics From baeeac3e0909bb2defa029f9d6c8632a6b771fc1 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 14 May 2019 10:06:17 -0700 Subject: [PATCH 412/492] Moved supported value tag after ADMXmapped tag --- .../mdm/policy-csp-update.md | 32 ++++++++----------- 1 file changed, 13 insertions(+), 19 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 8e56b33127..3650b5f1c6 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1188,12 +1188,6 @@ ADMX Info: Added in Windows 10, version 1903. Allows IT admins to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule. - -Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required quality update. - -Default value is 7. - - ADMX Info: - GP English name: *Specify deadlines for automatic updates and restarts* @@ -1203,7 +1197,11 @@ ADMX Info: - GP ADMX file name: *WindowsUpdate.admx* + +Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required quality update. +Default value is 7. + @@ -1253,12 +1251,6 @@ ADMX Info: Added in Windows 10, version 1903. Allows the IT admin (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies. - -Supports a numeric value from 0 - 7, which indicates the minimum number of days a device will wait until performing an aggressive installation of a required update once deadline has been reached. - -Default value is 2. - - ADMX Info: - GP English name: *Specify deadlines for automatic updates and restarts* @@ -1268,7 +1260,11 @@ ADMX Info: - GP ADMX file name: *WindowsUpdate.admx* + +Supports a numeric value from 0 - 7, which indicates the minimum number of days a device will wait until performing an aggressive installation of a required update once deadline has been reached. +Default value is 2. + @@ -1320,12 +1316,6 @@ Added in Windows 10, version 1903. If enabled (when used with [Update/ConfigureD When disabled, if the device has installed the required updates and is outside of active hours, it may attempt an automatic restart before the deadline. - -Supported values: -- 1 - Enabled -- 0 (default) - Disabled - - ADMX Info: - GP English name: *Specify deadlines for automatic updates and restarts* @@ -1335,7 +1325,11 @@ ADMX Info: - GP ADMX file name: *WindowsUpdate.admx* - + +Supported values: +- 1 - Enabled +- 0 (default) - Disabled + From 5297438f59503b0aa8897169d609d4e185f8a9df Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 14 May 2019 10:08:42 -0700 Subject: [PATCH 413/492] minor update --- windows/client-management/mdm/policy-csp-update.md | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 3650b5f1c6..8e9d7a15c7 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -995,12 +995,6 @@ If you enable this policy setting, Automatic Maintenance attempts to set OS wake If you disable or do not configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel applies. - -Supported values: -- true - Enable -- false - Disable (Default) - - ADMX Info: - GP English name: *Automatic Maintenance WakeUp Policy* @@ -1010,7 +1004,11 @@ ADMX Info: - GP ADMX file name: *msched.admx* - + +Supported values: +- true - Enable +- false - Disable (Default) + From f066c23a3f08fe7488e8ba2a31922ea69343c763 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 14 May 2019 11:14:34 -0700 Subject: [PATCH 414/492] Added preview mode info --- .../mdm/new-in-windows-mdm-enrollment-management.md | 8 ++++---- .../mdm/policy-configuration-service-provider.md | 4 ++-- .../client-management/mdm/policy-csp-authentication.md | 10 ++++++++-- 3 files changed, 14 insertions(+), 8 deletions(-) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index b7d977b310..d652e7d5f2 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1398,8 +1398,8 @@ For details about Microsoft mobile device management protocols for Windows 10 s
    WindowsLogon/HideFastUserSwitching